Move XDH/EdDSA key generation into low-level

- Clamp X25519, X448 private keys during generation

Author: peterdettman

crypto/src/crypto/parameters/Ed25519PrivateKeyParameters.cs

@@ -19,7 +19,7 @@ public sealed class Ed25519PrivateKeyParameters
         public Ed25519PrivateKeyParameters(SecureRandom random)
             : base(true)
         {
-            random.NextBytes(data);
+            Ed25519.GeneratePrivateKey(random, data);
         }
 
         public Ed25519PrivateKeyParameters(byte[] buf, int off)

crypto/src/crypto/parameters/Ed448PrivateKeyParameters.cs

@@ -19,7 +19,7 @@ public sealed class Ed448PrivateKeyParameters
         public Ed448PrivateKeyParameters(SecureRandom random)
             : base(true)
         {
-            random.NextBytes(data);
+            Ed448.GeneratePrivateKey(random, data);
         }
 
         public Ed448PrivateKeyParameters(byte[] buf, int off)

crypto/src/crypto/parameters/X25519KeyGenerationParameters.cs

@@ -8,7 +8,7 @@ public class X25519KeyGenerationParameters
         : KeyGenerationParameters
     {
         public X25519KeyGenerationParameters(SecureRandom random)
-            : base(random, 256)
+            : base(random, 255)
         {
         }
     }

crypto/src/crypto/parameters/X25519PrivateKeyParameters.cs

@@ -19,7 +19,7 @@ public sealed class X25519PrivateKeyParameters
         public X25519PrivateKeyParameters(SecureRandom random)
             : base(true)
         {
-            random.NextBytes(data);
+            X25519.GeneratePrivateKey(random, data);
         }
 
         public X25519PrivateKeyParameters(byte[] buf, int off)

crypto/src/crypto/parameters/X448PrivateKeyParameters.cs

@@ -19,7 +19,7 @@ public sealed class X448PrivateKeyParameters
         public X448PrivateKeyParameters(SecureRandom random)
             : base(true)
         {
-            random.NextBytes(data);
+            X448.GeneratePrivateKey(random, data);
         }
 
         public X448PrivateKeyParameters(byte[] buf, int off)

crypto/src/math/ec/rfc7748/X25519.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Diagnostics;
 
+using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Math.EC.Rfc7748
@@ -50,6 +51,15 @@ private static void DecodeScalar(byte[] k, int kOff, uint[] n)
             n[7] |= 0x40000000U;
         }
 
+        public static void GeneratePrivateKey(SecureRandom random, byte[] k)
+        {
+            random.NextBytes(k);
+
+            k[0] &= 0xF8;
+            k[ScalarSize - 1] &= 0x7F;
+            k[ScalarSize - 1] |= 0x40;
+        }
+
         private static void PointDouble(int[] x, int[] z)
         {
             int[] A = X25519Field.Create();

crypto/src/math/ec/rfc7748/X448.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Diagnostics;
 
+using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Math.EC.Rfc7748
@@ -52,6 +53,14 @@ private static void DecodeScalar(byte[] k, int kOff, uint[] n)
             n[13] |= 0x80000000U;
         }
 
+        public static void GeneratePrivateKey(SecureRandom random, byte[] k)
+        {
+            random.NextBytes(k);
+
+            k[0] &= 0xFC;
+            k[ScalarSize - 1] |= 0x80;
+        }
+
         private static void PointDouble(uint[] x, uint[] z)
         {
             uint[] A = X448Field.Create();

crypto/src/math/ec/rfc8032/Ed25519.cs

@@ -5,6 +5,7 @@
 using Org.BouncyCastle.Crypto.Digests;
 using Org.BouncyCastle.Math.EC.Rfc7748;
 using Org.BouncyCastle.Math.Raw;
+using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Math.EC.Rfc8032
@@ -248,6 +249,11 @@ private static void EncodePoint(PointAccum p, byte[] r, int rOff)
             r[rOff + PointBytes - 1] |= (byte)((x[0] & 1) << 7);
         }
 
+        public static void GeneratePrivateKey(SecureRandom random, byte[] k)
+        {
+            random.NextBytes(k);
+        }
+
         public static void GeneratePublicKey(byte[] sk, int skOff, byte[] pk, int pkOff)
         {
             IDigest d = CreateDigest();

crypto/src/math/ec/rfc8032/Ed448.cs

@@ -5,6 +5,7 @@
 using Org.BouncyCastle.Crypto.Digests;
 using Org.BouncyCastle.Math.EC.Rfc7748;
 using Org.BouncyCastle.Math.Raw;
+using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Math.EC.Rfc8032
@@ -257,6 +258,11 @@ private static void EncodePoint(PointExt p, byte[] r, int rOff)
             r[rOff + PointBytes - 1] = (byte)((x[0] & 1) << 7);
         }
 
+        public static void GeneratePrivateKey(SecureRandom random, byte[] k)
+        {
+            random.NextBytes(k);
+        }
+
         public static void GeneratePublicKey(byte[] sk, int skOff, byte[] pk, int pkOff)
         {
             IXof d = CreateXof();