Crypto++ 8.9
Free C++ class library of cryptographic schemes
xed25519.h
Go to the documentation of this file.
1// xed25519.h - written and placed in public domain by Jeffrey Walton
2// Crypto++ specific implementation wrapped around Andrew
3// Moon's public domain curve25519-donna and ed25519-donna,
4// http://github.com/floodyberry/curve25519-donna and
5// http://github.com/floodyberry/ed25519-donna.
6
7// Typically the key agreement classes encapsulate their data more
8// than x25519 does below. They are a little more accessible
9// due to crypto_box operations.
10
11/// \file xed25519.h
12/// \brief Classes for x25519 and ed25519 operations
13/// \details This implementation integrates Andrew Moon's public domain code
14/// for curve25519-donna and ed25519-donna.
15/// \details Moving keys into and out of the library proceeds as follows.
16/// If an Integer class is accepted or returned, then the data is in big
17/// endian format. That is, the MSB is at byte position 0, and the LSB
18/// is at byte position 31. The Integer will work as expected, just like
19/// an int or a long.
20/// \details If a byte array is accepted, then the byte array is in little
21/// endian format. That is, the LSB is at byte position 0, and the MSB is
22/// at byte position 31. This follows the implementation where byte 0 is
23/// clamed with 248. That is my_arr[0] &= 248 to mask the lower 3 bits.
24/// \details PKCS8 and X509 keys encoded using ASN.1 follow little endian
25/// arrays. The format is specified in <A HREF=
26/// "http:///tools.ietf.org/html/draft-ietf-curdle-pkix">draft-ietf-curdle-pkix</A>.
27/// \details If you have a little endian array and you want to wrap it in
28/// an Integer using big endian then you can perform the following:
29/// <pre>Integer x(my_arr, SECRET_KEYLENGTH, UNSIGNED, LITTLE_ENDIAN_ORDER);</pre>
30/// \sa Andrew Moon's x22519 GitHub <A
31/// HREF="http://github.com/floodyberry/curve25519-donna">curve25519-donna</A>,
32/// ed22519 GitHub <A
33/// HREF="http://github.com/floodyberry/ed25519-donna">ed25519-donna</A>, and
34/// <A HREF="http:///tools.ietf.org/html/draft-ietf-curdle-pkix">draft-ietf-curdle-pkix</A>
35/// \since Crypto++ 8.0
36
37#ifndef CRYPTOPP_XED25519_H
38#define CRYPTOPP_XED25519_H
39
40#include "cryptlib.h"
41#include "pubkey.h"
42#include "oids.h"
43
44NAMESPACE_BEGIN(CryptoPP)
45
46class Integer;
47struct ed25519Signer;
48struct ed25519Verifier;
49
50// ******************** x25519 Agreement ************************* //
51
52/// \brief x25519 with key validation
53/// \since Crypto++ 8.0
55{
56public:
57 /// \brief Size of the private key
58 /// \details SECRET_KEYLENGTH is the size of the private key, in bytes.
59 CRYPTOPP_CONSTANT(SECRET_KEYLENGTH = 32);
60 /// \brief Size of the public key
61 /// \details PUBLIC_KEYLENGTH is the size of the public key, in bytes.
62 CRYPTOPP_CONSTANT(PUBLIC_KEYLENGTH = 32);
63 /// \brief Size of the shared key
64 /// \details SHARED_KEYLENGTH is the size of the shared key, in bytes.
65 CRYPTOPP_CONSTANT(SHARED_KEYLENGTH = 32);
66
67 virtual ~x25519() {}
68
69 /// \brief Create a x25519 object
70 /// \details This constructor creates an empty x25519 object. It is
71 /// intended for use in loading existing parameters, like CryptoBox
72 /// parameters. If you are performing key agreement you should use a
73 /// constructor that generates random parameters on construction.
74 x25519() {}
75
76 /// \brief Create a x25519 object
77 /// \param y public key
78 /// \param x private key
79 /// \details This constructor creates a x25519 object using existing parameters.
80 /// \note The public key is not validated.
81 x25519(const byte y[PUBLIC_KEYLENGTH], const byte x[SECRET_KEYLENGTH]);
82
83 /// \brief Create a x25519 object
84 /// \param x private key
85 /// \details This constructor creates a x25519 object using existing parameters.
86 /// The public key is calculated from the private key.
87 x25519(const byte x[SECRET_KEYLENGTH]);
88
89 /// \brief Create a x25519 object
90 /// \param y public key
91 /// \param x private key
92 /// \details This constructor creates a x25519 object using existing parameters.
93 /// \note The public key is not validated.
94 x25519(const Integer &y, const Integer &x);
95
96 /// \brief Create a x25519 object
97 /// \param x private key
98 /// \details This constructor creates a x25519 object using existing parameters.
99 /// The public key is calculated from the private key.
100 x25519(const Integer &x);
101
102 /// \brief Create a x25519 object
103 /// \param rng RandomNumberGenerator derived class
104 /// \details This constructor creates a new x25519 using the random number generator.
106
107 /// \brief Create a x25519 object
108 /// \param params public and private key
109 /// \details This constructor creates a x25519 object using existing parameters.
110 /// The <tt>params</tt> can be created with <tt>Save</tt>.
111 /// \note The public key is not validated.
113
114 /// \brief Create a x25519 object
115 /// \param oid an object identifier
116 /// \details This constructor creates a new x25519 using the specified OID. The public
117 /// and private points are uninitialized.
118 x25519(const OID &oid);
119
120 /// \brief Clamp a private key
121 /// \param x private key
122 /// \details ClampKeys() clamps a private key and then regenerates the
123 /// public key from the private key.
124 void ClampKey(byte x[SECRET_KEYLENGTH]) const;
125
126 /// \brief Determine if private key is clamped
127 /// \param x private key
128 bool IsClamped(const byte x[SECRET_KEYLENGTH]) const;
129
130 /// \brief Test if a key has small order
131 /// \param y public key
132 bool IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const;
133
134 /// \brief Get the Object Identifier
135 /// \return the Object Identifier
136 /// \details The default OID is from RFC 8410 using <tt>id-X25519</tt>.
137 /// The default private key format is RFC 5208.
