ed25519 1.0.0-jruby → 1.1.0-jruby

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 7ae17b8d776a0e09bfba306d42f817e806cdeb14
-  data.tar.gz: f7551dd72b2361acc584c0e8a7f8406f1a395532
+  metadata.gz: ffe9a55bb4a20efc99365fc6ed06329de947ce39
+  data.tar.gz: 7913e3cd83720eb011f69069512f3791f1878839
 SHA512:
-  metadata.gz: c4997f60634446a3b948b9ddcd2c228b2d2a4ce2a23ef9cb5f09b933d090273b898c3e97c802cad9c4f85710ed4b588aac9f414f9aa2a01699bcd48f5aaded4b
-  data.tar.gz: 406ec016f0cdae858fc6276895e36cd3ffc0276b1e1f46ff99b726b33cf7f9daff67ed7e4e21f3b610a6c2e093b7efa591c8d21889736570207b0ef0336b8e9b
+  metadata.gz: 3994f501b34ca888050eb0a7e7620a8e3570683d0207c21716c3c5ac27b063133f452fca7d0c658027cd00eeb15d7ed01cf7fcbdfa930791e7354f8c04933c46
+  data.tar.gz: 184956a2e7e6a414502d3b56fe814e216b622587789f1959b24d55d2c1b329740072a040b8f873385f146bd72da7d853c024a30ca100355c81b35b38b485fcc9

data/.gitignore

@@ -10,6 +10,7 @@
 *.o
 *.so
 *.bundle
+*.jar
 
 # rspec failure tracking
 .rspec_status

data/CHANGES.md

@@ -1,3 +1,16 @@
+# [1.1.0] (2017-12-13)
+
+[1.1.0]: https://github.com/cryptosphere/x25519/compare/v1.0.0...v1.1.0
+
+* [#11](https://github.com/cryptosphere/ed25519/pull/11)
+  ext/ed25519_java: switch to str4d/ed25519-java implementation (fixes #4)
+
+* [#9](https://github.com/cryptosphere/ed25519/pull/9)
+  Implement Java backend as a proper JRuby extension
+
+* [#8](https://github.com/cryptosphere/ed25519/pull/8)
+  Use an attr_accessor for Ed25519.provider
+
 # [1.0.0] (2017-12-12)
 
 [1.0.0]: https://github.com/cryptosphere/x25519/compare/v0.1.0...v1.0.0

data/README.md

@@ -14,9 +14,16 @@ described in [RFC 8032].
 
 Two implementations are provided: a MRI C extension which uses the "ref10"
 implementation from the SUPERCOP benchmark suite, and a pure Java version
-which is a direct port of the Python implementation.
+based on [str4d/ed25519-java].
+
+Ed25519 is one of two notable algorithms implemented atop the Curve25519
+elliptic curve. The [x25519 gem] is a related project of this one,
+and implements the X25519 Diffie-Hellman key exchange algorithm on the
+Montgomery form of Curve25519.
 
 [RFC 8032]: https://tools.ietf.org/html/rfc8032
+[str4d/ed25519-java]: https://github.com/str4d/ed25519-java
+[x25519 gem]: https://github.com/cryptosphere/x25519
 
 ## What is Ed25519?
 
@@ -118,7 +125,7 @@ verify_key  = Ed25519::VerifyKey.new(verify_key_bytes)
 
 ## Security Notes
 
-The Ed25519 "ref" implementation from SUPERCOP was lovingly crafted by expert
+The Ed25519 "ref10" implementation from SUPERCOP was lovingly crafted by expert
 security boffins with great care taken to prevent timing attacks. The same
 cannot be said for the C code used in the **ed25519.rb** C extension or in the
 entirety of the provided Java implementation.
@@ -130,13 +137,6 @@ by experts who can fix any potential timing vulnerabilities)
 **ed25519.rb** relies on a strong `SecureRandom` for key generation.
 Weaknesses in the random number source can potentially result in insecure keys.
 
