diff --git a/libp2p.nimble b/libp2p.nimble
index 0dd9cff66..f0a35c8ca 100644
--- a/libp2p.nimble
+++ b/libp2p.nimble
@@ -21,4 +21,5 @@ task test, "Runs the test suite":
exec "nim c -r tests/testcid"
exec "nim c -r tests/testecnist"
exec "nim c -r tests/testrsa"
+ exec "nim c -r tests/tested25519"
exec "nim c -r tests/testdaemon"
diff --git a/libp2p/crypto/ecnist.nim b/libp2p/crypto/ecnist.nim
index 918aefde4..37a8b15ba 100644
--- a/libp2p/crypto/ecnist.nim
+++ b/libp2p/crypto/ecnist.nim
@@ -7,8 +7,13 @@
## This file may not be copied, modified, or distributed except according to
## those terms.
-## This module implements ECDSA and ECDHE for NIST elliptic curves
-## secp256r1, secp384r1 and secp521r1.
+## This module implements constant-time ECDSA and ECDHE for NIST elliptic
+## curves secp256r1, secp384r1 and secp521r1.
+##
+## This module uses unmodified parts of code from
+## BearSSL library
+## Copyright(C) 2018 Thomas Pornin .
+
import common
import nimcrypto/utils
import minasn1
@@ -95,7 +100,7 @@ proc checkScalar(scalar: openarray[byte], curve: cint): uint32 =
z = z or u
if len(scalar) == orderlen:
for i in 0..= -15:
+ r[i] -= r[i + b] shl b
+ for k in (i + b)..<256:
+ if r[k] == 0'i8:
+ r[k] = 1'i8
+ break
+ r[k] = 0'i8
+ else:
+ break
+ inc(b)
+
+proc geDoubleScalarMultVartime(r: var GeP2, a: openarray[byte], A: GeP3,
+ b: openarray[byte]) =
+ var
+ aslide: array[256, int8]
+ bslide: array[256, int8]
+ ai: array[8, GeCached]
+ t: GeP1P1
+ u: GeP3
+ a2: GeP3
+
+ slide(aslide, a)
+ slide(bslide, b)
+
+ geP3ToCached(ai[0], A)
+ geP3dbl(t, A); geP1P1toP3(a2, t)
+ geAdd(t, a2, ai[0]); geP1P1toP3(u, t); geP3ToCached(ai[1], u)
+ geAdd(t, a2, ai[1]); geP1P1toP3(u, t); geP3ToCached(ai[2], u)
+ geAdd(t, a2, ai[2]); geP1P1toP3(u, t); geP3ToCached(ai[3], u)
+ geAdd(t, a2, ai[3]); geP1P1toP3(u, t); geP3ToCached(ai[4], u)
+ geAdd(t, a2, ai[4]); geP1P1toP3(u, t); geP3ToCached(ai[5], u)
+ geAdd(t, a2, ai[5]); geP1P1toP3(u, t); geP3ToCached(ai[6], u)
+ geAdd(t, a2, ai[6]); geP1P1toP3(u, t); geP3ToCached(ai[7], u)
+ geP20(r)
+
+ var k = 255
+ while k >= 0:
+ if (aslide[k] != 0) or (bslide[k] != 0):
+ break
+ dec(k)
+
+ while k >= 0:
+ geP2dbl(t, r)
+ if aslide[k] > 0:
+ geP1P1toP3(u, t)
+ geAdd(t, u, ai[aslide[k] div 2])
+ elif aslide[k] < 0:
+ geP1P1toP3(u, t)
+ geSub(t, u, ai[(-aslide[k]) div 2])
+ if bslide[k] > 0:
+ geP1P1toP3(u, t)
+ geMadd(t, u, BiPrecomp[bslide[k] div 2])
+ elif bslide[k] < 0:
+ geP1P1toP3(u, t)
+ geMsub(t, u, BiPrecomp[(-bslide[k]) div 2])
+ geP1P1toP2(r, t)
+ dec(k)
+
+proc GT(x, y: uint32): uint32 {.inline.} =
+ var z = cast[uint32](y - x)
+ result = (z xor ((x xor y) and (x xor z))) shr 31
+
+proc CMP(x, y: uint32): int32 {.inline.} =
