author Ian Jackson <ijackson@chiark.greenend.org.uk> 2023-11-15 22:39:25 +0000
committer Ian Jackson <ijackson@chiark.greenend.org.uk> 2023-11-15 22:55:44 +0000
commit d2ef5c4d2491c9aef5c1722976d651dd5205f5d4
tree 58131afbca4907cd97e54d7ce42a5bc1e24b351e /spec
parent eb2c1296df4bfed89cef83aefdf67d8d86fe7aa7
ssh-protocols: x25519@spec.tpo: Specify the useless string wrap
This is what we actually do right now, what the ssh-encoding crate forces us to do, and the same thing as the upstreams do for ed25519. So we'll keep doing it this way too, even though it's daft.
Diffstat (limited to 'spec')
-rw-r--r-- spec/ssh-protocols.md 28
1 files changed, 22 insertions, 6 deletions
diff --git a/spec/ssh-protocols.md b/spec/ssh-protocols.md
index d1268cb..021b277 100644
--- a/spec/ssh-protocols.md
+++ b/spec/ssh-protocols.md
@@ -162,13 +162,19 @@ as per
and
[s5](https://datatracker.ietf.org/doc/html/rfc7748#section-5).
-The public key data is the u-coordinate encoded as the byte string `u[]`
-from RFC7748 s5.
+The public key data is:
+```
+ string wrapper for the following fixed-length data:
+ byte[32] the u-coordinate encoded as u[] from RFC7748 s5
+```
-The private key data is the scalar k
-encoded according to RFC7748 s5
-(i.e. as a fixed-length 32-byte little endian byte string).
-It MUST be stored as the true scalar value.
+The private key data is:
+```
+ string wrapper for the following fixed-length data:
+ byte[32] the scalar k encoded according to RFC7748 s5
+```
+
+k MUST be stored as the true scalar value.
So if the private key was generated from 32 random bytes
according to the procedure described in RFC7748 s5
"in order to decode 32 random bytes as an integer scalar".
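Review bot: In both added blocks, the line "string wrapper for the following fixed-length data:" uses `string` without saying which encoding is meant or that its length field must be 32. Suggest citing the SSH `string` type once (RFC4251 s5: a uint32 length followed by that many bytes) and stating the length in the block itself, for example "string (length 32) wrapping:", so that the public and private key formats can be implemented from these lines without reading the rationale added further down.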
@@ -182,6 +188,16 @@ it SHOULD be rejected;
if it is not rejected,
it MUST NOT be used unchanged, but MUST instead be clamped.
+Keys whose `string` wrapper is not of the expected length MUST be rejected.
+
+> The `string` wrapper is useless,
+> but the same wrapper approach is used in official SSH for
+> ed25519 public keys ([RFC8709
+> s4](https://datatracker.ietf.org/doc/html/rfc8709#name-public-key-format)).
+> and for ed25519 private keys in the SSH agent protocol
+> ([draft-miller-ssh-agent-04 4.2.3](https://datatracker.ietf.org/doc/html/draft-miller-ssh-agent-04#section-4.2.3)).
+> We do the same here for consistency (and implementation convenience).
+
> X25519 keys are
> [interconvertible with ed25519 keys](dir-spec/converting-to-ed25519.md).
> So, it would be possible to store the ed25519 form instead,
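Review bot: The added requirement "Keys whose `string` wrapper is not of the expected length MUST be rejected." never states the expected length, and because it sits after the private-key clamping paragraph it is unclear whether it also applies to public keys. If both are meant, suggest wording such as "Public and private keys whose `string` wrapper length is not exactly 32 MUST be rejected." Minor: in the quoted note, the full stop after the RFC8709 link splits the sentence before "and for ed25519 private keys"; a comma is intended there.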