Skip to main content

ed25519_dalek/
verifying.rs

1// -*- mode: rust; -*-
2//
3// This file is part of ed25519-dalek.
4// Copyright (c) 2017-2019 isis lovecruft
5// See LICENSE for licensing information.
6//
7// Authors:
8// - isis agora lovecruft <[email protected]>
9
10//! ed25519 public keys.
11
12use core::fmt::Debug;
13use core::hash::{Hash, Hasher};
14
15use curve25519_dalek::{
16    digest::{Digest, array::typenum::U64},
17    edwards::{CompressedEdwardsY, EdwardsPoint},
18    montgomery::MontgomeryPoint,
19    scalar::Scalar,
20};
21
22use ed25519::signature::{MultipartVerifier, Verifier};
23
24use sha2::Sha512;
25
26#[cfg(feature = "pkcs8")]
27use ed25519::pkcs8;
28
29#[cfg(feature = "serde")]
30use serde::{Deserialize, Deserializer, Serialize, Serializer};
31
32#[cfg(feature = "digest")]
33use crate::context::Context;
34#[cfg(feature = "digest")]
35use curve25519_dalek::digest::Update;
36#[cfg(feature = "digest")]
37use signature::DigestVerifier;
38
39use crate::{
40    constants::PUBLIC_KEY_LENGTH,
41    errors::{InternalError, SignatureError},
42    hazmat::ExpandedSecretKey,
43    signature::InternalSignature,
44    signing::SigningKey,
45};
46
47#[cfg(feature = "hazmat")]
48mod stream;
49#[cfg(feature = "hazmat")]
50pub use self::stream::StreamVerifier;
51
52/// An ed25519 public key.
53///
54/// # Note
55///
56/// The `Eq` and `Hash` impls here use the compressed Edwards y encoding, _not_ the algebraic
57/// representation. This means if this `VerifyingKey` is non-canonically encoded, it will be
58/// considered unequal to the other equivalent encoding, despite the two representing the same
59/// point. More encoding details can be found
60/// [here](https://hdevalence.ca/blog/2020-10-04-its-25519am).
61/// If you want to make sure that signatures produced with respect to those sorts of public keys
62/// are rejected, use [`VerifyingKey::verify_strict`].
63// Invariant: VerifyingKey.1 is always the decompression of VerifyingKey.0
64#[derive(Copy, Clone, Default, Eq)]
65pub struct VerifyingKey {
66    /// Serialized compressed Edwards-y point.
67    pub(crate) compressed: CompressedEdwardsY,
68
69    /// Decompressed Edwards point used for curve arithmetic operations.
70    pub(crate) point: EdwardsPoint,
71}
72
73impl Debug for VerifyingKey {
74    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
75        write!(f, "VerifyingKey({:?}), {:?})", self.compressed, self.point)
76    }
77}
78
79impl AsRef<[u8]> for VerifyingKey {
80    fn as_ref(&self) -> &[u8] {
81        self.as_bytes()
82    }
83}
84
85impl Hash for VerifyingKey {
86    fn hash<H: Hasher>(&self, state: &mut H) {
87        self.as_bytes().hash(state);
88    }
89}
90
91impl PartialEq<VerifyingKey> for VerifyingKey {
92    fn eq(&self, other: &VerifyingKey) -> bool {
93        self.as_bytes() == other.as_bytes()
94    }
95}
96
97impl From<&ExpandedSecretKey> for VerifyingKey {
98    /// Derive this public key from its corresponding `ExpandedSecretKey`.
99    fn from(expanded_secret_key: &ExpandedSecretKey) -> VerifyingKey {
100        VerifyingKey::from(EdwardsPoint::mul_base(&expanded_secret_key.scalar))
101    }
102}
103
104impl From<&SigningKey> for VerifyingKey {
105    fn from(signing_key: &SigningKey) -> VerifyingKey {
106        signing_key.verifying_key()
107    }
108}
109
110impl From<EdwardsPoint> for VerifyingKey {
111    fn from(point: EdwardsPoint) -> VerifyingKey {
112        VerifyingKey {
113            point,
114            compressed: point.compress(),
115        }
116    }
117}
118
119impl VerifyingKey {
120    /// Convert this public key to a byte array.
