crypto-refresh: add support for new Ed25519 key and signature format

This addition is backwards compatible. We offer no way to generate v4 keys in the new format.

src/crypto/crypto.js

@@ -145,7 +145,8 @@ export function parsePublicKeyParams(algo, bytes) {
       const Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
       return { read: read, publicParams: { oid, Q } };
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
       const oid = new OID(); read += oid.read(bytes);
       checkSupportedCurve(oid);
       let Q = util.readMPI(bytes.subarray(read)); read += Q.length + 2;
@@ -159,6 +160,10 @@ export function parsePublicKeyParams(algo, bytes) {
       const kdfParams = new KDFParams(); read += kdfParams.read(bytes.subarray(read));
       return { read: read, publicParams: { oid, Q, kdfParams } };
     }
+    case enums.publicKey.ed25519: {
+      const A = bytes.subarray(read, read + 32); read += A.length;
+      return { read, publicParams: { A } };
+    }
     default:
       throw new UnsupportedError('Unknown public key encryption algorithm.');
   }
@@ -195,12 +200,17 @@ export function parsePrivateKeyParams(algo, bytes, publicParams) {
       d = util.leftPad(d, curve.payloadSize);
       return { read, privateParams: { d } };
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
       const curve = new Curve(publicParams.oid);
       let seed = util.readMPI(bytes.subarray(read)); read += seed.length + 2;
       seed = util.leftPad(seed, curve.payloadSize);
       return { read, privateParams: { seed } };
     }
+    case enums.publicKey.ed25519: {
+      const seed = bytes.subarray(read, read + 32); read += seed.length;
+      return { read, privateParams: { seed } };
+    }
     default:
       throw new UnsupportedError('Unknown public key encryption algorithm.');
   }
@@ -250,9 +260,12 @@ export function parseEncSessionKeyParams(algo, bytes) {
  * @returns {Uint8Array} The array containing the MPIs.
  */
 export function serializeParams(algo, params) {
+  // Some algorithms do not rely on MPIs to store the binary params
+  const algosWithNativeRepresentation = new Set([enums.publicKey.ed25519]);
   const orderedParams = Object.keys(params).map(name => {
     const param = params[name];
-    return util.isUint8Array(param) ? util.uint8ArrayToMPI(param) : param.write();
+    if (!util.isUint8Array(param)) return param.write();
+    return algosWithNativeRepresentation.has(algo) ? param : util.uint8ArrayToMPI(param);
   });
   return util.concatUint8Array(orderedParams);
 }
@@ -281,6 +294,7 @@ export function generateParams(algo, bits, oid) {
         publicParams: { oid: new OID(oid), Q }
       }));
     case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy:
       return publicKey.elliptic.generate(oid).then(({ oid, Q, secret }) => ({
         privateParams: { seed: secret },
         publicParams: { oid: new OID(oid), Q }
@@ -294,6 +308,11 @@ export function generateParams(algo, bits, oid) {
           kdfParams: new KDFParams({ hash, cipher })
         }
       }));
+    case enums.publicKey.ed25519:
+      return publicKey.elliptic.eddsa.generate(algo).then(({ A, seed }) => ({
+        privateParams: { seed },
+        publicParams: { A }
+      }));
     case enums.publicKey.dsa:
     case enums.publicKey.elgamal:
       throw new Error('Unsupported algorithm for key generation.');
@@ -339,10 +358,16 @@ export async function validateParams(algo, publicParams, privateParams) {
       const { d } = privateParams;
       return algoModule.validateParams(oid, Q, d);
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
-      const { oid, Q } = publicParams;
+    case enums.publicKey.ed25519Legacy: {
+      const { Q, oid } = publicParams;
       const { seed } = privateParams;
-      return publicKey.elliptic.eddsa.validateParams(oid, Q, seed);
+      return publicKey.elliptic.eddsaLegacy.validateParams(oid, Q, seed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicParams;
+      const { seed } = privateParams;
+      return publicKey.elliptic.eddsa.validateParams(algo, A, seed);
     }
     default:
       throw new Error('Unknown public key algorithm.');

src/crypto/public_key/elliptic/eddsa.js

@@ -26,12 +26,30 @@ import nacl from '@openpgp/tweetnacl/nacl-fast-light';
 import util from '../../../util';
 import enums from '../../../enums';
 import hash from '../../hash';
+import { getRandomBytes } from '../../random';
 
 nacl.hash = bytes => new Uint8Array(sha512().update(bytes).digest());
 
