ed25519 1.0.0-jruby → 1.1.0-jruby

data/ext/ed25519_jruby/net/i2p/crypto/eddsa/spec/EdDSAGenParameterSpec.java

@@ -0,0 +1,32 @@
+/**
+ * EdDSA-Java by str4d
+ *
+ * To the extent possible under law, the person who associated CC0 with
+ * EdDSA-Java has waived all copyright and related or neighboring rights
+ * to EdDSA-Java.
+ *
+ * You should have received a copy of the CC0 legalcode along with this
+ * work. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.
+ *
+ */
+package net.i2p.crypto.eddsa.spec;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * Implementation of AlgorithmParameterSpec that holds the name of a named
+ * EdDSA curve specification.
+ * @author str4d
+ *
+ */
+public class EdDSAGenParameterSpec implements AlgorithmParameterSpec {
+    private final String name;
+
+    public EdDSAGenParameterSpec(String stdName) {
+        name = stdName;
+    }
+
+    public String getName() {
+        return name;
+    }
+}

data/ext/ed25519_jruby/net/i2p/crypto/eddsa/spec/EdDSANamedCurveSpec.java

@@ -0,0 +1,35 @@
+/**
+ * EdDSA-Java by str4d
+ *
+ * To the extent possible under law, the person who associated CC0 with
+ * EdDSA-Java has waived all copyright and related or neighboring rights
+ * to EdDSA-Java.
+ *
+ * You should have received a copy of the CC0 legalcode along with this
+ * work. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.
+ *
+ */
+package net.i2p.crypto.eddsa.spec;
+
+import net.i2p.crypto.eddsa.math.Curve;
+import net.i2p.crypto.eddsa.math.GroupElement;
+import net.i2p.crypto.eddsa.math.ScalarOps;
+
+/**
+ * EdDSA Curve specification that can also be referred to by name.
+ * @author str4d
+ *
+ */
+public class EdDSANamedCurveSpec extends EdDSAParameterSpec {
+    private final String name;
+
+    public EdDSANamedCurveSpec(String name, Curve curve,
+            String hashAlgo, ScalarOps sc, GroupElement B) {
+        super(curve, hashAlgo, sc, B);
+        this.name = name;
+    }
+
+    public String getName() {
+        return name;
+    }
+}

data/ext/ed25519_jruby/net/i2p/crypto/eddsa/spec/EdDSANamedCurveTable.java

@@ -0,0 +1,71 @@
+/**
+ * EdDSA-Java by str4d
+ *
+ * To the extent possible under law, the person who associated CC0 with
+ * EdDSA-Java has waived all copyright and related or neighboring rights
+ * to EdDSA-Java.
+ *
+ * You should have received a copy of the CC0 legalcode along with this
+ * work. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.
+ *
+ */
+package net.i2p.crypto.eddsa.spec;
+
+import java.util.Hashtable;
+import java.util.Locale;
+
+import net.i2p.crypto.eddsa.Utils;
+import net.i2p.crypto.eddsa.math.Curve;
+import net.i2p.crypto.eddsa.math.Field;
+import net.i2p.crypto.eddsa.math.ed25519.Ed25519LittleEndianEncoding;
+import net.i2p.crypto.eddsa.math.ed25519.Ed25519ScalarOps;
+
+/**
+ * The named EdDSA curves.
+ * @author str4d
+ *
+ */
+public class EdDSANamedCurveTable {
+    public static final String ED_25519 = "Ed25519";
+
+    private static final Field ed25519field = new Field(
+                    256, // b
+                    Utils.hexToBytes("edffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f"), // q
+                    new Ed25519LittleEndianEncoding());
+
+    private static final Curve ed25519curve = new Curve(ed25519field,
+            Utils.hexToBytes("a3785913ca4deb75abd841414d0a700098e879777940c78c73fe6f2bee6c0352"), // d
+            ed25519field.fromByteArray(Utils.hexToBytes("b0a00e4a271beec478e42fad0618432fa7d7fb3d99004d2b0bdfc14f8024832b"))); // I
+
+    private static final EdDSANamedCurveSpec ed25519 = new EdDSANamedCurveSpec(
+            ED_25519,
+            ed25519curve,
+            "SHA-512", // H
+            new Ed25519ScalarOps(), // l
+            ed25519curve.createPoint( // B
+                    Utils.hexToBytes("5866666666666666666666666666666666666666666666666666666666666666"),
+                    true)); // Precompute tables for B
+
+    private static final Hashtable<String, EdDSANamedCurveSpec> curves = new Hashtable<String, EdDSANamedCurveSpec>();
+
+    public static void defineCurve(EdDSANamedCurveSpec curve) {
+        curves.put(curve.getName().toLowerCase(Locale.ENGLISH), curve);
+    }
+
+    static void defineCurveAlias(String name, String alias) {
+        EdDSANamedCurveSpec curve = curves.get(name.toLowerCase(Locale.ENGLISH));
+        if (curve == null) {
+            throw new IllegalStateException();
+        }
+        curves.put(alias.toLowerCase(Locale.ENGLISH), curve);
+    }
+
+    static {
+        // RFC 8032
+        defineCurve(ed25519);
+    }
+
+    public static EdDSANamedCurveSpec getByName(String name) {
+        return curves.get(name.toLowerCase(Locale.ENGLISH));
+    }
+}

