fixed

deatil · deatil · commit e6ffd91417f6 · 2025-11-18T01:40:09.000+08:00
diff --git a/elliptic/ed521/ed521_curves.go b/elliptic/ed521/ed521_curves.go
@@ -13,18 +13,18 @@ func initAll() {
 func initE521() {
     ed521 = &Ed521Curve{
         Name:    "Ed521",
-        P:       bigFromHex("1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"),
-        N:       bigFromHex("7ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd15b6c64746fc85f736b8af5e7ec53f04fbd8c4569a8f1f4540ea2435f5180d6b"),
-        D:       bigFromHex("1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa4331"),
-        Gx:      bigFromHex("752cb45c48648b189df90cb2296b2878a3bfd9f42fc6c818ec8bf3c9c0c6203913f6ecc5ccc72434b1ae949d568fc99c6059d0fb13364838aa302a940a2f19ba6c"),
-        Gy:      bigFromHex("0c"),
+        P:       bigFromDec("6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151"),
+        N:       bigFromDec("1716199415032652428745475199770348304317358825035826352348615864796385795849413675475876651663657849636693659065234142604319282948702542317993421293670108523"),
+        D:       bigFromDec("-376014"),
+        Gx:      bigFromDec("1571054894184995387535939749894317568645297350402905821437625181152304994381188529632591196067604100772673927915114267193389905003276673749012051148356041324"),
+        Gy:      bigFromDec("12"),
         BitSize: 521,
     }
 }
 
-func bigFromHex(s string) (i *big.Int) {
+func bigFromDec(s string) (i *big.Int) {
     i = new(big.Int)
-    i.SetString(s, 16)
+    i.SetString(s, 10)
 
     return
 }
diff --git a/elliptic/ed521/ed521_test.go b/elliptic/ed521/ed521_test.go
@@ -144,3 +144,21 @@ func Test_MarshalCompressed(t *testing.T) {
     cryptobin_test.Equal(t, a1, x)
     cryptobin_test.Equal(t, b1, y)
 }
+
+func Test_MarshalPoint(t *testing.T) {
+    a1 := bigintFromHex("135e8ba63870ade80365ee6b6832d971a83c8519310bed795809637bd61e4d54676d0823d7a95d26291be2742994d833b16d306dcea0574b57924aac6b62552ef81")
+    b1 := bigintFromHex("d6e622c17fb2723b47ef82f0a704694689c96c5cc12f24b42a735b89283c6bd47fe0596dff8841603414b8b3a5c681d72750e03a807f6668a008738876e2f1fcde")
+
+    m := MarshalPoint(ED521(), a1, b1)
+
+    m2 := fmt.Sprintf("%x", m)
+    mcheck := "defcf1e276887308a068667f803ae05027d781c6a5b3b81434604188ff6d59e07fd46b3c28895b732ab4242fc15c6cc989466904a7f082ef473b72b27fc122e6d680"
+
+    cryptobin_test.Equal(t, mcheck, m2)
+
+    mcheck2 := bigintFromHex(mcheck).Bytes()
+
+    x, y := UnmarshalPoint(ED521(), mcheck2)
+    cryptobin_test.Equal(t, a1, x)
+    cryptobin_test.Equal(t, b1, y)
+}
diff --git a/elliptic/ed521/params.go b/elliptic/ed521/params.go
@@ -252,6 +252,42 @@ func (curve *Ed521Curve) UnmarshalCompressed(data []byte) (x, y *big.Int) {
     return
 }
 
+func (curve *Ed521Curve) UnmarshalPoint(data []byte) (x, y *big.Int) {
+    byteLen := (curve.BitSize + 7) / 8
+    if len(data) != byteLen {
+        return
+    }
+
+    size := len(data)
+    eP := make([]byte, size)
+    copy(eP, data)
+
+    sign := eP[size-1] & 0x80
+    eP[size - 1] &= 0x7F // got 0x7F = ~0x80
+
+    eP = Reverse(eP)
+
+    p := curve.Params().P
+    y = new(big.Int).SetBytes(eP)
+    if y.Cmp(p) >= 0 {
+        return
+    }
+
+    // x² = (y² - 1) / (dy² - 1)
+    x = curve.polynomial(y)
+    x = x.ModSqrt(x, curve.P)
+    if x == nil {
+        return
+    }
+
+    if byte(sign) != data[0]&1 {
+        x.Sub(p, x)
+        x.Mod(x, p)
+    }
+
+    return
+}
+
 func Marshal(curve elliptic.Curve, x, y *big.Int) []byte {
     panicIfNotOnCurve(curve, x, y)
 
@@ -295,6 +331,34 @@ func UnmarshalCompressed(curve elliptic.Curve, data []byte) (*big.Int, *big.Int)
     return nil, nil
 }
 
