Implement Phase 2 roadmap tasks: EdDSA, X25519/X448, and ChaCha20-Poly1305 (#371)

* Implement Ed25519/Ed448 support with comprehensive tests (Task 2.1)

Co-authored-by: zhaozg <[email protected]>

* Implement X25519/X448 key exchange support (Task 2.2)

Co-authored-by: zhaozg <[email protected]>

* Add comprehensive ChaCha20-Poly1305 test suite (Task 2.3)

Co-authored-by: zhaozg <[email protected]>

* Add usage examples for Ed25519, X25519, and ChaCha20-Poly1305 to README

Co-authored-by: zhaozg <[email protected]>

---------

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: zhaozg <[email protected]>

Author: Copilot

README.md

@@ -492,6 +492,86 @@ assert(r==msg)
 print('Done')
 ```
 
+### Example 9: Ed25519 digital signatures
+
+```lua
+local openssl = require('openssl')
+local pkey = openssl.pkey
+
+-- Generate Ed25519 key pair
+local ctx = pkey.ctx_new("ED25519")
+local key = ctx:keygen()
+
+-- Sign a message
+local message = "Hello, world!"
+local signature = pkey.sign(key, message)
+
+-- Verify the signature
+local verified = pkey.verify(key, message, signature)
+print("Signature verified:", verified)  -- true
+
+-- Export and import keys
+local pem = key:export("pem")
+local imported_key = pkey.read(pem, true, "pem")
+print("Key successfully imported")
+```
+
+### Example 10: X25519 key exchange
+
+```lua
+local openssl = require('openssl')
+local pkey = openssl.pkey
+
+-- Alice and Bob each generate a key pair
+local alice = pkey.ctx_new("X25519"):keygen()
+local bob = pkey.ctx_new("X25519"):keygen()
+
+-- Alice derives shared secret using Bob's public key
+local alice_secret = alice:derive(bob)
+
+-- Bob derives shared secret using Alice's public key
+local bob_secret = bob:derive(alice)
+
+-- Both secrets should be identical
+assert(alice_secret == bob_secret)
+print("Shared secret established:", openssl.hex(alice_secret))
+```
+
+### Example 11: ChaCha20-Poly1305 AEAD encryption
+
+```lua
+local openssl = require('openssl')
+local cipher = openssl.cipher
+
+-- Get ChaCha20-Poly1305 cipher
+local cc20 = cipher.get("chacha20-poly1305")
+
+-- Prepare key and nonce
+local key = string.rep("k", 32)  -- 256-bit key
+local nonce = string.rep("n", 12) -- 96-bit nonce
+local message = "Secret message"
+local aad = "Additional authenticated data"
+
+-- Encrypt with AAD
+local enc = cc20:encrypt_new()
+enc:ctrl(openssl.cipher.EVP_CTRL_GCM_SET_IVLEN, #nonce)
+enc:init(key, nonce)
+enc:update(aad, true)  -- Set AAD
+local ciphertext = enc:update(message) .. enc:final()
+local tag = enc:ctrl(openssl.cipher.EVP_CTRL_GCM_GET_TAG, 16)
+
+-- Decrypt with AAD
+local dec = cc20:decrypt_new()
+dec:ctrl(openssl.cipher.EVP_CTRL_GCM_SET_IVLEN, #nonce)
+dec:init(key, nonce)
+dec:ctrl(openssl.cipher.EVP_CTRL_GCM_SET_TAG, tag)
+dec:update(aad, true)  -- Set AAD
+local plaintext = dec:update(ciphertext) .. dec:final()
+
+assert(plaintext == message)
+print("Decrypted:", plaintext)
+```
+
 For more examples, please see test lua script file.
 
 ---

src/pkey.c

@@ -1562,44 +1562,86 @@ static int openssl_derive(lua_State *L)
   /* OpenSSL 3.0+ way: use PARAM API compatible check */
   luaL_argcheck(L,
                 (ptype == EVP_PKEY_DH && pkey_is_type(pkey, EVP_PKEY_DH))
-                  || (ptype == EVP_PKEY_EC && pkey_is_type(pkey, EVP_PKEY_EC)),
+                  || (ptype == EVP_PKEY_EC && pkey_is_type(pkey, EVP_PKEY_EC))
+#ifdef EVP_PKEY_X25519
+                  || ptype == EVP_PKEY_X25519
+#ifdef EVP_PKEY_X448
+                  || ptype == EVP_PKEY_X448
+#endif
+#endif
+                ,
                 1,
-                "only support DH or EC private key");
