ed25519_dalek/verifying.rs
1// -*- mode: rust; -*-
2//
3// This file is part of ed25519-dalek.
4// Copyright (c) 2017-2019 isis lovecruft
5// See LICENSE for licensing information.
6//
7// Authors:
8// - isis agora lovecruft <[email protected]>
9
10//! ed25519 public keys.
11
12use core::fmt::Debug;
13use core::hash::{Hash, Hasher};
14
15use curve25519_dalek::{
16 digest::{Digest, array::typenum::U64},
17 edwards::{CompressedEdwardsY, EdwardsPoint},
18 montgomery::MontgomeryPoint,
19 scalar::Scalar,
20};
21
22use ed25519::signature::{MultipartVerifier, Verifier};
23
24use sha2::Sha512;
25
26#[cfg(feature = "pkcs8")]
27use ed25519::pkcs8;
28
29#[cfg(feature = "serde")]
30use serde::{Deserialize, Deserializer, Serialize, Serializer};
31
32#[cfg(feature = "digest")]
33use crate::context::Context;
34#[cfg(feature = "digest")]
35use curve25519_dalek::digest::Update;
36#[cfg(feature = "digest")]
37use signature::DigestVerifier;
38
39use crate::{
40 constants::PUBLIC_KEY_LENGTH,
41 errors::{InternalError, SignatureError},
42 hazmat::ExpandedSecretKey,
43 signature::InternalSignature,
44 signing::SigningKey,
45};
46
47#[cfg(feature = "hazmat")]
48mod stream;
49#[cfg(feature = "hazmat")]
50pub use self::stream::StreamVerifier;
51
52/// An ed25519 public key.
53///
54/// # Note
55///
56/// The `Eq` and `Hash` impls here use the compressed Edwards y encoding, _not_ the algebraic
57/// representation. This means if this `VerifyingKey` is non-canonically encoded, it will be
58/// considered unequal to the other equivalent encoding, despite the two representing the same
59/// point. More encoding details can be found
60/// [here](https://hdevalence.ca/blog/2020-10-04-its-25519am).
61/// If you want to make sure that signatures produced with respect to those sorts of public keys
62/// are rejected, use [`VerifyingKey::verify_strict`].
63// Invariant: VerifyingKey.1 is always the decompression of VerifyingKey.0
64#[derive(Copy, Clone, Default, Eq)]
65pub struct VerifyingKey {
66 /// Serialized compressed Edwards-y point.
67 pub(crate) compressed: CompressedEdwardsY,
68
69 /// Decompressed Edwards point used for curve arithmetic operations.
70 pub(crate) point: EdwardsPoint,
71}
72
73impl Debug for VerifyingKey {
74 fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
75 write!(f, "VerifyingKey({:?}), {:?})", self.compressed, self.point)
76 }
77}
78
79impl AsRef<[u8]> for VerifyingKey {
80 fn as_ref(&self) -> &[u8] {
81 self.as_bytes()
82 }
83}
84
85impl Hash for VerifyingKey {
86 fn hash<H: Hasher>(&self, state: &mut H) {
87 self.as_bytes().hash(state);
88 }
89}
90
91impl PartialEq<VerifyingKey> for VerifyingKey {
92 fn eq(&self, other: &VerifyingKey) -> bool {
93 self.as_bytes() == other.as_bytes()
94 }
95}
96
97impl From<&ExpandedSecretKey> for VerifyingKey {
98 /// Derive this public key from its corresponding `ExpandedSecretKey`.
99 fn from(expanded_secret_key: &ExpandedSecretKey) -> VerifyingKey {
100 VerifyingKey::from(EdwardsPoint::mul_base(&expanded_secret_key.scalar))
101 }
102}
103
104impl From<&SigningKey> for VerifyingKey {
105 fn from(signing_key: &SigningKey) -> VerifyingKey {
106 signing_key.verifying_key()
107 }
108}
109
110impl From<EdwardsPoint> for VerifyingKey {
111 fn from(point: EdwardsPoint) -> VerifyingKey {
112 VerifyingKey {
113 point,
114 compressed: point.compress(),
115 }
116 }
117}
118
119impl VerifyingKey {
120 /// Convert this public key to a byte array.