+ cast[int32](GT(x, y)) or -(cast[int32](GT(y, x)))
+
+proc EQ0(x: int32): uint32 {.inline.} =
+ var q = cast[uint32](x)
+ result = not(q or -q) shr 31
+
+proc NEQ(x, y: uint32): uint32 {.inline.} =
+ var q = cast[uint32](x xor y)
+ result = ((q or -q) shr 31)
+
+proc LT0(x: int32): uint32 {.inline.} =
+ result = cast[uint32](x) shr 31
+
+proc checkScalar*(scalar: openarray[byte]): uint32 =
+ var z = 0'u32
+ var c = 0'i32
+ for u in scalar:
+ z = z or u
+ if len(scalar) == len(CurveOrder):
+ for i in countdown(len(scalar) - 1, 0):
+ c = c or (-(cast[int32](EQ0(c))) and CMP(scalar[i], CurveOrder[i]))
+ else:
+ c = -1
+ result = NEQ(z, 0'u32) and LT0(c)
+
+const
+ EdPrivateKeySize* = 64
+ ## Size in octets (bytes) of serialized ED25519 private key.
+ EdPublicKeySize* = 32
+ ## Size in octets (bytes) of serialized ED25519 public key.
+ EdSignatureSize* = 64
+ ## Size in octets (bytes) of serialized ED25519 signature.
+
+type
+ EdPrivateKey* = object
+ data*: array[EdPrivateKeySize, byte]
+
+ EdPublicKey* = object
+ data*: array[EdPublicKeySize, byte]
+
+ EdSignature* = object
+ data*: array[EdSignatureSize, byte]
+
+ EdKeyPair* = object
+ seckey*: EdPrivateKey
+ pubkey*: EdPublicKey
+
+ EdError* = object of Exception
+ EdRngError* = object of EdError
+ EdIncorrectError* = object of EdError
+
+proc random*(t: typedesc[EdPrivateKey]): EdPrivateKey =
+ ## Generate new random ED25519 private key using OS specific CSPRNG.
+ var
+ point: GeP3
+ pk: array[EdPublicKeySize, byte]
+ if randomBytes(result.data.toOpenArray(0, 31)) != 32:
+ raise newException(EdRngError, "Could not generate random data")
+ var hash = sha512.digest(result.data.toOpenArray(0, 31))
+ hash.data[0] = hash.data[0] and 0xF8'u8
+ hash.data[31] = hash.data[31] and 0x3F'u8
+ hash.data[31] = hash.data[31] or 0x40'u8
+ geScalarMultBase(point, hash.data)
+ geP3ToBytes(pk, point)
+ copyMem(addr result.data[32], addr pk[0], 32)
+
+proc random*(t: typedesc[EdKeyPair]): EdKeyPair =
+ ## Generate new random ED25519 private and public keypair using OS specific
+ ## CSPRNG.
+ var point: GeP3
+ if randomBytes(result.seckey.data.toOpenArray(0, 31)) != 32:
+ raise newException(EdRngError, "Could not generate random data")
+ var hash = sha512.digest(result.seckey.data.toOpenArray(0, 31))
+ hash.data[0] = hash.data[0] and 0xF8'u8
+ hash.data[31] = hash.data[31] and 0x3F'u8
+ hash.data[31] = hash.data[31] or 0x40'u8
+ geScalarMultBase(point, hash.data)
+ geP3ToBytes(result.pubkey.data, point)
+ copyMem(addr result.seckey.data[32], addr result.pubkey.data[0], 32)
+
+proc getKey*(key: EdPrivateKey): EdPublicKey =
+ ## Calculate and return ED25519 public key from private key ``key``.
