Cv25519 encryption.

7 files changed, 524 insertions, 53 deletions

diff --git a/Crypto/JOSE/AESKW.hs b/Crypto/JOSE/AESKW.hs
new file mode 100644
index 0000000..6b3d28e
--- /dev/null
+++ b/Crypto/JOSE/AESKW.hs
@@ -0,0 +1,123 @@
+-- Copyright (C) 2016  Fraser Tweedale
+--
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+--      http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+{-# LANGUAGE ScopedTypeVariables #-}
+
+{- |
+
+Advanced Encryption Standard (AES) Key Wrap Algorithm;
+<https://https://tools.ietf.org/html/rfc3394>.
+
+-}
+module Crypto.JOSE.AESKW
+  (
+    aesKeyWrap
+  , aesKeyUnwrap
+  ) where
+
+import Control.Monad.State
+import Crypto.Cipher.Types
+import Data.Bits (xor)
+import Data.ByteArray as BA hiding (replicate, xor)
+import Data.Memory.Endian (BE(..), toBE)
+import Data.Memory.PtrMethods (memCopy)
+import Data.Word (Word64)
+import Foreign.Ptr (Ptr, plusPtr)
+import Foreign.Storable (peek, peekElemOff, poke, pokeElemOff)
+import System.IO.Unsafe (unsafePerformIO)
+
+iv :: Word64
+iv = 0xA6A6A6A6A6A6A6A6
+
+aesKeyWrapStep
+  :: BlockCipher128 cipher
+  => cipher
+  -> Ptr Word64   -- ^ register
+  -> (Int, Int)   -- ^ step (t) and offset (i)
+  -> StateT Word64 IO ()
+aesKeyWrapStep cipher p (t, i) = do
+  a <- get
+  r_i <- lift $ peekElemOff p i
+  m :: ScrubbedBytes <-
+    lift $ alloc 16 $ \p' -> poke p' a >> pokeElemOff p' 1 r_i
+  let b = ecbEncrypt cipher m
+  b_hi <- lift $ withByteArray b peek
+  b_lo <- lift $ withByteArray b (`peekElemOff` 1)
+  put (b_hi `xor` unBE (toBE (fromIntegral t)))
+  lift $ pokeElemOff p i b_lo
+
+-- | Wrap a secret.
+--
+-- Input size must be a multiple of 8 bytes, and at least 16 bytes.
+-- Output size is input size plus 8 bytes.
+--
+aesKeyWrap
+  :: (ByteArrayAccess m, ByteArray c, BlockCipher128 cipher)
+  => cipher
+  -> m
+  -> c
+aesKeyWrap cipher m = unsafePerformIO $ do
+  let n = BA.length m
+  c <- withByteArray m $ \p ->
+    alloc (n + 8) $ \p' ->
+      memCopy (p' `plusPtr` 8) p n
+  withByteArray c $ \p -> do
+    let coords = zip [1..] (join (replicate 6 [1 .. n `div` 8]))
+    a <- execStateT (mapM_ (aesKeyWrapStep cipher p) coords) iv
+    poke p a
+  return c
+
+aesKeyUnwrapStep
+  :: BlockCipher128 cipher
+  => cipher
+  -> Ptr Word64   -- ^ register
+  -> (Int, Int)   -- ^ step (t) and offset (i)
+  -> StateT Word64 IO ()
+aesKeyUnwrapStep cipher p (t, i) = do
+  a <- get
+  r_i <- lift $ peekElemOff p i
+  let a_t = a `xor` unBE (toBE (fromIntegral t))
+  m :: ScrubbedBytes <-
+    lift $ alloc 16 $ \p' -> poke p' a_t >> pokeElemOff p' 1 r_i
+  let b = ecbDecrypt cipher m
+  b_hi <- lift $ withByteArray b peek
+  b_lo <- lift $ withByteArray b (`peekElemOff` 1)
+  put b_hi
+  lift $ pokeElemOff p i b_lo
+
+-- | Unwrap a secret.
+--
+-- Input size must be a multiple of 8 bytes, and at least 24 bytes.
+-- Output size is input size minus 8 bytes.
+--
+-- Returns 'Nothing' if inherent integrity check fails.  Otherwise,
+-- the chance that the key data is corrupt is 2 ^ -64.
