Migrate (back) to ed25519-dalek

We've had many requests to leverage `ed25519-dalek`'s
`ExpandedSecretKey` functionality in order to support keys exported from
YubiHSMs. See #978, #891, and #742.

I have been a bit wary of the implementation though, because it has
always involved having both `ed25519-consensus` and `ed25519-dalek`,
often with enums over multiple key types, which seems incredibly
overcomplicated just to implement this feature.

We originally switched to `ed25519-consensus` because `tendermint-rs`
did, and it makes sense there where ZIP-215 provides consensus-critical
signature verification rules that don't diverge between implementations.
However that's a bit irrelevant for our purposes as this is a signing
service, and ZIP-215 allows us to use whatever signing implementation we
want.

Now that we've vendored `tendermint-p2p` as `tmkms-p2p` we can
unilaterally switch the Ed25519 implementation (back) to
`ed25519-dalek`, which should make adding `ExpandedSecretKey` support
much easier and avoid having to worry about two implementations.

This additionally switches (back) to upstream `curve25519-dalek` so as
to support X25519 as part of the SecretConnection protocol.

Author: tony-iqlusion

Cargo.lock

@@ -22,7 +22,7 @@ chrono = "0.4"
 clap = "4"
 cosmrs = "0.22"
 ed25519 = "2"
-ed25519-consensus = "2"
+ed25519-dalek = "2"
 elliptic-curve = { version = "0.13", features = ["pkcs8"], optional = true }
 eyre = "0.6"
 getrandom = "0.2"

Cargo.toml

@@ -7,7 +7,7 @@ type SigningKeyBytes = [u8; SigningKey::BYTE_SIZE];
 
 /// Ed25519 signing key.
 #[derive(Clone, Debug)]
-pub struct SigningKey(ed25519_consensus::SigningKey);
+pub struct SigningKey(ed25519_dalek::SigningKey);
 
 impl SigningKey {
     /// Size of an encoded Ed25519 signing key in bytes.
@@ -20,7 +20,7 @@ impl SigningKey {
 
     /// Get the verifying key for this signing key.
     pub fn verifying_key(&self) -> VerifyingKey {
-        VerifyingKey(self.0.verification_key())
+        VerifyingKey(self.0.verifying_key())
     }
 }
 
@@ -30,8 +30,8 @@ impl From<SigningKeyBytes> for SigningKey {
     }
 }
 
-impl From<SigningKey> for ed25519_consensus::SigningKey {
-    fn from(signing_key: SigningKey) -> ed25519_consensus::SigningKey {
+impl From<SigningKey> for ed25519_dalek::SigningKey {
+    fn from(signing_key: SigningKey) -> ed25519_dalek::SigningKey {
         signing_key.0
     }
 }
@@ -42,8 +42,8 @@ impl From<&SigningKey> for tmkms_p2p::PublicKey {
     }
 }
 
-impl From<ed25519_consensus::SigningKey> for SigningKey {
-    fn from(signing_key: ed25519_consensus::SigningKey) -> SigningKey {
+impl From<ed25519_dalek::SigningKey> for SigningKey {
+    fn from(signing_key: ed25519_dalek::SigningKey) -> SigningKey {
         SigningKey(signing_key)
     }
 }

src/keyring/ed25519/signing_key.rs

@@ -5,7 +5,7 @@ use signature::Verifier;
 
 /// Ed25519 verification key.
 #[derive(Clone, Debug)]
-pub struct VerifyingKey(pub(super) ed25519_consensus::VerificationKey);
+pub struct VerifyingKey(pub(super) ed25519_dalek::VerifyingKey);
 
 impl VerifyingKey {
     /// Size of an encoded Ed25519 verifying key in bytes.
@@ -45,10 +45,7 @@ impl From<&VerifyingKey> for tmkms_p2p::PublicKey {
 
 impl Verifier<Signature> for VerifyingKey {
     fn verify(&self, msg: &[u8], sig: &Signature) -> signature::Result<()> {
-        let sig = ed25519_consensus::Signature::from(sig.to_bytes());
-        self.0
-            .verify(&sig, msg)
-            .map_err(|_| signature::Error::new())
+        self.0.verify(msg, &sig)
     }
 }
 

src/keyring/ed25519/verifying_key.rs

@@ -21,18 +21,18 @@ description = """
     """
 
