Merge pull request #23 from str4d/downstream-tweaks

Pull in changes from I2P

Author: str4d

src/net/i2p/crypto/eddsa/EdDSAEngine.java

@@ -44,7 +44,7 @@
  *Option 1:
  *</p><ol>
  *<li>Call initSign() or initVerify() as usual.
- *</li><li>Call setParameter(ONE_SHOT_MOE)
+ *</li><li>Call setParameter(ONE_SHOT_MODE)
  *</li><li>Call update(byte[]) or update(byte[], int, int) exactly once
  *</li><li>Call sign() or verify() as usual.
  *</li><li>If doing additional one-shot signs or verifies with this object, you must

src/net/i2p/crypto/eddsa/EdDSAPrivateKey.java

@@ -96,6 +96,9 @@ public String getFormat() {
      *  This will hopefully be clarified in the next draft.
      *  But sun.security.pkcs.PKCS8Key expects them so we must include them for keytool to work.
      *
+     *  This encodes the seed. It will return null if constructed from
+     *  a spec which was directly constructed from H, in which case seed is null.
+     *
      *  @return 49 bytes for Ed25519, null for other curves
      */
     public byte[] getEncoded() {
@@ -178,22 +181,38 @@ public EdDSAParameterSpec getParams() {
         return edDsaSpec;
     }
 
+    /**
+     *  @return will be null if constructed from a spec which was
+     *          directly constructed from H
+     */
     public byte[] getSeed() {
         return seed;
     }
 
+    /**
+     *  @return the hash of the seed
+     */
     public byte[] getH() {
         return h;
     }
 
+    /**
+     *  @return the private key
+     */
     public byte[] geta() {
         return a;
     }
 
+    /**
+     *  @return the public key
+     */
     public GroupElement getA() {
         return A;
     }
 
+    /**
+     *  @return the public key
+     */
     public byte[] getAbyte() {
         return Abyte;
     }

src/net/i2p/crypto/eddsa/math/Constants.java

@@ -13,7 +13,7 @@
 
 import net.i2p.crypto.eddsa.Utils;
 
-public class Constants {
+final class Constants {
     public static final byte[] ZERO = Utils.hexToBytes("0000000000000000000000000000000000000000000000000000000000000000");
     public static final byte[] ONE = Utils.hexToBytes("0100000000000000000000000000000000000000000000000000000000000000");
     public static final byte[] TWO = Utils.hexToBytes("0200000000000000000000000000000000000000000000000000000000000000");

src/net/i2p/crypto/eddsa/math/bigint/BigIntegerLittleEndianEncoding.java

@@ -40,8 +40,11 @@ public byte[] encode(FieldElement x) {
      *  Constant time.
      *
      *  @return array of length b/8
+     *  @throws IllegalStateException if field not set
      */
     public byte[] encode(BigInteger x) {
+        if (f == null)
+            throw new IllegalStateException("field not set");
         byte[] in = x.toByteArray();
         byte[] out = new byte[f.getb()/8];
         for (int i = 0; i < in.length; i++) {
@@ -53,7 +56,18 @@ public byte[] encode(BigInteger x) {
         return out;
     }
 
+    /**
+     *  Decode a FieldElement from its (b-1)-bit encoding.
+     *  The highest bit is masked out.
+     *
+     *  @param in the (b-1)-bit encoding of a FieldElement.
+     *  @return the FieldElement represented by 'val'.
+     *  @throws IllegalStateException if field not set
+     *  @throws IllegalArgumentException if encoding is invalid
+     */
     public FieldElement decode(byte[] in) {
+        if (f == null)
+            throw new IllegalStateException("field not set");
         if (in.length != f.getb()/8)
             throw new IllegalArgumentException("Not a valid encoding");
         return new BigIntegerFieldElement(f, toBigInteger(in).and(mask));

src/net/i2p/crypto/eddsa/spec/EdDSAParameterSpec.java

@@ -65,6 +65,9 @@ public ScalarOps getScalarOps() {
         return sc;
     }
 
+    /**
+     *  @return the base (generator)
+     */
     public GroupElement getB() {
         return B;
     }

src/net/i2p/crypto/eddsa/spec/EdDSAPrivateKeySpec.java

@@ -60,26 +60,59 @@ public EdDSAPrivateKeySpec(byte[] seed, EdDSAParameterSpec spec) {
         }
     }
 
+    /**
+     *  Initialize directly from the hash.
+     *  getSeed() will return null if this constructor is used.
+     *
+     *  @param h the private key
+     *  @since 0.1.1
+     */
+    public EdDSAPrivateKeySpec(EdDSAParameterSpec spec, byte[] h) {
+	this.seed = null;
+	this.h = h;
+	this.spec = spec;
+	int b = spec.getCurve().getField().getb();
+
+        h[0] &= 248;
+        h[(b/8)-1] &= 63;
+        h[(b/8)-1] |= 64;
+        a = Arrays.copyOfRange(h, 0, b/8);
+
+        A = spec.getB().scalarMultiply(a);
+    }
+
     public EdDSAPrivateKeySpec(byte[] seed, byte[] h, byte[] a, GroupElement A, EdDSAParameterSpec spec) {
         this.seed = seed;
         this.h = h;
         this.a = a;
         this.A = A;
-        this.spec = spec;        
+        this.spec = spec;
     }
 
+    /**
+     *  @return will be null if constructed directly from the private key
+     */
     public byte[] getSeed() {
         return seed;
     }
 
+    /**
+     *  @return the hash
+     */
     public byte[] getH() {
         return h;
     }
 
+    /**
+     *  @return the private key
+     */
     public byte[] geta() {
         return a;
     }
 
+    /**
+     *  @return the public key
+     */
     public GroupElement getA() {
         return A;
     }

test/net/i2p/crypto/eddsa/spec/EdDSAPrivateKeySpecTest.java

@@ -23,6 +23,7 @@
  */
 public class EdDSAPrivateKeySpecTest {
     static final byte[] ZERO_SEED = Utils.hexToBytes("0000000000000000000000000000000000000000000000000000000000000000");
+    static final byte[] ZERO_H = Utils.hexToBytes("5046adc1dba838867b2bbbfdd0c3423e58b57970b5267a90f57960924a87f1960a6a85eaa642dac835424b5d7c8d637c00408c7a73da672b7f498521420b6dd3");
     static final byte[] ZERO_PK = Utils.hexToBytes("3b6a27bcceb6a42d62a3a8d02a6f0d73653215771de243a63ac048a18b59da29");
 
     static final EdDSANamedCurveSpec ed25519 = EdDSANamedCurveTable.getByName("ed25519-sha-512");
@@ -34,6 +35,18 @@ public class EdDSAPrivateKeySpecTest {
     public void testEdDSAPrivateKeySpecFromSeed() {
         EdDSAPrivateKeySpec key = new EdDSAPrivateKeySpec(ZERO_SEED, ed25519);
         assertThat(key.getSeed(), is(equalTo(ZERO_SEED)));
+        assertThat(key.getH(), is(equalTo(ZERO_H)));
+        assertThat(key.getA().toByteArray(), is(equalTo(ZERO_PK)));
+    }
+
+    /**
+     * Test method for {@link net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec#EdDSAPrivateKeySpec(net.i2p.crypto.eddsa.spec.EdDSAParameterSpec, byte[])}.
+     */
+    @Test
+    public void testEdDSAPrivateKeySpecFromH() {
+        EdDSAPrivateKeySpec key = new EdDSAPrivateKeySpec(ed25519, ZERO_H);
+        assertThat(key.getSeed(), is(nullValue()));
+        assertThat(key.getH(), is(equalTo(ZERO_H)));
         assertThat(key.getA().toByteArray(), is(equalTo(ZERO_PK)));
     }