update ed25519-dalek and rand

eclipse-biscuit · Feb 11, 2023 · a160593 · a160593
1 parent 1bf87b0
commit a160593
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 70 deletions.
diff --git a/biscuit-auth/Cargo.toml b/biscuit-auth/Cargo.toml
@@ -24,7 +24,7 @@ docsrs = []
 uuid = ["dep:uuid"]
 
 [dependencies]
-rand_core = "^0.5"
+rand_core = "^0.6"
 sha2 = "^0.9"
 prost = "0.10"
 prost-types = "0.10"
@@ -33,11 +33,11 @@ nom = {version = "7", default-features = false, features = ["std"] }
 hex = "0.4"
 zeroize = { version = "1", default-features = false }
 thiserror = "1"
-rand = { version = "0.7" }
+rand = { version = "0.8" }
 inline-c = { version = "0.1", optional = true }
 wasm-bindgen = { version = "0.2", optional = true }
 base64 = "0.13.0"
-ed25519-dalek = "1.0.1"
+ed25519-dalek = { version = "2.0.0-pre.0", features = ["rand_core", "zeroize"] }
 serde = { version = "1.0.132", optional = true, features = ["derive"] }
 getrandom = { version = "0.1.16" }
 time = { version = "0.3.7", features = ["formatting", "parsing"] }
@@ -48,7 +48,7 @@ biscuit-quote = { version = "0.2.0-alpha5", optional = true, path = "../biscuit-
 
 [dev-dependencies]
 bencher = "0.1.5"
-rand = "0.7"
+rand = "0.8"
 colored-diff = "0.2.3"
 prost-build = "0.10"
 serde = { version = "1.0.130", features = ["derive"] }

diff --git a/biscuit-auth/src/crypto/mod.rs b/biscuit-auth/src/crypto/mod.rs
@@ -19,7 +19,7 @@ use zeroize::Zeroize;
 /// pair of cryptographic keys used to sign a token's block
 #[derive(Debug)]
 pub struct KeyPair {
-    pub kp: ed25519_dalek::Keypair,
+    pub kp: ed25519_dalek::SigningKey,
 }
 
 impl KeyPair {
@@ -28,28 +28,24 @@ impl KeyPair {
     }
 
     pub fn new_with_rng<T: RngCore + CryptoRng>(rng: &mut T) -> Self {
-        let kp = ed25519_dalek::Keypair::generate(rng);
+        let kp = ed25519_dalek::SigningKey::generate(rng);
 
         KeyPair { kp }
     }
 
     pub fn from(key: &PrivateKey) -> Self {
-        let secret = SecretKey::from_bytes(&key.0.to_bytes()).unwrap();
-
-        let public = (&key.0).into();
-
         KeyPair {
-            kp: ed25519_dalek::Keypair { secret, public },
+            kp: ed25519_dalek::SigningKey::from_bytes(&key.0),
         }
     }
 
     pub fn private(&self) -> PrivateKey {
-        let secret = SecretKey::from_bytes(&self.kp.secret.to_bytes()).unwrap();
+        let secret = self.kp.to_bytes();
         PrivateKey(secret)
     }
 
     pub fn public(&self) -> PublicKey {
-        PublicKey(self.kp.public)
+        PublicKey(self.kp.verifying_key())
     }
 }
 
@@ -59,20 +55,14 @@ impl std::default::Default for KeyPair {
     }
 }
 
-impl Drop for KeyPair {
-    fn drop(&mut self) {
-        self.kp.secret.zeroize();
-    }
-}
-
 /// the private part of a [KeyPair]
 #[derive(Debug)]
 pub struct PrivateKey(pub(crate) ed25519_dalek::SecretKey);
 
 impl PrivateKey {
     /// serializes to a byte array
     pub fn to_bytes(&self) -> [u8; 32] {
-        self.0.to_bytes()
+        self.0
     }
 
     /// serializes to an hex-encoded string
@@ -85,10 +75,7 @@ impl PrivateKey {
         let bytes: [u8; 32] = bytes
             .try_into()
             .map_err(|_| Format::InvalidKeySize(bytes.len()))?;
-        SecretKey::from_bytes(&bytes)
-            .map(PrivateKey)
-            .map_err(|s| s.to_string())
-            .map_err(Format::InvalidKey)
+        Ok(PrivateKey(bytes))
     }
 
     /// deserializes from an hex-encoded string
@@ -99,7 +86,7 @@ impl PrivateKey {
 
     /// returns the matching public key
     pub fn public(&self) -> PublicKey {
-        PublicKey((&self.0).into())
+        PublicKey(SigningKey::from_bytes(&self.0).verifying_key())
     }
 }
 
@@ -117,7 +104,7 @@ impl Drop for PrivateKey {
 
 /// the public part of a [KeyPair]
 #[derive(Debug, Clone, Copy, Eq)]
-pub struct PublicKey(pub(crate) ed25519_dalek::PublicKey);
+pub struct PublicKey(pub(crate) ed25519_dalek::VerifyingKey);
 
 impl PublicKey {
     /// serializes to a byte array
@@ -132,7 +119,11 @@ impl PublicKey {
 