121    #[inline]
122    pub fn to_bytes(&self) -> [u8; PUBLIC_KEY_LENGTH] {
123        self.compressed.to_bytes()
124    }
125
126    /// View this public key as a byte array.
127    #[inline]
128    pub fn as_bytes(&self) -> &[u8; PUBLIC_KEY_LENGTH] {
129        &(self.compressed).0
130    }
131
132    /// Construct a `VerifyingKey` from a slice of bytes.
133    ///
134    /// Verifies the point is valid under [ZIP-215] rules. RFC 8032 / NIST point validation criteria
135    /// are currently unsupported (see [dalek-cryptography/curve25519-dalek#626]).
136    ///
137    /// # Example
138    ///
139    /// ```
140    /// use ed25519_dalek::VerifyingKey;
141    /// use ed25519_dalek::PUBLIC_KEY_LENGTH;
142    /// use ed25519_dalek::SignatureError;
143    ///
144    /// # fn doctest() -> Result<VerifyingKey, SignatureError> {
145    /// let public_key_bytes: [u8; PUBLIC_KEY_LENGTH] = [
146    ///    215,  90, 152,   1, 130, 177,  10, 183, 213,  75, 254, 211, 201, 100,   7,  58,
147    ///     14, 225, 114, 243, 218, 166,  35,  37, 175,   2,  26, 104, 247,   7,   81, 26];
148    ///
149    /// let public_key = VerifyingKey::from_bytes(&public_key_bytes)?;
150    /// #
151    /// # Ok(public_key)
152    /// # }
153    /// #
154    /// # fn main() {
155    /// #     doctest();
156    /// # }
157    /// ```
158    ///
159    /// # Returns
160    ///
161    /// A `Result` whose okay value is an EdDSA `VerifyingKey` or whose error value
162    /// is a `SignatureError` describing the error that occurred.
163    ///
164    /// [ZIP-215]: https://zips.z.cash/zip-0215
165    /// [dalek-cryptography/curve25519-dalek#626]: https://github.com/dalek-cryptography/curve25519-dalek/issues/626
166    #[inline]
167    pub fn from_bytes(bytes: &[u8; PUBLIC_KEY_LENGTH]) -> Result<VerifyingKey, SignatureError> {
168        let compressed = CompressedEdwardsY(*bytes);
169        let point = compressed
170            .decompress()
171            .ok_or(InternalError::PointDecompression)?;
172
173        // Invariant: VerifyingKey.1 is always the decompression of VerifyingKey.0
174        Ok(VerifyingKey { compressed, point })
175    }
176
177    /// Create a verifying context that can be used for Ed25519ph with
178    /// [`DigestVerifier`].
179    #[cfg(feature = "digest")]
180    pub fn with_context<'k, 'v>(
181        &'k self,
182        context_value: &'v [u8],
183    ) -> Result<Context<'k, 'v, Self>, SignatureError> {
184        Context::new(self, context_value)
185    }
186
187    /// Returns whether this is a _weak_ public key, i.e., if this public key has low order.
188    ///
189    /// A weak public key can be used to generate a signature that's valid for almost every
190    /// message. [`Self::verify_strict`] denies weak keys, but if you want to check for this
191    /// property before verification, then use this method.
192    pub fn is_weak(&self) -> bool {
193        self.point.is_small_order()
194    }
195
196    /// The ordinary non-batched Ed25519 verification check, rejecting non-canonical R values. (see
197    /// [`Self::RCompute`]). `CtxDigest` is the digest used to calculate the pseudorandomness
198    /// needed for signing. According to the spec, `CtxDigest = Sha512`.
199    ///
200    /// This definition is loose in its parameters so that end-users of the `hazmat` module can
201    /// change how the `ExpandedSecretKey` is calculated and which hash function to use.
202    #[allow(non_snake_case)]
203    pub(crate) fn raw_verify<CtxDigest>(
204        &self,
205        message: &[&[u8]],
206        signature: &ed25519::Signature,
207    ) -> Result<(), SignatureError>
208    where
209        CtxDigest: Digest<OutputSize = U64>,
210    {
211        let signature = InternalSignature::try_from(signature)?;
212
213        let expected_R = RCompute::<CtxDigest>::compute(self, signature, None, message);
214        if expected_R == signature.R {
215            Ok(())
216        } else {
217            Err(InternalError::Verify.into())
218        }
219    }
220
221    /// The prehashed non-batched Ed25519 verification check, rejecting non-canonical R values.
