-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix pubkey interning test #104
Merged
+645
−92
Merged
Changes from 1 commit
Commits
Show all changes
16 commits
Select commit
Hold shift + click to select a range
65fa372
fix pubkey interning test
Geal dbf40c6
start third party block generation
Geal ecd235c
fix the test
Geal e34c14b
Merge branch 'master' into fix-3rdparty-blocks
Geal efa6ec6
print scope symbol if not found
Geal e5fb061
add another test
Geal 86a3221
add public keys to symbols
Geal 802cb26
add a test that reuses symbols across 3rd party blocks
Geal e31ceed
3rd party block request and response serialization
Geal e911a75
move the 3rd party methods to UnverifiedBiscuit
Geal a4c13d3
abstract key pair and signature generation
Geal a47e387
cleanup
Geal 5610a38
fix visibility
Geal dc15bdc
hardcode the algorithm to Ed25519 for now
Geal ba821a5
remove unused version field
Geal d14e34c
remove comment
Geal File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Loading status checks…
move the 3rd party methods to UnverifiedBiscuit
- Loading branch information
commit e911a75c4cabd7140257a557d3675ebf17387a95
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,20 +1,22 @@ | ||
package org.biscuitsec.biscuit.token; | ||
|
||
import biscuit.format.schema.Schema; | ||
import net.i2p.crypto.eddsa.EdDSAEngine; | ||
import org.biscuitsec.biscuit.crypto.KeyDelegate; | ||
import org.biscuitsec.biscuit.crypto.KeyPair; | ||
import org.biscuitsec.biscuit.crypto.PublicKey; | ||
import org.biscuitsec.biscuit.error.Error; | ||
import org.biscuitsec.biscuit.token.format.ExternalSignature; | ||
import org.biscuitsec.biscuit.token.format.SerializedBiscuit; | ||
import io.vavr.Tuple3; | ||
import io.vavr.control.Either; | ||
import io.vavr.control.Option; | ||
import org.biscuitsec.biscuit.datalog.Check; | ||
import org.biscuitsec.biscuit.datalog.SymbolTable; | ||
|
||
import java.security.InvalidKeyException; | ||
import java.security.NoSuchAlgorithmException; | ||
import java.security.SecureRandom; | ||
import java.security.SignatureException; | ||
import java.nio.ByteBuffer; | ||
import java.nio.ByteOrder; | ||
import java.security.*; | ||
import java.util.*; | ||
import java.util.stream.Collectors; | ||
|
||
|
@@ -232,6 +234,97 @@ public Option<Integer> root_key_id() { | |
return this.root_key_id; | ||
} | ||
|
||
/** | ||
* Generates a third party block request from a token | ||
*/ | ||
public ThirdPartyBlockRequest thirdPartyRequest() { | ||
PublicKey previousKey; | ||
if(this.serializedBiscuit.blocks.isEmpty()) { | ||
previousKey = this.serializedBiscuit.authority.key; | ||
} else { | ||
previousKey = this.serializedBiscuit.blocks.get(this.serializedBiscuit.blocks.size() - 1).key; | ||
} | ||
|
||
List<PublicKey> publicKeys = new ArrayList<>(this.symbols.publicKeys()); | ||
return new ThirdPartyBlockRequest(previousKey, publicKeys); | ||
} | ||
|
||
|
||
/** | ||
* Generates a third party block request from a token | ||
*/ | ||
public UnverifiedBiscuit appendThirdPartyBlock(PublicKey externalKey, ThirdPartyBlockContents blockResponse) | ||
throws NoSuchAlgorithmException, SignatureException, InvalidKeyException, Error { | ||
KeyPair nextKeyPair = new KeyPair(); | ||
|
||
Signature sgr = new EdDSAEngine(MessageDigest.getInstance(org.biscuitsec.biscuit.crypto.KeyPair.ed25519.getHashAlgorithm())); | ||
sgr.initVerify(externalKey.key); | ||
|
||
sgr.update(blockResponse.payload); | ||
ByteBuffer algo_buf = ByteBuffer.allocate(4).order(ByteOrder.LITTLE_ENDIAN); | ||
algo_buf.putInt(Integer.valueOf(Schema.PublicKey.Algorithm.Ed25519.getNumber())); | ||
algo_buf.flip(); | ||
sgr.update(algo_buf); | ||
|
||
PublicKey previousKey; | ||
if(this.serializedBiscuit.blocks.isEmpty()) { | ||
previousKey = this.serializedBiscuit.authority.key; | ||
} else { | ||
previousKey = this.serializedBiscuit.blocks.get(this.serializedBiscuit.blocks.size() - 1).key; | ||
} | ||
sgr.update(previousKey.toBytes()); | ||
if (!sgr.verify(blockResponse.signature)) { | ||
throw new Error.FormatError.Signature.InvalidSignature("signature error: Verification equation was not satisfied"); | ||
} | ||
|
||
Either<Error.FormatError, Block> res = Block.from_bytes(blockResponse.payload, Option.some(externalKey)); | ||
if(res.isLeft()) { | ||
throw res.getLeft(); | ||
} | ||
|
||
Block block = res.get(); | ||
|
||
ExternalSignature externalSignature = new ExternalSignature(externalKey, blockResponse.signature); | ||
|
||
UnverifiedBiscuit copiedBiscuit = this.copy(); | ||
|
||
Either<Error.FormatError, SerializedBiscuit> containerRes = copiedBiscuit.serializedBiscuit.append(nextKeyPair, block, Option.some(externalSignature)); | ||
if (containerRes.isLeft()) { | ||
throw containerRes.getLeft(); | ||
} | ||
|
||
SerializedBiscuit container = containerRes.get(); | ||
|
||
SymbolTable symbols = new SymbolTable(copiedBiscuit.symbols); | ||
|
||
ArrayList<Block> blocks = new ArrayList<>(); | ||
for (Block b : copiedBiscuit.blocks) { | ||
blocks.add(b); | ||
} | ||
blocks.add(block); | ||
|
||
for(PublicKey pk: block.publicKeys) { | ||
symbols.insert(pk); | ||
} | ||
|
||
long pkIndex = symbols.insert(externalKey); | ||
// if (copiedBiscuit.publicKeyToBlockId. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. this can be removed i assume |
||
|
||
|
||
HashMap<Long, List<Long>> publicKeyToBlockId = new HashMap<>(); | ||
publicKeyToBlockId.putAll(this.publicKeyToBlockId); | ||
if(publicKeyToBlockId.containsKey(pkIndex)) { | ||
publicKeyToBlockId.get(pkIndex).add((long)this.blocks.size()+1); | ||
} else { | ||
List<Long> list = new ArrayList<>(); | ||
list.add((long)this.blocks.size()+1); | ||
publicKeyToBlockId.put(pkIndex, list); | ||
} | ||
|
||
List<byte[]> revocation_ids = container.revocation_identifiers(); | ||
|
||
return new UnverifiedBiscuit(copiedBiscuit.authority, blocks, symbols, container, publicKeyToBlockId, revocation_ids); | ||
} | ||
|
||
/** | ||
* Prints a token's content | ||
|
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this serialization logic might be better encapsulated in a method rather than inlined here (and i assume in other places)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
something to look at after the ECDSA PR has merged, I think, otherwise we'll get lots of conflicts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried abstract this into a function for my remote_signer branch however these new third party tests are the only ones which are failing when trying to rebase my branch. Still digging into it, not sure whether subtle nuance or not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Think I see my issue, around the
externalSignature
which appears to be specific to third party.