139 return m_oid.Empty() ? ASN1::X25519() : m_oid;
140 }
141
142 /// \brief Set the Object Identifier
143 /// \param oid the new Object Identifier
144 void SetAlgorithmID(const OID& oid) {
145 m_oid = oid;
146 }
147
148 // CryptoParameters
149 bool Validate(RandomNumberGenerator &rng, unsigned int level) const;
150 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
151 void AssignFrom(const NameValuePairs &source);
152
153 // CryptoParameters
155
156 /// \brief DER encode ASN.1 object
157 /// \param bt BufferedTransformation object
158 /// \details Save() will write the OID associated with algorithm or scheme.
159 /// In the case of public and private keys, this function writes the
160 /// subjectPublicKeyInfo parts.
161 /// \details The default OID is from RFC 8410 using <tt>id-X25519</tt>.
162 /// The default private key format is RFC 5208, which is the old format.
163 /// The old format provides the best interop, and keys will work
164 /// with OpenSSL.
165 /// \sa <A HREF="http://tools.ietf.org/rfc/rfc5958.txt">RFC 5958, Asymmetric
166 /// Key Packages</A>
167 void Save(BufferedTransformation &bt) const {
168 DEREncode(bt, 0);
169 }
170
171 /// \brief DER encode ASN.1 object
172 /// \param bt BufferedTransformation object
173 /// \param v1 flag indicating v1
174 /// \details Save() will write the OID associated with algorithm or scheme.
175 /// In the case of public and private keys, this function writes the
176 /// subjectPublicKeyInfo parts.
177 /// \details The default OID is from RFC 8410 using <tt>id-X25519</tt>.
178 /// The default private key format is RFC 5208.
179 /// \details v1 means INTEGER 0 is written. INTEGER 0 means
180 /// RFC 5208 format, which is the old format. The old format provides
181 /// the best interop, and keys will work with OpenSSL. The other
182 /// option uses INTEGER 1. INTEGER 1 means RFC 5958 format,
183 /// which is the new format.
184 /// \sa <A HREF="http://tools.ietf.org/rfc/rfc5958.txt">RFC 5958, Asymmetric
185 /// Key Packages</A>
186 void Save(BufferedTransformation &bt, bool v1) const {
187 DEREncode(bt, v1 ? 0 : 1);
188 }
189
190 /// \brief BER decode ASN.1 object
191 /// \param bt BufferedTransformation object
192 /// \sa <A HREF="http://tools.ietf.org/rfc/rfc5958.txt">RFC 5958, Asymmetric
193 /// Key Packages</A>
195 BERDecode(bt);
196 }
197
198 // PKCS8PrivateKey
200 void DEREncode(BufferedTransformation &bt) const { DEREncode(bt, 0); }
201 void BERDecodePrivateKey(BufferedTransformation &bt, bool parametersPresent, size_t size);
203
204 /// \brief DER encode ASN.1 object
205 /// \param bt BufferedTransformation object
206 /// \param version indicates version
207 /// \details DEREncode() will write the OID associated with algorithm or
208 /// scheme. In the case of public and private keys, this function writes
209 /// the subjectPublicKeyInfo parts.
210 /// \details The default OID is from RFC 8410 using <tt>id-X25519</tt>.
211 /// The default private key format is RFC 5208.
212 /// \details The value of version is written as the INTEGER. INTEGER 0 means
213 /// RFC 5208 format, which is the old format. The old format provides
214 /// the best interop, and keys will work with OpenSSL. The INTEGER 1
215 /// means RFC 5958 format, which is the new format.
216 void DEREncode(BufferedTransformation &bt, int version) const;
217
218 /// \brief Determine if OID is valid for this object
219 /// \details BERDecodeAndCheckAlgorithmID() parses the OID from
220 /// <tt>bt</tt> and determines if it valid for this object. The
221 /// problem in practice is there are multiple OIDs available to
222 /// denote curve25519 operations. The OIDs include an old GNU
223 /// OID used by SSH, OIDs specified in draft-josefsson-pkix-newcurves,
224 /// and OIDs specified in draft-ietf-curdle-pkix.
225 /// \details By default BERDecodeAndCheckAlgorithmID() accepts an
226 /// OID set by the user, <tt>ASN1::curve25519()</tt> and <tt>ASN1::X25519()</tt>.
227 /// <tt>ASN1::curve25519()</tt> is generic and says "this key is valid for
228 /// curve25519 operations". <tt>ASN1::X25519()</tt> is specific and says
229 /// "this key is valid for x25519 key exchange."
231
232 // DL_PrivateKey
233 void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &params);
234
235 // SimpleKeyAgreementDomain
236 unsigned int AgreedValueLength() const {return SHARED_KEYLENGTH;}
237 unsigned int PrivateKeyLength() const {return SECRET_KEYLENGTH;}
238 unsigned int PublicKeyLength() const {return PUBLIC_KEYLENGTH;}
239
240 // SimpleKeyAgreementDomain
241 void GeneratePrivateKey(RandomNumberGenerator &rng, byte *privateKey) const;
242 void GeneratePublicKey(RandomNumberGenerator &rng, const byte *privateKey, byte *publicKey) const;
243 bool Agree(byte *agreedValue, const byte *privateKey, const byte *otherPublicKey, bool validateOtherPublicKey=true) const;
244
245protected:
246 // Create a public key from a private key
247 void SecretToPublicKey(byte y[PUBLIC_KEYLENGTH], const byte x[SECRET_KEYLENGTH]) const;
248
249protected:
252 OID m_oid; // preferred OID
253};
254
255// ****************** ed25519 Signer *********************** //
256
257/// \brief ed25519 message accumulator
258/// \details ed25519 buffers the entire message, and does not
259/// digest the message incrementally. You should be careful with
260/// large messages like files on-disk. The behavior is by design
261/// because Bernstein feels small messages should be authenticated;
262/// and larger messages will be digested by the application.
263/// \details The accumulator is used for signing and verification.
264/// The first 64-bytes of storage is reserved for the signature.
265/// During signing the signature storage is unused. During
266/// verification the first 64 bytes holds the signature. The
267/// signature is provided by the PK_Verifier framework and the
268/// call to PK_Signer::InputSignature. Member functions data()
269/// and size() refer to the accumulated message. Member function
270/// signature() refers to the signature with an implicit size of
271/// SIGNATURE_LENGTH bytes.
272/// \details Applications which digest large messages, like an ISO
273/// disk file, should take care because the design effectively
274/// disgorges the format operation from the signing operation.
275/// Put another way, be careful to ensure what you are signing is
276/// is in fact a digest of the intended message, and not a different
277/// message digest supplied by an attacker.