222    /// (see [`Self::recompute_R`]). `CtxDigest` is the digest used to calculate the
223    /// pseudorandomness needed for signing. `MsgDigest` is the digest used to hash the signed
224    /// message. According to the spec, `MsgDigest = CtxDigest = Sha512`.
225    ///
226    /// This definition is loose in its parameters so that end-users of the `hazmat` module can
227    /// change how the `ExpandedSecretKey` is calculated and which hash function to use.
228    #[cfg(feature = "digest")]
229    #[allow(non_snake_case)]
230    pub(crate) fn raw_verify_prehashed<CtxDigest, MsgDigest>(
231        &self,
232        prehashed_message: MsgDigest,
233        context: Option<&[u8]>,
234        signature: &ed25519::Signature,
235    ) -> Result<(), SignatureError>
236    where
237        CtxDigest: Digest<OutputSize = U64>,
238        MsgDigest: Digest<OutputSize = U64>,
239    {
240        let signature = InternalSignature::try_from(signature)?;
241
242        let ctx: &[u8] = context.unwrap_or(b"");
243        debug_assert!(
244            ctx.len() <= 255,
245            "The context must not be longer than 255 octets."
246        );
247
248        let message = prehashed_message.finalize();
249
250        let expected_R = RCompute::<CtxDigest>::compute(self, signature, Some(ctx), &[&message]);
251
252        if expected_R == signature.R {
253            Ok(())
254        } else {
255            Err(InternalError::Verify.into())
256        }
257    }
258
259    /// Verify a `signature` on a `prehashed_message` using the Ed25519ph algorithm.
260    ///
261    /// # Inputs
262    ///
263    /// * `prehashed_message` is an instantiated hash digest with 512-bits of
264    ///   output which has had the message to be signed previously fed into its
265    ///   state.
266    /// * `context` is an optional context string, up to 255 bytes inclusive,
267    ///   which may be used to provide additional domain separation.  If not
268    ///   set, this will default to an empty string.
269    /// * `signature` is a purported Ed25519ph signature on the `prehashed_message`.
270    ///
271    /// # Returns
272    ///
273    /// Returns `true` if the `signature` was a valid signature created by this
274    /// [`SigningKey`] on the `prehashed_message`.
275    ///
276    /// # Note
277    ///
278    /// The RFC only permits SHA-512 to be used for prehashing, i.e., `MsgDigest = Sha512`. This
279    /// function technically works, and is probably safe to use, with any secure hash function with
280    /// 512-bit digests, but anything outside of SHA-512 is NOT specification-compliant. We expose
281    /// [`crate::Sha512`] for user convenience.
282    #[cfg(feature = "digest")]
283    #[allow(non_snake_case)]
284    pub fn verify_prehashed<MsgDigest>(
285        &self,
286        prehashed_message: MsgDigest,
287        context: Option<&[u8]>,
288        signature: &ed25519::Signature,
289    ) -> Result<(), SignatureError>
290    where
291        MsgDigest: Digest<OutputSize = U64>,
292    {
293        self.raw_verify_prehashed::<Sha512, MsgDigest>(prehashed_message, context, signature)
294    }
295
296    /// Strictly verify a signature on a message with this keypair's public key.
297    ///
298    /// # On The (Multiple) Sources of Malleability in Ed25519 Signatures
299    ///
300    /// This version of verification is technically non-RFC8032 compliant.  The
301    /// following explains why.
302    ///
303    /// 1. Scalar Malleability
304    ///
305    /// The authors of the RFC explicitly stated that verification of an ed25519
306    /// signature must fail if the scalar `s` is not properly reduced mod $\ell$:
307    ///
308    /// > To verify a signature on a message M using public key A, with F
309    /// > being 0 for Ed25519ctx, 1 for Ed25519ph, and if Ed25519ctx or
310    /// > Ed25519ph is being used, C being the context, first split the
311    /// > signature into two 32-octet halves.  Decode the first half as a
312    /// > point R, and the second half as an integer S, in the range
313    /// > 0 <= s < L.  Decode the public key A as point A'.  If any of the
314    /// > decodings fail (including S being out of range), the signature is
315    /// > invalid.)
316    ///
317    /// All `verify_*()` functions within ed25519-dalek perform this check.