+--
+aesKeyUnwrap
+  :: (ByteArrayAccess c, ByteArray m, BlockCipher128 cipher)
+  => cipher
+  -> c
+  -> Maybe m
+aesKeyUnwrap cipher c = unsafePerformIO $ do
+  let n = BA.length c - 8
+  m <- withByteArray c $ \p' ->
+    alloc n $ \p ->
+      memCopy p (p' `plusPtr` 8) n
+  a <- withByteArray c $ \p' -> peek p'
+  a' <- withByteArray m $ \p -> do
+    let n' = n `div` 8
+    let tMax = n' * 6
+    let coords = zip [tMax,tMax-1..1] (cycle [n'-1,n'-2..0])
+    execStateT (mapM_ (aesKeyUnwrapStep cipher p) coords) a
+  return $ if a' == iv then Just m else Nothing
diff --git a/Data/OpenPGP.hs b/Data/OpenPGP.hs
index 45ca27e..17a6927 100644
--- a/Data/OpenPGP.hs
+++ b/Data/OpenPGP.hs
@@ -66,7 +66,10 @@ module Data.OpenPGP (
         secret_key_fields,
         eccOID,
         encode_public_key_material,
-        decode_public_key_material
+        decode_public_key_material,
+        getEllipticCurvePublicKey,
+        encodeOID,
+        hashLen
 ) where
 
 import Control.Applicative
@@ -361,7 +364,8 @@ secret_key_fields ELGAMAL = ['x']
 secret_key_fields DSA     = ['x']
 secret_key_fields ECDSA   = ['d']
 secret_key_fields Ed25519 = ['d']
-secret_key_fields alg     = error ("Unkown secret fields for "++show alg) -- Nothing in the spec. Maybe empty
+secret_key_fields ECC     = ['d']
+secret_key_fields alg     = error ("Unknown secret fields for "++show alg) -- Nothing in the spec. Maybe empty
 
 (!) :: (HasCallStack, Show k, Eq k) => [(k,v)] -> k -> v
 (!) xs k = case lookup k xs of
@@ -425,16 +429,21 @@ eccOID PublicKeyPacket { key = k } = lookup 'c' k >>= \(MPI oid) -> Just (snd $
 eccOID SecretKeyPacket { key = k } = lookup 'c' k >>= \(MPI oid) -> Just (snd $ putBigNum oid)
 eccOID _ = Nothing
 
+encodeOID :: MPI -> B.ByteString
+encodeOID c =
+    let (bitlen,oid) = B.splitAt 2 (encode c)
+        len16 = decode bitlen :: Word16
+        (fullbytes,rembits) = len16 `quotRem` 8
+        len8 = fromIntegral (fullbytes + if rembits/=0 then 1 else 0) :: Word8
+    in len8 `B.cons` oid
+
 encode_public_key_material :: Packet -> [B.ByteString]
 encode_public_key_material k | key_algorithm k `elem` [ECDSA,Ed25519,ECC]  = do
     -- http://tools.ietf.org/html/rfc6637
     c <- maybeToList $ lookup 'c' (key k)
     MPI l <- maybeToList $ lookup 'l' (key k)
     MPI flag <- maybeToList $ lookup 'f' (key k)
-    let (bitlen,oid) = B.splitAt 2 (encode c)
-        len16 = decode bitlen :: Word16
-        (fullbytes,rembits) = len16 `quotRem` 8
-        len8 = fromIntegral (fullbytes + if rembits/=0 then 1 else 0) :: Word8
+    let oid = encodeOID c
         eccstuff = case lookup 'e' (key k) of
             Just (MPI stuff) -> encode (fromIntegral stuff :: Word32)
             Nothing    -> B.empty
@@ -442,39 +451,45 @@ encode_public_key_material k | key_algorithm k `elem` [ECDSA,Ed25519,ECC]  = do
         0x40 -> do
             MPI n <- maybeToList $ lookup 'n' (key k)
             let xy = flag*(4^l) + n
-            [ len8 `B.cons` oid, encode (MPI xy), eccstuff ]
+            [ oid, encode (MPI xy), eccstuff ]
         _ -> do
             MPI x <- maybeToList $ lookup 'x' (key k)
             MPI y <- maybeToList $ lookup 'y' (key k)
             let xy = flag*(4^l) + x*(2^l) + y
-            [ len8 `B.cons` oid, encode (MPI xy), eccstuff ]
+            [ oid, encode (MPI xy), eccstuff ]
 encode_public_key_material k = map (encode . (key k !)) (public_key_fields $ key_algorithm k)
 
-decode_public_key_material :: KeyAlgorithm -> Get [(Char,MPI)]
-decode_public_key_material algorithm | algorithm `elem` [ECDSA, Ed25519] = do
-    -- http://tools.ietf.org/html/rfc6637 (9) Algorithm-Specific Fields for ECDSA keys
-    oidlen <- get :: Get Word8
-    oidbytes <- getSomeByteString (fromIntegral oidlen)
-    let mpiFromBytes bytes = MPI (getBigNum $ B.toStrict bytes)
-        oid = mpiFromBytes oidbytes
+getEllipticCurvePublicKey :: Get [(Char,MPI)]
+getEllipticCurvePublicKey = do
     MPI fxy <- get
     let integerBytesize i = fromIntegral $ LZ.length (encode (MPI i)) - 2
         width = ( integerBytesize fxy - 1 ) `div` 2
         l = width*8
         (flag,xy) = fxy `quotRem` (256^(2*width))
     return $ case flag of
-        0x40 -> [('c',oid), ('l',MPI l), ('n',MPI xy), ('f',MPI flag)]
+        0x40 -> [('l',MPI l), ('n',MPI xy), ('f',MPI flag)]
         _    -> let (x,y) = xy `quotRem` (256^width)
