-
Notifications
You must be signed in to change notification settings - Fork 1
/
lib.rs
396 lines (351 loc) · 14.1 KB
/
lib.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
#![cfg_attr(not(feature = "std"), no_std)]
extern crate alloc;
use alloc::{
format,
string::{String, ToString},
vec::Vec,
};
use entropy_programs_core::{bindgen::*, export_program, prelude::*, Error};
use base64::{prelude::BASE64_STANDARD, Engine};
use ed25519_dalek::{Signature as Ed25519Signature, VerifyingKey as Ed25519PublicKey};
use k256::ecdsa::{
signature::Verifier, Signature as EcdsaSignature, VerifyingKey as EcdsaPublicKey,
};
use schnorrkel::{signing_context, PublicKey as Sr25519PublicKey, Signature as Sr25519Signature};
use serde::{Deserialize, Serialize};
#[cfg(test)]
mod tests;
// TODO confirm this isn't an issue for audit
register_custom_getrandom!(always_fail);
/// JSON-deserializable struct that will be used to derive the program-JSON interface.
/// Note how this uses JSON-native types only.
#[cfg_attr(feature = "std", derive(schemars::JsonSchema))]
#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
pub struct UserConfig {
/// base64-encoded compressed point (33-byte) ECDSA public keys, (eg. "A572dqoue5OywY/48dtytQimL9WO0dpSObaFbAxoEWW9")
pub ecdsa_public_keys: Option<Vec<String>>,
pub sr25519_public_keys: Option<Vec<String>>,
pub ed25519_public_keys: Option<Vec<String>>,
}
/// Used by the program to verify signatures
#[derive(Debug, Default, PartialEq, Eq, Clone)]
pub struct Config {
pub ecdsa_public_keys: Vec<EcdsaPublicKey>,
pub sr25519_public_keys: Vec<Sr25519PublicKey>,
pub ed25519_public_keys: Vec<Ed25519PublicKey>,
}
/// JSON representation of the auxiliary data
#[cfg_attr(feature = "std", derive(schemars::JsonSchema))]
#[derive(Debug, PartialEq, Eq, Clone, Serialize, Deserialize)]
pub struct AuxData {
/// "ecdsa", "ed25519", "sr25519"
pub public_key_type: String,
/// base64-encoded public key
pub public_key: String,
/// base64-encoded signature
pub signature: String,
/// The context for the signature only needed in sr25519 signature type
pub context: String,
}
trait DeviceKey {
type PublicKey;
type Signature;
fn verify_signature(&self, message: &[u8], context: &[u8]) -> Result<(), Error>;
fn from_base64(public_key: &[u8], signature: &[u8]) -> Result<Self, Error>
where
Self: Sized;
fn pub_key_from_base64(public_key: &[u8]) -> Result<Self::PublicKey, Error>
where
Self: Sized;
fn to_base64(&self) -> (String, String);
// Checks that the public key is included in the config
fn confirm_in_config(&self, config: &Config) -> Result<(), Error>;
}
struct VerificationParameters<P, S> {
pub_key: P,
signature: S,
}
type Ecdsa = VerificationParameters<EcdsaPublicKey, EcdsaSignature>;
type Sr25519 = VerificationParameters<Sr25519PublicKey, Sr25519Signature>;
type Ed25519 = VerificationParameters<Ed25519PublicKey, Ed25519Signature>;
impl DeviceKey for Ecdsa {
type PublicKey = EcdsaPublicKey;
type Signature = EcdsaSignature;
fn verify_signature(&self, message: &[u8], _context: &[u8]) -> Result<(), Error> {
self.pub_key.verify(message, &self.signature).map_err(|_| {
Error::InvalidSignatureRequest("Unable to verify ecdsa signature".to_string())
})
}
fn from_base64(pub_key_encoded: &[u8], signature_encoded: &[u8]) -> Result<Self, Error> {
let pub_key = Ecdsa::pub_key_from_base64(pub_key_encoded)?;
let signature = EcdsaSignature::from_slice(
BASE64_STANDARD
.decode(signature_encoded)
.map_err(|_| Error::InvalidSignatureRequest("ecdsa from_base64 error".to_string()))?
.as_slice(),
)
.map_err(|_| Error::InvalidSignatureRequest("Invalid ecdsa signature".to_string()))?;
Ok(Ecdsa { pub_key, signature })
}
fn pub_key_from_base64(pub_key_encoded: &[u8]) -> Result<Self::PublicKey, Error> {
let pub_key = EcdsaPublicKey::from_sec1_bytes(
BASE64_STANDARD
.decode(pub_key_encoded)
.map_err(|_| {
Error::InvalidSignatureRequest("ecdsa pub_key_from_base64 error".to_string())
})?
