Use Ed25519 for signatures.

2026-02-17 05:09:53 +01:00 · 2018-02-01 16:56:50 +00:00
parent 7a1247e325
commit 6bf2cb69c5
13 changed files with 104 additions and 271 deletions
--- a/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoComponent.java
+++ b/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoComponent.java
@@ -22,10 +22,6 @@ public interface CryptoComponent {
 	KeyParser getSignatureKeyParser();
 	KeyPair generateEdKeyPair();
 	KeyParser getEdKeyParser();
 	KeyParser getMessageKeyParser();
 	/**
@@ -53,7 +49,7 @@ public interface CryptoComponent {
 			throws GeneralSecurityException;
 	/**
-	 * Signs the given byte[] with the given ECDSA private key.
+	 * Signs the given byte[] with the given private key.
 	 *
 	 * @param label a namespaced label indicating the purpose of this
 	 * signature, to prevent it from being repurposed or colliding with a
@@ -62,18 +58,9 @@ public interface CryptoComponent {
 	byte[] sign(String label, byte[] toSign, byte[] privateKey)
 			throws GeneralSecurityException;
 	/**
 	 * Signs the given byte[] with the given Ed25519 private key.
 	 *
 	 * @param label A label specific to this signature
 	 *              to ensure that the signature cannot be repurposed
 	 */
 	byte[] signEd(String label, byte[] toSign, byte[] privateKey)
 			throws GeneralSecurityException;
 	/**
 	 * Verifies that the given signature is valid for the signed data
-	 * and the given ECDSA public key.
+	 * and the given public key.
 	 *
 	 * @param label a namespaced label indicating the purpose of this
 	 * signature, to prevent it from being repurposed or colliding with a
@@ -83,17 +70,6 @@ public interface CryptoComponent {
 	boolean verify(String label, byte[] signedData, byte[] publicKey,
 			byte[] signature) throws GeneralSecurityException;
 	/**
 	 * Verifies that the given signature is valid for the signed data
 	 * and the given Ed25519 public key.
 	 *
 	 * @param label A label that was specific to this signature
 	 *              to ensure that the signature cannot be repurposed
 	 * @return true if the signature was valid, false otherwise.
 	 */
 	boolean verifyEd(String label, byte[] signedData, byte[] publicKey,
 			byte[] signature) throws GeneralSecurityException;
 	/**
 	 * Returns the hash of the given inputs. The inputs are unambiguously
 	 * combined by prefixing each input with its length.
--- a/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoConstants.java
+++ b/bramble-api/src/main/java/org/briarproject/bramble/api/crypto/CryptoConstants.java
@@ -0,0 +1,19 @@
 package org.briarproject.bramble.api.crypto;
 public interface CryptoConstants {
 	/**
 	 * The maximum length of an agreement public key in bytes.
 	 */
 	int MAX_AGREEMENT_PUBLIC_KEY_BYTES = 65;
 	/**
 	 * The maximum length of a signature public key in bytes.
 	 */
 	int MAX_SIGNATURE_PUBLIC_KEY_BYTES = 32;
 	/**
 	 * The maximum length of a signature in bytes.
 	 */
 	int MAX_SIGNATURE_BYTES = 64;
 }
--- a/bramble-api/src/main/java/org/briarproject/bramble/api/identity/Author.java
+++ b/bramble-api/src/main/java/org/briarproject/bramble/api/identity/Author.java
@@ -22,7 +22,7 @@ public class Author {
 	/**
 	 * The current version of the author structure.
 	 */
-	public static final int FORMAT_VERSION = 0;
+	public static final int FORMAT_VERSION = 1;
 	private final AuthorId id;
 	private final int formatVersion;
--- a/bramble-api/src/main/java/org/briarproject/bramble/api/identity/AuthorConstants.java
+++ b/bramble-api/src/main/java/org/briarproject/bramble/api/identity/AuthorConstants.java
@@ -1,5 +1,8 @@
 package org.briarproject.bramble.api.identity;
 import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_SIGNATURE_BYTES;
 import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_SIGNATURE_PUBLIC_KEY_BYTES;
 public interface AuthorConstants {
 	/**
@@ -8,26 +11,14 @@ public interface AuthorConstants {
 	int MAX_AUTHOR_NAME_LENGTH = 50;
 	/**
-	 * The maximum length of a public key in bytes.