                     -- (fx,y) = xy `quotRem` (256^width)
                     -- (flag,x) = fx `quotRem` (256^width)
-                in [('c',oid), ('l',MPI l), ('x',MPI x), ('y',MPI y), ('f',MPI flag)]
-decode_public_key_material ECC = do
-    -- http://tools.ietf.org/html/rfc6637 (9) Algorithm-Specific Fields for ECDH keys:
+                in [('l',MPI l), ('x',MPI x), ('y',MPI y), ('f',MPI flag)]
+
+getOID :: Get MPI
+getOID = do
     oidlen <- get :: Get Word8
     oidbytes <- getSomeByteString (fromIntegral oidlen)
     let mpiFromBytes bytes = MPI (getBigNum $ B.toStrict bytes)
         oid = mpiFromBytes oidbytes
-    MPI fxy <- get
+    return oid
+
+decode_public_key_material :: KeyAlgorithm -> Get [(Char,MPI)]
+decode_public_key_material algorithm | algorithm `elem` [ECDSA, Ed25519] = do
+    -- http://tools.ietf.org/html/rfc6637 (9) Algorithm-Specific Fields for ECDSA keys
+    oid <- getOID
+    fmap (('c',oid) :) getEllipticCurvePublicKey
+decode_public_key_material ECC = do
+    -- http://tools.ietf.org/html/rfc6637 (9) Algorithm-Specific Fields for ECDH keys:
+    oid <- getOID
+    result <- getEllipticCurvePublicKey
     eccstuff <- get :: Get Word32
         {- eccstuff is 4 one-byte fields:
                 flen <- get :: Get Word8
@@ -482,17 +497,7 @@ decode_public_key_material ECC = do
                 hashid <- get :: Get Word8
                 algoid <- get :: Get Word8
         -}
-    let integerBytesize i = fromIntegral $ LZ.length (encode (MPI i)) - 2
-        width = ( integerBytesize fxy - 1 ) `div` 2
-        l = width*8
-        (flag,xy) = fxy `quotRem` (256^(2*width))
-        result = case flag of
-            0x40 -> [('c',oid), ('l',MPI l), ('n',MPI xy), ('f',MPI flag)]
-            _    -> let (x,y) = xy `quotRem` (256^width)
-                        -- (fx,y) = xy `quotRem` (256^width)
-                        -- (flag,x) = fx `quotRem` (256^width)
-                    in [('c',oid), ('l',MPI l), ('x',MPI x), ('y',MPI y), ('f',MPI flag)]
-    return $ result ++ [('e',MPI (fromIntegral eccstuff))]
+    return $ ('c', oid) : result ++ [('e',MPI (fromIntegral eccstuff))]
 decode_public_key_material algorithm = mapM (\f -> fmap ((,)f) get) (public_key_fields algorithm)
 
 put_packet :: Packet -> (B.ByteString, Word8)
@@ -907,6 +912,16 @@ infiniHashes hsh s = LZ.fromChunks (hs 0)
 data HashAlgorithm = MD5 | SHA1 | RIPEMD160 | SHA256 | SHA384 | SHA512 | SHA224 | HashAlgorithm Word8
         deriving (Show, Read, Eq, Ord)
 
+hashLen :: HashAlgorithm -> Int
+hashLen MD5               = 16
+hashLen SHA1              = 20
+hashLen RIPEMD160         = 20
+hashLen SHA256            = 32
+hashLen SHA384            = 48
+hashLen SHA512            = 64
+hashLen SHA224            = 28
+hashLen (HashAlgorithm _) = 0
+
 instance Enum HashAlgorithm where
         toEnum 01 = MD5
         toEnum 02 = SHA1
diff --git a/Data/OpenPGP/Util/Cv25519.hs b/Data/OpenPGP/Util/Cv25519.hs
new file mode 100644
index 0000000..aef3521
--- /dev/null
+++ b/Data/OpenPGP/Util/Cv25519.hs
@@ -0,0 +1,231 @@
+{-# LANGUAGE ExistentialQuantification #-}
+{-# LANGUAGE QuasiQuotes               #-}
+module Data.OpenPGP.Util.Cv25519 where
+
+import Control.Arrow
+import Control.Monad
+import Data.Binary
+import Data.Binary.Get
+import Data.ByteString (ByteString)
+import Data.Bits
+import qualified Data.ByteArray as BA
+import qualified Data.ByteString.Char8 as B8
+import qualified Data.ByteString as BS
+import qualified Data.ByteString.Lazy as BL
+import Data.Char
+import Numeric
+import Data.Int
+
+import Data.OpenPGP.Internal
+import Data.OpenPGP.Util
+import Data.OpenPGP.Util.Base
+import Data.OpenPGP as OpenPGP
+import Crypto.Cipher.SBox
+import Data.OpenPGP.Util.Ed25519 (zeroExtend,zeroPad)
+import qualified Crypto.PubKey.Curve25519 as Cv25519
+import Crypto.Error
+import Crypto.Cipher.AES
+import Crypto.Cipher.Types
+import Data.OpenPGP.Util.DecryptSecretKey -- (withS2K, simpleUnCFB, Enciphered(..))
+
+import Crypto.JOSE.AESKW
+
+oid_cv25519 = 0x2B060104019755010501
+
+getEphemeralKey :: OpenPGP.Packet -> Maybe ([(Char,MPI)],BL.ByteString)
+getEphemeralKey AsymmetricSessionKeyPacket
+                    { version        = 3
+                    , key_algorithm  = ECC
+                    , encrypted_data = dta } = do
+    -- Algorithm-Specific Fields for ECDH encryption:
+    --
+    --  *  MPI of an EC point representing an ephemeral public key.
