
[gnunet] 04/06: -switch to EdDSA egos only for signature rest endpoint


From: gnunet
Subject: [gnunet] 04/06: -switch to EdDSA egos only for signature rest endpoint
Date: Wed, 31 Aug 2022 17:04:42 +0200

This is an automated email from the git hooks/post-receive script.

martin-schanzenbach pushed a commit to branch master
in repository gnunet.

commit 7777cef05fedae221bf4b82c6b5a1de87a7d101e
Author: Tristan Schwieren <tristan.schwieren@tum.de>
AuthorDate: Fri Aug 26 15:51:29 2022 +0200

    -switch to EdDSA egos only for signature rest endpoint
---
 src/identity/plugin_rest_identity.c                | 22 ++++--
 .../test_plugin_rest_identity_signature.sh         | 40 ++++++++--
 src/include/gnunet_crypto_lib.h                    | 32 +++++++-
 src/util/crypto_ecc.c                              | 90 ++++++++--------------
 4 files changed, 112 insertions(+), 72 deletions(-)

diff --git a/src/identity/plugin_rest_identity.c b/src/identity/plugin_rest_identity.c
index 06ef7a174..15e0987f2 100644
--- a/src/identity/plugin_rest_identity.c
+++ b/src/identity/plugin_rest_identity.c
@@ -1202,9 +1202,10 @@ void
 ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
 {
   struct RequestHandle *handle = ((struct ego_sign_data_cls *) cls)->handle;
-  char *data = (char *) ((struct ego_sign_data_cls *) cls)->data; // data is url decoded
+  unsigned char *data
+    = (unsigned char *) ((struct ego_sign_data_cls *) cls)->data; // data is url decoded
   struct MHD_Response *resp;
-  struct GNUNET_CRYPTO_EcdsaSignature sig;
+  struct GNUNET_CRYPTO_EddsaSignature sig;
   char *sig_str;
   char *result;
 
@@ -1216,7 +1217,15 @@ ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
     return;
   }
 
-  if ( GNUNET_OK != GNUNET_CRYPTO_ecdsa_sign_raw (&(ego->pk.ecdsa_key),
+  if (ntohl (ego->pk.type) != GNUNET_IDENTITY_TYPE_EDDSA)
+  {
+    handle->response_code = MHD_HTTP_BAD_REQUEST;
+    handle->emsg = GNUNET_strdup ("Ego has to use an EdDSA key");
+    GNUNET_SCHEDULER_add_now (&do_error, handle);
+    return;
+  }
+
+  if ( GNUNET_OK != GNUNET_CRYPTO_eddsa_sign_raw (&(ego->pk.eddsa_key),
                                                   (void *) data,
                                                   strlen (data),
                                                   &sig))
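Review bot: `strlen (data)` in the `GNUNET_CRYPTO_eddsa_sign_raw` call takes the message length from a buffer that the comment on its declaration describes as URL-decoded, so if the decoded request data contains a NUL byte the signature would, as far as this hunk shows, cover only the bytes before it rather than what the client sent. `data` is now `unsigned char *`, which also makes the `strlen` argument a pointer-signedness mismatch. Carrying the decoded length next to the pointer in `struct ego_sign_data_cls` (its definition is outside this hunk) and passing that as the size would address both; failing that, reject input whose decoded length differs from `strlen`. The new `MHD_HTTP_BAD_REQUEST` path returns without touching `cls`, and because `ego_sign_data_cb` begins and ends outside the hunk it is not visible whether `cls` and `data` are released on that path.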
@@ -1227,10 +1236,9 @@ ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
     return;
   }
 
-  // TODO: Encode the signature 
-  sig_str = malloc(64);
-  GNUNET_CRYPTO_ecdsa_signature_encode(
-    (const struct GNUNET_CRYPTO_EcdsaSignature *) &sig, 
+  sig_str = malloc (64);
+  GNUNET_CRYPTO_eddsa_signature_encode (
+    (const struct GNUNET_CRYPTO_EddsaSignature *) &sig,
     &sig_str);
 
   GNUNET_asprintf (&result,
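Review bot: The `malloc (64)` result assigned to `sig_str` is lost as soon as `GNUNET_CRYPTO_eddsa_signature_encode` stores its own buffer through `&sig_str`; the implementation added in src/util/crypto_ecc.c forwards that pointer to `GNUNET_STRINGS_base64url_encode`, which appears to allocate the output itself. Replace the allocation with `sig_str = NULL;` and keep the encoder's return value, so that a zero-length result is reported as an error instead of being formatted into the response. The cast on `&sig` is unnecessary because `sig` already has the target type. The rest of `ego_sign_data_cb`, including where `sig_str` is freed, lies outside this hunk.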
diff --git a/src/identity/test_plugin_rest_identity_signature.sh b/src/identity/test_plugin_rest_identity_signature.sh
index 2a56996d5..6b3470388 100755
--- a/src/identity/test_plugin_rest_identity_signature.sh
+++ b/src/identity/test_plugin_rest_identity_signature.sh
@@ -5,6 +5,13 @@
 header='{"alg":"ES256"}'
 payload='{"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}'
 
+key='{"kty":"EC",
+      "crv":"P-256",
+      "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
+      "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
+      "d":"jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI"
+     }'
+
 header_payload_test=(
     101 121 74 104 98 71 99 105 79 105 74 70 85 122 73
     49 78 105 74 57 46 101 121 74 112 99 51 77 105 79 105
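Review bot: The added `key` is a P-256 EC JWK and the `header` context line still declares `"alg":"ES256"`, but this commit makes the endpoint refuse every ego that is not EdDSA, so this test material cannot be used to check the signature the endpoint returns. For an Ed25519 signature the JOSE header would be `{"alg":"EdDSA"}` and the key an OKP JWK with `"crv":"Ed25519"` (RFC 8037). The values look like the published RFC 7515 example key; a comment above `key` such as `# published test vector only, never a production key` would make clear that the private component `d` is deliberately in the repository.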
@@ -15,27 +22,50 @@ header_payload_test=(
     98 83 57 112 99 49 57 121 98 50 57 48 73 106 112 48
     99 110 86 108 102 81)
 
+base64url_add_padding() {
+    for i in $( seq 1 $(( 4 - ${#1} % 4 )) ); do padding+="="; done
+    echo "$1""$padding"
+}
+
 base64url_encode () {
     echo -n -e "$1" | base64 -w0 | tr '+/' '-_' | tr -d '='
 }
 
+base64url_decode () {
+    padded_input=$(base64url_add_padding "$1")
+    echo -n "$padded_input" | tr '_-' '/+' | base64 -w0 --decode 
+}
+
+base32crockford_encode () {
+    echo -n "$i" | basenc --base32hex | tr 'IJKLMNOPQRSTUV' 'JKMNPQRSTVWXYZ'
+}
+
+header_enc=$(base64url_encode "$header")
+payload_enc=$(base64url_encode "$payload")
+
 # encode header_payload test vektor
 for i in "${header_payload_test[@]}"
 do 
     header_payload_test_enc+=$(printf "\x$(printf %x $i)")
 done
 
-header_enc=$(base64url_encode "$header")
-payload_enc=$(base64url_encode "$payload")
-
-# test base64url encoding and header & payload concatenation
+# test base64url encoding and header-payload concatenation
 if [ "$header_enc.$payload_enc" != $header_payload_test_enc ] ; 
 then 
     exit 1
 fi
 
 signature_enc=$(curl -s "localhost:7776/sign?user=tristan&data=$header_payload_enc" | jq -r '.signature')
-echo "$header_enc.$payload_enc.$signature_enc"
+jwt="$header_enc.$payload_enc.$signature_enc"
+echo $jwt
+
+# Convert secret JWK to GNUnet skey
+key_dec=$(base64url_decode $( echo -n "$key" | jq -r '.d'))
+for i in $(echo -n $key_dec | xxd -p | tr -d '\n' | fold -w 2)
+do 
+    echo -n "$i "
+done
+echo ""
 
 # TODO: Test Signature
     # Gen key: Public Key GNS zone type value + d in crockford encoding
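Review bot: `base64url_add_padding` appends to a global `padding` that is never reset, and for input whose length is already a multiple of four `4 - ${#1} % 4` evaluates to 4, so four `=` are appended; either case hands `base64 --decode` malformed input. Use `local padding=""` as the first statement and `seq 1 $(( (4 - ${#1} % 4) % 4 ))` as the loop bound. `base32crockford_encode` reads `$i`, the loop variable of whatever ran last, instead of its argument `"$1"`. Storing the decoded key bytes in `key_dec` also drops any NUL byte and the unquoted `$key_dec` is word-split, so piping `base64url_decode` straight into `xxd -p` would keep the bytes intact.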
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 1d5722450..93945c731 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -1955,11 +1955,35 @@ GNUNET_CRYPTO_ecdsa_sign_ (
  * @return enum GNUNET_GenericReturnValue 
  */
 enum GNUNET_GenericReturnValue
-GNUNET_CRYPTO_ecdsa_sign_raw (
-  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
+GNUNET_CRYPTO_eddsa_sign_raw (
+  const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
   void *data,
-  size_t len,
-  struct GNUNET_CRYPTO_EcdsaSignature *sig);
+  size_t size,
+  struct GNUNET_CRYPTO_EddsaSignature *sig);
+
+/**
+ * @brief 
+ * 
+ * @param sig 
+ * @param sig_str 
+ * @return enum GNUNET_GenericReturnValue 
+ */
+size_t
+GNUNET_CRYPTO_eddsa_signature_encode(
+  const struct GNUNET_CRYPTO_EddsaSignature *sig,
+  char **sig_str);
+
+/**
+ * @brief 
+ * 
+ * @param sig_str 
+ * @param sig 
+ * @return enum GNUNET_GenericReturnValue 
+ */
+size_t
+GNUNET_CRYPTO_eddsa_signature_decode(
+  const char *sig_str,
+  struct GNUNET_CRYPTO_EddsaSignature *sig);
 
 /**
  * @brief 
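Review bot: The doc blocks added for `GNUNET_CRYPTO_eddsa_signature_encode` and `GNUNET_CRYPTO_eddsa_signature_decode` have an empty `@brief`, undescribed parameters, and `@return enum GNUNET_GenericReturnValue` although both prototypes return `size_t`. Each should state what the returned size counts and who owns and frees the buffer stored in `*sig_str`; the decoder's block should also say that `sig_str` must be NUL-terminated and what is returned when the input does not decode to a full signature. `data` in `GNUNET_CRYPTO_eddsa_sign_raw` is only read by the implementation in this commit and could be declared `const void *data`.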
diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c
index 36945e291..0ac6e2865 100644
--- a/src/util/crypto_ecc.c
+++ b/src/util/crypto_ecc.c
@@ -594,68 +594,46 @@ GNUNET_CRYPTO_ecdsa_sign_ (
   return GNUNET_OK;
 }
 
-// TODO: Code reuse with GNUNET_CRYPTO_ecdsa_sign_
-// Refactor above as a wrapper around raw
 enum GNUNET_GenericReturnValue
-GNUNET_CRYPTO_ecdsa_sign_raw (
-  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
+GNUNET_CRYPTO_eddsa_sign_raw (
+  const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
   void *data,
-  size_t len,
-  struct GNUNET_CRYPTO_EcdsaSignature *sig)
+  size_t size,
+  struct GNUNET_CRYPTO_EddsaSignature *sig)
 {
-  struct GNUNET_HashCode hash_code;
-  gcry_sexp_t skey_sexp;
-  gcry_sexp_t sig_sexp;
-  gcry_sexp_t data_sexp;
-  gcry_error_t error;
-  gcry_mpi_t rs[2];
-
-  // Decode private key
-  skey_sexp = decode_private_ecdsa_key (priv);
-
-  // Hash data
-  GNUNET_CRYPTO_hash (data, len, &hash_code);
-  if (0 != (error = gcry_sexp_build (&data_sexp,
-                                     NULL,
-                                     "(data(flags rfc6979)(hash %s %b))",
-                                     "sha512",
-                                     (int) sizeof(hash_code),
-                                     &hash_code)))
-  {
-    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", error);
-    return GNUNET_SYSERR;
-  }
+  unsigned char sk[crypto_sign_SECRETKEYBYTES];
+  unsigned char pk[crypto_sign_PUBLICKEYBYTES];
+  int res;
 
-  // Sign Hash
-  if (0 != (error = gcry_pk_sign (&sig_sexp, data_sexp, skey_sexp)))
-  {
-    LOG (GNUNET_ERROR_TYPE_WARNING,
-         _ ("ECC signing failed at %s:%d: %s\n"),
-         __FILE__,
-         __LINE__,
-         gcry_strerror (error));
-    gcry_sexp_release (data_sexp);
-    gcry_sexp_release (skey_sexp);
-    return GNUNET_SYSERR;
-  }
-  gcry_sexp_release (skey_sexp);
-  gcry_sexp_release (data_sexp);
+  GNUNET_assert (0 == crypto_sign_seed_keypair (pk, sk, priv->d));
+  res = crypto_sign_detached ((uint8_t *) sig,
+                              NULL,
+                              (uint8_t *) data,
+                              size,
+                              sk);
+  return (res == 0) ? GNUNET_OK : GNUNET_SYSERR;
+}
 
-  /* extract 'r' and 's' values from sexpression 'sig_sexp' and store in
-     'signature' */
-  if (0 != (error = key_from_sexp (rs, sig_sexp, "sig-val", "rs")))
-  {
-    GNUNET_break (0);
-    gcry_sexp_release (sig_sexp);
-    return GNUNET_SYSERR;
-  }
-  gcry_sexp_release (sig_sexp);
-  GNUNET_CRYPTO_mpi_print_unsigned (sig->r, sizeof(sig->r), rs[0]);
-  GNUNET_CRYPTO_mpi_print_unsigned (sig->s, sizeof(sig->s), rs[1]);
-  gcry_mpi_release (rs[0]);
-  gcry_mpi_release (rs[1]);
+size_t
+GNUNET_CRYPTO_eddsa_signature_encode (
+  const struct GNUNET_CRYPTO_EddsaSignature *sig,
+  char **sig_str)
+{
+  return GNUNET_STRINGS_base64url_encode (
+    (void*) sig,
+    32,
+    sig_str);
+}
 
-  return GNUNET_OK;
+size_t
+GNUNET_CRYPTO_eddsa_signature_decode (
+  const char *sig_str,
+  struct GNUNET_CRYPTO_EddsaSignature *sig)
+{
+  return GNUNET_STRINGS_base64url_decode (
+    sig_str, 
+    strlen (sig_str),
+    (void **) &sig);
 }
 
 size_t
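Review bot: `GNUNET_CRYPTO_eddsa_signature_encode` passes a length of `32` to `GNUNET_STRINGS_base64url_encode`, while `crypto_sign_detached` above fills `sig` with a full Ed25519 signature (64 bytes in libsodium), so the encoded string carries only the first half and cannot be verified; use `sizeof (*sig)`. `GNUNET_CRYPTO_eddsa_signature_decode` hands `(void **) &sig` to the decoder, which overwrites the local parameter rather than the caller's struct: the caller's signature stays unfilled, the decoded buffer is presumably leaked, and the decoded length is never compared with the signature size. A possible shape for the decoder, assuming `GNUNET_STRINGS_base64url_decode` allocates its result, is below. In `GNUNET_CRYPTO_eddsa_sign_raw` the expanded secret key `sk` is left on the stack on return; clearing it with `sodium_memzero (sk, sizeof (sk));` before returning is cheap.

```c
size_t
GNUNET_CRYPTO_eddsa_signature_decode (
  const char *sig_str,
  struct GNUNET_CRYPTO_EddsaSignature *sig)
{
  void *buf = NULL;
  size_t len;

  len = GNUNET_STRINGS_base64url_decode (sig_str, strlen (sig_str), &buf);
  if (sizeof (*sig) == len)
    memcpy (sig, buf, sizeof (*sig));
  else
    len = 0; /* wrong length: leave *sig untouched and report failure */
  GNUNET_free (buf);
  return len;
}
```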

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


