Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Looking for explanation for how to validate verifying key #702

Closed
TheButlah opened this issue Sep 19, 2024 · 4 comments
Closed

Looking for explanation for how to validate verifying key #702

TheButlah opened this issue Sep 19, 2024 · 4 comments

Comments

@TheButlah
Copy link

The docs for VerifyingKey::from_bytes say that:

Warning

The caller is responsible for ensuring that the bytes passed into this method actually represent a curve25519_dalek::curve::CompressedEdwardsY and that said compressed point is actually a point on the curve.

I wanted to know if this verification is performed as part of VerifyingKey::verify_strict or if I still have to verify it myself.

If I need to verify it myself, would you accept a PR to add that to some example code.

Here is what I have so far, does it look correct?

#[derive(thiserror::Error, Debug)]
pub enum TryFromBytesError {
	#[error(
		"the provided bytes was not the y coordinate of a valid point on the curve"
	)]
	NotOnCurve,
	#[error("public key has a low order and is too weak, which would allow the key to generate signatures that work for almost any message. To prevent this, we reject weak keys.")]
	WeakKey,
}

// Instantiates `PubKey` from some bytes. Performs all necessary validation
/// that the key is valid and of sufficient strength.
///
/// Note that we will reject any keys that are too weak (aka low order).
pub fn try_from_bytes(bytes: &[u8; Self::LEN]) -> Result<VerifyingKey, TryFromBytesError> {
	let compressed_edwards = CompressedEdwardsY(bytes.to_owned());
	let Some(edwards) = compressed_edwards.decompress() else {
		return Err(TryFromBytesError::NotOnCurve);
	};
	let key = ed25519_dalek::VerifyingKey::from(edwards);
	if key.is_weak() {
		return Err(TryFromBytesError::WeakKey);
	}
	Ok(key)
}
@TheButlah TheButlah changed the title Need explanation for how to validate verifying key Looking for explanation for how to validate verifying key Sep 19, 2024
@tarcieri
Copy link
Contributor

We've discussed this in the past in #380 (and #626).

VerifyingKey::from_bytes decompresses a CompressedEdwardsY, and in performing point decompression it ensures the result is a valid curve point, or returns an error. So that warning is just out-of-date and should probably be removed.

In its place we should probably mention the current point validation criteria used: the ZIP-215 rules, as opposed to RFC8032 / NIST (see #626).

@tarcieri
Copy link
Contributor

Opened #704 to update the wording

@TheButlah
Copy link
Author

So to confirm- I don't need to mess with key validation at all myself, and can just use from_bytes?

@tarcieri
Copy link
Contributor

Correct. Check the docs in #704 and let me know if they make sense now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tarcieri @TheButlah