121 #[inline]
122 pub fn to_bytes(&self) -> [u8; PUBLIC_KEY_LENGTH] {
123 self.compressed.to_bytes()
124 }
125
126 /// View this public key as a byte array.
127 #[inline]
128 pub fn as_bytes(&self) -> &[u8; PUBLIC_KEY_LENGTH] {
129 &(self.compressed).0
130 }
131
132 /// Construct a `VerifyingKey` from a slice of bytes.
133 ///
134 /// Verifies the point is valid under [ZIP-215] rules. RFC 8032 / NIST point validation criteria
135 /// are currently unsupported (see [dalek-cryptography/curve25519-dalek#626]).
136 ///
137 /// # Example
138 ///
139 /// ```
140 /// use ed25519_dalek::VerifyingKey;
141 /// use ed25519_dalek::PUBLIC_KEY_LENGTH;
142 /// use ed25519_dalek::SignatureError;
143 ///
144 /// # fn doctest() -> Result<VerifyingKey, SignatureError> {
145 /// let public_key_bytes: [u8; PUBLIC_KEY_LENGTH] = [
146 /// 215, 90, 152, 1, 130, 177, 10, 183, 213, 75, 254, 211, 201, 100, 7, 58,
147 /// 14, 225, 114, 243, 218, 166, 35, 37, 175, 2, 26, 104, 247, 7, 81, 26];
148 ///
149 /// let public_key = VerifyingKey::from_bytes(&public_key_bytes)?;
150 /// #
151 /// # Ok(public_key)
152 /// # }
153 /// #
154 /// # fn main() {
155 /// # doctest();
156 /// # }
157 /// ```
158 ///
159 /// # Returns
160 ///
161 /// A `Result` whose okay value is an EdDSA `VerifyingKey` or whose error value
162 /// is a `SignatureError` describing the error that occurred.
163 ///
164 /// [ZIP-215]: https://zips.z.cash/zip-0215
165 /// [dalek-cryptography/curve25519-dalek#626]: https://github.com/dalek-cryptography/curve25519-dalek/issues/626
166 #[inline]
167 pub fn from_bytes(bytes: &[u8; PUBLIC_KEY_LENGTH]) -> Result<VerifyingKey, SignatureError> {
168 let compressed = CompressedEdwardsY(*bytes);
169 let point = compressed
170 .decompress()
171 .ok_or(InternalError::PointDecompression)?;
172
173 // Invariant: VerifyingKey.1 is always the decompression of VerifyingKey.0
174 Ok(VerifyingKey { compressed, point })
175 }
176
177 /// Create a verifying context that can be used for Ed25519ph with
178 /// [`DigestVerifier`].
179 #[cfg(feature = "digest")]
180 pub fn with_context<'k, 'v>(
181 &'k self,
182 context_value: &'v [u8],
183 ) -> Result<Context<'k, 'v, Self>, SignatureError> {
184 Context::new(self, context_value)
185 }
186
187 /// Returns whether this is a _weak_ public key, i.e., if this public key has low order.
188 ///
189 /// A weak public key can be used to generate a signature that's valid for almost every
190 /// message. [`Self::verify_strict`] denies weak keys, but if you want to check for this
191 /// property before verification, then use this method.
192 pub fn is_weak(&self) -> bool {
193 self.point.is_small_order()
194 }
195
196 /// The ordinary non-batched Ed25519 verification check, rejecting non-canonical R values. (see
197 /// [`Self::RCompute`]). `CtxDigest` is the digest used to calculate the pseudorandomness
198 /// needed for signing. According to the spec, `CtxDigest = Sha512`.
199 ///
200 /// This definition is loose in its parameters so that end-users of the `hazmat` module can
201 /// change how the `ExpandedSecretKey` is calculated and which hash function to use.
202 #[allow(non_snake_case)]
203 pub(crate) fn raw_verify<CtxDigest>(
204 &self,
205 message: &[&[u8]],
206 signature: &ed25519::Signature,
207 ) -> Result<(), SignatureError>
208 where
209 CtxDigest: Digest<OutputSize = U64>,
210 {
211 let signature = InternalSignature::try_from(signature)?;
212
213 let expected_R = RCompute::<CtxDigest>::compute(self, signature, None, message);
214 if expected_R == signature.R {
215 Ok(())
216 } else {
217 Err(InternalError::Verify.into())
218 }
219 }
220
221 /// The prehashed non-batched Ed25519 verification check, rejecting non-canonical R values.
