require PKCS#8 v2 format for better security

Notably, this format requires that the public key also be present.
This format is what ed25519_new_keypair/1 generates, and it is
strongly encouraged for higher security.

diff --git a/src/prolog/lib/crypto.pl b/src/prolog/lib/crypto.pl
index 696bb0e691929343797b60e458a23d140ae0a877..9fb5e2163e0ae9cc4137c1bad9a1c874cf45f07c 100644 (file)
--- a/src/prolog/lib/crypto.pl
+++ b/src/prolog/lib/crypto.pl
@@ -644,9 +644,9 @@ encoding_bytes(utf8, Cs, Bs) :-
      The public key is represented as a list of characters.
 
    - ed25519_sign(+Key, +Data, -Signature, +Options)
-     Key and Data must be lists of characters. Key is a private key or
-     key pair in PKCS#8 (v1 or v2) DER format. Sign Data with Key,
-     yielding Signature as a list of hexadecimal characters.
+     Key and Data must be lists of characters. Key is a key pair in
+     PKCS#8 v2 format as generated by ed25519_new_keypair/1. Sign Data
+     with Key, yielding Signature as a list of hexadecimal characters.
 
    - ed25519_verify(+Key, +Data, +Signature, +Options)
      Key and Data must be lists of characters. Key is a public key.

diff --git a/src/prolog/machine/system_calls.rs b/src/prolog/machine/system_calls.rs
index 895efad8d219a8c2d9587bf6d1207411a65b4fbc..1fe7b5767164181d0409f0201ec285359944121b 100644 (file)
--- a/src/prolog/machine/system_calls.rs
+++ b/src/prolog/machine/system_calls.rs
@@ -5461,7 +5461,7 @@ impl MachineState {
                 let stub1 = MachineError::functor_stub(clause_name!("ed25519_keypair_public_key"), 2);
                 let bytes = self.integers_to_bytevec(temp_v!(1), stub1);
 
-                let key_pair = match signature::Ed25519KeyPair::from_pkcs8_maybe_unchecked(&bytes) {
+                let key_pair = match signature::Ed25519KeyPair::from_pkcs8(&bytes) {
                                   Ok(kp) => { kp }
                                   _ => { self.fail = true; return Ok(()); }
                                };
@@ -5479,7 +5479,7 @@ impl MachineState {
                 let stub2 = MachineError::functor_stub(clause_name!("ed25519_sign"), 4);
                 let data = self.integers_to_bytevec(temp_v!(2), stub2);
 
-                let key_pair = match signature::Ed25519KeyPair::from_pkcs8_maybe_unchecked(&key) {
+                let key_pair = match signature::Ed25519KeyPair::from_pkcs8(&key) {
                                   Ok(kp) => { kp }
                                   _ => { self.fail = true; return Ok(()); }
                                };