From 4caa5ee724d33b31e9cb7d57964b461ecec76c5a Mon Sep 17 00:00:00 2001 From: Jeffrey Walton Date: Thu, 7 Feb 2019 15:00:00 -0500 Subject: [PATCH] Add SecretToPublicKey function for ed25519 Also remove IsClamped. Clamping occurs with ed25519, but it happens inside the Donna code. It is not needed elsewhere for ed25519. --- donna_32.cpp | 2 +- xed25519.cpp | 32 ++++++++++---------------------- xed25519.h | 15 ++++----------- 3 files changed, 15 insertions(+), 34 deletions(-) diff --git a/donna_32.cpp b/donna_32.cpp index 98beb9bc3..c20f7b3ed 100644 --- a/donna_32.cpp +++ b/donna_32.cpp @@ -1739,7 +1739,7 @@ int curve25519_mult_CXX(byte sharedKey[32], const byte secretKey[32], const byte using namespace CryptoPP::Donna::X25519; FixedSizeSecBlock e; - for (size_t i = 0;i < 32;++i) + for (size_t i = 0; i < 32; ++i) e[i] = secretKey[i]; e[0] &= 0xf8; e[31] &= 0x7f; e[31] |= 0x40; diff --git a/xed25519.cpp b/xed25519.cpp index f8544f345..78d0f53dd 100644 --- a/xed25519.cpp +++ b/xed25519.cpp @@ -365,18 +365,12 @@ bool x25519::Agree(byte *agreedValue, const byte *privateKey, const byte *otherP // ******************** ed25519 Signer ************************* // -void ed25519PrivateKey::ClampKeys(byte y[PUBLIC_KEYLENGTH], byte x[SECRET_KEYLENGTH]) const +void ed25519PrivateKey::SecretToPublicKey(byte y[PUBLIC_KEYLENGTH], const byte x[SECRET_KEYLENGTH]) const { - x[0] &= 248; x[31] &= 127; x[31] |= 64; int ret = Donna::ed25519_publickey(y, x); CRYPTOPP_ASSERT(ret == 0); CRYPTOPP_UNUSED(ret); } -bool ed25519PrivateKey::IsClamped(const byte x[SECRET_KEYLENGTH]) const -{ - return (x[0] & 248) == x[0] && (x[31] & 127) == x[31] && (x[31] | 64) == x[31]; -} - bool ed25519PrivateKey::IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const { return HasSmallOrder(y); @@ -385,17 +379,14 @@ bool ed25519PrivateKey::IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const bool ed25519PrivateKey::Validate(RandomNumberGenerator &rng, unsigned int level) const { CRYPTOPP_UNUSED(rng); - CRYPTOPP_ASSERT(IsClamped(m_sk) == true); CRYPTOPP_ASSERT(IsSmallOrder(m_pk) == false); - if (level >= 1 && IsClamped(m_sk) == false) - return false; - if (level >= 2 && IsSmallOrder(m_pk) == true) + if (level >= 1 && IsSmallOrder(m_pk) == true) return false; if (level >= 3) { SecByteBlock sk(m_sk, SECRET_KEYLENGTH), pk(PUBLIC_KEYLENGTH); - ClampKeys(pk, sk); + SecretToPublicKey(pk, sk); // Secret key is already clamped, bufs are equal if (VerifyBufsEqual(pk, m_pk, PUBLIC_KEYLENGTH) == false) @@ -454,11 +445,10 @@ void ed25519PrivateKey::AssignFrom(const NameValuePairs &source) m_oid = oid; } - bool clamp = false; - if (source.GetValue("Clamp", clamp) && clamp == true) - ClampKeys(m_pk, m_sk); + bool derive = false; + if (source.GetValue("DerivePublicKey", derive) && derive == true) + SecretToPublicKey(m_pk, m_sk); - CRYPTOPP_ASSERT(IsClamped(m_sk) == true); CRYPTOPP_ASSERT(IsSmallOrder(m_pk) == false); } @@ -469,7 +459,6 @@ void ed25519PrivateKey::GenerateRandom(RandomNumberGenerator &rng, const NameVal rng.IncorporateEntropy(seed.begin(), seed.size()); rng.GenerateBlock(m_sk, SECRET_KEYLENGTH); - m_sk[0] &= 248; m_sk[31] &= 127; m_sk[31] |= 64; int ret = Donna::ed25519_publickey(m_pk, m_sk); CRYPTOPP_ASSERT(ret == 0); CRYPTOPP_UNUSED(ret); } @@ -537,7 +526,6 @@ void ed25519PrivateKey::BERDecode(BufferedTransformation &bt) if (generatePublicKey) Donna::ed25519_publickey(m_pk, m_sk); - CRYPTOPP_ASSERT(IsClamped(m_sk) == true); CRYPTOPP_ASSERT(IsSmallOrder(m_pk) == false); } @@ -601,7 +589,7 @@ void ed25519PrivateKey::SetPrivateExponent (const byte x[SECRET_KEYLENGTH]) { AssignFrom(MakeParameters (Name::PrivateExponent(), ConstByteArrayParameter(x, SECRET_KEYLENGTH)) - ("Clamp", true)); + ("DerivePublicKey", true)); } void ed25519PrivateKey::SetPrivateExponent (const Integer &x) @@ -613,7 +601,7 @@ void ed25519PrivateKey::SetPrivateExponent (const Integer &x) AssignFrom(MakeParameters (Name::PrivateExponent(), ConstByteArrayParameter(bx, SECRET_KEYLENGTH, false)) - ("Clamp", true)); + ("DerivePublicKey", true)); } const Integer& ed25519PrivateKey::GetPrivateExponent() const @@ -635,7 +623,7 @@ ed25519Signer::ed25519Signer(const byte x[SECRET_KEYLENGTH]) { AccessPrivateKey().AssignFrom(MakeParameters (Name::PrivateExponent(), ConstByteArrayParameter(x, SECRET_KEYLENGTH, false)) - ("Clamp", true)); + ("DerivePublicKey", true)); } ed25519Signer::ed25519Signer(const Integer &y, const Integer &x) @@ -661,7 +649,7 @@ ed25519Signer::ed25519Signer(const Integer &x) AccessPrivateKey().AssignFrom(MakeParameters (Name::PrivateExponent(), ConstByteArrayParameter(bx, SECRET_KEYLENGTH, false)) - ("Clamp", true)); + ("DerivePublicKey", true)); } ed25519Signer::ed25519Signer(RandomNumberGenerator &rng) diff --git a/xed25519.h b/xed25519.h index bb6ff228a..bf466f856 100644 --- a/xed25519.h +++ b/xed25519.h @@ -452,17 +452,6 @@ struct ed25519PrivateKey : public PKCS8PrivateKey void SetPrivateExponent(const Integer &x); const Integer& GetPrivateExponent() const; - /// \brief Clamp a private key - /// \param y public key - /// \param x private key - /// \details ClampKeys() clamps a private key and then regenerates the - /// public key from the private key. - void ClampKeys(byte y[PUBLIC_KEYLENGTH], byte x[SECRET_KEYLENGTH]) const; - - /// \brief Determine if private key is clamped - /// \param x private key - bool IsClamped(const byte x[SECRET_KEYLENGTH]) const; - /// \brief Test if a key has small order /// \param y public key bool IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const; @@ -481,6 +470,10 @@ struct ed25519PrivateKey : public PKCS8PrivateKey return m_pk.begin(); } +protected: + // Create a public key from a private key + void SecretToPublicKey(byte y[PUBLIC_KEYLENGTH], const byte x[SECRET_KEYLENGTH]) const; + protected: FixedSizeSecBlock m_sk; FixedSizeSecBlock m_pk;