EdDSA improvements

peterdettman · peterdettman · commit e6e1b652aa13 · 2022-11-17T10:43:15.000+07:00
- better guards on context values
- add verify method to public keys
diff --git a/core/src/main/java/org/bouncycastle/crypto/params/Ed25519PrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/Ed25519PrivateKeyParameters.java
@@ -102,11 +102,28 @@ public void sign(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen,
         }
         case Ed25519.Algorithm.Ed25519ctx:
         {
+            if (null == ctx)
+            {
+                throw new NullPointerException("'ctx' cannot be null");
+            }
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("ctx");
+            }
+
             Ed25519.sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff);
             break;
         }
         case Ed25519.Algorithm.Ed25519ph:
         {
+            if (null == ctx)
+            {
+                throw new NullPointerException("'ctx' cannot be null");
+            }
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("ctx");
+            }
             if (Ed25519.PREHASH_SIZE != msgLen)
             {
                 throw new IllegalArgumentException("msgLen");
diff --git a/core/src/main/java/org/bouncycastle/crypto/params/Ed25519PublicKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/Ed25519PublicKeyParameters.java
@@ -47,6 +47,56 @@ public byte[] getEncoded()
         return Arrays.clone(data);
     }
 
+    public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen, byte[] sig, int sigOff)
+    {
+        switch (algorithm)
+        {
+        case Ed25519.Algorithm.Ed25519:
+        {
+            if (null != ctx)
+            {
+                throw new IllegalArgumentException("ctx");
+            }
+
+            return Ed25519.verify(sig, sigOff, data, 0, msg, msgOff, msgLen);
+        }
+        case Ed25519.Algorithm.Ed25519ctx:
+        {
+            if (null == ctx)
+            {
+                throw new NullPointerException("'ctx' cannot be null");
+            }
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("ctx");
+            }
+
+            return Ed25519.verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen);
+        }
+        case Ed25519.Algorithm.Ed25519ph:
+        {
+            if (null == ctx)
+            {
+                throw new NullPointerException("'ctx' cannot be null");
+            }
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("ctx");
+            }
+            if (Ed25519.PREHASH_SIZE != msgLen)
+            {
+                throw new IllegalArgumentException("msgLen");
+            }
+
+            return Ed25519.verifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff);
+        }
+        default:
+        {
+            throw new IllegalArgumentException("algorithm");
+        }
+        }
+    }
+
     private static byte[] validate(byte[] buf)
     {
         if (buf.length != KEY_SIZE)
diff --git a/core/src/main/java/org/bouncycastle/crypto/params/Ed448PrivateKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/Ed448PrivateKeyParameters.java
@@ -92,11 +92,28 @@ public void sign(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen,
         {
         case Ed448.Algorithm.Ed448:
         {
+            if (null == ctx)
+            {
+                throw new NullPointerException("'ctx' cannot be null");
+            }
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("ctx");
+            }
+
             Ed448.sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff);
             break;
         }
         case Ed448.Algorithm.Ed448ph:
         {
+            if (null == ctx)
+            {
+                throw new NullPointerException("'ctx' cannot be null");
+            }
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("ctx");
+            }
             if (Ed448.PREHASH_SIZE != msgLen)
             {
                 throw new IllegalArgumentException("msgLen");
diff --git a/core/src/main/java/org/bouncycastle/crypto/params/Ed448PublicKeyParameters.java b/core/src/main/java/org/bouncycastle/crypto/params/Ed448PublicKeyParameters.java
@@ -47,6 +47,47 @@ public byte[] getEncoded()
         return Arrays.clone(data);
     }
 
