Most implementations, including this one, consider the private key to be
the concatenation of the initial 32-byte seed and the public key.
However the RFC 8032 formulation considers the "private key" to just be
the seed, which, in turn, means the upcoming draft-ietf-curdle-pkix
specification for embedding Ed25519 into PKCS#8 only stores the seed.

Exporting ed25519.PrivateKey to the seed is easy: key[:32]. Importing
the seed to ed25519.PrivateKey is not currently possible because the
logic is tied up in ed25519.GenerateKey. Split out
ed25519.NewKeyFromSeed for this, as well as an ed25519.PrivateKey.Seed
accessor to keep the abstraction consistent.

Change-Id: I4068eaf2073009dff3d84224aa145b56b59a5854
Reviewed-on: https://go-review.googlesource.com/115297
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that s be in
the range [0, order) in order to prevent signature malleability. This is
a new requirement in the RFC so the ed25519 package predates it. This
change aligns the code with the RFC.

The linked bug says that libsodium is also enforcing this check by
default.

See golang/go#24350

Change-Id: Ib69ce7c9e5a58971cbe225318d9fd87660bd5e4b
Reviewed-on: https://go-review.googlesource.com/100436
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
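
The range check described in the commit above, shown as an added example that is not part of the original commit or the package's own code. It assumes the standard library's crypto/ed25519 (which enforces the same check) in place of golang.org/x/crypto/ed25519 so it builds without dependencies; ScalarIsCanonical and WithOrderAdded are hypothetical helper names, and the key and message are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
	"math/big"
)

// order is the group order L from RFC 8032, section 5.1.
var order, _ = new(big.Int).SetString(
	"1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed", 16)

// reverse returns a reversed copy; Ed25519 encodes s little-endian, big.Int is big-endian.
func reverse(b []byte) []byte {
	out := make([]byte, len(b))
	for i := range b {
		out[len(b)-1-i] = b[i]
	}
	return out
}

// ScalarIsCanonical reports whether the s half of sig lies in [0, L).
func ScalarIsCanonical(sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	return new(big.Int).SetBytes(reverse(sig[32:])).Cmp(order) < 0
}

// WithOrderAdded returns sig with s replaced by s+L: the same scalar mod L,
// but a different byte string. This is the encoding the range check refuses.
func WithOrderAdded(sig []byte) []byte {
	s := new(big.Int).SetBytes(reverse(sig[32:]))
	s.Add(s, order) // s < L < 2^253, so s+L still fits in 32 bytes
	return append(append([]byte{}, sig[:32]...), reverse(s.FillBytes(make([]byte, 32)))...)
}

func main() {
	// Constructed sample key and message, for illustration only.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	msg := []byte("constructed sample message")
	sig := ed25519.Sign(priv, msg)
	alt := WithOrderAdded(sig)
	fmt.Println("original:", ScalarIsCanonical(sig), ed25519.Verify(pub, msg, sig))
	fmt.Println("s+L form:", ScalarIsCanonical(alt), ed25519.Verify(pub, msg, alt))
}
```

Systems that deduplicate or index by signature bytes are the ones that depend on this check, since without it one valid signature has a second accepted encoding.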
The EdDSA draft has been approved as RFC 8032.

Change-Id: I2c0fba98d63ea51a7bb79acef55b9847cd0fa727
Reviewed-on: https://go-review.googlesource.com/74670
Reviewed-by: Adam Langley <agl@golang.org>

Verify operates only on public data and thus is not constant-time. The
use of a constant-time function in Verify was thus misleading.

Fixes golang/go#21137

Change-Id: I1ff5a0371fbe8abe62420f19acf3e416fe1b1428
Reviewed-on: https://go-review.googlesource.com/53074
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Kevin Burke <kev@inburke.com>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

Many websites now support HTTPS that may not have at the time the code was
committed; let's use the HTTPS links where we can.

Change-Id: I7099dfa0dbb213294e65b4387f343d6e8f955b97
Reviewed-on: https://go-review.googlesource.com/47131
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

This change “graduates” the Ed25519 package from my personal GitHub
account to x/crypto. At this point, the code and algorithm seem
sufficiently mature that it warrants more general exposure. (There seem
to be about 110 packages importing it from my GitHub repo:
https://godoc.org/github.com/agl/ed25519?importers)

Two people made changes to the code while it was living in my GitHub.
Both have signed the CLA and both have confirmed that they intended
their changes to be covered by it. (Recorded internally in b/28166583.)

The significant change from GitHub to x/crypto is that the types of
public keys, private keys and signatures have been changed from pointers
to arrays into []byte and that support for crypto.Signer has been added.

Updates golang/go#8581

Change-Id: Ia8632d2153e289363b50d76fd0662d1a7fed00f6
Reviewed-on: https://go-review.googlesource.com/22030
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Martin Garton <garton@gmail.com>
Reviewed-by: Adam Langley <agl@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>