222 /// (see [`Self::recompute_R`]). `CtxDigest` is the digest used to calculate the
223 /// pseudorandomness needed for signing. `MsgDigest` is the digest used to hash the signed
224 /// message. According to the spec, `MsgDigest = CtxDigest = Sha512`.
225 ///
226 /// This definition is loose in its parameters so that end-users of the `hazmat` module can
227 /// change how the `ExpandedSecretKey` is calculated and which hash function to use.
228 #[cfg(feature = "digest")]
229 #[allow(non_snake_case)]
230 pub(crate) fn raw_verify_prehashed<CtxDigest, MsgDigest>(
231 &self,
232 prehashed_message: MsgDigest,
233 context: Option<&[u8]>,
234 signature: &ed25519::Signature,
235 ) -> Result<(), SignatureError>
236 where
237 CtxDigest: Digest<OutputSize = U64>,
238 MsgDigest: Digest<OutputSize = U64>,
239 {
240 let signature = InternalSignature::try_from(signature)?;
241
242 let ctx: &[u8] = context.unwrap_or(b"");
243 debug_assert!(
244 ctx.len() <= 255,
245 "The context must not be longer than 255 octets."
246 );
247
248 let message = prehashed_message.finalize();
249
250 let expected_R = RCompute::<CtxDigest>::compute(self, signature, Some(ctx), &[&message]);
251
252 if expected_R == signature.R {
253 Ok(())
254 } else {
255 Err(InternalError::Verify.into())
256 }
257 }
258
259 /// Verify a `signature` on a `prehashed_message` using the Ed25519ph algorithm.
260 ///
261 /// # Inputs
262 ///
263 /// * `prehashed_message` is an instantiated hash digest with 512-bits of
264 /// output which has had the message to be signed previously fed into its
265 /// state.
266 /// * `context` is an optional context string, up to 255 bytes inclusive,
267 /// which may be used to provide additional domain separation. If not
268 /// set, this will default to an empty string.
269 /// * `signature` is a purported Ed25519ph signature on the `prehashed_message`.
270 ///
271 /// # Returns
272 ///
273 /// Returns `true` if the `signature` was a valid signature created by this
274 /// [`SigningKey`] on the `prehashed_message`.
275 ///
276 /// # Note
277 ///
278 /// The RFC only permits SHA-512 to be used for prehashing, i.e., `MsgDigest = Sha512`. This
279 /// function technically works, and is probably safe to use, with any secure hash function with
280 /// 512-bit digests, but anything outside of SHA-512 is NOT specification-compliant. We expose
281 /// [`crate::Sha512`] for user convenience.
282 #[cfg(feature = "digest")]
283 #[allow(non_snake_case)]
284 pub fn verify_prehashed<MsgDigest>(
285 &self,
286 prehashed_message: MsgDigest,
287 context: Option<&[u8]>,
288 signature: &ed25519::Signature,
289 ) -> Result<(), SignatureError>
290 where
291 MsgDigest: Digest<OutputSize = U64>,
292 {
293 self.raw_verify_prehashed::<Sha512, MsgDigest>(prehashed_message, context, signature)
294 }
295
296 /// Strictly verify a signature on a message with this keypair's public key.
297 ///
298 /// # On The (Multiple) Sources of Malleability in Ed25519 Signatures
299 ///
300 /// This version of verification is technically non-RFC8032 compliant. The
301 /// following explains why.
302 ///
303 /// 1. Scalar Malleability
304 ///
305 /// The authors of the RFC explicitly stated that verification of an ed25519
306 /// signature must fail if the scalar `s` is not properly reduced mod $\ell$:
307 ///
308 /// > To verify a signature on a message M using public key A, with F
309 /// > being 0 for Ed25519ctx, 1 for Ed25519ph, and if Ed25519ctx or
310 /// > Ed25519ph is being used, C being the context, first split the
311 /// > signature into two 32-octet halves. Decode the first half as a
312 /// > point R, and the second half as an integer S, in the range
313 /// > 0 <= s < L. Decode the public key A as point A'. If any of the
314 /// > decodings fail (including S being out of range), the signature is
315 /// > invalid.)
316 ///
317 /// All `verify_*()` functions within ed25519-dalek perform this check.