+ copyMem(addr result.data[0], unsafeAddr key.data[32], 32)
+
+proc toBytes*(key: EdPrivateKey, data: var openarray[byte]): int =
+ ## Serialize ED25519 `private key` ``key`` to raw binary form and store it
+ ## to ``data``.
+ ##
+ ## Procedure returns number of bytes (octets) needed to store
+ ## ED25519 private key.
+ result = len(key.data)
+ if len(data) >= result:
+ copyMem(addr data[0], unsafeAddr key.data[0], len(key.data))
+
+proc toBytes*(key: EdPublicKey, data: var openarray[byte]): int =
+ ## Serialize ED25519 `public key` ``key`` to raw binary form and store it
+ ## to ``data``.
+ ##
+ ## Procedure returns number of bytes (octets) needed to store
+ ## ED25519 public key.
+ result = len(key.data)
+ if len(data) >= result:
+ copyMem(addr data[0], unsafeAddr key.data[0], len(key.data))
+
+proc toBytes*(sig: EdSignature, data: var openarray[byte]): int =
+ ## Serialize ED25519 `signature` ``sig`` to raw binary form and store it
+ ## to ``data``.
+ ##
+ ## Procedure returns number of bytes (octets) needed to store
+ ## ED25519 signature.
+ result = len(sig.data)
+ if len(data) >= result:
+ copyMem(addr data[0], unsafeAddr sig.data[0], len(sig.data))
+
+proc getBytes*(key: EdPrivateKey): seq[byte] = @(key.data)
+ ## Serialize ED25519 `private key` and return it.
+
+proc getBytes*(key: EdPublicKey): seq[byte] = @(key.data)
+ ## Serialize ED25519 `public key` and return it.
+
+proc getBytes*(sig: EdSignature): seq[byte] = @(sig.data)
+ ## Serialize ED25519 `signature` and return it.
+
+proc `==`*(eda, edb: EdPrivateKey): bool =
+ ## Compare ED25519 `private key` objects for equality.
+ result = (eda.data == edb.data)
+
+proc `==`*(eda, edb: EdPublicKey): bool =
+ ## Compare ED25519 `public key` objects for equality.
+ result = (eda.data == edb.data)
+
+proc `==`*(eda, edb: EdSignature): bool =
+ ## Compare ED25519 `signature` objects for equality.
+ result = (eda.data == edb.data)
+
+proc `$`*(key: EdPrivateKey): string = toHex(key.data)
+ ## Return string representation of ED25519 `private key`.
+
+proc `$`*(key: EdPublicKey): string = toHex(key.data)
+ ## Return string representation of ED25519 `private key`.
+
+proc `$`*(sig: EdSignature): string = toHex(sig.data)
+ ## Return string representation of ED25519 `signature`.
+
+proc init*(key: var EdPrivateKey, data: openarray[byte]): bool =
+ ## Initialize ED25519 `private key` ``key`` from raw binary
+ ## representation ``data``.
+ ##
+ ## Procedure returns ``true`` on success.
+ let length = EdPrivateKeySize
+ if len(data) >= length:
+ copyMem(addr key.data[0], unsafeAddr data[0], length)
+ result = true
+
+proc init*(key: var EdPublicKey, data: openarray[byte]): bool =
+ ## Initialize ED25519 `public key` ``key`` from raw binary
+ ## representation ``data``.
+ ##
+ ## Procedure returns ``true`` on success.
+ let length = EdPublicKeySize
+ if len(data) >= length:
+ copyMem(addr key.data[0], unsafeAddr data[0], length)
+ result = true
+
+proc init*(sig: var EdSignature, data: openarray[byte]): bool =
+ ## Initialize ED25519 `signature` ``sig`` from raw binary
+ ## representation ``data``.
+ ##
+ ## Procedure returns ``true`` on success.
+ let length = EdSignatureSize
+ if len(data) >= length:
+ copyMem(addr sig.data[0], unsafeAddr data[0], length)
+ result = true
+
+proc init*(key: var EdPrivateKey, data: string): bool =
+ ## Initialize ED25519 `private key` ``key`` from hexadecimal string
+ ## representation ``data``.
