v
Зеркало из https://github.com/vlang/v
1module ed25519
2
3import crypto.rand
4import crypto.sha512
5import crypto.internal.subtle
6import crypto.ed25519.internal.edwards25519
7
8// public_key_size is the sizeof public keys in bytes
9pub const public_key_size = 32
10
11// private_key_size is the sizeof private keys in bytes
12pub const private_key_size = 64
13
14// signature_size is the size of signatures generated and verified by this modules, in bytes.
15pub const signature_size = 64
16
17// seed_size is the size of private key seeds in bytes
18pub const seed_size = 32
19
20// `PublicKey` is Ed25519 public keys.
21pub type PublicKey = []u8
22
23// equal reports whether p and x have the same value.
24pub fn (p PublicKey) equal(x []u8) bool {
25return subtle.constant_time_compare(p, PublicKey(x)) == 1
26}
27
28// PrivateKey is Ed25519 private keys
29pub type PrivateKey = []u8
30
31// seed returns the private key seed corresponding to priv.
32// RFC 8032's private keys correspond to seeds in this module.
33pub fn (priv PrivateKey) seed() []u8 {
34mut seed := []u8{len: seed_size}
35copy(mut seed, priv[..32])
36return seed
37}
38
39// public_key returns the []u8 corresponding to priv.
40pub fn (priv PrivateKey) public_key() PublicKey {
41assert priv.len == private_key_size
42mut publickey := []u8{len: public_key_size}
43copy(mut publickey, priv[32..])
44return PublicKey(publickey)
45}
46
47// currentyly x not `crypto.PrivateKey`
48pub fn (priv PrivateKey) equal(x []u8) bool {
49return subtle.constant_time_compare(priv, PrivateKey(x)) == 1
50}
51
52// sign signs the given message with priv.
53pub fn (priv PrivateKey) sign(message []u8) ![]u8 {
54/*
55if opts.HashFunc() != crypto.Hash(0) {
56return nil, errors.New("ed25519: cannot sign hashed message")
57}*/
58
59return sign(priv, message)
60}
61
62// sign`signs the message with privatekey and returns a signature
63pub fn sign(privatekey PrivateKey, message []u8) ![]u8 {
64mut signature := []u8{len: signature_size}
65sign_generic(mut signature, privatekey, message)!
66return signature
67}
68
69fn sign_generic(mut signature []u8, privatekey []u8, message []u8) ! {
70if privatekey.len != private_key_size {
71panic('ed25519: bad private key length: ${privatekey.len}')
72}
73seed, publickey := privatekey[..seed_size], privatekey[seed_size..]
74
75mut h := sha512.sum512(seed)
76mut s := edwards25519.new_scalar()
77s.set_bytes_with_clamping(h[..32])!
78mut prefix := unsafe { h[32..] }
79
80mut mh := sha512.new()
81mh.write(prefix)!
82mh.write(message)!
83
84mut msg_digest := []u8{cap: sha512.size}
85msg_digest = mh.sum(msg_digest)
86
87mut r := edwards25519.new_scalar()
88r.set_uniform_bytes(msg_digest)!
89
90mut rr := edwards25519.Point{}
91rr.scalar_base_mult(mut r)
92
93mut kh := sha512.new()
94kh.write(rr.bytes())!
95kh.write(publickey)!
96kh.write(message)!
97
98mut hram_digest := []u8{cap: sha512.size}
99hram_digest = kh.sum(hram_digest)
100mut k := edwards25519.new_scalar()
101k.set_uniform_bytes(hram_digest)!
102
103mut ss := edwards25519.new_scalar()
104ss.multiply_add(k, s, r)
105
106copy(mut signature[..32], rr.bytes())
107copy(mut signature[32..], ss.bytes())
108}
109
110// verify reports whether sig is a valid signature of message by publickey.
111pub fn verify(publickey PublicKey, message []u8, sig []u8) !bool {
112if publickey.len != public_key_size {
113return error('ed25519: bad public key length: ${publickey.len}')
114}
115
116if sig.len != signature_size || sig[63] & 224 != 0 {
117return false
118}
119
120mut aa := edwards25519.Point{}
121aa.set_bytes(publickey)!
122
123mut kh := sha512.new()
124kh.write(sig[..32])!
125kh.write(publickey)!
126kh.write(message)!
127
128mut hram_digest := []u8{cap: sha512.size}
129hram_digest = kh.sum(hram_digest)
130
131mut k := edwards25519.new_scalar()
132k.set_uniform_bytes(hram_digest)!
133
134mut ss := edwards25519.new_scalar()
135ss.set_canonical_bytes(sig[32..])!
136
137// [S]B = R + [k]A --> [k](-A) + [S]B = R
138mut minus_a := edwards25519.Point{}
139minus_a.negate(aa)
140mut rr := edwards25519.Point{}
141rr.vartime_double_scalar_base_mult(k, minus_a, ss)
142
143return subtle.constant_time_compare(sig[..32], rr.bytes()) == 1
144}
145
146// generate_key generates a public/private key pair entropy using `crypto.rand`.
147pub fn generate_key() !(PublicKey, PrivateKey) {
148mut seed := rand.bytes(seed_size)!
149
150privatekey := new_key_from_seed(seed)
151mut publickey := []u8{len: public_key_size}
152copy(mut publickey, privatekey[32..])
153
154return publickey, privatekey
155}
156
157// new_key_from_seed calculates a private key from a seed. private keys of RFC 8032
158// correspond to seeds in this module
159pub fn new_key_from_seed(seed []u8) PrivateKey {
160// Outline the function body so that the returned key can be stack-allocated.
161mut privatekey := []u8{len: private_key_size}
162new_key_from_seed_generic(mut privatekey, seed)
163return PrivateKey(privatekey)
164}
165
166fn new_key_from_seed_generic(mut privatekey []u8, seed []u8) {
167if seed.len != seed_size {
168panic('ed25519: bad seed length: ${seed.len}')
169}
170
171mut h := sha512.sum512(seed)
172mut s := edwards25519.new_scalar()
173s.set_bytes_with_clamping(h[..32]) or { panic(err) }
174mut aa := edwards25519.Point{}
175aa.scalar_base_mult(mut s)
176
177mut publickey := aa.bytes()
178
179copy(mut privatekey, seed)
180copy(mut privatekey[32..], publickey)
181}
182