Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for ECDSA signatures on curve secp256r1 #165

Merged
merged 9 commits into from
Nov 20, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
51 changes: 47 additions & 4 deletions SPECIFICATIONS.md
Original file line number Diff line number Diff line change
Expand Up @@ -177,7 +177,7 @@ The logic language is described by the following EBNF grammar:
```
<origin_clause> ::= <sp>? "trusting " <origin_element> <sp>? ("," <sp>? <origin_element> <sp>?)*
<origin_element> ::= "authority" | "previous" | <signature_alg> "/" <bytes>
<signature_alg> ::= "ed25519"
<signature_alg> ::= "ed25519" | "secp256r1"

<block> ::= (<origin_clause> ";" <sp>?)? (<block_element> | <comment> )*
<block_element> ::= <sp>? ( <check> | <fact> | <rule> ) <sp>? ";" <sp>?
Expand Down Expand Up @@ -712,6 +712,7 @@ message PublicKey {

enum Algorithm {
Ed25519 = 0;
SECP256R1 = 1;
}

required bytes key = 2;
Expand Down Expand Up @@ -782,13 +783,55 @@ is a Biscuit token, that base 64 string should be prefixed with `biscuit:`.

### Cryptography

Biscuit tokens are based on public key cryptography, with a chain of Ed25519
Biscuit tokens are based on public key cryptography, with a chain of
signatures. Each block contains the serialized Datalog, the next public key,
and the signature by the previous key. The token also contains the private key
corresponding to the last public key, to sign a new block and attenuate the
token, or a signature of the last block by the last private key, to seal the
token.

#### Algorithms

Biscuit supports multiple signature algorithms for its blocks, that can change
between blocks in one token. The algorithm kind is defined in the `Algorithm`
enum of the protobuf serialization of the public key. The `nextSecret` field
in the proof section of the token uses the same algorithm as the `nextKey`
of the last block.

The following algorithms are supported:

##### Ed25519

The default signature algorithm is Ed25519 as introduced in [Bernstein, Daniel J.;
Duif, Niels; Lange, Tanja; Schwabe, Peter; Bo-Yin Yang (2012). "High-speed
high-security signatures" (PDF). Journal of Cryptographic Engineering](https://ed25519.cr.yp.to/ed25519-20110926.pdf)
and specified in [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032).

The protobuf encoding is defined as follows:
- `key` field of the `Publickey` message: [compressed Edwards Y format](https://www.rfc-editor.org/rfc/rfc8032#section-5.1.2)
- `nextSecret` in the `Proof` message: [32 bytes of cryptographically secure random data in little-endian](https://www.rfc-editor.org/rfc/rfc8032#section-5.1.5)
- `signature` field in `Signature` and `ExternalSignature` messages: [concatenation of R and S values](https://www.rfc-editor.org/rfc/rfc8032#section-5.1.6)

##### ECDSA

Biscuit supports the ECDSA algorithm over the secp256r1 curve as defined in
[SEC2v1](https://www.secg.org/sec1-v2.pdf), using the SHA-256 hashing
algorithm. It is recommended to use a deterministic signature algorithm
version like the one defined in [RFC 6979](https://datatracker.ietf.org/doc/html/rfc6979).


The protobuf encoding is defined as follows:
- `key` field of the `Publickey` message: [compressed SEC1 format, defined in section 2.3.3](https://www.secg.org/sec1-v2.pdf). Allowed prefixes: `02`, `03`
- `nextSecret` in the `Proof` message: big endian representation of the secret scalar
- `signature` field in `Signature` and `ExternalSignature` messages: [SEC1 ASN.1 format, defined in section C5](https://www.secg.org/sec1-v2.pdf), only using the `r` and `s` parameters

```
ECDSA-Sig-Value ::= SEQUENCE {
r INTEGER,
s INTEGER
}
```

#### Signed payload generation

The data covered by the signature algorithm depends on the `version` field of
Expand Down Expand Up @@ -865,7 +908,7 @@ the signed payload format for external signatures, thereafter referred as "exter

#### Signature (one block)

- `(pk_0, sk_0)` the root public and private Ed25519 keys
- `(pk_0, sk_0)` the root public and private keys
- `data_0` the serialized Datalog
- `(pk_1, sk_1)` the next key pair, generated at random
- `alg_1` the little endian representation of the signature algorithm fr `pk1, sk1` (see protobuf schema)
Expand Down Expand Up @@ -929,7 +972,7 @@ Token {
##### Optional external signature

Blocks generated by a trusted third party can carry an *extra* signature to provide a proof of their
origin. Same as regular signatures, they rely on Ed25519.
origin. Same as regular signatures, they rely on public key cryptography.

The external signature for block `n+1`, with `(external_pk, external_sk)` is `external_sig_n+1`, the signature of the payload in format "external signature payload v1" by `external_sk`.
The authority block can't carry an external signature. This is necessary to make sure an external signature can't be used for any other token.
Expand Down
87 changes: 86 additions & 1 deletion samples/current/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,7 @@ check if resource($0), operation("read"), right($0, "read");

### validation

result: `Err(Format(InvalidSignatureSize(16)))`
result: `Err(Format(BlockSignatureDeserializationError("block signature deserialization error: [117, 149, 161, 18, 161, 235, 91, 129, 166, 227, 152, 133, 46, 97, 24, 183]")))`


------------------------------
Expand Down Expand Up @@ -3187,3 +3187,88 @@ World {

result: `Ok(0)`


------------------------------

## ECDSA secp256r1 signatures: test036_secp256r1.bc
### token

authority:
symbols: ["file1", "file2"]

public keys: []

