Support for Ed25519 Host- and Private-Keys

Author: darinkes

src/Renci.SshNet/ConnectionInfo.cs

@@ -378,6 +378,7 @@ public ConnectionInfo(string host, int port, string username, ProxyTypes proxyTy
 
             HostKeyAlgorithms = new Dictionary<string, Func<byte[], KeyHostAlgorithm>>
                 {
+                    {"ssh-ed25519", data => new KeyHostAlgorithm("ssh-ed25519", new ED25519Key(), data)},
 #if FEATURE_ECDSA
                     {"ecdsa-sha2-nistp256", data => new KeyHostAlgorithm("ecdsa-sha2-nistp256", new EcdsaKey(), data)},
                     {"ecdsa-sha2-nistp384", data => new KeyHostAlgorithm("ecdsa-sha2-nistp384", new EcdsaKey(), data)},

src/Renci.SshNet/Renci.SshNet.csproj

@@ -376,6 +376,7 @@
     <Compile Include="Security\BouncyCastle\src\util\Strings.cs" />
     <Compile Include="Security\BouncyCastle\src\util\Times.cs" />
     <Compile Include="Security\Chaos.NaCl\CryptoBytes.cs" />
+    <Compile Include="Security\Chaos.NaCl\Ed25519.cs" />
     <Compile Include="Security\Chaos.NaCl\Internal\Array16.cs" />
     <Compile Include="Security\Chaos.NaCl\Internal\Array8.cs" />
     <Compile Include="Security\Chaos.NaCl\Internal\ByteIntegerConverter.cs" />
@@ -435,8 +436,11 @@
     <Compile Include="Security\Chaos.NaCl\Internal\Sha512Internal.cs" />
     <Compile Include="Security\Chaos.NaCl\MontgomeryCurve25519.cs" />
     <Compile Include="Security\Chaos.NaCl\Sha512.cs" />
+    <Compile Include="Security\Cryptography\Ciphers\Ed255129.cs" />
+    <Compile Include="Security\Cryptography\ED25519DigitalSignature.cs" />
     <Compile Include="Security\Cryptography\EcdsaDigitalSignature.cs" />
     <Compile Include="Security\Cryptography\EcdsaKey.cs" />
+    <Compile Include="Security\Cryptography\ED25519Key.cs" />
     <Compile Include="Security\Cryptography\HMACMD5.cs" />
     <Compile Include="Security\Cryptography\HMACSHA1.cs" />
     <Compile Include="Security\Cryptography\HMACSHA256.cs" />
@@ -753,4 +757,4 @@
   <Target Name="AfterBuild">
   </Target>
   -->
-</Project>
+</Project>

