1use crate::{Array, BatchVerifier, PrivateKeyExt};
2use bytes::{Buf, BufMut};
3use commonware_codec::{Error as CodecError, FixedSize, Read, ReadExt, Write};
4use commonware_utils::{hex, union_unique};
5use ed25519_consensus::{self, VerificationKey};
6use rand::{CryptoRng, Rng, RngCore};
7use std::{
8 borrow::Cow,
9 fmt::{Debug, Display},
10 hash::{Hash, Hasher},
11 ops::Deref,
12};
13use zeroize::{Zeroize, ZeroizeOnDrop};
14
15const CURVE_NAME: &str = "ed25519";
16const PRIVATE_KEY_LENGTH: usize = 32;
17const PUBLIC_KEY_LENGTH: usize = 32;
18const SIGNATURE_LENGTH: usize = 64;
19
20#[derive(Clone, Zeroize, ZeroizeOnDrop)]
22pub struct PrivateKey {
23 raw: [u8; PRIVATE_KEY_LENGTH],
24 key: ed25519_consensus::SigningKey,
25}
26
27impl crate::PrivateKey for PrivateKey {}
28
29impl crate::Signer for PrivateKey {
30 type Signature = Signature;
31 type PublicKey = PublicKey;
32
33 fn sign(&self, namespace: Option<&[u8]>, msg: &[u8]) -> Self::Signature {
34 let sig = match namespace {
35 Some(namespace) => self.key.sign(&union_unique(namespace, msg)),
36 None => self.key.sign(msg),
37 };
38 Signature::from(sig)
39 }
40
41 fn public_key(&self) -> Self::PublicKey {
42 let raw = self.key.verification_key().to_bytes();
43 Self::PublicKey {
44 raw,
45 key: self.key.verification_key().to_owned(),
46 }
47 }
48}
49
50impl PrivateKeyExt for PrivateKey {
51 fn from_rng<R: Rng + CryptoRng>(rng: &mut R) -> Self {
52 let key = ed25519_consensus::SigningKey::new(rng);
53 let raw = key.to_bytes();
54 Self { raw, key }
55 }
56}
57
58impl Write for PrivateKey {
59 fn write(&self, buf: &mut impl BufMut) {
60 self.raw.write(buf);
61 }
62}
63
64impl Read for PrivateKey {
65 type Cfg = ();
66
67 fn read_cfg(buf: &mut impl Buf, _: &()) -> Result<Self, CodecError> {
68 let raw = <[u8; Self::SIZE]>::read(buf)?;
69 let key = ed25519_consensus::SigningKey::from(raw);
70 Ok(Self { raw, key })
71 }
72}
73
74impl FixedSize for PrivateKey {
75 const SIZE: usize = PRIVATE_KEY_LENGTH;
76}
77
78impl Array for PrivateKey {}
79
80impl Eq for PrivateKey {}
81
82impl Hash for PrivateKey {
83 fn hash<H: Hasher>(&self, state: &mut H) {
84 self.raw.hash(state);
85 }
86}
87
88impl PartialEq for PrivateKey {
89 fn eq(&self, other: &Self) -> bool {
90 self.raw == other.raw
91 }
92}
93
94impl Ord for PrivateKey {
95 fn cmp(&self, other: &Self) -> std::cmp::Ordering {
96 self.raw.cmp(&other.raw)
97 }
98}
99
100impl PartialOrd for PrivateKey {
101 fn partial_cmp(&self, other: &Self) -> Option<std::cmp::Ordering> {
102 Some(self.cmp(other))
103 }
104}
105
106impl AsRef<[u8]> for PrivateKey {
107 fn as_ref(&self) -> &[u8] {
108 &self.raw
109 }
110}
111
112impl Deref for PrivateKey {
113 type Target = [u8];
114 fn deref(&self) -> &[u8] {
115 &self.raw
116 }
117}
118
119impl From<ed25519_consensus::SigningKey> for PrivateKey {
120 fn from(key: ed25519_consensus::SigningKey) -> Self {
121 let raw = key.to_bytes();
122 Self { raw, key }
123 }
124}
125
126impl Debug for PrivateKey {
127 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
128 write!(f, "{}", hex(&self.raw))
129 }
130}
131
132impl Display for PrivateKey {
