ed25519 1.2.4-java

data/Rakefile

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+
+require "rake/clean"
+CLEAN.include("**/*.o", "**/*.so", "**/*.bundle", "*.jar", "pkg", "tmp")
+
+if defined? JRUBY_VERSION
+  require "rake/javaextensiontask"
+  Rake::JavaExtensionTask.new("ed25519_jruby") do |ext|
+    ext.ext_dir = "ext/ed25519_jruby"
+  end
+else
+  require "rake/extensiontask"
+
+  Rake::ExtensionTask.new("ed25519_ref10") do |ext|
+    ext.ext_dir = "ext/ed25519_ref10"
+  end
+end
+
+require "rspec/core/rake_task"
+RSpec::Core::RakeTask.new
+
+require "rubocop/rake_task"
+RuboCop::RakeTask.new
+
+task default: %w[compile spec rubocop]

data/appveyor.yml

@@ -0,0 +1,21 @@
+branches:
+  only:
+    - master
+
+environment:
+  PATH: C:\Ruby%RUBY_VERSION%\DevKit\mingw\bin;C:\Ruby%RUBY_VERSION%\bin;C:\Ruby%RUBY_VERSION%\DevKit\bin;%PATH%
+  matrix:
+  - RUBY_VERSION: "21-x64"
+  - RUBY_VERSION: "22-x64"
+  - RUBY_VERSION: "23-x64"
+  - RUBY_VERSION: "24-x64"
+
+build: off
+
+test_script:
+  - SET RAKEOPT=-rdevkit
+  - ruby -v
+  - gem -v
+  - bundle -v
+  - bundle
+  - bundle exec rake compile spec

data/ed25519.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require File.expand_path("lib/ed25519/version", __dir__)
+
+Gem::Specification.new do |spec|
+  spec.name          = "ed25519"
+  spec.version       = Ed25519::VERSION
+  spec.authors       = ["Tony Arcieri"]
+  spec.email         = ["tony.arcieri@gmail.com"]
+  spec.summary       = "An efficient digital signature library providing the Ed25519 algorithm"
+  spec.description = <<-DESCRIPTION.strip.gsub(/\s+/, " ")
+    A Ruby binding to the Ed25519 elliptic curve public-key signature system
+    described in RFC 8032.
+  DESCRIPTION
+  spec.homepage      = "https://github.com/crypto-rb/ed25519"
+  spec.license       = "MIT"
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  if defined? JRUBY_VERSION
+    spec.platform = "java"
+    spec.files << "lib/ed25519_jruby.jar"
+  else
+    spec.platform   = Gem::Platform::RUBY
+    spec.extensions = ["ext/ed25519_ref10/extconf.rb"]
+  end
+
+  spec.required_ruby_version = ">= 2.0.0"
+  spec.add_development_dependency "bundler", "~> 1.16"
+end

data/ext/ed25519_jruby/LICENSE.txt

@@ -0,0 +1,123 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.
+
+For more information, please see https://creativecommons.org/publicdomain/zero/1.0/