.as_slice(),
)
.map_err(|_| Error::InvalidSignatureRequest("Invalid ecdsa public key".to_string()))?;
Ok(pub_key)
}
fn to_base64(&self) -> (String, String) {
let pub_key_encoded = BASE64_STANDARD.encode(self.pub_key.to_encoded_point(true));
let signature_encoded = BASE64_STANDARD.encode(self.signature.to_bytes());
(pub_key_encoded, signature_encoded)
}
fn confirm_in_config(&self, config: &Config) -> Result<(), Error> {
if !config.ecdsa_public_keys.contains(&self.pub_key) {
return Err(Error::InvalidSignatureRequest(
"ECDSA Public key not in config".to_string(),
));
}
Ok(())
}
}
impl DeviceKey for Ed25519 {
type PublicKey = Ed25519PublicKey;
type Signature = Ed25519Signature;
fn verify_signature(&self, message: &[u8], _context: &[u8]) -> Result<(), Error> {
self.pub_key.verify(message, &self.signature).map_err(|_| {
Error::InvalidSignatureRequest("Unable to verify ed25519 signature".to_string())
})
}
fn pub_key_from_base64(public_key: &[u8]) -> Result<Self::PublicKey, Error>
where
Self: Sized,
{
let pub_key = Ed25519PublicKey::try_from(
BASE64_STANDARD
.decode(public_key)
.map_err(|_| {
Error::InvalidSignatureRequest("ed25519 pub_key_from_base64 error".to_string())
})?
.as_slice(),
)
.map_err(|_| Error::InvalidSignatureRequest("Invalid ed25519 public key".to_string()))?;
Ok(pub_key)
}
fn from_base64(pub_key_encoded: &[u8], signature_encoded: &[u8]) -> Result<Self, Error> {
let pub_key = Ed25519::pub_key_from_base64(pub_key_encoded)?;
let signature = Ed25519Signature::try_from(
BASE64_STANDARD
.decode(signature_encoded)
.map_err(|_| {
Error::InvalidSignatureRequest("ed25519 from_base64 error".to_string())
})?
.as_slice(),
)
.unwrap();
Ok(Ed25519 { pub_key, signature })
}
fn to_base64(&self) -> (String, String) {
let pub_key_encoded = BASE64_STANDARD.encode(self.pub_key.to_bytes());
let signature_encoded = BASE64_STANDARD.encode(self.signature.to_bytes());
(pub_key_encoded, signature_encoded)
}
fn confirm_in_config(&self, config: &Config) -> Result<(), Error> {
if !config.ed25519_public_keys.contains(&self.pub_key) {
return Err(Error::InvalidSignatureRequest(
"Ed25519 Public key not in config".to_string(),
));
}
Ok(())
}
}
impl DeviceKey for Sr25519 {
type PublicKey = Sr25519PublicKey;
type Signature = Sr25519Signature;
fn verify_signature(&self, message: &[u8], context: &[u8]) -> Result<(), Error> {
let context = signing_context(context);
self.pub_key
.verify(context.bytes(message), &self.signature)
.map_err(|_| {
Error::InvalidSignatureRequest("Unable to verify sr25519 signature".to_string())
})
}
fn from_base64(pub_key_encoded: &[u8], signature_encoded: &[u8]) -> Result<Self, Error> {
let pub_key = Sr25519::pub_key_from_base64(pub_key_encoded)?;
let signature = Sr25519Signature::from_bytes(
BASE64_STANDARD
.decode(signature_encoded)
.map_err(|_| {
Error::InvalidSignatureRequest("sr25519 from_base64 error".to_string())
})?
.as_slice(),
)
.map_err(|_| Error::InvalidSignatureRequest("Invalid sr25519 signature".to_string()))?;
Ok(Sr25519 { pub_key, signature })
}
fn pub_key_from_base64(pub_key_encoded: &[u8]) -> Result<Self::PublicKey, Error> {
let pub_key = Sr25519PublicKey::from_bytes(
BASE64_STANDARD
.decode(pub_key_encoded)
.map_err(|_| {
Error::InvalidSignatureRequest("sr25519 pub_key_from_base64 error".to_string())
})?