279{
280 CRYPTOPP_CONSTANT(RESERVE_SIZE=2048+64);
281 CRYPTOPP_CONSTANT(SIGNATURE_LENGTH=64);
282
283 /// \brief Create a message accumulator
287
288 /// \brief Create a message accumulator
289 /// \details ed25519 does not use a RNG. You can safely use
290 /// NullRNG() because IsProbablistic returns false.
292 CRYPTOPP_UNUSED(rng); Restart();
293 }
294
295 /// \brief Add data to the accumulator
296 /// \param msg pointer to the data to accumulate
297 /// \param len the size of the data, in bytes
298 void Update(const byte* msg, size_t len) {
299 if (msg && len)
300 m_msg.insert(m_msg.end(), msg, msg+len);
301 }
302
303 /// \brief Reset the accumulator
304 void Restart() {
305 m_msg.reserve(RESERVE_SIZE);
306 m_msg.resize(SIGNATURE_LENGTH);
307 }
308
309 /// \brief Retrieve pointer to signature buffer
310 /// \return pointer to signature buffer
311 byte* signature() {
312 return &m_msg[0];
313 }
314
315 /// \brief Retrieve pointer to signature buffer
316 /// \return pointer to signature buffer
317 const byte* signature() const {
318 return &m_msg[0];
319 }
320
321 /// \brief Retrieve pointer to data buffer
322 /// \return pointer to data buffer
323 const byte* data() const {
324 return &m_msg[0]+SIGNATURE_LENGTH;
325 }
326
327 /// \brief Retrieve size of data buffer
328 /// \return size of the data buffer, in bytes
329 size_t size() const {
330 return m_msg.size()-SIGNATURE_LENGTH;
331 }
332
333protected:
334 // TODO: Find an equivalent Crypto++ structure.
335 std::vector<byte, AllocatorWithCleanup<byte> > m_msg;
336};
337
338/// \brief Ed25519 private key
339/// \details ed25519PrivateKey is somewhat of a hack. It needed to
340/// provide DL_PrivateKey interface to fit into the existing
341/// framework, but it lacks a lot of the internals of a true
342/// DL_PrivateKey. The missing pieces include GroupParameters
343/// and Point, which provide the low level field operations
344/// found in traditional implementations like NIST curves over
345/// prime and binary fields.
346/// \details ed25519PrivateKey is also unusual because the
347/// class members of interest are byte arrays and not Integers.
348/// In addition, the byte arrays are little-endian meaning
349/// LSB is at element 0 and the MSB is at element 31.
350/// If you call GetPrivateExponent() then the little-endian byte
351/// array is converted to a big-endian Integer() so it can be
352/// returned the way a caller expects. And calling
353/// SetPrivateExponent performs a similar internal conversion.
354/// \since Crypto++ 8.0
356{
357 /// \brief Size of the private key
358 /// \details SECRET_KEYLENGTH is the size of the private key, in bytes.
359 CRYPTOPP_CONSTANT(SECRET_KEYLENGTH = 32);
360 /// \brief Size of the public key
361 /// \details PUBLIC_KEYLENGTH is the size of the public key, in bytes.
362 CRYPTOPP_CONSTANT(PUBLIC_KEYLENGTH = 32);
363 /// \brief Size of the signature
364 /// \details SIGNATURE_LENGTH is the size of the signature, in bytes.
365 /// ed25519 is a DL-based signature scheme. The signature is the
366 /// concatenation of <tt>r || s</tt>.
367 CRYPTOPP_CONSTANT(SIGNATURE_LENGTH = 64);
368
369 virtual ~ed25519PrivateKey() {}
370
371 // CryptoMaterial
372 bool Validate(RandomNumberGenerator &rng, unsigned int level) const;
373 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
374 void AssignFrom(const NameValuePairs &source);
375
376 // GroupParameters
378 return m_oid.Empty() ? ASN1::Ed25519() : m_oid;
379 }
380
381 /// \brief DER encode ASN.1 object
382 /// \param bt BufferedTransformation object
383 /// \details Save() will write the OID associated with algorithm or scheme.
384 /// In the case of public and private keys, this function writes the
385 /// subjectPublicKeyInfo parts.
386 /// \details The default OID is from RFC 8410 using <tt>id-Ed25519</tt>.
387 /// The default private key format is RFC 5208, which is the old format.
388 /// The old format provides the best interop, and keys will work
389 /// with OpenSSL.
390 /// \sa <A HREF="http://tools.ietf.org/rfc/rfc5958.txt">RFC 5958, Asymmetric
391 /// Key Packages</A>
392 void Save(BufferedTransformation &bt) const {
393 DEREncode(bt, 0);
394 }
395
396 /// \brief DER encode ASN.1 object
397 /// \param bt BufferedTransformation object
398 /// \param v1 flag indicating v1
399 /// \details Save() will write the OID associated with algorithm or scheme.
400 /// In the case of public and private keys, this function writes the
401 /// subjectPublicKeyInfo parts.
402 /// \details The default OID is from RFC 8410 using <tt>id-Ed25519</tt>.
403 /// The default private key format is RFC 5208.
404 /// \details v1 means INTEGER 0 is written. INTEGER 0 means
405 /// RFC 5208 format, which is the old format. The old format provides
406 /// the best interop, and keys will work with OpenSSL. The other
407 /// option uses INTEGER 1. INTEGER 1 means RFC 5958 format,
408 /// which is the new format.
409 /// \sa <A HREF="http://tools.ietf.org/rfc/rfc5958.txt">RFC 5958, Asymmetric
410 /// Key Packages</A>
411 void Save(BufferedTransformation &bt, bool v1) const {
412 DEREncode(bt, v1 ? 0 : 1);
413 }
414
415 /// \brief BER decode ASN.1 object
416 /// \param bt BufferedTransformation object
417 /// \sa <A HREF="http://tools.ietf.org/rfc/rfc5958.txt">RFC 5958, Asymmetric
418 /// Key Packages</A>
420 BERDecode(bt);
421 }
422
423 /// \brief Initializes a public key from this key
424 /// \param pub reference to a public key
425 void MakePublicKey(PublicKey &pub) const;
426
427 // PKCS8PrivateKey
429 void DEREncode(BufferedTransformation &bt) const { DEREncode(bt, 0); }
430 void BERDecodePrivateKey(BufferedTransformation &bt, bool parametersPresent, size_t size);
432
433 /// \brief DER encode ASN.1 object
434 /// \param bt BufferedTransformation object
435 /// \param version indicates version
436 /// \details DEREncode() will write the OID associated with algorithm or
437 /// scheme. In the case of public and private keys, this function writes
438 /// the subjectPublicKeyInfo parts.
