EdDSA signature algorithm, with a non-trivial context

[athoelke]

The Crypto API has had support for the EdDSA signature algorithm since v1.1.0. Current support includes the HashEdDSA variants of this algorithm, and the PureEdDSA variant with a default (empty) context.

PureEdDSA is also defined for use with a non-trivial context parameter. See the definition of Ed25519ctx and Ed448 in RFC 8032 §5.1 and §5.2.

These forms of EdDSA cannot be implemented with the current Crypto API (see the note against PSA_ALG_PURE_EDDSA). Additional API functions would be required so that a context parameter can be provided to the signature and verification operations.