src/Renci.SshNet/Security/Chaos.NaCl/Ed25519.cs

@@ -0,0 +1,147 @@
+using System;
+using Chaos.NaCl.Internal.Ed25519Ref10;
+
+namespace Chaos.NaCl
+{
+    public static class Ed25519
+    {
+        public static readonly int PublicKeySizeInBytes = 32;
+        public static readonly int SignatureSizeInBytes = 64;
+        public static readonly int ExpandedPrivateKeySizeInBytes = 32 * 2;
+        public static readonly int PrivateKeySeedSizeInBytes = 32;
+        public static readonly int SharedKeySizeInBytes = 32;
+
+        public static bool Verify(ArraySegment<byte> signature, ArraySegment<byte> message, ArraySegment<byte> publicKey)
+        {
+            if (signature.Count != SignatureSizeInBytes)
+                throw new ArgumentException(string.Format("Signature size must be {0}", SignatureSizeInBytes), "signature.Count");
+            if (publicKey.Count != PublicKeySizeInBytes)
+                throw new ArgumentException(string.Format("Public key size must be {0}", PublicKeySizeInBytes), "publicKey.Count");
+            return Ed25519Operations.crypto_sign_verify(signature.Array, signature.Offset, message.Array, message.Offset, message.Count, publicKey.Array, publicKey.Offset);
+        }
+
+        public static bool Verify(byte[] signature, byte[] message, byte[] publicKey)
+        {
+            if (signature == null)
+                throw new ArgumentNullException("signature");
+            if (message == null)
+                throw new ArgumentNullException("message");
+            if (publicKey == null)
+                throw new ArgumentNullException("publicKey");
+            if (signature.Length != SignatureSizeInBytes)
+                throw new ArgumentException(string.Format("Signature size must be {0}", SignatureSizeInBytes), "signature.Length");
+            if (publicKey.Length != PublicKeySizeInBytes)
+                throw new ArgumentException(string.Format("Public key size must be {0}", PublicKeySizeInBytes), "publicKey.Length");
+            return Ed25519Operations.crypto_sign_verify(signature, 0, message, 0, message.Length, publicKey, 0);
+        }
+
+        public static void Sign(ArraySegment<byte> signature, ArraySegment<byte> message, ArraySegment<byte> expandedPrivateKey)
+        {
+            if (signature.Array == null)
+                throw new ArgumentNullException("signature.Array");
+            if (signature.Count != SignatureSizeInBytes)
+                throw new ArgumentException("signature.Count");
+            if (expandedPrivateKey.Array == null)
+                throw new ArgumentNullException("expandedPrivateKey.Array");
+            if (expandedPrivateKey.Count != ExpandedPrivateKeySizeInBytes)
+                throw new ArgumentException("expandedPrivateKey.Count");
+            if (message.Array == null)
+                throw new ArgumentNullException("message.Array");
+            Ed25519Operations.crypto_sign2(signature.Array, signature.Offset, message.Array, message.Offset, message.Count, expandedPrivateKey.Array, expandedPrivateKey.Offset);
+        }
+
+        public static byte[] Sign(byte[] message, byte[] expandedPrivateKey)
+        {
+            var signature = new byte[SignatureSizeInBytes];
+            Sign(new ArraySegment<byte>(signature), new ArraySegment<byte>(message), new ArraySegment<byte>(expandedPrivateKey));
+            return signature;
+        }
+
+        public static byte[] PublicKeyFromSeed(byte[] privateKeySeed)
+        {
+            byte[] privateKey;
+            byte[] publicKey;
+            KeyPairFromSeed(out publicKey, out privateKey, privateKeySeed);
+            CryptoBytes.Wipe(privateKey);
+            return publicKey;
+        }
+
+        public static byte[] ExpandedPrivateKeyFromSeed(byte[] privateKeySeed)
+        {
+            byte[] privateKey;
+            byte[] publicKey;
+            KeyPairFromSeed(out publicKey, out privateKey, privateKeySeed);