318    ///
319    /// 2. Point malleability
320    ///
321    /// The authors of the RFC added in a malleability check to step #3 in
322    /// ยง5.1.7, for small torsion components in the `R` value of the signature,
323    /// *which is not strictly required*, as they state:
324    ///
325    /// > Check the group equation \[8\]\[S\]B = \[8\]R + \[8\]\[k\]A'.  It's
326    /// > sufficient, but not required, to instead check \[S\]B = R + \[k\]A'.
327    ///
328    /// # History of Malleability Checks
329    ///
330    /// As originally defined (cf. the "Malleability" section in the README of
331    /// this repo), ed25519 signatures didn't consider *any* form of
332    /// malleability to be an issue.  Later the scalar malleability was
333    /// considered important.  Still later, particularly with interests in
334    /// cryptocurrency design and in unique identities (e.g. for Signal users,
335    /// Tor onion services, etc.), the group element malleability became a
336    /// concern.
337    ///
338    /// However, libraries had already been created to conform to the original
339    /// definition.  One well-used library in particular even implemented the
340    /// group element malleability check, *but only for batch verification*!
341    /// Which meant that even using the same library, a single signature could
342    /// verify fine individually, but suddenly, when verifying it with a bunch
343    /// of other signatures, the whole batch would fail!
344    ///
345    /// # "Strict" Verification
346    ///
347    /// This method performs *both* of the above signature malleability checks.
348    ///
349    /// It must be done as a separate method because one doesn't simply get to
350    /// change the definition of a cryptographic primitive ten years
351    /// after-the-fact with zero consideration for backwards compatibility in
352    /// hardware and protocols which have it already have the older definition
353    /// baked in.
354    ///
355    /// # Return
356    ///
357    /// Returns `Ok(())` if the signature is valid, and `Err` otherwise.
358    #[allow(non_snake_case)]
359    pub fn verify_strict(
360        &self,
361        message: &[u8],
362        signature: &ed25519::Signature,
363    ) -> Result<(), SignatureError> {
364        let signature = InternalSignature::try_from(signature)?;
365
366        let signature_R = signature
367            .R
368            .decompress()
369            .ok_or_else(|| SignatureError::from(InternalError::Verify))?;
370
371        // Logical OR is fine here as we're not trying to be constant time.
372        if signature_R.is_small_order() || self.point.is_small_order() {
373            return Err(InternalError::Verify.into());
374        }
375
376        let expected_R = RCompute::<Sha512>::compute(self, signature, None, &[message]);
377        if expected_R == signature.R {
378            Ok(())
379        } else {
380            Err(InternalError::Verify.into())
381        }
382    }
383
384    /// Constructs stream verifier with candidate `signature`.
385    ///
386    /// Useful for cases where the whole message is not available all at once, allowing the
387    /// internal signature state to be updated incrementally and verified at the end. In some cases,
388    /// this will reduce the need for additional allocations.
389    #[cfg(feature = "hazmat")]
390    pub fn verify_stream(
391        &self,
392        signature: &ed25519::Signature,
393    ) -> Result<StreamVerifier, SignatureError> {
394        let signature = InternalSignature::try_from(signature)?;
395        Ok(StreamVerifier::new(*self, signature))
396    }
397
398    /// Verify a `signature` on a `prehashed_message` using the Ed25519ph algorithm,
399    /// using strict signature checking as defined by [`Self::verify_strict`].
400    ///
401    /// # Inputs
402    ///
403    /// * `prehashed_message` is an instantiated hash digest with 512-bits of
404    ///   output which has had the message to be signed previously fed into its
405    ///   state.
406    /// * `context` is an optional context string, up to 255 bytes inclusive,
407    ///   which may be used to provide additional domain separation.  If not
408    ///   set, this will default to an empty string.
409    /// * `signature` is a purported Ed25519ph signature on the `prehashed_message`.
410    ///
411    /// # Returns
412    ///
413    /// Returns `true` if the `signature` was a valid signature created by this
414    /// [`SigningKey`] on the `prehashed_message`.
415    ///
416    /// # Note
417    ///
418    /// The RFC only permits SHA-512 to be used for prehashing, i.e., `MsgDigest = Sha512`. This
419    /// function technically works, and is probably safe to use, with any secure hash function with
420    /// 512-bit digests, but anything outside of SHA-512 is NOT specification-compliant. We expose
421    /// [`crate::Sha512`] for user convenience.
