blob: 74fcdcdf4e6612b8259f2f64ad62b20850d7e6d9 [file] [log] [blame]
// Copyright 2021 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package ed25519_test
import (
// TestEd25519Vectors runs a very large set of test vectors that exercise all
// combinations of low-order points, low-order components, and non-canonical
// encodings. These vectors lock in unspecified and spec-divergent behaviors in
// edge cases that are not security relevant in most contexts, but that can
// cause issues in consensus applications if changed.
// Our behavior matches the "classic" unwritten verification rules of the
// "ref10" reference implementation.
// Note that although we test for these edge cases, they are not covered by the
// Go 1 Compatibility Promise. Applications that need stable verification rules
// should use
// See for more details.
func TestEd25519Vectors(t *testing.T) {
jsonVectors := downloadEd25519Vectors(t)
var vectors []struct {
A, R, S, M string
Flags []string
if err := json.Unmarshal(jsonVectors, &vectors); err != nil {
for i, v := range vectors {
expectedToVerify := true
for _, f := range v.Flags {
switch f {
// We use the simplified verification formula that doesn't multiply
// by the cofactor, so any low order residue will cause the
// signature not to verify.
// This is allowed, but not required, by RFC 8032.
case "LowOrderResidue":
expectedToVerify = false
// Our point decoding allows non-canonical encodings (in violation
// of RFC 8032) but R is not decoded: instead, R is recomputed and
// compared bytewise against the canonical encoding.
case "NonCanonicalR":
expectedToVerify = false
publicKey := decodeHex(t, v.A)
signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...)
message := []byte(v.M)
didVerify := ed25519.Verify(publicKey, message, signature)
if didVerify && !expectedToVerify {
t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags)
if !didVerify && expectedToVerify {
t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags)
func downloadEd25519Vectors(t *testing.T) []byte {
// Download the JSON test file from the GOPROXY with `go mod download`,
// pinning the version so test and module caching works as expected.
goTool := testenv.GoToolPath(t)
path := ""
cmd := exec.Command(goTool, "mod", "download", "-json", path)
// TODO: enable the sumdb once the TryBots proxy supports it.
cmd.Env = append(os.Environ(), "GONOSUMDB=*")
output, err := cmd.Output()
if err != nil {
t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output)
var dm struct {
Dir string // absolute path to cached source root directory
if err := json.Unmarshal(output, &dm); err != nil {
jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json"))
if err != nil {
t.Fatalf("failed to read ed25519vectors.json: %v", err)
return jsonVectors
func decodeHex(t *testing.T, s string) []byte {
b, err := hex.DecodeString(s)
if err != nil {
t.Errorf("invalid hex: %v", err)
return b