439 /// \details The default OID is from RFC 8410 using <tt>id-X25519</tt>.
440 /// The default private key format is RFC 5208.
441 /// \details The value of version is written as the INTEGER. INTEGER 0 means
442 /// RFC 5208 format, which is the old format. The old format provides
443 /// the best interop, and keys will work with OpenSSL. The INTEGER 1
444 /// means RFC 5958 format, which is the new format.
445 void DEREncode(BufferedTransformation &bt, int version) const;
446
447 /// \brief Determine if OID is valid for this object
448 /// \details BERDecodeAndCheckAlgorithmID() parses the OID from
449 /// <tt>bt</tt> and determines if it valid for this object. The
450 /// problem in practice is there are multiple OIDs available to
451 /// denote curve25519 operations. The OIDs include an old GNU
452 /// OID used by SSH, OIDs specified in draft-josefsson-pkix-newcurves,
453 /// and OIDs specified in draft-ietf-curdle-pkix.
454 /// \details By default BERDecodeAndCheckAlgorithmID() accepts an
455 /// OID set by the user, <tt>ASN1::curve25519()</tt> and <tt>ASN1::Ed25519()</tt>.
456 /// <tt>ASN1::curve25519()</tt> is generic and says "this key is valid for
457 /// curve25519 operations". <tt>ASN1::Ed25519()</tt> is specific and says
458 /// "this key is valid for ed25519 signing."
460
461 // PKCS8PrivateKey
462 void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &params);
463 void SetPrivateExponent(const byte x[SECRET_KEYLENGTH]);
464 void SetPrivateExponent(const Integer &x);
465 const Integer& GetPrivateExponent() const;
466
467 /// \brief Test if a key has small order
468 /// \param y public key
469 bool IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const;
470
471 /// \brief Retrieve private key byte array
472 /// \return the private key byte array
473 /// \details GetPrivateKeyBytePtr() is used by signing code to call ed25519_sign.
474 const byte* GetPrivateKeyBytePtr() const {
475 return m_sk.begin();
476 }
477
478 /// \brief Retrieve public key byte array
479 /// \return the public key byte array
480 /// \details GetPublicKeyBytePtr() is used by signing code to call ed25519_sign.
481 const byte* GetPublicKeyBytePtr() const {
482 return m_pk.begin();
483 }
484
485protected:
486 // Create a public key from a private key
487 void SecretToPublicKey(byte y[PUBLIC_KEYLENGTH], const byte x[SECRET_KEYLENGTH]) const;
488
489protected:
492 OID m_oid; // preferred OID
493 mutable Integer m_x; // for DL_PrivateKey
494};
495
496/// \brief Ed25519 signature algorithm
497/// \since Crypto++ 8.0
499{
500 /// \brief Size of the private key
501 /// \details SECRET_KEYLENGTH is the size of the private key, in bytes.
502 CRYPTOPP_CONSTANT(SECRET_KEYLENGTH = 32);
503 /// \brief Size of the public key
504 /// \details PUBLIC_KEYLENGTH is the size of the public key, in bytes.
505 CRYPTOPP_CONSTANT(PUBLIC_KEYLENGTH = 32);
506 /// \brief Size of the signature
507 /// \details SIGNATURE_LENGTH is the size of the signature, in bytes.
508 /// ed25519 is a DL-based signature scheme. The signature is the
509 /// concatenation of <tt>r || s</tt>.
510 CRYPTOPP_CONSTANT(SIGNATURE_LENGTH = 64);
511 typedef Integer Element;
512
513 virtual ~ed25519Signer() {}
514
515 /// \brief Create an ed25519Signer object
517
518 /// \brief Create an ed25519Signer object
519 /// \param y public key
520 /// \param x private key
521 /// \details This constructor creates an ed25519Signer object using existing parameters.
522 /// \note The public key is not validated.
523 ed25519Signer(const byte y[PUBLIC_KEYLENGTH], const byte x[SECRET_KEYLENGTH]);
524
525 /// \brief Create an ed25519Signer object
526 /// \param x private key
527 /// \details This constructor creates an ed25519Signer object using existing parameters.
528 /// The public key is calculated from the private key.
529 ed25519Signer(const byte x[SECRET_KEYLENGTH]);
530
531 /// \brief Create an ed25519Signer object
532 /// \param y public key
533 /// \param x private key
534 /// \details This constructor creates an ed25519Signer object using existing parameters.
535 /// \note The public key is not validated.
536 ed25519Signer(const Integer &y, const Integer &x);
537
538 /// \brief Create an ed25519Signer object
539 /// \param x private key
540 /// \details This constructor creates an ed25519Signer object using existing parameters.
541 /// The public key is calculated from the private key.
542 ed25519Signer(const Integer &x);
543
544 /// \brief Create an ed25519Signer object
545 /// \param key PKCS8 private key
546 /// \details This constructor creates an ed25519Signer object using existing private key.
547 /// \note The keys are not validated.
548 /// \since Crypto++ 8.6
549 ed25519Signer(const PKCS8PrivateKey &key);
550
551 /// \brief Create an ed25519Signer object
552 /// \param rng RandomNumberGenerator derived class
553 /// \details This constructor creates a new ed25519Signer using the random number generator.
555
556 /// \brief Create an ed25519Signer object
557 /// \param params public and private key
558 /// \details This constructor creates an ed25519Signer object using existing parameters.
559 /// The <tt>params</tt> can be created with <tt>Save</tt>.
560 /// \note The public key is not validated.
562
563 // DL_ObjectImplBase
564 /// \brief Retrieves a reference to a Private Key
565 /// \details AccessKey() retrieves a non-const reference to a private key.
566 PrivateKey& AccessKey() { return m_key; }
567 PrivateKey& AccessPrivateKey() { return m_key; }
568
569 /// \brief Retrieves a reference to a Private Key
570 /// \details AccessKey() retrieves a const reference to a private key.
