Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

update ed25519-dalek and rand #136

Merged
merged 10 commits into from
Aug 23, 2023
Merged

update ed25519-dalek and rand #136

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
1c976b9
update ed25519-dalek and rand
Geal Feb 11, 2023
9dc0bf1
update to 2.0.0-rc.2
Geal May 29, 2023
4abc9d7
update samples
Geal May 29, 2023
a443d4f
Update biscuit-auth/Cargo.toml
Geal Aug 15, 2023
c6e66b7
Merge branch 'main' into update-ed25519-dalek
Geal Aug 16, 2023
ff26870
remove the keypair field from the public API
Geal Aug 16, 2023
de65efe
Merge branch 'main' into update-ed25519-dalek
Geal Aug 17, 2023
e986c7a
Merge branch 'main' into update-ed25519-dalek
Geal Aug 23, 2023
e6f47dc
update samples with the more deterministic keys
Geal Aug 23, 2023
ae2e52c
update samples
Geal Aug 23, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions biscuit-auth/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ docsrs = []
uuid = ["dep:uuid"]

[dependencies]
rand_core = "^0.5"
rand_core = "^0.6"
sha2 = "^0.9"
prost = "0.10"
prost-types = "0.10"
Expand All @@ -33,11 +33,11 @@ nom = {version = "7", default-features = false, features = ["std"] }
hex = "0.4"
zeroize = { version = "1", default-features = false }
thiserror = "1"
rand = { version = "0.7" }
rand = { version = "0.8" }
inline-c = { version = "0.1", optional = true }
wasm-bindgen = { version = "0.2", optional = true }
base64 = "0.13.0"
ed25519-dalek = "1.0.1"
ed25519-dalek = { version = "2.0.0", features = ["rand_core", "zeroize"] }
serde = { version = "1.0.132", optional = true, features = ["derive"] }
getrandom = { version = "0.1.16" }
time = { version = "0.3.7", features = ["formatting", "parsing"] }
Expand All @@ -48,7 +48,7 @@ biscuit-quote = { version = "0.2.1", optional = true, path = "../biscuit-quote"

[dev-dependencies]
bencher = "0.1.5"
rand = "0.7"
rand = "0.8"
colored-diff = "0.2.3"
prost-build = "0.10"
serde = { version = "1.0.130", features = ["derive"] }
Expand Down
154 changes: 77 additions & 77 deletions biscuit-auth/samples/README.md
View file
Open in desktop

Large diffs are not rendered by default.

146 changes: 73 additions & 73 deletions biscuit-auth/samples/samples.json
View file
Open in desktop

Large diffs are not rendered by default.

Binary file modified biscuit-auth/samples/test001_basic.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test002_different_root_key.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test003_invalid_signature_format.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test004_random_block.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test005_invalid_signature.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test006_reordered_blocks.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test007_scoped_rules.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test008_scoped_checks.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test009_expired_token.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test010_authorizer_scope.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test011_authorizer_authority_caveats.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test012_authority_caveats.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test013_block_rules.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test014_regex_constraint.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test015_multi_queries_caveats.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test016_caveat_head_name.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test017_expressions.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test018_unbound_variables_in_rule.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test019_generating_ambient_from_variables.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test020_sealed.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test021_parsing.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test022_default_symbols.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test023_execution_scope.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test024_third_party.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test025_check_all.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test026_public_keys_interning.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test027_integer_wraparound.bc
View file
Open in desktop
Binary file not shown.
Binary file modified biscuit-auth/samples/test028_expressions_v4.bc
View file
Open in desktop
Binary file not shown.
41 changes: 15 additions & 26 deletions biscuit-auth/src/crypto/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ use zeroize::Zeroize;
/// pair of cryptographic keys used to sign a token's block
#[derive(Debug)]
pub struct KeyPair {
pub kp: ed25519_dalek::Keypair,
pub kp: ed25519_dalek::SigningKey,
}

impl KeyPair {
Expand All @@ -28,28 +28,24 @@ impl KeyPair {
}

pub fn new_with_rng<T: RngCore + CryptoRng>(rng: &mut T) -> Self {
let kp = ed25519_dalek::Keypair::generate(rng);
let kp = ed25519_dalek::SigningKey::generate(rng);

