New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to verify a caller based on a public key #395
Comments
These are the keys I'm testing with. |
p256 is the crate for secp256r1 keys, the IC uses secp256k1 keys which are provided by the |
BasicIdentity could more descriptively be named Ed25519Identity. You're right that OpenSSL doesn't support it; that's one of the big reasons we support secp256k1 (the other being that Bitcoin uses it). But it is in a general sense better, which is why the IC primarily targets it. |
Thanks, |
Thanks again. I was using that at first but changed crates when I found the test I linked to and tried to verify that it worked the same on my system. |
By "it" do you mean ed25519Identity or secp256k1? |
Just to clarify on this, apparently newer versions of OpenSSL support I tried using If you know how to make this work, I'd appreciate the insight. Also agent-rs/ic-agent/src/identity/basic.rs Lines 42 to 44 in 4245c49
I'm not sure if it was a conscious decision to only support v2 keys with |
For some reason, in my standalone example
|
It also looks like this may not work in a canister as-is since it appears to be trying to use Not sure why randomness is even needed for verification so maybe I can turn off a default feature. Will look into providing something like I did here if not: https://github.com/codebase-labs/ic-auth-tokens/blob/76113cbaa8b788b1989a9d5ef0868cdb12ee46af/crates/ic-auth-tokens/src/lib.rs#L75-L95 |
|
Sounds like you got that backwards - FromStr is only implemented if the pem feature is enabled, and isn't if it's disabled.
The one we use for our tests, I generated in Rust via k256.
Ed25519, especially for the speed. |
yes, I used |
Thanks. I thought that might be it. I was hoping for something that people would likely already have installed. |
Thanks for all the help. I'll make a PR to update the documentation with what was learned here. |
I'm struggling to verify a caller based on a public key. I generated a private key with
openssl ecparam -name secp256k1 -genkey -noout -out identity.pem
and a public key withopenssl ec -in secp256k1.pem -pubout -out public.pem
I create an identity with
let identity = Secp256k1Identity::from_pem_file(private_key_path)?;
which gives me a principal oftvfic-z7h73-2yknr-uyp26-pru5d-bjfbs-3tdnz-mctcw-mkj5d-uecaw-aae
Based on the source code for
Secp256k1Identity
it looks like I need to provide a der-encoded public key toPrincipal::self_authenticating
:agent-rs/ic-agent/src/identity/secp256k1.rs
Lines 71 to 75 in 391f38e
I'd prefer to support a workflow where users can copy and paste the contents of the public key PEM file, and based on how
Secp256kIdentity
is encoding the public key I found the following which seems to be exactly what I need:https://github.com/RustCrypto/elliptic-curves/blob/078363da500b04a031bcefb41bd25363b7ce1df7/p256/tests/pkcs8.rs#L57-L63
This is what I'm doing but the public key fails to parse.
Lastly, I was quite confused about
Secp256k1Identity
vsBasicIdentity
.BasicIdentity
supports ED25519 so I tried to use that first, but I couldn't figure it out.openssl
on my machine didn't support that algorithm which I thought presented a barrier for people, and even then you'd get a v1 key which doesn't guarantee that the private key matches the public key.Curious if ED25519 is still the better option.
The text was updated successfully, but these errors were encountered: