Skip to content

Raise ValueError from verify_digest for Edwards curve keys (fixes #349)#380

Open
apoorvdarshan wants to merge 1 commit into
tlsfuzzer:masterfrom
apoorvdarshan:fix/issue-349-verify-digest-eddsa
Open

Raise ValueError from verify_digest for Edwards curve keys (fixes #349)#380
apoorvdarshan wants to merge 1 commit into
tlsfuzzer:masterfrom
apoorvdarshan:fix/issue-349-verify-digest-eddsa

Conversation

@apoorvdarshan

Copy link
Copy Markdown

Fixes #349

Root cause

VerifyingKey.verify_digest is missing the CurveEdTw guard that
VerifyingKey.verify and the SigningKey.sign_digest* methods already
have. For an Edwards-curve (EdDSA) key the method falls through to the
ECDSA code path and reaches:

r, s = sigdecode(signature, self.pubkey.order)

An EdDSA public key's pubkey is a PublicKey object that has no
order attribute, so the call raises a confusing AttributeError
instead of a clear "unsupported for Edwards curves" error. This is
exactly the behaviour reported in the issue.

Reproduction

from ecdsa.keys import SigningKey, VerifyingKey
from ecdsa.curves import Ed25519

sk = SigningKey.generate(curve=Ed25519)
vk = sk.verifying_key
msg = b"message"
sig = sk.sign(msg)

print("verify(sig, data) ->", vk.verify(sig, msg))   # correct usage
vk.verify_digest(sig, msg)                            # the bug

Before the fix:

verify(sig, data) -> True
Traceback (most recent call last):
  ...
  File ".../ecdsa/keys.py", line 735, in verify_digest
    r, s = sigdecode(signature, self.pubkey.order)
AttributeError: 'PublicKey' object has no attribute 'order'

After the fix:

verify(sig, data) -> True
ValueError: Method unsupported for Edwards curves

Fix

Add the same two-line guard used by sign_digest() /
sign_digest_deterministic() / sign_number() at the top of
verify_digest():

if isinstance(self.curve.curve, CurveEdTw):
    raise ValueError("Method unsupported for Edwards curves")

and document the raised exception in the docstring. EdDSA signs the
message directly and has no pre-hashed-digest verification API, so
verify() is the correct entry point (as noted in the issue). The
change is fully localized to verify_digest; no other code path is
affected.

Tests

Added test_ed25519_verify_digest to TestVerifyingKeyFromDer in
src/ecdsa/test_keys.py, asserting that verify_digest on an Ed25519
key raises ValueError containing "Method unsupported for Edwards".
It mirrors the existing test_ed25519_sign_digest style. Confirmed it
fails on unmodified master (with the AttributeError above) and
passes after the fix.

Test runs (Python 3.14, pytest):

  • test_keys.py: 179 passed
  • test_eddsa.py: 87 passed
  • test_pyecdsa.py: 800 passed
  • test_malformed_sigs.py: 205 passed

flake8 setup.py speed.py src is clean, and black --line-length 79
reports both changed files unchanged.

Disclosure: prepared with AI assistance; reviewed and verified locally.

VerifyingKey.verify_digest lacked the CurveEdTw guard that verify() and
the SigningKey.sign_digest* methods already have. Calling it on an EdDSA
(Ed25519/Ed448) key therefore fell through to the ECDSA path and raised a
confusing AttributeError: 'PublicKey' object has no attribute 'order',
instead of a clear error telling the user the method is unsupported.

Add the same guard used by sign_digest(), raising
ValueError("Method unsupported for Edwards curves"), and document the
raised exception. EdDSA signs the message directly and has no pre-hashed
digest API, so verify() is the correct entry point.

Fixes tlsfuzzer#349
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ecdsa.keys.VerifyingKey.verify_digest should fail for CurveEdTw

1 participant