318 ///
319 /// 2. Point malleability
320 ///
321 /// The authors of the RFC added in a malleability check to step #3 in
322 /// ยง5.1.7, for small torsion components in the `R` value of the signature,
323 /// *which is not strictly required*, as they state:
324 ///
325 /// > Check the group equation \[8\]\[S\]B = \[8\]R + \[8\]\[k\]A'. It's
326 /// > sufficient, but not required, to instead check \[S\]B = R + \[k\]A'.
327 ///
328 /// # History of Malleability Checks
329 ///
330 /// As originally defined (cf. the "Malleability" section in the README of
331 /// this repo), ed25519 signatures didn't consider *any* form of
332 /// malleability to be an issue. Later the scalar malleability was
333 /// considered important. Still later, particularly with interests in
334 /// cryptocurrency design and in unique identities (e.g. for Signal users,
335 /// Tor onion services, etc.), the group element malleability became a
336 /// concern.
337 ///
338 /// However, libraries had already been created to conform to the original
339 /// definition. One well-used library in particular even implemented the
340 /// group element malleability check, *but only for batch verification*!
341 /// Which meant that even using the same library, a single signature could
342 /// verify fine individually, but suddenly, when verifying it with a bunch
343 /// of other signatures, the whole batch would fail!
344 ///
345 /// # "Strict" Verification
346 ///
347 /// This method performs *both* of the above signature malleability checks.
348 ///
349 /// It must be done as a separate method because one doesn't simply get to
350 /// change the definition of a cryptographic primitive ten years
351 /// after-the-fact with zero consideration for backwards compatibility in
352 /// hardware and protocols which have it already have the older definition
353 /// baked in.
354 ///
355 /// # Return
356 ///
357 /// Returns `Ok(())` if the signature is valid, and `Err` otherwise.
358 #[allow(non_snake_case)]
359 pub fn verify_strict(
360 &self,
361 message: &[u8],
362 signature: &ed25519::Signature,
363 ) -> Result<(), SignatureError> {
364 let signature = InternalSignature::try_from(signature)?;
365
366 let signature_R = signature
367 .R
368 .decompress()
369 .ok_or_else(|| SignatureError::from(InternalError::Verify))?;
370
371 // Logical OR is fine here as we're not trying to be constant time.
372 if signature_R.is_small_order() || self.point.is_small_order() {
373 return Err(InternalError::Verify.into());
374 }
375
376 let expected_R = RCompute::<Sha512>::compute(self, signature, None, &[message]);
377 if expected_R == signature.R {
378 Ok(())
379 } else {
380 Err(InternalError::Verify.into())
381 }
382 }
383
384 /// Constructs stream verifier with candidate `signature`.
385 ///
386 /// Useful for cases where the whole message is not available all at once, allowing the
387 /// internal signature state to be updated incrementally and verified at the end. In some cases,
388 /// this will reduce the need for additional allocations.
389 #[cfg(feature = "hazmat")]
390 pub fn verify_stream(
391 &self,
392 signature: &ed25519::Signature,
393 ) -> Result<StreamVerifier, SignatureError> {
394 let signature = InternalSignature::try_from(signature)?;
395 Ok(StreamVerifier::new(*self, signature))
396 }
397
398 /// Verify a `signature` on a `prehashed_message` using the Ed25519ph algorithm,
399 /// using strict signature checking as defined by [`Self::verify_strict`].
400 ///
401 /// # Inputs
402 ///
403 /// * `prehashed_message` is an instantiated hash digest with 512-bits of
404 /// output which has had the message to be signed previously fed into its
405 /// state.
406 /// * `context` is an optional context string, up to 255 bytes inclusive,
407 /// which may be used to provide additional domain separation. If not
408 /// set, this will default to an empty string.
409 /// * `signature` is a purported Ed25519ph signature on the `prehashed_message`.
410 ///
411 /// # Returns
412 ///
413 /// Returns `true` if the `signature` was a valid signature created by this
414 /// [`SigningKey`] on the `prehashed_message`.
415 ///
416 /// # Note
417 ///
418 /// The RFC only permits SHA-512 to be used for prehashing, i.e., `MsgDigest = Sha512`. This
419 /// function technically works, and is probably safe to use, with any secure hash function with
420 /// 512-bit digests, but anything outside of SHA-512 is NOT specification-compliant. We expose
421 /// [`crate::Sha512`] for user convenience.