data/ext/ed25519_jruby/net/i2p/crypto/eddsa/spec/EdDSAParameterSpec.java

@@ -0,0 +1,97 @@
+/**
+ * EdDSA-Java by str4d
+ *
+ * To the extent possible under law, the person who associated CC0 with
+ * EdDSA-Java has waived all copyright and related or neighboring rights
+ * to EdDSA-Java.
+ *
+ * You should have received a copy of the CC0 legalcode along with this
+ * work. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.
+ *
+ */
+package net.i2p.crypto.eddsa.spec;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.AlgorithmParameterSpec;
+
+import net.i2p.crypto.eddsa.math.Curve;
+import net.i2p.crypto.eddsa.math.GroupElement;
+import net.i2p.crypto.eddsa.math.ScalarOps;
+
+import java.io.Serializable;
+
+/**
+ * Parameter specification for an EdDSA algorithm.
+ * @author str4d
+ *
+ */
+public class EdDSAParameterSpec implements AlgorithmParameterSpec, Serializable {
+    private static final long serialVersionUID = 8274987108472012L;
+    private final Curve curve;
+    private final String hashAlgo;
+    private final ScalarOps sc;
+    private final GroupElement B;
+
+    /**
+     * @param curve the curve
+     * @param hashAlgo the JCA string for the hash algorithm
+     * @param sc the parameter L represented as ScalarOps
+     * @param B the parameter B
+     * @throws IllegalArgumentException if hash algorithm is unsupported or length is wrong
+     */
+    public EdDSAParameterSpec(Curve curve, String hashAlgo,
+            ScalarOps sc, GroupElement B) {
+        try {
+            MessageDigest hash = MessageDigest.getInstance(hashAlgo);
+            // EdDSA hash function must produce 2b-bit output
+            if (curve.getField().getb()/4 != hash.getDigestLength())
+                throw new IllegalArgumentException("Hash output is not 2b-bit");
+        } catch (NoSuchAlgorithmException e) {
+            throw new IllegalArgumentException("Unsupported hash algorithm");
+        }
+
+        this.curve = curve;
+        this.hashAlgo = hashAlgo;
+        this.sc = sc;
+        this.B = B;
+    }
+
+    public Curve getCurve() {
+        return curve;
+    }
+
+    public String getHashAlgorithm() {
+        return hashAlgo;
+    }
+
+    public ScalarOps getScalarOps() {
+        return sc;
+    }
+
+    /**
+     *  @return the base (generator)
+     */
+    public GroupElement getB() {
+        return B;
+    }
+
+    @Override
+    public int hashCode() {
+        return hashAlgo.hashCode() ^
+               curve.hashCode() ^
+               B.hashCode();
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (o == this)
+            return true;
+        if (!(o instanceof EdDSAParameterSpec))
+            return false;
+        EdDSAParameterSpec s = (EdDSAParameterSpec) o;
+        return hashAlgo.equals(s.getHashAlgorithm()) &&
+               curve.equals(s.getCurve()) &&
+               B.equals(s.getB());
+    }
+}

