Test Ed25519 with small- and mixed-order points (#43751)
Add tests to ensure that the Ed25519 Verify implementation checks for
small-order public keys and for a small-order point R in the signature.

Additionally, add tests for mixed-order points, and check that the
cofactorless (unbatched) verification equation is used, as required
by the latest draft.
javifernandez authored Feb 19, 2024
1 parent d643cf9 commit 0926ff5
Showing 3 changed files with 164 additions and 5 deletions.
6 changes: 2 additions & 4 deletions WebCryptoAPI/derive_bits_keys/cfrg_curves_bits.js
@@ -6,8 +6,6 @@ function define_tests() {
// Verify the derive functions perform checks against the all-zero value results,
// ensuring small-order points are rejected.
// https://www.rfc-editor.org/rfc/rfc7748#section-6.1
// TODO: The spec states that the check must be done on use, but there is discussion about doing it on import.
// https://github.com/WICG/webcrypto-secure-curves/pull/13
Object.keys(kSmallOrderPoint).forEach(function(algorithmName) {
kSmallOrderPoint[algorithmName].forEach(function(test) {
promise_test(async() => {
@@ -23,8 +21,8 @@ function define_tests() {
false, [])
derived = await subtle.deriveBits({name: algorithmName, public: publicKey}, privateKey, 8 * sizes[algorithmName]);
} catch (err) {
assert_false(privateKey === undefined, "Private key should be valid.");
assert_false(publicKey === undefined, "Public key should be valid.");
assert_true(privateKey !== undefined, "Private key should be valid.");
assert_true(publicKey !== undefined, "Public key should be valid.");
assert_equals(err.name, "OperationError", "Should throw correct error, not " + err.name + ": " + err.message + ".");
}
assert_equals(derived, undefined, "Operation succeeded, but should not have.");
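Review bot: Nothing in the remaining comment says that a small-order public key is expected to import successfully and be rejected only by deriveBits, assuming the two TODO lines about the import-versus-use discussion are the pair dropped here (the page does not mark sides, but the first hunk shrinks from 8 lines to 6). The catch block encodes exactly that expectation through "Public key should be valid." and the OperationError check, so I would state it next to the RFC 7748 reference, e.g. `// importKey must accept the small-order public key; the rejection happens in deriveBits with an OperationError.` This is a documentation suggestion only; the promise_test body starts and ends outside the visible hunks.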
22 changes: 22 additions & 0 deletions WebCryptoAPI/sign_verify/eddsa.js
@@ -366,6 +366,28 @@ function run_test() {
}, "Sign and verify using generated " + vector.algorithmName + " keys.");
});

// When verifying an Ed25519 or Ed448 signature, if the public key or the first half of the signature (R) is
// an invalid or small-order element, return false.
Object.keys(kSmallOrderTestCases).forEach(function (algorithmName) {
var algorithm = {name: algorithmName};
kSmallOrderTestCases[algorithmName].forEach(function(test) {
// Test low-order public keys
promise_test(async() => {
let isVerified = true;
let publicKey;
try {
publicKey = await subtle.importKey("raw", test.keyData,
algorithm,
false, ["verify"])
isVerified = await subtle.verify(algorithmName, publicKey, test.signature, test.message);
} catch (err) {
assert_equals(isVerified, test.verified, "Signature verification result.");
assert_unreached("The operation shouldn't fail, but it thown this error: " + err.name + ": " + err.message + ".");
}
assert_false(isVerified, "Signature verification result.");
}, algorithmName + " Verification checks with small-order key of order - Test " + test.id);
});
});

// A test vector has all needed fields for signing and verifying, EXCEPT that the
// key field may be null. This function replaces that null with the Correct
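Review bot: The catch block calls `assert_equals(isVerified, test.verified, ...)` before `assert_unreached`, so when importKey or verify throws, isVerified is still its initial `true` and a vector with `verified: false` fails on the generic "Signature verification result." message instead of reporting the error name and message; I would drop that line from the catch. The same field is then ignored after the try/catch, where `assert_false(isVerified, ...)` hard-codes the expectation; the vector file is not visible on this page, so if any case is meant to verify, `assert_equals(isVerified, test.verified, "Signature verification result.");` would keep the test tied to the data. The test title also reads "small-order key of order - Test N" with nothing after "of order", and the inline comment says only "Test low-order public keys" while the block comment covers both the public key and R.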