Ed25519 signer implementations (#596)

Signed-off-by: Mark S. Lewis <[email protected]>

Author: bestbeforetoday

java/README.md

@@ -38,7 +38,7 @@ A suitable gRPC channel service provider must also be specified (as described in
 <dependency>
     <groupId>io.grpc</groupId>
     <artifactId>grpc-netty-shaded</artifactId>
-    <version>1.54.1</version>
+    <version>1.55.1</version>
     <scope>runtime</scope>
 </dependency>
 ```
@@ -54,7 +54,7 @@ implementation 'org.hyperledger.fabric:fabric-gateway:1.2.2'
 A suitable gRPC channel service provider must also be specified (as described in the [gRPC security documentation](https://github.com/grpc/grpc-java/blob/master/SECURITY.md#transport-security-tls)), such as:
 
 ```groovy
-runtimeOnly 'io.grpc:grpc-netty-shaded:1.54.1'
+runtimeOnly 'io.grpc:grpc-netty-shaded:1.55.1'
 ```
 
 ## Compatibility

java/pom.xml

@@ -38,8 +38,7 @@
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <javaVersion>8</javaVersion>
-        <grpcVersion>1.54.1</grpcVersion>
-        <protobufVersion>3.21.12</protobufVersion> <!-- keep major/minor version in step with one used by io.grpc:grpc-protobuf -->
+        <grpcVersion>1.55.1</grpcVersion>
         <enforceJavaVersion>1.8</enforceJavaVersion> <!-- this is overridden in the release profile -->
         <bouncyCastleVersion>1.73</bouncyCastleVersion>
         <skipUnitTests>${skipTests}</skipUnitTests>
@@ -68,13 +67,6 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
-            <dependency>
-                <groupId>com.google.protobuf</groupId>
-                <artifactId>protobuf-bom</artifactId>
-                <version>${protobufVersion}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
         </dependencies>
     </dependencyManagement>
 
@@ -121,12 +113,6 @@
             <artifactId>bcprov-jdk18on</artifactId>
             <version>${bouncyCastleVersion}</version>
         </dependency>
-        <dependency> <!-- Necessary for Java 9+, according to https://github.com/grpc/grpc-java#readme -->
-            <groupId>org.apache.tomcat</groupId>
-            <artifactId>annotations-api</artifactId>
-            <version>6.0.53</version>
-            <scope>provided</scope>
-        </dependency>
         <dependency>
             <groupId>io.grpc</groupId>
             <artifactId>grpc-netty-shaded</artifactId>
@@ -140,10 +126,6 @@
             <groupId>io.grpc</groupId>
             <artifactId>grpc-stub</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.google.protobuf</groupId>
-            <artifactId>protobuf-java</artifactId>
-        </dependency>
         <dependency>
             <groupId>com.google.code.gson</groupId>
             <artifactId>gson</artifactId>
@@ -180,6 +162,9 @@
                                 <requireJavaVersion>
                                     <version>${enforceJavaVersion}</version>
                                 </requireJavaVersion>
+                                <requireMavenVersion>
+                                    <version>3.6.3</version>
+                                </requireMavenVersion>
                             </rules>
                         </configuration>
                     </execution>
@@ -216,12 +201,12 @@
             </plugin>
             <plugin>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>3.0.0</version>
+                <version>3.1.0</version>
                 <dependencies>
                     <dependency>
                         <groupId>me.fabriciorby</groupId>
                         <artifactId>maven-surefire-junit5-tree-reporter</artifactId>
-                        <version>1.1.0</version>
+                        <version>1.2.1</version>
                     </dependency>
                 </dependencies>
                 <configuration>
@@ -295,20 +280,10 @@
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-dependency-plugin</artifactId>
-                <version>3.6.0</version>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-resources-plugin</artifactId>
-                <version>3.3.1</version>
-            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-source-plugin</artifactId>
-                <version>3.2.1</version>
+                <version>3.3.0</version>
                 <executions>
                     <execution>
                         <id>attach-sources</id>
@@ -348,6 +323,15 @@