+func MarshalPoint(curve elliptic.Curve, x, y *big.Int) []byte {
+    panicIfNotOnCurve(curve, x, y)
+
+    byteLen := (curve.Params().BitSize + 7) / 8
+
+    compressed := make([]byte, byteLen)
+    y.FillBytes(compressed)
+
+    compressed = Reverse(compressed)
+
+    one := big.NewInt(1)
+
+    xx := new(big.Int).Set(x)
+    if xx.And(xx, one).Cmp(one) == 0 {
+        compressed[byteLen-1] |= 0x80
+    }
+
+    return compressed
+}
+
+func UnmarshalPoint(curve elliptic.Curve, data []byte) (*big.Int, *big.Int) {
+    if c, ok := curve.(*Ed521Curve); ok {
+        return c.UnmarshalPoint(data)
+    }
+
+    return nil, nil
+}
+
 func panicIfNotOnCurve(curve elliptic.Curve, x, y *big.Int) {
     // (0, 0) is the point at infinity by convention. It's ok to operate on it,
     // although IsOnCurve is documented to return false for it. See Issue 37294.
diff --git a/pubkey/ed521/ed521.go b/pubkey/ed521/ed521.go
@@ -10,8 +10,6 @@ import (
     "crypto/elliptic"
 
     "golang.org/x/crypto/sha3"
-    "golang.org/x/crypto/cryptobyte"
-    "golang.org/x/crypto/cryptobyte/asn1"
 
     "github.com/deatil/go-cryptobin/elliptic/ed521"
 )
@@ -27,6 +25,12 @@ var (
 const (
     // ContextMaxSize is the maximum length (in bytes) allowed for context.
     ContextMaxSize = 255
+    // PublicKeySize is the size, in bytes, of public keys as used in this package.
+    PublicKeySize = 133
+    // PrivateKeySize is the size, in bytes, of private keys as used in this package.
+    PrivateKeySize = 66
+    // SignatureSize is the size, in bytes, of signatures generated and verified by this package.
+    SignatureSize = 132
     // SeedSize is the size, in bytes, of private key seeds.
     SeedSize = 66
 )
@@ -180,7 +184,7 @@ func NewPrivateKey(d []byte) (*PrivateKey, error) {
 
 // return PrivateKey data
 func PrivateKeyTo(key *PrivateKey) []byte {
-    privateKey := make([]byte, (key.Curve.Params().N.BitLen()+7)/8)
+    privateKey := make([]byte, PrivateKeySize)
     return key.D.FillBytes(privateKey)
 }
 
@@ -245,10 +249,14 @@ func sign(privateKey *PrivateKey, message []byte, domPre, context string) ([]byt
         PHM = message
     }
 
-    n := privateKey.Curve.Params().N
+    params := privateKey.Curve.Params()
+    n := params.N
+    byteLen := (params.BitSize + 7) / 8
+
+    var tmpBuf []byte
 
     seed := privateKey.D.Bytes()
-    publicKeyBytes := ed521.MarshalCompressed(privateKey.Curve, privateKey.X, privateKey.Y)
+    publicKeyBytes := ed521.MarshalPoint(privateKey.Curve, privateKey.X, privateKey.Y)
 
     h := make([]byte, 132)
     sha3.ShakeSum256(h, seed)
@@ -267,21 +275,31 @@ func sign(privateKey *PrivateKey, message []byte, domPre, context string) ([]byt
     messageDigest := make([]byte, 132)
     mh.Read(messageDigest)
 
+    messageDigest = ed521.Reverse(messageDigest)
+
     r := new(big.Int).SetBytes(messageDigest)
     r.Mod(r, n)
 
     _, R := privateKey.Curve.ScalarBaseMult(r.Bytes())
 
+    buf := make([]byte, 2*byteLen)
+    R.FillBytes(buf[:byteLen])
+
+    tmpBuf = ed521.Reverse(buf[:byteLen])
+    copy(buf[:byteLen], tmpBuf)
+
     kh := sha3.NewShake256()
     kh.Write([]byte(domPre))
     kh.Write([]byte{byte(len(context))})
     kh.Write([]byte(context))
-    kh.Write(R.Bytes())
+    kh.Write(buf[:byteLen])
     kh.Write(publicKeyBytes)
     kh.Write(PHM)
     hramDigest := make([]byte, 132)
     kh.Read(hramDigest)
 
+    hramDigest = ed521.Reverse(hramDigest)
+
     k := new(big.Int).SetBytes(hramDigest)
     k.Mod(k, n)
 