+	 * The maximum length of a public key in bytes. This applies to the
-	 * <p>
+	 * signature algorithm used by the current {@link Author format version}.
 	 * Public keys use SEC1 format: 0x04 x y, where x and y are unsigned
 	 * big-endian integers.
 	 * <p>
 	 * For a 256-bit elliptic curve, the maximum length is 2 * 256 / 8 + 1.
 	 */
-	int MAX_PUBLIC_KEY_LENGTH = 65;
+	int MAX_PUBLIC_KEY_LENGTH = MAX_SIGNATURE_PUBLIC_KEY_BYTES;
 	/**
-	 * The maximum length of a signature in bytes.
+	 * The maximum length of a signature in bytes. This applies to the
-	 * <p>
+	 * signature algorithm used by the current {@link Author format version}.
 	 * A signature is an ASN.1 DER sequence containing two integers, r and s.
 	 * The format is 0x30 len1 0x02 len2 r 0x02 len3 s, where len1 is
 	 * len(0x02 len2 r 0x02 len3 s) as a DER length, len2 is len(r) as a DER
 	 * length, len3 is len(s) as a DER length, and r and s are signed
 	 * big-endian integers of minimal length.
 	 * <p>
 	 * For a 256-bit elliptic curve, the lengths are one byte each, so the
 	 * maximum length is 2 * 256 / 8 + 8.
 	 */
-	int MAX_SIGNATURE_LENGTH = 72;
+	int MAX_SIGNATURE_LENGTH = MAX_SIGNATURE_BYTES;
 }
--- a/bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java
+++ b/bramble-core/src/main/java/org/briarproject/bramble/crypto/CryptoComponentImpl.java
@@ -46,7 +46,6 @@ class CryptoComponentImpl implements CryptoComponent {
 	private static final int AGREEMENT_KEY_PAIR_BITS = 256;
 	private static final int SIGNATURE_KEY_PAIR_BITS = 256;
 	private static final int ED_KEY_PAIR_BITS = 256;
 	private static final int STORAGE_IV_BYTES = 24; // 196 bits
 	private static final int PBKDF_SALT_BYTES = 32; // 256 bits
 	private static final int PBKDF_FORMAT_SCRYPT = 0;
@@ -54,11 +53,9 @@ class CryptoComponentImpl implements CryptoComponent {
 	private final SecureRandom secureRandom;
 	private final PasswordBasedKdf passwordBasedKdf;
 	private final ECKeyPairGenerator agreementKeyPairGenerator;
-	private final ECKeyPairGenerator signatureKeyPairGenerator;
+	private final KeyPairGenerator signatureKeyPairGenerator;
 	private final KeyParser agreementKeyParser, signatureKeyParser;
 	private final MessageEncrypter messageEncrypter;
 	private final KeyPairGenerator edKeyPairGenerator;
 	private final KeyParser edKeyParser;
 	@Inject
 	CryptoComponentImpl(SecureRandomProvider secureRandomProvider,
@@ -87,16 +84,13 @@ class CryptoComponentImpl implements CryptoComponent {
 				PARAMETERS, secureRandom);
 		agreementKeyPairGenerator = new ECKeyPairGenerator();
 		agreementKeyPairGenerator.init(params);
-		signatureKeyPairGenerator = new ECKeyPairGenerator();
+		signatureKeyPairGenerator = new KeyPairGenerator();
-		signatureKeyPairGenerator.init(params);
+		signatureKeyPairGenerator.initialize(SIGNATURE_KEY_PAIR_BITS,
 				secureRandom);
 		agreementKeyParser = new Sec1KeyParser(PARAMETERS,
 				AGREEMENT_KEY_PAIR_BITS);
-		signatureKeyParser = new Sec1KeyParser(PARAMETERS,
+		signatureKeyParser = new EdKeyParser();
 				SIGNATURE_KEY_PAIR_BITS);
 		messageEncrypter = new MessageEncrypter(secureRandom);
 		edKeyPairGenerator = new KeyPairGenerator();
 		edKeyPairGenerator.initialize(ED_KEY_PAIR_BITS, secureRandom);
 		edKeyParser = new EdKeyParser();
 	}
 	// Based on https://android-developers.googleblog.com/2013/08/some-securerandom-thoughts.html
@@ -155,21 +149,6 @@ class CryptoComponentImpl implements CryptoComponent {
 		return secret;
 	}
 	@Override
 	public KeyPair generateEdKeyPair() {
 		java.security.KeyPair keyPair = edKeyPairGenerator.generateKeyPair();
 		EdDSAPublicKey edPublicKey = (EdDSAPublicKey) keyPair.getPublic();
 		PublicKey publicKey = new EdPublicKey(edPublicKey.getAbyte());
 		EdDSAPrivateKey edPrivateKey = (EdDSAPrivateKey) keyPair.getPrivate();
 		PrivateKey privateKey = new EdPrivateKey(edPrivateKey.getSeed());
 		return new KeyPair(publicKey, privateKey);
 	}
 	@Override
 	public KeyParser getEdKeyParser() {
 		return edKeyParser;
 	}
 	@Override
 	public KeyPair generateAgreementKeyPair() {
 		AsymmetricCipherKeyPair keyPair =
@@ -193,17 +172,11 @@ class CryptoComponentImpl implements CryptoComponent {
 	@Override
 	public KeyPair generateSignatureKeyPair() {
-		AsymmetricCipherKeyPair keyPair =
+		java.security.KeyPair keyPair = signatureKeyPairGenerator.generateKeyPair();
-				signatureKeyPairGenerator.generateKeyPair();
+		EdDSAPublicKey edPublicKey = (EdDSAPublicKey) keyPair.getPublic();
-		// Return a wrapper that uses the SEC 1 encoding
+		PublicKey publicKey = new EdPublicKey(edPublicKey.getAbyte());
-		ECPublicKeyParameters ecPublicKey =
+		EdDSAPrivateKey edPrivateKey = (EdDSAPrivateKey) keyPair.getPrivate();
-				(ECPublicKeyParameters) keyPair.getPublic();
+		PrivateKey privateKey = new EdPrivateKey(edPrivateKey.getSeed());
 		PublicKey publicKey = new Sec1PublicKey(ecPublicKey
 		);
 		ECPrivateKeyParameters ecPrivateKey =
 				(ECPrivateKeyParameters) keyPair.getPrivate();
 		PrivateKey privateKey = new Sec1PrivateKey(ecPrivateKey,
 				SIGNATURE_KEY_PAIR_BITS);
 		return new KeyPair(publicKey, privateKey);
 	}
@@ -240,19 +213,8 @@ class CryptoComponentImpl implements CryptoComponent {
 	@Override
 	public byte[] sign(String label, byte[] toSign, byte[] privateKey)
 			throws GeneralSecurityException {
-		return sign(new SignatureImpl(secureRandom), signatureKeyParser, label,
+		PrivateKey key = signatureKeyParser.parsePrivateKey(privateKey);
-				toSign, privateKey);
+		Signature sig = new EdSignature();
 	}
 	@Override
 	public byte[] signEd(String label, byte[] toSign, byte[] privateKey)
 			throws GeneralSecurityException {
 		return sign(new EdSignature(), edKeyParser, label, toSign, privateKey);
 	}
 	private byte[] sign(Signature sig, KeyParser keyParser, String label,
 			byte[] toSign, byte[] privateKey) throws GeneralSecurityException {
 		PrivateKey key = keyParser.parsePrivateKey(privateKey);
 		sig.initSign(key);
 		updateSignature(sig, label, toSign);
 		return sig.sign();
@@ -261,21 +223,8 @@ class CryptoComponentImpl implements CryptoComponent {
 	@Override
 	public boolean verify(String label, byte[] signedData, byte[] publicKey,
 			byte[] signature) throws GeneralSecurityException {
-		return verify(new SignatureImpl(secureRandom), signatureKeyParser,
+		PublicKey key = signatureKeyParser.parsePublicKey(publicKey);
-				label, signedData, publicKey, signature);
+		Signature sig = new EdSignature();
 	}
 	@Override
 	public boolean verifyEd(String label, byte[] signedData, byte[] publicKey,
 			byte[] signature) throws GeneralSecurityException {
 		return verify(new EdSignature(), edKeyParser, label, signedData,
 				publicKey, signature);
 	}
 	private boolean verify(Signature sig, KeyParser keyParser, String label,
 			byte[] signedData, byte[] publicKey, byte[] signature)
