Description
There are two different meanings of Ed25519 private key:
- 64 bytes derived from a 32 byte seed with SHA-512. I'll call this preprocessed private key.
- Just the 32 byte seed. I'll call this private key seed. Obviously, the preprocessed private key can't be transformed back into the private key seed.
libolm stores preprocessed private keys in the Account and OutboundGroupSession pickles, which can be used in the bundled ed25519 library. However, other Ed25519 implementations (OpenSSL) do not support preprocessed private keys, so they are incompatible with existing pickled objects. RFC 8032 specifies the private key of Ed25519 is the private key seed, so you can't blame these implementations. If private key seeds were stored in the pickles instead, all Ed25519 implementations would be compatible.
I think that this issue is currently internal to Matrix clients, so clients can just store private key seeds internally if they need that. At least, that seems to work for me. This would change with the Dehydrated Devices MSC, because this MSC requires clients to store pickled accounts on the server, so they would have to agree on a common format.
I would like to integrate the OpenSSL implementation of Ed25519 into libolm eventually, so I propose these changes:
- Allow to store either preprocessed private keys or private key seeds in _olm_ed25519_private_key. Add a flag to _olm_ed25519_private_key to distinguish them. This would require a pickle format update.
- Store private key seeds in _olm_ed25519_private_key for newly created keys. In Account and OutboundGroupSession, the private key seeds are new random data, so storing it directly does not reveal previously secret data.
Would that be acceptable?