133 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
134 write!(f, "{}", hex(&self.raw))
135 }
136}
137
138#[derive(Clone, Eq, PartialEq, Ord, PartialOrd, Hash)]
140pub struct PublicKey {
141 raw: [u8; PUBLIC_KEY_LENGTH],
142 key: ed25519_consensus::VerificationKey,
143}
144
145impl From<PrivateKey> for PublicKey {
146 fn from(value: PrivateKey) -> Self {
147 let raw = value.key.verification_key().to_bytes();
148 Self {
149 raw,
150 key: value.key.verification_key(),
151 }
152 }
153}
154
155impl crate::PublicKey for PublicKey {}
156
157impl crate::Verifier for PublicKey {
158 type Signature = Signature;
159
160 fn verify(&self, namespace: Option<&[u8]>, msg: &[u8], sig: &Self::Signature) -> bool {
161 match namespace {
162 Some(namespace) => {
163 let payload = union_unique(namespace, msg);
164 self.key.verify(&sig.signature, &payload).is_ok()
165 }
166 None => self.key.verify(&sig.signature, msg).is_ok(),
167 }
168 }
169}
170
171impl Write for PublicKey {
172 fn write(&self, buf: &mut impl BufMut) {
173 self.raw.write(buf);
174 }
175}
176
177impl Read for PublicKey {
178 type Cfg = ();
179
180 fn read_cfg(buf: &mut impl Buf, _: &()) -> Result<Self, CodecError> {
181 let raw = <[u8; Self::SIZE]>::read(buf)?;
182 let key = VerificationKey::try_from(raw)
183 .map_err(|e| CodecError::Wrapped(CURVE_NAME, e.into()))?;
184 Ok(Self { raw, key })
185 }
186}
187
188impl FixedSize for PublicKey {
189 const SIZE: usize = PUBLIC_KEY_LENGTH;
190}
191
192impl Array for PublicKey {}
193
194impl AsRef<[u8]> for PublicKey {
195 fn as_ref(&self) -> &[u8] {
196 &self.raw
197 }
198}
199
200impl Deref for PublicKey {
201 type Target = [u8];
202 fn deref(&self) -> &[u8] {
203 &self.raw
204 }
205}
206
207impl From<VerificationKey> for PublicKey {
208 fn from(key: VerificationKey) -> Self {
209 let raw = key.to_bytes();
210 Self { raw, key }
211 }
212}
213
214impl Debug for PublicKey {
215 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
216 write!(f, "{}", hex(&self.raw))
217 }
218}
219
220impl Display for PublicKey {
221 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
222 write!(f, "{}", hex(&self.raw))
223 }
224}
225
226#[derive(Clone, Eq, PartialEq)]
228pub struct Signature {
229 raw: [u8; SIGNATURE_LENGTH],
230 signature: ed25519_consensus::Signature,
231}
232
233impl crate::Signature for Signature {}
234
235impl Write for Signature {
236 fn write(&self, buf: &mut impl BufMut) {
237 self.raw.write(buf);
238 }
239}
240
241impl Read for Signature {
242 type Cfg = ();
243
244 fn read_cfg(buf: &mut impl Buf, _: &()) -> Result<Self, CodecError> {
245 let raw = <[u8; Self::SIZE]>::read(buf)?;
246 let signature = ed25519_consensus::Signature::from(raw);
247 Ok(Self { raw, signature })
248 }
249}
250
251impl FixedSize for Signature {
252 const SIZE: usize = SIGNATURE_LENGTH;
253}
254
255impl Array for Signature {}
256
257impl Hash for Signature {
258 fn hash<H: Hasher>(&self, state: &mut H) {
259 self.raw.hash(state);
260 }
261}
262
263impl Ord for Signature {
264 fn cmp(&self, other: &Self) -> std::cmp::Ordering {
265 self.raw.cmp(&other.raw)
266 }
267}
268
