Reject non-canonical public keys

As specified by RFC 8032 section 5.1.3

Author: dchest

packages/ed25519/ed25519.test.ts

@@ -5188,4 +5188,15 @@ describe("ed25519", () => {
         const xPrivateKey = convertSecretKeyToX25519(edPrivateKey);
         expect(encode(xPrivateKey)).toEqual(xGoodPrivateKey);
     });
+
+    it("should reject non-canonical public key", () => {
+        const canonicalPk = new Uint8Array(32);
+        canonicalPk[0] = 1;
+        const noncanonicalPk = new Uint8Array([0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f]);
+        const message = new Uint8Array([1,2,3]);
+        const signature = new Uint8Array(64);
+        signature[0] = 1;
+        expect(verify(canonicalPk, message, signature)).toBe(true);
+        expect(verify(noncanonicalPk, message, signature)).toBe(false);
+    });
 });

packages/ed25519/ed25519.ts

@@ -737,6 +737,15 @@ function iscanonical(s: Uint8Array) {
     return c !== 0;
 }
 
+function ispkcanonical(p: Uint8Array) {
+    let c = ((p[0] - 0xed) >> 8) & 1;
+    for (let i = 1; i < 31; i++) {
+        c |= p[i] ^ 0xff;
+    }
+    c |= (p[31] & 0x7f) ^ 0x7f;
+    return c !== 0;
+}
+
 function reduce(r: Uint8Array) {
     const x = new Float64Array(64);
     for (let i = 0; i < 64; i++) {
@@ -845,10 +854,16 @@ export function verify(publicKey: Uint8Array, message: Uint8Array, signature: Ui
     if (signature.length !== SIGNATURE_LENGTH) {
         throw new Error(`ed25519: signature must be ${SIGNATURE_LENGTH} bytes`);
     }
+    if (publicKey.length !== PUBLIC_KEY_LENGTH) {
+        throw new Error(`ed25519: public key must be ${PUBLIC_KEY_LENGTH} bytes`);
+    }
 
     if (!iscanonical(signature.subarray(32))) {
         return false;
     }
+    if (!ispkcanonical(publicKey)) {
+        return false;
+    }
     if (unpackneg(q, publicKey)) {
         return false;
     }