From b43f27030eaa33e1a92a163086876003240c7838 Mon Sep 17 00:00:00 2001
From: Markus Triska <triska@metalevel.at>
Date: Wed, 20 May 2020 23:51:31 +0200
Subject: [PATCH] require PKCS#8 v2 format for better security

Notably, this format requires that the public key also be present.
This format is what ed25519_new_keypair/1 generates, and it is
strongly encouraged for higher security.
---
 src/prolog/lib/crypto.pl           | 6 +++---
 src/prolog/machine/system_calls.rs | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/prolog/lib/crypto.pl b/src/prolog/lib/crypto.pl
index 696bb0e6..9fb5e216 100644
--- a/src/prolog/lib/crypto.pl
+++ b/src/prolog/lib/crypto.pl
@@ -644,9 +644,9 @@ encoding_bytes(utf8, Cs, Bs) :-
      The public key is represented as a list of characters.
 
    - ed25519_sign(+Key, +Data, -Signature, +Options)
-     Key and Data must be lists of characters. Key is a private key or
-     key pair in PKCS#8 (v1 or v2) DER format. Sign Data with Key,
-     yielding Signature as a list of hexadecimal characters.
+     Key and Data must be lists of characters. Key is a key pair in
+     PKCS#8 v2 format as generated by ed25519_new_keypair/1. Sign Data
+     with Key, yielding Signature as a list of hexadecimal characters.
 
    - ed25519_verify(+Key, +Data, +Signature, +Options)
      Key and Data must be lists of characters. Key is a public key.
diff --git a/src/prolog/machine/system_calls.rs b/src/prolog/machine/system_calls.rs
index 895efad8..1fe7b576 100644
--- a/src/prolog/machine/system_calls.rs
+++ b/src/prolog/machine/system_calls.rs
@@ -5461,7 +5461,7 @@ impl MachineState {
                 let stub1 = MachineError::functor_stub(clause_name!("ed25519_keypair_public_key"), 2);
                 let bytes = self.integers_to_bytevec(temp_v!(1), stub1);
 
-                let key_pair = match signature::Ed25519KeyPair::from_pkcs8_maybe_unchecked(&bytes) {
+                let key_pair = match signature::Ed25519KeyPair::from_pkcs8(&bytes) {
                                   Ok(kp) => { kp }
                                   _ => { self.fail = true; return Ok(()); }
                                };
@@ -5479,7 +5479,7 @@ impl MachineState {
                 let stub2 = MachineError::functor_stub(clause_name!("ed25519_sign"), 4);
                 let data = self.integers_to_bytevec(temp_v!(2), stub2);
 
-                let key_pair = match signature::Ed25519KeyPair::from_pkcs8_maybe_unchecked(&key) {
+                let key_pair = match signature::Ed25519KeyPair::from_pkcs8(&key) {
                                   Ok(kp) => { kp }
                                   _ => { self.fail = true; return Ok(()); }
                                };
-- 
2.54.0