| // Copyright 2021 The Go Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style |
| // license that can be found in the LICENSE file. |
| |
| package ed25519_test |
| |
| import ( |
| "crypto/ed25519" |
| "encoding/hex" |
| "encoding/json" |
| "internal/testenv" |
| "os" |
| "os/exec" |
| "path/filepath" |
| "testing" |
| ) |
| |
| // TestEd25519Vectors runs a very large set of test vectors that exercise all |
| // combinations of low-order points, low-order components, and non-canonical |
| // encodings. These vectors lock in unspecified and spec-divergent behaviors in |
| // edge cases that are not security relevant in most contexts, but that can |
| // cause issues in consensus applications if changed. |
| // |
| // Our behavior matches the "classic" unwritten verification rules of the |
| // "ref10" reference implementation. |
| // |
| // Note that although we test for these edge cases, they are not covered by the |
| // Go 1 Compatibility Promise. Applications that need stable verification rules |
| // should use github.com/hdevalence/ed25519consensus. |
| // |
| // See https://hdevalence.ca/blog/2020-10-04-its-25519am for more details. |
| func TestEd25519Vectors(t *testing.T) { |
| jsonVectors := downloadEd25519Vectors(t) |
| var vectors []struct { |
| A, R, S, M string |
| Flags []string |
| } |
| if err := json.Unmarshal(jsonVectors, &vectors); err != nil { |
| t.Fatal(err) |
| } |
| for i, v := range vectors { |
| expectedToVerify := true |
| for _, f := range v.Flags { |
| switch f { |
| // We use the simplified verification formula that doesn't multiply |
| // by the cofactor, so any low order residue will cause the |
| // signature not to verify. |
| // |
| // This is allowed, but not required, by RFC 8032. |
| case "LowOrderResidue": |
| expectedToVerify = false |
| // Our point decoding allows non-canonical encodings (in violation |
| // of RFC 8032) but R is not decoded: instead, R is recomputed and |
| // compared bytewise against the canonical encoding. |
| case "NonCanonicalR": |
| expectedToVerify = false |
| } |
| } |
| |
| publicKey := decodeHex(t, v.A) |
| signature := append(decodeHex(t, v.R), decodeHex(t, v.S)...) |
| message := []byte(v.M) |
| |
| didVerify := ed25519.Verify(publicKey, message, signature) |
| if didVerify && !expectedToVerify { |
| t.Errorf("#%d: vector with flags %s unexpectedly verified", i, v.Flags) |
| } |
| if !didVerify && expectedToVerify { |
| t.Errorf("#%d: vector with flags %s unexpectedly rejected", i, v.Flags) |
| } |
| } |
| } |
| |
| func downloadEd25519Vectors(t *testing.T) []byte { |
| testenv.MustHaveExternalNetwork(t) |
| |
| // Download the JSON test file from the GOPROXY with `go mod download`, |
| // pinning the version so test and module caching works as expected. |
| goTool := testenv.GoToolPath(t) |
| path := "filippo.io/mostly-harmless/ed25519vectors@v0.0.0-20210322192420-30a2d7243a94" |
| cmd := exec.Command(goTool, "mod", "download", "-json", path) |
| // TODO: enable the sumdb once the TryBots proxy supports it. |
| cmd.Env = append(os.Environ(), "GONOSUMDB=*") |
| output, err := cmd.Output() |
| if err != nil { |
| t.Fatalf("failed to run `go mod download -json %s`, output: %s", path, output) |
| } |
| var dm struct { |
| Dir string // absolute path to cached source root directory |
| } |
| if err := json.Unmarshal(output, &dm); err != nil { |
| t.Fatal(err) |
| } |
| |
| jsonVectors, err := os.ReadFile(filepath.Join(dm.Dir, "ed25519vectors.json")) |
| if err != nil { |
| t.Fatalf("failed to read ed25519vectors.json: %v", err) |
| } |
| return jsonVectors |
| } |
| |
| func decodeHex(t *testing.T, s string) []byte { |
| t.Helper() |
| b, err := hex.DecodeString(s) |
| if err != nil { |
| t.Errorf("invalid hex: %v", err) |
| } |
| return b |
| } |