571 const PrivateKey& GetKey() const { return m_key; }
572 const PrivateKey& GetPrivateKey() const { return m_key; }
573
574 // DL_SignatureSchemeBase
575 size_t SignatureLength() const { return SIGNATURE_LENGTH; }
576 size_t MaxRecoverableLength() const { return 0; }
577 size_t MaxRecoverableLengthFromSignatureLength(size_t signatureLength) const {
578 CRYPTOPP_UNUSED(signatureLength); return 0;
579 }
580
581 bool IsProbabilistic() const { return false; }
582 bool AllowNonrecoverablePart() const { return false; }
583 bool RecoverablePartFirst() const { return false; }
584
588
589 void InputRecoverableMessage(PK_MessageAccumulator &messageAccumulator, const byte *recoverableMessage, size_t recoverableMessageLength) const {
590 CRYPTOPP_UNUSED(messageAccumulator); CRYPTOPP_UNUSED(recoverableMessage);
591 CRYPTOPP_UNUSED(recoverableMessageLength);
592 throw NotImplemented("ed25519Signer: this object does not support recoverable messages");
593 }
594
595 size_t SignAndRestart(RandomNumberGenerator &rng, PK_MessageAccumulator &messageAccumulator, byte *signature, bool restart) const;
596
597 /// \brief Sign a stream
598 /// \param rng a RandomNumberGenerator derived class
599 /// \param stream an std::istream derived class
600 /// \param signature a block of bytes for the signature
601 /// \return actual signature length
602 /// \details SignStream() handles large streams. The Stream functions were added to
603 /// ed25519 for signing and verifying files that are too large for a memory allocation.
604 /// The functions are not present in other library signers and verifiers.
605 /// \details ed25519 is a deterministic signature scheme. <tt>IsProbabilistic()</tt>
606 /// returns false and the random number generator can be <tt>NullRNG()</tt>.
607 /// \pre <tt>COUNTOF(signature) == MaxSignatureLength()</tt>
608 /// \since Crypto++ 8.1
609 size_t SignStream (RandomNumberGenerator &rng, std::istream& stream, byte *signature) const;
610
611protected:
612 ed25519PrivateKey m_key;
613};
614
615// ****************** ed25519 Verifier *********************** //
616
617/// \brief Ed25519 public key
618/// \details ed25519PublicKey is somewhat of a hack. It needed to
619/// provide DL_PublicKey interface to fit into the existing
620/// framework, but it lacks a lot of the internals of a true
621/// DL_PublicKey. The missing pieces include GroupParameters
622/// and Point, which provide the low level field operations
623/// found in traditional implementations like NIST curves over
624/// prime and binary fields.
625/// \details ed25519PublicKey is also unusual because the
626/// class members of interest are byte arrays and not Integers.
627/// In addition, the byte arrays are little-endian meaning
628/// LSB is at element 0 and the MSB is at element 31.
629/// If you call GetPublicElement() then the little-endian byte
630/// array is converted to a big-endian Integer() so it can be
631/// returned the way a caller expects. And calling
632/// SetPublicElement() performs a similar internal conversion.
633/// \since Crypto++ 8.0
635{
636 /// \brief Size of the public key
637 /// \details PUBLIC_KEYLENGTH is the size of the public key, in bytes.
638 CRYPTOPP_CONSTANT(PUBLIC_KEYLENGTH = 32);
639 typedef Integer Element;
640
641 virtual ~ed25519PublicKey() {}
642
644 return m_oid.Empty() ? ASN1::Ed25519() : m_oid;
645 }
646
647 /// \brief DER encode ASN.1 object
648 /// \param bt BufferedTransformation object
649 /// \details Save() will write the OID associated with algorithm or scheme.
650 /// In the case of public and private keys, this function writes the
651 /// subjectPublicKeyInfo parts.
652 /// \details The default OID is from RFC 8410 using <tt>id-X25519</tt>.
653 /// The default private key format is RFC 5208, which is the old format.
654 /// The old format provides the best interop, and keys will work
655 /// with OpenSSL.
656 void Save(BufferedTransformation &bt) const {
657 DEREncode(bt);
658 }
659
660 /// \brief BER decode ASN.1 object
661 /// \param bt BufferedTransformation object
662 /// \sa <A HREF="http://tools.ietf.org/rfc/rfc5958.txt">RFC 5958, Asymmetric
663 /// Key Packages</A>
665 BERDecode(bt);
666 }
667
668 // X509PublicKey
670 void DEREncode(BufferedTransformation &bt) const;
671 void BERDecodePublicKey(BufferedTransformation &bt, bool parametersPresent, size_t size);
673
674 /// \brief Determine if OID is valid for this object
675 /// \details BERDecodeAndCheckAlgorithmID() parses the OID from
676 /// <tt>bt</tt> and determines if it valid for this object. The
677 /// problem in practice is there are multiple OIDs available to
678 /// denote curve25519 operations. The OIDs include an old GNU
679 /// OID used by SSH, OIDs specified in draft-josefsson-pkix-newcurves,
680 /// and OIDs specified in draft-ietf-curdle-pkix.
681 /// \details By default BERDecodeAndCheckAlgorithmID() accepts an
682 /// OID set by the user, <tt>ASN1::curve25519()</tt> and <tt>ASN1::Ed25519()</tt>.
683 /// <tt>ASN1::curve25519()</tt> is generic and says "this key is valid for
684 /// curve25519 operations". <tt>ASN1::Ed25519()</tt> is specific and says
685 /// "this key is valid for ed25519 signing."
687
688 bool Validate(RandomNumberGenerator &rng, unsigned int level) const;
689 bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const;
690 void AssignFrom(const NameValuePairs &source);
691
692 // DL_PublicKey
693 void SetPublicElement(const byte y[PUBLIC_KEYLENGTH]);
694 void SetPublicElement(const Element &y);
695 const Element& GetPublicElement() const;
696
697 /// \brief Retrieve public key byte array
698 /// \return the public key byte array
699 /// \details GetPublicKeyBytePtr() is used by signing code to call ed25519_sign.
700 const byte* GetPublicKeyBytePtr() const {
701 return m_pk.begin();
702 }
703
704protected:
706 OID m_oid; // preferred OID
707 mutable Integer m_y; // for DL_PublicKey
708};
709
710/// \brief Ed25519 signature verification algorithm
711/// \since Crypto++ 8.0
713{
714 CRYPTOPP_CONSTANT(PUBLIC_KEYLENGTH = 32);
715 CRYPTOPP_CONSTANT(SIGNATURE_LENGTH = 64);
716 typedef Integer Element;
717
718 virtual ~ed25519Verifier() {}
719
720 /// \brief Create an ed25519Verifier object
722
723 /// \brief Create an ed25519Verifier object
724 /// \param y public key
725 /// \details This constructor creates an ed25519Verifier object using existing parameters.
