crypto: signing and verifying not supported for ed25519/ed448

[mscdex]

• Version: master
• Platform: n/a
• Subsystem: crypto

From https://www.openssl.org/docs/manmaster/man7/Ed25519.html:

The PureEdDSA algorithm does not support the streaming mechanism of other signature algorithms using, for example, EVP_DigestUpdate(). The message to sign or verify must be passed using the one-shot EVP_DigestSign() and EVP_DigestVerify() functions.

When calling EVP_DigestSignInit() or EVP_DigestVerifyInit(), the digest type parameter MUST be set to NULL.

I'm not sure how we want to implement support for this in node, perhaps with special algorithm names for crypto.createSign()/crypto.createVerify() that only permit a single call to .update() or that buffer all data passed to each .update() for the one-shot sign/verify at the end?

[bnoordhuis]

that only permit a single call to .update()

That would be my preference. Buffering is a performance pitfall and DoS vector.

[tniessen]

I agree with @bnoordhuis. Also, we have a similar behavior for Cipher in CCM mode which does not support streaming either.

[mscdex]

Well there will still have to be some kind of buffering (the single chunk) if we're going to allow some compatibility with the existing API.

There's also the problem of what users are expected to use for the algorithm name with createSign()/createVerify()? Do they specify something like 'ed25519', despite not being a valid hash name and then also have to verify that if the algorithm was 'ed25519' that the user supplies an 'ed25519' key to match?

We could avoid all of this if we added a separate one-shot sign/verify API, but I'm not sure what that would look like or if people would support something like that.

[tniessen]

That's a good question...

The PureEdDSA algorithm does not support the streaming mechanism of other signature algorithms using, for example, EVP_DigestUpdate(). The message to sign or verify must be passed using the one-shot EVP_DigestSign() and EVP_DigestVerify() functions.

When calling EVP_DigestSignInit() or EVP_DigestVerifyInit(), the digest type parameter MUST be set to NULL.

You are right, this makes compatibility with our existing APIs difficult.

[mscdex]

/cc @nodejs/collaborators ideas? thoughts?

[sam-github]

I would support a one-shot API. Usually, crypto APIs have a one-shot, and a multi-shot API.

I'm also fine if its possible to implement with the restriction of single-call-to-update. That sounds like it might have to involve some unique to ed shenanigans, and would need to allow the 'digest' to be the 'signature algorithm' (like 'pureeddsa-sha512').

How widely used is PureEdDSA? Requiring two passes is pretty unusual.

[mscdex]

How widely used is PureEdDSA

It's used by ed25519 (and ed448 for that matter), which is used for modern SSH keys for example.