Consider removing/replacing dependency on `net.i2p.crypto:eddsa`

[pepijnve]

A CVE was raised against net.i2p.crypto:eddsa with no patch available. See GHSA-p53j-g8pw-4w5f for details. Is it feasible to replace this dependency with code from, for instance, Bouncy Castle?

[exceptionfactory]

Thanks for raising the question and highlighting the issues with the eddsa library @pepijnve.

I have submitted pull request #993 to address this issue, removing the dependency on eddsa and building against standard Java Security classes.

For versions of Java before Java 15, Bouncy Castle provides support for Ed25519 as you noted. For Java 15 and following, using the standard Java Security classes should enable future integration without requiring Bouncy Castle, although there are several other changes required to reach that goal.

[hierynomus]

It's done, 0.40.0 is out in the wild!

[parthsoni-osfin]

@hierynomus Not able to find the latest version here: http://mvnrepository.com/artifact/net.i2p.crypto/eddsa
Is it available somewhere else?

[hierynomus]

Not sure what you're searching for @parthsoni-osfin? But I'm not the maintainer of net.i2p.crypto:eddsa...

[parthsoni-osfin]

@hierynomus Was looking for eddsa fix, changed sshj version to 0.40.0. It is fixed now.