+/**
+ * Generate (non-legacy) EdDSA key
+ * @param {module:enums.publicKey} algo - Algorithm identifier
+ * @returns Promise<{ A, seed }>
+ */
+export async function generate(algo) {
+  switch (algo) {
+    case enums.publicKey.ed25519: {
+      const seed = getRandomBytes(32);
+      const { publicKey: A } = nacl.sign.keyPair.fromSeed(seed);
+      return { A, seed };
+    }
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+}
+
 /**
  * Sign a message using the provided key
- * @param {module:type/oid} oid - Elliptic curve object identifier
+ * @param {module:enums.publicKey} algo - Algorithm identifier
  * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
  * @param {Uint8Array} message - Message to sign
  * @param {Uint8Array} publicKey - Public key
@@ -43,55 +61,67 @@ nacl.hash = bytes => new Uint8Array(sha512().update(bytes).digest());
  * }>} Signature of the message
  * @async
  */
-export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) {
+export async function sign(algo, hashAlgo, message, publicKey, privateKey, hashed) {
   if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
     // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
     throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
   }
-  const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
+  switch (algo) {
-  const signature = nacl.sign.detached(hashed, secretKey);
+    case enums.publicKey.ed25519: {
-  // EdDSA signature params are returned in little-endian format
+      const secretKey = util.concatUint8Array([privateKey, publicKey]);
-  return {
+      const signature = nacl.sign.detached(hashed, secretKey);
-    r: signature.subarray(0, 32),
+      return { RS: signature };
-    s: signature.subarray(32)
+    }
-  };
+    case enums.publicKey.ed448:
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
+
 }
 
 /**
  * Verifies if a signature is valid for a message
- * @param {module:type/oid} oid - Elliptic curve object identifier
+ * @param {module:enums.publicKey} algo - Algorithm identifier
  * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
- * @param  {{r: Uint8Array,
+ * @param  {{ RS: Uint8Array }} signature Signature to verify the message
-             s: Uint8Array}}   signature Signature to verify the message
  * @param {Uint8Array} m - Message to verify
  * @param {Uint8Array} publicKey - Public key used to verify the message
  * @param {Uint8Array} hashed - The hashed message
  * @returns {Boolean}
  * @async
  */
-export async function verify(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+export async function verify(algo, hashAlgo, { RS }, m, publicKey, hashed) {
-  const signature = util.concatUint8Array([r, s]);
+  switch (algo) {
-  return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1));
+    case enums.publicKey.ed25519: {
+      return nacl.sign.detached.verify(hashed, RS, publicKey);
+    }
+    case enums.publicKey.ed448:
+    default:
+      throw new Error('Unsupported EdDSA algorithm');
+  }
 }
 /**
- * Validate EdDSA parameters
+ * Validate (non-legacy) EdDSA parameters
- * @param {module:type/oid} oid - Elliptic curve object identifier
+ * @param {module:enums.publicKey} algo - Algorithm identifier
- * @param {Uint8Array} Q - EdDSA public point
+ * @param {Uint8Array} A - EdDSA public point
  * @param {Uint8Array} k - EdDSA secret seed
+ * @param {Uint8Array} oid - (legacy only) EdDSA OID
  * @returns {Promise<Boolean>} Whether params are valid.
  * @async
  */
-export async function validateParams(oid, Q, k) {
+export async function validateParams(algo, A, k) {
-  // Check whether the given curve is supported
+  switch (algo) {
-  if (oid.getName() !== 'ed25519') {
+    case enums.publicKey.ed25519: {
-    return false;
+      /**
-  }
+       * Derive public point A' from private key
+       * and expect A == A'
+       */
+      const { publicKey } = nacl.sign.keyPair.fromSeed(k);
+      return util.equalsUint8Array(A, publicKey);
+    }
 
-  /**
+    case enums.publicKey.ed448: // unsupported
-   * Derive public point Q' = dG from private key
+    default:
-   * and expect Q == Q'
+      return false;
-   */
+  }
-  const { publicKey } = nacl.sign.keyPair.fromSeed(k);
-  const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
-  return util.equalsUint8Array(Q, dG);
 }