data/ext/ed25519_jruby/README.md

@@ -0,0 +1,77 @@
+EdDSA-Java
+==========
+
+[![Build Status](https://travis-ci.org/str4d/ed25519-java.svg?branch=master)](https://travis-ci.org/str4d/ed25519-java)
+
+This is an implementation of EdDSA in Java. Structurally, it is based on the ref10 implementation in SUPERCOP (see https://ed25519.cr.yp.to/software.html).
+
+There are two internal implementations:
+* A port of the radix-2^51 operations in ref10 - fast and constant-time, but only useful for Ed25519.
+* A generic version using BigIntegers for calculation - a bit slower and not constant-time, but compatible with any EdDSA parameter specification.
+
+
+To use
+------
+
+Download the latest .jar from the releases tab and place it in your classpath.
+
+Gradle users:
+
+```
+compile 'net.i2p.crypto:eddsa:0.2.0'
+```
+
+The code requires Java 6 (for e.g. the `Arrays.copyOfRange()` calls in `EdDSAEngine.engineVerify()`).
+
+The JUnit4 tests require the Hamcrest library `hamcrest-all.jar`.
+
+This code is released to the public domain and can be used for any purpose. See `LICENSE.txt` for details.
+
+Disclaimer
+----------
+
+There are **no** guarantees that this is secure for all cases, and users should
+review the code themselves before depending on it. PRs that fix bugs or improve
+reviewability are very welcome. Additionally:
+
+- The unit test suite includes tests against
+  [the data from the original Python implementation](https://ed25519.cr.yp.to/python/sign.input).
+- The code (as of 97cea3f0d910fc627c7b57b1bc4d783cdd0c2a4a) was reviewed by
+  [an independent developer](https://github.com/BloodyRookie).
+- The code (as of dc9f58f2c874463c15465326efc040d17a627b3a) was audited by an independent third party,
+  and the one issue found [was fixed](https://github.com/str4d/ed25519-java/pull/31).
+
+Code comparison
+---------------
+
+For ease of following, here are the main methods in ref10 and their equivalents in this codebase:
+
+| EdDSA Operation | ref10 function | Java function |
+| --------------- | -------------- | ------------- |
+| Generate keypair | `crypto_sign_keypair` | `EdDSAPrivateKeySpec` constructor |
+| Sign message | `crypto_sign` | `EdDSAEngine.engineSign` |
+| Verify signature | `crypto_sign_open` | `EdDSAEngine.engineVerify` |
+
+| EdDSA point arithmetic | ref10 function | Java function |
+| ---------------------- | -------------- | ------------- |
+| `R = b * B` | `ge_scalarmult_base` | `GroupElement.scalarMultiply` |
+| `R = a*A + b*B` | `ge_double_scalarmult_vartime` | `GroupElement.doubleScalarMultiplyVariableTime` |
+| `R = 2 * P` | `ge_p2_dbl` | `GroupElement.dbl` |
+| `R = P + Q` | `ge_madd`, `ge_add` | `GroupElement.madd`, `GroupElement.add` |
+| `R = P - Q` | `ge_msub`, `ge_sub` | `GroupElement.msub`, `GroupElement.sub` |
+
+
+Important changes
+-----------------
+
+### 0.2.0
+
+- Ed25519 is now named `Ed25519` in `EdDSANamedCurveTable`, and the previous public constant
+  (containing the older inaccurate name) has been removed.
+
+Credits
+-------
+
+* The Ed25519 class was originally ported by k3d3 from [the Python Ed25519 reference implementation](https://ed25519.cr.yp.to/python/ed25519.py).
+* Useful comments and tweaks were found in [the GNUnet implementation of Ed25519](https://gnunet.org/svn/gnunet-java/src/main/java/org/gnunet/util/crypto/) (based on k3d3's class).
+* [BloodyRookie](https://github.com/BloodyRookie) reviewed the code, adding many useful comments, unit tests and literature.