422 #[cfg(feature = "digest")]
423 #[allow(non_snake_case)]
424 pub fn verify_prehashed_strict<MsgDigest>(
425 &self,
426 prehashed_message: MsgDigest,
427 context: Option<&[u8]>,
428 signature: &ed25519::Signature,
429 ) -> Result<(), SignatureError>
430 where
431 MsgDigest: Digest<OutputSize = U64>,
432 {
433 let signature = InternalSignature::try_from(signature)?;
434
435 let ctx: &[u8] = context.unwrap_or(b"");
436 debug_assert!(
437 ctx.len() <= 255,
438 "The context must not be longer than 255 octets."
439 );
440
441 let signature_R = signature
442 .R
443 .decompress()
444 .ok_or_else(|| SignatureError::from(InternalError::Verify))?;
445
446 // Logical OR is fine here as we're not trying to be constant time.
447 if signature_R.is_small_order() || self.point.is_small_order() {
448 return Err(InternalError::Verify.into());
449 }
450
451 let message = prehashed_message.finalize();
452 let expected_R = RCompute::<Sha512>::compute(self, signature, Some(ctx), &[&message]);
453
454 if expected_R == signature.R {
455 Ok(())
456 } else {
457 Err(InternalError::Verify.into())
458 }
459 }
460
461 /// Convert this verifying key into Montgomery form.
462 ///
463 /// This can be used for performing X25519 Diffie-Hellman using Ed25519 keys. The output of
464 /// this function is a valid X25519 public key whose secret key is `sk.to_scalar_bytes()`,
465 /// where `sk` is a valid signing key for this `VerifyingKey`.
466 ///
467 /// # Note
468 ///
469 /// We do NOT recommend this usage of a signing/verifying key. Signing keys are usually
470 /// long-term keys, while keys used for key exchange should rather be ephemeral. If you can
471 /// help it, use a separate key for encryption.
472 ///
473 /// For more information on the security of systems which use the same keys for both signing
474 /// and Diffie-Hellman, see the paper
475 /// [On using the same key pair for Ed25519 and an X25519 based KEM](https://eprint.iacr.org/2021/509).
476 pub fn to_montgomery(&self) -> MontgomeryPoint {
477 self.point.to_montgomery()
478 }
479
480 /// Return this verifying key in Edwards form.
481 pub fn to_edwards(&self) -> EdwardsPoint {
482 self.point
483 }
484}
485
486/// Helper for verification. Computes the _expected_ R component of the signature. The
487/// caller compares this to the real R component.
488/// This computes `H(R || A || M)` where `H` is the 512-bit hash function
489/// given by `CtxDigest` (this is SHA-512 in spec-compliant Ed25519).
490///
491/// For pre-hashed variants a `h` with the context already included can be provided.
492/// Note that this returns the compressed form of R and the caller does a byte comparison. This
493/// means that all our verification functions do not accept non-canonically encoded R values.
494/// See the validation criteria blog post for more details:
495/// https://hdevalence.ca/blog/2020-10-04-its-25519am
496pub(crate) struct RCompute<CtxDigest> {
497 key: VerifyingKey,
498 signature: InternalSignature,
499 h: CtxDigest,
500}
501
502#[allow(non_snake_case)]
503impl<CtxDigest> RCompute<CtxDigest>
504where
505 CtxDigest: Digest<OutputSize = U64>,
506{
507 /// If `prehash_ctx.is_some()`, this does the prehashed variant of the computation using its
508 /// contents.