src/crypto/public_key/elliptic/eddsa_legacy.js

@@ -0,0 +1,99 @@
+// OpenPGP.js - An OpenPGP implementation in javascript
+// Copyright (C) 2018 Proton Technologies AG
+//
+// This library is free software; you can redistribute it and/or
+// modify it under the terms of the GNU Lesser General Public
+// License as published by the Free Software Foundation; either
+// version 3.0 of the License, or (at your option) any later version.
+//
+// This library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+// Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public
+// License along with this library; if not, write to the Free Software
+// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+
+/**
+ * @fileoverview Implementation of legacy EdDSA following RFC4880bis-03 for OpenPGP.
+ * This key type has been deprecated by the crypto-refresh RFC.
+ * @module crypto/public_key/elliptic/eddsa_legacy
+ * @private
+ */
+
+import sha512 from 'hash.js/lib/hash/sha/512';
+import nacl from '@openpgp/tweetnacl/nacl-fast-light';
+import util from '../../../util';
+import enums from '../../../enums';
+import hash from '../../hash';
+
+nacl.hash = bytes => new Uint8Array(sha512().update(bytes).digest());
+
+/**
+ * Sign a message using the provided legacy EdDSA key
+ * @param {module:type/oid} oid - Elliptic curve object identifier
+ * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger)
+ * @param {Uint8Array} message - Message to sign
+ * @param {Uint8Array} publicKey - Public key
+ * @param {Uint8Array} privateKey - Private key used to sign the message
+ * @param {Uint8Array} hashed - The hashed message
+ * @returns {Promise<{
+ *   r: Uint8Array,
+ *   s: Uint8Array
+ * }>} Signature of the message
+ * @async
+ */
+export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) {
+  if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) {
+    // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2
+    throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.');
+  }
+  const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]);
+  const signature = nacl.sign.detached(hashed, secretKey);
+  // EdDSA signature params are returned in little-endian format
+  return {
+    r: signature.subarray(0, 32),
+    s: signature.subarray(32)
+  };
+}
+
+/**
+ * Verifies if a legacy EdDSA signature is valid for a message
+ * @param {module:type/oid} oid - Elliptic curve object identifier
+ * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature
+ * @param  {{r: Uint8Array,
+             s: Uint8Array}}   signature Signature to verify the message
+ * @param {Uint8Array} m - Message to verify
+ * @param {Uint8Array} publicKey - Public key used to verify the message
+ * @param {Uint8Array} hashed - The hashed message
+ * @returns {Boolean}
+ * @async
+ */
+export async function verify(oid, hashAlgo, { r, s }, m, publicKey, hashed) {
+  const signature = util.concatUint8Array([r, s]);
+  return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1));
+}
+/**
+ * Validate legacy EdDSA parameters
+ * @param {module:type/oid} oid - Elliptic curve object identifier
+ * @param {Uint8Array} Q - EdDSA public point
+ * @param {Uint8Array} k - EdDSA secret seed
+ * @returns {Promise<Boolean>} Whether params are valid.
+ * @async
+ */
+export async function validateParams(oid, Q, k) {
+  // Check whether the given curve is supported
+  if (oid.getName() !== 'ed25519') {
+    return false;
+  }
+
+  /**
+   * Derive public point Q' = dG from private key
+   * and expect Q == Q'
+   */
+  const { publicKey } = nacl.sign.keyPair.fromSeed(k);
+  const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix
+  return util.equalsUint8Array(Q, dG);
+
+}

src/crypto/public_key/elliptic/index.js

@@ -27,9 +27,10 @@
 
 import { Curve, generate, getPreferredHashAlgo } from './curves';
 import * as ecdsa from './ecdsa';
+import * as eddsaLegacy from './eddsa_legacy';
 import * as eddsa from './eddsa';
 import * as ecdh from './ecdh';
 
 export {
-  Curve, ecdh, ecdsa, eddsa, generate, getPreferredHashAlgo
+  Curve, ecdh, ecdsa, eddsaLegacy, eddsa, generate, getPreferredHashAlgo
 };