-## JRuby Notes
-
-**ed25519.rb** provides a pure Java backend, however this backend is much slower
-than the C-based version. While **ed25519.rb** will function on JRuby, it may be
-too slow to be usable for a given use case. You should benchmark your
-application to determine if it will be fast enough for your purposes.
-
 ## Contributing
 
 Bug reports and pull requests are welcome on GitHub at https://github.com/cryptosphere/ed25519.

data/Rakefile

@@ -3,12 +3,12 @@
 require "bundler/gem_tasks"
 
 require "rake/clean"
-CLEAN.include("**/*.o", "**/*.so", "**/*.bundle", "pkg", "tmp")
+CLEAN.include("**/*.o", "**/*.so", "**/*.bundle", "*.jar", "pkg", "tmp")
 
 if defined? JRUBY_VERSION
   require "rake/javaextensiontask"
-  Rake::JavaExtensionTask.new("ed25519_java") do |ext|
-    ext.ext_dir = "ext/ed25519_java"
+  Rake::JavaExtensionTask.new("ed25519_jruby") do |ext|
+    ext.ext_dir = "ext/ed25519_jruby"
   end
 else
   require "rake/extensiontask"

data/ext/ed25519_jruby/LICENSE.txt

@@ -0,0 +1,123 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.
+
+For more information, please see https://creativecommons.org/publicdomain/zero/1.0/

data/ext/ed25519_jruby/README.md

@@ -0,0 +1,77 @@
+EdDSA-Java
+==========
+
+[![Build Status](https://travis-ci.org/str4d/ed25519-java.svg?branch=master)](https://travis-ci.org/str4d/ed25519-java)
+
+This is an implementation of EdDSA in Java. Structurally, it is based on the ref10 implementation in SUPERCOP (see https://ed25519.cr.yp.to/software.html).
+
+There are two internal implementations:
+* A port of the radix-2^51 operations in ref10 - fast and constant-time, but only useful for Ed25519.
+* A generic version using BigIntegers for calculation - a bit slower and not constant-time, but compatible with any EdDSA parameter specification.
+
+
+To use
+------
+
+Download the latest .jar from the releases tab and place it in your classpath.
+
+Gradle users:
+
+```
+compile 'net.i2p.crypto:eddsa:0.2.0'
+```
+
+The code requires Java 6 (for e.g. the `Arrays.copyOfRange()` calls in `EdDSAEngine.engineVerify()`).
+
+The JUnit4 tests require the Hamcrest library `hamcrest-all.jar`.
+
+This code is released to the public domain and can be used for any purpose. See `LICENSE.txt` for details.
+
+Disclaimer
+----------
+
+There are **no** guarantees that this is secure for all cases, and users should
+review the code themselves before depending on it. PRs that fix bugs or improve
+reviewability are very welcome. Additionally:
+
+- The unit test suite includes tests against
+  [the data from the original Python implementation](https://ed25519.cr.yp.to/python/sign.input).
+- The code (as of 97cea3f0d910fc627c7b57b1bc4d783cdd0c2a4a) was reviewed by
+  [an independent developer](https://github.com/BloodyRookie).
+- The code (as of dc9f58f2c874463c15465326efc040d17a627b3a) was audited by an independent third party,
+  and the one issue found [was fixed](https://github.com/str4d/ed25519-java/pull/31).
+
+Code comparison
+---------------
+
+For ease of following, here are the main methods in ref10 and their equivalents in this codebase:
+
+| EdDSA Operation | ref10 function | Java function |
+| --------------- | -------------- | ------------- |
+| Generate keypair | `crypto_sign_keypair` | `EdDSAPrivateKeySpec` constructor |
+| Sign message | `crypto_sign` | `EdDSAEngine.engineSign` |
+| Verify signature | `crypto_sign_open` | `EdDSAEngine.engineVerify` |
+
+| EdDSA point arithmetic | ref10 function | Java function |
+| ---------------------- | -------------- | ------------- |
+| `R = b * B` | `ge_scalarmult_base` | `GroupElement.scalarMultiply` |
+| `R = a*A + b*B` | `ge_double_scalarmult_vartime` | `GroupElement.doubleScalarMultiplyVariableTime` |
+| `R = 2 * P` | `ge_p2_dbl` | `GroupElement.dbl` |
+| `R = P + Q` | `ge_madd`, `ge_add` | `GroupElement.madd`, `GroupElement.add` |
+| `R = P - Q` | `ge_msub`, `ge_sub` | `GroupElement.msub`, `GroupElement.sub` |
+
+
+Important changes
+-----------------
+
+### 0.2.0
+
+- Ed25519 is now named `Ed25519` in `EdDSANamedCurveTable`, and the previous public constant
+  (containing the older inaccurate name) has been removed.
+
+Credits
+-------
+
+* The Ed25519 class was originally ported by k3d3 from [the Python Ed25519 reference implementation](https://ed25519.cr.yp.to/python/ed25519.py).
+* Useful comments and tweaks were found in [the GNUnet implementation of Ed25519](https://gnunet.org/svn/gnunet-java/src/main/java/org/gnunet/util/crypto/) (based on k3d3's class).
+* [BloodyRookie](https://github.com/BloodyRookie) reviewed the code, adding many useful comments, unit tests and literature.