+    public boolean verify(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen, byte[] sig, int sigOff)
+    {
+        switch (algorithm)
+        {
+        case Ed448.Algorithm.Ed448:
+        {
+            if (null == ctx)
+            {
+                throw new NullPointerException("'ctx' cannot be null");
+            }
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("ctx");
+            }
+
+            return Ed448.verify(sig, sigOff, data, 0, ctx, msg, msgOff, msgLen);
+        }
+        case Ed448.Algorithm.Ed448ph:
+        {
+            if (null == ctx)
+            {
+                throw new NullPointerException("'ctx' cannot be null");
+            }
+            if (ctx.length > 255)
+            {
+                throw new IllegalArgumentException("ctx");
+            }
+            if (Ed448.PREHASH_SIZE != msgLen)
+            {
+                throw new IllegalArgumentException("msgLen");
+            }
+
+            return Ed448.verifyPrehash(sig, sigOff, data, 0, ctx, msg, msgOff);
+        }
+        default:
+        {
+            throw new IllegalArgumentException("algorithm");
+        }
+        }
+    }
+
     private static byte[] validate(byte[] buf)
     {
         if (buf.length != KEY_SIZE)
diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/Ed25519Signer.java b/core/src/main/java/org/bouncycastle/crypto/signers/Ed25519Signer.java
@@ -78,7 +78,7 @@ public void reset()
         buffer.reset();
     }
 
-    private static class Buffer extends ByteArrayOutputStream
+    private static final class Buffer extends ByteArrayOutputStream
     {
         synchronized byte[] generateSignature(Ed25519PrivateKeyParameters privateKey)
         {
@@ -96,8 +96,7 @@ synchronized boolean verifySignature(Ed25519PublicKeyParameters publicKey, byte[
                 return false;
             }
 
-            byte[] pk = publicKey.getEncoded();
-            boolean result = Ed25519.verify(signature, 0, pk, 0, buf, 0, count);
+            boolean result = publicKey.verify(Ed25519.Algorithm.Ed25519, null, buf, 0, count, signature, 0);
             reset();
             return result;
         }
diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/Ed25519ctxSigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/Ed25519ctxSigner.java
@@ -22,6 +22,11 @@ public class Ed25519ctxSigner
 
     public Ed25519ctxSigner(byte[] context)
     {
+        if (null == context)
+        {
+            throw new NullPointerException("'context' cannot be null");
+        }
+
         this.context = Arrays.clone(context);
     }
 
@@ -80,7 +85,7 @@ public void reset()
         buffer.reset();
     }
 
-    private static class Buffer extends ByteArrayOutputStream
+    private static final class Buffer extends ByteArrayOutputStream
     {
         synchronized byte[] generateSignature(Ed25519PrivateKeyParameters privateKey, byte[] ctx)
         {
@@ -98,8 +103,7 @@ synchronized boolean verifySignature(Ed25519PublicKeyParameters publicKey, byte[
                 return false;
             }
 
-            byte[] pk = publicKey.getEncoded();
-            boolean result = Ed25519.verify(signature, 0, pk, 0, ctx, buf, 0, count);
+            boolean result = publicKey.verify(Ed25519.Algorithm.Ed25519ctx, ctx, buf, 0, count, signature, 0);            
             reset();
             return result;
         }
diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/Ed25519phSigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/Ed25519phSigner.java
@@ -21,6 +21,11 @@ public class Ed25519phSigner
 
     public Ed25519phSigner(byte[] context)
     {
+        if (null == context)
+        {
+            throw new NullPointerException("'context' cannot be null");
+        }
+
         this.context = Arrays.clone(context);
     }
 
@@ -84,8 +89,13 @@ public boolean verifySignature(byte[] signature)
             return false;
         }
 
-        byte[] pk = publicKey.getEncoded();
-        return Ed25519.verifyPrehash(signature, 0, pk, 0, context, prehash);
+        byte[] msg = new byte[Ed25519.PREHASH_SIZE];
+        if (Ed25519.PREHASH_SIZE != prehash.doFinal(msg, 0))
+        {
+            throw new IllegalStateException("Prehash digest failed");
+        }
+
+        return publicKey.verify(Ed25519.Algorithm.Ed25519ph, context, msg, 0, Ed25519.PREHASH_SIZE, signature, 0);
     }
 
     public void reset()
diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/Ed448Signer.java b/core/src/main/java/org/bouncycastle/crypto/signers/Ed448Signer.java
@@ -10,7 +10,6 @@
 import org.bouncycastle.math.ec.rfc8032.Ed448;
 import org.bouncycastle.util.Arrays;
 