269impl PartialOrd for Signature {
270 fn partial_cmp(&self, other: &Self) -> Option<std::cmp::Ordering> {
271 Some(self.cmp(other))
272 }
273}
274
275impl AsRef<[u8]> for Signature {
276 fn as_ref(&self) -> &[u8] {
277 &self.raw
278 }
279}
280
281impl Deref for Signature {
282 type Target = [u8];
283 fn deref(&self) -> &[u8] {
284 &self.raw
285 }
286}
287
288impl From<ed25519_consensus::Signature> for Signature {
289 fn from(value: ed25519_consensus::Signature) -> Self {
290 let raw = value.to_bytes();
291 Self {
292 raw,
293 signature: value,
294 }
295 }
296}
297
298impl Debug for Signature {
299 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
300 write!(f, "{}", hex(&self.raw))
301 }
302}
303
304impl Display for Signature {
305 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
306 write!(f, "{}", hex(&self.raw))
307 }
308}
309
310pub struct Batch {
312 verifier: ed25519_consensus::batch::Verifier,
313}
314
315impl BatchVerifier<PublicKey> for Batch {
316 fn new() -> Self {
317 Batch {
318 verifier: ed25519_consensus::batch::Verifier::new(),
319 }
320 }
321
322 fn add(
323 &mut self,
324 namespace: Option<&[u8]>,
325 message: &[u8],
326 public_key: &PublicKey,
327 signature: &Signature,
328 ) -> bool {
329 let payload = match namespace {
330 Some(namespace) => Cow::Owned(union_unique(namespace, message)),
331 None => Cow::Borrowed(message),
332 };
333 let item = ed25519_consensus::batch::Item::from((
334 public_key.key.into(),
335 signature.signature,
336 &payload,
337 ));
338 self.verifier.queue(item);
339 true
340 }
341
342 fn verify<R: RngCore + CryptoRng>(self, rng: &mut R) -> bool {
343 self.verifier.verify(rng).is_ok()
344 }
345}
346
347#[cfg(test)]
349mod tests {
350 use super::*;
351 use crate::{ed25519, Signer as _, Verifier as _};
352 use commonware_codec::{DecodeExt, Encode};
353 use rand::rngs::OsRng;
354
355 fn test_sign_and_verify(
356 private_key: PrivateKey,
357 public_key: PublicKey,
358 message: &[u8],
359 signature: Signature,
360 ) {
361 let computed_signature = private_key.sign(None, message);
362 assert_eq!(computed_signature, signature);
363 assert!(public_key.verify(None, message, &computed_signature));
364 }
365
366 fn parse_private_key(private_key: &str) -> PrivateKey {
367 PrivateKey::decode(
368 commonware_utils::from_hex_formatted(private_key)
369 .unwrap()
370 .as_ref(),
371 )
372 .unwrap()
373 }
374
375 fn parse_public_key(public_key: &str) -> PublicKey {
376 PublicKey::decode(
377 commonware_utils::from_hex_formatted(public_key)
378 .unwrap()
379 .as_ref(),
380 )
381 .unwrap()
382 }
383
384 fn parse_signature(signature: &str) -> Signature {
385 Signature::decode(
386 commonware_utils::from_hex_formatted(signature)
387 .unwrap()
388 .as_ref(),
389 )
390 .unwrap()
391 }
392
393 fn vector_1() -> (PrivateKey, PublicKey, Vec<u8>, Signature) {
394 (
395 parse_private_key(
397 "
398 9d61b19deffd5a60ba844af492ec2cc4
399 4449c5697b326919703bac031cae7f60
400 ",
401 ),
402 parse_public_key(
404 "
405 d75a980182b10ab7d54bfed3c964073a
406 0ee172f3daa62325af021a68f707511a
407 ",
408 ),
409 b"".to_vec(),
411 parse_signature(
413 "