KeyPair { kp }
}

pub fn from(key: &PrivateKey) -> Self {
let secret = SecretKey::from_bytes(&key.0.to_bytes()).unwrap();

let public = (&key.0).into();

KeyPair {
kp: ed25519_dalek::Keypair { secret, public },
kp: ed25519_dalek::SigningKey::from_bytes(&key.0),
}
}

pub fn private(&self) -> PrivateKey {
let secret = SecretKey::from_bytes(&self.kp.secret.to_bytes()).unwrap();
let secret = self.kp.to_bytes();
PrivateKey(secret)
}

pub fn public(&self) -> PublicKey {
PublicKey(self.kp.public)
PublicKey(self.kp.verifying_key())
}
}

Expand All @@ -59,20 +55,14 @@ impl std::default::Default for KeyPair {
}
}

impl Drop for KeyPair {
fn drop(&mut self) {
self.kp.secret.zeroize();
}
}

/// the private part of a [KeyPair]
#[derive(Debug)]
pub struct PrivateKey(pub(crate) ed25519_dalek::SecretKey);

impl PrivateKey {
/// serializes to a byte array
pub fn to_bytes(&self) -> [u8; 32] {
self.0.to_bytes()
self.0
}

/// serializes to an hex-encoded string
Expand All @@ -85,10 +75,7 @@ impl PrivateKey {
let bytes: [u8; 32] = bytes
.try_into()
.map_err(|_| Format::InvalidKeySize(bytes.len()))?;
SecretKey::from_bytes(&bytes)
.map(PrivateKey)
.map_err(|s| s.to_string())
.map_err(Format::InvalidKey)
Ok(PrivateKey(bytes))
}

/// deserializes from an hex-encoded string
Expand All @@ -99,7 +86,7 @@ impl PrivateKey {

/// returns the matching public key
pub fn public(&self) -> PublicKey {
PublicKey((&self.0).into())
PublicKey(SigningKey::from_bytes(&self.0).verifying_key())
}
}

Expand All @@ -117,7 +104,7 @@ impl Drop for PrivateKey {

/// the public part of a [KeyPair]
#[derive(Debug, Clone, Copy, Eq)]
pub struct PublicKey(pub(crate) ed25519_dalek::PublicKey);
pub struct PublicKey(pub(crate) ed25519_dalek::VerifyingKey);

impl PublicKey {
/// serializes to a byte array
Expand All @@ -132,7 +119,11 @@ impl PublicKey {

/// deserializes from a byte array
pub fn from_bytes(bytes: &[u8]) -> Result<Self, error::Format> {
ed25519_dalek::PublicKey::from_bytes(bytes)
let bytes: [u8; 32] = bytes
.try_into()
.map_err(|_| Format::InvalidKeySize(bytes.len()))?;

ed25519_dalek::VerifyingKey::from_bytes(&bytes)
.map(PublicKey)
.map_err(|s| s.to_string())
.map_err(Format::InvalidKey)
Expand Down Expand Up @@ -245,13 +236,11 @@ pub fn sign(
}

pub fn verify_block_signature(block: &Block, public_key: &PublicKey) -> Result<(), error::Format> {
use ed25519_dalek::ed25519::signature::Signature;

//FIXME: replace with SHA512 hashing
let mut to_verify = block.data.to_vec();

if let Some(signature) = block.external_signature.as_ref() {
to_verify.extend_from_slice(signature.signature.as_bytes());
to_verify.extend_from_slice(&signature.signature.to_bytes());
}
to_verify.extend(&(crate::format::schema::public_key::Algorithm::Ed25519 as i32).to_le_bytes());
to_verify.extend(&block.next_key.to_bytes());
Expand Down
35 changes: 7 additions & 28 deletions biscuit-auth/src/format/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,15 +6,14 @@
//! - serialization of a wrapper structure containing serialized blocks and the signature
use super::crypto::{self, KeyPair, PrivateKey, PublicKey, TokenNext};

use ed25519_dalek::ed25519::signature::Signature;
use ed25519_dalek::Signer;
use prost::Message;

use super::error;
use super::token::Block;
use crate::crypto::ExternalSignature;
use crate::datalog::SymbolTable;
use crate::token::RootKeyProvider;
use ed25519_dalek::Signer;
use std::collections::HashMap;
use std::convert::TryInto;

