diff options
Diffstat (limited to 'vendor/golang.org/x/crypto/ed25519/ed25519.go')
-rw-r--r-- | vendor/golang.org/x/crypto/ed25519/ed25519.go | 181 |
1 files changed, 0 insertions, 181 deletions
diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519.go b/vendor/golang.org/x/crypto/ed25519/ed25519.go deleted file mode 100644 index f1d9567..0000000 --- a/vendor/golang.org/x/crypto/ed25519/ed25519.go +++ /dev/null | |||
@@ -1,181 +0,0 @@ | |||
1 | // Copyright 2016 The Go Authors. All rights reserved. | ||
2 | // Use of this source code is governed by a BSD-style | ||
3 | // license that can be found in the LICENSE file. | ||
4 | |||
5 | // Package ed25519 implements the Ed25519 signature algorithm. See | ||
6 | // http://ed25519.cr.yp.to/. | ||
7 | // | ||
8 | // These functions are also compatible with the “Ed25519” function defined in | ||
9 | // https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-05. | ||
10 | package ed25519 | ||
11 | |||
12 | // This code is a port of the public domain, “ref10” implementation of ed25519 | ||
13 | // from SUPERCOP. | ||
14 | |||
15 | import ( | ||
16 | "crypto" | ||
17 | cryptorand "crypto/rand" | ||
18 | "crypto/sha512" | ||
19 | "crypto/subtle" | ||
20 | "errors" | ||
21 | "io" | ||
22 | "strconv" | ||
23 | |||
24 | "golang.org/x/crypto/ed25519/internal/edwards25519" | ||
25 | ) | ||
26 | |||
27 | const ( | ||
28 | // PublicKeySize is the size, in bytes, of public keys as used in this package. | ||
29 | PublicKeySize = 32 | ||
30 | // PrivateKeySize is the size, in bytes, of private keys as used in this package. | ||
31 | PrivateKeySize = 64 | ||
32 | // SignatureSize is the size, in bytes, of signatures generated and verified by this package. | ||
33 | SignatureSize = 64 | ||
34 | ) | ||
35 | |||
36 | // PublicKey is the type of Ed25519 public keys. | ||
37 | type PublicKey []byte | ||
38 | |||
39 | // PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer. | ||
40 | type PrivateKey []byte | ||
41 | |||
42 | // Public returns the PublicKey corresponding to priv. | ||
43 | func (priv PrivateKey) Public() crypto.PublicKey { | ||
44 | publicKey := make([]byte, PublicKeySize) | ||
45 | copy(publicKey, priv[32:]) | ||
46 | return PublicKey(publicKey) | ||
47 | } | ||
48 | |||
49 | // Sign signs the given message with priv. | ||
50 | // Ed25519 performs two passes over messages to be signed and therefore cannot | ||
51 | // handle pre-hashed messages. Thus opts.HashFunc() must return zero to | ||
52 | // indicate the message hasn't been hashed. This can be achieved by passing | ||
53 | // crypto.Hash(0) as the value for opts. | ||
54 | func (priv PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOpts) (signature []byte, err error) { | ||
55 | if opts.HashFunc() != crypto.Hash(0) { | ||
56 | return nil, errors.New("ed25519: cannot sign hashed message") | ||
57 | } | ||
58 | |||
59 | return Sign(priv, message), nil | ||
60 | } | ||
61 | |||
62 | // GenerateKey generates a public/private key pair using entropy from rand. | ||
63 | // If rand is nil, crypto/rand.Reader will be used. | ||
64 | func GenerateKey(rand io.Reader) (publicKey PublicKey, privateKey PrivateKey, err error) { | ||
65 | if rand == nil { | ||
66 | rand = cryptorand.Reader | ||
67 | } | ||
68 | |||
69 | privateKey = make([]byte, PrivateKeySize) | ||
70 | publicKey = make([]byte, PublicKeySize) | ||
71 | _, err = io.ReadFull(rand, privateKey[:32]) | ||
72 | if err != nil { | ||
73 | return nil, nil, err | ||
74 | } | ||
75 | |||
76 | digest := sha512.Sum512(privateKey[:32]) | ||
77 | digest[0] &= 248 | ||
78 | digest[31] &= 127 | ||
79 | digest[31] |= 64 | ||