-
 public class Ed448Signer
     implements Signer
 {
@@ -23,6 +22,11 @@ public class Ed448Signer
 
     public Ed448Signer(byte[] context)
     {
+        if (null == context)
+        {
+            throw new NullPointerException("'context' cannot be null");
+        }
+        
         this.context = Arrays.clone(context);
     }
 
@@ -81,7 +85,7 @@ public void reset()
         buffer.reset();
     }
 
-    private static class Buffer extends ByteArrayOutputStream
+    private static final class Buffer extends ByteArrayOutputStream
     {
         synchronized byte[] generateSignature(Ed448PrivateKeyParameters privateKey, byte[] ctx)
         {
@@ -99,8 +103,7 @@ synchronized boolean verifySignature(Ed448PublicKeyParameters publicKey, byte[]
                 return false;
             }
 
-            byte[] pk = publicKey.getEncoded();
-            boolean result = Ed448.verify(signature, 0, pk, 0, ctx, buf, 0, count);
+            boolean result = publicKey.verify(Ed448.Algorithm.Ed448, ctx, buf, 0, count, signature, 0);
             reset();
             return result;
         }
diff --git a/core/src/main/java/org/bouncycastle/crypto/signers/Ed448phSigner.java b/core/src/main/java/org/bouncycastle/crypto/signers/Ed448phSigner.java
@@ -21,6 +21,11 @@ public class Ed448phSigner
 
     public Ed448phSigner(byte[] context)
     {
+        if (null == context)
+        {
+            throw new NullPointerException("'context' cannot be null");
+        }
+
         this.context = Arrays.clone(context);
     }
 
@@ -84,8 +89,13 @@ public boolean verifySignature(byte[] signature)
             return false;
         }
 
-        byte[] pk = publicKey.getEncoded();
-        return Ed448.verifyPrehash(signature, 0, pk, 0, context, prehash);
+        byte[] msg = new byte[Ed448.PREHASH_SIZE];
+        if (Ed448.PREHASH_SIZE != prehash. doFinal(msg, 0, Ed448.PREHASH_SIZE))
+        {
+            throw new IllegalStateException("Prehash digest failed");
+        }
+
+        return publicKey.verify(Ed448.Algorithm.Ed448ph, context, msg, 0, Ed448.PREHASH_SIZE, signature, 0);
     }
 
     public void reset()
diff --git a/core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed25519.java b/core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed25519.java
@@ -202,6 +202,11 @@ private static int checkPoint(int[] x, int[] y, int[] z)
 
     private static boolean checkPointVar(byte[] p)
     {
+        if ((decode32(p, 28) & 0x7FFFFFFF) < P[7])
+        {
+            return true;
+        }
+
         int[] t = new int[COORD_INTS];
         decode32(p, 0, t, 0, COORD_INTS);
         t[COORD_INTS - 1] &= 0x7FFFFFFF;
@@ -223,7 +228,12 @@ private static byte[] copy(byte[] buf, int off, int len)
 
     private static Digest createDigest()
     {
-        return new SHA512Digest();
+        Digest d = new SHA512Digest();
+        if (d.getDigestSize() != 64)
+        {
+            throw new IllegalStateException();
+        }
+        return d;
     }
 
     public static Digest createPrehash()
@@ -369,7 +379,7 @@ public static void generatePrivateKey(SecureRandom random, byte[] k)
     public static void generatePublicKey(byte[] sk, int skOff, byte[] pk, int pkOff)
     {
         Digest d = createDigest();
-        byte[] h = new byte[d.getDigestSize()];
+        byte[] h = new byte[64];
 
         d.update(sk, skOff, SECRET_KEY_SIZE);
         d.doFinal(h, 0);
@@ -470,7 +480,7 @@ private static void implSign(byte[] sk, int skOff, byte[] ctx, byte phflag, byte
         }
 