 [dependencies]
-chacha20poly1305 = { version = "0.10", default-features = false, features = ["reduced-round"] }
-curve25519-dalek-ng = { version = "4", default-features = false }
-ed25519-consensus = { version = "2", default-features = false }
+aead = { version = "0.5", default-features = false }
+chacha20poly1305 = { version = "0.10", default-features = false }
+curve25519-dalek = { version = "4", default-features = false, features = ["rand_core"] }
+ed25519-dalek = { version = "2", default-features = false }
 hkdf = { version = "0.12.3", default-features = false }
 merlin = { version = "3", default-features = false }
 prost = { version = "0.13", default-features = false, features = ["std"] }
 rand_core = { version = "0.6", default-features = false, features = ["std"] }
 sha2 = { version = "0.10", default-features = false }
-subtle = { version = "2", default-features = false }
-zeroize = { version = "1", default-features = false }
 signature = { version = "2", default-features = false }
-aead = { version = "0.5", default-features = false }
+subtle = { version = "2", default-features = false }
 tendermint = { version = "0.40.4", default-features = false }
 tendermint-proto = { version = "0.40.4", default-features = false }
 tendermint-std-ext = { version = "0.40.4", default-features = false }
+zeroize = { version = "1", default-features = false }

tmkms-p2p/Cargo.toml

@@ -7,10 +7,10 @@ use crate::{
     state::{ReceiveState, SendState},
 };
 use chacha20poly1305::{ChaCha20Poly1305, KeyInit};
-use curve25519_dalek_ng::{
-    constants::X25519_BASEPOINT, montgomery::MontgomeryPoint as EphemeralPublic,
-    scalar::Scalar as EphemeralSecret,
+use curve25519_dalek::{
+    montgomery::MontgomeryPoint as EphemeralPublic, scalar::Scalar as EphemeralSecret,
 };
+use ed25519_dalek::{Signer, Verifier};
 use merlin::Transcript;
 use rand_core::OsRng;
 use subtle::ConstantTimeEq;
@@ -27,18 +27,18 @@ pub(crate) struct Handshake<S> {
 
 /// `AwaitingEphKey` means we're waiting for the remote ephemeral pubkey.
 pub(crate) struct AwaitingEphKey {
-    local_privkey: ed25519_consensus::SigningKey,
+    local_privkey: ed25519_dalek::SigningKey,
     local_eph_privkey: Option<EphemeralSecret>,
 }
 
 #[allow(clippy::use_self)]
 impl Handshake<AwaitingEphKey> {
     /// Initiate a handshake.
     #[must_use]
-    pub fn new(local_privkey: ed25519_consensus::SigningKey) -> (Self, EphemeralPublic) {
+    pub fn new(local_privkey: ed25519_dalek::SigningKey) -> (Self, EphemeralPublic) {
         // Generate an ephemeral key for perfect forward secrecy.
         let local_eph_privkey = EphemeralSecret::random(&mut OsRng);
-        let local_eph_pubkey = X25519_BASEPOINT * local_eph_privkey;
+        let local_eph_pubkey = EphemeralPublic::mul_base(&local_eph_privkey);
 
         (
             Self {
@@ -67,9 +67,10 @@ impl Handshake<AwaitingEphKey> {
         let Some(local_eph_privkey) = self.state.local_eph_privkey.take() else {
             return Err(Error::MissingSecret);
         };
-        let local_eph_pubkey = X25519_BASEPOINT * local_eph_privkey;
+        let local_eph_pubkey = EphemeralPublic::mul_base(&local_eph_privkey);
 
         // Compute common shared secret.
+        // TODO(tarcieri): use `mul_clamped` instead?
         let shared_secret = local_eph_privkey * remote_eph_pubkey;
 
         let mut transcript = Transcript::new(b"TENDERMINT_SECRET_CONNECTION_TRANSCRIPT_HASH");
@@ -122,7 +123,7 @@ pub(crate) struct AwaitingAuthSig {
     sc_mac: [u8; 32],
     recv_cipher: ChaCha20Poly1305,
     send_cipher: ChaCha20Poly1305,
-    local_signature: ed25519_consensus::Signature,
+    local_signature: ed25519_dalek::Signature,
 }
 
 impl Handshake<AwaitingAuthSig> {
@@ -139,17 +140,17 @@ impl Handshake<AwaitingAuthSig> {
 
         let remote_pubkey = match pk_sum {
             proto::crypto::public_key::Sum::Ed25519(ref bytes) => {
-                ed25519_consensus::VerificationKey::try_from(&bytes[..])
+                ed25519_dalek::VerifyingKey::try_from(&bytes[..])
                     .map_err(|_| Error::SignatureInvalid)
             }
             proto::crypto::public_key::Sum::Secp256k1(_) => Err(Error::UnsupportedKey),
         }?;
 
-        let remote_sig = ed25519_consensus::Signature::try_from(auth_sig_msg.sig.as_slice())
+        let remote_sig = ed25519_dalek::Signature::try_from(auth_sig_msg.sig.as_slice())
             .map_err(|_| Error::SignatureInvalid)?;
 
         remote_pubkey
-            .verify(&remote_sig, &self.state.sc_mac)
+            .verify(&self.state.sc_mac, &remote_sig)
             .map_err(|_| Error::SignatureInvalid)?;
 
         // We've authorized.
@@ -169,7 +170,7 @@ impl Handshake<AwaitingAuthSig> {
     }
 