422    #[cfg(feature = "digest")]
423    #[allow(non_snake_case)]
424    pub fn verify_prehashed_strict<MsgDigest>(
425        &self,
426        prehashed_message: MsgDigest,
427        context: Option<&[u8]>,
428        signature: &ed25519::Signature,
429    ) -> Result<(), SignatureError>
430    where
431        MsgDigest: Digest<OutputSize = U64>,
432    {
433        let signature = InternalSignature::try_from(signature)?;
434
435        let ctx: &[u8] = context.unwrap_or(b"");
436        debug_assert!(
437            ctx.len() <= 255,
438            "The context must not be longer than 255 octets."
439        );
440
441        let signature_R = signature
442            .R
443            .decompress()
444            .ok_or_else(|| SignatureError::from(InternalError::Verify))?;
445
446        // Logical OR is fine here as we're not trying to be constant time.
447        if signature_R.is_small_order() || self.point.is_small_order() {
448            return Err(InternalError::Verify.into());
449        }
450
451        let message = prehashed_message.finalize();
452        let expected_R = RCompute::<Sha512>::compute(self, signature, Some(ctx), &[&message]);
453
454        if expected_R == signature.R {
455            Ok(())
456        } else {
457            Err(InternalError::Verify.into())
458        }
459    }
460
461    /// Convert this verifying key into Montgomery form.
462    ///
463    /// This can be used for performing X25519 Diffie-Hellman using Ed25519 keys. The output of
464    /// this function is a valid X25519 public key whose secret key is `sk.to_scalar_bytes()`,
465    /// where `sk` is a valid signing key for this `VerifyingKey`.
466    ///
467    /// # Note
468    ///
469    /// We do NOT recommend this usage of a signing/verifying key. Signing keys are usually
470    /// long-term keys, while keys used for key exchange should rather be ephemeral. If you can
471    /// help it, use a separate key for encryption.
472    ///
473    /// For more information on the security of systems which use the same keys for both signing
474    /// and Diffie-Hellman, see the paper
475    /// [On using the same key pair for Ed25519 and an X25519 based KEM](https://eprint.iacr.org/2021/509).
476    pub fn to_montgomery(&self) -> MontgomeryPoint {
477        self.point.to_montgomery()
478    }
479
480    /// Return this verifying key in Edwards form.
481    pub fn to_edwards(&self) -> EdwardsPoint {
482        self.point
483    }
484}
485
486/// Helper for verification. Computes the _expected_ R component of the signature. The
487/// caller compares this to the real R component.
488/// This computes `H(R || A || M)` where `H` is the 512-bit hash function
489/// given by `CtxDigest` (this is SHA-512 in spec-compliant Ed25519).
490///
491/// For pre-hashed variants a `h` with the context already included can be provided.
492/// Note that this returns the compressed form of R and the caller does a byte comparison. This
493/// means that all our verification functions do not accept non-canonically encoded R values.
494/// See the validation criteria blog post for more details:
495///     https://hdevalence.ca/blog/2020-10-04-its-25519am
496pub(crate) struct RCompute<CtxDigest> {
497    key: VerifyingKey,
498    signature: InternalSignature,
499    h: CtxDigest,
500}
501
502#[allow(non_snake_case)]
503impl<CtxDigest> RCompute<CtxDigest>
504where
505    CtxDigest: Digest<OutputSize = U64>,
506{
507    /// If `prehash_ctx.is_some()`, this does the prehashed variant of the computation using its
508    /// contents.
