-switch to EdDSA egos only for signature rest endpoint

author: Tristan Schwieren <tristan.schwieren@tum.de> 2022-08-26 15:51:29 +0200
committer: Tristan Schwieren <tristan.schwieren@tum.de> 2022-08-26 17:49:07 +0200
commit: 7777cef05fedae221bf4b82c6b5a1de87a7d101e (patch)
tree: 4fe985301185257f5d4dfd78e5944cc062cd5f1f
parent: 45f2059a57f4a55214bb25b1efc8da2f184ef1ae (diff)
download: gnunet-7777cef05fedae221bf4b82c6b5a1de87a7d101e.tar.gz
gnunet-7777cef05fedae221bf4b82c6b5a1de87a7d101e.zip
4 files changed, 112 insertions, 72 deletions
diff --git a/src/identity/plugin_rest_identity.c b/src/identity/plugin_rest_identity.c
index 06ef7a174..15e0987f2 100644
--- a/src/identity/plugin_rest_identity.c
+++ b/src/identity/plugin_rest_identity.c
@@ -1202,9 +1202,10 @@ void
 ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
 {
  struct RequestHandle *handle = ((struct ego_sign_data_cls *) cls)->handle;
-  char *data = (char *) ((struct ego_sign_data_cls *) cls)->data; // data is url decoded
+  unsigned char *data
+    = (unsigned char *) ((struct ego_sign_data_cls *) cls)->data; // data is url decoded
  struct MHD_Response *resp;
-  struct GNUNET_CRYPTO_EcdsaSignature sig;
+  struct GNUNET_CRYPTO_EddsaSignature sig;
  char *sig_str;
  char *result;
@@ -1216,7 +1217,15 @@ ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
    return;
  }
-  if ( GNUNET_OK != GNUNET_CRYPTO_ecdsa_sign_raw (&(ego->pk.ecdsa_key),
+  if (ntohl (ego->pk.type) != GNUNET_IDENTITY_TYPE_EDDSA)
+  {
+    handle->response_code = MHD_HTTP_BAD_REQUEST;
+    handle->emsg = GNUNET_strdup ("Ego has to use an EdDSA key");
+    GNUNET_SCHEDULER_add_now (&do_error, handle);
+    return;
+  }
+  if ( GNUNET_OK != GNUNET_CRYPTO_eddsa_sign_raw (&(ego->pk.eddsa_key),
                                                  (void *) data,
                                                  strlen (data),
                                                  &sig))
@@ -1227,10 +1236,9 @@ ego_sign_data_cb (void *cls, struct GNUNET_IDENTITY_Ego *ego)
    return;
  }
-  // TODO: Encode the signature 
+  sig_str = malloc (64);
-  sig_str = malloc(64);
+  GNUNET_CRYPTO_eddsa_signature_encode (
-  GNUNET_CRYPTO_ecdsa_signature_encode(
+    (const struct GNUNET_CRYPTO_EddsaSignature *) &sig,
-    (const struct GNUNET_CRYPTO_EcdsaSignature *) &sig, 
    &sig_str);
  GNUNET_asprintf (&result,
diff --git a/src/identity/test_plugin_rest_identity_signature.sh b/src/identity/test_plugin_rest_identity_signature.sh
index 2a56996d5..6b3470388 100755
--- a/src/identity/test_plugin_rest_identity_signature.sh
+++ b/src/identity/test_plugin_rest_identity_signature.sh
@@ -5,6 +5,13 @@
 header='{"alg":"ES256"}'
 payload='{"iss":"joe",\r\n "exp":1300819380,\r\n "http://example.com/is_root":true}'
+key='{"kty":"EC",
+      "crv":"P-256",
+      "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
+      "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
+      "d":"jpsQnnGQmL-YBIffH1136cspYG6-0iY7X1fCE9-E9LI"
+     }'
 header_payload_test=(
    101 121 74 104 98 71 99 105 79 105 74 70 85 122 73
    49 78 105 74 57 46 101 121 74 112 99 51 77 105 79 105
