You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
237 lines
6.4 KiB
237 lines
6.4 KiB
package ed25519
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/subtle"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
|
|
"github.com/oasisprotocol/curve25519-voi/primitives/ed25519"
|
|
"github.com/oasisprotocol/curve25519-voi/primitives/ed25519/extra/cache"
|
|
|
|
"github.com/tendermint/tendermint/crypto"
|
|
"github.com/tendermint/tendermint/crypto/tmhash"
|
|
"github.com/tendermint/tendermint/internal/jsontypes"
|
|
tmjson "github.com/tendermint/tendermint/libs/json"
|
|
)
|
|
|
|
//-------------------------------------
|
|
|
|
var (
|
|
_ crypto.PrivKey = PrivKey{}
|
|
|
|
// curve25519-voi's Ed25519 implementation supports configurable
|
|
// verification behavior, and tendermint uses the ZIP-215 verification
|
|
// semantics.
|
|
verifyOptions = &ed25519.Options{
|
|
Verify: ed25519.VerifyOptionsZIP_215,
|
|
}
|
|
|
|
cachingVerifier = cache.NewVerifier(cache.NewLRUCache(cacheSize))
|
|
)
|
|
|
|
const (
|
|
PrivKeyName = "tendermint/PrivKeyEd25519"
|
|
PubKeyName = "tendermint/PubKeyEd25519"
|
|
// PubKeySize is is the size, in bytes, of public keys as used in this package.
|
|
PubKeySize = 32
|
|
// PrivateKeySize is the size, in bytes, of private keys as used in this package.
|
|
PrivateKeySize = 64
|
|
// Size of an Edwards25519 signature. Namely the size of a compressed
|
|
// Edwards25519 point, and a field element. Both of which are 32 bytes.
|
|
SignatureSize = 64
|
|
// SeedSize is the size, in bytes, of private key seeds. These are the
|
|
// private key representations used by RFC 8032.
|
|
SeedSize = 32
|
|
|
|
KeyType = "ed25519"
|
|
|
|
// cacheSize is the number of public keys that will be cached in
|
|
// an expanded format for repeated signature verification.
|
|
//
|
|
// TODO/perf: Either this should exclude single verification, or be
|
|
// tuned to `> validatorSize + maxTxnsPerBlock` to avoid cache
|
|
// thrashing.
|
|
cacheSize = 4096
|
|
)
|
|
|
|
func init() {
|
|
tmjson.RegisterType(PubKey{}, PubKeyName)
|
|
tmjson.RegisterType(PrivKey{}, PrivKeyName)
|
|
|
|
jsontypes.MustRegister(PubKey{})
|
|
jsontypes.MustRegister(PrivKey{})
|
|
}
|
|
|
|
// PrivKey implements crypto.PrivKey.
|
|
type PrivKey []byte
|
|
|
|
// TypeTag satisfies the jsontypes.Tagged interface.
|
|
func (PrivKey) TypeTag() string { return PrivKeyName }
|
|
|
|
// Bytes returns the privkey byte format.
|
|
func (privKey PrivKey) Bytes() []byte {
|
|
return []byte(privKey)
|
|
}
|
|
|
|
// Sign produces a signature on the provided message.
|
|
// This assumes the privkey is wellformed in the golang format.
|
|
// The first 32 bytes should be random,
|
|
// corresponding to the normal ed25519 private key.
|
|
// The latter 32 bytes should be the compressed public key.
|
|
// If these conditions aren't met, Sign will panic or produce an
|
|
// incorrect signature.
|
|
func (privKey PrivKey) Sign(msg []byte) ([]byte, error) {
|
|
signatureBytes := ed25519.Sign(ed25519.PrivateKey(privKey), msg)
|
|
return signatureBytes, nil
|
|
}
|
|
|
|
// PubKey gets the corresponding public key from the private key.
|
|
//
|
|
// Panics if the private key is not initialized.
|
|
func (privKey PrivKey) PubKey() crypto.PubKey {
|
|
// If the latter 32 bytes of the privkey are all zero, privkey is not
|
|
// initialized.
|
|
initialized := false
|
|
for _, v := range privKey[32:] {
|
|
if v != 0 {
|
|
initialized = true
|
|
break
|
|
}
|
|
}
|
|
|
|
if !initialized {
|
|
panic("Expected ed25519 PrivKey to include concatenated pubkey bytes")
|
|
}
|
|
|
|
pubkeyBytes := make([]byte, PubKeySize)
|
|
copy(pubkeyBytes, privKey[32:])
|
|
return PubKey(pubkeyBytes)
|
|
}
|
|
|
|
// Equals - you probably don't need to use this.
|
|
// Runs in constant time based on length of the keys.