@@ -290,7 +308,11 @@ func sign(privateKey *PrivateKey, message []byte, domPre, context string) ([]byt
     S.Add(S, r)
     S.Mod(S, n)
 
-    return encodeSignature(R, S)
+    S.FillBytes(buf[byteLen:])
+    tmpBuf = ed521.Reverse(buf[byteLen:])
+    copy(buf[byteLen:], tmpBuf)
+
+    return buf, nil
 }
 
 // VerifyWithOptions reports whether sig is a valid signature of message by
@@ -333,11 +355,6 @@ func VerifyWithOptions(publicKey *PublicKey, message, sig []byte, opts crypto.Si
 
 // Verify reports whether sig is a valid signature of message by publicKey.
 func verify(publicKey *PublicKey, message, sig []byte, domPre, context string) bool {
-    R, S, err := parseSignature(sig)
-    if err != nil {
-        return false
-    }
-
     var PHM []byte
 
     if domPre == domPrefixPh {
@@ -349,23 +366,36 @@ func verify(publicKey *PublicKey, message, sig []byte, domPre, context string) b
     }
 
     curve := publicKey.Curve
+    params := curve.Params()
     n := curve.Params().N
+    byteLen := (params.BitSize + 7) / 8
+
+    if len(sig) != 2*byteLen {
+        return false
+    }
 
-    publicKeyBytes := ed521.MarshalCompressed(publicKey.Curve, publicKey.X, publicKey.Y)
+    RBytes := ed521.Reverse(sig[:byteLen])
+    SBytes := ed521.Reverse(sig[byteLen:])
+
+    R := new(big.Int).SetBytes(RBytes)
+    S := new(big.Int).SetBytes(SBytes)
+
+    publicKeyBytes := ed521.MarshalPoint(publicKey.Curve, publicKey.X, publicKey.Y)
 
     kh := sha3.NewShake256()
     kh.Write([]byte(domPre))
     kh.Write([]byte{byte(len(context))})
     kh.Write([]byte(context))
-    kh.Write(R.Bytes())
+    kh.Write(sig[:byteLen])
     kh.Write(publicKeyBytes)
     kh.Write(PHM)
     hramDigest := make([]byte, 132)
     kh.Read(hramDigest)
 
+    hramDigest = ed521.Reverse(hramDigest)
+
     k := new(big.Int).SetBytes(hramDigest)
     k.Mod(k, n)
-
     k.Mod(k.Neg(k), n)
 
     // r = S - k * pub
@@ -376,35 +406,6 @@ func verify(publicKey *PublicKey, message, sig []byte, domPre, context string) b
     return bigIntEqual(R, y2)
 }
 
-func encodeSignature(r, s *big.Int) ([]byte, error) {
-    var b cryptobyte.Builder
-    b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
-        b.AddASN1BigInt(r)
-        b.AddASN1BigInt(s)
-    })
-
-    return b.Bytes()
-}
-
-func parseSignature(sig []byte) (r, s *big.Int, err error) {
-    var inner cryptobyte.String
-    input := cryptobyte.String(sig)
-
-    r = new(big.Int)
-    s = new(big.Int)
-
-    if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
-        !input.Empty() ||
-        !inner.ReadASN1Integer(r) ||
-        !inner.ReadASN1Integer(s) ||
-        !inner.Empty() {
-        err = ErrInvalidASN1
-        return
-    }
-
-    return
-}
-
 func randFieldElement(rand io.Reader, curve elliptic.Curve) (*big.Int, error) {
     N := curve.Params().N
 
diff --git a/pubkey/ed521/ed521_test.go b/pubkey/ed521/ed521_test.go
@@ -4,7 +4,6 @@ import (
     "fmt"
     "bytes"
     "testing"
-    "math/big"
     "crypto"
     "crypto/rand"
     "crypto/elliptic"
@@ -230,13 +229,7 @@ func Test_SignVerify_fail(t *testing.T) {
         t.Fatal(err)
     }
 
-    R, S, _ := parseSignature(sig)
-    R.Add(R, big.NewInt(1))
-
-    sig, err = encodeSignature(R, S)
-    if err != nil {
-        t.Fatal(err)
-    }
+    sig[len(sig)-6] = sig[len(sig)-6] + 1
 