                 <additionalJavadocOpts>--no-module-directories</additionalJavadocOpts>
             </properties>
         </profile>
+        <profile>
+            <id>maven-compiler-release</id>
+            <activation>
+                <jdk>[9,)</jdk>
+            </activation>
+            <properties>
+                <maven.compiler.release>${javaVersion}</maven.compiler.release>
+            </properties>
+        </profile>
         <profile>
             <id>checkstyle</id>
             <activation>
@@ -378,7 +362,7 @@
                             <dependency>
                                 <groupId>com.puppycrawl.tools</groupId>
                                 <artifactId>checkstyle</artifactId>
-                                <version>10.10.0</version>
+                                <version>10.12.0</version>
                             </dependency>
                         </dependencies>
                     </plugin>

java/src/main/java/org/hyperledger/fabric/client/identity/ECPrivateKeySigner.java

@@ -6,44 +6,33 @@
 
 package org.hyperledger.fabric.client.identity;
 
+import org.bouncycastle.asn1.ASN1Integer;
+
 import java.math.BigInteger;
 import java.security.GeneralSecurityException;
-import java.security.Provider;
-import java.security.Signature;
 import java.security.interfaces.ECPrivateKey;
 
-import org.bouncycastle.asn1.ASN1Integer;
-import org.bouncycastle.jce.provider.BouncyCastleProvider;
-
 final class ECPrivateKeySigner implements Signer {
-    private static final Provider PROVIDER = new BouncyCastleProvider();
     private static final String ALGORITHM_NAME = "NONEwithECDSA";
 
-    private final ECPrivateKey privateKey;
+    private final Signer signer;
     private final BigInteger curveN;
     private final BigInteger halfCurveN;
 
     ECPrivateKeySigner(final ECPrivateKey privateKey) {
-        this.privateKey = privateKey;
+        signer = new PrivateKeySigner(privateKey, ALGORITHM_NAME);
         curveN = privateKey.getParams().getOrder();
         halfCurveN = curveN.divide(BigInteger.valueOf(2));
     }
 
     @Override
     public byte[] sign(final byte[] digest) throws GeneralSecurityException {
-        byte[] rawSignature = generateSignature(digest);
+        byte[] rawSignature = signer.sign(digest);
         ECSignature signature = ECSignature.fromBytes(rawSignature);
         signature = preventMalleability(signature);
         return signature.getBytes();
     }
 
-    private byte[] generateSignature(final byte[] digest) throws GeneralSecurityException {
-        Signature signer = Signature.getInstance(ALGORITHM_NAME, PROVIDER);
-        signer.initSign(privateKey);
-        signer.update(digest);
-        return signer.sign();
-    }
-
     private ECSignature preventMalleability(final ECSignature signature) {
         BigInteger s = signature.getS().getValue();
         if (s.compareTo(halfCurveN) > 0) {
@@ -52,5 +41,4 @@ private ECSignature preventMalleability(final ECSignature signature) {
         }
         return signature;
     }
-
 }

java/src/main/java/org/hyperledger/fabric/client/identity/PrivateKeySigner.java

@@ -0,0 +1,34 @@
+/*
+ * Copyright 2023 IBM All Rights Reserved.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+package org.hyperledger.fabric.client.identity;
+
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.Signature;
+
+final class PrivateKeySigner implements Signer {
+    private static final Provider PROVIDER = new BouncyCastleProvider();
+
+    private final PrivateKey privateKey;
+    private final String algorithm;
+
+    PrivateKeySigner(final PrivateKey privateKey, final String algorithm) {
+        this.privateKey = privateKey;
+        this.algorithm = algorithm;
+    }
+
+    @Override
+    public byte[] sign(final byte[] digest) throws GeneralSecurityException {
+        Signature signer = Signature.getInstance(algorithm, PROVIDER);
+        signer.initSign(privateKey);
+        signer.update(digest);
+        return signer.sign();
+    }
+}

java/src/main/java/org/hyperledger/fabric/client/identity/Signers.java

@@ -13,18 +13,40 @@
  * Factory methods to create standard signing implementations.
  */
 public final class Signers {
+    private static final String ED25519_ALGORITHM = "Ed25519";
+
     /**
      * Create a new signer that uses the supplied private key for signing. The {@link Identities} class provides static
