Fix EDDSA_LEGACY signing/verification with Ed448 keys #1675
Conversation
|
Hm, I'm currently adding more tests, including for Legacy X448 encryption and I wonder, if it's really worth supporting non-standard legacy X488 (with PublicKeyAlgorithmTags.ECDH) and legacy Ed448 (with PublicKeyAlgorithmTags.EDDSA_LEGACY). Originally I thought support for these would be desirable, since the PGPKeyConverter classes had partial support already, but the more I think about it I guess supporting those key types would lead to people generating them, causing interop issues with other implementations. Removing support for non-standard keys would involve reverting some changes from #1663 (simplifying EDDSA_LEGACY branches to always assume Ed25519, removing X448 from the ECDH branches), and removing the LegacyX448KeyPairTest, LegacyEd448KeyPairTest classes. |
vanitasvitae
force-pushed
the
fixEd448Signing
branch
2 times, most recently
from
5f455eb to
04104b0
Compare
|
Usually the best way to deal with this is to support verification, but disable generation, so for now at least the best thing to do would be to revert the ability to use an Ed448 key in this context, but allow the signatures generated that way to be verified. |
|
Apparently, EDDSA_LEGACY+Ed448 is used by LibrePGP, so its debatable, whether it makes sense to deliberately revert signing support, now that its already implemented. I'd leave this decision up to you :) |
vanitasvitae
force-pushed
the
fixEd448Signing
branch
from
04104b0 to
d07266b
Compare
|
Far be it from me to argue with the market on this one! Lets leave it as it be and hope for the best. |
When creating/verifying signatures made using
PublicKeyAlgorithmTags.EDDSA_LEGACY, BC creates Signer object instances of Ed25519. While this is in line with the rfcs (EdDSALegacy is only specified for Ed25519), BC also supports key generation etc. using Ed448.(Do we want to retain support for LEGACY_EDDSA + Ed448?)
(Update: LEGACY_EDDSA + Ed448 is defined in LibrePGP, see #1677 )
As a result, when generating/verifying signatures made using Ed448+EDDSA_LEGACY, BC tries to use Ed25519 signers, which fails.
Further, PGPSignature parses EDDSA_LEGACY signatures only as Ed25519, which means Ed448 signature result in OOB exceptions.
This PR changes the signer/verifier methods to detect, which curve is actually used when a EDDSA_LEGACY key is provided and to return an appropriate signer object accordingly.
The patch also fixes signature parsing for EDDSA_LEGACY Ed448 signatures by inspecting the length of the encoded signature values.