author | Peter Dettman <peter.dettman@bouncycastle.org> | 2018-10-14 17:04:55 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2018-10-14 17:04:55 +0700 |
commit | fe659c4b342dcc1aaad7ad44481741bcfa0c2662 (patch) | |
tree | 08f873ff8ffec313aae1253333b16f613a72d317 /crypto/src | |
parent | Port PGP utility fix from Java (diff) | |
download | BouncyCastle.NET-ed25519-fe659c4b342dcc1aaad7ad44481741bcfa0c2662.tar.xz |
Move XDH/EdDSA key generation into low-level
- Clamp X25519, X448 private keys during generation
Diffstat (limited to 'crypto/src')
9 files changed, 36 insertions, 5 deletions
diff --git a/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs b/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs
index 97902e093..8046a0b1b 100644
--- a/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs
@@ -19,7 +19,7 @@ namespace Org.BouncyCastle.Crypto.Parameters
 public Ed25519PrivateKeyParameters(SecureRandom random)
 : base(true)
 {
- random.NextBytes(data);
+ Ed25519.GeneratePrivateKey(random, data);
 }
 public Ed25519PrivateKeyParameters(byte[] buf, int off)
diff --git a/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs b/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs
index 74b5d63f3..f2fc4d533 100644
--- a/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs
+++ b/crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs
@@ -19,7 +19,7 @@ namespace Org.BouncyCastle.Crypto.Parameters
 public Ed448PrivateKeyParameters(SecureRandom random)
 : base(true)
 {
- random.NextBytes(data);
+ Ed448.GeneratePrivateKey(random, data);
 }
 public Ed448PrivateKeyParameters(byte[] buf, int off)
diff --git a/crypto/src/crypto/parameters/X25519KeyGenerationParameters.cs b/crypto/src/crypto/parameters/X25519KeyGenerationParameters.cs
index 09972c7a2..d0bcffa94 100644
--- a/crypto/src/crypto/parameters/X25519KeyGenerationParameters.cs
+++ b/crypto/src/crypto/parameters/X25519KeyGenerationParameters.cs
@@ -8,7 +8,7 @@ namespace Org.BouncyCastle.Crypto.Parameters
 : KeyGenerationParameters
 {
 public X25519KeyGenerationParameters(SecureRandom random)
- : base(random, 256)
+ : base(random, 255)
 {
 }
 }
diff --git a/crypto/src/crypto/parameters/X25519PrivateKeyParameters.cs b/crypto/src/crypto/parameters/X25519PrivateKeyParameters.cs
index fb49a02b3..f7bbdac74 100644
--- a/crypto/src/crypto/parameters/X25519PrivateKeyParameters.cs
+++ b/crypto/src/crypto/parameters/X25519PrivateKeyParameters.cs
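Review bot: In X25519KeyGenerationParameters.cs the strength passed to the base constructor becomes a bare `255` with nothing in the file saying what it counts. It appears to follow the clamp this commit adds in X25519.GeneratePrivateKey, which clears the top bit of the last scalar byte, but a reader of this file alone cannot tell that, and the clamp fixes further bits, so the figure is not the number of random bits either. A one-line comment would settle it, for example `// nominal strength: clamped X25519 scalars have the top bit cleared (see X25519.GeneratePrivateKey)`. The class declaration starts above the hunk.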
@@ -19,7 +19,7 @@ namespace Org.BouncyCastle.Crypto.Parameters
 public X25519PrivateKeyParameters(SecureRandom random)
 : base(true)
 {
- random.NextBytes(data);
+ X25519.GeneratePrivateKey(random, data);
 }
 public X25519PrivateKeyParameters(byte[] buf, int off)
diff --git a/crypto/src/crypto/parameters/X448PrivateKeyParameters.cs b/crypto/src/crypto/parameters/X448PrivateKeyParameters.cs
index d17aa7947..a073e5799 100644
--- a/crypto/src/crypto/parameters/X448PrivateKeyParameters.cs
+++ b/crypto/src/crypto/parameters/X448PrivateKeyParameters.cs
@@ -19,7 +19,7 @@ namespace Org.BouncyCastle.Crypto.Parameters
 public X448PrivateKeyParameters(SecureRandom random)
 : base(true)
 {
- random.NextBytes(data);
+ X448.GeneratePrivateKey(random, data);
 }
 public X448PrivateKeyParameters(byte[] buf, int off)
diff --git a/crypto/src/math/ec/rfc7748/X25519.cs b/crypto/src/math/ec/rfc7748/X25519.cs
index d8db2527a..8524b9e2c 100644
--- a/crypto/src/math/ec/rfc7748/X25519.cs
+++ b/crypto/src/math/ec/rfc7748/X25519.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Diagnostics;
+using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities;
 namespace Org.BouncyCastle.Math.EC.Rfc7748
@@ -50,6 +51,15 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
 n[7] |= 0x40000000U;
 }
+ public static void GeneratePrivateKey(SecureRandom random, byte[] k)
+ {
+ random.NextBytes(k);
+
+ k[0] &= 0xF8;
+ k[ScalarSize - 1] &= 0x7F;
+ k[ScalarSize - 1] |= 0x40;
+ }
+
 private static void PointDouble(int[] x, int[] z)
 {
 int[] A = X25519Field.Create();
diff --git a/crypto/src/math/ec/rfc7748/X448.cs b/crypto/src/math/ec/rfc7748/X448.cs
index 63d34d1cf..63e526703 100644
--- a/crypto/src/math/ec/rfc7748/X448.cs
+++ b/crypto/src/math/ec/rfc7748/X448.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Diagnostics;
+using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities;
 namespace Org.BouncyCastle.Math.EC.Rfc7748
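Review bot: X25519.GeneratePrivateKey in X25519.cs indexes `k[ScalarSize - 1]` without checking `k.Length`, and it is now a public entry point. A shorter buffer throws only after `random.NextBytes(k)` has already written to it, and a longer one comes back with the clamp applied to an interior byte, so the caller holds a key that is not in the clamped form it expects. A guard before the fill closes both cases: `if (k.Length != ScalarSize) throw new ArgumentException("k must be ScalarSize bytes", "k");`. The same applies to X448.GeneratePrivateKey in X448.cs, and the Ed25519 and Ed448 versions fill whatever length they are handed. The three masks would also merit a short comment naming the RFC 7748 clamping rule they implement.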
@@ -52,6 +53,14 @@ namespace Org.BouncyCastle.Math.EC.Rfc7748
 n[13] |= 0x80000000U;
 }
+ public static void GeneratePrivateKey(SecureRandom random, byte[] k)
+ {
+ random.NextBytes(k);
+
+ k[0] &= 0xFC;
+ k[ScalarSize - 1] |= 0x80;
+ }
+
 private static void PointDouble(uint[] x, uint[] z)
 {
 uint[] A = X448Field.Create();
diff --git a/crypto/src/math/ec/rfc8032/Ed25519.cs b/crypto/src/math/ec/rfc8032/Ed25519.cs
index 403f11f50..b77853f30 100644
--- a/crypto/src/math/ec/rfc8032/Ed25519.cs
+++ b/crypto/src/math/ec/rfc8032/Ed25519.cs
@@ -5,6 +5,7 @@ using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Digests;
 using Org.BouncyCastle.Math.EC.Rfc7748;
 using Org.BouncyCastle.Math.Raw;
+using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities;
 namespace Org.BouncyCastle.Math.EC.Rfc8032
@@ -248,6 +249,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 r[rOff + PointBytes - 1] |= (byte)((x[0] & 1) << 7);
 }
+ public static void GeneratePrivateKey(SecureRandom random, byte[] k)
+ {
+ random.NextBytes(k);
+ }
+
 public static void GeneratePublicKey(byte[] sk, int skOff, byte[] pk, int pkOff)
 {
 IDigest d = CreateDigest();
diff --git a/crypto/src/math/ec/rfc8032/Ed448.cs b/crypto/src/math/ec/rfc8032/Ed448.cs
index 10ebe8f15..38bdee83e 100644
--- a/crypto/src/math/ec/rfc8032/Ed448.cs
+++ b/crypto/src/math/ec/rfc8032/Ed448.cs
@@ -5,6 +5,7 @@ using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Digests;
 using Org.BouncyCastle.Math.EC.Rfc7748;
 using Org.BouncyCastle.Math.Raw;
+using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities;
 namespace Org.BouncyCastle.Math.EC.Rfc8032
@@ -257,6 +258,11 @@ namespace Org.BouncyCastle.Math.EC.Rfc8032
 r[rOff + PointBytes - 1] = (byte)((x[0] & 1) << 7);
 }
+ public static void GeneratePrivateKey(SecureRandom random, byte[] k)
+ {
+ random.NextBytes(k);
+ }
+
 public static void GeneratePublicKey(byte[] sk, int skOff, byte[] pk, int pkOff)
 {
 IXof d = CreateXof(); |
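Review bot: Ed25519.GeneratePrivateKey in Ed25519.cs, and the identical method in Ed448.cs, carry no comment explaining why they leave the random bytes unmasked while the X25519 and X448 versions in this same commit clamp them. This is presumably intentional: the GeneratePublicKey context just below starts by creating a digest (`CreateDigest()` / `CreateXof()`), and RFC 8032 applies its bit fixing to the hash of the seed rather than to the stored seed. Saying so in a doc comment, e.g. `/// The EdDSA private key is a raw seed; bit fixing is applied to its hash, not here.`, would keep a later change from adding a clamp for symmetry. GeneratePublicKey's body continues outside the hunk.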