Expand Down Expand Up @@ -63,12 +62,7 @@ impl SerializedBiscuit {
.try_into()
.map_err(|_| error::Format::InvalidSignatureSize(data.authority.signature.len()))?;

let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
error::Format::SignatureDeserializationError(format!(
"signature deserialization error: {:?}",
e
))
})?;
let signature = ed25519_dalek::Signature::from_bytes(&bytes);

if data.authority.external_signature.is_some() {
return Err(error::Format::DeserializationError(
Expand All @@ -91,12 +85,7 @@ impl SerializedBiscuit {
.try_into()
.map_err(|_| error::Format::InvalidSignatureSize(block.signature.len()))?;

let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
error::Format::BlockSignatureDeserializationError(format!(
"block signature deserialization error: {:?}",
e
))
})?;
let signature = ed25519_dalek::Signature::from_bytes(&bytes);

let external_signature = if let Some(ex) = block.external_signature.as_ref() {
let public_key = PublicKey::from_proto(&ex.public_key)?;
Expand All @@ -105,12 +94,7 @@ impl SerializedBiscuit {
.try_into()
.map_err(|_| error::Format::InvalidSignatureSize(ex.signature.len()))?;

let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
error::Format::BlockSignatureDeserializationError(format!(
"block external signature deserialization error: {:?}",
e
))
})?;
let signature = ed25519_dalek::Signature::from_bytes(&bytes);

Some(ExternalSignature {
public_key,
Expand Down Expand Up @@ -141,12 +125,7 @@ impl SerializedBiscuit {
let bytes: [u8; 64] = (&v[..])
.try_into()
.map_err(|_| error::Format::InvalidSignatureSize(v.len()))?;
let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
error::Format::SignatureDeserializationError(format!(
"final signature deserialization error: {:?}",
e
))
})?;
let signature = ed25519_dalek::Signature::from_bytes(&bytes);
TokenNext::Seal(signature)
}
};
Expand Down Expand Up @@ -336,7 +315,7 @@ impl SerializedBiscuit {
error::Format::SerializationError(format!("serialization error: {:?}", e))
})?;
if let Some(signature) = &external_signature {
v.extend_from_slice(signature.signature.as_bytes());
v.extend_from_slice(&signature.signature.to_bytes());
}

let signature = crypto::sign(&keypair, next_keypair, &v)?;
Expand Down Expand Up @@ -369,7 +348,7 @@ impl SerializedBiscuit {

let mut v = block.clone();
if let Some(signature) = &external_signature {
v.extend_from_slice(signature.signature.as_bytes());
v.extend_from_slice(&signature.signature.to_bytes());
}

let signature = crypto::sign(&keypair, next_keypair, &v)?;
Expand Down
7 changes: 1 addition & 6 deletions biscuit-auth/src/token/mod.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -412,12 +412,7 @@ impl Biscuit {
.try_into()
.map_err(|_| error::Format::InvalidSignatureSize(external_signature.signature.len()))?;

let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
error::Format::BlockSignatureDeserializationError(format!(
"block external signature deserialization error: {:?}",
e
))
})?;
let signature = ed25519_dalek::Signature::from_bytes(&bytes);
let previous_key = self
.container
.blocks
Expand Down
7 changes: 1 addition & 6 deletions biscuit-auth/src/token/unverified.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -306,12 +306,7 @@ impl UnverifiedBiscuit {
.try_into()
.map_err(|_| error::Format::InvalidSignatureSize(external_signature.signature.len()))?;

let signature = ed25519_dalek::Signature::from_bytes(&bytes).map_err(|e| {
error::Format::BlockSignatureDeserializationError(format!(
"block external signature deserialization error: {:?}",
e
))
})?;
let signature = ed25519_dalek::Signature::from_bytes(&bytes);
let previous_key = self
.container
.blocks
Expand Down