414 e5564300c360ac729086e2cc806e828a
415 84877f1eb8e5d974d873e06522490155
416 5fb8821590a33bacc61e39701cf9b46b
417 d25bf5f0595bbe24655141438e7a100b
418 ",
419 ),
420 )
421 }
422
423 fn vector_2() -> (PrivateKey, PublicKey, Vec<u8>, Signature) {
424 (
425 parse_private_key(
427 "
428 4ccd089b28ff96da9db6c346ec114e0f
429 5b8a319f35aba624da8cf6ed4fb8a6fb
430 ",
431 ),
432 parse_public_key(
434 "
435 3d4017c3e843895a92b70aa74d1b7ebc
436 9c982ccf2ec4968cc0cd55f12af4660c
437 ",
438 ),
439 [0x72].to_vec(),
441 parse_signature(
443 "
444 92a009a9f0d4cab8720e820b5f642540
445 a2b27b5416503f8fb3762223ebdb69da
446 085ac1e43e15996e458f3613d0f11d8c
447 387b2eaeb4302aeeb00d291612bb0c00
448 ",
449 ),
450 )
451 }
452
453 #[test]
454 fn test_codec_private_key() {
455 let private_key = parse_private_key(
456 "
457 9d61b19deffd5a60ba844af492ec2cc4
458 4449c5697b326919703bac031cae7f60
459 ",
460 );
461 let encoded = private_key.encode();
462 assert_eq!(encoded.len(), PRIVATE_KEY_LENGTH);
463 let decoded = PrivateKey::decode(encoded).unwrap();
464 assert_eq!(private_key, decoded);
465 }
466
467 #[test]
468 fn test_codec_public_key() {
469 let public_key = parse_public_key(
470 "
471 d75a980182b10ab7d54bfed3c964073a
472 0ee172f3daa62325af021a68f707511a
473 ",
474 );
475 let encoded = public_key.encode();
476 assert_eq!(encoded.len(), PUBLIC_KEY_LENGTH);
477 let decoded = PublicKey::decode(encoded).unwrap();
478 assert_eq!(public_key, decoded);
479 }
480
481 #[test]
482 fn test_codec_signature() {
483 let signature = parse_signature(
484 "
485 e5564300c360ac729086e2cc806e828a
486 84877f1eb8e5d974d873e06522490155
487 5fb8821590a33bacc61e39701cf9b46b
488 d25bf5f0595bbe24655141438e7a100b
489 ",
490 );
491 let encoded = signature.encode();
492 assert_eq!(encoded.len(), SIGNATURE_LENGTH);
493 let decoded = Signature::decode(encoded).unwrap();
494 assert_eq!(signature, decoded);
495 }
496
497 #[test]
498 fn rfc8032_test_vector_1() {
499 let (private_key, public_key, message, signature) = vector_1();
500 test_sign_and_verify(private_key, public_key, &message, signature)
501 }
502
503 #[test]
505 #[should_panic]
506 fn bad_signature() {
507 let (private_key, public_key, message, _) = vector_1();
508 let private_key_2 = PrivateKey::from_rng(&mut OsRng);
509 let bad_signature = private_key_2.sign(None, message.as_ref());
510 test_sign_and_verify(private_key, public_key, &message, bad_signature);
511 }
512
513 #[test]
515 #[should_panic]
516 fn different_message() {
517 let (private_key, public_key, _, signature) = vector_1();
518 let different_message = b"this is a different message".to_vec();
519 test_sign_and_verify(private_key, public_key, &different_message, signature);
520 }
521
522 #[test]
523 fn rfc8032_test_vector_2() {
524 let (private_key, public_key, message, signature) = vector_2();
525 test_sign_and_verify(private_key, public_key, &message, signature)
526 }
527
528 #[test]
529 fn rfc8032_test_vector_3() {
530 let private_key = parse_private_key(
531 "
532 c5aa8df43f9f837bedb7442f31dcb7b1
533 66d38535076f094b85ce3a2e0b4458f7
534 ",
535 );
536 let public_key = parse_public_key(
537 "
