Merge pull request #261 from tlsfuzzer/eddsa-keys

High level API for EdDSA keys

Author: tomato42

.github/workflows/ci.yml

@@ -259,17 +259,17 @@ jobs:
           MERGE_BASE=$(git merge-base origin/$BASE_REF HEAD)
           echo "MERGE_BASE:" $MERGE_BASE
           git checkout $MERGE_BASE
-          instrumental -t ecdsa -i 'test.*|.*_version|.*_compat|.*_sha3' `which pytest` src/ecdsa/test*.py
+          instrumental -t ecdsa -i '.*test_.*|.*_version|.*_compat|.*_sha3' `which pytest` src/ecdsa/test*.py
           instrumental -f .instrumental.cov -s
           instrumental -f .instrumental.cov -s | python diff-instrumental.py --save .diff-instrumental
           git checkout $GITHUB_SHA
-          instrumental -t ecdsa -i 'test.*|.*_version|.*_compat|.*_sha3' `which pytest` src/ecdsa/test*.py
+          instrumental -t ecdsa -i '.*test_.*|.*_version|.*_compat|.*_sha3' `which pytest` src/ecdsa/test*.py
           instrumental -f .instrumental.cov -sr
           instrumental -f .instrumental.cov -s | python diff-instrumental.py --read .diff-instrumental --fail-under 70 --max-difference -0.1
       - name: instrumental test coverage on push
         if: ${{ contains(matrix.opt-deps, 'instrumental') && !github.event.pull_request }}
         run: |
-          instrumental -t ecdsa -i 'test.*|.*_version|.*_compat|.*_sha3' `which pytest` src/ecdsa
+          instrumental -t ecdsa -i '.*test_.*|.*_version|.*_compat|.*_sha3' `which pytest` src/ecdsa
           instrumental -f .instrumental.cov -s
           # just log the values when merging
           instrumental -f .instrumental.cov -s | python diff-instrumental.py

speed.py

@@ -98,6 +98,8 @@ def do(setup_statements, statement):
 )
 
 for curve in [i.name for i in curves]:
+    if curve == "Ed25519" or curve == "Ed448":
+        continue
     S1 = "from ecdsa import SigningKey, ECDH, {0}".format(curve)
     S2 = "our = SigningKey.generate({0})".format(curve)
     S3 = "remote = SigningKey.generate({0}).verifying_key".format(curve)

src/ecdsa/__init__.py

@@ -26,6 +26,8 @@
     SECP112r2,
     SECP128r1,
     SECP160r1,
+    Ed25519,
+    Ed448,
 )
 from .ecdh import (
     ECDH,
@@ -83,6 +85,8 @@
     SECP112r2,
     SECP128r1,
     SECP160r1,
+    Ed25519,
+    Ed448,
     six.b(""),
 ]
 del _hush_pyflakes

src/ecdsa/curves.py

@@ -1,9 +1,9 @@
 from __future__ import division
 
 from six import PY2
-from . import der, ecdsa, ellipticcurve
+from . import der, ecdsa, ellipticcurve, eddsa
 from .util import orderlen, number_to_string, string_to_number
-from ._compat import normalise_bytes
+from ._compat import normalise_bytes, bit_length
 
 
 # orderlen was defined in this module previously, so keep it in __all__,
@@ -33,6 +33,8 @@
     "BRAINPOOLP512r1",
     "PRIME_FIELD_OID",
     "CHARACTERISTIC_TWO_FIELD_OID",
+    "Ed25519",
+    "Ed448",
 ]
 
 
@@ -51,8 +53,16 @@ def __init__(self, name, curve, generator, oid, openssl_name=None):
         self.curve = curve
         self.generator = generator
         self.order = generator.order()
-        self.baselen = orderlen(self.order)
-        self.verifying_key_length = 2 * orderlen(curve.p())
+        if isinstance(curve, ellipticcurve.CurveEdTw):
+            # EdDSA keys are special in that both private and public
+            # are the same size (as it's defined only with compressed points)
+
+            # +1 for the sign bit and then round up
+            self.baselen = (bit_length(curve.p()) + 1 + 7) // 8
+            self.verifying_key_length = self.baselen
+        else:
+            self.baselen = orderlen(self.order)
+            self.verifying_key_length = 2 * orderlen(curve.p())
         self.signature_length = 2 * self.baselen
         self.oid = oid
         if oid:
@@ -90,13 +100,23 @@ def to_der(self, encoding=None, point_encoding="uncompressed"):
             else:
                 encoding = "explicit"
 