726 /// \note The public key is not validated.
727 ed25519Verifier(const byte y[PUBLIC_KEYLENGTH]);
728
729 /// \brief Create an ed25519Verifier object
730 /// \param y public key
731 /// \details This constructor creates an ed25519Verifier object using existing parameters.
732 /// \note The public key is not validated.
733 ed25519Verifier(const Integer &y);
734
735 /// \brief Create an ed25519Verifier object
736 /// \param key X509 public key
737 /// \details This constructor creates an ed25519Verifier object using an existing public key.
738 /// \note The public key is not validated.
739 /// \since Crypto++ 8.6
740 ed25519Verifier(const X509PublicKey &key);
741
742 /// \brief Create an ed25519Verifier object
743 /// \param params public and private key
744 /// \details This constructor creates an ed25519Verifier object using existing parameters.
745 /// The <tt>params</tt> can be created with <tt>Save</tt>.
746 /// \note The public key is not validated.
748
749 /// \brief Create an ed25519Verifier object
750 /// \param signer ed25519 signer object
751 /// \details This constructor creates an ed25519Verifier object using existing parameters.
752 /// The <tt>params</tt> can be created with <tt>Save</tt>.
753 /// \note The public key is not validated.
754 ed25519Verifier(const ed25519Signer& signer);
755
756 // DL_ObjectImplBase
757 /// \brief Retrieves a reference to a Public Key
758 /// \details AccessKey() retrieves a non-const reference to a public key.
759 PublicKey& AccessKey() { return m_key; }
760 PublicKey& AccessPublicKey() { return m_key; }
761
762 /// \brief Retrieves a reference to a Public Key
763 /// \details GetKey() retrieves a const reference to a public key.
764 const PublicKey& GetKey() const { return m_key; }
765 const PublicKey& GetPublicKey() const { return m_key; }
766
767 // DL_SignatureSchemeBase
768 size_t SignatureLength() const { return SIGNATURE_LENGTH; }
769 size_t MaxRecoverableLength() const { return 0; }
770 size_t MaxRecoverableLengthFromSignatureLength(size_t signatureLength) const {
771 CRYPTOPP_UNUSED(signatureLength); return 0;
772 }
773
774 bool IsProbabilistic() const { return false; }
775 bool AllowNonrecoverablePart() const { return false; }
776 bool RecoverablePartFirst() const { return false; }
777
781
782 void InputSignature(PK_MessageAccumulator &messageAccumulator, const byte *signature, size_t signatureLength) const {
783 CRYPTOPP_ASSERT(signature != NULLPTR);
784 CRYPTOPP_ASSERT(signatureLength == SIGNATURE_LENGTH);
785 ed25519_MessageAccumulator& accum = static_cast<ed25519_MessageAccumulator&>(messageAccumulator);
786 if (signature && signatureLength)
787 std::memcpy(accum.signature(), signature, STDMIN((size_t)SIGNATURE_LENGTH, signatureLength));
788 }
789
790 bool VerifyAndRestart(PK_MessageAccumulator &messageAccumulator) const;
791
792 /// \brief Check whether input signature is a valid signature for input message
793 /// \param stream an std::istream derived class
794 /// \param signature a pointer to the signature over the message
795 /// \param signatureLen the size of the signature
796 /// \return true if the signature is valid, false otherwise
797 /// \details VerifyStream() handles large streams. The Stream functions were added to
798 /// ed25519 for signing and verifying files that are too large for a memory allocation.
799 /// The functions are not present in other library signers and verifiers.
800 /// \since Crypto++ 8.1
801 bool VerifyStream(std::istream& stream, const byte *signature, size_t signatureLen) const;
802
803 DecodingResult RecoverAndRestart(byte *recoveredMessage, PK_MessageAccumulator &messageAccumulator) const {
804 CRYPTOPP_UNUSED(recoveredMessage); CRYPTOPP_UNUSED(messageAccumulator);
805 throw NotImplemented("ed25519Verifier: this object does not support recoverable messages");
806 }
807
808protected:
809 ed25519PublicKey m_key;
810};
811
812/// \brief Ed25519 signature scheme
813/// \sa <A HREF="http://cryptopp.com/wiki/Ed25519">Ed25519</A> on the Crypto++ wiki.
814/// \since Crypto++ 8.0
816{
817 /// \brief ed25519 Signer
819 /// \brief ed25519 Verifier
821};
822
823NAMESPACE_END // CryptoPP
824
825#endif // CRYPTOPP_XED25519_H
Interface for buffered transformations.
Definition cryptlib.h:1657
Interface for crypto parameters.
Definition cryptlib.h:2551
Fixed size stack-based SecBlock.
Definition secblock.h:1246
Multiple precision integer with arithmetic operations.
Definition integer.h:50
Interface for retrieving values given their names.
Definition cryptlib.h:327
A method was called which was not implemented.
Definition cryptlib.h:238
Object Identifier.
Definition asn.h:265
bool Empty() const
Determine if OID is empty.
Definition asn.h:311
Interface for accumulating messages to be signed or verified.
Definition cryptlib.h:2866
Interface for public-key signers.
Definition cryptlib.h:2882
Interface for public-key signature verifiers.
Definition cryptlib.h:2946
Encodes and Decodes privateKeyInfo.
Definition asn.h:749
Interface for private keys.
Definition cryptlib.h:2546
Interface for public keys.
Definition cryptlib.h:2541
Interface for random number generators.
Definition cryptlib.h:1440
iterator begin()
Provides an iterator pointing to the first element in the memory block.
Definition secblock.h:836
Interface for domains of simple key agreement protocols.
Definition cryptlib.h:3018
Encodes and decodes subjectPublicKeyInfo.
Definition asn.h:703
x25519 with key validation
Definition xed25519.h:55
bool IsClamped(const byte x[SECRET_KEYLENGTH]) const
Determine if private key is clamped.
Definition xed25519.cpp:133
unsigned int PublicKeyLength() const
Provides the size of the public key.
Definition xed25519.h:238
void BERDecodePrivateKey(BufferedTransformation &bt, bool parametersPresent, size_t size)
Decode privateKey part of privateKeyInfo.
Definition xed25519.cpp:238
unsigned int AgreedValueLength() const
Provides the size of the agreed value.
Definition xed25519.h:236
bool Agree(byte *agreedValue, const byte *privateKey, const byte *otherPublicKey, bool validateOtherPublicKey=true) const
Derive agreed value.
