Cryptography: ED25519 Support

This won't happen until OpenSSL has ed25519 support: https://github.com/openssl/openssl/issues/487

This can stay open, as none of our other tracking issues cover ed25519

Damn that was quick. Thanks Alex!

Filed a tracking issue on our end to take advantage of this once it's available. Looking forward to it! :P

https://trac.torproject.org/projects/tor/ticket/22022

+1 for this

Ed25519 support was recently merged in OpenSSL master: openssl/openssl#3503.

Yep, we'll be implementing this when 1.1.1 is released.

Wonderful, thanks!

I went ahead and implemented this as an experiment today: https://github.com/pyca/cryptography/compare/master...reaperhulk:ed25519

That is a WIP patch. It passes all tests, but there's no support for serialization of private keys, public key serialization is bare bytes only, and there's insufficient documentation. The API structure for loading/serializing probably needs a look as well since we'll likely want to support PKCS8. Also, to use this you'll have to compile against OpenSSL 1.1.1-dev (which means cloning current git master, building it, and successfully linking against it instead of whatever other OpenSSL you may have resident on your system)

Ed25519 TLS support was also merged to OpenSSL master: openssl/openssl#3585

Since so many people are watching this issue here's an update. ed25519 support is basically ready, but we can't ship it (or ed448) until a bug fix release of OpenSSL 1.1.1 comes out to correct an issue we found in our testing. Hopefully that will happen sometime soon, but there's no timeline from the OpenSSL project at the moment.

thank you! excited to see this hit!

a bug fix release of OpenSSL 1.1.1 comes out to correct an issue we found in our testing.

Is this tracked somewhere public on the OpenSSL side?

https://github.com/openssl/openssl/issues/7706 and https://github.com/openssl/openssl/issues/7693 are the issues I opened (and they link to the PRs that fix the bugs).

Release is scheduled for next week: https://mta.openssl.org/pipermail/openssl-announce/2019-February/000145.html

Once that release comes out we can dust off the ed25519 and ed448 PRs, get them landed, and get a release out that adds support.

Looking forward to it!

Is there documentation available for what the API will look like here?

I'd also like to do some testing of what you have right now vs. the implementation I'm currently using from libnacl to see if I can make them interoperate.

The API will look effectively identical to x25519/x448 but with sign/verify methods. You can see old PRs https://github.com/pyca/cryptography/pull/4114 and https://github.com/pyca/cryptography/pull/4610. Both of them need to be rebased and updated to match the serialization supported on the x25519/x448 side.

Great, thanks! I've already updated my curve25519/curve448 implementation to use the new serialization support for x25519/x448 in PyCA 2.5 and it's working well for doing ECDH. If similar public & private key classes are used but with sign() and verify() methods, I think that should work as long as I have a way to get the signature as a raw byte string (64 bytes in the Ed25519 case, or 114 bytes if I remember right for Ed448).

Yeah the EdDSA signatures created by OpenSSL have no additional ASN.1 structure around them so the resulting byte strings should be what you expect.

I'm happy to report that both Ed25519 and Ed448 are now working in AsyncSSH using the support added to the PyCA 2.6.1 release last week. This is now released as part of AsyncSSH 1.16.0.