data/ext/ed25519_jruby/net/i2p/crypto/eddsa/EdDSAEngine.java

@@ -0,0 +1,491 @@
+/**
+ * EdDSA-Java by str4d
+ *
+ * To the extent possible under law, the person who associated CC0 with
+ * EdDSA-Java has waived all copyright and related or neighboring rights
+ * to EdDSA-Java.
+ *
+ * You should have received a copy of the CC0 legalcode along with this
+ * work. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.
+ *
+ */
+package net.i2p.crypto.eddsa;
+
+import java.io.ByteArrayOutputStream;
+import java.nio.ByteBuffer;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Arrays;
+
+import net.i2p.crypto.eddsa.math.Curve;
+import net.i2p.crypto.eddsa.math.GroupElement;
+import net.i2p.crypto.eddsa.math.ScalarOps;
+import sun.security.x509.X509Key;
+
+/**
+ * Signing and verification for EdDSA.
+ *<p>
+ * The EdDSA sign and verify algorithms do not interact well with
+ * the Java Signature API, as one or more update() methods must be
+ * called before sign() or verify(). Using the standard API,
+ * this implementation must copy and buffer all data passed in
+ * via update().
+ *</p><p>
+ * This implementation offers two ways to avoid this copying,
+ * but only if all data to be signed or verified is available
+ * in a single byte array.
+ *</p><p>
+ *Option 1:
+ *</p><ol>
+ *<li>Call initSign() or initVerify() as usual.
+ *</li><li>Call setParameter(ONE_SHOT_MODE)
+ *</li><li>Call update(byte[]) or update(byte[], int, int) exactly once
+ *</li><li>Call sign() or verify() as usual.
+ *</li><li>If doing additional one-shot signs or verifies with this object, you must
+ *         call setParameter(ONE_SHOT_MODE) each time
+ *</li></ol>
+ *
+ *<p>
+ *Option 2:
+ *</p><ol>
+ *<li>Call initSign() or initVerify() as usual.
+ *</li><li>Call one of the signOneShot() or verifyOneShot() methods.
+ *</li><li>If doing additional one-shot signs or verifies with this object,
+ *         just call signOneShot() or verifyOneShot() again.
+ *</li></ol>
+ *
+ * @author str4d
+ *
+ */
+public final class EdDSAEngine extends Signature {
+    public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
+
+    private MessageDigest digest;
+    private ByteArrayOutputStream baos;
+    private EdDSAKey key;
+    private boolean oneShotMode;
+    private byte[] oneShotBytes;
+    private int oneShotOffset;
+    private int oneShotLength;
+
+    /**
+     *  To efficiently sign or verify data in one shot, pass this to setParameters()
+     *  after initSign() or initVerify() but BEFORE THE FIRST AND ONLY
+     *  update(data) or update(data, off, len). The data reference will be saved
+     *  and then used in sign() or verify() without copying the data.
+     *  Violate these rules and you will get a SignatureException.
+     */
+    public static final AlgorithmParameterSpec ONE_SHOT_MODE = new OneShotSpec();
+
+    private static class OneShotSpec implements AlgorithmParameterSpec {}
+
+    /**
+     * No specific EdDSA-internal hash requested, allows any EdDSA key.
+     */
+    public EdDSAEngine() {
+        super(SIGNATURE_ALGORITHM);
+    }
+
+    /**
+     * Specific EdDSA-internal hash requested, only matching keys will be allowed.
+     * @param digest the hash algorithm that keys must have to sign or verify.
+     */
+    public EdDSAEngine(MessageDigest digest) {
+        this();
+        this.digest = digest;
+    }
+
+    private void reset() {
+        if (digest != null)
+            digest.reset();
+        if (baos != null)
+            baos.reset();
+        oneShotMode = false;
+        oneShotBytes = null;
+    }
+
+    @Override
+    protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
+        reset();
+        if (privateKey instanceof EdDSAPrivateKey) {
+            EdDSAPrivateKey privKey = (EdDSAPrivateKey) privateKey;
+            key = privKey;
+
+            if (digest == null) {
+                // Instantiate the digest from the key parameters
+                try {
+                    digest = MessageDigest.getInstance(key.getParams().getHashAlgorithm());
+                } catch (NoSuchAlgorithmException e) {
+                    throw new InvalidKeyException("cannot get required digest " + key.getParams().getHashAlgorithm() + " for private key.");
+                }
+            } else if (!key.getParams().getHashAlgorithm().equals(digest.getAlgorithm()))
+                throw new InvalidKeyException("Key hash algorithm does not match chosen digest");
+            digestInitSign(privKey);
+        } else {
+            throw new InvalidKeyException("cannot identify EdDSA private key: " + privateKey.getClass());
+        }
+    }
+
+    private void digestInitSign(EdDSAPrivateKey privKey) {
+        // Preparing for hash
+        // r = H(h_b,...,h_2b-1,M)
+        int b = privKey.getParams().getCurve().getField().getb();
+        digest.update(privKey.getH(), b/8, b/4 - b/8);
+    }
+
+    @Override
+    protected void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
+        reset();
+        if (publicKey instanceof EdDSAPublicKey) {
+            key = (EdDSAPublicKey) publicKey;
+
+            if (digest == null) {
+                // Instantiate the digest from the key parameters
+                try {
+                    digest = MessageDigest.getInstance(key.getParams().getHashAlgorithm());
+                } catch (NoSuchAlgorithmException e) {