+    --
+    --  *  a one-octet size, followed by a symmetric key encoded using the
+    --     method described in Section 13.5.
+    (b,_,d) <- either (const Nothing) Just $ runGetOrFail getEllipticCurvePublicKey dta
+    (sz,m) <- BL.uncons b
+    guard $ BL.length m == fromIntegral sz
+    return (d,m)
+getEphemeralKey _ = Nothing
+
+-- The value "m" in the above formulas is derived from the session key
+-- as follows.  First, the session key is prefixed with a one-octet
+-- algorithm identifier that specifies the symmetric encryption
+-- algorithm used to encrypt the following Symmetrically Encrypted Data
+-- Packet.  Then a two-octet checksum is appended, which is equal to the
+-- sum of the preceding session key octets, not including the algorithm
+-- identifier, modulo 65536.  This value is then encoded as described in
+-- PKCS#1 block encoding EME-PKCS1-v1_5 in Section 7.2.1 of [RFC3447] to
+-- form the "m" value used in the formulas above.  See Section 14.1 of
+-- this document for notes on OpenPGP's use of PKCS#1.
+
+privateCv25519Key :: OpenPGP.Packet -> Maybe Cv25519.SecretKey
+privateCv25519Key k@SecretKeyPacket { key_algorithm = ECC, symmetric_algorithm = Unencrypted } = do
+    guard $ oid_cv25519 == keyParam 'c' k
+    case Cv25519.secretKey $ zeroExtend 32 $ integerToLE (keyParam 'd' k) of
+        CryptoPassed cv25519sec -> Just cv25519sec
+        CryptoFailed err        -> Nothing
+
+hexify = map toUpper . hexString . BS.unpack
+
+
+
+hexString :: [Word8] -> String
+hexString = foldr (pad `oo` showHex) ""
+        where
+        pad s | odd $ length s = '0':s
+              | otherwise = s
+
+        oo :: (b -> c) -> (a -> a1 -> b) -> a -> a1 -> c
+        oo = (.) . (.)
+
+cv25519Key :: [(Char,MPI)] -> Maybe Cv25519.PublicKey
+cv25519Key k = do
+    MPI flag <- lookup 'f' k
+    n <- case flag of
+        0x40 -> zeroPad 32 . integerToBS . (\(MPI n)-> n) <$> lookup 'n' k
+        -- TODO: The following was based on Ed25519.  Verify that it is correct for Cv25519.
+        _    -> do MPI y <- lookup 'y' k
+                   MPI x <- lookup 'x' k
+                   let ybs = zeroExtend 32 $ integerToLE y
+                       lb = BS.last ybs
+                   return $ if x < 0 then BS.take 31 ybs `BS.snoc` (lb .|. 0x80)
+                                     else BS.take 31 ybs `BS.snoc` (lb .&. 0x7F)
+    maybeCryptoError $ Cv25519.publicKey n
+
+kdfParams :: OpenPGP.Packet -> (OpenPGP.HashAlgorithm, OpenPGP.SymmetricAlgorithm)
+kdfParams k = toEnum *** toEnum $ divMod e 256
+ where
+    e = 0x0FFFF .&. (fromIntegral $ keyParam 'e' k)
+    -- flen   <- get :: Get Word8 -- always 3 (length of following bytes)
+    -- one    <- get :: Get Word8 -- always 0x01 (reserved)
+    -- hashid <- get :: Get Word8 -- HashAlgorithm
+    -- algoid <- get :: Get Word8 -- SymmetricAlgorithm
+
+data SomeKeyCipher = forall c. BlockCipher128 c => SomeKeyCipher c
+
+someAES128 :: AES128 -> SomeKeyCipher
+someAES192 :: AES192 -> SomeKeyCipher
+someAES256 :: AES256 -> SomeKeyCipher
+someAES128 = SomeKeyCipher
+someAES192 = SomeKeyCipher
+someAES256 = SomeKeyCipher
+
+keyCipher :: OpenPGP.SymmetricAlgorithm -> BS.ByteString -> Maybe SomeKeyCipher
+keyCipher OpenPGP.AES128 key = someAES128 <$> maybeCryptoError (cipherInit key)
+keyCipher OpenPGP.AES192 key = someAES192 <$> maybeCryptoError (cipherInit key)
+keyCipher OpenPGP.AES256 key = someAES256 <$> maybeCryptoError (cipherInit key)
+keyCipher _ _ = Nothing
+
+keyCipherSize OpenPGP.AES128 = cipherKeySize (undefined :: AES128)
+keyCipherSize OpenPGP.AES192 = cipherKeySize (undefined :: AES192)
+keyCipherSize OpenPGP.AES256 = cipherKeySize (undefined :: AES256)
+
+
+kdfParamBytes :: OpenPGP.Packet -> BL.ByteString
+kdfParamBytes k = BL.fromChunks
+       [ BL.toStrict $ encodeOID (MPI $ keyParam 'c' k) -- curve_OID_len || curve_OID
+       , BS.singleton $ fromIntegral $ fromEnum $ key_algorithm k  -- public_key_alg_ID
+       , BL.toStrict $ encode (fromIntegral (keyParam 'e' k) :: Word32) -- 03 || 01 || KDF_hash_ID || KEK_alg_ID for AESKeyWrap
+       , B8.pack "Anonymous Sender    "
+       , let Fingerprint fp = fingerprint k in fp
+       ]
+
+-- The Concatenation Key Derivation Function (Approved Alternative 1) [SP800-56A]
+kdf :: OpenPGP.HashAlgorithm -> Cv25519.DhSecret -> Int -> BL.ByteString -> Maybe BL.ByteString
+kdf hsh z keybytelen otherinfo
+    | reps > 2^32 - 1                                = Nothing
+    -- XXX: I don't understand /max_hash_inputlen/.