data/ext/ed25519_jruby/net/i2p/crypto/eddsa/spec/EdDSAPrivateKeySpec.java

@@ -0,0 +1,133 @@
+/**
+ * EdDSA-Java by str4d
+ *
+ * To the extent possible under law, the person who associated CC0 with
+ * EdDSA-Java has waived all copyright and related or neighboring rights
+ * to EdDSA-Java.
+ *
+ * You should have received a copy of the CC0 legalcode along with this
+ * work. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.
+ *
+ */
+package net.i2p.crypto.eddsa.spec;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.KeySpec;
+import java.util.Arrays;
+
+import net.i2p.crypto.eddsa.math.GroupElement;
+
+/**
+ * @author str4d
+ *
+ */
+public class EdDSAPrivateKeySpec implements KeySpec {
+    private final byte[] seed;
+    private final byte[] h;
+    private final byte[] a;
+    private final GroupElement A;
+    private final EdDSAParameterSpec spec;
+
+    /**
+     *  @param seed the private key
+     *  @param spec the parameter specification for this key
+     *  @throws IllegalArgumentException if seed length is wrong or hash algorithm is unsupported
+     */
+    public EdDSAPrivateKeySpec(byte[] seed, EdDSAParameterSpec spec) {
+        if (seed.length != spec.getCurve().getField().getb()/8)
+            throw new IllegalArgumentException("seed length is wrong");
+
+        this.spec = spec;
+        this.seed = seed;
+
+        try {
+            MessageDigest hash = MessageDigest.getInstance(spec.getHashAlgorithm());
+            int b = spec.getCurve().getField().getb();
+
+            // H(k)
+            h = hash.digest(seed);
+
+            /*a = BigInteger.valueOf(2).pow(b-2);
+            for (int i=3;i<(b-2);i++) {
+                a = a.add(BigInteger.valueOf(2).pow(i).multiply(BigInteger.valueOf(Utils.bit(h,i))));
+            }*/
+            // Saves ~0.4ms per key when running signing tests.
+            // TODO: are these bitflips the same for any hash function?
+            h[0] &= 248;
+            h[(b/8)-1] &= 63;
+            h[(b/8)-1] |= 64;
+            a = Arrays.copyOfRange(h, 0, b/8);
+
+            A = spec.getB().scalarMultiply(a);
+        } catch (NoSuchAlgorithmException e) {
+            throw new IllegalArgumentException("Unsupported hash algorithm");
+        }
+    }
+
+    /**
+     *  Initialize directly from the hash.
+     *  getSeed() will return null if this constructor is used.
+     *
+     *  @param spec the parameter specification for this key
+     *  @param h the private key
+     *  @throws IllegalArgumentException if hash length is wrong
+     *  @since 0.1.1
+     */
+    public EdDSAPrivateKeySpec(EdDSAParameterSpec spec, byte[] h) {
+        if (h.length != spec.getCurve().getField().getb()/4)
+            throw new IllegalArgumentException("hash length is wrong");
+
+	this.seed = null;
+	this.h = h;
+	this.spec = spec;
+	int b = spec.getCurve().getField().getb();
+
+        h[0] &= 248;
+        h[(b/8)-1] &= 63;
+        h[(b/8)-1] |= 64;
+        a = Arrays.copyOfRange(h, 0, b/8);
+
+        A = spec.getB().scalarMultiply(a);
+    }
+
+    public EdDSAPrivateKeySpec(byte[] seed, byte[] h, byte[] a, GroupElement A, EdDSAParameterSpec spec) {
+        this.seed = seed;
+        this.h = h;
+        this.a = a;
+        this.A = A;
+        this.spec = spec;
+    }
+
+    /**
+     *  @return will be null if constructed directly from the private key
+     */
+    public byte[] getSeed() {
+        return seed;
+    }
+
+    /**
+     *  @return the hash
+     */
+    public byte[] getH() {
+        return h;
+    }
+
+    /**
+     *  @return the private key
+     */
+    public byte[] geta() {
+        return a;
+    }
+
+    /**
+     *  @return the public key
+     */
+    public GroupElement getA() {
+        return A;
+    }
+
+    public EdDSAParameterSpec getParams() {
+        return spec;
+    }
+}

