ed25519,x25519: run a subset of Wycheproof test vectors

[MichaelMure]

Note

Low Risk
Changes are limited to adding test coverage and embedded Wycheproof JSON vectors; no production crypto logic is modified, but the large vector files may increase repo/test runtime and CI resource usage.

Overview
Adds Wycheproof-based conformance tests for ed25519.PublicKey.VerifyBytes and x25519 ECDH (PrivateKey.KeyExchange), validating expected accept/reject behavior and shared-secret outputs across official edge-case vectors.

Introduces embedded Wycheproof vector bundles under crypto/ed25519/testvectors and crypto/x25519/testvectors with small loaders (Load/Select) to parse and flatten the JSON into per-test cases.

^{Written by Cursor Bugbot for commit 7298447. This will update automatically on new commits. Configure here.}

[Copilot]

Pull request overview

Adds Wycheproof-based test coverage for Ed25519 signature verification and X25519 key exchange by embedding JSON vector sets and running them in package tests.

Changes:

• Introduce crypto/ed25519/testvectors and crypto/x25519/testvectors helper packages that embed and parse Wycheproof JSON into flattened vector slices.
• Add Ed25519 verification tests that iterate Wycheproof vectors and assert expected validity outcomes.
• Add X25519 ECDH tests that iterate Wycheproof vectors and validate shared secret outputs for “valid” (and conditionally for “acceptable”) cases.

Reviewed changes

Copilot reviewed 4 out of 6 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
crypto/x25519/testvectors/vectors.go	New embedded-vector loader + flag-based selector for X25519 Wycheproof vectors.
crypto/x25519/key_test.go	New Wycheproof-driven X25519 key exchange test.
crypto/ed25519/testvectors/vectors.go	New embedded-vector loader + flag-based selector for Ed25519 Wycheproof vectors.
crypto/ed25519/testvectors/ed25519_test.json	Adds the Wycheproof Ed25519 verify vector JSON payload for embedding.
crypto/ed25519/key_test.go	New Wycheproof-driven Ed25519 VerifyBytes test.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Select(vectors) currently returns an empty slice when called with no flags (because hasAnyFlag(..., nil) is always false). This is an easy footgun for callers and differs from the existing Wycheproof selector pattern in crypto/secp256k1/testvectors (SelectECDSA returns all vectors when flags is empty). Consider returning the input vectors unchanged when len(flags)==0, or update the docstring to explicitly state that passing no flags selects none.

[Copilot]

Select(vectors) currently returns an empty slice when called with no flags (because hasAnyFlag(..., nil) is always false). This is an easy footgun for callers and differs from the existing Wycheproof selector pattern in crypto/secp256k1/testvectors (SelectECDSA returns all vectors when flags is empty). Consider returning the input vectors unchanged when len(flags)==0, or update the docstring to explicitly state that passing no flags selects none.

[smoyer64]

Traditionally, the ed25519_test.json file would be in the testdata folder right? And the associated vectors.go would be xxx_test.go. What's the benefit to not follow conventions here? (2 typ.)

[MichaelMure]

Traditionally, the ed25519_test.json file would be in the testdata folder right? And the associated vectors.go would be xxx_test.go. What's the benefit to not follow conventions here? (2 typ.)

Because I want the data loading to be at the same place as the vectors (ie, not duplicated). To be imported, that can't be a _test.go file.

[MichaelMure]

Also, that pattern already exist in the repo.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}