|
|
func (privKey PrivKey) Equals(other crypto.PrivKey) bool {
|
|
if otherEd, ok := other.(PrivKey); ok {
|
|
return subtle.ConstantTimeCompare(privKey[:], otherEd[:]) == 1
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
func (privKey PrivKey) Type() string {
|
|
return KeyType
|
|
}
|
|
|
|
// GenPrivKey generates a new ed25519 private key.
|
|
// It uses OS randomness in conjunction with the current global random seed
|
|
// in tendermint/libs/common to generate the private key.
|
|
func GenPrivKey() PrivKey {
|
|
return genPrivKey(crypto.CReader())
|
|
}
|
|
|
|
// genPrivKey generates a new ed25519 private key using the provided reader.
|
|
func genPrivKey(rand io.Reader) PrivKey {
|
|
_, priv, err := ed25519.GenerateKey(rand)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
return PrivKey(priv)
|
|
}
|
|
|
|
// GenPrivKeyFromSecret hashes the secret with SHA2, and uses
|
|
// that 32 byte output to create the private key.
|
|
// NOTE: secret should be the output of a KDF like bcrypt,
|
|
// if it's derived from user input.
|
|
func GenPrivKeyFromSecret(secret []byte) PrivKey {
|
|
seed := crypto.Sha256(secret) // Not Ripemd160 because we want 32 bytes.
|
|
|
|
return PrivKey(ed25519.NewKeyFromSeed(seed))
|
|
}
|
|
|
|
//-------------------------------------
|
|
|
|
var _ crypto.PubKey = PubKey{}
|
|
|
|
// PubKeyEd25519 implements crypto.PubKey for the Ed25519 signature scheme.
|
|
type PubKey []byte
|
|
|
|
// TypeTag satisfies the jsontypes.Tagged interface.
|
|
func (PubKey) TypeTag() string { return PubKeyName }
|
|
|
|
// Address is the SHA256-20 of the raw pubkey bytes.
|
|
func (pubKey PubKey) Address() crypto.Address {
|
|
if len(pubKey) != PubKeySize {
|
|
panic("pubkey is incorrect size")
|
|
}
|
|
return crypto.Address(tmhash.SumTruncated(pubKey))
|
|
}
|
|
|
|
// Bytes returns the PubKey byte format.
|
|
func (pubKey PubKey) Bytes() []byte {
|
|
return []byte(pubKey)
|
|
}
|
|
|
|
func (pubKey PubKey) VerifySignature(msg []byte, sig []byte) bool {
|
|
// make sure we use the same algorithm to sign
|
|
if len(sig) != SignatureSize {
|
|
return false
|
|
}
|
|
|
|
return cachingVerifier.VerifyWithOptions(ed25519.PublicKey(pubKey), msg, sig, verifyOptions)
|
|
}
|
|
|
|
func (pubKey PubKey) String() string {
|
|
return fmt.Sprintf("PubKeyEd25519{%X}", []byte(pubKey))
|
|
}
|
|
|
|
func (pubKey PubKey) Type() string {
|
|
return KeyType
|
|
}
|
|
|
|
func (pubKey PubKey) Equals(other crypto.PubKey) bool {
|
|
if otherEd, ok := other.(PubKey); ok {
|
|
return bytes.Equal(pubKey[:], otherEd[:])
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
var _ crypto.BatchVerifier = &BatchVerifier{}
|
|
|
|
// BatchVerifier implements batch verification for ed25519.
|
|
type BatchVerifier struct {
|
|
*ed25519.BatchVerifier
|
|
}
|
|
|
|
func NewBatchVerifier() crypto.BatchVerifier {
|
|
return &BatchVerifier{ed25519.NewBatchVerifier()}
|
|
}
|
|
|
|
func (b *BatchVerifier) Add(key crypto.PubKey, msg, signature []byte) error {
|
|
pkEd, ok := key.(PubKey)
|
|
if !ok {
|
|
return fmt.Errorf("pubkey is not Ed25519")
|
|
}
|
|
|
|
pkBytes := pkEd.Bytes()
|
|
|
|
if l := len(pkBytes); l != PubKeySize {
|
|
return fmt.Errorf("pubkey size is incorrect; expected: %d, got %d", PubKeySize, l)
|
|
}
|
|
|
|
// check that the signature is the correct length
|
|
if len(signature) != SignatureSize {
|
|
return errors.New("invalid signature")
|
|
}
|
|
|
|
cachingVerifier.AddWithOptions(b.BatchVerifier, ed25519.PublicKey(pkBytes), msg, signature, verifyOptions)
|
|
|
|
return nil
|
|
}
|
|
|
|
func (b *BatchVerifier) Verify() (bool, []bool) {
|
|
return b.BatchVerifier.Verify(crypto.CReader())
|
|
}
|