509    pub(crate) fn compute(
510        key: &VerifyingKey,
511        signature: InternalSignature,
512        prehash_ctx: Option<&[u8]>,
513        message: &[&[u8]],
514    ) -> CompressedEdwardsY {
515        let mut c = Self::new(key, signature, prehash_ctx);
516        message.iter().for_each(|slice| c.update(slice));
517        c.finish()
518    }
519
520    pub(crate) fn new(
521        key: &VerifyingKey,
522        signature: InternalSignature,
523        prehash_ctx: Option<&[u8]>,
524    ) -> Self {
525        let R = &signature.R;
526        let A = &key.compressed;
527
528        let mut h = CtxDigest::new();
529        if let Some(c) = prehash_ctx {
530            h.update(b"SigEd25519 no Ed25519 collisions");
531            h.update([1]); // Ed25519ph
532            h.update([c.len() as u8]);
533            h.update(c);
534        }
535
536        h.update(R.as_bytes());
537        h.update(A.as_bytes());
538        Self {
539            key: *key,
540            signature,
541            h,
542        }
543    }
544
545    pub(crate) fn update(&mut self, m: &[u8]) {
546        self.h.update(m)
547    }
548
549    pub(crate) fn finish(self) -> CompressedEdwardsY {
550        let k = Scalar::from_hash(self.h);
551
552        let minus_A: EdwardsPoint = -self.key.point;
553        // Recall the (non-batched) verification equation: -[k]A + [s]B = R
554        EdwardsPoint::vartime_double_scalar_mul_basepoint(&k, &(minus_A), &self.signature.s)
555            .compress()
556    }
557}
558
559impl Verifier<ed25519::Signature> for VerifyingKey {
560    /// Verify a signature on a message with this keypair's public key.
561    ///
562    /// # Return
563    ///
564    /// Returns `Ok(())` if the signature is valid, and `Err` otherwise.
565    fn verify(&self, message: &[u8], signature: &ed25519::Signature) -> Result<(), SignatureError> {
566        self.multipart_verify(&[message], signature)
567    }
568}
569
570impl MultipartVerifier<ed25519::Signature> for VerifyingKey {
571    fn multipart_verify(
572        &self,
573        message: &[&[u8]],
574        signature: &ed25519::Signature,
575    ) -> Result<(), SignatureError> {
576        self.raw_verify::<Sha512>(message, signature)
577    }
578}
579
580/// Equivalent to [`VerifyingKey::verify_prehashed`] with `context` set to [`None`].
581#[cfg(feature = "digest")]
582impl<MsgDigest> DigestVerifier<MsgDigest, ed25519::Signature> for VerifyingKey
583where
584    MsgDigest: Digest<OutputSize = U64> + Update,
585{
586    fn verify_digest<F: Fn(&mut MsgDigest) -> Result<(), SignatureError>>(
587        &self,
588        f: F,
589        signature: &ed25519::Signature,
590    ) -> Result<(), SignatureError> {
591        let mut digest = MsgDigest::new();
592        f(&mut digest)?;
593        self.verify_prehashed(digest, None, signature)
594    }
595}
596
597/// Equivalent to [`VerifyingKey::verify_prehashed`] with `context` set to [`Some`]
598/// containing `self.value()`.
599#[cfg(feature = "digest")]
600impl<MsgDigest> DigestVerifier<MsgDigest, ed25519::Signature> for Context<'_, '_, VerifyingKey>
601where
602    MsgDigest: Digest<OutputSize = U64> + Update,
603{
604    fn verify_digest<F: Fn(&mut MsgDigest) -> Result<(), SignatureError>>(
605        &self,
606        f: F,
607        signature: &ed25519::Signature,
608    ) -> Result<(), SignatureError> {
609        let mut digest = MsgDigest::new();
610        f(&mut digest)?;
611        self.key()
612            .verify_prehashed(digest, Some(self.value()), signature)
613    }
614}
615
616impl TryFrom<&[u8]> for VerifyingKey {
617    type Error = SignatureError;
618
619    #[inline]
620    fn try_from(bytes: &[u8]) -> Result<Self, Self::Error> {
621        let bytes = bytes.try_into().map_err(|_| InternalError::BytesLength {
622            name: "VerifyingKey",
623            length: PUBLIC_KEY_LENGTH,
624        })?;
625        Self::from_bytes(bytes)
626    }
627}
628
629#[cfg(feature = "pkcs8")]
630impl pkcs8::spki::SignatureAlgorithmIdentifier for VerifyingKey {
631    type Params = pkcs8::spki::der::AnyRef<'static>;
632