     /// deserializes from a byte array
     pub fn from_bytes(bytes: &[u8]) -> Result<Self, error::Format> {
-        ed25519_dalek::PublicKey::from_bytes(bytes)
+        let bytes: [u8; 32] = bytes
+            .try_into()
+            .map_err(|_| Format::InvalidKeySize(bytes.len()))?;
+
+        ed25519_dalek::VerifyingKey::from_bytes(&bytes)
             .map(PublicKey)
             .map_err(|s| s.to_string())
             .map_err(Format::InvalidKey)
@@ -245,13 +236,11 @@ pub fn sign(
 }
 
 pub fn verify_block_signature(block: &Block, public_key: &PublicKey) -> Result<(), error::Format> {
-    use ed25519_dalek::ed25519::signature::Signature;
-
     //FIXME: replace with SHA512 hashing
     let mut to_verify = block.data.to_vec();
 
     if let Some(signature) = block.external_signature.as_ref() {
-        to_verify.extend_from_slice(signature.signature.as_bytes());
+        to_verify.extend_from_slice(&signature.signature.to_bytes());
     }
     to_verify.extend(&(crate::format::schema::public_key::Algorithm::Ed25519 as i32).to_le_bytes());
     to_verify.extend(&block.next_key.to_bytes());

diff --git a/biscuit-auth/src/format/mod.rs b/biscuit-auth/src/format/mod.rs
@@ -6,15 +6,14 @@
 //! - serialization of a wrapper structure containing serialized blocks and the signature
 use super::crypto::{self, KeyPair, PrivateKey, PublicKey, TokenNext};
 
-use ed25519_dalek::ed25519::signature::Signature;
+use ed25519_dalek::Signer;
 use prost::Message;
 
 use super::error;
 use super::token::Block;
 use crate::crypto::ExternalSignature;
 use crate::datalog::SymbolTable;
 use crate::token::RootKeyProvider;
-use ed25519_dalek::Signer;
 use std::collections::HashMap;
 use std::convert::TryInto;
 
@@ -63,12 +62,7 @@ impl SerializedBiscuit {
             .try_into()
             .map_err(|_| error::Format::InvalidSignatureSize(data.authority.signature.len()))?;
 
-        let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
-            error::Format::SignatureDeserializationError(format!(
-                "signature deserialization error: {:?}",
-                e
-            ))
-        })?;
+        let signature = ed25519_dalek::Signature::from_bytes(&bytes);
 
         if data.authority.external_signature.is_some() {
             return Err(error::Format::DeserializationError(
@@ -91,12 +85,7 @@ impl SerializedBiscuit {
                 .try_into()
                 .map_err(|_| error::Format::InvalidSignatureSize(block.signature.len()))?;
 
-            let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
-                error::Format::BlockSignatureDeserializationError(format!(
-                    "block signature deserialization error: {:?}",
-                    e
-                ))
-            })?;
+            let signature = ed25519_dalek::Signature::from_bytes(&bytes);
 
             let external_signature = if let Some(ex) = block.external_signature.as_ref() {
                 let public_key = PublicKey::from_proto(&ex.public_key)?;
@@ -105,12 +94,7 @@ impl SerializedBiscuit {
                     .try_into()
                     .map_err(|_| error::Format::InvalidSignatureSize(ex.signature.len()))?;
 
-                let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
-                    error::Format::BlockSignatureDeserializationError(format!(
-                        "block external signature deserialization error: {:?}",
-                        e
-                    ))
-                })?;
+                let signature = ed25519_dalek::Signature::from_bytes(&bytes);
 
                 Some(ExternalSignature {
                     public_key,
@@ -141,12 +125,7 @@ impl SerializedBiscuit {
                 let bytes: [u8; 64] = (&v[..])
                     .try_into()
                     .map_err(|_| error::Format::InvalidSignatureSize(v.len()))?;
-                let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
-                    error::Format::SignatureDeserializationError(format!(
-                        "final signature deserialization error: {:?}",
-                        e
-                    ))
-                })?;
+                let signature = ed25519_dalek::Signature::from_bytes(&bytes);
                 TokenNext::Seal(signature)
             }
         };
@@ -336,7 +315,7 @@ impl SerializedBiscuit {
                 error::Format::SerializationError(format!("serialization error: {:?}", e))
             })?;
         if let Some(signature) = &external_signature {
-            v.extend_from_slice(signature.signature.as_bytes());
+            v.extend_from_slice(&signature.signature.to_bytes());
         }
 
         let signature = crypto::sign(&keypair, next_keypair, &v)?;
@@ -369,7 +348,7 @@ impl SerializedBiscuit {
 
         let mut v = block.clone();
         if let Some(signature) = &external_signature {
-            v.extend_from_slice(signature.signature.as_bytes());
+            v.extend_from_slice(&signature.signature.to_bytes());
         }
 
         let signature = crypto::sign(&keypair, next_keypair, &v)?;

diff --git a/biscuit-auth/src/token/mod.rs b/biscuit-auth/src/token/mod.rs
@@ -407,12 +407,7 @@ impl Biscuit {
             .try_into()
             .map_err(|_| error::Format::InvalidSignatureSize(external_signature.signature.len()))?;
 
-        let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
-            error::Format::BlockSignatureDeserializationError(format!(
-                "block external signature deserialization error: {:?}",
-                e
-            ))
-        })?;
+        let signature = ed25519_dalek::Signature::from_bytes(&bytes);
         let previous_key = self
             .container
             .blocks

diff --git a/biscuit-auth/src/token/unverified.rs b/biscuit-auth/src/token/unverified.rs
@@ -301,12 +301,7 @@ impl UnverifiedBiscuit {
             .try_into()
             .map_err(|_| error::Format::InvalidSignatureSize(external_signature.signature.len()))?;
 
-        let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
-            error::Format::BlockSignatureDeserializationError(format!(
-                "block external signature deserialization error: {:?}",
-                e
-            ))
-        })?;
+        let signature = ed25519_dalek::Signature::from_bytes(&bytes);
         let previous_key = self
             .container
             .blocks