data/ext/ed25519_jruby/net/i2p/crypto/eddsa/spec/EdDSAPublicKeySpec.java

@@ -0,0 +1,61 @@
+/**
+ * EdDSA-Java by str4d
+ *
+ * To the extent possible under law, the person who associated CC0 with
+ * EdDSA-Java has waived all copyright and related or neighboring rights
+ * to EdDSA-Java.
+ *
+ * You should have received a copy of the CC0 legalcode along with this
+ * work. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.
+ *
+ */
+package net.i2p.crypto.eddsa.spec;
+
+import java.security.spec.KeySpec;
+
+import net.i2p.crypto.eddsa.math.GroupElement;
+
+/**
+ * @author str4d
+ *
+ */
+public class EdDSAPublicKeySpec implements KeySpec {
+    private final GroupElement A;
+    private final GroupElement Aneg;
+    private final EdDSAParameterSpec spec;
+
+    /**
+     * @param pk the public key
+     * @param spec the parameter specification for this key
+     * @throws IllegalArgumentException if key length is wrong
+     */
+    public EdDSAPublicKeySpec(byte[] pk, EdDSAParameterSpec spec) {
+        if (pk.length != spec.getCurve().getField().getb()/8)
+            throw new IllegalArgumentException("public-key length is wrong");
+
+        this.A = new GroupElement(spec.getCurve(), pk);
+        // Precompute -A for use in verification.
+        this.Aneg = A.negate();
+        Aneg.precompute(false);
+        this.spec = spec;
+    }
+
+    public EdDSAPublicKeySpec(GroupElement A, EdDSAParameterSpec spec) {
+        this.A = A;
+        this.Aneg = A.negate();
+        Aneg.precompute(false);
+        this.spec = spec;
+    }
+
+    public GroupElement getA() {
+        return A;
+    }
+
+    public GroupElement getNegativeA() {
+        return Aneg;
+    }
+
+    public EdDSAParameterSpec getParams() {
+        return spec;
+    }
+}