         Digest d = createDigest();
-        byte[] h = new byte[d.getDigestSize()];
+        byte[] h = new byte[64];
 
         d.update(sk, skOff, SECRET_KEY_SIZE);
         d.doFinal(h, 0);
@@ -493,7 +503,7 @@ private static void implSign(byte[] sk, int skOff, byte[] pk, int pkOff, byte[]
         }
 
         Digest d = createDigest();
-        byte[] h = new byte[d.getDigestSize()];
+        byte[] h = new byte[64];
 
         d.update(sk, skOff, SECRET_KEY_SIZE);
         d.doFinal(h, 0);
@@ -533,7 +543,7 @@ private static boolean implVerify(byte[] sig, int sigOff, byte[] pk, int pkOff,
         }
 
         Digest d = createDigest();
-        byte[] h = new byte[d.getDigestSize()];
+        byte[] h = new byte[64];
 
         dom2(d, phflag, ctx);
         d.update(R, 0, POINT_BYTES);
diff --git a/core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed448.java b/core/src/main/java/org/bouncycastle/math/ec/rfc8032/Ed448.java
@@ -171,6 +171,10 @@ private static boolean checkPointVar(byte[] p)
         {
             return false;
         }
+        if (decode32(p, 52) != P[13])
+        {
+            return true;
+        }
 
         int[] t = new int[COORD_INTS];
         decode32(p, 0, t, 0, COORD_INTS);
diff --git a/core/src/test/java/org/bouncycastle/math/ec/rfc8032/test/Ed25519Test.java b/core/src/test/java/org/bouncycastle/math/ec/rfc8032/test/Ed25519Test.java
diff --git a/core/src/test/java/org/bouncycastle/math/ec/rfc8032/test/Ed448Test.java b/core/src/test/java/org/bouncycastle/math/ec/rfc8032/test/Ed448Test.java