+ ##
+ ## Procedure returns ``true`` on success.
+ result = init(key, fromHex(data))
+
+proc init*(key: var EdPublicKey, data: string): bool =
+ ## Initialize ED25519 `public key` ``key`` from hexadecimal string
+ ## representation ``data``.
+ ##
+ ## Procedure returns ``true`` on success.
+ result = init(key, fromHex(data))
+
+proc init*(sig: var EdSignature, data: string): bool =
+ ## Initialize ED25519 `signature` ``sig`` from hexadecimal string
+ ## representation ``data``.
+ ##
+ ## Procedure returns ``true`` on success.
+ result = init(sig, fromHex(data))
+
+proc init*(t: typedesc[EdPrivateKey], data: openarray[byte]): EdPrivateKey =
+ ## Initialize ED25519 `private key` from raw binary representation ``data``
+ ## and return constructed object.
+ if not init(result, data):
+ raise newException(EdIncorrectError, "Incorrect binary form")
+
+proc init*(t: typedesc[EdPublicKey], data: openarray[byte]): EdPublicKey =
+ ## Initialize ED25519 `public key` from raw binary representation ``data``
+ ## and return constructed object.
+ if not init(result, data):
+ raise newException(EdIncorrectError, "Incorrect binary form")
+
+proc init*(t: typedesc[EdSignature], data: openarray[byte]): EdSignature =
+ ## Initialize ED25519 `signature` from raw binary representation ``data``
+ ## and return constructed object.
+ if not init(result, data):
+ raise newException(EdIncorrectError, "Incorrect binary form")
+
+proc init*(t: typedesc[EdPrivateKey], data: string): EdPrivateKey =
+ ## Initialize ED25519 `private key` from hexadecimal string representation
+ ## ``data`` and return constructed object.
+ if not init(result, data):
+ raise newException(EdIncorrectError, "Incorrect binary form")
+
+proc init*(t: typedesc[EdPublicKey], data: string): EdPublicKey =
+ ## Initialize ED25519 `public key` from hexadecimal string representation
+ ## ``data`` and return constructed object.
+ if not init(result, data):
+ raise newException(EdIncorrectError, "Incorrect binary form")
+
+proc init*(t: typedesc[EdSignature], data: string): EdSignature =
+ ## Initialize ED25519 `signature` from hexadecimal string representation
+ ## ``data`` and return constructed object.
+ if not init(result, data):
+ raise newException(EdIncorrectError, "Incorrect binary form")
+
+proc clear*(key: var EdPrivateKey) =
+ ## Wipe and clear memory of ED25519 `private key`.
+ burnMem(key.data)
+
+proc clear*(key: var EdPublicKey) =
+ ## Wipe and clear memory of ED25519 `public key`.
+ burnMem(key.data)
+
+proc clear*(sig: var EdSignature) =
+ ## Wipe and clear memory of ED25519 `signature`.
+ burnMem(sig.data)
+
+proc clear*(pair: var EdKeyPair) =
+ ## Wipe and clear memory of ED25519 `key pair`.
+ burnMem(pair.seckey.data)
+ burnMem(pair.pubkey.data)
+
+proc sign*[T: byte|char](key: EdPrivateKey,
+ message: openarray[T]): EdSignature {.noinit.} =
+ ## Create ED25519 signature of data ``message`` using private key ``key``.
