
[flutter cryptography] Ed25519 KeyGen suspicious `privateKey` usage

Open ghost opened this issue 2 years ago • 3 comments

https://github.com/dint-dev/cryptography/blob/854472b69a604c5ee262019ce8d2ad5bf4ee6ce5/cryptography_flutter/lib/src/ed25519.dart#L53-L56

That's either a bug (which needs to be fixed), or that variable should be named something else.

None of the native systems actually support Ed25519 keys, so, in practice, this isn't like, awful. Even still, a PR may end up exposing this issue (if this is one) in the future.

ghost, Sep 14 '22 19:09

In Ed25519, isn't the public key derived from the chosen private key, itself derived from an initial 32-byte seed?

a-manraj-pvotal, Sep 21 '22 04:09

Yes, Ed25519 public keys are derived from Ed25519 private keys, which are derived from a 32-byte seed.

That's not what's happening here. The `SimplePublicKey` constructor takes the bytes of the public key, as evidenced by the constructor not doing anything to the bytes, and dart-cryptography's `Ed25519.verify` (the public key in the signature is used as-is).

ghost, Sep 21 '22 17:09

I agree, `SimplePublicKey` is called with the public key (not the private key) in other locations, e.g. https://github.com/dint-dev/cryptography/blob/854472b69a604c5ee262019ce8d2ad5bf4ee6ce5/cryptography_flutter/lib/src/ed25519.dart#L99

There are a lot of small and easy-to-merge pull requests which seem to be ignored. Does anybody know if this project is still maintained?

brandsimon, Sep 30 '22 17:09

This was fixed by cryptography_flutter 2.1.0, which also has much better integration tests.

terrier989, Mar 03 '23 20:03
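
The concern discussed in this thread, private key bytes ending up where public key bytes are expected, can be caught by a regression check that re-derives the public key from the seed and compares it with the key pair's public field. The following is an added example, not code from this thread or from cryptography_flutter; it implements the RFC 8032 seed-to-public-key derivation in plain Python, and `public_key_from_seed` and `check_key_pair` are hypothetical names chosen for the illustration.

```python
import hashlib

# Ed25519 constants (RFC 8032, section 5.1)
P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P
BX = 15112221349535400772501151409588531511454012693041857206046113283949847762202
BY = 4 * pow(5, P - 2, P) % P
BASE = (BX, BY, 1, BX * BY % P)  # extended coordinates (X, Y, Z, T)

def _add(p, q):
    """Unified point addition in extended twisted Edwards coordinates."""
    a = (p[1] - p[0]) * (q[1] - q[0]) % P
    b = (p[1] + p[0]) * (q[1] + q[0]) % P
    c = 2 * p[3] * q[3] * D % P
    d = 2 * p[2] * q[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def _mul(s, pt):
    """Double-and-add scalar multiplication (not constant time; test use only)."""
    acc = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        s >>= 1
    return acc

def public_key_from_seed(seed: bytes) -> bytes:
    """Seed -> SHA-512 -> clamped scalar -> scalar * base point -> 32-byte encoding."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    scalar = int.from_bytes(hashlib.sha512(seed).digest()[:32], "little")
    scalar = (scalar & ((1 << 254) - 8)) | (1 << 254)
    x, y, z, _ = _mul(scalar, BASE)
    zinv = pow(z, P - 2, P)
    x, y = x * zinv % P, y * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def check_key_pair(seed: bytes, public_field: bytes) -> str:
    """Classify what a key pair object carries in its public-key field."""
    if public_field == seed:
        return "private-bytes-in-public-field"  # the mix-up this issue is about
    if public_field != public_key_from_seed(seed):
        return "mismatch"
    return "ok"

# RFC 8032 section 7.1, TEST 1 secret key (seed)
SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
```

Both lengths are 32 bytes, so a type or length check alone cannot tell the two apart; only re-deriving the public key (or a sign/verify round trip) does.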