data/ext/ed25519_jruby/net/i2p/crypto/eddsa/EdDSAEngine.java

@@ -0,0 +1,491 @@
+/**
+ * EdDSA-Java by str4d
+ *
+ * To the extent possible under law, the person who associated CC0 with
+ * EdDSA-Java has waived all copyright and related or neighboring rights
+ * to EdDSA-Java.
+ *
+ * You should have received a copy of the CC0 legalcode along with this
+ * work. If not, see <https://creativecommons.org/publicdomain/zero/1.0/>.
+ *
+ */
+package net.i2p.crypto.eddsa;
+
+import java.io.ByteArrayOutputStream;
+import java.nio.ByteBuffer;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Arrays;
+
+import net.i2p.crypto.eddsa.math.Curve;
+import net.i2p.crypto.eddsa.math.GroupElement;
+import net.i2p.crypto.eddsa.math.ScalarOps;
+import sun.security.x509.X509Key;
+
+/**
+ * Signing and verification for EdDSA.
+ *<p>
+ * The EdDSA sign and verify algorithms do not interact well with
+ * the Java Signature API, as one or more update() methods must be
+ * called before sign() or verify(). Using the standard API,
+ * this implementation must copy and buffer all data passed in
+ * via update().
+ *</p><p>
+ * This implementation offers two ways to avoid this copying,
+ * but only if all data to be signed or verified is available
+ * in a single byte array.
+ *</p><p>
+ *Option 1:
+ *</p><ol>
+ *<li>Call initSign() or initVerify() as usual.
+ *</li><li>Call setParameter(ONE_SHOT_MODE)
+ *</li><li>Call update(byte[]) or update(byte[], int, int) exactly once
+ *</li><li>Call sign() or verify() as usual.
+ *</li><li>If doing additional one-shot signs or verifies with this object, you must
+ *         call setParameter(ONE_SHOT_MODE) each time
+ *</li></ol>
+ *
+ *<p>
+ *Option 2:
+ *</p><ol>
+ *<li>Call initSign() or initVerify() as usual.
+ *</li><li>Call one of the signOneShot() or verifyOneShot() methods.
+ *</li><li>If doing additional one-shot signs or verifies with this object,
+ *         just call signOneShot() or verifyOneShot() again.
+ *</li></ol>
+ *
+ * @author str4d
+ *
+ */
+public final class EdDSAEngine extends Signature {
+    public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
+
+    private MessageDigest digest;
+    private ByteArrayOutputStream baos;
+    private EdDSAKey key;
+    private boolean oneShotMode;
+    private byte[] oneShotBytes;
+    private int oneShotOffset;
+    private int oneShotLength;
+
+    /**
+     *  To efficiently sign or verify data in one shot, pass this to setParameters()
+     *  after initSign() or initVerify() but BEFORE THE FIRST AND ONLY
+     *  update(data) or update(data, off, len). The data reference will be saved
+     *  and then used in sign() or verify() without copying the data.
+     *  Violate these rules and you will get a SignatureException.
+     */
+    public static final AlgorithmParameterSpec ONE_SHOT_MODE = new OneShotSpec();
+
+    private static class OneShotSpec implements AlgorithmParameterSpec {}
+
+    /**
+     * No specific EdDSA-internal hash requested, allows any EdDSA key.
+     */
+    public EdDSAEngine() {
+        super(SIGNATURE_ALGORITHM);
+    }
+
+    /**
+     * Specific EdDSA-internal hash requested, only matching keys will be allowed.
+     * @param digest the hash algorithm that keys must have to sign or verify.
+     */
+    public EdDSAEngine(MessageDigest digest) {
+        this();
+        this.digest = digest;
+    }
+
+    private void reset() {
+        if (digest != null)
+            digest.reset();
+        if (baos != null)
+            baos.reset();
+        oneShotMode = false;
+        oneShotBytes = null;
+    }
+
+    @Override
+    protected void engineInitSign(PrivateKey privateKey) throws InvalidKeyException {
+        reset();
+        if (privateKey instanceof EdDSAPrivateKey) {
+            EdDSAPrivateKey privKey = (EdDSAPrivateKey) privateKey;
+            key = privKey;
+
+            if (digest == null) {
+                // Instantiate the digest from the key parameters
+                try {
+                    digest = MessageDigest.getInstance(key.getParams().getHashAlgorithm());
+                } catch (NoSuchAlgorithmException e) {