 			throws GeneralSecurityException {
 		PublicKey key = keyParser.parsePublicKey(publicKey);
 		sig.initVerify(key);
 		updateSignature(sig, label, signedData);
 		return sig.verify(signature);
--- a/bramble-core/src/main/java/org/briarproject/bramble/crypto/SignatureImpl.java
+++ b/bramble-core/src/main/java/org/briarproject/bramble/crypto/SignatureImpl.java
@@ -1,91 +0,0 @@
 package org.briarproject.bramble.crypto;
 import org.briarproject.bramble.api.crypto.PrivateKey;
 import org.briarproject.bramble.api.crypto.PublicKey;
 import org.briarproject.bramble.api.nullsafety.NotNullByDefault;
 import org.spongycastle.crypto.Digest;
 import org.spongycastle.crypto.digests.Blake2bDigest;
 import org.spongycastle.crypto.params.ECPrivateKeyParameters;
 import org.spongycastle.crypto.params.ECPublicKeyParameters;
 import org.spongycastle.crypto.params.ParametersWithRandom;
 import org.spongycastle.crypto.signers.DSADigestSigner;
 import org.spongycastle.crypto.signers.DSAKCalculator;
 import org.spongycastle.crypto.signers.ECDSASigner;
 import org.spongycastle.crypto.signers.HMacDSAKCalculator;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
 import java.util.logging.Logger;
 import javax.annotation.concurrent.NotThreadSafe;
 import static java.util.logging.Level.INFO;
@NotThreadSafe
@NotNullByDefault
 class SignatureImpl implements Signature {
 	private static final Logger LOG =
 			Logger.getLogger(SignatureImpl.class.getName());
 	private final SecureRandom secureRandom;
 	private final DSADigestSigner signer;
 	SignatureImpl(SecureRandom secureRandom) {
 		this.secureRandom = secureRandom;
 		Digest digest = new Blake2bDigest(256);
 		DSAKCalculator calculator = new HMacDSAKCalculator(digest);
 		signer = new DSADigestSigner(new ECDSASigner(calculator), digest);
 	}
 	@Override
 	public void initSign(PrivateKey k) throws GeneralSecurityException {
 		if (!(k instanceof Sec1PrivateKey))
 			throw new IllegalArgumentException();
 		ECPrivateKeyParameters priv = ((Sec1PrivateKey) k).getKey();
 		signer.init(true, new ParametersWithRandom(priv, secureRandom));
 	}
 	@Override
 	public void initVerify(PublicKey k) throws GeneralSecurityException {
 		if (!(k instanceof Sec1PublicKey))
 			throw new IllegalArgumentException();
 		ECPublicKeyParameters pub = ((Sec1PublicKey) k).getKey();
 		signer.init(false, pub);
 	}
 	@Override
 	public void update(byte b) {
 		signer.update(b);
 	}
 	@Override
 	public void update(byte[] b) {
 		update(b, 0, b.length);
 	}
 	@Override
 	public void update(byte[] b, int off, int len) {
 		signer.update(b, off, len);
 	}
 	@Override
 	public byte[] sign() {
 		long now = System.currentTimeMillis();
 		byte[] signature = signer.generateSignature();
 		long duration = System.currentTimeMillis() - now;
 		if (LOG.isLoggable(INFO))
 			LOG.info("Generating signature took " + duration + " ms");
 		return signature;
 	}
 	@Override
 	public boolean verify(byte[] signature) {
 		long now = System.currentTimeMillis();
 		boolean valid = signer.verifySignature(signature);
 		long duration = System.currentTimeMillis() - now;
 		if (LOG.isLoggable(INFO))
 			LOG.info("Verifying signature took " + duration + " ms");
 		return valid;
 	}
 }
--- a/bramble-core/src/test/java/org/briarproject/bramble/crypto/EcdsaSignatureTest.java
+++ b/bramble-core/src/test/java/org/briarproject/bramble/crypto/EcdsaSignatureTest.java
