[crypto] Add functions to convert ed25519 keys to curve25519 (#40)

lhchavez · web-flow · commit 9801aa3d47b1 · 2025-09-18T22:20:01.000-07:00
[paserk] Add functions to convert ed25519 keys to curve25519 https://libsodium.gitbook.io/doc/advanced/ed25519-curve25519 has a nice algorithm (with a proof!) that says that it is possible to use an ed25119 key (used for signature) and make it a curve25519 (used for asymmetric encryption). This change adds two new functions that achieve this.
diff --git a/.semaphore/semaphore.yml b/.semaphore/semaphore.yml
@@ -29,10 +29,10 @@ blocks:
         commands:
           - checkout
           - ./scripts/install_codecov.sh
-          - sem-version go 1.17
+          - sem-version go 1.22
           - go mod download
       jobs:
         - name: run tests
           commands:
             - go test -cover -covermode=atomic -coverprofile coverage.out
-    dependencies: []
+    dependencies: []
diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/replit/go-replidentity
 go 1.17
 
 require (
+	filippo.io/edwards25519 v1.1.0
 	github.com/o1egl/paseto v1.0.0
 	github.com/stretchr/testify v1.8.0
 	golang.org/x/crypto v0.35.0
diff --git a/go.sum b/go.sum
@@ -1,3 +1,5 @@
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=
 github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=
 github.com/aead/chacha20poly1305 v0.0.0-20170617001512-233f39982aeb h1:6Z/wqhPFZ7y5ksCEV/V5MXOazLaeu/EW97CU5rz8NWk=
diff --git a/identity_test.go b/identity_test.go
@@ -61,7 +61,7 @@ func Example() {
 	)
 }
 
-func ExampleRenew() {
+func ExampleVerifyRenewIdentity() {
 	identity := os.Getenv("REPL_RENEWAL")
 	if identity == "" {
 		fmt.Println("Sorry, this repl does not yet have an identity (anonymous run?).")
diff --git a/keys.go b/keys.go
@@ -0,0 +1,34 @@
+package replidentity
+
+import (
+	"crypto/ed25519"
+	"crypto/sha512"
+
+	"filippo.io/edwards25519"
+	"golang.org/x/crypto/curve25519"
+)
+
+// ed25519PrivateKeyToCurve25519 converts a ed25519 private key in X25519 equivalent
+// source: https://github.com/FiloSottile/age/blob/980763a16e30ea5c285c271344d2202fcb18c33b/agessh/agessh.go#L287
+func Ed25519PrivateKeyToCurve25519(pk ed25519.PrivateKey) [32]byte {
+	h := sha512.New()
+	h.Write(pk.Seed())
+	out := h.Sum(nil)
+	var res [curve25519.ScalarSize]byte
+	copy(res[:], out[:curve25519.ScalarSize])
+	return res
+}
+
+// ed25519PublicKeyToCurve25519 converts a ed25519 public key in X25519 equivalent
+// source: https://github.com/FiloSottile/age/blob/main/agessh/agessh.go#L190
+func Ed25519PublicKeyToCurve25519(pk ed25519.PublicKey) ([32]byte, error) {
+	// See https://blog.filippo.io/using-ed25519-keys-for-encryption and
+	// https://pkg.go.dev/filippo.io/edwards25519#Point.BytesMontgomery.
+	p, err := new(edwards25519.Point).SetBytes(pk)
+	var res [curve25519.ScalarSize]byte
+	if err != nil {
+		return res, err
+	}
+	copy(res[:], p.BytesMontgomery())
+	return res, nil
+}
diff --git a/keys_test.go b/keys_test.go
@@ -0,0 +1,35 @@
+package replidentity
+
+import (
+	"crypto/ed25519"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	// https://github.com/jedisct1/libsodium/blob/09e995c0c85a0026510704b8ce7f5867a09a3841/test/default/ed25519_convert.c#L5
+	seed = []byte{
+		0x42, 0x11, 0x51, 0xa4, 0x59, 0xfa, 0xea, 0xde, 0x3d, 0x24, 0x71, 0x15, 0xf9, 0x4a, 0xed, 0xae,
+		0x42, 0x31, 0x81, 0x24, 0x09, 0x5a, 0xfa, 0xbe, 0x4d, 0x14, 0x51, 0xa5, 0x59, 0xfa, 0xed, 0xee,
+	}
+)
+
+func TestEd25519PrivateKeyToCurve25519(t *testing.T) {
+	privateKey := ed25519.NewKeyFromSeed(seed)
+
+	privateCurve := Ed25519PrivateKeyToCurve25519(privateKey)
+	// https://github.com/jedisct1/libsodium/blob/09e995c0c85a0026510704b8ce7f5867a09a3841/test/default/ed25519_convert.c#L36
+	assert.Equal(t, privateCurve, [32]byte{
+		0x82, 0x52, 0x03, 0x03, 0x76, 0xd4, 0x71, 0x12, 0xbe, 0x7f, 0x73, 0xed, 0x7a, 0x01, 0x92, 0x93,
+		0xdd, 0x12, 0xad, 0x91, 0x0b, 0x65, 0x44, 0x55, 0x79, 0x8b, 0x46, 0x67, 0xd7, 0x3d, 0xe1, 0xe6,
+	})
+	publicCurve, err := Ed25519PublicKeyToCurve25519(privateKey.Public().(ed25519.PublicKey))
+	require.NoError(t, err)
+	// https://github.com/jedisct1/libsodium/blob/09e995c0c85a0026510704b8ce7f5867a09a3841/test/default/ed25519_convert.c#L35
+	assert.Equal(t, publicCurve, [32]byte{
+		0xf1, 0x81, 0x4f, 0x0e, 0x8f, 0xf1, 0x04, 0x3d, 0x8a, 0x44, 0xd2, 0x5b, 0xab, 0xff, 0x3c, 0xed,
+		0xca, 0xe6, 0xc2, 0x2c, 0x3e, 0xda, 0xa4, 0x8f, 0x85, 0x7a, 0xe7, 0x0d, 0xe2, 0xba, 0xae, 0x50,
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=`
	`2`	`+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=`
`1`	`3`	`github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da h1:KjTM2ks9d14ZYCvmHS9iAKVt9AyzRSqNU1qabPih5BY=`
`2`	`4`	`github.com/aead/chacha20 v0.0.0-20180709150244-8b13a72661da/go.mod h1:eHEWzANqSiWQsof+nXEI9bUVUyV6F53Fp89EuCh2EAA=`
`3`	`5`	`github.com/aead/chacha20poly1305 v0.0.0-20170617001512-233f39982aeb h1:6Z/wqhPFZ7y5ksCEV/V5MXOazLaeu/EW97CU5rz8NWk=`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ func Example() {`
`61`	`61`	`)`
`62`	`62`	`}`
`63`	`63`
`64`		`-func ExampleRenew() {`
	`64`	`+func ExampleVerifyRenewIdentity() {`
`65`	`65`	`identity := os.Getenv("REPL_RENEWAL")`
`66`	`66`	`if identity == "" {`
`67`	`67`	`fmt.Println("Sorry, this repl does not yet have an identity (anonymous run?).")`