80 | |||
81 | var A edwards25519.ExtendedGroupElement | ||
82 | var hBytes [32]byte | ||
83 | copy(hBytes[:], digest[:]) | ||
84 | edwards25519.GeScalarMultBase(&A, &hBytes) | ||
85 | var publicKeyBytes [32]byte | ||
86 | A.ToBytes(&publicKeyBytes) | ||
87 | |||
88 | copy(privateKey[32:], publicKeyBytes[:]) | ||
89 | copy(publicKey, publicKeyBytes[:]) | ||
90 | |||
91 | return publicKey, privateKey, nil | ||
92 | } | ||
93 | |||
94 | // Sign signs the message with privateKey and returns a signature. It will | ||
95 | // panic if len(privateKey) is not PrivateKeySize. | ||
96 | func Sign(privateKey PrivateKey, message []byte) []byte { | ||
97 | if l := len(privateKey); l != PrivateKeySize { | ||
98 | panic("ed25519: bad private key length: " + strconv.Itoa(l)) | ||
99 | } | ||
100 | |||
101 | h := sha512.New() | ||
102 | h.Write(privateKey[:32]) | ||
103 | |||
104 | var digest1, messageDigest, hramDigest [64]byte | ||
105 | var expandedSecretKey [32]byte | ||
106 | h.Sum(digest1[:0]) | ||
107 | copy(expandedSecretKey[:], digest1[:]) | ||
108 | expandedSecretKey[0] &= 248 | ||
109 | expandedSecretKey[31] &= 63 | ||
110 | expandedSecretKey[31] |= 64 | ||
111 | |||
112 | h.Reset() | ||
113 | h.Write(digest1[32:]) | ||
114 | h.Write(message) | ||
115 | h.Sum(messageDigest[:0]) | ||
116 | |||
117 | var messageDigestReduced [32]byte | ||
118 | edwards25519.ScReduce(&messageDigestReduced, &messageDigest) | ||
119 | var R edwards25519.ExtendedGroupElement | ||
120 | edwards25519.GeScalarMultBase(&R, &messageDigestReduced) | ||
121 | |||
122 | var encodedR [32]byte | ||
123 | R.ToBytes(&encodedR) | ||
124 | |||
125 | h.Reset() | ||
126 | h.Write(encodedR[:]) | ||
127 | h.Write(privateKey[32:]) | ||
128 | h.Write(message) | ||
129 | h.Sum(hramDigest[:0]) | ||
130 | var hramDigestReduced [32]byte | ||
131 | edwards25519.ScReduce(&hramDigestReduced, &hramDigest) | ||
132 | |||
133 | var s [32]byte | ||
134 | edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced) | ||
135 | |||
136 | signature := make([]byte, SignatureSize) | ||
137 | copy(signature[:], encodedR[:]) | ||
138 | copy(signature[32:], s[:]) | ||
139 | |||
140 | return signature | ||
141 | } | ||
142 | |||
143 | // Verify reports whether sig is a valid signature of message by publicKey. It | ||
144 | // will panic if len(publicKey) is not PublicKeySize. | ||
145 | func Verify(publicKey PublicKey, message, sig []byte) bool { | ||
146 | if l := len(publicKey); l != PublicKeySize { | ||
147 | panic("ed25519: bad public key length: " + strconv.Itoa(l)) | ||
148 | } | ||
149 | |||
150 | if len(sig) != SignatureSize || sig[63]&224 != 0 { | ||
151 | return false | ||
152 | } | ||
153 | |||
154 | var A edwards25519.ExtendedGroupElement | ||
155 | var publicKeyBytes [32]byte | ||
156 | copy(publicKeyBytes[:], publicKey) | ||
157 | if !A.FromBytes(&publicKeyBytes) { | ||
158 | return false | ||
159 | } | ||
160 | edwards25519.FeNeg(&A.X, &A.X) | ||
161 | edwards25519.FeNeg(&A.T, &A.T) | ||
162 | |||
163 | h := sha512.New() | ||
164 | h.Write(sig[:32]) | ||
165 | h.Write(publicKey[:]) | ||
166 | h.Write(message) | ||
167 | var digest [64]byte | ||
168 | h.Sum(digest[:0]) | ||
169 | |||
170 | var hReduced [32]byte | ||
171 | edwards25519.ScReduce(&hReduced, &digest) | ||
172 | |||
173 | var R edwards25519.ProjectiveGroupElement | ||
174 | var b [32]byte | ||
175 | copy(b[:], sig[32:]) | ||
176 | edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b) | ||
177 | |||
178 | var checkR [32]byte | ||
179 | R.ToBytes(&checkR) | ||
180 | return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1 | ||
181 | } | ||