@@ -1,25 +0,0 @@
 package org.briarproject.bramble.crypto;
 import org.briarproject.bramble.api.crypto.KeyPair;
 import java.security.GeneralSecurityException;
 public class EcdsaSignatureTest extends SignatureTest {
 	@Override
 	protected KeyPair generateKeyPair() {
 		return crypto.generateSignatureKeyPair();
 	}
 	@Override
 	protected byte[] sign(String label, byte[] toSign, byte[] privateKey)
 			throws GeneralSecurityException {
 		return crypto.sign(label, toSign, privateKey);
 	}
 	@Override
 	protected boolean verify(String label, byte[] signedData, byte[] publicKey,
 			byte[] signature) throws GeneralSecurityException {
 		return crypto.verify(label, signedData, publicKey, signature);
 	}
 }
--- a/bramble-core/src/test/java/org/briarproject/bramble/crypto/EdSignatureTest.java
+++ b/bramble-core/src/test/java/org/briarproject/bramble/crypto/EdSignatureTest.java
@@ -133,19 +133,19 @@ public class EdSignatureTest extends SignatureTest {
 	@Override
 	protected KeyPair generateKeyPair() {
-		return crypto.generateEdKeyPair();
+		return crypto.generateSignatureKeyPair();
 	}
 	@Override
 	protected byte[] sign(String label, byte[] toSign, byte[] privateKey)
 			throws GeneralSecurityException {
-		return crypto.signEd(label, toSign, privateKey);
+		return crypto.sign(label, toSign, privateKey);
 	}
 	@Override
 	protected boolean verify(String label, byte[] signedData, byte[] publicKey,
 			byte[] signature) throws GeneralSecurityException {
-		return crypto.verifyEd(label, signedData, publicKey, signature);
+		return crypto.verify(label, signedData, publicKey, signature);
 	}
 	@Test
--- a/bramble-core/src/test/java/org/briarproject/bramble/crypto/KeyEncodingAndParsingTest.java
+++ b/bramble-core/src/test/java/org/briarproject/bramble/crypto/KeyEncodingAndParsingTest.java
@@ -6,13 +6,14 @@ import org.briarproject.bramble.api.crypto.PrivateKey;
 import org.briarproject.bramble.api.crypto.PublicKey;
 import org.briarproject.bramble.test.BrambleTestCase;
 import org.briarproject.bramble.test.TestSecureRandomProvider;
 import org.briarproject.bramble.test.TestUtils;
 import org.junit.Test;
 import java.security.GeneralSecurityException;
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
+import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_AGREEMENT_PUBLIC_KEY_BYTES;
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_SIGNATURE_LENGTH;
+import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_SIGNATURE_BYTES;
 import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_SIGNATURE_PUBLIC_KEY_BYTES;
 import static org.briarproject.bramble.test.TestUtils.getRandomBytes;
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertTrue;
@@ -28,7 +29,7 @@ public class KeyEncodingAndParsingTest extends BrambleTestCase {
 			KeyPair keyPair = crypto.generateSignatureKeyPair();
 			// Check the length of the public key
 			byte[] publicKey = keyPair.getPublic().getEncoded();
-			assertTrue(publicKey.length <= MAX_PUBLIC_KEY_LENGTH);
+			assertTrue(publicKey.length <= MAX_AGREEMENT_PUBLIC_KEY_BYTES);
 		}
 	}
@@ -45,7 +46,8 @@ public class KeyEncodingAndParsingTest extends BrambleTestCase {
 		aPub = parser.parsePublicKey(aPub.getEncoded());
 		aPub = parser.parsePublicKey(aPub.getEncoded());
 		// Derive the shared secret again - it should be the same
-		byte[] secret1 = crypto.performRawKeyAgreement(bPair.getPrivate(), aPub);
