18 ANONYMOUS_NAMESPACE_BEGIN
// Encodings of Curve25519 u-coordinates that must be rejected when they arrive
// as a peer's public key. Each row is one 32-byte little-endian value.
// HasSmallOrder() below OR-accumulates (y[j] ^ blacklist[i][j]) over every row
// and every byte, so a key equal to any row is flagged without an early exit.
// IsSmallOrder() forwards to HasSmallOrder(); x25519::Agree() applies the check
// only when its validateOtherPublicKey argument is set.
// NOTE(review): the rows look like the small-order points (0, 1, the two
// order-8 points, p-1 with p = 2^255-19) followed by the same values with p and
// 2p added, i.e. their non-canonical encodings — confirm against the reference
// list before editing any row.
22 CRYPTOPP_ALIGN_DATA(16)
23 const
byte blacklist[][32] = {
24 { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
25 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },  // 0
26 { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
27 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },  // 1
28 { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
29 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },  // presumably an order-8 point
30 { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b,
31 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },  // presumably the other order-8 point
32 { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
33 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },  // p - 1
34 { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
35 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },  // p (non-canonical 0)
36 { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
37 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },  // p + 1 (non-canonical 1)
38 { 0xcd, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a,
39 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 },  // row 3 + p (non-canonical)
40 { 0x4c, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b,
41 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 },  // row 4 + p (non-canonical)
42 { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
43 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },  // 2p - 1
44 { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
45 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },  // 2p
46 { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
47 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }   // 2p + 1
50 bool HasSmallOrder(
const byte y[32])
54 for (
size_t j = 0; j < 32; j++) {
55 for (
size_t i = 0; i <
COUNTOF(blacklist); i++) {
56 c[i] |= y[j] ^ blacklist[i][j];
61 for (
size_t i = 0; i <
COUNTOF(blacklist); i++) {
65 return (
bool)((k >> 8) & 1);
68 ANONYMOUS_NAMESPACE_END
74 x25519::
x25519(const
byte y[PUBLIC_KEYLENGTH], const
byte x[SECRET_KEYLENGTH])
76 std::memcpy(m_pk, y, SECRET_KEYLENGTH);
77 std::memcpy(m_sk, x, PUBLIC_KEYLENGTH);
120 SecretToPublicKey(m_pk, m_sk);
130 x[0] &= 248; x[31] &= 127; x[31] |= 64;
135 return (x[0] & 248) == x[0] && (x[31] & 127) == x[31] && (x[31] | 64) == x[31];
140 return HasSmallOrder(y);
143 void x25519::SecretToPublicKey(
byte y[PUBLIC_KEYLENGTH],
const byte x[SECRET_KEYLENGTH])
const
155 if (!m_oid.
Empty() && m_oid != oid)
157 else if (oid == ASN1::curve25519() || oid == ASN1::X25519())
169 BERDecodeUnsigned<word32>(privateKeyInfo, version,
INTEGER, 0, 1);
174 algorithm.MessageEnd();
181 bool generatePublicKey =
true;
188 unsigned int unusedBits;
195 generatePublicKey =
false;
201 if (generatePublicKey)
215 DEREncodeUnsigned<word32>(privateKeyInfo, version);
219 algorithm.MessageEnd();
250 if (parametersPresent)
266 CRYPTOPP_UNUSED(rng);
270 if (level >= 1 &&
IsClamped(m_sk) ==
false)
278 SecretToPublicKey(pk, m_sk);
309 *
reinterpret_cast<OID *
>(pValue) = m_oid;
336 if (source.
GetValue(
"DerivePublicKey", derive) && derive ==
true)
337 SecretToPublicKey(m_pk, m_sk);
348 SecretToPublicKey(m_pk, m_sk);
359 CRYPTOPP_UNUSED(rng);
360 SecretToPublicKey(publicKey, privateKey);
363 bool x25519::Agree(
byte *agreedValue,
const byte *privateKey,
const byte *otherPublicKey,
bool validateOtherPublicKey)
const
368 if (validateOtherPublicKey &&
IsSmallOrder(otherPublicKey))
376 void ed25519PrivateKey::SecretToPublicKey(
byte y[PUBLIC_KEYLENGTH],
const byte x[SECRET_KEYLENGTH])
const
384 return HasSmallOrder(y);
389 CRYPTOPP_UNUSED(rng);
398 SecretToPublicKey(pk, m_sk);
429 *
reinterpret_cast<OID *
>(pValue) = m_oid;
457 if (source.
GetValue(
"DerivePublicKey", derive) && derive ==
true)
458 SecretToPublicKey(m_pk, m_sk);
488 if (!m_oid.
Empty() && m_oid != oid)
490 else if (oid == ASN1::curve25519() || oid == ASN1::Ed25519())
502 BERDecodeUnsigned<word32>(privateKeyInfo, version,
INTEGER, 0, 1);
507 algorithm.MessageEnd();
514 bool generatePublicKey =
true;
521 unsigned int unusedBits;
528 generatePublicKey =
false;
534 if (generatePublicKey)
547 DEREncodeUnsigned<word32>(privateKeyInfo, version);
551 algorithm.MessageEnd();
582 if (parametersPresent)
596 void ed25519PrivateKey::SetPrivateExponent (
const byte x[SECRET_KEYLENGTH])
600 (
"DerivePublicKey",
true));
603 void ed25519PrivateKey::SetPrivateExponent (
const Integer &x)
612 (
"DerivePublicKey",
true));
615 const Integer& ed25519PrivateKey::GetPrivateExponent()
const
634 (
"DerivePublicKey",
true));
660 (
"DerivePublicKey",
true));
716 *
reinterpret_cast<OID *
>(pValue) = m_oid;
745 if (!m_oid.
Empty() && m_oid != oid)
747 else if (oid == ASN1::curve25519() || oid == ASN1::Ed25519())
760 algorithm.MessageEnd();
773 algorithm.MessageEnd();
783 if (parametersPresent)
787 unsigned int unusedBits;
803 void ed25519PublicKey::SetPublicElement (
const byte y[PUBLIC_KEYLENGTH])
808 void ed25519PublicKey::SetPublicElement (
const Integer &y)
818 const Integer& ed25519PublicKey::GetPublicElement()
const
826 CRYPTOPP_UNUSED(rng); CRYPTOPP_UNUSED(level);
843 y.
Encode(by, PUBLIC_KEYLENGTH); std::reverse(by+0, by+PUBLIC_KEYLENGTH);
873 CRYPTOPP_UNUSED(signatureLen);