Skip to content

Commit

Permalink
Merge pull request #12 from banyancomputer/alex/blake3-fingerprint
Browse files Browse the repository at this point in the history
fix: normalize fingerprints on blake3
  • Loading branch information
amiller68 authored Nov 21, 2023
2 parents 0cd64a2 + 30953de commit cdd5e07
Show file tree
Hide file tree
Showing 4 changed files with 66 additions and 42 deletions.
44 changes: 32 additions & 12 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@ rand = "^0.8"
p384 = { version = "^0.13", features = ["arithmetic", "alloc", "pkcs8", "pem"] }
rand_core = "^0.6"
base64ct = "^1.6"
sha1 = "^0.10"
hkdf = "^0.12"
blake3 = "^1.4"
sha2 = "^0.10"
aes-gcm = "^0.10"
chrono = "^0.4"
Expand Down
48 changes: 25 additions & 23 deletions src/key_seal.rs
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,9 @@ pub fn pretty_fingerprint(fingerprint_bytes: &[u8]) -> String {
}

pub fn hex_fingerprint(fingerprint_bytes: &[u8]) -> String {
pretty_fingerprint(fingerprint_bytes).replace(':', "")
fingerprint_bytes
.iter()
.fold(String::new(), |chain, byte| format!("{chain}{byte:02x}"))
}

#[cfg(test)]
Expand All @@ -48,32 +50,32 @@ mod tests {
45, 45, 45, 45, 45, 66, 69, 71, 73, 78, 32, 80, 82, 73, 86, 65, 84, 69, 32, 75, 69, 89, 45,
45, 45, 45, 45, 10, 77, 73, 71, 50, 65, 103, 69, 65, 77, 66, 65, 71, 66, 121, 113, 71, 83,
77, 52, 57, 65, 103, 69, 71, 66, 83, 117, 66, 66, 65, 65, 105, 66, 73, 71, 101, 77, 73, 71,
98, 65, 103, 69, 66, 66, 68, 67, 78, 101, 114, 100, 114, 74, 76, 104, 85, 89, 49, 81, 79,
81, 116, 85, 50, 10, 108, 54, 86, 118, 113, 55, 90, 108, 89, 66, 43, 97, 52, 56, 114, 88,
43, 47, 111, 119, 122, 43, 69, 68, 103, 75, 118, 74, 114, 99, 111, 82, 114, 54, 117, 50,
121, 78, 50, 87, 53, 119, 102, 51, 119, 68, 109, 104, 90, 65, 78, 105, 65, 65, 84, 109, 66,
57, 99, 69, 53, 54, 105, 57, 10, 89, 88, 70, 106, 107, 85, 54, 122, 73, 100, 98, 97, 118,
83, 102, 102, 117, 115, 112, 119, 98, 114, 71, 104, 102, 80, 122, 103, 106, 77, 82, 43, 71,
98, 65, 77, 103, 57, 116, 84, 78, 102, 99, 121, 122, 81, 55, 66, 86, 99, 106, 97, 102, 90,
114, 84, 56, 90, 75, 87, 85, 82, 74, 68, 10, 73, 112, 67, 76, 119, 102, 89, 106, 66, 52,
98, 89, 107, 100, 87, 85, 115, 121, 82, 101, 88, 53, 121, 79, 73, 100, 74, 88, 80, 112, 50,
82, 100, 106, 68, 118, 80, 82, 116, 67, 117, 76, 67, 117, 76, 72, 57, 88, 52, 116, 122,
100, 47, 65, 107, 61, 10, 45, 45, 45, 45, 45, 69, 78, 68, 32, 80, 82, 73, 86, 65, 84, 69,
32, 75, 69, 89, 45, 45, 45, 45, 45, 10,
98, 65, 103, 69, 66, 66, 68, 68, 80, 48, 106, 53, 117, 69, 112, 122, 43, 102, 67, 100, 120,
51, 84, 76, 114, 10, 79, 56, 121, 50, 72, 77, 100, 49, 113, 107, 105, 82, 86, 53, 97, 66,
108, 73, 69, 73, 49, 104, 103, 73, 50, 56, 67, 73, 110, 67, 53, 98, 106, 99, 75, 69, 97,
118, 115, 103, 79, 106, 53, 111, 97, 82, 79, 104, 90, 65, 78, 105, 65, 65, 84, 79, 66, 51,
54, 47, 114, 52, 56, 69, 10, 72, 102, 100, 99, 77, 48, 104, 117, 105, 66, 107, 102, 101,
101, 108, 71, 67, 100, 115, 55, 100, 53, 48, 56, 115, 47, 111, 57, 121, 104, 104, 112, 117,
117, 51, 70, 84, 104, 102, 53, 79, 54, 71, 114, 84, 98, 87, 73, 72, 54, 99, 110, 99, 71,
83, 55, 102, 100, 47, 86, 109, 48, 90, 90, 10, 52, 57, 90, 75, 49, 86, 53, 74, 119, 85,
111, 81, 76, 117, 71, 68, 113, 114, 69, 103, 73, 102, 113, 75, 65, 83, 82, 70, 102, 82, 86,
81, 114, 52, 76, 70, 116, 115, 121, 80, 100, 51, 47, 51, 77, 57, 83, 90, 82, 43, 80, 97,
68, 65, 81, 61, 10, 45, 45, 45, 45, 45, 69, 78, 68, 32, 80, 82, 73, 86, 65, 84, 69, 32, 75,
69, 89, 45, 45, 45, 45, 45, 10,
];