509 pub(crate) fn compute(
510 key: &VerifyingKey,
511 signature: InternalSignature,
512 prehash_ctx: Option<&[u8]>,
513 message: &[&[u8]],
514 ) -> CompressedEdwardsY {
515 let mut c = Self::new(key, signature, prehash_ctx);
516 message.iter().for_each(|slice| c.update(slice));
517 c.finish()
518 }
519
520 pub(crate) fn new(
521 key: &VerifyingKey,
522 signature: InternalSignature,
523 prehash_ctx: Option<&[u8]>,
524 ) -> Self {
525 let R = &signature.R;
526 let A = &key.compressed;
527
528 let mut h = CtxDigest::new();
529 if let Some(c) = prehash_ctx {
530 h.update(b"SigEd25519 no Ed25519 collisions");
531 h.update([1]); // Ed25519ph
532 h.update([c.len() as u8]);
533 h.update(c);
534 }
535
536 h.update(R.as_bytes());
537 h.update(A.as_bytes());
538 Self {
539 key: *key,
540 signature,
541 h,
542 }
543 }
544
545 pub(crate) fn update(&mut self, m: &[u8]) {
546 self.h.update(m)
547 }
548
549 pub(crate) fn finish(self) -> CompressedEdwardsY {
550 let k = Scalar::from_hash(self.h);
551
552 let minus_A: EdwardsPoint = -self.key.point;
553 // Recall the (non-batched) verification equation: -[k]A + [s]B = R
554 EdwardsPoint::vartime_double_scalar_mul_basepoint(&k, &(minus_A), &self.signature.s)
555 .compress()
556 }
557}
558
559impl Verifier<ed25519::Signature> for VerifyingKey {
560 /// Verify a signature on a message with this keypair's public key.
561 ///
562 /// # Return
563 ///
564 /// Returns `Ok(())` if the signature is valid, and `Err` otherwise.
565 fn verify(&self, message: &[u8], signature: &ed25519::Signature) -> Result<(), SignatureError> {
566 self.multipart_verify(&[message], signature)
567 }
568}
569
570impl MultipartVerifier<ed25519::Signature> for VerifyingKey {
571 fn multipart_verify(
572 &self,
573 message: &[&[u8]],
574 signature: &ed25519::Signature,
575 ) -> Result<(), SignatureError> {
576 self.raw_verify::<Sha512>(message, signature)
577 }
578}
579
580/// Equivalent to [`VerifyingKey::verify_prehashed`] with `context` set to [`None`].
581#[cfg(feature = "digest")]
582impl<MsgDigest> DigestVerifier<MsgDigest, ed25519::Signature> for VerifyingKey
583where
584 MsgDigest: Digest<OutputSize = U64> + Update,
585{
586 fn verify_digest<F: Fn(&mut MsgDigest) -> Result<(), SignatureError>>(
587 &self,
588 f: F,
589 signature: &ed25519::Signature,
590 ) -> Result<(), SignatureError> {
591 let mut digest = MsgDigest::new();
592 f(&mut digest)?;
593 self.verify_prehashed(digest, None, signature)
594 }
595}
596
597/// Equivalent to [`VerifyingKey::verify_prehashed`] with `context` set to [`Some`]
598/// containing `self.value()`.
599#[cfg(feature = "digest")]
600impl<MsgDigest> DigestVerifier<MsgDigest, ed25519::Signature> for Context<'_, '_, VerifyingKey>
601where
602 MsgDigest: Digest<OutputSize = U64> + Update,
603{
604 fn verify_digest<F: Fn(&mut MsgDigest) -> Result<(), SignatureError>>(
605 &self,
606 f: F,
607 signature: &ed25519::Signature,
608 ) -> Result<(), SignatureError> {
609 let mut digest = MsgDigest::new();
610 f(&mut digest)?;
611 self.key()
612 .verify_prehashed(digest, Some(self.value()), signature)
613 }
614}
615
616impl TryFrom<&[u8]> for VerifyingKey {
617 type Error = SignatureError;
618
619 #[inline]
620 fn try_from(bytes: &[u8]) -> Result<Self, Self::Error> {
621 let bytes = bytes.try_into().map_err(|_| InternalError::BytesLength {
622 name: "VerifyingKey",
623 length: PUBLIC_KEY_LENGTH,
624 })?;
625 Self::from_bytes(bytes)
626 }
627}
628
629#[cfg(feature = "pkcs8")]
630impl pkcs8::spki::SignatureAlgorithmIdentifier for VerifyingKey {