+    --
+    -- max_hash_inputlen: an integer that indicates the maximum length (in
+    -- bits) of the bit string(s) input to the hash function.
+    --
+    -- | 8 * (BS.length zo) > max_hash_inputlen - 32 = Nothing
+    | otherwise                                      = Just derivedKeyingMaterial
+ where
+    keydatalen = 8 * fromIntegral keybytelen :: Int64
+    hashlen = 8 * fromIntegral (hashLen hsh) :: Int64
+    reps = fromIntegral $ (keydatalen + hashlen - 1) `div` hashlen
+    counter = 0x00000001 :: Word32
+    zo = BL.fromStrict (BA.convert z) <> otherinfo
+    hashes = [ hashBySymbol hsh (encode (i::Word32) <> zo)
+                | i <- [1 .. reps] ] -- Compute Hash i = H(counter || Z || OtherInfo).
+    -- Let Hhash be set to Hash[reps] if (keydatalen / hashlen) is an integer; otherwise, let Hhash
+    -- be set to the (keydatalen mod hashlen) leftmost bits of Hash[reps].
+    hhash = case keydatalen `mod` hashlen of
+        0 -> last hashes
+        r -> BS.take (fromIntegral $ (r + 7) `div` 8) $ last hashes -- TODO: Zero out the 8 - (r `mod` 8) last bits?
+    derivedKeyingMaterial = BL.fromChunks $ init hashes ++ [ hhash ]
+
+
+-- The input to the key wrapping method is the value "m" derived from
+-- the session key, as described in Section 5.1, "Public-Key Encrypted
+-- Session Key Packets (Tag 1)", except that the PKCS #1.5 padding step
+-- is omitted.  The result is padded using the method described in
+-- [PKCS5] to the 8-byte granularity.  For example, the following
+-- AES-256 session key, in which 32 octets are denoted from k0 to k31,
+-- is composed to form the following 40 octet sequence:
+--
+-- 09 k0 k1 ... k31 c0 c1 05 05 05 05 05
+--
+-- The octets c0 and c1 above denote the checksum.  This encoding allows
+-- the sender to obfuscate the size of the symmetric encryption key used
+-- to encrypt the data.  For example, assuming that an AES algorithm is
+-- used for the session key, the sender MAY use 21, 13, and 5 bytes of
+-- padding for AES-128, AES-192, and AES-256, respectively, to provide
+-- the same number of octets, 40 total, as an input to the key wrapping
+-- method.
+--
+-- From Section 5.1, "Public-Key Encrypted Session Key Packets (Tag 1)"
+--
+-- The value "m" in the above formulas is derived from the session key
+-- as follows.  First, the session key is prefixed with a one-octet
+-- algorithm identifier that specifies the symmetric encryption
+-- algorithm used to encrypt the following Symmetrically Encrypted Data
+-- Packet.  Then a two-octet checksum is appended, which is equal to the
+-- sum of the preceding session key octets, not including the algorithm
+-- identifier, modulo 65536.  This value is then encoded as described in
+-- PKCS#1 block encoding EME-PKCS1-v1_5 in Section 7.2.1 of [RFC3447] to
+-- form the "m" value used in the formulas above.  See Section 14.1 of
+-- this document for notes on OpenPGP's use of PKCS#1.
+decodeEncryptedKey :: ByteString -> Maybe (SymmetricAlgorithm, ByteString)
+decodeEncryptedKey m = do
+    (algb,ks) <- BS.uncons m
+    let alg = toEnum $ fromIntegral algb :: OpenPGP.SymmetricAlgorithm
+    sz <- case keyCipherSize alg of
+                KeySizeFixed n -> Just n
+                _              -> Nothing
+    let (key,macbs) = BS.splitAt sz ks
+        (macb,trail) = BS.splitAt 2 macbs
+        mac = decode $ BL.fromStrict macb :: Word16
+        chk = sum $ map fromIntegral $ BS.unpack key
+    guard $ chk == mac
+    Just (alg, key)
+
+decryptMessage :: Packet    -- ^ local secret key (ecdh cv25519)
+                  -> Packet -- ^ ephemeral remote public key (ecdh cv25519) and encrypted symmetric key.