+                    throw new InvalidKeyException("cannot get required digest " + key.getParams().getHashAlgorithm() + " for private key.");
+                }
+            } else if (!key.getParams().getHashAlgorithm().equals(digest.getAlgorithm()))
+                throw new InvalidKeyException("Key hash algorithm does not match chosen digest");
+            digestInitSign(privKey);
+        } else {
+            throw new InvalidKeyException("cannot identify EdDSA private key: " + privateKey.getClass());
+        }
+    }
+
+    private void digestInitSign(EdDSAPrivateKey privKey) {
+        // Preparing for hash
+        // r = H(h_b,...,h_2b-1,M)
+        int b = privKey.getParams().getCurve().getField().getb();
+        digest.update(privKey.getH(), b/8, b/4 - b/8);
+    }
+
+    @Override
+    protected void engineInitVerify(PublicKey publicKey) throws InvalidKeyException {
+        reset();
+        if (publicKey instanceof EdDSAPublicKey) {
+            key = (EdDSAPublicKey) publicKey;
+
+            if (digest == null) {
+                // Instantiate the digest from the key parameters
+                try {
+                    digest = MessageDigest.getInstance(key.getParams().getHashAlgorithm());
+                } catch (NoSuchAlgorithmException e) {
+                    throw new InvalidKeyException("cannot get required digest " + key.getParams().getHashAlgorithm() + " for private key.");
+                }
+            } else if (!key.getParams().getHashAlgorithm().equals(digest.getAlgorithm()))
+                throw new InvalidKeyException("Key hash algorithm does not match chosen digest");
+        } else if (publicKey instanceof X509Key) {
+            // X509Certificate will sometimes contain an X509Key rather than the EdDSAPublicKey itself; the contained
+            // key is valid but needs to be instanced as an EdDSAPublicKey before it can be used.
+            EdDSAPublicKey parsedPublicKey;
+            try {
+                parsedPublicKey = new EdDSAPublicKey(new X509EncodedKeySpec(publicKey.getEncoded()));
+            } catch (InvalidKeySpecException ex) {
+                throw new InvalidKeyException("cannot handle X.509 EdDSA public key: " + publicKey.getAlgorithm());
+            }
+            engineInitVerify(parsedPublicKey);
+        } else {
+            throw new InvalidKeyException("cannot identify EdDSA public key: " + publicKey.getClass());
+        }
+    }
+
+    /**
+     * @throws SignatureException if in one-shot mode
+     */
+    @Override
+    protected void engineUpdate(byte b) throws SignatureException {
+        if (oneShotMode)
+            throw new SignatureException("unsupported in one-shot mode");
+        if (baos == null)
+            baos = new ByteArrayOutputStream(256);
+        baos.write(b);
+    }
+
+    /**
+     * @throws SignatureException if one-shot rules are violated
+     */
+    @Override
+    protected void engineUpdate(byte[] b, int off, int len)
+            throws SignatureException {
+        if (oneShotMode) {
+            if (oneShotBytes != null)
+                throw new SignatureException("update() already called");
+            oneShotBytes = b;
+            oneShotOffset = off;
+            oneShotLength = len;
+        } else {
+            if (baos == null)
+                baos = new ByteArrayOutputStream(256);
+            baos.write(b, off, len);
+        }
+    }
+
+    @Override
+    protected byte[] engineSign() throws SignatureException {
+        try {
+            return x_engineSign();
+        } finally {
+            reset();
+            // must leave the object ready to sign again with
+            // the same key, as required by the API
+            EdDSAPrivateKey privKey = (EdDSAPrivateKey) key;
+            digestInitSign(privKey);
+        }
+    }
+
+    private byte[] x_engineSign() throws SignatureException {
+        Curve curve = key.getParams().getCurve();
+        ScalarOps sc = key.getParams().getScalarOps();
+        byte[] a = ((EdDSAPrivateKey) key).geta();
+
+        byte[] message;
+        int offset, length;