     /// Borrow the local signature.
-    pub fn local_signature(&self) -> &ed25519_consensus::Signature {
+    pub fn local_signature(&self) -> &ed25519_dalek::Signature {
         &self.state.local_signature
     }
 }

tmkms-p2p/src/handshake.rs

@@ -1,7 +1,7 @@
 //! Secret Connection Protocol: message framing and versioning
 
 use crate::{Error, Result, public_key};
-use curve25519_dalek_ng::montgomery::MontgomeryPoint as EphemeralPublic;
+use curve25519_dalek::montgomery::MontgomeryPoint as EphemeralPublic;
 use prost::Message as _;
 use tendermint_proto::v0_38 as proto;
 
@@ -47,8 +47,8 @@ pub(crate) fn decode_initial_handshake(bytes: &[u8]) -> Result<EphemeralPublic>
 /// Panics if the Protobuf encoding of `AuthSigMessage` fails
 #[must_use]
 pub(crate) fn encode_auth_signature(
-    pub_key: &ed25519_consensus::VerificationKey,
-    signature: &ed25519_consensus::Signature,
+    pub_key: &ed25519_dalek::VerifyingKey,
+    signature: &ed25519_dalek::Signature,
 ) -> Vec<u8> {
     // Protobuf `AuthSigMessage`
     let pub_key = proto::crypto::PublicKey {

tmkms-p2p/src/protocol.rs

@@ -10,7 +10,7 @@ use tendermint::node;
 #[derive(Copy, Clone, Debug, Eq, PartialEq)]
 pub enum PublicKey {
     /// Ed25519 Secret Connection Keys
-    Ed25519(ed25519_consensus::VerificationKey),
+    Ed25519(ed25519_dalek::VerifyingKey),
 }
 
 impl PublicKey {
@@ -20,14 +20,14 @@ impl PublicKey {
     ///
     /// * if the bytes given are invalid
     pub fn from_raw_ed25519(bytes: &[u8]) -> Result<Self> {
-        ed25519_consensus::VerificationKey::try_from(bytes)
+        ed25519_dalek::VerifyingKey::try_from(bytes)
             .map(Self::Ed25519)
             .map_err(|_| Error::SignatureInvalid)
     }
 
     /// Get Ed25519 public key
     #[must_use]
-    pub const fn ed25519(self) -> Option<ed25519_consensus::VerificationKey> {
+    pub const fn ed25519(self) -> Option<ed25519_dalek::VerifyingKey> {
         match self {
             Self::Ed25519(pk) => Some(pk),
         }
@@ -54,14 +54,14 @@ impl Display for PublicKey {
     }
 }
 
-impl From<&ed25519_consensus::SigningKey> for PublicKey {
-    fn from(sk: &ed25519_consensus::SigningKey) -> Self {
-        Self::Ed25519(sk.verification_key())
+impl From<&ed25519_dalek::SigningKey> for PublicKey {
+    fn from(sk: &ed25519_dalek::SigningKey) -> Self {
+        Self::Ed25519(sk.verifying_key())
     }
 }
 
-impl From<ed25519_consensus::VerificationKey> for PublicKey {
-    fn from(pk: ed25519_consensus::VerificationKey) -> Self {
+impl From<ed25519_dalek::VerifyingKey> for PublicKey {
+    fn from(pk: ed25519_dalek::VerifyingKey) -> Self {
         Self::Ed25519(pk)
     }
 }

tmkms-p2p/src/public_key.rs

@@ -6,7 +6,7 @@ use crate::{
     proto, protocol,
     state::{ReceiveState, SendState},
 };
-use curve25519_dalek_ng::montgomery::MontgomeryPoint as EphemeralPublic;
+use curve25519_dalek::montgomery::MontgomeryPoint as EphemeralPublic;
 use std::{
     io::{self, Read, Write},
     slice,
@@ -92,7 +92,7 @@ impl<IoHandler: Read + Write + Send + Sync> SecretConnection<IoHandler> {
     /// * if receiving the signature fails
     pub fn new(
         mut io_handler: IoHandler,
-        local_privkey: ed25519_consensus::SigningKey,
+        local_privkey: ed25519_dalek::SigningKey,
     ) -> Result<Self> {
         // Start a handshake process.
         let local_pubkey = PublicKey::from(&local_privkey);
@@ -129,8 +129,8 @@ impl<IoHandler: Read + Write + Send + Sync> SecretConnection<IoHandler> {
     /// Encode our auth signature and decode theirs.
     fn share_auth_signature(
         &mut self,
-        pubkey: &ed25519_consensus::VerificationKey,
-        local_signature: &ed25519_consensus::Signature,
+        pubkey: &ed25519_dalek::VerifyingKey,
+        local_signature: &ed25519_dalek::Signature,
     ) -> Result<proto::p2p::AuthSigMessage> {
         /// Length of the auth message response
         // 32 + 64 + (proto overhead = 1 prefix + 2 fields + 2 lengths + total length)