+ var ctx: sha512
+ var r: GeP3
+
+ ctx.init()
+ ctx.update(key.data.toOpenArray(0, 31))
+ var hash = ctx.finish()
+
+ hash.data[0] = hash.data[0] and 0xF8'u8
+ hash.data[31] = hash.data[31] and 0x3F'u8
+ hash.data[31] = hash.data[31] or 0x40'u8
+
+ ctx.init()
+ ctx.update(hash.data.toOpenArray(32, 63))
+ ctx.update(message)
+ var nonce = ctx.finish()
+
+ scReduce(nonce.data)
+ geScalarMultBase(r, nonce.data)
+ geP3ToBytes(result.data.toOpenArray(0, 31), r)
+
+ ctx.init()
+ ctx.update(result.data.toOpenArray(0, 31))
+ ctx.update(key.data.toOpenArray(32, 63))
+ ctx.update(message)
+ var hram = ctx.finish()
+ ctx.clear()
+
+ scReduce(hram.data)
+ scMulAdd(result.data.toOpenArray(32, 63), hram.data.toOpenArray(0, 31),
+ hash.data.toOpenArray(0, 31), nonce.data.toOpenArray(0, 31))
+
+proc verify*[T: byte|char](sig: EdSignature, message: openarray[T],
+ key: EdPublicKey): bool =
+ ## Verify ED25519 signature ``sig`` using public key ``key`` and data
+ ## ``message``.
+ ##
+ ## Return ``true`` if message verification succeeded, ``false`` if
+ ## verification failed.
+ var ctx: sha512
+ var rcheck: array[32, byte]
+ var a: GeP3
+ var r: GeP2
+ if (sig.data[63] and 0xE0'u8) != 0:
+ return false
+
+ if checkScalar(sig.data.toOpenArray(32, 63)) == 0:
+ return false
+ if geFromBytesNegateVartime(a, key.data.toOpenArray(0, 31)) != 0:
+ return false
+
+ ctx.init()
+ ctx.update(sig.data.toOpenArray(0, 31))
+ ctx.update(key.data.toOpenArray(0, 31))
+ ctx.update(message)
+ var hash = ctx.finish()
+ scReduce(hash.data)
+
+ geDoubleScalarMultVartime(r, hash.data.toOpenArray(0, 31),
+ a, sig.data.toOpenArray(32, 63))
+ geToBytes(rcheck, r)
+
+ result = (verify32(sig.data.toOpenArray(0, 31), rcheck) == 0)
+
+when isMainModule:
+ echo toHex(CurveOrder)
diff --git a/libp2p/crypto/rsa.nim b/libp2p/crypto/rsa.nim
index 56d439a61..8f32b5f24 100644
--- a/libp2p/crypto/rsa.nim
+++ b/libp2p/crypto/rsa.nim
@@ -7,7 +7,12 @@
## This file may not be copied, modified, or distributed except according to
## those terms.
-## This module implements RSA PKCS#1.5 DSA.
+## This module implements constant-time RSA PKCS#1.5 DSA.
+##
+## This module uses unmodified parts of code from
+## BearSSL library
+## Copyright(C) 2018 Thomas Pornin .
+
import nimcrypto/utils
import common, minasn1
export Asn1Status
diff --git a/tests/testdaemon.nim b/tests/testdaemon.nim
index 30efd6fea..756542631 100644
--- a/tests/testdaemon.nim
+++ b/tests/testdaemon.nim
@@ -50,9 +50,10 @@ proc provideCidTest(): Future[bool] {.async.} =
var id2 = await api2.identity()
await api1.connect(id2.peer, id2.addresses)
+
while true:
var peers = await api1.listPeers()
- if len(peers) != 0:
+ if len(peers) > 0:
break
await api1.dhtProvide(cid)
diff --git a/tests/tested25519.nim b/tests/tested25519.nim
new file mode 100644
index 000000000..40ceb2835
--- /dev/null
+++ b/tests/tested25519.nim
@@ -0,0 +1,183 @@
+## Nim-Libp2p
+## Copyright (c) 2018 Status Research & Development GmbH
+## Licensed under either of
+## * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE))
+## * MIT license ([LICENSE-MIT](LICENSE-MIT))
+## at your option.
+## This file may not be copied, modified, or distributed except according to
+## those terms.