data/ext/ed25519_jruby/org/cryptosphere/Ed25519Provider.java

@@ -0,0 +1,95 @@
+package org.cryptosphere;
+
+import java.security.MessageDigest;
+import java.security.Signature;
+import java.util.Arrays;
+import net.i2p.crypto.eddsa.EdDSAEngine;
+import net.i2p.crypto.eddsa.EdDSAPrivateKey;
+import net.i2p.crypto.eddsa.EdDSAPublicKey;
+import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
+import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
+import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec;
+import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
+import org.jruby.Ruby;
+import org.jruby.RubyModule;
+import org.jruby.RubyString;
+import org.jruby.anno.JRubyMethod;
+import org.jruby.anno.JRubyModule;
+import org.jruby.runtime.ThreadContext;
+import org.jruby.runtime.builtin.IRubyObject;
+
+@JRubyModule(name="Ed25519::Provider::JRuby")
+public class Ed25519Provider {
+	public static RubyModule createEd25519Module(Ruby runtime) {
+		RubyModule mEd25519 = runtime.defineModule("Ed25519");
+		RubyModule mEd25519Provider = mEd25519.defineModuleUnder("Provider");
+		RubyModule mEd25519ProviderJRuby = mEd25519Provider.defineOrGetModuleUnder("JRuby");
+		mEd25519ProviderJRuby.defineAnnotatedMethods(Ed25519Provider.class);
+
+		return mEd25519ProviderJRuby;
+	}
+
+	@JRubyMethod(name = "create_keypair", module = true)
+	public static IRubyObject create_keypair(ThreadContext context, IRubyObject self, IRubyObject seed) {
+		byte[] seedBytes = seed.convertToString().getByteList().bytes();
+
+		if (seedBytes.length != 32) {
+			throw context.runtime.newArgumentError("expected 32-byte seed value, got " + seedBytes.length);
+		}
+
+		EdDSAParameterSpec edParams = EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.ED_25519);
+                EdDSAPrivateKeySpec signingKey = new EdDSAPrivateKeySpec(seedBytes, edParams);
+                EdDSAPublicKeySpec verifyKey = new EdDSAPublicKeySpec(signingKey.getA(), edParams);
+
+		byte[] keypair = new byte[64];
+
+		System.arraycopy(seedBytes, 0, keypair, 0, 32);
+		System.arraycopy(verifyKey.getA().toByteArray(), 0, keypair, 32, 32);
+
+		return RubyString.newString(context.getRuntime(), keypair);
+	}
+
+	@JRubyMethod(name = "sign", module = true)
+	public static IRubyObject sign(ThreadContext context, IRubyObject self, IRubyObject keypair, IRubyObject msg) throws Exception {
+		byte[] keypairBytes = keypair.convertToString().getByteList().bytes();
+
+		if (keypairBytes.length != 64) {
+			throw context.runtime.newArgumentError("expected 64-byte keypair value, got " + keypairBytes.length);
+		}
+
+                EdDSAParameterSpec edParams = EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.ED_25519);
+                Signature signer = new EdDSAEngine(MessageDigest.getInstance(edParams.getHashAlgorithm()));
+
+		byte[] seedBytes = Arrays.copyOfRange(keypairBytes, 0, 32);
+		EdDSAPrivateKeySpec signingKey = new EdDSAPrivateKeySpec(seedBytes, edParams);
+
+                signer.initSign(new EdDSAPrivateKey(signingKey));
+                signer.update(msg.convertToString().getByteList().bytes());
+
+		return RubyString.newString(context.getRuntime(), signer.sign());
+	}
+
+	@JRubyMethod(name = "verify", module = true)
+	public static IRubyObject verify(ThreadContext context, IRubyObject self, IRubyObject verify_key, IRubyObject signature, IRubyObject msg) throws Exception {
+		byte[] verifyKeyBytes = verify_key.convertToString().getByteList().bytes();
+		byte[] signatureBytes = signature.convertToString().getByteList().bytes();
+
+		if (verifyKeyBytes.length != 32) {
+			throw context.runtime.newArgumentError("expected 32-byte verify key, got " + verifyKeyBytes.length);
+		}
+
+		if (signatureBytes.length != 64) {
+			throw context.runtime.newArgumentError("expected 64-byte signature, got " + signatureBytes.length);
+		}
+
+		EdDSAParameterSpec edParams = EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.ED_25519);
+		Signature signer = new EdDSAEngine(MessageDigest.getInstance(edParams.getHashAlgorithm()));
+		EdDSAPublicKeySpec verifyKey = new EdDSAPublicKeySpec(verifyKeyBytes, edParams);
+
+		signer.initVerify(new EdDSAPublicKey(verifyKey));
+		signer.update(msg.convertToString().getByteList().bytes());
+
+		boolean isValid = signer.verify(signatureBytes);
+		return context.runtime.newBoolean(isValid);
+	}
+}