Change signature format in minisign integrity proofs

silverpill 2022-11-19 14:54:33 +00:00
parent a46ceeb575
commit 4a5bcba127
7 changed files with 54 additions and 26 deletions


@ -11,7 +11,7 @@ use crate::frontend::get_subscription_page_url;
use crate::identity::{ use crate::identity::{
claims::create_identity_claim, claims::create_identity_claim,
did::Did, did::Did,
minisign::verify_minisign_signature, minisign::verify_minisign_identity_proof,
signatures::{PROOF_TYPE_ID_EIP191, PROOF_TYPE_ID_MINISIGN}, signatures::{PROOF_TYPE_ID_EIP191, PROOF_TYPE_ID_MINISIGN},
}; };
use crate::models::profiles::types::{ use crate::models::profiles::types::{
@ -55,7 +55,7 @@ pub fn parse_identity_proof(
if proof_type != PROOF_TYPE_ID_MINISIGN { if proof_type != PROOF_TYPE_ID_MINISIGN {
return Err(ValidationError("unknown proof type")); return Err(ValidationError("unknown proof type"));
}; };
verify_minisign_signature( verify_minisign_identity_proof(
did_key, did_key,
&message, &message,
signature, signature,


@ -12,8 +12,8 @@ use crate::http_signatures::verify::{
use crate::identity::did::Did; use crate::identity::did::Did;
use crate::json_signatures::verify::{ use crate::json_signatures::verify::{
get_json_signature, get_json_signature,
verify_ed25519_json_signature,
verify_eip191_json_signature, verify_eip191_json_signature,
verify_minisign_json_signature,
verify_rsa_json_signature, verify_rsa_json_signature,
JsonSignatureVerificationError as JsonSignatureError, JsonSignatureVerificationError as JsonSignatureError,
JsonSigner, JsonSigner,
@ -153,7 +153,7 @@ pub async fn verify_signed_activity(
if let Some(profile) = profiles.pop() { if let Some(profile) = profiles.pop() {
match did { match did {
Did::Key(did_key) => { Did::Key(did_key) => {
verify_minisign_json_signature( verify_ed25519_json_signature(
&did_key, &did_key,
&signature_data.message, &signature_data.message,
&signature_data.signature, &signature_data.signature,


@ -1,4 +1,6 @@
/// https://jedisct1.github.io/minisign/ /// https://jedisct1.github.io/minisign/
use std::convert::TryInto;
use blake2::{Blake2b512, Digest}; use blake2::{Blake2b512, Digest};
use ed25519_dalek::{ use ed25519_dalek::{
PublicKey, PublicKey,
@ -58,7 +60,7 @@ pub fn minisign_key_to_did(key_b64: &str) -> Result<DidKey, ParseError> {
// Signature format: // Signature format:
// base64(<signature_algorithm> || <key_id> || <signature>) // base64(<signature_algorithm> || <key_id> || <signature>)
fn parse_minisign_signature(signature_b64: &str) pub fn parse_minisign_signature(signature_b64: &str)
-> Result<[u8; 64], ParseError> -> Result<[u8; 64], ParseError>
{ {
let signature_bin = base64::decode(signature_b64)?; let signature_bin = base64::decode(signature_b64)?;
@ -79,7 +81,7 @@ fn parse_minisign_signature(signature_b64: &str)
Ok(signature) Ok(signature)
} }
fn verify_ed25519_signature( fn _verify_ed25519_signature(
message: &str, message: &str,
signer: [u8; 32], signer: [u8; 32],
signature: [u8; 64], signature: [u8; 64],
@ -105,7 +107,7 @@ pub enum VerificationError {
SignatureError(#[from] SignatureError), SignatureError(#[from] SignatureError),
} }
pub fn verify_minisign_signature( pub fn verify_minisign_identity_proof(
signer: &DidKey, signer: &DidKey,
message: &str, message: &str,
signature: &str, signature: &str,
@ -113,7 +115,24 @@ pub fn verify_minisign_signature(
let ed25519_key = signer.try_ed25519_key()?; let ed25519_key = signer.try_ed25519_key()?;
let ed25519_signature = parse_minisign_signature(signature)?; let ed25519_signature = parse_minisign_signature(signature)?;
let message = format!("{}\n", message); let message = format!("{}\n", message);
verify_ed25519_signature( _verify_ed25519_signature(
&message,
ed25519_key,
ed25519_signature,
)?;
Ok(())
}
pub fn verify_ed25519_signature(
signer: &DidKey,
message: &str,
signature: &[u8],
) -> Result<(), VerificationError> {
let ed25519_key = signer.try_ed25519_key()?;
let ed25519_signature = signature.try_into()
.map_err(|_| ParseError::InvalidSignatureLength)?;
let message = format!("{}\n", message);
_verify_ed25519_signature(
&message, &message,
ed25519_key, ed25519_key,
ed25519_signature, ed25519_signature,
@ -133,6 +152,6 @@ mod tests {
let minisign_signature = let minisign_signature =
"RUSA58rRENpGFVKxdZGMG1WdIJ+dlyP83qOqw6GP0H/Li6Brug2A3mFKLtleIRLi6IIG0smzOlX5CEsisNnc897OUHIOSNLsQQs="; "RUSA58rRENpGFVKxdZGMG1WdIJ+dlyP83qOqw6GP0H/Li6Brug2A3mFKLtleIRLi6IIG0smzOlX5CEsisNnc897OUHIOSNLsQQs=";
let signer = minisign_key_to_did(minisign_key).unwrap(); let signer = minisign_key_to_did(minisign_key).unwrap();
verify_minisign_signature(&signer, message, minisign_signature).unwrap(); verify_minisign_identity_proof(&signer, message, minisign_signature).unwrap();
} }
} }
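Review bot: The new public `verify_ed25519_signature` appends a newline to the message before verifying, exactly as `verify_minisign_identity_proof` does, but neither the function nor the `PROOF_TYPE_JCS_ED25519` comment says so. That comment now describes the proof as JCS, BLAKE2b-512 and EdDSA, so an implementation that signs the canonical JSON without the trailing newline will produce signatures this function rejects. I would add a doc comment along the lines of `/// Verifies signature over message followed by "\n", as verify_minisign_identity_proof does.` and mention the newline in the proof type comment too. The two public verifiers now differ only in how the 64 signature bytes are obtained, so their shared tail could move into one private helper; the body of `_verify_ed25519_signature` lies outside these hunks.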


@ -15,5 +15,9 @@ pub const PROOF_TYPE_JCS_RSA: &str = "JcsRsaSignature2022";
// Similar to EthereumPersonalSignature2021 but with JCS // Similar to EthereumPersonalSignature2021 but with JCS
pub const PROOF_TYPE_JCS_EIP191: &str ="JcsEip191Signature2022"; pub const PROOF_TYPE_JCS_EIP191: &str ="JcsEip191Signature2022";
// Version 2022A // Similar to Ed25519Signature2020
pub const PROOF_TYPE_JCS_MINISIGN: &str = "MitraJcsMinisignSignature2022A"; // https://w3c-ccg.github.io/di-eddsa-2020/#ed25519signature2020
// - Canonicalization algorithm: JCS
// - Digest algorithm: BLAKE2b-512
// - Signature algorithm: EdDSA
pub const PROOF_TYPE_JCS_ED25519: &str = "MitraJcsEd25519Signature2022";


@ -7,8 +7,8 @@ use crate::identity::{
did_key::DidKey, did_key::DidKey,
did_pkh::DidPkh, did_pkh::DidPkh,
signatures::{ signatures::{
PROOF_TYPE_JCS_ED25519,
PROOF_TYPE_JCS_EIP191, PROOF_TYPE_JCS_EIP191,
PROOF_TYPE_JCS_MINISIGN,
PROOF_TYPE_JCS_RSA, PROOF_TYPE_JCS_RSA,
}, },
}; };
@ -61,16 +61,16 @@ impl IntegrityProof {
} }
} }
pub fn jcs_minisign( pub fn jcs_ed25519(
signer: &DidKey, signer: &DidKey,
signature: &str, signature: &[u8],
) -> Self { ) -> Self {
Self { Self {
proof_type: PROOF_TYPE_JCS_MINISIGN.to_string(), proof_type: PROOF_TYPE_JCS_ED25519.to_string(),
proof_purpose: PROOF_PURPOSE.to_string(), proof_purpose: PROOF_PURPOSE.to_string(),
verification_method: signer.to_string(), verification_method: signer.to_string(),
created: Utc::now(), created: Utc::now(),
proof_value: signature.to_string(), proof_value: base64::encode(signature),
} }
} }
} }
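Review bot: `jcs_ed25519` takes `signature: &[u8]` and base64-encodes whatever it is given, so a slice of the wrong length becomes a stored proof that `verify_ed25519_signature` will later reject with `InvalidSignatureLength`. The one caller visible on this page, `send_signed_update`, already holds the `[u8; 64]` returned by `parse_minisign_signature`, so the parameter could be `signature: &[u8; 64]` and the length would be enforced by the type. The enclosing `impl IntegrityProof` begins outside the hunk, so any other callers would need checking.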


@ -6,10 +6,10 @@ use crate::identity::{
did::Did, did::Did,
did_key::DidKey, did_key::DidKey,
did_pkh::DidPkh, did_pkh::DidPkh,
minisign::verify_minisign_signature, minisign::verify_ed25519_signature,
signatures::{ signatures::{
PROOF_TYPE_JCS_ED25519,
PROOF_TYPE_JCS_EIP191, PROOF_TYPE_JCS_EIP191,
PROOF_TYPE_JCS_MINISIGN,
PROOF_TYPE_JCS_RSA, PROOF_TYPE_JCS_RSA,
}, },
}; };
@ -78,7 +78,7 @@ pub fn get_json_signature(
.map_err(|_| VerificationError::InvalidProof("invalid DID"))?; .map_err(|_| VerificationError::InvalidProof("invalid DID"))?;
JsonSigner::Did(Did::Pkh(did_pkh)) JsonSigner::Did(Did::Pkh(did_pkh))
}, },
PROOF_TYPE_JCS_MINISIGN => { PROOF_TYPE_JCS_ED25519 => {
let did_key: DidKey = proof.verification_method.parse() let did_key: DidKey = proof.verification_method.parse()
.map_err(|_| VerificationError::InvalidProof("invalid DID"))?; .map_err(|_| VerificationError::InvalidProof("invalid DID"))?;
JsonSigner::Did(Did::Key(did_key)) JsonSigner::Did(Did::Key(did_key))
@ -126,12 +126,13 @@ pub fn verify_eip191_json_signature(
.map_err(|_| VerificationError::InvalidSignature) .map_err(|_| VerificationError::InvalidSignature)
} }
pub fn verify_minisign_json_signature( pub fn verify_ed25519_json_signature(
signer: &DidKey, signer: &DidKey,
message: &str, message: &str,
signature: &str, signature: &str,
) -> Result<(), VerificationError> { ) -> Result<(), VerificationError> {
verify_minisign_signature(signer, message, signature) let signature_bin = base64::decode(signature)?;
verify_ed25519_signature(signer, message, &signature_bin)
.map_err(|_| VerificationError::InvalidSignature) .map_err(|_| VerificationError::InvalidSignature)
} }
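Review bot: In `verify_ed25519_json_signature` a malformed base64 `proof_value` leaves through `?`, while every failure of `verify_ed25519_signature` is collapsed to `VerificationError::InvalidSignature`, so callers see two different errors for a proof that cannot be verified. The `?` depends on an error conversion declared outside this hunk; if the distinction is not intended, `let signature_bin = base64::decode(signature).map_err(|_| VerificationError::InvalidSignature)?;` keeps the function to a single error. Because the parameter is still `signature: &str` although its contents changed, a doc comment stating that it is now standard base64 of the raw 64-byte signature, without the minisign algorithm and key id prefix, would prevent callers from passing the old format.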


@ -27,15 +27,16 @@ use crate::identity::{
did_pkh::DidPkh, did_pkh::DidPkh,
minisign::{ minisign::{
minisign_key_to_did, minisign_key_to_did,
verify_minisign_signature, parse_minisign_signature,
verify_minisign_identity_proof,
}, },
signatures::{PROOF_TYPE_ID_EIP191, PROOF_TYPE_ID_MINISIGN}, signatures::{PROOF_TYPE_ID_EIP191, PROOF_TYPE_ID_MINISIGN},
}; };
use crate::json_signatures::{ use crate::json_signatures::{
create::{add_integrity_proof, IntegrityProof}, create::{add_integrity_proof, IntegrityProof},
verify::{ verify::{
verify_ed25519_json_signature,
verify_eip191_json_signature, verify_eip191_json_signature,
verify_minisign_json_signature,
}, },
}; };
use crate::mastodon_api::oauth::auth::get_current_user; use crate::mastodon_api::oauth::auth::get_current_user;
@ -293,9 +294,12 @@ async fn send_signed_update(
.map_err(|_| HttpError::InternalError)?; .map_err(|_| HttpError::InternalError)?;
let proof = match signer { let proof = match signer {
Did::Key(signer) => { Did::Key(signer) => {
verify_minisign_json_signature(&signer, &canonical_json, &data.signature) let signature_bin = parse_minisign_signature(&data.signature)
.map_err(|_| ValidationError("invalid encoding"))?;
let signature_b64 = base64::encode(&signature_bin);
verify_ed25519_json_signature(&signer, &canonical_json, &signature_b64)
.map_err(|_| ValidationError("invalid signature"))?; .map_err(|_| ValidationError("invalid signature"))?;
IntegrityProof::jcs_minisign(&signer, &data.signature) IntegrityProof::jcs_ed25519(&signer, &signature_bin)
}, },
Did::Pkh(signer) => { Did::Pkh(signer) => {
let signature_bin = hex::decode(&data.signature) let signature_bin = hex::decode(&data.signature)
@ -382,7 +386,7 @@ async fn create_identity_proof(
// Verify proof // Verify proof
let proof_type = match did { let proof_type = match did {
Did::Key(ref did_key) => { Did::Key(ref did_key) => {
verify_minisign_signature( verify_minisign_identity_proof(
did_key, did_key,
&message, &message,
&proof_data.signature, &proof_data.signature,
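Review bot: In `send_signed_update` the parsed signature is base64-encoded only so that `verify_ed25519_json_signature` can decode it again one line later. Verifying the bytes directly, `verify_ed25519_signature(&signer, &canonical_json, &signature_bin)` with the function imported from `identity::minisign`, removes the round trip and makes it plain that the bytes verified are the bytes handed to `IntegrityProof::jcs_ed25519`. Separately, `parse_minisign_signature` drops the algorithm and key id fields and its body is not visible in these hunks. Since the stored proof no longer carries those fields, it is worth confirming that the parser rejects any algorithm id other than the one `_verify_ed25519_signature` implements.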