     res, _ := Verify(pub, data, sig)
     cryptobin_test.False(t, res)
@@ -344,7 +337,7 @@ var testSigVec = []testVec{
         secretKey: fromHex("313e78bd2f5eb3f0a9ee0120496cb3c891a3d4f79d1b8c01f81cd7d70bcadefbb941a3058dabe6b5dbe559b6f5331cc0087af6a367d47555d5cb95a8dacea4d167"),
         publicKey: fromHex("03015c5b1c1dbdb4e81225cfd8bbfa14b01148b3d3741e9dc0d16c4d40ac8d72eb6752a9015c6aa5c87239491d1d49f292b67a78987283f430af271572e030f9d7f862"),
         message:   fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"),
-        signature: fromHex("3081870242018c284f975122ffb3cb1097b316bbd03f9e03c295d1344b08dc20bba159e7acc28a0048b222a4a39cdd8139ececa2ac7122c4fa8d234a90c4a3cb7f0dff87379d33024128cbc3c194aa653bd038e8a43ec4c9cd8ca293377596dc29c3c6105c5e0bc86cbc6e11949b8ab8ed9b7e65cd2780baaf098e57c73ef2b6ae85e970cd8795c573f8"),
+        signature: fromHex("a6659ed7213f736f46c10c983329523cf246fd0126406bd533783f80b33893b52c899c37e5f8012b378214b983fad7cde1b1d528977a4892cb8abc4872a59d18c500782fdeafb0c93ea7a4f8b16028df15ff05644ede3698ca88c1602ede83c68342aaa013cec1ea2e8d65d4bed0764f8b42e9548a2e41d49786aa0ad2ed782d6c353200"),
         verification: true,
     },
 
@@ -353,7 +346,7 @@ var testSigVec = []testVec{
         secretKey: fromHex("22713dc2f3d8a4611e9266d8a2a9e3d237505dc34c65d87d598b9a4e6c41b35e3d090458e66c8213a4af011e5614377960c99d9f84e379fdd1f1e168b163b5d930"),
         publicKey: fromHex("0300d4a01d6c5cd88d226e33ab966991d6939c72d7012f209a7fc7006d0b9f93df99e8ab5543cb5d27a2818f27cad1648bfecdd49e7772ded70ee7043444a518683019"),
         message:   fromHex("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"),
-        signature: fromHex("3081870242018c284f975122ffb3cb1097b316bbd03f9e03c295d1344b08dc20bba159e7acc28a0048b222a4a39cdd8139ececa2ac7122c4fa8d234a90c4a3cb7f0dff87379d33024128cbc3c194aa653bd038e8a43ec4c9cd8ca293377596dc29c3c6105c5e0bc86cbc6e11949b8ab8ed9b7e65cd2780baaf098e57c73ef2b6ae85e970cd8795c573f8"),
+        signature: fromHex("a6659ed7213f736f46c10c983329523cf246fd0126406bd533783f80b33893b52c899c37e5f8012b378214b983fad7cde1b1d528977a4892cb8abc4872a59d18c500782fdeafb0c93ea7a4f8b16028df15ff05644ede3698ca88c1602ede83c68342aaa013cec1ea2e8d65d4bed0764f8b42e9548a2e41d49786aa0ad2ed782d6c353200"),
         verification: false,
     },
 }
diff --git a/pubkey/ed521/pkcs8_test.go b/pubkey/ed521/pkcs8_test.go
@@ -42,8 +42,8 @@ func Test_MarshalPKCS8(t *testing.T) {
 }
 
 var privPEM = `-----BEGIN PRIVATE KEY-----
-MFYCAQAwDgYKKwYBBAGC3CwCAQYABEFn+ELryWPBgSXqTFTDWjkuJWzLBl88Muvr
-1+xy/LIGwSO2090Eo8LkEV57zYuG0Jjh81ZAuyNaqQ8tma1Wolq/JQ==
+MFcCAQAwDgYKKwYBBAGC3CwCAQYABEIAZ/hC68ljwYEl6kxUw1o5LiVsywZfPDLr
+69fscvyyBsEjttPdBKPC5BFee82LhtCY4fNWQLsjWqkPLZmtVqJavyU=
 -----END PRIVATE KEY-----
 `
 

Original file line number	Diff line number	Diff line change
`@@ -42,8 +42,8 @@ func Test_MarshalPKCS8(t *testing.T) {`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	var privPEM = `-----BEGIN PRIVATE KEY-----
`45`		`-MFYCAQAwDgYKKwYBBAGC3CwCAQYABEFn+ELryWPBgSXqTFTDWjkuJWzLBl88Muvr`
`46`		`-1+xy/LIGwSO2090Eo8LkEV57zYuG0Jjh81ZAuyNaqQ8tma1Wolq/JQ==`
	`45`	`+MFcCAQAwDgYKKwYBBAGC3CwCAQYABEIAZ/hC68ljwYEl6kxUw1o5LiVsywZfPDLr`
	`46`	`+69fscvyyBsEjttPdBKPC5BFee82LhtCY4fNWQLsjWqkPLZmtVqJavyU=`
`47`	`47`	`-----END PRIVATE KEY-----`
`48`	`48`	`
`49`	`49`