+
+## Test vectors are from RFC 8032 (https://tools.ietf.org/html/rfc8032)
+import unittest
+import nimcrypto/utils
+import ../libp2p/crypto/ed25519/ed25519
+
+const TestsCount = 20
+
+const SecretKeys = [
+ """9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60
+ d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a""",
+ """4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb
+ 3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c""",
+ """c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7
+ fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025""",
+ """f5e5767cf153319517630f226876b86c8160cc583bc013744c6bf255f5cc0ee5
+ 278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e""",
+ """833fe62409237b9d62ec77587520911e9a759cec1d19755b7da901b96dca3d42
+ ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf"""
+]
+const PublicKeys = [
+ "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
+ "3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c",
+ "fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025",
+ "278117fc144c72340f67d0f2316e8386ceffbf2b2428c9c51fef7c597f1d426e",
+ "ec172b93ad5e563bf4932c70e1245034c35467ef2efd4d64ebf819683467e2bf"
+]
+
+const Messages = [
+ "", "72", "af82",
+ """08b8b2b733424243760fe426a4b54908632110a66c2f6591eabd3345e3e4eb98
+ fa6e264bf09efe12ee50f8f54e9f77b1e355f6c50544e23fb1433ddf73be84d8
+ 79de7c0046dc4996d9e773f4bc9efe5738829adb26c81b37c93a1b270b20329d
+ 658675fc6ea534e0810a4432826bf58c941efb65d57a338bbd2e26640f89ffbc
+ 1a858efcb8550ee3a5e1998bd177e93a7363c344fe6b199ee5d02e82d522c4fe
+ ba15452f80288a821a579116ec6dad2b3b310da903401aa62100ab5d1a36553e
+ 06203b33890cc9b832f79ef80560ccb9a39ce767967ed628c6ad573cb116dbef
+ efd75499da96bd68a8a97b928a8bbc103b6621fcde2beca1231d206be6cd9ec7
+ aff6f6c94fcd7204ed3455c68c83f4a41da4af2b74ef5c53f1d8ac70bdcb7ed1
+ 85ce81bd84359d44254d95629e9855a94a7c1958d1f8ada5d0532ed8a5aa3fb2
+ d17ba70eb6248e594e1a2297acbbb39d502f1a8c6eb6f1ce22b3de1a1f40cc24
+ 554119a831a9aad6079cad88425de6bde1a9187ebb6092cf67bf2b13fd65f270
+ 88d78b7e883c8759d2c4f5c65adb7553878ad575f9fad878e80a0c9ba63bcbcc
+ 2732e69485bbc9c90bfbd62481d9089beccf80cfe2df16a2cf65bd92dd597b07
+ 07e0917af48bbb75fed413d238f5555a7a569d80c3414a8d0859dc65a46128ba
+ b27af87a71314f318c782b23ebfe808b82b0ce26401d2e22f04d83d1255dc51a
+ ddd3b75a2b1ae0784504df543af8969be3ea7082ff7fc9888c144da2af58429e
+ c96031dbcad3dad9af0dcbaaaf268cb8fcffead94f3c7ca495e056a9b47acdb7
+ 51fb73e666c6c655ade8297297d07ad1ba5e43f1bca32301651339e22904cc8c
+ 42f58c30c04aafdb038dda0847dd988dcda6f3bfd15c4b4c4525004aa06eeff8
+ ca61783aacec57fb3d1f92b0fe2fd1a85f6724517b65e614ad6808d6f6ee34df
+ f7310fdc82aebfd904b01e1dc54b2927094b2db68d6f903b68401adebf5a7e08
+ d78ff4ef5d63653a65040cf9bfd4aca7984a74d37145986780fc0b16ac451649
+ de6188a7dbdf191f64b5fc5e2ab47b57f7f7276cd419c17a3ca8e1b939ae49e4
+ 88acba6b965610b5480109c8b17b80e1b7b750dfc7598d5d5011fd2dcc5600a3
+ 2ef5b52a1ecc820e308aa342721aac0943bf6686b64b2579376504ccc493d97e
+ 6aed3fb0f9cd71a43dd497f01f17c0e2cb3797aa2a2f256656168e6c496afc5f
+ b93246f6b1116398a346f1a641f3b041e989f7914f90cc2c7fff357876e506b5