633    const SIGNATURE_ALGORITHM_IDENTIFIER: pkcs8::spki::AlgorithmIdentifier<Self::Params> =
634        <ed25519::Signature as pkcs8::spki::AssociatedAlgorithmIdentifier>::ALGORITHM_IDENTIFIER;
635}
636
637impl From<VerifyingKey> for EdwardsPoint {
638    fn from(vk: VerifyingKey) -> EdwardsPoint {
639        vk.point
640    }
641}
642
643#[cfg(all(feature = "alloc", feature = "pkcs8"))]
644impl pkcs8::EncodePublicKey for VerifyingKey {
645    fn to_public_key_der(&self) -> pkcs8::spki::Result<pkcs8::Document> {
646        pkcs8::PublicKeyBytes::from(self).to_public_key_der()
647    }
648}
649
650#[cfg(feature = "pkcs8")]
651impl TryFrom<pkcs8::PublicKeyBytes> for VerifyingKey {
652    type Error = pkcs8::spki::Error;
653
654    fn try_from(pkcs8_key: pkcs8::PublicKeyBytes) -> pkcs8::spki::Result<Self> {
655        VerifyingKey::try_from(&pkcs8_key)
656    }
657}
658
659#[cfg(feature = "pkcs8")]
660impl TryFrom<&pkcs8::PublicKeyBytes> for VerifyingKey {
661    type Error = pkcs8::spki::Error;
662
663    fn try_from(pkcs8_key: &pkcs8::PublicKeyBytes) -> pkcs8::spki::Result<Self> {
664        VerifyingKey::from_bytes(pkcs8_key.as_ref()).map_err(|_| pkcs8::spki::Error::KeyMalformed)
665    }
666}
667
668#[cfg(feature = "pkcs8")]
669impl From<VerifyingKey> for pkcs8::PublicKeyBytes {
670    fn from(verifying_key: VerifyingKey) -> pkcs8::PublicKeyBytes {
671        pkcs8::PublicKeyBytes::from(&verifying_key)
672    }
673}
674
675#[cfg(feature = "pkcs8")]
676impl From<&VerifyingKey> for pkcs8::PublicKeyBytes {
677    fn from(verifying_key: &VerifyingKey) -> pkcs8::PublicKeyBytes {
678        pkcs8::PublicKeyBytes(verifying_key.to_bytes())
679    }
680}
681
682#[cfg(feature = "pkcs8")]
683impl TryFrom<pkcs8::spki::SubjectPublicKeyInfoRef<'_>> for VerifyingKey {
684    type Error = pkcs8::spki::Error;
685
686    fn try_from(public_key: pkcs8::spki::SubjectPublicKeyInfoRef<'_>) -> pkcs8::spki::Result<Self> {
687        pkcs8::PublicKeyBytes::try_from(public_key)?.try_into()
688    }
689}
690
691#[cfg(feature = "serde")]
692impl Serialize for VerifyingKey {
693    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
694    where
695        S: Serializer,
696    {
697        serializer.serialize_bytes(&self.as_bytes()[..])
698    }
699}
700
701#[cfg(feature = "serde")]
702impl<'d> Deserialize<'d> for VerifyingKey {
703    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
704    where
705        D: Deserializer<'d>,
706    {
707        struct VerifyingKeyVisitor;
708
709        impl<'de> serde::de::Visitor<'de> for VerifyingKeyVisitor {
710            type Value = VerifyingKey;
711
712            fn expecting(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
713                write!(formatter, "An ed25519 verifying (public) key")
714            }
715
716            fn visit_bytes<E: serde::de::Error>(self, bytes: &[u8]) -> Result<Self::Value, E> {
717                VerifyingKey::try_from(bytes).map_err(E::custom)
718            }
719
720            fn visit_seq<A>(self, mut seq: A) -> Result<Self::Value, A::Error>
721            where
722                A: serde::de::SeqAccess<'de>,
723            {
724                let mut bytes = [0u8; 32];
725
726                #[allow(clippy::needless_range_loop)]
727                for i in 0..32 {
728                    bytes[i] = seq
729                        .next_element()?
730                        .ok_or_else(|| serde::de::Error::invalid_length(i, &"expected 32 bytes"))?;
731                }
732
733                let remaining = (0..)
734                    .map(|_| seq.next_element::<u8>())
735                    .take_while(|el| matches!(el, Ok(Some(_))))
736                    .count();
737
738                if remaining > 0 {
739                    return Err(serde::de::Error::invalid_length(
740                        32 + remaining,
741                        &"expected 32 bytes",
742                    ));
743                }
744
745                VerifyingKey::try_from(&bytes[..]).map_err(serde::de::Error::custom)
746            }
747        }
748
749        deserializer.deserialize_bytes(VerifyingKeyVisitor)
750    }
751}