const TEST_DER_KEY: &[u8] = &[
48, 129, 155, 2, 1, 1, 4, 48, 141, 122, 183, 107, 36, 184, 84, 99, 84, 14, 66, 213, 54,
151, 165, 111, 171, 182, 101, 96, 31, 154, 227, 202, 215, 251, 250, 48, 207, 225, 3, 128,
171, 201, 173, 202, 17, 175, 171, 182, 200, 221, 150, 231, 7, 247, 192, 57, 161, 100, 3,
98, 0, 4, 230, 7, 215, 4, 231, 168, 189, 97, 113, 99, 145, 78, 179, 33, 214, 218, 189, 39,
223, 186, 202, 112, 110, 177, 161, 124, 252, 224, 140, 196, 126, 25, 176, 12, 131, 219, 83,
53, 247, 50, 205, 14, 193, 85, 200, 218, 125, 154, 211, 241, 146, 150, 81, 18, 67, 34, 144,
139, 193, 246, 35, 7, 134, 216, 145, 213, 148, 179, 36, 94, 95, 156, 142, 33, 210, 87, 62,
157, 145, 118, 48, 239, 61, 27, 66, 184, 176, 174, 44, 127, 87, 226, 220, 221, 252, 9,
48, 129, 155, 2, 1, 1, 4, 48, 207, 210, 62, 110, 18, 156, 254, 124, 39, 113, 221, 50, 235,
59, 204, 182, 28, 199, 117, 170, 72, 145, 87, 150, 129, 148, 129, 8, 214, 24, 8, 219, 192,
136, 156, 46, 91, 141, 194, 132, 106, 251, 32, 58, 62, 104, 105, 19, 161, 100, 3, 98, 0, 4,
206, 7, 126, 191, 175, 143, 4, 29, 247, 92, 51, 72, 110, 136, 25, 31, 121, 233, 70, 9, 219,
59, 119, 157, 60, 179, 250, 61, 202, 24, 105, 186, 237, 197, 78, 23, 249, 59, 161, 171, 77,
181, 136, 31, 167, 39, 112, 100, 187, 125, 223, 213, 155, 70, 89, 227, 214, 74, 213, 94,
73, 193, 74, 16, 46, 225, 131, 170, 177, 32, 33, 250, 138, 1, 36, 69, 125, 21, 80, 175,
130, 197, 182, 204, 143, 119, 127, 247, 51, 212, 153, 71, 227, 218, 12, 4,
];

const SEALED_KEY: &str = "gWpi+A3+mAm9IaeeI1Fq+g==./7hxZHDThkpnUr58.zLfay5f24Ou/gpXeTn/UTdTLO2vf/65U8hk70Xt6aWTO4gPKmfEdXeDwfIR+q1hX.MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJR9Nd3p/UA8UPut9wRt+r7mx5Fv9wxopA+B5gm0lyFSzhJRZO6D4x57sJ68YiDvxSUfSCaOhWWhYTRJ6WxShf/g0bdLdkPrtxelSKHcUj3orr9rELWYUl1fxE6kOfSS4";
const SEALED_KEY: &str = "IsOZbU9AuHemDVCvvD9WnQ==.GajZ6uqi6siOA9ck.FVtz65k9YE5ETzSsLXSgEuyM2rsNQMaD8aO97HtdKuNB2ytZSa7yhm8HTNvcSCwr.MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEoHUTBQwf8mOFzlX0cEw/RPdjCiysFYcBj2vpPo1smqVXEb/jXjewWjDlTQAInRF52I/itE1wc9E0wvtUYpoZUjbWOAQkGebVZ6CFl3lLqaw7mAOkK/6I1t1S/Y4xr8mx";

async fn test_encryption_end_to_end() -> Result<(), TombCryptError> {
use crate::key_seal::common::PrivateKey;
Expand Down Expand Up @@ -162,7 +164,7 @@ mod tests {
let token = claims.encode_to(&key).await?;
let _ = ApiToken::decode_from(&token, &public_key).await?;
let metadata = ApiTokenMetadata::try_from(token)?;
let key_id = pretty_fingerprint(public_key.fingerprint().await?.as_slice());
let key_id = hex_fingerprint(public_key.fingerprint().await?.as_slice());

// Check the metadata
assert_eq!(metadata.alg(), "ES384");
Expand Down
14 changes: 8 additions & 6 deletions src/key_seal/internal.rs
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
use base64ct::LineEnding;
use blake3::Hasher;
use p384::elliptic_curve::sec1::ToEncodedPoint;
use p384::{
pkcs8::{DecodePrivateKey, DecodePublicKey, EncodePrivateKey, EncodePublicKey},
PublicKey as P384PublicKey, SecretKey as P384SecretKey,
};
use rand::RngCore;
use sha1::Digest;

use crate::key_seal::common::{FINGERPRINT_SIZE, SALT_SIZE};
use crate::prelude::TombCryptError;
Expand All @@ -17,15 +17,17 @@ pub fn generate_salt() -> [u8; SALT_SIZE] {
salt
}

/// SHA1 compressed point fingerprint function
/// Blake3 compressed point fingerprint function
pub fn fingerprint<'a>(public_key: impl Into<&'a P384PublicKey>) -> [u8; FINGERPRINT_SIZE] {
let public_key = public_key.into();
let compressed_point = public_key.as_ref().to_encoded_point(true);

let mut hasher = sha1::Sha1::new();
let compressed_point = compressed_point.as_bytes();
let mut hasher = Hasher::new();
hasher.update(compressed_point);
let hashed_bytes = hasher.finalize();
hashed_bytes.into()
let mut output = [0u8; FINGERPRINT_SIZE];
let mut output_reader = hasher.finalize_xof();
output_reader.fill(&mut output);
output
}

pub fn gen_ec_key() -> P384SecretKey {
Expand Down

0 comments on commit cdd5e07

Please sign in to comment.