Definition xed25519.cpp:366
static const int PUBLIC_KEYLENGTH
Size of the public key.
Definition xed25519.h:62
unsigned int PrivateKeyLength() const
Provides the size of the private key.
Definition xed25519.h:237
x25519(const OID &oid)
Create a x25519 object.
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition xed25519.cpp:290
void GeneratePrivateKey(RandomNumberGenerator &rng, byte *privateKey) const
Generate private key in this domain.
Definition xed25519.cpp:354
bool IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const
Test if a key has small order.
Definition xed25519.cpp:138
void ClampKey(byte x[SECRET_KEYLENGTH]) const
Clamp a private key.
Definition xed25519.cpp:128
void BERDecodeAndCheckAlgorithmID(BufferedTransformation &bt)
Determine if OID is valid for this object.
Definition xed25519.cpp:148
void DEREncodePrivateKey(BufferedTransformation &bt) const
Encode privateKey part of privateKeyInfo.
Definition xed25519.cpp:259
void Save(BufferedTransformation &bt, bool v1) const
DER encode ASN.1 object.
Definition xed25519.h:186
void Save(BufferedTransformation &bt) const
DER encode ASN.1 object.
Definition xed25519.h:167
void DEREncode(BufferedTransformation &bt) const
Encode this object into a BufferedTransformation.
Definition xed25519.h:200
bool Validate(RandomNumberGenerator &rng, unsigned int level) const
Check this object for errors.
Definition xed25519.cpp:267
void Load(BufferedTransformation &bt)
BER decode ASN.1 object.
Definition xed25519.h:194
void BERDecode(BufferedTransformation &bt)
Decode this object from a BufferedTransformation.
Definition xed25519.cpp:166
CryptoParameters & AccessCryptoParameters()
Retrieves a reference to Crypto Parameters.
Definition xed25519.h:154
x25519()
Create a x25519 object.
Definition xed25519.h:74
static const int SECRET_KEYLENGTH
Size of the private key.
Definition xed25519.h:59
void AssignFrom(const NameValuePairs &source)
Assign values to this object.
Definition xed25519.cpp:319
void GeneratePublicKey(RandomNumberGenerator &rng, const byte *privateKey, byte *publicKey) const
Generate a public key from a private key in this domain.
Definition xed25519.cpp:360
OID GetAlgorithmID() const
Get the Object Identifier.
Definition xed25519.h:138
static const int SHARED_KEYLENGTH
Size of the shared key.
Definition xed25519.h:65
void SetAlgorithmID(const OID &oid)
Set the Object Identifier.
Definition xed25519.h:144
void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &params)
Generate a random key or crypto parameters.
Definition xed25519.cpp:343
Abstract base classes that provide a uniform interface to this library.
const T & STDMIN(const T &a, const T &b)
Replacement function for std::min.
Definition misc.h:657
Crypto++ library namespace.
ASN.1 object identifiers for algorithms and schemes.
This file contains helper classes/functions for implementing public key algorithms.
Returns a decoding results.
Definition cryptlib.h:283
ed25519 message accumulator
Definition xed25519.h:279
ed25519_MessageAccumulator()
Create a message accumulator.
Definition xed25519.h:284
void Restart()
Reset the accumulator.
Definition xed25519.h:304
size_t size() const
Retrieve size of data buffer.
Definition xed25519.h:329
const byte * data() const
Retrieve pointer to data buffer.
Definition xed25519.h:323
ed25519_MessageAccumulator(RandomNumberGenerator &rng)
Create a message accumulator.
Definition xed25519.h:291
void Update(const byte *msg, size_t len)
Add data to the accumulator.
Definition xed25519.h:298
byte * signature()
Retrieve pointer to signature buffer.
Definition xed25519.h:311
const byte * signature() const
Retrieve pointer to signature buffer.
Definition xed25519.h:317
Ed25519 signature scheme.
Definition xed25519.h:816
ed25519Verifier Verifier
ed25519 Verifier
Definition xed25519.h:820
ed25519Signer Signer
ed25519 Signer
Definition xed25519.h:818
Ed25519 private key.
Definition xed25519.h:356
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition xed25519.cpp:410
const byte * GetPrivateKeyBytePtr() const
Retrieve private key byte array.
Definition xed25519.h:474
void GenerateRandom(RandomNumberGenerator &rng, const NameValuePairs &params)
Generate a random key or crypto parameters.
Definition xed25519.cpp:466
void MakePublicKey(PublicKey &pub) const
Initializes a public key from this key.
Definition xed25519.cpp:477
OID GetAlgorithmID() const
Retrieves the OID of the algorithm.
Definition xed25519.h:377
bool Validate(RandomNumberGenerator &rng, unsigned int level) const
Check this object for errors.
Definition xed25519.cpp:390
void DEREncode(BufferedTransformation &bt) const
Encode this object into a BufferedTransformation.
Definition xed25519.h:429
static const int SIGNATURE_LENGTH
Size of the signature.
Definition xed25519.h:367
void Save(BufferedTransformation &bt, bool v1) const
DER encode ASN.1 object.
Definition xed25519.h:411
void DEREncodePrivateKey(BufferedTransformation &bt) const
Encode privateKey part of privateKeyInfo.
Definition xed25519.cpp:591
void AssignFrom(const NameValuePairs &source)
Assign values to this object.
Definition xed25519.cpp:439
void BERDecodeAndCheckAlgorithmID(BufferedTransformation &bt)
Determine if OID is valid for this object.
Definition xed25519.cpp:484
void BERDecode(BufferedTransformation &bt)
Decode this object from a BufferedTransformation.
Definition xed25519.cpp:499
bool IsSmallOrder(const byte y[PUBLIC_KEYLENGTH]) const
Test if a key has small order.
Definition xed25519.cpp:385
const byte * GetPublicKeyBytePtr() const
Retrieve public key byte array.
Definition xed25519.h:481
void Load(BufferedTransformation &bt)
BER decode ASN.1 object.
Definition xed25519.h:419
void BERDecodePrivateKey(BufferedTransformation &bt, bool parametersPresent, size_t size)
Decode privateKey part of privateKeyInfo.
Definition xed25519.cpp:570
static const int SECRET_KEYLENGTH
Size of the private key.
Definition xed25519.h:359
void Save(BufferedTransformation &bt) const
DER encode ASN.1 object.
Definition xed25519.h:392
static const int PUBLIC_KEYLENGTH
Size of the public key.
Definition xed25519.h:362
Ed25519 public key.