+                "only support DH, EC, X25519 or X448 private key");
 #else
   /* OpenSSL 1.x way */
   luaL_argcheck(L,
                 (ptype == EVP_PKEY_DH && EVP_PKEY_get0_DH(pkey) != NULL)
-                  || (ptype == EVP_PKEY_EC && EVP_PKEY_get0_EC_KEY(pkey) != NULL),
+                  || (ptype == EVP_PKEY_EC && EVP_PKEY_get0_EC_KEY(pkey) != NULL)
+#ifdef EVP_PKEY_X25519
+                  || ptype == EVP_PKEY_X25519
+#ifdef EVP_PKEY_X448
+                  || ptype == EVP_PKEY_X448
+#endif
+#endif
+                ,
                 1,
-                "only support DH or EC private key");
+                "only support DH, EC, X25519 or X448 private key");
 #endif
 #elif !defined(OPENSSL_NO_DH)
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
   /* OpenSSL 3.0+ way: use PARAM API compatible check */
   luaL_argcheck(L,
-                ptype == EVP_PKEY_DH && pkey_is_type(pkey, EVP_PKEY_DH),
+                (ptype == EVP_PKEY_DH && pkey_is_type(pkey, EVP_PKEY_DH))
+#ifdef EVP_PKEY_X25519
+                  || ptype == EVP_PKEY_X25519
+#ifdef EVP_PKEY_X448
+                  || ptype == EVP_PKEY_X448
+#endif
+#endif
+                ,
                 1,
-                "only support DH or EC private key");
+                "only support DH, X25519 or X448 private key");
 #else
   /* OpenSSL 1.x way */
   luaL_argcheck(L,
-                ptype == EVP_PKEY_DH && EVP_PKEY_get0_DH(pkey) != NULL,
+                (ptype == EVP_PKEY_DH && EVP_PKEY_get0_DH(pkey) != NULL)
+#ifdef EVP_PKEY_X25519
+                  || ptype == EVP_PKEY_X25519
+#ifdef EVP_PKEY_X448
+                  || ptype == EVP_PKEY_X448
+#endif
+#endif
+                ,
                 1,
-                "only support DH or EC private key");
+                "only support DH, X25519 or X448 private key");
 #endif
 #elif !defined(OPENSSL_NO_EC)
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
   /* OpenSSL 3.0+ way: use PARAM API compatible check */
   luaL_argcheck(L,
-                ptype == EVP_PKEY_EC && pkey_is_type(pkey, EVP_PKEY_EC),
+                (ptype == EVP_PKEY_EC && pkey_is_type(pkey, EVP_PKEY_EC))
+#ifdef EVP_PKEY_X25519
+                  || ptype == EVP_PKEY_X25519
+#ifdef EVP_PKEY_X448
+                  || ptype == EVP_PKEY_X448
+#endif
+#endif
+                ,
                 1,
-                "only support DH or EC private key");
+                "only support EC, X25519 or X448 private key");
 #else
   /* OpenSSL 1.x way */
   luaL_argcheck(L,
-                ptype == EVP_PKEY_EC && EVP_PKEY_get0_EC_KEY(pkey) != NULL,
+                (ptype == EVP_PKEY_EC && EVP_PKEY_get0_EC_KEY(pkey) != NULL)
+#ifdef EVP_PKEY_X25519
+                  || ptype == EVP_PKEY_X25519
+#ifdef EVP_PKEY_X448
+                  || ptype == EVP_PKEY_X448
+#endif
+#endif
+                ,
                 1,
-                "only support DH or EC private key");
+                "only support EC, X25519 or X448 private key");
 #endif
 #endif
 
@@ -1663,9 +1705,27 @@ static int openssl_sign(lua_State *L)
   if (is_SM2) md_alg = "sm3";
 #endif
 
+  /* For EdDSA keys (Ed25519, Ed448), allow NULL digest as they use
+   * internal hash functions. Detect EdDSA and allow omitting or explicitly passing nil. */
+#ifdef EVP_PKEY_ED25519
+  {
+    int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey));
+    if (pkey_type == EVP_PKEY_ED25519
+#ifdef EVP_PKEY_ED448
+        || pkey_type == EVP_PKEY_ED448
+#endif
+    ) {
+      /* EdDSA keys don't need a digest - use NULL */
+      md = NULL;
+    } else {
+      md = get_digest(L, 3, md_alg);
+    }
+  }
+#else
   md = get_digest(L, 3, md_alg);
+#endif
 #if defined(OPENSSL_SUPPORT_SM2)
