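--- ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java 2025-03-14 14:47:43.404137953 +0100
+++ ed25519-java-0.3.0/src/net/i2p/crypto/eddsa/EdDSAEngine.java 2025-03-14 14:50:31.859888550 +0100
@@ -12,6 +12,7 @@
 package net.i2p.crypto.eddsa;
 
 import java.io.ByteArrayOutputStream;
+import java.math.BigInteger;
 import java.nio.ByteBuffer;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
@@ -29,6 +30,7 @@
 import net.i2p.crypto.eddsa.math.Curve;
 import net.i2p.crypto.eddsa.math.GroupElement;
 import net.i2p.crypto.eddsa.math.ScalarOps;
+import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
 
 /**
  * Signing and verification for EdDSA.
@@ -69,6 +71,8 @@
 public final class EdDSAEngine extends Signature {
 public static final String SIGNATURE_ALGORITHM = "NONEwithEdDSA";
 
+ private static final BigInteger ORDER = new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
+
 private MessageDigest digest;
 private ByteArrayOutputStream baos;
 private EdDSAKey key;
@@ -306,6 +310,11 @@
 h = key.getParams().getScalarOps().reduce(h);
 
 byte[] Sbyte = Arrays.copyOfRange(sigBytes, b/8, b/4);
+ // RFC 8032
+ BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
+ if (Sbigint.compareTo(ORDER) >= 0)
+ return false;
+
 // R = SB - H(Rbar,Abar,M)A
 GroupElement R = key.getParams().getB().doubleScalarMultiplyVariableTime(
 ((EdDSAPublicKey) key).getNegativeA(), h, Sbyte);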
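Review bot: `ORDER` in the last hunk is the Ed25519 group order written out as a literal, while the surrounding verify code takes its scalar arithmetic from `key.getParams()`, so the added `Sbigint.compareTo(ORDER) >= 0` rejection is only right for keys on that one curve; either state that assumption on the constant or derive the bound from the key's parameters. The `// RFC 8032` comment does not say what is enforced; something like `// RFC 8032 section 5.1.7: S must satisfy 0 <= S < L; a non-canonical S makes the signature malleable` would tell the next reader why the early `return false` exists. The decode goes through a freshly constructed `BigIntegerLittleEndianEncoding` with no field set, and `toBigInteger` is defined outside this diff, so it is worth confirming that it reads every byte of `Sbyte` without depending on field state, since a decode that drops the top bit would let an out-of-range S pass this comparison. The enclosing verify method starts and ends outside the hunk.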