Original file line number	Diff line number	Diff line change
`@@ -102,11 +102,28 @@ public void sign(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen,`
`102`	`102`	`}`
`103`	`103`	`case Ed25519.Algorithm.Ed25519ctx:`
`104`	`104`	`{`
	`105`	`+ if (null == ctx)`
	`106`	`+ {`
	`107`	`+ throw new NullPointerException("'ctx' cannot be null");`
	`108`	`+ }`
	`109`	`+ if (ctx.length > 255)`
	`110`	`+ {`
	`111`	`+ throw new IllegalArgumentException("ctx");`
	`112`	`+ }`
	`113`	`+`
`105`	`114`	`Ed25519.sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff);`
`106`	`115`	`break;`
`107`	`116`	`}`
`108`	`117`	`case Ed25519.Algorithm.Ed25519ph:`
`109`	`118`	`{`
	`119`	`+ if (null == ctx)`
	`120`	`+ {`
	`121`	`+ throw new NullPointerException("'ctx' cannot be null");`
	`122`	`+ }`
	`123`	`+ if (ctx.length > 255)`
	`124`	`+ {`
	`125`	`+ throw new IllegalArgumentException("ctx");`
	`126`	`+ }`
`110`	`127`	`if (Ed25519.PREHASH_SIZE != msgLen)`
`111`	`128`	`{`
`112`	`129`	`throw new IllegalArgumentException("msgLen");`
Original file line number	Diff line number	Diff line change
`@@ -92,11 +92,28 @@ public void sign(int algorithm, byte[] ctx, byte[] msg, int msgOff, int msgLen,`
`92`	`92`	`{`
`93`	`93`	`case Ed448.Algorithm.Ed448:`
`94`	`94`	`{`
	`95`	`+ if (null == ctx)`
	`96`	`+ {`
	`97`	`+ throw new NullPointerException("'ctx' cannot be null");`
	`98`	`+ }`
	`99`	`+ if (ctx.length > 255)`
	`100`	`+ {`
	`101`	`+ throw new IllegalArgumentException("ctx");`
	`102`	`+ }`
	`103`	`+`
`95`	`104`	`Ed448.sign(data, 0, pk, 0, ctx, msg, msgOff, msgLen, sig, sigOff);`
`96`	`105`	`break;`
`97`	`106`	`}`
`98`	`107`	`case Ed448.Algorithm.Ed448ph:`
`99`	`108`	`{`
	`109`	`+ if (null == ctx)`
	`110`	`+ {`
	`111`	`+ throw new NullPointerException("'ctx' cannot be null");`
	`112`	`+ }`
	`113`	`+ if (ctx.length > 255)`
	`114`	`+ {`
	`115`	`+ throw new IllegalArgumentException("ctx");`
	`116`	`+ }`
`100`	`117`	`if (Ed448.PREHASH_SIZE != msgLen)`
`101`	`118`	`{`
`102`	`119`	`throw new IllegalArgumentException("msgLen");`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,7 @@ public void reset()`
`78`	`78`	`buffer.reset();`
`79`	`79`	`}`
`80`	`80`
`81`		`- private static class Buffer extends ByteArrayOutputStream`
	`81`	`+ private static final class Buffer extends ByteArrayOutputStream`
`82`	`82`	`{`
`83`	`83`	`synchronized byte[] generateSignature(Ed25519PrivateKeyParameters privateKey)`
`84`	`84`	`{`
`@@ -96,8 +96,7 @@ synchronized boolean verifySignature(Ed25519PublicKeyParameters publicKey, byte[`
`96`	`96`	`return false;`
`97`	`97`	`}`
`98`	`98`
`99`		`- byte[] pk = publicKey.getEncoded();`
`100`		`- boolean result = Ed25519.verify(signature, 0, pk, 0, buf, 0, count);`
	`99`	`+ boolean result = publicKey.verify(Ed25519.Algorithm.Ed25519, null, buf, 0, count, signature, 0);`
`101`	`100`	`reset();`
`102`	`101`	`return result;`
`103`	`102`	`}`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,11 @@ public class Ed25519ctxSigner`
`22`	`22`
`23`	`23`	`public Ed25519ctxSigner(byte[] context)`
`24`	`24`	`{`
	`25`	`+ if (null == context)`
	`26`	`+ {`
	`27`	`+ throw new NullPointerException("'context' cannot be null");`
	`28`	`+ }`
	`29`	`+`
`25`	`30`	`this.context = Arrays.clone(context);`
`26`	`31`	`}`
`27`	`32`
`@@ -80,7 +85,7 @@ public void reset()`
`80`	`85`	`buffer.reset();`
`81`	`86`	`}`
`82`	`87`
`83`		`- private static class Buffer extends ByteArrayOutputStream`
	`88`	`+ private static final class Buffer extends ByteArrayOutputStream`
`84`	`89`	`{`
`85`	`90`	`synchronized byte[] generateSignature(Ed25519PrivateKeyParameters privateKey, byte[] ctx)`
`86`	`91`	`{`
`@@ -98,8 +103,7 @@ synchronized boolean verifySignature(Ed25519PublicKeyParameters publicKey, byte[`
`98`	`103`	`return false;`
`99`	`104`	`}`