+        if encoding not in ("named_curve", "explicit"):
+            raise ValueError(
+                "Only 'named_curve' and 'explicit' encodings supported"
+            )
+
         if encoding == "named_curve":
             if not self.oid:
                 raise UnknownCurveError(
                     "Can't encode curve using named_curve encoding without "
                     "associated curve OID"
                 )
             return der.encode_oid(*self.oid)
+        elif isinstance(self.curve, ellipticcurve.CurveEdTw):
+            assert encoding == "explicit"
+            raise UnknownCurveError(
+                "Twisted Edwards curves don't support explicit encoding"
+            )
 
         # encode the ECParameters sequence
         curve_p = self.curve.p()
@@ -408,6 +428,16 @@ def from_pem(cls, string, valid_encodings=None):
 )
 
 
+Ed25519 = Curve(
+    "Ed25519", eddsa.curve_ed25519, eddsa.generator_ed25519, (1, 3, 101, 112),
+)
+
+
+Ed448 = Curve(
+    "Ed448", eddsa.curve_ed448, eddsa.generator_ed448, (1, 3, 101, 113),
+)
+
+
 # no order in particular, but keep previously added curves first
 curves = [
     NIST192p,
@@ -427,6 +457,8 @@ def from_pem(cls, string, valid_encodings=None):
     SECP112r2,
     SECP128r1,
     SECP160r1,
+    Ed25519,
+    Ed448,
 ]
 
 

src/ecdsa/eddsa.py

@@ -102,6 +102,20 @@ def __init__(self, generator, public_key, public_point=None):
                 self.curve, public_key
             )
 
+    def __eq__(self, other):
+        if isinstance(other, PublicKey):
+            return (
+                self.curve == other.curve and self.__encoded == other.__encoded
+            )
+        return NotImplemented
+
+    def __ne__(self, other):
+        return not self == other
+
+    @property
+    def point(self):
+        return self.__point
+
     def public_point(self):
         return self.__point
 
@@ -110,6 +124,7 @@ def public_key(self):
 
     def verify(self, data, signature):
         """Verify a Pure EdDSA signature over data."""
+        data = compat26_str(data)
         if len(signature) != 2 * self.baselen:
             raise ValueError(
                 "Invalid signature length, expected: {0} bytes".format(
@@ -152,7 +167,7 @@ def __init__(self, generator, private_key):
                     self.baselen
                 )
             )
-        self.__private_key = private_key
+        self.__private_key = bytes(private_key)
         self.__h = bytearray(self.curve.hash_func(private_key))
         self.__public_key = None
 
@@ -161,6 +176,21 @@ def __init__(self, generator, private_key):
         scalar = bytes_to_int(a, "little")
         self.__s = scalar
 
+    @property
+    def private_key(self):
+        return self.__private_key
+
+    def __eq__(self, other):
+        if isinstance(other, PrivateKey):
+            return (
+                self.curve == other.curve
+                and self.__private_key == other.__private_key
+            )
+        return NotImplemented
+
+    def __ne__(self, other):
+        return not self == other
+
     def _key_prune(self, key):
         # make sure the key is not in a small subgroup
         h = self.curve.cofactor()
@@ -196,6 +226,7 @@ def public_key(self):
 
     def sign(self, data):
         """Perform a Pure EdDSA signature over data."""
+        data = compat26_str(data)
         A = self.public_key().public_key()
 
         prefix = self.__h[self.baselen :]

src/ecdsa/ellipticcurve.py

@@ -1478,6 +1478,10 @@ def double(self):
             return INFINITY
         return PointEdwards(self.__curve, X3, Y3, Z3, T3, self.__order)
 
+    def __rmul__(self, other):
+        """Multiply point by an integer."""
+        return self * other
+
     def __mul__(self, other):
         """Multiply point by an integer."""
         X2, Y2, Z2, T2 = self.__coords