From 28301ab329dd88bfed6c895d958eb21847247780 Mon Sep 17 00:00:00 2001
From: Scott Xu <scott-xu@msn.com>
Date: Wed, 24 Jul 2024 12:23:22 +0800
Subject: [PATCH] Ed25519 is now based on BouncyCastle instead of Chaos.NaCl
 (#1448)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Ed25519 is now based on BouncyCastle instead of Chaos.NaCl

* Generate PublicKey and fix NullReferenceException

* Rectify variable name

---------

Co-authored-by: Wojciech Nagórski <wojtpl2@gmail.com>
---
 .../Cryptography/ED25519DigitalSignature.cs     |  9 ++++++---
 .../Security/Cryptography/ED25519Key.cs         | 17 ++++++++---------
 src/Renci.SshNet/Security/SshKeyData.cs         |  5 +++--
 3 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/src/Renci.SshNet/Security/Cryptography/ED25519DigitalSignature.cs b/src/Renci.SshNet/Security/Cryptography/ED25519DigitalSignature.cs
index 5b39b09ff..41cfe1f74 100644
--- a/src/Renci.SshNet/Security/Cryptography/ED25519DigitalSignature.cs
+++ b/src/Renci.SshNet/Security/Cryptography/ED25519DigitalSignature.cs
@@ -1,7 +1,8 @@
 using System;
 
+using Org.BouncyCastle.Math.EC.Rfc8032;
+
 using Renci.SshNet.Common;
-using Renci.SshNet.Security.Chaos.NaCl;
 
 namespace Renci.SshNet.Security.Cryptography
 {
@@ -39,7 +40,7 @@ public ED25519DigitalSignature(ED25519Key key)
         /// <exception cref="InvalidOperationException">Invalid signature.</exception>
         public override bool Verify(byte[] input, byte[] signature)
         {
-            return Ed25519.Verify(signature, input, _key.PublicKey);
+            return Ed25519.Verify(signature, 0, _key.PublicKey, 0, input, 0, input.Length);
         }
 
         /// <summary>
@@ -52,7 +53,9 @@ public override bool Verify(byte[] input, byte[] signature)
         /// <exception cref="SshException">Invalid ED25519Key key.</exception>
         public override byte[] Sign(byte[] input)
         {
-            return Ed25519.Sign(input, _key.PrivateKey);
+            var signature = new byte[Ed25519.SignatureSize];
+            Ed25519.Sign(_key.PrivateKey, 0, _key.PublicKey, 0, input, 0, input.Length, signature, 0);
+            return signature;
         }
 
         /// <summary>
diff --git a/src/Renci.SshNet/Security/Cryptography/ED25519Key.cs b/src/Renci.SshNet/Security/Cryptography/ED25519Key.cs
index 5ee2332c0..705924635 100644
--- a/src/Renci.SshNet/Security/Cryptography/ED25519Key.cs
+++ b/src/Renci.SshNet/Security/Cryptography/ED25519Key.cs
@@ -1,7 +1,8 @@
 using System;
 
+using Org.BouncyCastle.Math.EC.Rfc8032;
+
 using Renci.SshNet.Common;
-using Renci.SshNet.Security.Chaos.NaCl;
 using Renci.SshNet.Security.Cryptography;
 
 namespace Renci.SshNet.Security
@@ -49,7 +50,7 @@ public override int KeyLength
         {
             get
             {
-                return PublicKey.Length * 8;
+                return Ed25519.PublicKeySize * 8;
             }
         }
 
@@ -91,8 +92,7 @@ public ED25519Key(SshKeyData publicKeyData)
                 throw new ArgumentException($"Invalid Ed25519 public key data ({publicKeyData.Name}, {publicKeyData.Keys.Length}).", nameof(publicKeyData));
             }
 
-            PublicKey = publicKeyData.Keys[0].ToByteArray().Reverse().TrimLeadingZeros().Pad(Ed25519.PublicKeySizeInBytes);
-            PrivateKey = new byte[Ed25519.ExpandedPrivateKeySizeInBytes];
+            PublicKey = publicKeyData.Keys[0].ToByteArray().Reverse().TrimLeadingZeros().Pad(Ed25519.PublicKeySize);
         }
 
         /// <summary>
@@ -103,11 +103,10 @@ public ED25519Key(SshKeyData publicKeyData)
         /// </param>
         public ED25519Key(byte[] privateKeyData)
         {
-            var seed = new byte[Ed25519.PrivateKeySeedSizeInBytes];
-            Buffer.BlockCopy(privateKeyData, 0, seed, 0, seed.Length);
-            Ed25519.KeyPairFromSeed(out var publicKey, out var privateKey, seed);
-            PublicKey = publicKey;
-            PrivateKey = privateKey;
+            PrivateKey = new byte[Ed25519.SecretKeySize];
+            PublicKey = new byte[Ed25519.PublicKeySize];
+            Buffer.BlockCopy(privateKeyData, 0, PrivateKey, 0, Ed25519.SecretKeySize);
+            Ed25519.GeneratePublicKey(privateKeyData, 0, PublicKey, 0);
         }
 
         /// <summary>
diff --git a/src/Renci.SshNet/Security/SshKeyData.cs b/src/Renci.SshNet/Security/SshKeyData.cs
index 6a3af835a..fa0671459 100644
--- a/src/Renci.SshNet/Security/SshKeyData.cs
+++ b/src/Renci.SshNet/Security/SshKeyData.cs
@@ -1,8 +1,9 @@
 using System.Collections.Generic;
 using System.Text;
 
+using Org.BouncyCastle.Math.EC.Rfc8032;
+
 using Renci.SshNet.Common;
-using Renci.SshNet.Security.Chaos.NaCl;
 
 namespace Renci.SshNet.Security
 {
@@ -88,7 +89,7 @@ protected override void SaveData()
                 var keyData = key.ToByteArray().Reverse();
                 if (Name == "ssh-ed25519")
                 {
-                    keyData = keyData.TrimLeadingZeros().Pad(Ed25519.PublicKeySizeInBytes);
+                    keyData = keyData.TrimLeadingZeros().Pad(Ed25519.PublicKeySize);
                 }
 
                 WriteBinaryString(keyData);