Simon Josefsson <simon@josefsson.org> writes:
> But doesn't that assume the private key was generated with Nettle, or something compatible with Nettle? Is that a reasonable assumption?
I think it's quite reasonable.
The crucial thing is how the public key is computed from the private key. Nettle does that according to spec (RFC 8032, 5.1.5); at least it appears to agree with test vectors. So let's assume you generate keys with some other tool and import private and public key into an application using nettle.
Then either that other tool also computed the public key according to spec, and then it will be exactly the same as if computed by Nettle. Or it is out of spec in some way, maybe it uses non-canonical representation that happens to interop with other Ed25519-implementations. In the latter case, I think it should be fine to use that pubkey with nettle's signing function, as long as you use it every time, but to me that is a rather obscure corner case.
> My concern was if someone generated an Ed25519 public/private key-pair using some other software. Applications using Nettle should use the (trusted) public key in all cases, rather than the output from ed25519_sha512_public_key(), or?
I agree that makes some sense. But... I think it would be prudent, in most cases, to check that private and public keys are consistent whenever a private key file (typically also including a public key) is loaded. If they are inconsistent, that's rather suspicious.
Another point to keep in mind is that in case the private key is used with an implementation that follows RFC 8032 by the letter, whatever pubkey was bundled with the private key is going to be ignored when signing, since it's simply not an input to the signing procedure. "The inputs to the signing procedure is the private key, a 32-octet string, and a message M of arbitrary size."
> It would be interesting to understand the real-world applications where this scenario happens.
I agree it would be interesting to know if there are known implementations/applications using differing pubkeys, and to what degree they interop at all.
Regards, /Niels
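
The load-time consistency check discussed above, as an added example that is not part of the original message and is not Nettle code: it derives the public key from the 32-octet private key per RFC 8032, 5.1.5, and compares it byte for byte with the bundled one, so a non-canonical encoding counts as a mismatch. The names `derive_public_key` and `keypair_is_consistent` are hypothetical, and the arithmetic is variable-time Python meant only to illustrate the check.

```python
import hashlib
import hmac

P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P

def _recover_x(y):
    # Even x with (x, y) on the curve, as in RFC 8032 point decoding
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return x if x % 2 == 0 else P - x

BY = 4 * pow(5, P - 2, P) % P
BX = _recover_x(BY)
B = (BX, BY, 1, BX * BY % P)  # base point, extended coordinates

def point_add(p, q):
    # RFC 8032 section 5.1.4 addition in extended coordinates
    a = (p[1] - p[0]) * (q[1] - q[0]) % P
    b = (p[1] + p[0]) * (q[1] + q[0]) % P
    c = 2 * p[3] * q[3] * D % P
    d = 2 * p[2] * q[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def derive_public_key(seed):
    """Public key from a 32-octet private key, RFC 8032 section 5.1.5."""
    if len(seed) != 32:
        raise ValueError("Ed25519 private key must be 32 octets")
    h = bytearray(hashlib.sha512(seed).digest()[:32])
    h[0] &= 248
    h[31] = (h[31] & 127) | 64          # clamp the scalar
    s, q, p = int.from_bytes(h, "little"), (0, 1, 1, 0), B
    while s:                             # variable-time double-and-add
        if s & 1:
            q = point_add(q, p)
        p, s = point_add(p, p), s >> 1
    zinv = pow(q[2], P - 2, P)
    x, y = q[0] * zinv % P, q[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def keypair_is_consistent(seed, bundled_pub):
    """True only if the bundled public key is the one the seed derives."""
    return hmac.compare_digest(derive_public_key(seed), bundled_pub)

# Sample input: RFC 8032 section 7.1, test 1
SEED = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
PUB = bytes.fromhex("d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a")
```

A key file loader would call `keypair_is_consistent(seed, bundled_pub)` once after parsing and refuse the key if it returns False.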