631 type Params = pkcs8::spki::der::AnyRef<'static>;
632
633 const SIGNATURE_ALGORITHM_IDENTIFIER: pkcs8::spki::AlgorithmIdentifier<Self::Params> =
634 <ed25519::Signature as pkcs8::spki::AssociatedAlgorithmIdentifier>::ALGORITHM_IDENTIFIER;
635}
636
637impl From<VerifyingKey> for EdwardsPoint {
638 fn from(vk: VerifyingKey) -> EdwardsPoint {
639 vk.point
640 }
641}
642
643#[cfg(all(feature = "alloc", feature = "pkcs8"))]
644impl pkcs8::EncodePublicKey for VerifyingKey {
645 fn to_public_key_der(&self) -> pkcs8::spki::Result<pkcs8::Document> {
646 pkcs8::PublicKeyBytes::from(self).to_public_key_der()
647 }
648}
649
650#[cfg(feature = "pkcs8")]
651impl TryFrom<pkcs8::PublicKeyBytes> for VerifyingKey {
652 type Error = pkcs8::spki::Error;
653
654 fn try_from(pkcs8_key: pkcs8::PublicKeyBytes) -> pkcs8::spki::Result<Self> {
655 VerifyingKey::try_from(&pkcs8_key)
656 }
657}
658
659#[cfg(feature = "pkcs8")]
660impl TryFrom<&pkcs8::PublicKeyBytes> for VerifyingKey {
661 type Error = pkcs8::spki::Error;
662
663 fn try_from(pkcs8_key: &pkcs8::PublicKeyBytes) -> pkcs8::spki::Result<Self> {
664 VerifyingKey::from_bytes(pkcs8_key.as_ref()).map_err(|_| pkcs8::spki::Error::KeyMalformed)
665 }
666}
667
668#[cfg(feature = "pkcs8")]
669impl From<VerifyingKey> for pkcs8::PublicKeyBytes {
670 fn from(verifying_key: VerifyingKey) -> pkcs8::PublicKeyBytes {
671 pkcs8::PublicKeyBytes::from(&verifying_key)
672 }
673}
674
675#[cfg(feature = "pkcs8")]
676impl From<&VerifyingKey> for pkcs8::PublicKeyBytes {
677 fn from(verifying_key: &VerifyingKey) -> pkcs8::PublicKeyBytes {
678 pkcs8::PublicKeyBytes(verifying_key.to_bytes())
679 }
680}
681
682#[cfg(feature = "pkcs8")]
683impl TryFrom<pkcs8::spki::SubjectPublicKeyInfoRef<'_>> for VerifyingKey {
684 type Error = pkcs8::spki::Error;
685
686 fn try_from(public_key: pkcs8::spki::SubjectPublicKeyInfoRef<'_>) -> pkcs8::spki::Result<Self> {
687 pkcs8::PublicKeyBytes::try_from(public_key)?.try_into()
688 }
689}
690
691#[cfg(feature = "serde")]
692impl Serialize for VerifyingKey {
693 fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
694 where
695 S: Serializer,
696 {
697 serializer.serialize_bytes(&self.as_bytes()[..])
698 }
699}
700
701#[cfg(feature = "serde")]
702impl<'d> Deserialize<'d> for VerifyingKey {
703 fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
704 where
705 D: Deserializer<'d>,
706 {
707 struct VerifyingKeyVisitor;
708
709 impl<'de> serde::de::Visitor<'de> for VerifyingKeyVisitor {
710 type Value = VerifyingKey;
711
712 fn expecting(&self, formatter: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
713 write!(formatter, "An ed25519 verifying (public) key")
714 }
715
716 fn visit_bytes<E: serde::de::Error>(self, bytes: &[u8]) -> Result<Self::Value, E> {
717 VerifyingKey::try_from(bytes).map_err(E::custom)
718 }
719
720 fn visit_seq<A>(self, mut seq: A) -> Result<Self::Value, A::Error>
721 where
722 A: serde::de::SeqAccess<'de>,
723 {
724 let mut bytes = [0u8; 32];
725
726 #[allow(clippy::needless_range_loop)]
727 for i in 0..32 {
728 bytes[i] = seq
729 .next_element()?
730 .ok_or_else(|| serde::de::Error::invalid_length(i, &"expected 32 bytes"))?;
731 }
732
733 let remaining = (0..)
734 .map(|_| seq.next_element::<u8>())
735 .take_while(|el| matches!(el, Ok(Some(_))))
736 .count();
737
738 if remaining > 0 {
739 return Err(serde::de::Error::invalid_length(
740 32 + remaining,
741 &"expected 32 bytes",
742 ));
743 }
744
745 VerifyingKey::try_from(&bytes[..]).map_err(serde::de::Error::custom)
746 }
747 }
748
749 deserializer.deserialize_bytes(VerifyingKeyVisitor)
750 }
751}