// OpenPGP.js - An OpenPGP implementation in javascript // Copyright (C) 2018 Proton Technologies AG // // This library is free software; you can redistribute it and/or // modify it under the terms of the GNU Lesser General Public // License as published by the Free Software Foundation; either // version 3.0 of the License, or (at your option) any later version. // // This library is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU // Lesser General Public License for more details. // // You should have received a copy of the GNU Lesser General Public // License along with this library; if not, write to the Free Software // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA /** * @fileoverview Implementation of EdDSA following RFC4880bis-03 for OpenPGP * @module crypto/public_key/elliptic/eddsa * @private */ import sha512 from 'hash.js/lib/hash/sha/512'; import nacl from '@openpgp/tweetnacl/nacl-fast-light.js'; import util from '../../../util'; import enums from '../../../enums'; import hash from '../../hash'; nacl.hash = bytes => new Uint8Array(sha512().update(bytes).digest()); /** * Sign a message using the provided key * @param {module:type/oid} oid - Elliptic curve object identifier * @param {module:enums.hash} hashAlgo - Hash algorithm used to sign (must be sha256 or stronger) * @param {Uint8Array} message - Message to sign * @param {Uint8Array} publicKey - Public key * @param {Uint8Array} privateKey - Private key used to sign the message * @param {Uint8Array} hashed - The hashed message * @returns {Promise<{ * r: Uint8Array, * s: Uint8Array * }>} Signature of the message * @async */ export async function sign(oid, hashAlgo, message, publicKey, privateKey, hashed) { if (hash.getHashByteLength(hashAlgo) < hash.getHashByteLength(enums.hash.sha256)) { // see https://tools.ietf.org/id/draft-ietf-openpgp-rfc4880bis-10.html#section-15-7.2 throw new Error('Hash algorithm too weak: sha256 or stronger is required for EdDSA.'); } const secretKey = util.concatUint8Array([privateKey, publicKey.subarray(1)]); const signature = nacl.sign.detached(hashed, secretKey); // EdDSA signature params are returned in little-endian format return { r: signature.subarray(0, 32), s: signature.subarray(32) }; } /** * Verifies if a signature is valid for a message * @param {module:type/oid} oid - Elliptic curve object identifier * @param {module:enums.hash} hashAlgo - Hash algorithm used in the signature * @param {{r: Uint8Array, s: Uint8Array}} signature Signature to verify the message * @param {Uint8Array} m - Message to verify * @param {Uint8Array} publicKey - Public key used to verify the message * @param {Uint8Array} hashed - The hashed message * @returns {Boolean} * @async */ export async function verify(oid, hashAlgo, { r, s }, m, publicKey, hashed) { const signature = util.concatUint8Array([r, s]); return nacl.sign.detached.verify(hashed, signature, publicKey.subarray(1)); } /** * Validate EdDSA parameters * @param {module:type/oid} oid - Elliptic curve object identifier * @param {Uint8Array} Q - EdDSA public point * @param {Uint8Array} k - EdDSA secret seed * @returns {Promise} Whether params are valid. * @async */ export async function validateParams(oid, Q, k) { // Check whether the given curve is supported if (oid.getName() !== 'ed25519') { return false; } /** * Derive public point Q' = dG from private key * and expect Q == Q' */ const { publicKey } = nacl.sign.keyPair.fromSeed(k); const dG = new Uint8Array([0x40, ...publicKey]); // Add public key prefix return util.equalsUint8Array(Q, dG); }