+                  -> Packet -- ^ symmetrically encrypted data packet
+                  -> Maybe [Packet]
+decryptMessage ecdhkey asym encdta = do
+    (pubk,m) <- getEphemeralKey asym
+    pub25519 <- cv25519Key pubk
+    sec25519 <- privateCv25519Key ecdhkey
+    let shared = Cv25519.dh pub25519 sec25519
+        (hsh, alg) = kdfParams ecdhkey
+        miv = let sz = case keyCipherSize alg of
+                    KeySizeFixed n     -> n
+                    KeySizeEnum ns     -> head ns
+                    KeySizeRange mn mx -> mn
+               in kdf hsh shared sz (kdfParamBytes ecdhkey)
+    (alg,k) <- do
+       iv <- BL.toStrict <$> miv
+       SomeKeyCipher c <- keyCipher alg iv
+       m' <- aesKeyUnwrap c (BL.toStrict m) :: Maybe BS.ByteString
+       decodeEncryptedKey m'
+    withS2K' alg Nothing (BL.fromStrict k) $ \cipher -> do
+        let blksize = blockSize cipher
+            b0 = simpleUnCFB cipher nullIV (encrypted_data encdta)
+            b1 = BL.drop (2 + fromIntegral blksize) b0
+        (_,_, Message ps) <- either (const Nothing) Just $ decodeOrFail b1
+        return ps
diff --git a/Data/OpenPGP/Util/DecryptSecretKey.hs b/Data/OpenPGP/Util/DecryptSecretKey.hs
index 1188f3e..a637b29 100644
--- a/Data/OpenPGP/Util/DecryptSecretKey.hs
+++ b/Data/OpenPGP/Util/DecryptSecretKey.hs
@@ -90,7 +90,7 @@ decryptSecretKey pass k@(OpenPGP.SecretKeyPacket {
         | OpenPGP.s2k_useage k == 254 = (20, sha1 . toStrictBS)
         | otherwise = (2, toStrictBS . encode . checksum . toStrictBS)
         -- Words16s are written as 2 bytes in big-endian (network) order
-    decd = withS2K simpleUnCFB salgo s2k (toLazyBS pass) (EncipheredWithIV encd)
+    decd = withS2K simpleUnCFB salgo (Just s2k) (toLazyBS pass) (EncipheredWithIV encd)
 
 #if defined(VERSION_cryptonite)
     sha1 x = Bytes.convert (hash x :: Digest SHA1)
@@ -122,7 +122,7 @@ maybeGet g bs = unsafePerformIO $
 
 withS2K :: (forall k. (Vincent.BlockCipher k) => k -> Vincent.IV k -> LZ.ByteString -> LZ.ByteString)
            -> OpenPGP.SymmetricAlgorithm
-           -> OpenPGP.S2K
+           -> Maybe OpenPGP.S2K
            -> LZ.ByteString -> Enciphered -> LZ.ByteString
 withS2K codec OpenPGP.AES128 s2k s   = withIV $ codec (string2key s2k s :: Vincent.AES128)
 withS2K codec OpenPGP.AES192 s2k s   = withIV $ codec (string2key s2k s :: Vincent.AES192)
@@ -131,7 +131,7 @@ withS2K codec OpenPGP.Blowfish s2k s = withIV $ codec (string2key s2k s :: Vince
 withS2K codec OpenPGP.CAST5 s2k s    = withIV $ codec (string2key s2k s :: ThomasToVincent CAST5_128)
 withS2K codec algo _ _ = error $ "Unsupported symmetric algorithm : " ++ show algo ++ " in Data.OpenPGP.CryptoAPI.withS2K"
 
-withS2K' :: OpenPGP.SymmetricAlgorithm -> OpenPGP.S2K -> LZ.ByteString
+withS2K' :: OpenPGP.SymmetricAlgorithm -> Maybe OpenPGP.S2K -> LZ.ByteString
             -> (forall b. Vincent.BlockCipher b => b -> x) -> x
 withS2K' OpenPGP.AES128   s2k s f = f (string2key s2k s :: Vincent.AES128)
 withS2K' OpenPGP.AES192   s2k s f = f (string2key s2k s :: Vincent.AES192)
@@ -169,27 +169,16 @@ padThenUnpad k f s = dropPadEnd (f padded)
         padAmount = blksize - (LZ.length s `mod` blksize)
         blksize = fromIntegral $ Vincent.blockSize k
 
-{-
-Data/OpenPGP/Util/DecryptSecretKey.hs:172:20:
-    Couldn't match expected type ‘k’
-                with actual type ‘cryptonite-0.15:Crypto.Error.Types.CryptoFailable
-                                    cipher0’
-      ‘k’ is a rigid type variable bound by
-          the type signature for
-            string2key :: Vincent.BlockCipher k =>
-                          OpenPGP.S2K -> LZ.ByteString -> k
-          at Data/OpenPGP/Util/DecryptSecretKey.hs:171:15
--}
-string2key :: (Vincent.BlockCipher k) => OpenPGP.S2K -> LZ.ByteString -> k
-string2key s2k s = cipher
+string2key :: (Vincent.BlockCipher k) => Maybe OpenPGP.S2K -> LZ.ByteString -> k
