diff --git a/biscuit-auth/Cargo.toml b/biscuit-auth/Cargo.toml
index 6f4d765a..0664a1a4 100644
--- a/biscuit-auth/Cargo.toml
+++ b/biscuit-auth/Cargo.toml
@@ -27,7 +27,6 @@ pem = ["ed25519-dalek/pem", "ed25519-dalek/pkcs8"]
 
 [dependencies]
 rand_core = "^0.6"
-sha2 = "^0.9"
 prost = "0.10"
 prost-types = "0.10"
 regex = { version = "1.5", default-features = false, features = ["std"] }
@@ -38,7 +37,7 @@ thiserror = "1"
 rand = { version = "0.8" }
 wasm-bindgen = { version = "0.2", optional = true }
 base64 = "0.13.0"
-ed25519-dalek = { version = "2.0.0", features = ["rand_core", "zeroize"] }
+ed25519-dalek = { version = "2.0.0", features = ["rand_core", "zeroize", "digest"] }
 serde = { version = "1.0.132", optional = true, features = ["derive"] }
 getrandom = { version = "0.2.15" }
 time = { version = "0.3.7", features = ["formatting", "parsing"] }
diff --git a/biscuit-auth/src/crypto/mod.rs b/biscuit-auth/src/crypto/mod.rs
index 1c1054ce..ab04410a 100644
--- a/biscuit-auth/src/crypto/mod.rs
+++ b/biscuit-auth/src/crypto/mod.rs
@@ -672,6 +672,27 @@ pub(crate) fn generate_authority_block_signature_payload_v1(
     to_verify
 }
 
+pub(crate) fn generate_authority_block_signature_payload_v1_prehashed<
+    H: ecdsa::signature::digest::Update,
+>(
+    payload: &[u8],
+    next_key: &PublicKey,
+    version: u32,
+    hasher: &mut H,
+) {
+    hasher.update(b"\0BLOCK\0\0VERSION\0");
+    hasher.update(&version.to_le_bytes());
+
+    hasher.update(&b"\0PAYLOAD\0"[..]);
+    hasher.update(payload);
+
+    hasher.update(&b"\0ALGORITHM\0"[..]);
+    hasher.update(&(next_key.algorithm() as i32).to_le_bytes());
+
+    hasher.update(&b"\0NEXTKEY\0"[..]);
+    hasher.update(&next_key.to_bytes());
+}
+
 pub(crate) fn generate_block_signature_payload_v1(
     payload: &[u8],
     next_key: &PublicKey,
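Review bot: `generate_authority_block_signature_payload_v1_prehashed` has no doc comment, and nothing in the code ties its byte sequence to `generate_authority_block_signature_payload_v1` directly above it (whose body ends before this hunk); the commit's own test treats the two as equivalent, so a drift in either one would make signatures from one path fail to verify under the other. I would add `/// Feeds `hasher` the exact bytes that `generate_authority_block_signature_payload_v1` returns; keep the two in lockstep, the layout is part of the signed format.` and the same pointer on the non-prehashed sibling. A point of style: the PAYLOAD, ALGORITHM and NEXTKEY lines re-slice with `&b"..."[..]` while the first call passes `b"\0BLOCK\0\0VERSION\0"` directly, and since `Update::update` takes `&[u8]` both forms work, so pick one. Consider also a short why-comment on the NUL-delimited labels, e.g. `// NUL-framed labels give each field its own domain; no length prefix is written, so field order is load-bearing`, if that matches how the v1 format is defined elsewhere in this file.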
@@ -986,4 +1007,38 @@ mod tests {
         let deser_pub = PublicKey::from_pem(&pem_pub).unwrap();
         assert_eq!(p256_pub, deser_pub);
     }
+
+    #[test]
+    fn prehashed_signature() {
+        use ::p256::NistP256;
+        use ecdsa::hazmat::DigestPrimitive;
+        use ed25519_dalek::DigestSigner;
+
+        let kp = ed25519::KeyPair::new();
+        let next_key = KeyPair::new();
+        let version = 1;
+        let payload = b"payload";
+        let mut prehashed: ed25519_dalek::Sha512 = ed25519_dalek::Sha512::default();
+        generate_authority_block_signature_payload_v1_prehashed(
+            payload,
+            &next_key.public(),
+            version,
+            &mut prehashed,
+        );
+        //let hash = ed25519_dalek::Digest::finalize(prehashed);
+        let sig = kp.kp.try_sign_digest(prehashed).unwrap().to_vec();
+        println!("{:?}", sig);
+
+        let to_sign =
+            generate_authority_block_signature_payload_v1(payload, &next_key.public(), version);
+
+        let sig2 = kp.sign(&to_sign).unwrap();
+        assert_eq!(sig, sig2.to_bytes());
+
+        // let mut prehashed2 = ::Digest::default();
+        // generate_authority_block_signature_payload_v1_prehashed(b"payload", 1, &mut prehashed2);
+        // let kp = p256::KeyPair::new();
+        // let sig: ecdsa::Signature = kp.kp.try_sign_digest(prehashed2).unwrap();
+        // println!("{:?}", sig);
+    }
 }
diff --git a/biscuit-auth/src/crypto/p256.rs b/biscuit-auth/src/crypto/p256.rs
index a76e4ce4..3aec91df 100644
--- a/biscuit-auth/src/crypto/p256.rs
+++ b/biscuit-auth/src/crypto/p256.rs
@@ -16,7 +16,7 @@ use std::hash::Hash;
 /// pair of cryptographic keys used to sign a token's block
 #[derive(Debug, PartialEq)]
 pub struct KeyPair {
-    kp: SigningKey,
+    pub(super) kp: SigningKey,
 }
 
 impl KeyPair {
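Review bot: `assert_eq!(sig, sig2.to_bytes())` compares a `try_sign_digest` signature with a plain `kp.sign(&to_sign)` signature, and as far as I recall ed25519-dalek 2.0's `DigestSigner` impl for `SigningKey` goes through `sign_prehashed`, i.e. Ed25519ph with the `dom2` domain separator over the SHA-512 of the message, which by construction is not byte-equal to a pure Ed25519 signature of the same message; please confirm against the dalek source, because if so this test cannot pass and any prehashed signing path needs a matching `verify_prehashed` on the verifier side rather than `verify`, and the token format would have to say which variant a block uses. The test also keeps `use ::p256::NistP256;` and `use ecdsa::hazmat::DigestPrimitive;` although only the commented-out block uses them, which will warn under `-D warnings`, and `println!("{:?}", sig)` plus the commented-out p256 block read as leftover exploration: either finish the p256 case as a second assertion or drop those lines. The `::Digest::default()` and `ecdsa::Signature` in the commented block appear to have lost their generic arguments in rendering, so the quoted text should not be copied as is.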
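Review bot: Widening `kp` to `pub(super)` exposes the raw p256 `SigningKey` to every module under `crypto`, apparently only so a test can call `kp.kp.try_sign_digest`, which makes the private key reachable from more code than before for a test-only need. A narrower option is a `#[cfg(test)] pub(super) fn signing_key(&self) -> &SigningKey` accessor, or a `try_sign_digest` wrapper on `KeyPair` that keeps the field private and the prehashed path inside the type that owns the key. `impl KeyPair` continues outside the hunk.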