+            CryptoBytes.Wipe(publicKey);
+            return privateKey;
+        }
+
+        public static void KeyPairFromSeed(out byte[] publicKey, out byte[] expandedPrivateKey, byte[] privateKeySeed)
+        {
+            if (privateKeySeed == null)
+                throw new ArgumentNullException("privateKeySeed");
+            if (privateKeySeed.Length != PrivateKeySeedSizeInBytes)
+                throw new ArgumentException("privateKeySeed");
+            var pk = new byte[PublicKeySizeInBytes];
+            var sk = new byte[ExpandedPrivateKeySizeInBytes];
+            Ed25519Operations.crypto_sign_keypair(pk, 0, sk, 0, privateKeySeed, 0);
+            publicKey = pk;
+            expandedPrivateKey = sk;
+        }
+
+        public static void KeyPairFromSeed(ArraySegment<byte> publicKey, ArraySegment<byte> expandedPrivateKey, ArraySegment<byte> privateKeySeed)
+        {
+            if (publicKey.Array == null)
+                throw new ArgumentNullException("publicKey.Array");
+            if (expandedPrivateKey.Array == null)
+                throw new ArgumentNullException("expandedPrivateKey.Array");
+            if (privateKeySeed.Array == null)
+                throw new ArgumentNullException("privateKeySeed.Array");
+            if (publicKey.Count != PublicKeySizeInBytes)
+                throw new ArgumentException("publicKey.Count");
+            if (expandedPrivateKey.Count != ExpandedPrivateKeySizeInBytes)
+                throw new ArgumentException("expandedPrivateKey.Count");
+            if (privateKeySeed.Count != PrivateKeySeedSizeInBytes)
+                throw new ArgumentException("privateKeySeed.Count");
+            Ed25519Operations.crypto_sign_keypair(
+                publicKey.Array, publicKey.Offset,
+                expandedPrivateKey.Array, expandedPrivateKey.Offset,
+                privateKeySeed.Array, privateKeySeed.Offset);
+        }
+
+        [Obsolete("Needs more testing")]
+        public static byte[] KeyExchange(byte[] publicKey, byte[] privateKey)
+        {
+            var sharedKey = new byte[SharedKeySizeInBytes];
+            KeyExchange(new ArraySegment<byte>(sharedKey), new ArraySegment<byte>(publicKey), new ArraySegment<byte>(privateKey));
+            return sharedKey;
+        }
+
+        [Obsolete("Needs more testing")]
+        public static void KeyExchange(ArraySegment<byte> sharedKey, ArraySegment<byte> publicKey, ArraySegment<byte> privateKey)
+        {
+            if (sharedKey.Array == null)
+                throw new ArgumentNullException("sharedKey.Array");
+            if (publicKey.Array == null)
+                throw new ArgumentNullException("publicKey.Array");
+            if (privateKey.Array == null)
+                throw new ArgumentNullException("privateKey");
+            if (sharedKey.Count != 32)
+                throw new ArgumentException("sharedKey.Count != 32");
+            if (publicKey.Count != 32)
+                throw new ArgumentException("publicKey.Count != 32");
+            if (privateKey.Count != 64)
+                throw new ArgumentException("privateKey.Count != 64");
+
+            FieldElement montgomeryX, edwardsY, edwardsZ, sharedMontgomeryX;
+            FieldOperations.fe_frombytes(out edwardsY, publicKey.Array, publicKey.Offset);
+            FieldOperations.fe_1(out edwardsZ);
+            MontgomeryCurve25519.EdwardsToMontgomeryX(out montgomeryX, ref edwardsY, ref edwardsZ);
+            byte[] h = Sha512.Hash(privateKey.Array, privateKey.Offset, 32);//ToDo: Remove alloc
+            ScalarOperations.sc_clamp(h, 0);
+            MontgomeryOperations.scalarmult(out sharedMontgomeryX, h, 0, ref montgomeryX);
+            CryptoBytes.Wipe(h);
+            FieldOperations.fe_tobytes(sharedKey.Array, sharedKey.Offset, ref sharedMontgomeryX);
+            MontgomeryCurve25519.KeyExchangeOutputHashNaCl(sharedKey.Array, sharedKey.Offset);
+        }
+    }
+}