+		byte[] secret1 =
 				crypto.performRawKeyAgreement(bPair.getPrivate(), aPub);
 		assertArrayEquals(secret, secret1);
 	}
@@ -62,7 +64,8 @@ public class KeyEncodingAndParsingTest extends BrambleTestCase {
 		bPriv = parser.parsePrivateKey(bPriv.getEncoded());
 		bPriv = parser.parsePrivateKey(bPriv.getEncoded());
 		// Derive the shared secret again - it should be the same
-		byte[] secret1 = crypto.performRawKeyAgreement(bPriv, aPair.getPublic());
+		byte[] secret1 =
 				crypto.performRawKeyAgreement(bPriv, aPair.getPublic());
 		assertArrayEquals(secret, secret1);
 	}
@@ -76,12 +79,12 @@ public class KeyEncodingAndParsingTest extends BrambleTestCase {
 		// Parse some random byte arrays - expect GeneralSecurityException
 		for (int i = 0; i < 1000; i++) {
 			try {
-				parser.parsePublicKey(TestUtils.getRandomBytes(pubLength));
+				parser.parsePublicKey(getRandomBytes(pubLength));
 			} catch (GeneralSecurityException expected) {
 				// Expected
 			}
 			try {
-				parser.parsePrivateKey(TestUtils.getRandomBytes(privLength));
+				parser.parsePrivateKey(getRandomBytes(privLength));
 			} catch (GeneralSecurityException expected) {
 				// Expected
 			}
@@ -95,7 +98,7 @@ public class KeyEncodingAndParsingTest extends BrambleTestCase {
 			KeyPair keyPair = crypto.generateSignatureKeyPair();
 			// Check the length of the public key
 			byte[] publicKey = keyPair.getPublic().getEncoded();
-			assertTrue(publicKey.length <= MAX_PUBLIC_KEY_LENGTH);
+			assertTrue(publicKey.length <= MAX_SIGNATURE_PUBLIC_KEY_BYTES);
 		}
 	}
@@ -106,44 +109,53 @@ public class KeyEncodingAndParsingTest extends BrambleTestCase {
 			KeyPair keyPair = crypto.generateSignatureKeyPair();
 			byte[] key = keyPair.getPrivate().getEncoded();
 			// Sign some random data and check the length of the signature
-			byte[] toBeSigned = TestUtils.getRandomBytes(1234);
+			byte[] toBeSigned = getRandomBytes(1234);
 			byte[] signature = crypto.sign("label", toBeSigned, key);
-			assertTrue(signature.length <= MAX_SIGNATURE_LENGTH);
+			assertTrue(signature.length <= MAX_SIGNATURE_BYTES);
 		}
 	}
 	@Test
 	public void testSignaturePublicKeyEncodingAndParsing() throws Exception {
 		KeyParser parser = crypto.getSignatureKeyParser();
-		// Generate two key pairs
+		// Generate a key pair and sign some data
-		KeyPair aPair = crypto.generateSignatureKeyPair();
+		KeyPair keyPair = crypto.generateSignatureKeyPair();
-		KeyPair bPair = crypto.generateSignatureKeyPair();
+		PublicKey publicKey = keyPair.getPublic();
-		// Derive the shared secret
+		PrivateKey privateKey = keyPair.getPrivate();
-		PublicKey aPub = aPair.getPublic();
+		byte[] message = getRandomBytes(123);
-		byte[] secret = crypto.performRawKeyAgreement(bPair.getPrivate(), aPub);
+		byte[] signature = crypto.sign("test", message,
 				privateKey.getEncoded());
 		// Verify the signature
 		assertTrue(crypto.verify("test", message, publicKey.getEncoded(),
 				signature));
 		// Encode and parse the public key - no exceptions should be thrown
-		aPub = parser.parsePublicKey(aPub.getEncoded());
+		publicKey = parser.parsePublicKey(publicKey.getEncoded());
-		aPub = parser.parsePublicKey(aPub.getEncoded());
+		// Verify the signature again
-		// Derive the shared secret again - it should be the same
+		assertTrue(crypto.verify("test", message, publicKey.getEncoded(),
-		byte[] secret1 = crypto.performRawKeyAgreement(bPair.getPrivate(), aPub);