538 fc51cd8e6218a1a38da47ed00230f058
539 0816ed13ba3303ac5deb911548908025
540 ",
541 );
542 let message: [u8; 2] = [0xaf, 0x82];
543 let signature = parse_signature(
544 "
545 6291d657deec24024827e69c3abe01a3
546 0ce548a284743a445e3680d7db5ac3ac
547 18ff9b538d16f290ae67f760984dc659
548 4a7c15e9716ed28dc027beceea1ec40a
549 ",
550 );
551 test_sign_and_verify(private_key, public_key, &message, signature)
552 }
553
554 #[test]
555 fn rfc8032_test_vector_1024() {
556 let private_key = parse_private_key(
557 "
558 f5e5767cf153319517630f226876b86c
559 8160cc583bc013744c6bf255f5cc0ee5
560 ",
561 );
562 let public_key = parse_public_key(
563 "
564 278117fc144c72340f67d0f2316e8386
565 ceffbf2b2428c9c51fef7c597f1d426e
566 ",
567 );
568 let message = commonware_utils::from_hex_formatted(
569 "
570 08b8b2b733424243760fe426a4b54908
571 632110a66c2f6591eabd3345e3e4eb98
572 fa6e264bf09efe12ee50f8f54e9f77b1
573 e355f6c50544e23fb1433ddf73be84d8
574 79de7c0046dc4996d9e773f4bc9efe57
575 38829adb26c81b37c93a1b270b20329d
576 658675fc6ea534e0810a4432826bf58c
577 941efb65d57a338bbd2e26640f89ffbc
578 1a858efcb8550ee3a5e1998bd177e93a
579 7363c344fe6b199ee5d02e82d522c4fe
580 ba15452f80288a821a579116ec6dad2b
581 3b310da903401aa62100ab5d1a36553e
582 06203b33890cc9b832f79ef80560ccb9
583 a39ce767967ed628c6ad573cb116dbef
584 efd75499da96bd68a8a97b928a8bbc10
585 3b6621fcde2beca1231d206be6cd9ec7
586 aff6f6c94fcd7204ed3455c68c83f4a4
587 1da4af2b74ef5c53f1d8ac70bdcb7ed1
588 85ce81bd84359d44254d95629e9855a9
589 4a7c1958d1f8ada5d0532ed8a5aa3fb2
590 d17ba70eb6248e594e1a2297acbbb39d
591 502f1a8c6eb6f1ce22b3de1a1f40cc24
592 554119a831a9aad6079cad88425de6bd
593 e1a9187ebb6092cf67bf2b13fd65f270
594 88d78b7e883c8759d2c4f5c65adb7553
595 878ad575f9fad878e80a0c9ba63bcbcc
596 2732e69485bbc9c90bfbd62481d9089b
597 eccf80cfe2df16a2cf65bd92dd597b07
598 07e0917af48bbb75fed413d238f5555a
599 7a569d80c3414a8d0859dc65a46128ba
600 b27af87a71314f318c782b23ebfe808b
601 82b0ce26401d2e22f04d83d1255dc51a
602 ddd3b75a2b1ae0784504df543af8969b
603 e3ea7082ff7fc9888c144da2af58429e
604 c96031dbcad3dad9af0dcbaaaf268cb8
605 fcffead94f3c7ca495e056a9b47acdb7
606 51fb73e666c6c655ade8297297d07ad1
607 ba5e43f1bca32301651339e22904cc8c
608 42f58c30c04aafdb038dda0847dd988d
609 cda6f3bfd15c4b4c4525004aa06eeff8
610 ca61783aacec57fb3d1f92b0fe2fd1a8
611 5f6724517b65e614ad6808d6f6ee34df
612 f7310fdc82aebfd904b01e1dc54b2927
613 094b2db68d6f903b68401adebf5a7e08
614 d78ff4ef5d63653a65040cf9bfd4aca7
615 984a74d37145986780fc0b16ac451649
616 de6188a7dbdf191f64b5fc5e2ab47b57
617 f7f7276cd419c17a3ca8e1b939ae49e4
618 88acba6b965610b5480109c8b17b80e1
619 b7b750dfc7598d5d5011fd2dcc5600a3
620 2ef5b52a1ecc820e308aa342721aac09
621 43bf6686b64b2579376504ccc493d97e
622 6aed3fb0f9cd71a43dd497f01f17c0e2
623 cb3797aa2a2f256656168e6c496afc5f
624 b93246f6b1116398a346f1a641f3b041
625 e989f7914f90cc2c7fff357876e506b5
626 0d334ba77c225bc307ba537152f3f161
627 0e4eafe595f6d9d90d11faa933a15ef1
628 369546868a7f3a45a96768d40fd9d034
629 12c091c6315cf4fde7cb68606937380d
630 b2eaaa707b4c4185c32eddcdd306705e
631 4dc1ffc872eeee475a64dfac86aba41c
632 0618983f8741c5ef68d3a101e8a3b8ca