src/Renci.SshNet/Security/Cryptography/Ciphers/Ed255129.cs

@@ -0,0 +1,149 @@
+using Chaos.NaCl;
+using Chaos.NaCl.Internal.Ed25519Ref10;
+using System;
+#pragma warning disable CS1591 // Fehledes XML-Kommentar für öffentlich sichtbaren Typ oder Element
+namespace Renci.SshNet.Security.Cryptography.Ciphers
+{
+    public class Ed25519
+    {
+        public static readonly int PublicKeySizeInBytes = 32;
+        public static readonly int SignatureSizeInBytes = 64;
+        public static readonly int ExpandedPrivateKeySizeInBytes = 32 * 2;
+        public static readonly int PrivateKeySeedSizeInBytes = 32;
+        public static readonly int SharedKeySizeInBytes = 32;
+
+        public static bool Verify(ArraySegment<byte> signature, ArraySegment<byte> message, ArraySegment<byte> publicKey)
+        {
+            if (signature.Count != SignatureSizeInBytes)
+                throw new ArgumentException(string.Format("Signature size must be {0}", SignatureSizeInBytes), "signature.Count");
+            if (publicKey.Count != PublicKeySizeInBytes)
+                throw new ArgumentException(string.Format("Public key size must be {0}", PublicKeySizeInBytes), "publicKey.Count");
+            return Ed25519Operations.crypto_sign_verify(signature.Array, signature.Offset, message.Array, message.Offset, message.Count, publicKey.Array, publicKey.Offset);
+        }
+
+        public static bool Verify(byte[] signature, byte[] message, byte[] publicKey)
+        {
+            if (signature == null)
+                throw new ArgumentNullException("signature");
+            if (message == null)
+                throw new ArgumentNullException("message");
+            if (publicKey == null)
+                throw new ArgumentNullException("publicKey");
+            if (signature.Length != SignatureSizeInBytes)
+                throw new ArgumentException(string.Format("Signature size must be {0}", SignatureSizeInBytes), "signature.Length");
+            if (publicKey.Length != PublicKeySizeInBytes)
+                throw new ArgumentException(string.Format("Public key size must be {0}", PublicKeySizeInBytes), "publicKey.Length");
+            return Ed25519Operations.crypto_sign_verify(signature, 0, message, 0, message.Length, publicKey, 0);
+        }
+
+        public static void Sign(ArraySegment<byte> signature, ArraySegment<byte> message, ArraySegment<byte> expandedPrivateKey)
+        {
+            if (signature.Array == null)
+                throw new ArgumentNullException("signature.Array");
+            if (signature.Count != SignatureSizeInBytes)
+                throw new ArgumentException("signature.Count");
+            if (expandedPrivateKey.Array == null)
+                throw new ArgumentNullException("expandedPrivateKey.Array");
+            if (expandedPrivateKey.Count != ExpandedPrivateKeySizeInBytes)
+                throw new ArgumentException("expandedPrivateKey.Count");
+            if (message.Array == null)
+                throw new ArgumentNullException("message.Array");
+            Ed25519Operations.crypto_sign2(signature.Array, signature.Offset, message.Array, message.Offset, message.Count, expandedPrivateKey.Array, expandedPrivateKey.Offset);
+        }
+
+        public static byte[] Sign(byte[] message, byte[] expandedPrivateKey)
+        {
+            var signature = new byte[SignatureSizeInBytes];
+            Sign(new ArraySegment<byte>(signature), new ArraySegment<byte>(message), new ArraySegment<byte>(expandedPrivateKey));
+            return signature;
+        }
+
+        public static byte[] PublicKeyFromSeed(byte[] privateKeySeed)
+        {
+            byte[] privateKey;
+            byte[] publicKey;
+            KeyPairFromSeed(out publicKey, out privateKey, privateKeySeed);
+            CryptoBytes.Wipe(privateKey);
+            return publicKey;
+        }
+
+        public static byte[] ExpandedPrivateKeyFromSeed(byte[] privateKeySeed)
+        {
+            byte[] privateKey;
+            byte[] publicKey;
+            KeyPairFromSeed(out publicKey, out privateKey, privateKeySeed);