+string2key ms2k s = cipher
     where
 #if defined(VERSION_cryptonite)
     CryptoPassed cipher = Vincent.cipherInit k
-    k = toStrictBS $ LZ.take ksize $ OpenPGP.string2key hashBySymbol s2k s
+    k = toStrictBS $ LZ.take ksize $ maybe s (\s2k -> OpenPGP.string2key hashBySymbol s2k s) ms2k
 #else
     cipher = Vincent.cipherInit k
     Right k = Vincent.makeKey $ toStrictBS $
-        LZ.take ksize $ OpenPGP.string2key hashBySymbol s2k s
+        LZ.take ksize $ maybe s (\s2k -> OpenPGP.string2key hashBySymbol s2k s) ms2k
 #endif
     ksize = case Vincent.cipherKeySize cipher of
                 Vincent.KeySizeFixed n -> fromIntegral n
@@ -217,7 +206,7 @@ encryptSecretKey passphrase s2k salgo plain = do
         maybeToList $ lookup f (OpenPGP.key plain)
     chk = LZ.fromChunks [ chkF material ]
     decd = LZ.append material chk
-    encd g = fst $ withS2K' salgo s2k (toLazyBS passphrase) (simpleCFB g) decd
+    encd g = fst $ withS2K' salgo (Just s2k) (toLazyBS passphrase) (simpleCFB g) decd
 
     -- If the string-to-key usage octet is zero or 255, then a two-octet
     -- checksum of the plaintext of the algorithm-specific portion (sum
diff --git a/Data/OpenPGP/Util/Ed25519.hs b/Data/OpenPGP/Util/Ed25519.hs
index 7504e7e..67eeba3 100644
--- a/Data/OpenPGP/Util/Ed25519.hs
+++ b/Data/OpenPGP/Util/Ed25519.hs
@@ -43,8 +43,8 @@ ed25519Key k =
                         x = keyParam 'x' k
                         ybs = zeroExtend 32 $ integerToLE y
                         lb = BS.last ybs
-                    in if x < 0 then BS.take 31 ybs `BS.snoc` (lb .|. 1)
-                                else BS.take 31 ybs `BS.snoc` (lb .&. 0xFE)
+                    in if x < 0 then BS.take 31 ybs `BS.snoc` (lb .|. 0x80)
+                                else BS.take 31 ybs `BS.snoc` (lb .&. 0x7F)
     in case Ed25519.publicKey n of
             CryptoPassed ed25519 -> Just ed25519
             CryptoFailed _       -> Nothing
diff --git a/openpgp-util.cabal b/openpgp-util.cabal
index b0d7f53..ae8d373 100644
--- a/openpgp-util.cabal
+++ b/openpgp-util.cabal
@@ -122,12 +122,14 @@ Flag cryptonite
 
 library
         exposed-modules:
-                Data.OpenPGP.Util
                 Data.OpenPGP
+                Data.OpenPGP.Util
+                Data.OpenPGP.Util.Cv25519
                 Crypto.Cipher.Feistel
                 Crypto.Cipher.Cast5
                 Crypto.Cipher.SBox
                 Crypto.Cipher.ThomasToVincent
+                Crypto.JOSE.AESKW
         other-modules:
                 Data.OpenPGP.Internal
                 Data.OpenPGP.Util.Fingerprint
@@ -140,6 +142,7 @@ library
         build-depends:
                 base == 4.*,
                 transformers,
+                mtl,
                 bytestring,
                 binary >= 0.5.1.0,
                 utf8-string,
diff --git a/tests/test-cv25519.hs b/tests/test-cv25519.hs
new file mode 100644
index 0000000..faf2573
--- /dev/null
+++ b/tests/test-cv25519.hs
@@ -0,0 +1,110 @@
+{-# LANGUAGE QuasiQuotes #-}
+{-# LANGUAGE ExistentialQuantification #-}
+{-# LANGUAGE OverloadedStrings #-}
+
+import Control.Arrow
+import Control.Monad
+import Data.Binary
+import Data.Binary.Get
+import Data.ByteString (ByteString)
+import Data.Bits
+import qualified Data.ByteArray as BA
+import qualified Data.ByteString.Char8 as B8
+import qualified Data.ByteString as BS
+import qualified Data.ByteString.Lazy as BL
+import Data.Char
+import Text.Show.Pretty
+import Numeric
+import Data.Int
+
+import Data.OpenPGP.Internal
+import Data.OpenPGP.Util
+import Data.OpenPGP.Util.Base
+import Data.OpenPGP as OpenPGP
+import Crypto.Cipher.SBox
+import Data.OpenPGP.Util.Ed25519 (zeroExtend,zeroPad)
+import qualified Crypto.PubKey.Curve25519 as Cv25519
+import Crypto.Error
+import Crypto.Cipher.AES
+import Crypto.Cipher.Types
+import Data.OpenPGP.Util.DecryptSecretKey -- (withS2K, simpleUnCFB, Enciphered(..))