+				signature));
 		assertArrayEquals(secret, secret1);
 	}
 	@Test
 	public void testSignaturePrivateKeyEncodingAndParsing() throws Exception {
 		KeyParser parser = crypto.getSignatureKeyParser();
-		// Generate two key pairs
+		// Generate a key pair and sign some data
-		KeyPair aPair = crypto.generateSignatureKeyPair();
+		KeyPair keyPair = crypto.generateSignatureKeyPair();
-		KeyPair bPair = crypto.generateSignatureKeyPair();
+		PublicKey publicKey = keyPair.getPublic();
-		// Derive the shared secret
+		PrivateKey privateKey = keyPair.getPrivate();
-		PrivateKey bPriv = bPair.getPrivate();
+		byte[] message = getRandomBytes(123);
-		byte[] secret = crypto.performRawKeyAgreement(bPriv, aPair.getPublic());
+		byte[] signature = crypto.sign("test", message,
 				privateKey.getEncoded());
 		// Verify the signature
 		assertTrue(crypto.verify("test", message, publicKey.getEncoded(),
 				signature));
 		// Encode and parse the private key - no exceptions should be thrown
-		bPriv = parser.parsePrivateKey(bPriv.getEncoded());
+		privateKey = parser.parsePrivateKey(privateKey.getEncoded());
-		bPriv = parser.parsePrivateKey(bPriv.getEncoded());
+		// Sign the data again - the signatures should be the same
-		// Derive the shared secret again - it should be the same
+		byte[] signature1 = crypto.sign("test", message,
-		byte[] secret1 = crypto.performRawKeyAgreement(bPriv, aPair.getPublic());
+				privateKey.getEncoded());
-		assertArrayEquals(secret, secret1);
+		assertTrue(crypto.verify("test", message, publicKey.getEncoded(),
 				signature1));
 		assertArrayEquals(signature, signature1);
 	}
 	@Test
@@ -156,12 +168,12 @@ public class KeyEncodingAndParsingTest extends BrambleTestCase {
 		// Parse some random byte arrays - expect GeneralSecurityException
 		for (int i = 0; i < 1000; i++) {
 			try {
-				parser.parsePublicKey(TestUtils.getRandomBytes(pubLength));
+				parser.parsePublicKey(getRandomBytes(pubLength));
 			} catch (GeneralSecurityException expected) {
 				// Expected
 			}
 			try {
-				parser.parsePrivateKey(TestUtils.getRandomBytes(privLength));
+				parser.parsePrivateKey(getRandomBytes(privLength));
 			} catch (GeneralSecurityException expected) {
 				// Expected
 			}
--- a/briar-core/src/main/java/org/briarproject/briar/introduction/IntroductionValidator.java
+++ b/briar-core/src/main/java/org/briarproject/briar/introduction/IntroductionValidator.java
@@ -15,6 +15,7 @@ import org.briarproject.briar.client.BdfQueueMessageValidator;
 import javax.annotation.concurrent.Immutable;
 import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_AGREEMENT_PUBLIC_KEY_BYTES;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_AUTHOR_NAME_LENGTH;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_SIGNATURE_LENGTH;
@@ -133,7 +134,7 @@ class IntroductionValidator extends BdfQueueMessageValidator {
 			// parse ephemeral public key
 			pubkey = message.getRaw(4);
-			checkLength(pubkey, 1, MAX_PUBLIC_KEY_LENGTH);
+			checkLength(pubkey, 1, MAX_AGREEMENT_PUBLIC_KEY_BYTES);
 			// parse transport properties
 			tp = message.getDictionary(5);
--- a/briar-core/src/test/java/org/briarproject/briar/introduction/IntroduceeManagerTest.java
+++ b/briar-core/src/test/java/org/briarproject/briar/introduction/IntroduceeManagerTest.java
@@ -36,7 +36,7 @@ import org.junit.Test;
 import java.security.GeneralSecurityException;