+ 0d334ba77c225bc307ba537152f3f1610e4eafe595f6d9d90d11faa933a15ef1
+ 369546868a7f3a45a96768d40fd9d03412c091c6315cf4fde7cb68606937380d
+ b2eaaa707b4c4185c32eddcdd306705e4dc1ffc872eeee475a64dfac86aba41c
+ 0618983f8741c5ef68d3a101e8a3b8cac60c905c15fc910840b94c00a0b9d0""",
+ """ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a
+ 2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"""
+
+]
+
+const Signatures = [
+ """e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e06522490155
+ 5fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b""",
+ """92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da
+ 085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c00""",
+ """6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac
+ 18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40a""",
+ """0aab4c900501b3e24d7cdf4663326a3a87df5e4843b2cbdb67cbf6e460fec350
+ aa5371b1508f9f4528ecea23c436d94b5e8fcd4f681e30a6ac00a9704a188a03""",
+ """dc2a4459e7369633a52b1bf277839a00201009a3efbf3ecb69bea2186c26b589
+ 09351fc9ac90b3ecfdfbc7c66431e0303dca179c138ac17ad9bef1177331a704"""
+]
+
+const FailScalars = [
+ "0000000000000000000000000000000000000000000000000000000000000000",
+ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE",
+ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+ "EDD3F55C1A631258D69CF7A2DEF9DE1400000000000000000000000000000010"
+]
+
+const GoodScalars = [
+ "0100000000000000000000000000000000000000000000000000000000000000",
+ "ECD3F55C1A631258D69CF7A2DEF9DE1400000000000000000000000000000010",
+]
+
+suite "Ed25519 test suite":
+ test "Scalar check edge cases test":
+ for item in FailScalars:
+ check checkScalar(fromHex(stripSpaces(item))) == 0
+ for item in GoodScalars:
+ check checkScalar(fromHex(stripSpaces(item))) == 1
+
+ test "Private key serialize/deserialize test":
+ for i in 0.. 0
+ check:
+ rkey1.init(skey1) == true
+ rkey2.init(skey2) == true
+ var rkey3 = EdPrivateKey.init(skey1)
+ var rkey4 = EdPrivateKey.init(skey2)
+ check:
+ rkey1 == key
+ rkey2 == key
+ rkey3 == key
+ rkey4 == key
+ rkey1.clear()
+ rkey2.clear()
+ check:
+ isFullZero(rkey1.data) == true
+ isFullZero(rkey2.data) == true
+
+ test "Public key serialize/deserialize test":
+ for i in 0.. 0
+ rkey1.init(skey1) == true
+ rkey2.init(skey2) == true
+ var rkey3 = EdPublicKey.init(skey1)
+ var rkey4 = EdPublicKey.init(skey2)
+ check:
+ rkey1 == pair.pubkey
+ rkey2 == pair.pubkey
+ rkey3 == pair.pubkey
+ rkey4 == pair.pubkey
+ rkey1.clear()
+ rkey2.clear()
+ check:
+ isFullZero(rkey1.data) == true
+ isFullZero(rkey2.data) == true
+
+ test "RFC8032 test vectors":
+ for i in 0..<5:
+ var key = EdPrivateKey.init(stripSpaces(SecretKeys[i]))
+ var exppub = EdPublicKey.init(stripSpaces(PublicKeys[i]))
+ var pubkey = key.getKey()
+ check pubkey == exppub
+ var msg = fromHex(stripSpaces(Messages[i]))
+ var sig = key.sign(msg)
+ var expsig = EdSignature.init(fromHex(stripSpaces(Signatures[i])))
+ check sig == expsig
+ check sig.verify(msg, pubkey) == true
+ sig.data[32] = not(sig.data[32])
+ check sig.verify(msg, pubkey) == false
+
+ test "Generate/Sign/Serialize/Deserialize/Verify test":
+ var message = "message to sign"
+ for i in 0..