+            CryptoBytes.Wipe(publicKey);
+            return privateKey;
+        }
+
+        public static void KeyPairFromSeed(out byte[] publicKey, out byte[] expandedPrivateKey, byte[] privateKeySeed)
+        {
+            if (privateKeySeed == null)
+                throw new ArgumentNullException("privateKeySeed");
+            if (privateKeySeed.Length != PrivateKeySeedSizeInBytes)
+                throw new ArgumentException("privateKeySeed");
+            var pk = new byte[PublicKeySizeInBytes];
+            var sk = new byte[ExpandedPrivateKeySizeInBytes];
+            Ed25519Operations.crypto_sign_keypair(pk, 0, sk, 0, privateKeySeed, 0);
+            publicKey = pk;
+            expandedPrivateKey = sk;
+        }
+
+        public static void KeyPairFromSeed(ArraySegment<byte> publicKey, ArraySegment<byte> expandedPrivateKey, ArraySegment<byte> privateKeySeed)
+        {
+            if (publicKey.Array == null)
+                throw new ArgumentNullException("publicKey.Array");
+            if (expandedPrivateKey.Array == null)
+                throw new ArgumentNullException("expandedPrivateKey.Array");
+            if (privateKeySeed.Array == null)
+                throw new ArgumentNullException("privateKeySeed.Array");
+            if (publicKey.Count != PublicKeySizeInBytes)
+                throw new ArgumentException("publicKey.Count");
+            if (expandedPrivateKey.Count != ExpandedPrivateKeySizeInBytes)
+                throw new ArgumentException("expandedPrivateKey.Count");
+            if (privateKeySeed.Count != PrivateKeySeedSizeInBytes)
+                throw new ArgumentException("privateKeySeed.Count");
+            Ed25519Operations.crypto_sign_keypair(
+                publicKey.Array, publicKey.Offset,
+                expandedPrivateKey.Array, expandedPrivateKey.Offset,
+                privateKeySeed.Array, privateKeySeed.Offset);
+        }
+
+        [Obsolete("Needs more testing")]
+        public static byte[] KeyExchange(byte[] publicKey, byte[] privateKey)
+        {
+            var sharedKey = new byte[SharedKeySizeInBytes];
+            KeyExchange(new ArraySegment<byte>(sharedKey), new ArraySegment<byte>(publicKey), new ArraySegment<byte>(privateKey));
+            return sharedKey;
+        }
+
+        [Obsolete("Needs more testing")]
+        public static void KeyExchange(ArraySegment<byte> sharedKey, ArraySegment<byte> publicKey, ArraySegment<byte> privateKey)
+        {
+            if (sharedKey.Array == null)
+                throw new ArgumentNullException("sharedKey.Array");
+            if (publicKey.Array == null)
+                throw new ArgumentNullException("publicKey.Array");
+            if (privateKey.Array == null)
+                throw new ArgumentNullException("privateKey");
+            if (sharedKey.Count != 32)
+                throw new ArgumentException("sharedKey.Count != 32");
+            if (publicKey.Count != 32)
+                throw new ArgumentException("publicKey.Count != 32");
+            if (privateKey.Count != 64)
+                throw new ArgumentException("privateKey.Count != 64");
+
+            FieldElement montgomeryX, edwardsY, edwardsZ, sharedMontgomeryX;
+            FieldOperations.fe_frombytes(out edwardsY, publicKey.Array, publicKey.Offset);
+            FieldOperations.fe_1(out edwardsZ);
+            MontgomeryCurve25519.EdwardsToMontgomeryX(out montgomeryX, ref edwardsY, ref edwardsZ);
+            byte[] h = Sha512.Hash(privateKey.Array, privateKey.Offset, 32);//ToDo: Remove alloc
+            ScalarOperations.sc_clamp(h, 0);
+            MontgomeryOperations.scalarmult(out sharedMontgomeryX, h, 0, ref montgomeryX);
+            CryptoBytes.Wipe(h);
+            FieldOperations.fe_tobytes(sharedKey.Array, sharedKey.Offset, ref sharedMontgomeryX);
+            MontgomeryCurve25519.KeyExchangeOutputHashNaCl(sharedKey.Array, sharedKey.Offset);
+        }
+    }
+}
+#pragma warning restore CS1591 // Fehledes XML-Kommentar für öffentlich sichtbaren Typ oder Element