@@ -15,27 +22,50 @@ header_payload_test=(
    98 83 57 112 99 49 57 121 98 50 57 48 73 106 112 48
    99 110 86 108 102 81)
+base64url_add_padding() {
+    for i in $( seq 1 $(( 4 - ${#1} % 4 )) ); do padding+="="; done
+    echo "$1""$padding"
+}
 base64url_encode () {
    echo -n -e "$1" | base64 -w0 | tr '+/' '-_' | tr -d '='
 }
+base64url_decode () {
+    padded_input=$(base64url_add_padding "$1")
+    echo -n "$padded_input" | tr '_-' '/+' | base64 -w0 --decode 
+}
+base32crockford_encode () {
+    echo -n "$i" | basenc --base32hex | tr 'IJKLMNOPQRSTUV' 'JKMNPQRSTVWXYZ'
+}
+header_enc=$(base64url_encode "$header")
+payload_enc=$(base64url_encode "$payload")
 # encode header_payload test vektor
 for i in "${header_payload_test[@]}"
 do 
    header_payload_test_enc+=$(printf "\x$(printf %x $i)")
 done
-header_enc=$(base64url_encode "$header")
+# test base64url encoding and header-payload concatenation
-payload_enc=$(base64url_encode "$payload")
-# test base64url encoding and header & payload concatenation
 if [ "$header_enc.$payload_enc" != $header_payload_test_enc ] ; 
 then 
    exit 1
 fi
 signature_enc=$(curl -s "localhost:7776/sign?user=tristan&data=$header_payload_enc" | jq -r '.signature')
-echo "$header_enc.$payload_enc.$signature_enc"
+jwt="$header_enc.$payload_enc.$signature_enc"
+echo $jwt
+# Convert secret JWK to GNUnet skey
+key_dec=$(base64url_decode $( echo -n "$key" | jq -r '.d'))
+for i in $(echo -n $key_dec | xxd -p | tr -d '\n' | fold -w 2)
+do 
+    echo -n "$i "
+done
+echo ""
 # TODO: Test Signature
    # Gen key: Public Key GNS zone type value + d in crockford encoding
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 1d5722450..93945c731 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -1955,11 +1955,35 @@ GNUNET_CRYPTO_ecdsa_sign_ (
 * @return enum GNUNET_GenericReturnValue 
 */
 enum GNUNET_GenericReturnValue
-GNUNET_CRYPTO_ecdsa_sign_raw (
+GNUNET_CRYPTO_eddsa_sign_raw (
-  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
+  const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
  void *data,
-  size_t len,
+  size_t size,
-  struct GNUNET_CRYPTO_EcdsaSignature *sig);
+  struct GNUNET_CRYPTO_EddsaSignature *sig);
+/**
+ * @brief 
+ * 
+ * @param sig 
+ * @param sig_str 
+ * @return enum GNUNET_GenericReturnValue 
+ */
+size_t
+GNUNET_CRYPTO_eddsa_signature_encode(
+  const struct GNUNET_CRYPTO_EddsaSignature *sig,
+  char **sig_str);
+/**
+ * @brief 
+ * 
+ * @param sig_str 
+ * @param sig 
+ * @return enum GNUNET_GenericReturnValue 
+ */
+size_t
+GNUNET_CRYPTO_eddsa_signature_decode(
+  const char *sig_str,
+  struct GNUNET_CRYPTO_EddsaSignature *sig);
 /**
 * @brief 
diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c
index 36945e291..0ac6e2865 100644
--- a/src/util/crypto_ecc.c
+++ b/src/util/crypto_ecc.c
@@ -594,68 +594,46 @@ GNUNET_CRYPTO_ecdsa_sign_ (
  return GNUNET_OK;
 }
-// TODO: Code reuse with GNUNET_CRYPTO_ecdsa_sign_
-// Refactor above as a wrapper around raw
 enum GNUNET_GenericReturnValue
-GNUNET_CRYPTO_ecdsa_sign_raw (
+GNUNET_CRYPTO_eddsa_sign_raw (
-  const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
+  const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