+        if (oneShotMode) {
+            if (oneShotBytes == null)
+                throw new SignatureException("update() not called first");
+            message = oneShotBytes;
+            offset = oneShotOffset;
+            length = oneShotLength;
+        } else {
+            if (baos == null)
+                message = new byte[0];
+            else
+                message = baos.toByteArray();
+            offset = 0;
+            length = message.length;
+        }
+        // r = H(h_b,...,h_2b-1,M)
+        digest.update(message, offset, length);
+        byte[] r = digest.digest();
+
+        // r mod l
+        // Reduces r from 64 bytes to 32 bytes
+        r = sc.reduce(r);
+
+        // R = rB
+        GroupElement R = key.getParams().getB().scalarMultiply(r);
+        byte[] Rbyte = R.toByteArray();
+
+        // S = (r + H(Rbar,Abar,M)*a) mod l
+        digest.update(Rbyte);
+        digest.update(((EdDSAPrivateKey) key).getAbyte());
+        digest.update(message, offset, length);
+        byte[] h = digest.digest();
+        h = sc.reduce(h);
+        byte[] S = sc.multiplyAndAdd(h, a, r);
+
+        // R+S
+        int b = curve.getField().getb();
+        ByteBuffer out = ByteBuffer.allocate(b/4);
+        out.put(Rbyte).put(S);
+        return out.array();
+    }
+
+    @Override
+    protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
+        try {
+            return x_engineVerify(sigBytes);
+        } finally {
+            reset();
+        }
+    }
+
+    private boolean x_engineVerify(byte[] sigBytes) throws SignatureException {
+        Curve curve = key.getParams().getCurve();
+        int b = curve.getField().getb();
+        if (sigBytes.length != b/4)
+            throw new SignatureException("signature length is wrong");
+
+        // R is first b/8 bytes of sigBytes, S is second b/8 bytes
+        digest.update(sigBytes, 0, b/8);
+        digest.update(((EdDSAPublicKey) key).getAbyte());
+        // h = H(Rbar,Abar,M)
+        byte[] message;
+        int offset, length;
+        if (oneShotMode) {
+            if (oneShotBytes == null)
+                throw new SignatureException("update() not called first");
+            message = oneShotBytes;
+            offset = oneShotOffset;
+            length = oneShotLength;
+        } else {
+            if (baos == null)
+                message = new byte[0];
+            else
+                message = baos.toByteArray();
+            offset = 0;
+            length = message.length;
+        }
+        digest.update(message, offset, length);
+        byte[] h = digest.digest();
+
+        // h mod l
+        h = key.getParams().getScalarOps().reduce(h);
+
+        byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
+        // R = SB - H(Rbar,Abar,M)A
+        GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
+                ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);
+
+        // Variable time. This should be okay, because there are no secret
+        // values used anywhere in verification.
+        byte[] Rcalc = R.toByteArray();
+        for (int i = 0; i < Rcalc.length; i++) {
+            if (Rcalc[i] != sigBytes[i])
+                return false;
+        }
+        return true;
+    }
+
+    /**
+     *  To efficiently sign all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data)
+     *  sig = sign()
+     *</pre>
+     *
+     * @param data the message to be signed
+     * @return the signature
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public byte[] signOneShot(byte[] data) throws SignatureException {
+        return signOneShot(data, 0, data.length);
+    }
+
+    /**
+     *  To efficiently sign all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data, off, len)
+     *  sig = sign()
+     *</pre>
+     *
+     * @param data byte array containing the message to be signed
+     * @param off the start of the message inside data
+     * @param len the length of the message
+     * @return the signature
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public byte[] signOneShot(byte[] data, int off, int len) throws SignatureException {
+        oneShotMode = true;
+        update(data, off, len);
+        return sign();
+    }
+
+    /**
+     *  To efficiently verify all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data)
+     *  ok = verify(signature)
+     *</pre>
+     *
+     * @param data the message that was signed
+     * @param signature of the message
+     * @return true if the signature is valid, false otherwise
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public boolean verifyOneShot(byte[] data, byte[] signature) throws SignatureException {
+        return verifyOneShot(data, 0, data.length, signature, 0, signature.length);
+    }
+
+    /**
+     *  To efficiently verify all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data, off, len)
+     *  ok = verify(signature)
+     *</pre>
+     *
+     * @param data byte array containing the message that was signed
+     * @param off the start of the message inside data
+     * @param len the length of the message
+     * @param signature of the message
+     * @return true if the signature is valid, false otherwise
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public boolean verifyOneShot(byte[] data, int off, int len, byte[] signature) throws SignatureException {
+        return verifyOneShot(data, off, len, signature, 0, signature.length);
+    }
+
+    /**
+     *  To efficiently verify all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data)
+     *  ok = verify(signature, sigoff, siglen)
+     *</pre>
+     *
+     * @param data the message that was signed
+     * @param signature byte array containing the signature
+     * @param sigoff the start of the signature
+     * @param siglen the length of the signature
+     * @return true if the signature is valid, false otherwise
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public boolean verifyOneShot(byte[] data, byte[] signature, int sigoff, int siglen) throws SignatureException {
+        return verifyOneShot(data, 0, data.length, signature, sigoff, siglen);
+    }
+
+    /**
+     *  To efficiently verify all the data in one shot, if it is available,
+     *  use this method, which will avoid copying the data.
+     *
+     * Same as:
+     *<pre>
+     *  setParameter(ONE_SHOT_MODE)
+     *  update(data, off, len)
+     *  ok = verify(signature, sigoff, siglen)
+     *</pre>
+     *
+     * @param data byte array containing the message that was signed
+     * @param off the start of the message inside data
+     * @param len the length of the message
+     * @param signature byte array containing the signature
+     * @param sigoff the start of the signature
+     * @param siglen the length of the signature
+     * @return true if the signature is valid, false otherwise
+     * @throws SignatureException if update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    public boolean verifyOneShot(byte[] data, int off, int len, byte[] signature, int sigoff, int siglen) throws SignatureException {
+        oneShotMode = true;
+        update(data, off, len);
+        return verify(signature, sigoff, siglen);
+    }
+
+    /**
+     * @throws InvalidAlgorithmParameterException if spec is ONE_SHOT_MODE and update() already called
+     * @see #ONE_SHOT_MODE
+     */
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec spec) throws InvalidAlgorithmParameterException {
+        if (spec.equals(ONE_SHOT_MODE)) {
+            if (oneShotBytes != null || (baos != null && baos.size() > 0))
+                throw new InvalidAlgorithmParameterException("update() already called");
+            oneShotMode = true;
+        } else {
+            super.engineSetParameter(spec);
+        }
+    }
+
+    /**
+     * @deprecated
+     */
+    @Override
+    protected void engineSetParameter(String param, Object value) {
+        throw new UnsupportedOperationException("engineSetParameter unsupported");
+    }
+
+    /**
+     * @deprecated
+     */
+    @Override
+    protected Object engineGetParameter(String param) {
+        throw new UnsupportedOperationException("engineSetParameter unsupported");
+    }
+}