src/crypto/signature.js

@@ -43,10 +43,11 @@ export function parseSignatureParams(algo, signature) {
       const s = util.readMPI(signature.subarray(read));
       return { r, s };
     }
-    // Algorithm-Specific Fields for EdDSA signatures:
+    // Algorithm-Specific Fields for legacy EdDSA signatures:
     // -  MPI of an EC point r.
     // -  EdDSA value s, in MPI, in the little endian representation
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
       // When parsing little-endian MPI data, we always need to left-pad it, as done with big-endian values:
       // https://www.ietf.org/archive/id/draft-ietf-openpgp-rfc4880bis-10.html#section-3.2-9
       let r = util.readMPI(signature.subarray(read)); read += r.length + 2;
@@ -55,6 +56,12 @@ export function parseSignatureParams(algo, signature) {
       s = util.leftPad(s, 32);
       return { r, s };
     }
+    // Algorithm-Specific Fields for Ed25519 signatures:
+    // - 64 octets of the native signature
+    case enums.publicKey.ed25519: {
+      const RS = signature.subarray(read, read + 64); read += RS.length;
+      return { RS };
+    }
     default:
       throw new UnsupportedError('Unknown signature algorithm.');
   }
@@ -96,10 +103,15 @@ export async function verify(algo, hashAlgo, signature, publicParams, data, hash
       const s = util.leftPad(signature.s, curveSize);
       return publicKey.elliptic.ecdsa.verify(oid, hashAlgo, { r, s }, data, Q, hashed);
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
       const { oid, Q } = publicParams;
       // signature already padded on parsing
-      return publicKey.elliptic.eddsa.verify(oid, hashAlgo, signature, data, Q, hashed);
+      return publicKey.elliptic.eddsaLegacy.verify(oid, hashAlgo, signature, data, Q, hashed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicParams;
+      return publicKey.elliptic.eddsa.verify(algo, hashAlgo, signature, data, A, hashed);
     }
     default:
       throw new Error('Unknown signature algorithm.');
@@ -146,10 +158,16 @@ export async function sign(algo, hashAlgo, publicKeyParams, privateKeyParams, da
       const { d } = privateKeyParams;
       return publicKey.elliptic.ecdsa.sign(oid, hashAlgo, data, Q, d, hashed);
     }
-    case enums.publicKey.eddsa: {
+    case enums.publicKey.eddsa:
+    case enums.publicKey.ed25519Legacy: {
       const { oid, Q } = publicKeyParams;
       const { seed } = privateKeyParams;
-      return publicKey.elliptic.eddsa.sign(oid, hashAlgo, data, Q, seed, hashed);
+      return publicKey.elliptic.eddsaLegacy.sign(oid, hashAlgo, data, Q, seed, hashed);
+    }
+    case enums.publicKey.ed25519: {
+      const { A } = publicKeyParams;
+      const { seed } = privateKeyParams;
+      return publicKey.elliptic.eddsa.sign(algo, hashAlgo, data, A, seed, hashed);
     }
     default:
       throw new Error('Unknown signature algorithm.');

src/enums.js

@@ -90,7 +90,7 @@ export default {
     gnu: 101
   },
 
-  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-9.1|RFC4880bis-04, section 9.1}
+  /** {@link https://tools.ietf.org/html/draft-ietf-openpgp-crypto-refresh-08.html#section-9.1|crypto-refresh RFC, section 9.1}
    * @enum {Integer}
    * @readonly
    */
@@ -109,13 +109,22 @@ export default {
     ecdh: 18,
     /** ECDSA (Sign only) [RFC6637] */
     ecdsa: 19,
-    /** EdDSA (Sign only)
+    /** EdDSA (Sign only) - deprecated by crypto-refresh (replaced by `ed25519` identifier below)
      * [{@link https://tools.ietf.org/html/draft-koch-eddsa-for-openpgp-04|Draft RFC}] */
-    eddsa: 22,
+    ed25519Legacy: 22, // NB: this is declared before `eddsa` to translate 22 to 'eddsa' for backwards compatibility
+    eddsa: 22, // to be deprecated in v6
     /** Reserved for AEDH */
     aedh: 23,
     /** Reserved for AEDSA */
-    aedsa: 24
+    aedsa: 24,
+    /** ECDH 25519 (encrypt only) */
+    x25519: 25,
+    /** ECDH 448 (encrypt only) */
+    x448: 26,
+    /** EdDSA 25519 (sign only) */
+    ed25519: 27,
+    /** EdDSA 448 (sign only) */
+    eddsa448: 28
   },
 
   /** {@link https://tools.ietf.org/html/rfc4880#section-9.2|RFC4880, section 9.2}

src/packet/public_key.js

@@ -260,7 +260,7 @@ class PublicKeyPacket {
     const modulo = this.publicParams.n || this.publicParams.p;
     if (modulo) {
       result.bits = util.uint8ArrayBitLength(modulo);
-    } else {
+    } else if (this.publicParams.oid) {
       result.curve = this.publicParams.oid.getName();
     }
     return result;

test/crypto/validate.js

@@ -87,7 +87,7 @@ async function generatePrivateKeyObject(options) {
 
 /* eslint-disable no-invalid-this */
 module.exports = () => {
-  describe('EdDSA parameter validation', function() {
+  describe('EdDSA parameter validation (legacy format)', function() {
     let eddsaKey;
     before(async () => {
       eddsaKey = await generatePrivateKeyObject({ curve: 'ed25519' });

test/general/key.js

@@ -3012,6 +3012,22 @@ zWBsBR8VnoOVfEE+VQk6YAi7cTSjcMjfsIez9FYtAQDKo9aCMhUohYyqvhZjn8aS
     })).to.be.rejectedWith(/Cannot read KDFParams/);
   });
 
