1 (edited by lycboy 2022-03-18 01:34:16)

Topic: Is it possible to use ED25519 private key for sign?


Here's the background:
We need to send a token which includes something like device information and service information to devices for identification. This token is generated and signed by our service, but may be verified by 3rd-party services. We don't want to distribute the private key to the 3rd-party services' servers.

Now we implement our service using OpenSSL like this:

    /* Load the PEM-encoded private key from memory */
    b = BIO_new_mem_buf(pem, pem_len);
    pkey = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);

    if (EVP_PKEY_id(pkey) != EVP_PKEY_ED25519) return invalid_key_type;

    size_t sig_len = 64;
    unsigned char sig[64];
    EVP_MD_CTX *md_ctx = EVP_MD_CTX_new();
    /* Ed25519 is one-shot: no digest is named and EVP_DigestSign takes the whole message */
    EVP_DigestSignInit(md_ctx, NULL, NULL, NULL, pkey);
    EVP_DigestSign(md_ctx, sig, &sig_len, tk, tk_len);

We found WolfCrypt ED25519 performance is much better than OpenSSL. But when we did the same thing using WolfCrypt we got a BAD_FUNC_ARG error:

    ed25519_key pkey;

    rc = wc_ed25519_init(&pkey);
    if (rc) goto err;

    rc = wc_Ed25519PrivateKeyDecode(dbuf, &idx, &pkey, dlen);
    if (rc) goto err;

    byte sig[ED25519_SIG_SIZE];
    word32 sig_len = ED25519_SIG_SIZE;

    rc = wc_ed25519_sign_msg(tk, tk_len, sig, &sig_len, &pkey);
    if (rc) goto err; /* BAD_FUNC_ARG here */

I dug into the WolfCrypt source code and saw this in wolfcrypt/src/ed25519.c:

    int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
                                word32 *outLen, ed25519_key* key, byte type,
                                const byte* context, byte contextLen)
    {
        /* ... */

        if (!key->pubKeySet)
            return BAD_FUNC_ARG;

        /* ... */
    }

It seems we could only use the public key for sign... Is it possible to use ED25519 private key for sign and public key for verification?



Re: Is it possible to use ED25519 private key for sign?

Hello Iycboy,

Thanks for joining the wolfSSL Forums. The public key is required for signing with ed25519:

https://datatracker.ietf.org/doc/html/r … tion-5.1.6

Construct the secret scalar s from the first half of the digest, and the corresponding public key A, as described in the previous section.

We have some excellent examples in a separate repository:
https://github.com/wolfSSL/wolfssl-exam … pk/ed25519

Let us know if there are questions.

Eric @ wolfSSL Support

Re: Is it possible to use ED25519 private key for sign?

Hi Iycboy,

Eric is correct that the public key portion is necessary in addition to the private key for signing. Just as a side note, though, you can generate the public portion given the private portion of the key. Check out the API wc_ed25519_make_public and wc_ed25519_import_public.

The question is if we should be trying to do this automatically in wolfSSL given a sign request where the public portion of the key is not set, just the private key. Will discuss that internally; in the meantime, though, generating and importing the public key is how you could avoid having to send/store the public key portion. Or, if you could send/store the public key portion with the private key, then altering the DER being passed to wc_Ed25519PrivateKeyDecode to also contain the public key would avoid the public key generation step.
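
The two replies above, as an added example that is not part of the original thread and is not wolfSSL or OpenSSL code: a minimal Python transcription of the RFC 8032 Ed25519 steps, showing that the public key A is computed from the private seed and is then hashed into every signature. The function names `derive_public` and `sign` are hypothetical, the seed is RFC 8032 test vector 1, and the arithmetic is not constant-time, so it is meant for tracing the algorithm only.

```python
import hashlib
# Added illustration of RFC 8032 Ed25519; not wolfSSL/OpenSSL code, not constant-time.
p = 2**255 - 19                                       # field prime
L = 2**252 + 27742317777372353535851937790883648493   # group order
d = -121665 * pow(121666, p - 2, p) % p               # curve constant

def point_add(P, Q):  # extended coordinates (X, Y, Z, T)
    a, b = (P[1] - P[0]) * (Q[1] - Q[0]) % p, (P[1] + P[0]) * (Q[1] + Q[0]) % p
    c, e = 2 * P[3] * Q[3] * d % p, 2 * P[2] * Q[2] % p
    return ((b - a) * (e - c) % p, (e + c) * (b + a) % p,
            (e - c) * (e + c) % p, (b - a) * (b + a) % p)

def point_mul(s, P):
    Q = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            Q = point_add(Q, P)
        P, s = point_add(P, P), s >> 1
    return Q

def compress(P):  # 32-byte encoding: y with the parity of x in the top bit
    x, y = (c * pow(P[2], p - 2, p) % p for c in P[:2])
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

Gy = 4 * pow(5, p - 2, p) % p                         # base point: y = 4/5
x2 = (Gy * Gy - 1) * pow(d * Gy * Gy + 1, p - 2, p) % p
Gx = pow(x2, (p + 3) // 8, p)
Gx = Gx if (Gx * Gx - x2) % p == 0 else Gx * pow(2, (p - 1) // 4, p) % p
Gx = p - Gx if Gx & 1 else Gx                         # the base point has even x
G = (Gx, Gy, 1, Gx * Gy % p)

def expand_seed(seed):
    h = hashlib.sha512(seed).digest()
    s = (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)
    return s, h[32:]  # secret scalar s, nonce prefix

def derive_public(seed):  # A = s*G: the public key is a function of the seed
    return compress(point_mul(expand_seed(seed)[0], G))

def sign(seed, msg, pub):
    if pub is None:  # same precondition as the pubKeySet check quoted in the thread
        raise ValueError("public key A is needed for k = H(R || A || M)")
    s, prefix = expand_seed(seed)
    r = int.from_bytes(hashlib.sha512(prefix + msg).digest(), "little") % L
    R = compress(point_mul(r, G))
    k = int.from_bytes(hashlib.sha512(R + pub + msg).digest(), "little") % L
    return R + ((r + k * s) % L).to_bytes(32, "little")

SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")  # RFC 8032 7.1 TEST 1
```

A public key that does not belong to the seed changes only the S half of the output, and the result no longer verifies under the real public key, so whichever A is stored or derived must come from the same private key.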



Re: Is it possible to use ED25519 private key for sign?

Thank you embhorn and Jacob! It works now.

The example is very helpful, can't believe I just ignored it...