+
+import Data.OpenPGP.Util.Cv25519
+
+msg :: ByteString
+msg = [bytes|
+ 84 5e 03 c2 69 bf c6 b5 ad 64 55 12 01 07 40 ed
+ 3a 49 32 b5 2b 4e f5 c8 b1 3d 25 8c 73 c6 bc f3
+ 16 c2 4d ed 23 3c ef ac 01 df ff ea 8a 38 75 30
+ ab 5e d2 7b eb 5c 1f 7d 65 9d 7b 84 b4 5e fb b9
+ 43 81 29 d4 e9 ba 0d 08 34 be 95 40 9d 57 0c 85
+ 0d 94 4c fe 42 21 a0 23 d9 70 3d a2 03 ec 0a d1
+
+ d2 70 01 95 06 62 3d 1b 66 ba 5b 67 b8 a7 2a b7
+ 86 0b 28 94 18 c5 3b ef fc 2f e2 5d 87 78 80 9e
+ 89 dc c7 e7 87 14 b8 bc 8c 9f 93 2f bb 2b c3 7c
+ 3c da c5 32 32 bf 58 3f fa 7f 1c 53 b7 14 63 b7
+ 1c 2e d6 29 c8 8e 15 a8 48 6d 97 a9 35 49 21 c7
+ 73 20 b4 00 4e db 80 04 30 4a df 59 77 79 22 aa
+ 0c 7c 08 a1 d0 d6 a7 30 9d e9 59 8d 2d 9f e8 c4
+ 0c 2b
+ |]
+
+keyring :: ByteString
+keyring =
+ [bytes|
+ 94 58 04 5d c8 7f 7e 16 09 2b 06 01 04 01 da 47
+ 0f 01 01 07 40 bb a7 dc 2a e0 b0 ef 05 d1 69 07
+ 31 b3 91 0d c9 69 38 6f 3f 97 e6 19 45 cb 6c 76
+ 3b 15 29 f5 e5 00 01 00 96 eb 2a 5c d5 5b 65 25
+ e9 dd ed b8 58 1c e9 1e 75 f2 26 92 9d 9f 35 d7
+ 35 a7 65 e5 41 44 f5 f5 11 a4 b4 18 47 75 79 20
+ 54 2e 20 3c 67 75 79 40 65 78 61 6d 70 6c 65 2e
+ 63 6f 6d 3e 88 90 04 13 16 08 00 38 16 21 04 00
+ 7d a7 19 91 02 5a 09 bd da 46 78 38 ed ab 61 d8
+ 66 c7 02 05 02 5d c8 7f 7e 02 1b 03 05 0b 09 08
+ 07 02 06 15 0a 09 08 0b 02 04 16 02 03 01 02 1e
+ 01 02 17 80 00 0a 09 10 38 ed ab 61 d8 66 c7 02
+ 3e d4 00 ff 7a 88 a3 af cd 96 bd 46 b4 31 76 3c
+ 40 35 1c ef 0b 0b 1d e2 66 03 7e 22 4c 32 34 f7
+ db dd 20 98 00 ff 55 20 65 55 ed 70 a4 a0 03 58
+ c3 1c 0a 12 63 b5 5c 3f f8 18 de 62 c8 0b e7 85
+ 37 ee 8c 7a 2a 0d 9c 5d 04 5d c8 7f 7e 12 0a 2b
+ 06 01 04 01 97 55 01 05 01 01 07 40 71 8a c9 e8
+ 0d cf 0d d0 16 10 c2 26 50 f1 f4 1c 49 b4 af 4d
+ aa 0e 06 2b 35 8c 1e 86 79 8c 25 31 03 01 08 07
+ 00 00 ff 68 a2 f7 b1 31 2c 6a 09 82 f2 55 a2 44
+ cb d4 a1 0d 62 ef f0 77 18 68 d9 6c 86 c1 b2 c7
+ e1 4d 40 12 28 88 78 04 18 16 08 00 20 16 21 04
+ 00 7d a7 19 91 02 5a 09 bd da 46 78 38 ed ab 61
+ d8 66 c7 02 05 02 5d c8 7f 7e 02 1b 0c 00 0a 09
+ 10 38 ed ab 61 d8 66 c7 02 86 10 01 00 83 99 5d
+ 74 90 f5 4a b5 74 bc 07 77 7a f7 25 14 3e 5e bf
+ ae 52 99 0c 01 05 0b 4b 57 ee 95 02 1b 01 00 eb
+ db e4 27 95 f9 a4 4f bc f0 ce cc 44 33 90 ab 42
+ 0f aa ca 06 89 ce 48 f1 85 27 62 05 73 e3 03
+ |]
+
+
+expected_result = CompressedDataPacket
+    { compression_algorithm = ZLIB
+    , message = Message [ LiteralDataPacket
+                           { format = 'b'
+                           , filename = "secret-message.txt"
+                           , timestamp = 1573421489
+                           , content = "This is a secret that will be encrypted.\n"}
+                        ]
+    }
+
+main = do
+    let Message [asym,encdta] = decode (BL.fromStrict msg)
+        Message
+            [ master  -- ---Secret 007DA71991025A09BDDA467838EDAB61D866C702 Ed25519
+            , uid     -- UserID "Guy T. <guy@example.com>"
+            , uidsig  -- Signature ^ signed: 38EDAB61D866C702 ["vouch-sign"]
+            , ecdhkey -- SecretKey 8CF3B7D9CDCA47086F3C509AC269BFC6B5AD6455 ECC
+            , ecdhsig -- Signature ^ signed: 38EDAB61D866C702 ["encrypt"]
+            ] = decode (BL.fromStrict keyring)
+        m = decryptMessage ecdhkey asym encdta
+    print m
+    putStrLn $ "decrypt cv25519: " ++ show (m == Just [expected_result])