+  it('Parsing V4 key using new curve25519 format', async function() {
+    const privateKey = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xUkEZBw5PBscroGar9fsilA0q9AX979pBhTNkGQ69vQGGW7kxRxNuABB+eAw
+JrQ9A3o1gUJg28ORTQd72+kFo87184qR97a6rRGFzQR0ZXN0wogEEBsIAD4F
+gmQcOTwECwkHCAmQT/m+Rl22Ps8DFQgKBBYAAgECGQECmwMCHgEWIQSUlOfm
+G7MWJd2909ZP+b5GXbY+zwAAVs/4pWH4l7pWcTATBavVqSATMKi4A+usp89G
+J/qaHc+qmcEpIMmPNvLQ7n4F4kEXk8Zwz+OXovVWLQ+Njl5gzooF
+=wYg1
+-----END PGP PRIVATE KEY BLOCK-----` });
+    // sanity checks
+    await expect(privateKey.validate()).to.be.fulfilled;
+    const signingKey = await privateKey.getSigningKey();
+    expect(signingKey.keyPacket.algorithm).to.equal(openpgp.enums.publicKey.ed25519);
+  });
+
   it('Testing key ID and fingerprint for V4 keys', async function() {
     const pubKeysV4 = await openpgp.readKeys({ armoredKeys: twoKeys });
     expect(pubKeysV4).to.exist;
@@ -4077,7 +4093,7 @@ XvmoLueOOShu01X/kaylMqaT8w==
       await subkey.verify();
     });
 
-    it('sign/verify data with the new subkey correctly using curve25519', async function() {
+    it('sign/verify data with the new subkey correctly using curve25519 (legacy format)', async function() {
       const userID = { name: 'test', email: 'a@b.com' };
       const opt = { curve: 'curve25519', userIDs: [userID], format: 'object', subkeys:[] };
       const { privateKey } = await openpgp.generateKey(opt);

test/general/openpgp.js

@@ -4035,6 +4035,34 @@ bsZgJWVlAa5eil6J9ePX2xbo1vVAkLQdzE9+1jL+l7PRIZuVBQ==
           expect(await verified.signatures[0].verified).to.be.true;
         });
       });
+
+      it('sign/verify with new Ed25519 format', async function () {
+        // v4 key, which we do not support generating
+        const privateKey = await openpgp.readKey({ armoredKey: `-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+xUkEZBw5PBscroGar9fsilA0q9AX979pBhTNkGQ69vQGGW7kxRxNuABB+eAw
+JrQ9A3o1gUJg28ORTQd72+kFo87184qR97a6rRGFzQR0ZXN0wogEEBsIAD4F
+gmQcOTwECwkHCAmQT/m+Rl22Ps8DFQgKBBYAAgECGQECmwMCHgEWIQSUlOfm
+G7MWJd2909ZP+b5GXbY+zwAAVs/4pWH4l7pWcTATBavVqSATMKi4A+usp89G
+J/qaHc+qmcEpIMmPNvLQ7n4F4kEXk8Zwz+OXovVWLQ+Njl5gzooF
+=wYg1
+-----END PGP PRIVATE KEY BLOCK-----
+  ` });
+        const plaintext = 'plaintext';
+
+        const signed = await openpgp.sign({
+          message: await openpgp.createMessage({ text: plaintext }),
+          signingKeys: privateKey
+        });
+
+        const { signatures, data } = await openpgp.verify({
+          message: await openpgp.readMessage({ armoredMessage: signed }),
+          verificationKeys: privateKey
+        });
+        expect(data).to.equal(plaintext);
+        expect(signatures).to.have.length(1);
+        expect(await signatures[0].verified).to.be.true;
+      });
     });
 
     describe('Errors', function() {

test/general/streaming.js

@@ -730,7 +730,7 @@ function tests() {
     expect(await verified.signatures[0].verified).to.be.true;
   });
 
-  it('Detached sign small message using x25519 curve keys', async function() {
+  it('Detached sign small message using curve25519 keys (legacy format)', async function() {
     dataArrived(); // Do not wait until data arrived.
     const data = global.ReadableStream ? new global.ReadableStream({
       async start(controller) {