18 ANONYMOUS_NAMESPACE_BEGIN
// Table of 32-byte Curve25519 encodings that HasSmallOrder() compares a
// public key against. Each row is an integer in little-endian order (the
// last byte holds the high bits); the grouping below can be read off the
// bytes directly:
//   rows 0-1  : 0 and 1
//   rows 2-3  : two coordinates below p
//   rows 4-6  : p-1, p, p+1            (p = 2^255-19 = ed ff..ff 7f)
//   rows 7-8  : rows 2-3 plus p         (non-canonical forms of the same values)
//   rows 9-11 : 2p-1, 2p, 2p+1          (d9/da/db followed by 31 x ff)
// The row count is taken with COUNTOF() by the caller, so the table must
// stay a plain fixed-width array; alignment is requested as 16 bytes.
CRYPTOPP_ALIGN_DATA(16)
const byte blacklist[][32] = {
    // row 0: 0
    { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
    // row 1: 1
    { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
    // row 2: first coordinate below p
    { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae,
      0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
      0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd,
      0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },
    // row 3: second coordinate below p
    { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24,
      0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b,
      0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86,
      0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },
    // row 4: p-1
    { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
    // row 5: p
    { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
    // row 6: p+1
    { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
    // row 7: row 2 + p
    { 0xcd, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae,
      0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
      0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd,
      0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 },
    // row 8: row 3 + p
    { 0x4c, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24,
      0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b,
      0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86,
      0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 },
    // row 9: 2p-1
    { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
    // row 10: 2p
    { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
    // row 11: 2p+1
    { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
      0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }
};
50 bool HasSmallOrder(
const byte y[32])
54 for (
size_t j = 0; j < 32; j++) {
55 for (
size_t i = 0; i <
COUNTOF(blacklist); i++) {
56 c[i] |= y[j] ^ blacklist[i][j];
61 for (
size_t i = 0; i <
COUNTOF(blacklist); i++) {
65 return (
bool)((k >> 8) & 1);
68 ANONYMOUS_NAMESPACE_END
74 x25519::
x25519(const
byte y[PUBLIC_KEYLENGTH], const
byte x[SECRET_KEYLENGTH])
76 std::memcpy(m_pk, y, PUBLIC_KEYLENGTH);
77 std::memcpy(m_sk, x, SECRET_KEYLENGTH);
120 SecretToPublicKey(m_pk, m_sk);
130 x[0] &= 248; x[31] &= 127; x[31] |= 64;
135 return (x[0] & 248) == x[0] && (x[31] & 127) == x[31] && (x[31] | 64) == x[31];
140 return HasSmallOrder(y);
143 void x25519::SecretToPublicKey(
byte y[PUBLIC_KEYLENGTH],
const byte x[SECRET_KEYLENGTH])
const
157 if (!m_oid.
Empty() && m_oid != oid)
159 else if (oid == ASN1::curve25519() || oid == ASN1::X25519() ||
160 oid ==
OID(1)+3+6+1+4+1+3029+1+5)
172 BERDecodeUnsigned<word32>(privateKeyInfo, version,
INTEGER, 0, 1);
177 algorithm.MessageEnd();
184 bool generatePublicKey =
true;
191 unsigned int unusedBits;
198 generatePublicKey =
false;
204 if (generatePublicKey)
218 DEREncodeUnsigned<word32>(privateKeyInfo, version);
222 algorithm.MessageEnd();
253 if (parametersPresent)
269 CRYPTOPP_UNUSED(rng);
273 if (level >= 1 &&
IsClamped(m_sk) ==
false)
281 SecretToPublicKey(pk, m_sk);
312 *
reinterpret_cast<OID *
>(pValue) = m_oid;
339 if (source.
GetValue(
"DerivePublicKey", derive) && derive ==
true)
340 SecretToPublicKey(m_pk, m_sk);
351 SecretToPublicKey(m_pk, m_sk);
362 CRYPTOPP_UNUSED(rng);
363 SecretToPublicKey(publicKey, privateKey);
366 bool x25519::Agree(
byte *agreedValue,
const byte *privateKey,
const byte *otherPublicKey,
bool validateOtherPublicKey)
const
371 if (validateOtherPublicKey &&
IsSmallOrder(otherPublicKey))
379 void ed25519PrivateKey::SecretToPublicKey(
byte y[PUBLIC_KEYLENGTH],
const byte x[SECRET_KEYLENGTH])
const
387 return HasSmallOrder(y);
392 CRYPTOPP_UNUSED(rng);
401 SecretToPublicKey(pk, m_sk);
432 *
reinterpret_cast<OID *
>(pValue) = m_oid;
460 if (source.
GetValue(
"DerivePublicKey", derive) && derive ==
true)
461 SecretToPublicKey(m_pk, m_sk);
491 if (!m_oid.
Empty() && m_oid != oid)
493 else if (oid == ASN1::curve25519() || oid == ASN1::Ed25519())
505 BERDecodeUnsigned<word32>(privateKeyInfo, version,
INTEGER, 0, 1);
510 algorithm.MessageEnd();
517 bool generatePublicKey =
true;
524 unsigned int unusedBits;
531 generatePublicKey =
false;
537 if (generatePublicKey)
550 DEREncodeUnsigned<word32>(privateKeyInfo, version);
554 algorithm.MessageEnd();
585 if (parametersPresent)
599 void ed25519PrivateKey::SetPrivateExponent (
const byte x[SECRET_KEYLENGTH])
603 (
"DerivePublicKey",
true));
606 void ed25519PrivateKey::SetPrivateExponent (
const Integer &x)
615 (
"DerivePublicKey",
true));
618 const Integer& ed25519PrivateKey::GetPrivateExponent()
const
637 (
"DerivePublicKey",
true));
663 (
"DerivePublicKey",
true));
727 *
reinterpret_cast<OID *
>(pValue) = m_oid;
756 if (!m_oid.
Empty() && m_oid != oid)
758 else if (oid == ASN1::curve25519() || oid == ASN1::Ed25519())
771 algorithm.MessageEnd();
784 algorithm.MessageEnd();
794 if (parametersPresent)
798 unsigned int unusedBits;
814 void ed25519PublicKey::SetPublicElement (
const byte y[PUBLIC_KEYLENGTH])
819 void ed25519PublicKey::SetPublicElement (
const Integer &y)
829 const Integer& ed25519PublicKey::GetPublicElement()
const
837 CRYPTOPP_UNUSED(rng); CRYPTOPP_UNUSED(level);
854 y.
Encode(by, PUBLIC_KEYLENGTH); std::reverse(by+0, by+PUBLIC_KEYLENGTH);
892 CRYPTOPP_UNUSED(signatureLen);