```
right("file1", "read");
right("file2", "read");
right("file1", "write");
```

1:
symbols: ["0"]

public keys: []

```
check if resource($0), operation("read"), right($0, "read");
```

### validation

authorizer code:
```
resource("file1");
operation("read");

allow if true;
```

revocation ids:
- `760785de30d7348e9c847aab8b3bdad6a0d463f4f50ed9667aade563e9112ee6d2f589630dd7553c2eced2a57edf3636d5c874b35df15120c62fddcbdbd2de09`
- `30440220039667c7a4d964e4b449289dc8fd206d7aa0e77eb701a9253b3307d32c177fa8022023f7523c143c5fb55ee4cafe49804702ef05a70883ebf42185b54bd36a7e7cd4`

authorizer world:
```
World {
facts: [
Facts {
origin: {
None,
},
facts: [
"operation(\"read\")",
"resource(\"file1\")",
],
},
Facts {
origin: {
Some(
0,
),
},
facts: [
"right(\"file1\", \"read\")",
"right(\"file1\", \"write\")",
"right(\"file2\", \"read\")",
],
},
]
rules: []
checks: [
Checks {
origin: Some(
1,
),
checks: [
"check if resource($0), operation(\"read\"), right($0, \"read\")",
],
},
]
policies: [
"allow if true",
]
}
```

result: `Ok(0)`

72 changes: 71 additions & 1 deletion samples/current/samples.json
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@
"result": {
"Err": {
"Format": {
"InvalidSignatureSize": 16
"BlockSignatureDeserializationError": "block signature deserialization error: [117, 149, 161, 18, 161, 235, 91, 129, 166, 227, 152, 133, 46, 97, 24, 183]"
}
}
},
Expand Down Expand Up @@ -2955,6 +2955,76 @@
]
}
}
},
{
"title": "ECDSA secp256r1 signatures",
"filename": "test036_secp256r1.bc",
"token": [
{
"symbols": [
"file1",
"file2"
],
"public_keys": [],
"external_key": null,
"code": "right(\"file1\", \"read\");\nright(\"file2\", \"read\");\nright(\"file1\", \"write\");\n"
},
{
"symbols": [
"0"
],
"public_keys": [],
"external_key": null,
"code": "check if resource($0), operation(\"read\"), right($0, \"read\");\n"
}
],
"validations": {
"": {
"world": {
"facts": [
{
"origin": [
null
],
"facts": [
"operation(\"read\")",
"resource(\"file1\")"
]
},
{
"origin": [
0
],
"facts": [
"right(\"file1\", \"read\")",
"right(\"file1\", \"write\")",
"right(\"file2\", \"read\")"
]
}
],
"rules": [],
"checks": [
{
"origin": 1,
"checks": [
"check if resource($0), operation(\"read\"), right($0, \"read\")"
]
}
],
"policies": [
"allow if true"
]
},
"result": {
"Ok": 0
},
"authorizer_code": "resource(\"file1\");\noperation(\"read\");\n\nallow if true;\n",
"revocation_ids": [
"760785de30d7348e9c847aab8b3bdad6a0d463f4f50ed9667aade563e9112ee6d2f589630dd7553c2eced2a57edf3636d5c874b35df15120c62fddcbdbd2de09",
"30440220039667c7a4d964e4b449289dc8fd206d7aa0e77eb701a9253b3307d32c177fa8022023f7523c143c5fb55ee4cafe49804702ef05a70883ebf42185b54bd36a7e7cd4"
]
}
}
}
]
}
Binary file added samples/current/test036_secp256r1.bc
Binary file not shown.
1 change: 1 addition & 0 deletions schema.proto
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ message PublicKey {

enum Algorithm {
Ed25519 = 0;
SECP256R1 = 1;
}

required bytes key = 2;
Expand Down