+                    throw new InvalidKeyException("cannot get required digest " + key.getParams().getHashAlgorithm() + " for private key.");
+                }
+            } else if (!key.getParams().getHashAlgorithm().equals(digest.getAlgorithm()))
+                throw new InvalidKeyException("Key hash algorithm does not match chosen digest");
+        } else if (publicKey instanceof X509Key) {
+            // X509Certificate will sometimes contain an X509Key rather than the EdDSAPublicKey itself; the contained
+            // key is valid but needs to be instanced as an EdDSAPublicKey before it can be used.
+            EdDSAPublicKey parsedPublicKey;
+            try {
+                parsedPublicKey = new EdDSAPublicKey(new X509EncodedKeySpec(publicKey.getEncoded()));
+            } catch (InvalidKeySpecException ex) {
+                throw new InvalidKeyException("cannot handle X.509 EdDSA public key: " + publicKey.getAlgorithm());
+            }
+            engineInitVerify(parsedPublicKey);
+        } else {
+            throw new InvalidKeyException("cannot identify EdDSA public key: " + publicKey.getClass());
+        }
+    }
+
+    /**
+     * @throws SignatureException if in one-shot mode
+     */
+    @Override
+    protected void engineUpdate(byte b) throws SignatureException {
+        if (oneShotMode)
+            throw new SignatureException("unsupported in one-shot mode");
+        if (baos == null)
+            baos = new ByteArrayOutputStream(256);
+        baos.write(b);
+    }
+
+    /**
+     * @throws SignatureException if one-shot rules are violated
+     */
+    @Override
+    protected void engineUpdate(byte[] b, int off, int len)
+            throws SignatureException {
+        if (oneShotMode) {
+            if (oneShotBytes != null)
+                throw new SignatureException("update() already called");
+            oneShotBytes = b;
+            oneShotOffset = off;
+            oneShotLength = len;
+        } else {
+            if (baos == null)
+                baos = new ByteArrayOutputStream(256);
+            baos.write(b, off, len);
+        }
+    }
+
+    @Override
+    protected byte[] engineSign() throws SignatureException {
+        try {
+            return x_engineSign();
+        } finally {
+            reset();
+            // must leave the object ready to sign again with
+            // the same key, as required by the API
+            EdDSAPrivateKey privKey = (EdDSAPrivateKey) key;
+            digestInitSign(privKey);
+        }
+    }
+
+    private byte[] x_engineSign() throws SignatureException {
+        Curve curve = key.getParams().getCurve();
+        ScalarOps sc = key.getParams().getScalarOps();
+        byte[] a = ((EdDSAPrivateKey) key).geta();
+
+        byte[] message;
+        int offset, length;
+        if (oneShotMode) {
+            if (oneShotBytes == null)
+                throw new SignatureException("update() not called first");
+            message = oneShotBytes;
+            offset = oneShotOffset;
+            length = oneShotLength;
+        } else {
+            if (baos == null)
+                message = new byte[0];
+            else
+                message = baos.toByteArray();
+            offset = 0;
+            length = message.length;
+        }
+        // r = H(h_b,...,h_2b-1,M)
+        digest.update(message, offset, length);
+        byte[] r = digest.digest();
+
+        // r mod l
+        // Reduces r from 64 bytes to 32 bytes
+        r = sc.reduce(r);
+
+        // R = rB
+        GroupElement R = key.getParams().getB().scalarMultiply(r);
+        byte[] Rbyte = R.toByteArray();
+
+        // S = (r + H(Rbar,Abar,M)*a) mod l
+        digest.update(Rbyte);
+        digest.update(((EdDSAPrivateKey) key).getAbyte());
+        digest.update(message, offset, length);
+        byte[] h = digest.digest();
+        h = sc.reduce(h);
+        byte[] S = sc.multiplyAndAdd(h, a, r);
+
+        // R+S
+        int b = curve.getField().getb();
+        ByteBuffer out = ByteBuffer.allocate(b/4);
+        out.put(Rbyte).put(S);
+        return out.array();
+    }
+
+    @Override
+    protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
+        try {
+            return x_engineVerify(sigBytes);
+        } finally {
+            reset();
+        }
+    }
+
+    private boolean x_engineVerify(byte[] sigBytes) throws SignatureException {
+        Curve curve = key.getParams().getCurve();
+        int b = curve.getField().getb();
+        if (sigBytes.length != b/4)
+            throw new SignatureException("signature length is wrong");
+
+        // R is first b/8 bytes of sigBytes, S is second b/8 bytes
+        digest.update(sigBytes, 0, b/8);
+        digest.update(((EdDSAPublicKey) key).getAbyte());
+        // h = H(Rbar,Abar,M)
+        byte[] message;
+        int offset, length;
+        if (oneShotMode) {
+            if (oneShotBytes == null)
+                throw new SignatureException("update() not called first");
+            message = oneShotBytes;
+            offset = oneShotOffset;
+            length = oneShotLength;
+        } else {
+            if (baos == null)
+                message = new byte[0];
+            else
+                message = baos.toByteArray();
+            offset = 0;
+            length = message.length;
+        }
+        digest.update(message, offset, length);
+        byte[] h = digest.digest();