      * methods to create a {@code PrivateKey} object from PEM-format data.
+     *
+     * <p>Currently supported private key types are:</p>
+     * <ul>
+     *     <li>ECDSA.</li>
+     *     <li>Ed25519.</li>
+     * </ul>
+     *
+     * <p>Note that the Sign implementations have different expectations on the input data supplied to them.</p>
+     *
+     * <p>The ECDSA signers operate on a pre-computed message digest, and should be combined with an appropriate hash
+     * algorithm. P-256 is typically used with a SHA-256 hash, and P-384 is typically used with a SHA-384 hash.</p>
+     *
+     * <p>The Ed25519 signer operates on the full message content, and should be combined with a
+     * {@link org.hyperledger.fabric.client.Hash#NONE NONE} (or no-op) hash implementation to ensure the complete
+     * message is passed to the signer.</p>
      * @param privateKey A private key.
      * @return A signer implementation.
      */
     public static Signer newPrivateKeySigner(final PrivateKey privateKey) {
         if (privateKey instanceof ECPrivateKey) {
             return new ECPrivateKeySigner((ECPrivateKey) privateKey);
-        } else {
-            throw new IllegalArgumentException("Unsupported private key type: " + privateKey.getClass().getTypeName());
         }
+
+        if (ED25519_ALGORITHM.equals(privateKey.getAlgorithm())) {
+            return new PrivateKeySigner(privateKey, ED25519_ALGORITHM);
+        }
+
+        throw new IllegalArgumentException("Unsupported private key type: " + privateKey.getClass().getTypeName()
+                + " (" + privateKey.getAlgorithm() + ")");
     }
 
     // Private constructor to prevent instantiation

java/src/test/java/org/hyperledger/fabric/client/identity/SignerTest.java

@@ -24,7 +24,6 @@
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 public final class SignerTest {
-    private static final X509Credentials CREDENTIALS = new X509Credentials();
     private static final Provider PROVIDER = new BouncyCastleProvider();
     private static final byte[] MESSAGE = "MESSAGE".getBytes(StandardCharsets.UTF_8);
 
@@ -48,28 +47,40 @@ void new_signer_from_unsupported_private_key_type_throws_IllegalArgumentExceptio
 
     @Test
     void sign_with_P256_key() throws GeneralSecurityException {
-        Signer signer = Signers.newPrivateKeySigner(CREDENTIALS.getPrivateKey());
+        X509Credentials credentials = new X509Credentials();
+        Signer signer = Signers.newPrivateKeySigner(credentials.getPrivateKey());
         byte[] signature = signer.sign(Hash.SHA256.apply(MESSAGE));
 
         Signature verifier = Signature.getInstance("SHA256withECDSA", PROVIDER);
-        assertValidSignature(verifier, CREDENTIALS.getCertificate(), signature);
+        assertValidSignature(verifier, credentials.getCertificate(), signature);
     }
 
     @Test
     void sign_null_digest_throws_NullPointerException() {
-        Signer signer = Signers.newPrivateKeySigner(CREDENTIALS.getPrivateKey());
+        X509Credentials credentials = new X509Credentials();
+        Signer signer = Signers.newPrivateKeySigner(credentials.getPrivateKey());
 
         assertThatThrownBy(() -> signer.sign(null))
             .isInstanceOf(NullPointerException.class);
     }
 
     @Test
     void sign_with_P384_key() throws GeneralSecurityException {
-        X509Credentials credentials = new X509Credentials("P-384");
+        X509Credentials credentials = new X509Credentials(X509Credentials.Curve.P384);
         Signer signer = Signers.newPrivateKeySigner(credentials.getPrivateKey());
         byte[] signature = signer.sign(Hash.SHA384.apply(MESSAGE));
 
         Signature verifier = Signature.getInstance("SHA384withECDSA", PROVIDER);
         assertValidSignature(verifier, credentials.getCertificate(), signature);
     }
+
+    @Test
+    void sign_with_Ed25519_key() throws GeneralSecurityException {
+        X509Credentials credentials = new X509Credentials(X509Credentials.Curve.Ed25519);
+        Signer signer = Signers.newPrivateKeySigner(credentials.getPrivateKey());
+        byte[] signature = signer.sign(MESSAGE);
+
+        Signature verifier = Signature.getInstance(credentials.getPrivateKey().getAlgorithm(), PROVIDER);
+        assertValidSignature(verifier, credentials.getCertificate(), signature);
+    }
 }