633 c60c905c15fc910840b94c00a0b9d0
634 ",
635 )
636 .unwrap();
637 let signature = parse_signature(
638 "
639 0aab4c900501b3e24d7cdf4663326a3a
640 87df5e4843b2cbdb67cbf6e460fec350
641 aa5371b1508f9f4528ecea23c436d94b
642 5e8fcd4f681e30a6ac00a9704a188a03
643 ",
644 );
645 test_sign_and_verify(private_key, public_key, &message, signature)
646 }
647
648 #[test]
649 fn rfc8032_test_vector_sha() {
650 let private_key = commonware_utils::from_hex_formatted(
651 "
652 833fe62409237b9d62ec77587520911e
653 9a759cec1d19755b7da901b96dca3d42
654 ",
655 )
656 .unwrap();
657 let public_key = commonware_utils::from_hex_formatted(
658 "
659 ec172b93ad5e563bf4932c70e1245034
660 c35467ef2efd4d64ebf819683467e2bf
661 ",
662 )
663 .unwrap();
664 let message = commonware_utils::from_hex_formatted(
665 "
666 ddaf35a193617abacc417349ae204131
667 12e6fa4e89a97ea20a9eeee64b55d39a
668 2192992a274fc1a836ba3c23a3feebbd
669 454d4423643ce80e2a9ac94fa54ca49f
670 ",
671 )
672 .unwrap();
673 let signature = commonware_utils::from_hex_formatted(
674 "
675 dc2a4459e7369633a52b1bf277839a00
676 201009a3efbf3ecb69bea2186c26b589
677 09351fc9ac90b3ecfdfbc7c66431e030
678 3dca179c138ac17ad9bef1177331a704
679 ",
680 )
681 .unwrap();
682 test_sign_and_verify(
683 PrivateKey::decode(private_key.as_ref()).unwrap(),
684 PublicKey::decode(public_key.as_ref()).unwrap(),
685 &message,
686 Signature::decode(signature.as_ref()).unwrap(),
687 )
688 }
689
690 #[test]
691 fn batch_verify_valid() {
692 let v1 = vector_1();
693 let v2 = vector_2();
694 let mut batch = ed25519::Batch::new();
695 assert!(batch.add(None, &v1.2, &v1.1, &v1.3));
696 assert!(batch.add(None, &v2.2, &v2.1, &v2.3));
697 assert!(batch.verify(&mut rand::thread_rng()));
698 }
699
700 #[test]
701 fn batch_verify_invalid() {
702 let v1 = vector_1();
703 let v2 = vector_2();
704 let mut bad_signature = v2.3.to_vec();
705 bad_signature[3] = 0xff;
706
707 let mut batch = Batch::new();
708 assert!(batch.add(None, &v1.2, &v1.1, &v1.3));
709 assert!(batch.add(
710 None,
711 &v2.2,
712 &v2.1,
713 &Signature::decode(bad_signature.as_ref()).unwrap()
714 ));
715 assert!(!batch.verify(&mut rand::thread_rng()));
716 }
717
718 #[test]
719 fn test_zero_signature_fails() {
720 let (_, public_key, message, _) = vector_1();
721 let zero_sig = Signature::decode(vec![0u8; Signature::SIZE].as_ref()).unwrap();
722 assert!(!public_key.verify(None, &message, &zero_sig));
723 }
724
725 #[test]
726 fn test_high_s_fails() {
727 let (_, public_key, message, signature) = vector_1();
728 let mut bad_signature = signature.to_vec();
729 bad_signature[63] |= 0x80; let bad_signature = Signature::decode(bad_signature.as_ref()).unwrap();
731 assert!(!public_key.verify(None, &message, &bad_signature));
732 }
733
734 #[test]
735 fn test_invalid_r_fails() {
736 let (_, public_key, message, signature) = vector_1();
737 let mut bad_signature = signature.to_vec();
738 for b in bad_signature.iter_mut().take(32) {
739 *b = 0xff; }
741 let bad_signature = Signature::decode(bad_signature.as_ref()).unwrap();
742 assert!(!public_key.verify(None, &message, &bad_signature));
743 }
744}