Definition xed25519.h:635
void BERDecode(BufferedTransformation &bt)
Decode this object from a BufferedTransformation.
Definition xed25519.cpp:764
void Load(BufferedTransformation &bt)
BER decode ASN.1 object.
Definition xed25519.h:664
static const int PUBLIC_KEYLENGTH
Size of the public key.
Definition xed25519.h:638
void BERDecodeAndCheckAlgorithmID(BufferedTransformation &bt)
Determine if OID is valid for this object.
Definition xed25519.cpp:749
bool GetVoidValue(const char *name, const std::type_info &valueType, void *pValue) const
Get a named value.
Definition xed25519.cpp:712
void DEREncodePublicKey(BufferedTransformation &bt) const
Encode subjectPublicKey part of subjectPublicKeyInfo.
Definition xed25519.cpp:809
void Save(BufferedTransformation &bt) const
DER encode ASN.1 object.
Definition xed25519.h:656
void BERDecodePublicKey(BufferedTransformation &bt, bool parametersPresent, size_t size)
Decode subjectPublicKey part of subjectPublicKeyInfo.
Definition xed25519.cpp:791
const byte * GetPublicKeyBytePtr() const
Retrieve public key byte array.
Definition xed25519.h:700
OID GetAlgorithmID() const
Retrieves the OID of the algorithm.
Definition xed25519.h:643
void DEREncode(BufferedTransformation &bt) const
Encode this object into a BufferedTransformation.
Definition xed25519.cpp:778
bool Validate(RandomNumberGenerator &rng, unsigned int level) const
Check this object for errors.
Definition xed25519.cpp:835
void AssignFrom(const NameValuePairs &source)
Assign values to this object.
Definition xed25519.cpp:734
Ed25519 signature algorithm.
Definition xed25519.h:499
bool RecoverablePartFirst() const
Determines whether the recoverable part must be input before the non-recoverable part.
Definition xed25519.h:583
bool IsProbabilistic() const
Determines whether a signature scheme requires a random number generator.
Definition xed25519.h:581
ed25519Signer()
Create an ed25519Signer object.
Definition xed25519.h:516
PrivateKey & AccessPrivateKey()
Retrieves a reference to a Private Key.
Definition xed25519.h:567
const PrivateKey & GetKey() const
Retrieves a reference to a Private Key.
Definition xed25519.h:571
bool AllowNonrecoverablePart() const
Determines whether the non-recoverable message part can be signed.
Definition xed25519.h:582
size_t SignAndRestart(RandomNumberGenerator &rng, PK_MessageAccumulator &messageAccumulator, byte *signature, bool restart) const
Sign and restart messageAccumulator.
Definition xed25519.cpp:684
static const int PUBLIC_KEYLENGTH
Size of the public key.
Definition xed25519.h:505
size_t MaxRecoverableLength() const
Provides the length of longest message that can be recovered.
Definition xed25519.h:576
static const int SECRET_KEYLENGTH
Size of the private key.
Definition xed25519.h:502
const PrivateKey & GetPrivateKey() const
Retrieves a reference to a Private Key.
Definition xed25519.h:572
static const int SIGNATURE_LENGTH
Size of the signature.
Definition xed25519.h:510
size_t SignStream(RandomNumberGenerator &rng, std::istream &stream, byte *signature) const
Sign a stream.
Definition xed25519.cpp:699
void InputRecoverableMessage(PK_MessageAccumulator &messageAccumulator, const byte *recoverableMessage, size_t recoverableMessageLength) const
Input a recoverable message to an accumulator.
Definition xed25519.h:589
PK_MessageAccumulator * NewSignatureAccumulator(RandomNumberGenerator &rng) const
Create a new HashTransformation to accumulate the message to be signed.
Definition xed25519.h:585
PrivateKey & AccessKey()
Retrieves a reference to a Private Key.
Definition xed25519.h:566
size_t SignatureLength() const
Provides the signature length if it only depends on the key.
Definition xed25519.h:575
size_t MaxRecoverableLengthFromSignatureLength(size_t signatureLength) const
Provides the length of longest message that can be recovered from a signature of given length.
Definition xed25519.h:577
Ed25519 signature verification algorithm.
Definition xed25519.h:713
bool VerifyAndRestart(PK_MessageAccumulator &messageAccumulator) const
Check whether messageAccumulator contains a valid signature and message, and restart messageAccumulat...
Definition xed25519.cpp:879
PublicKey & AccessPublicKey()
Retrieves a reference to a Public Key.
Definition xed25519.h:760
void InputSignature(PK_MessageAccumulator &messageAccumulator, const byte *signature, size_t signatureLength) const
Input signature into a message accumulator.
Definition xed25519.h:782
ed25519Verifier()
Create an ed25519Verifier object.
Definition xed25519.h:721
size_t SignatureLength() const
Provides the signature length if it only depends on the key.
Definition xed25519.h:768
DecodingResult RecoverAndRestart(byte *recoveredMessage, PK_MessageAccumulator &messageAccumulator) const
Recover a message from its signature.
Definition xed25519.h:803
ed25519_MessageAccumulator * NewVerificationAccumulator() const
Create a new HashTransformation to accumulate the message to be verified.
Definition xed25519.h:778
size_t MaxRecoverableLength() const
Provides the length of longest message that can be recovered.
Definition xed25519.h:769
bool RecoverablePartFirst() const
Determines whether the recoverable part must be input before the non-recoverable part.
Definition xed25519.h:776
size_t MaxRecoverableLengthFromSignatureLength(size_t signatureLength) const
Provides the length of longest message that can be recovered from a signature of given length.
Definition xed25519.h:770
const PublicKey & GetKey() const
Retrieves a reference to a Public Key.
Definition xed25519.h:764
bool AllowNonrecoverablePart() const
Determines whether the non-recoverable message part can be signed.
Definition xed25519.h:775
bool VerifyStream(std::istream &stream, const byte *signature, size_t signatureLen) const
Check whether input signature is a valid signature for input message.
Definition xed25519.cpp:889
PublicKey & AccessKey()
Retrieves a reference to a Public Key.
Definition xed25519.h:759
const PublicKey & GetPublicKey() const
Retrieves a reference to a Public Key.
Definition xed25519.h:765
bool IsProbabilistic() const
Determines whether a signature scheme requires a random number generator.
Definition xed25519.h:774
#define CRYPTOPP_ASSERT(exp)
Debugging and diagnostic assertion.
Definition trap.h:68