`100`	`105`
`101`		`- byte[] pk = publicKey.getEncoded();`
`102`		`- boolean result = Ed25519.verify(signature, 0, pk, 0, ctx, buf, 0, count);`
	`106`	`+ boolean result = publicKey.verify(Ed25519.Algorithm.Ed25519ctx, ctx, buf, 0, count, signature, 0);`
`103`	`107`	`reset();`
`104`	`108`	`return result;`
`105`	`109`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,11 @@ public class Ed25519phSigner`
`21`	`21`
`22`	`22`	`public Ed25519phSigner(byte[] context)`
`23`	`23`	`{`
	`24`	`+ if (null == context)`
	`25`	`+ {`
	`26`	`+ throw new NullPointerException("'context' cannot be null");`
	`27`	`+ }`
	`28`	`+`
`24`	`29`	`this.context = Arrays.clone(context);`
`25`	`30`	`}`
`26`	`31`
`@@ -84,8 +89,13 @@ public boolean verifySignature(byte[] signature)`
`84`	`89`	`return false;`
`85`	`90`	`}`
`86`	`91`
`87`		`- byte[] pk = publicKey.getEncoded();`
`88`		`- return Ed25519.verifyPrehash(signature, 0, pk, 0, context, prehash);`
	`92`	`+ byte[] msg = new byte[Ed25519.PREHASH_SIZE];`
	`93`	`+ if (Ed25519.PREHASH_SIZE != prehash.doFinal(msg, 0))`
	`94`	`+ {`
	`95`	`+ throw new IllegalStateException("Prehash digest failed");`
	`96`	`+ }`
	`97`	`+`
	`98`	`+ return publicKey.verify(Ed25519.Algorithm.Ed25519ph, context, msg, 0, Ed25519.PREHASH_SIZE, signature, 0);`
`89`	`99`	`}`
`90`	`100`
`91`	`101`	`public void reset()`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,6 @@`
`10`	`10`	`import org.bouncycastle.math.ec.rfc8032.Ed448;`
`11`	`11`	`import org.bouncycastle.util.Arrays;`
`12`	`12`
`13`		`-`
`14`	`13`	`public class Ed448Signer`
`15`	`14`	`implements Signer`
`16`	`15`	`{`
`@@ -23,6 +22,11 @@ public class Ed448Signer`
`23`	`22`
`24`	`23`	`public Ed448Signer(byte[] context)`
`25`	`24`	`{`
	`25`	`+ if (null == context)`
	`26`	`+ {`
	`27`	`+ throw new NullPointerException("'context' cannot be null");`
	`28`	`+ }`
	`29`	`+`
`26`	`30`	`this.context = Arrays.clone(context);`
`27`	`31`	`}`
`28`	`32`
`@@ -81,7 +85,7 @@ public void reset()`
`81`	`85`	`buffer.reset();`
`82`	`86`	`}`
`83`	`87`
`84`		`- private static class Buffer extends ByteArrayOutputStream`
	`88`	`+ private static final class Buffer extends ByteArrayOutputStream`
`85`	`89`	`{`
`86`	`90`	`synchronized byte[] generateSignature(Ed448PrivateKeyParameters privateKey, byte[] ctx)`
`87`	`91`	`{`
`@@ -99,8 +103,7 @@ synchronized boolean verifySignature(Ed448PublicKeyParameters publicKey, byte[]`
`99`	`103`	`return false;`
`100`	`104`	`}`
`101`	`105`
`102`		`- byte[] pk = publicKey.getEncoded();`
`103`		`- boolean result = Ed448.verify(signature, 0, pk, 0, ctx, buf, 0, count);`
	`106`	`+ boolean result = publicKey.verify(Ed448.Algorithm.Ed448, ctx, buf, 0, count, signature, 0);`
`104`	`107`	`reset();`
`105`	`108`	`return result;`
`106`	`109`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,11 @@ public class Ed448phSigner`
`21`	`21`
`22`	`22`	`public Ed448phSigner(byte[] context)`
`23`	`23`	`{`
	`24`	`+ if (null == context)`
	`25`	`+ {`
	`26`	`+ throw new NullPointerException("'context' cannot be null");`
	`27`	`+ }`
	`28`	`+`
`24`	`29`	`this.context = Arrays.clone(context);`
`25`	`30`	`}`
`26`	`31`
`@@ -84,8 +89,13 @@ public boolean verifySignature(byte[] signature)`
`84`	`89`	`return false;`
`85`	`90`	`}`
`86`	`91`
`87`		`- byte[] pk = publicKey.getEncoded();`
`88`		`- return Ed448.verifyPrehash(signature, 0, pk, 0, context, prehash);`
	`92`	`+ byte[] msg = new byte[Ed448.PREHASH_SIZE];`
	`93`	`+ if (Ed448.PREHASH_SIZE != prehash. doFinal(msg, 0, Ed448.PREHASH_SIZE))`
	`94`	`+ {`
	`95`	`+ throw new IllegalStateException("Prehash digest failed");`
	`96`	`+ }`
	`97`	`+`
	`98`	`+ return publicKey.verify(Ed448.Algorithm.Ed448ph, context, msg, 0, Ed448.PREHASH_SIZE, signature, 0);`
`89`	`99`	`}`
`90`	`100`
`91`	`101`	`public void reset()`