+
+        // h mod l
+        h = key.getParams().getScalarOps().reduce(h);
+
+        byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
+        // R = SB - H(Rbar,Abar,M)A
+        GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
+                ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
+
+        // Variable time. This should be okay, because there are no secret
+        // values used anywhere in verification.
+        byte[] Rcalc = R.toByteArray();
+        for (int i = 0; i < Rcalc.length; i++) {
+            if (Rcalc[i] != sigBytes[i])
+                return false;
+        }
+        return true;
+    }
+
+    /**
+     *  To efficiently sign all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data)
+     *  sig = sign()
+     *</pre>
+     *
+     * @param data the message to be signed
+     * @return the signature
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public byte[] signOneShot(byte[] data) throws SignatureException {
+        return signOneShot(data, 0, data.length);
+    }
+
+    /**
+     *  To efficiently sign all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data, off, len)
+     *  sig = sign()
+     *</pre>
+     *
+     * @param data byte array containing the message to be signed
+     * @param off the start of the message inside data
+     * @param len the length of the message
+     * @return the signature
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public byte[] signOneShot(byte[] data, int off, int len) throws SignatureException {
+        oneShotMode = true;
+        update(data, off, len);
+        return sign();
+    }
+
+    /**
+     *  To efficiently verify all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data)
+     *  ok = verify(signature)
+     *</pre>
+     *
+     * @param data the message that was signed
+     * @param signature of the message
+     * @return true if the signature is valid, false otherwise
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public boolean verifyOneShot(byte[] data, byte[] signature) throws SignatureException {
+        return verifyOneShot(data, 0, data.length, signature, 0, signature.length);
+    }
+
+    /**
+     *  To efficiently verify all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data, off, len)
+     *  ok = verify(signature)
+     *</pre>
+     *
+     * @param data byte array containing the message that was signed
+     * @param off the start of the message inside data
+     * @param len the length of the message
+     * @param signature of the message
+     * @return true if the signature is valid, false otherwise
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public boolean verifyOneShot(byte[] data, int off, int len, byte[] signature) throws SignatureException {
+        return verifyOneShot(data, off, len, signature, 0, signature.length);
+    }
+
+    /**
+     *  To efficiently verify all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data)
+     *  ok = verify(signature, sigoff, siglen)
+     *</pre>
+     *
+     * @param data the message that was signed
+     * @param signature byte array containing the signature
+     * @param sigoff the start of the signature
+     * @param siglen the length of the signature
+     * @return true if the signature is valid, false otherwise
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public boolean verifyOneShot(byte[] data, byte[] signature, int sigoff, int siglen) throws SignatureException {
+        return verifyOneShot(data, 0, data.length, signature, sigoff, siglen);
+    }
+
+    /**
+     *  To efficiently verify all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data, off, len)
+     *  ok = verify(signature, sigoff, siglen)
+     *</pre>
+     *
+     * @param data byte array containing the message that was signed
+     * @param off the start of the message inside data
+     * @param len the length of the message
+     * @param signature byte array containing the signature
+     * @param sigoff the start of the signature
+     * @param siglen the length of the signature
+     * @return true if the signature is valid, false otherwise
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public boolean verifyOneShot(byte[] data, int off, int len, byte[] signature, int sigoff, int siglen) throws SignatureException {
+        oneShotMode = true;
+        update(data, off, len);
+        return verify(signature, sigoff, siglen);
+    }
+
+    /**
+     * @throws InvalidAlgorithmParameterException if spec is ONE_SHOT_MODE and update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec spec) throws InvalidAlgorithmParameterException {
+        if (spec.equals(ONE_SHOT_MODE)) {
+            if (oneShotBytes != null || (baos != null && baos.size() > 0))
+                throw new InvalidAlgorithmParameterException("update() already called");
+            oneShotMode = true;
+        } else {
+            super.engineSetParameter(spec);
+        }
+    }
+
+    /**
+     * @deprecated
+     */
+    @Override
+    protected void engineSetParameter(String param, Object value) {
+        throw new UnsupportedOperationException("engineSetParameter unsupported");
+    }
+
+    /**
+     * @deprecated
+     */
+    @Override
+    protected Object engineGetParameter(String param) {
+        throw new UnsupportedOperationException("engineSetParameter unsupported");
+    }
+}