  void *data,
-  size_t len,
+  size_t size,
-  struct GNUNET_CRYPTO_EcdsaSignature *sig)
+  struct GNUNET_CRYPTO_EddsaSignature *sig)
 {
-  struct GNUNET_HashCode hash_code;
+  unsigned char sk[crypto_sign_SECRETKEYBYTES];
-  gcry_sexp_t skey_sexp;
+  unsigned char pk[crypto_sign_PUBLICKEYBYTES];
-  gcry_sexp_t sig_sexp;
+  int res;
-  gcry_sexp_t data_sexp;
-  gcry_error_t error;
-  gcry_mpi_t rs[2];
-  // Decode private key
-  skey_sexp = decode_private_ecdsa_key (priv);
-  // Hash data
-  GNUNET_CRYPTO_hash (data, len, &hash_code);
-  if (0 != (error = gcry_sexp_build (&data_sexp,
-                                     NULL,
-                                     "(data(flags rfc6979)(hash %s %b))",
-                                     "sha512",
-                                     (int) sizeof(hash_code),
-                                     &hash_code)))
-  {
-    LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", error);
-    return GNUNET_SYSERR;
-  }
-  // Sign Hash
+  GNUNET_assert (0 == crypto_sign_seed_keypair (pk, sk, priv->d));
-  if (0 != (error = gcry_pk_sign (&sig_sexp, data_sexp, skey_sexp)))
+  res = crypto_sign_detached ((uint8_t *) sig,
-  {
+                              NULL,
-    LOG (GNUNET_ERROR_TYPE_WARNING,
+                              (uint8_t *) data,
-         _ ("ECC signing failed at %s:%d: %s\n"),
+                              size,
-         __FILE__,
+                              sk);
-         __LINE__,
+  return (res == 0) ? GNUNET_OK : GNUNET_SYSERR;
-         gcry_strerror (error));
+}
-    gcry_sexp_release (data_sexp);
-    gcry_sexp_release (skey_sexp);
-    return GNUNET_SYSERR;
-  }
-  gcry_sexp_release (skey_sexp);
-  gcry_sexp_release (data_sexp);
-  /* extract 'r' and 's' values from sexpression 'sig_sexp' and store in
+size_t
-     'signature' */
+GNUNET_CRYPTO_eddsa_signature_encode (
-  if (0 != (error = key_from_sexp (rs, sig_sexp, "sig-val", "rs")))
+  const struct GNUNET_CRYPTO_EddsaSignature *sig,
-  {
+  char **sig_str)
-    GNUNET_break (0);
+{
-    gcry_sexp_release (sig_sexp);
+  return GNUNET_STRINGS_base64url_encode (
-    return GNUNET_SYSERR;
+    (void*) sig,
-  }
+    32,
-  gcry_sexp_release (sig_sexp);
+    sig_str);
-  GNUNET_CRYPTO_mpi_print_unsigned (sig->r, sizeof(sig->r), rs[0]);
+}
-  GNUNET_CRYPTO_mpi_print_unsigned (sig->s, sizeof(sig->s), rs[1]);
-  gcry_mpi_release (rs[0]);
-  gcry_mpi_release (rs[1]);
-  return GNUNET_OK;
+size_t
+GNUNET_CRYPTO_eddsa_signature_decode (
+  const char *sig_str,
+  struct GNUNET_CRYPTO_EddsaSignature *sig)
+{
+  return GNUNET_STRINGS_base64url_decode (
+    sig_str, 
+    strlen (sig_str),
+    (void **) &sig);
 }
 size_t
author	Tristan Schwieren <tristan.schwieren@tum.de>	2022-08-26 15:51:29 +0200
committer	Tristan Schwieren <tristan.schwieren@tum.de>	2022-08-26 17:49:07 +0200
commit	7777cef05fedae221bf4b82c6b5a1de87a7d101e (patch)
tree	4fe985301185257f5d4dfd78e5944cc062cd5f1f
parent	45f2059a57f4a55214bb25b1efc8da2f184ef1ae (diff)
download	gnunet-7777cef05fedae221bf4b82c6b5a1de87a7d101e.tar.gz gnunet-7777cef05fedae221bf4b82c6b5a1de87a7d101e.zip