-  if (is_SM2) is_SM2 = EVP_MD_type(md) == NID_sm3;
+  if (is_SM2 && md) is_SM2 = EVP_MD_type(md) == NID_sm3;
 #endif
 
   ctx = EVP_MD_CTX_new();
@@ -1682,20 +1742,38 @@ static int openssl_sign(lua_State *L)
 
   ret = EVP_DigestSignInit(ctx, NULL, md, NULL, pkey);
   if (ret == 1) {
-    ret = EVP_DigestSignUpdate(ctx, data, data_len);
-    if (ret == 1) {
-      size_t         siglen = 0;
-      unsigned char *sigbuf = NULL;
-      ret = EVP_DigestSignFinal(ctx, NULL, &siglen);
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+    /* For EdDSA (and other algorithms), use one-shot API if available (OpenSSL >= 1.1.1) */
+    if (md == NULL) {
+      size_t siglen = 0;
+      ret = EVP_DigestSign(ctx, NULL, &siglen, (const unsigned char *)data, data_len);
       if (ret == 1) {
-        siglen += 2;
-        sigbuf = OPENSSL_malloc(siglen);
-        ret = EVP_DigestSignFinal(ctx, sigbuf, &siglen);
+        unsigned char *sigbuf = OPENSSL_malloc(siglen);
+        ret = EVP_DigestSign(ctx, sigbuf, &siglen, (const unsigned char *)data, data_len);
         if (ret == 1) {
           lua_pushlstring(L, (char *)sigbuf, siglen);
         }
         OPENSSL_free(sigbuf);
       }
+    } else
+#endif
+    {
+      /* Traditional three-step approach for algorithms with digest */
+      ret = EVP_DigestSignUpdate(ctx, data, data_len);
+      if (ret == 1) {
+        size_t         siglen = 0;
+        unsigned char *sigbuf = NULL;
+        ret = EVP_DigestSignFinal(ctx, NULL, &siglen);
+        if (ret == 1) {
+          siglen += 2;
+          sigbuf = OPENSSL_malloc(siglen);
+          ret = EVP_DigestSignFinal(ctx, sigbuf, &siglen);
+          if (ret == 1) {
+            lua_pushlstring(L, (char *)sigbuf, siglen);
+          }
+          OPENSSL_free(sigbuf);
+        }
+      }
     }
   }
 
@@ -1741,7 +1819,25 @@ static int openssl_verify(lua_State *L)
   if (is_SM2) md_alg = "sm3";
 #endif
 
+  /* For EdDSA keys (Ed25519, Ed448), allow NULL digest as they use
+   * internal hash functions. Detect EdDSA and allow omitting or explicitly passing nil. */
+#ifdef EVP_PKEY_ED25519
+  {
+    int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey));
+    if (pkey_type == EVP_PKEY_ED25519
+#ifdef EVP_PKEY_ED448
+        || pkey_type == EVP_PKEY_ED448
+#endif
+    ) {
+      /* EdDSA keys don't need a digest - use NULL */
+      md = NULL;
+    } else {
+      md = get_digest(L, 4, md_alg);
+    }
+  }
+#else
   md = get_digest(L, 4, md_alg);
+#endif
 
   ctx = EVP_MD_CTX_new();
 #if defined(OPENSSL_SUPPORT_SM2)
@@ -1758,11 +1854,24 @@ static int openssl_verify(lua_State *L)
 
   ret = EVP_DigestVerifyInit(ctx, NULL, md, NULL, pkey);
   if (ret == 1) {
-    ret = EVP_DigestVerifyUpdate(ctx, data, data_len);
-    if (ret == 1) {
-      ret = EVP_DigestVerifyFinal(ctx, (unsigned char *)signature, signature_len);
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+    /* For EdDSA (and other algorithms), use one-shot API if available (OpenSSL >= 1.1.1) */
+    if (md == NULL) {
+      ret = EVP_DigestVerify(ctx, (const unsigned char *)signature, signature_len,
+                              (const unsigned char *)data, data_len);
       if (ret == 1) {
-        lua_pushboolean(L, ret == 1);
+        lua_pushboolean(L, 1);
+      }
+    } else
+#endif
+    {
+      /* Traditional three-step approach for algorithms with digest */
+      ret = EVP_DigestVerifyUpdate(ctx, data, data_len);
+      if (ret == 1) {
+        ret = EVP_DigestVerifyFinal(ctx, (unsigned char *)signature, signature_len);
+        if (ret == 1) {
+          lua_pushboolean(L, ret == 1);
+        }
       }
     }
   }