 import java.security.SecureRandom;
-import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
+import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_AGREEMENT_PUBLIC_KEY_BYTES;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_SIGNATURE_LENGTH;
 import static org.briarproject.bramble.api.sync.SyncConstants.MESSAGE_HEADER_LENGTH;
 import static org.briarproject.bramble.test.TestUtils.getAuthor;
@@ -215,7 +215,7 @@ public class IntroduceeManagerTest extends BriarTestCase {
 		// turn request message into a response
 		msg.put(ACCEPT, true);
 		msg.put(TIME, time);
-		msg.put(E_PUBLIC_KEY, getRandomBytes(MAX_PUBLIC_KEY_LENGTH));
+		msg.put(E_PUBLIC_KEY, getRandomBytes(MAX_AGREEMENT_PUBLIC_KEY_BYTES));
 		msg.put(TRANSPORT, new BdfDictionary());
 		context.checking(new Expectations() {{
@@ -308,7 +308,7 @@ public class IntroduceeManagerTest extends BriarTestCase {
 		byte[] publicKeyBytes = introducee2.getAuthor().getPublicKey();
 		BdfDictionary tp = BdfDictionary.of(new BdfEntry("fake", "fake"));
-		byte[] ePublicKeyBytes = getRandomBytes(MAX_PUBLIC_KEY_LENGTH);
+		byte[] ePublicKeyBytes = getRandomBytes(MAX_AGREEMENT_PUBLIC_KEY_BYTES);
 		byte[] mac = getRandomBytes(MAC_LENGTH);
 		SecretKey macKey = getSecretKey();
--- a/briar-core/src/test/java/org/briarproject/briar/introduction/IntroductionIntegrationTest.java
+++ b/briar-core/src/test/java/org/briarproject/briar/introduction/IntroductionIntegrationTest.java
@@ -730,7 +730,7 @@ public class IntroductionIntegrationTest
 	@Test
 	public void testModifiedEphemeralPublicKey() throws Exception {
 		testModifiedResponse(response -> {
-			KeyPair keyPair = crypto.generateSignatureKeyPair();
+			KeyPair keyPair = crypto.generateAgreementKeyPair();
 			response.put(E_PUBLIC_KEY, keyPair.getPublic().getEncoded());
 			return true;
 		});
--- a/briar-core/src/test/java/org/briarproject/briar/introduction/IntroductionValidatorTest.java
+++ b/briar-core/src/test/java/org/briarproject/briar/introduction/IntroductionValidatorTest.java
@@ -20,6 +20,7 @@ import org.briarproject.briar.test.BriarTestCase;
 import org.jmock.Mockery;
 import org.junit.Test;
 import static org.briarproject.bramble.api.crypto.CryptoConstants.MAX_AGREEMENT_PUBLIC_KEY_BYTES;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_AUTHOR_NAME_LENGTH;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_PUBLIC_KEY_LENGTH;
 import static org.briarproject.bramble.api.identity.AuthorConstants.MAX_SIGNATURE_LENGTH;
@@ -164,7 +165,7 @@ public class IntroductionValidatorTest extends BriarTestCase {
 		byte[] groupId = getRandomId();
 		byte[] sessionId = getRandomId();
 		long time = clock.currentTimeMillis();
-		byte[] publicKey = getRandomBytes(MAX_PUBLIC_KEY_LENGTH);
+		byte[] publicKey = getRandomBytes(MAX_AGREEMENT_PUBLIC_KEY_BYTES);
 		String transportId =
 				getRandomString(TransportId.MAX_TRANSPORT_ID_LENGTH);
 		BdfDictionary tProps = BdfDictionary.of(
@@ -255,7 +256,7 @@ public class IntroductionValidatorTest extends BriarTestCase {
 		byte[] groupId = getRandomId();
 		byte[] sessionId = getRandomId();
 		long time = clock.currentTimeMillis();
-		byte[] publicKey = getRandomBytes(MAX_PUBLIC_KEY_LENGTH);
+		byte[] publicKey = getRandomBytes(MAX_AGREEMENT_PUBLIC_KEY_BYTES);
 		String transportId =
 				getRandomString(TransportId.MAX_TRANSPORT_ID_LENGTH);
 		BdfDictionary tProps = BdfDictionary.of(