cisco/libacvp

Support for EdDSA

Closed this issue · 10 comments

There is an issue (#639) asking about support for EdDSA that was closed back in August 2021. Has anyone picked up this work? If so, I'd like to help finish it!

I'll be starting this week if I don't get any positive replies here.

Hello,

I have it on the backlog but have not yet had time to add it. Any help adding it as a new algorithm would be greatly appreciated!

Thanks,
Andrew

Understood. I'm picking it up, and I hope to make it a quick turn-around. I'll post progress here.

For anyone interested in an update...

I've completed coding for libacvp, but I can't validate it. I've discovered that OpenSSL is missing some critical functionality in EdDSA, making it a partial implementation at best. I'm planning to hold the work until I can validate all of the changes. If anyone here is waiting on this work, please post here and let me know. If there's strong support for an early release, I'll reconsider.

KeyGen:
Works fine, passes 100%

KeyVer:
https://mta.openssl.org/pipermail/openssl-users/2023-June/016441.html
(Briefly explains the issue, no replies @ 17 days and counting)

Sign/Verify:
https://mta.openssl.org/pipermail/openssl-users/2023-June/016455.html
(Long, detailed explanation of the issue, 1 reply with limited info)

Is there any further update on this support here? OpenSSL seems to have implemented support for all EdDSA curve instances.
openssl/openssl@4f8b7c2#top

I have two clients that completed the EdDSA implementation for PureEdDSA for 3.0 and 3.1, and I've passed testing for both. This testing only validates my libacvp changes for PureEdDSA (complete, with full context support). The code I have should pass HashEdDSA as well, but I'll need to test against 3.2 to confirm. I'll confirm with passing on the Demo server, which should be sufficient.

I'll submit a PR in a week or so with full coverage for EdDSA.

Thanks for the update. Is the response file getting validated by the Demo server in your testing? Just for confirmation. For my response file (that is exactly as in https://pages.nist.gov/ACVP/draft-celi-acvp-eddsa.html#name-eddsa-siggen-test-group-res ), I see the validation log below. (BTW, I am using dpdk-ci tools/acvp for the testing.)

            {
                "tcId": 1,
                "result": "failed",
                "reason": "Validation failed: Failed to verify",
                "expected": {},
                "provided": {}
            },

If it is not an issue through libacvp, please ignore (and I'll find out why).

Thanks for the update @RandallSteck! If/when you do a PR, could you base it in the libacvp_2_1_0-throttle branch?

Thanks,
Andrew

Hello, is there an update for this support here?

After tracing EVP_PKEY_public_check() in OpenSSL 3.2.0, it seems to only check whether there is a public key in the key.
(Ref: https://github.com/openssl/openssl/blob/openssl-3.2.0/providers/implementations/keymgmt/ecx_kmgmt.c#L792)

ecx->haspubkey is ultimately set in ossl_ecx_key_fromdata() if we use EVP_PKEY_new_raw_public_key_ex().

Therefore, I wonder whether it is enough to use EVP_PKEY_public_check() for the EdDSA KeyVer test.

Thank you.

Update:

After doing some research, I think we have to check whether the point is on the curve and other properties. Therefore, we should not use EVP_PKEY_public_check().
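What an on-curve check involves for Ed25519, as an added example that is not code from libacvp, OpenSSL or any commenter in this thread: it follows the point-decoding steps of RFC 8032 section 5.1.3, rejecting non-canonical encodings and y values with no matching x. The function names and the sample set are assumptions made for this illustration, and the thread does not state which further properties a KeyVer test requires.

```python
# Added illustration: Ed25519 public-key decoding per RFC 8032 section 5.1.3.
P = 2**255 - 19                                   # field prime
D = -121665 * pow(121666, P - 2, P) % P           # curve constant d
SQRT_M1 = pow(2, (P - 1) // 4, P)                 # a square root of -1 mod P

def on_curve(x, y):
    """Check the twisted Edwards equation -x^2 + y^2 = 1 + d*x^2*y^2 (mod P)."""
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0

def decode_public_key(raw):
    """Return (x, y) when raw is a canonical encoding of a curve point, else None."""
    if len(raw) != 32:
        return None
    n = int.from_bytes(raw, "little")
    sign, y = n >> 255, n & ((1 << 255) - 1)      # top bit carries the parity of x
    if y >= P:                                    # non-canonical y is rejected
        return None
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    if x2 == 0:                                   # x = 0 has no "negative" form
        return None if sign else (0, y)
    x = pow(x2, (P + 3) // 8, P)                  # candidate square root
    if (x * x - x2) % P != 0:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P != 0:                     # x2 is not a square: no such point
        return None
    if (x & 1) != sign:
        x = P - x
    return (x, y)

# Sample inputs. The first is the public key of RFC 8032 section 7.1 TEST 1;
# the others are constructed for this example.
SAMPLES = {
    "rfc8032_test1": bytes.fromhex(
        "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"),
    "y_equals_p": P.to_bytes(32, "little"),
    "x_zero_sign_set": bytes([1] + [0] * 30 + [0x80]),
    "short": bytes(31),
}

def classify(samples=SAMPLES):
    """Map each sample name to True (decodes to a curve point) or False."""
    return {name: decode_public_key(raw) is not None for name, raw in samples.items()}

if __name__ == "__main__":
    for name, ok in classify().items():
        print(f"{name:16} {'accept' if ok else 'reject'}")
```

A key that is merely present, which is all the presence-style check described above looks at, would pass for every one of these samples; the decoder accepts only the first.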

Hi all,

@0140454 apologies for the delay getting back here. I have run into the exact issue and opened a discussion on the OpenSSL page. I am trying to get more info (they seem to suggest keyVer may not be required). Will update here if I find out more.

EDDSA support (with keyVer disabled in the app for now) has been merged into 2_1_0-throttle, set to come out soon. Closing this issue!

Andrew

Hi Andrew,

Thanks for your work again.

Since we thought it might be useful for the caller who may want to know whether a public key is valid, we introduced a naive implementation of EDDSA KeyVer in our fork of the OpenSSL FIPS provider without consulting the OpenSSL team after my last comment, and passed the CAVP demo test.

However, I appreciate you informing me there is a discussion about this. I will follow up the discussion. Thank you.