.as_slice(),
)
.map_err(|_| Error::InvalidSignatureRequest("Invalid sr25519 public key".to_string()))?;
Ok(pub_key)
}
fn to_base64(&self) -> (String, String) {
let pub_key_encoded = BASE64_STANDARD.encode(self.pub_key);
let signature_encoded = BASE64_STANDARD.encode(self.signature.to_bytes());
(pub_key_encoded, signature_encoded)
}
fn confirm_in_config(&self, config: &Config) -> Result<(), Error> {
if !config.sr25519_public_keys.contains(&self.pub_key) {
return Err(Error::InvalidSignatureRequest(
"Sr25519 Public key not in config".to_string(),
));
}
Ok(())
}
}
pub struct DeviceKeyProxy;
impl Program for DeviceKeyProxy {
fn evaluate(
signature_request: SignatureRequest,
raw_config: Option<Vec<u8>>,
_oracle_data: Option<Vec<u8>>,
) -> Result<(), Error> {
let config_json = serde_json::from_slice::<UserConfig>(
raw_config
.ok_or(Error::Evaluation("No config provided.".to_string()))?
.as_slice(),
)
.map_err(|e| Error::Evaluation(format!("Failed to parse config: {}", e)))?;
let aux_data_json = serde_json::from_slice::<AuxData>(
signature_request
.auxilary_data
.ok_or(Error::InvalidSignatureRequest(
"No auxilary_data provided".to_string(),
))?
.as_slice(),
)
.map_err(|e| {
Error::InvalidSignatureRequest(format!("Failed to parse auxilary_data: {}", e))
})?;
let config = Config::try_from(config_json)?;
// assert that the key in the aux data is in the config, and verify signature
match aux_data_json.public_key_type.as_str() {
"ecdsa" => {
let verification_parameters = Ecdsa::from_base64(
aux_data_json.public_key.as_bytes(),
aux_data_json.signature.as_bytes(),
)?;
verification_parameters.confirm_in_config(&config)?;
verification_parameters
.verify_signature(signature_request.message.as_slice(), b"")?;
}
"sr25519" => {
let verification_parameters = Sr25519::from_base64(
aux_data_json.public_key.as_bytes(),
aux_data_json.signature.as_bytes(),
)?;
verification_parameters.confirm_in_config(&config)?;
verification_parameters.verify_signature(
signature_request.message.as_slice(),
aux_data_json.context.as_bytes(),
)?;
}
"ed25519" => {
let verification_parameters = Ed25519::from_base64(
aux_data_json.public_key.as_bytes(),
aux_data_json.signature.as_bytes(),
)?;
verification_parameters.confirm_in_config(&config)?;
verification_parameters
.verify_signature(signature_request.message.as_slice(), b"")?;
}
_ => {
return Err(Error::InvalidSignatureRequest(
"Invalid public key type".to_string(),
))
}
}
Ok(())
}
fn custom_hash(_data: Vec<u8>) -> Option<Vec<u8>> {
None
}
}
impl TryFrom<UserConfig> for Config {
type Error = Error;
fn try_from(config_json: UserConfig) -> Result<Config, Error> {
let mut config = Config::default();
if let Some(ecdsa_pub_keys) = config_json.ecdsa_public_keys {
for encoded_key in ecdsa_pub_keys {
config.ecdsa_public_keys.push(
Ecdsa::pub_key_from_base64(encoded_key.as_bytes()).map_err(|_| {
Error::InvalidSignatureRequest("config conversion ecdsa".to_string())
})?,
);
}
}
if let Some(sr25519_pub_keys) = config_json.sr25519_public_keys {
for encoded_key in sr25519_pub_keys {
let public_key =
Sr25519::pub_key_from_base64(encoded_key.as_bytes()).map_err(|_| {
Error::InvalidSignatureRequest("config conversion sr25519".to_string())
})?;
config.sr25519_public_keys.push(public_key);
}
}
if let Some(ed25519_pub_keys) = config_json.ed25519_public_keys {
for encoded_key in ed25519_pub_keys {
let public_key =
Ed25519::pub_key_from_base64(encoded_key.as_bytes()).map_err(|_| {
Error::InvalidSignatureRequest("config conversion ed25519".to_string())
})?;
config.ed25519_public_keys.push(public_key);
}
}
Ok(config)
}
}
impl From<Config> for UserConfig {
fn from(config: Config) -> UserConfig {
let ecdsa_public_keys = config
.ecdsa_public_keys
.iter()
.map(|key| {
let encoded_key = BASE64_STANDARD.encode(key.to_encoded_point(true).as_bytes());
encoded_key
})
.collect();
let sr25519_public_keys = config
.sr25519_public_keys
.iter()
.map(|key| {
let encoded_key = BASE64_STANDARD.encode(key);
encoded_key
})
.collect();
let ed25519_public_keys = config
.ed25519_public_keys
.iter()
.map(|key| {
let encoded_key = BASE64_STANDARD.encode(key.as_bytes());
encoded_key
})
.collect();
UserConfig {
ecdsa_public_keys: Some(ecdsa_public_keys),
sr25519_public_keys: Some(sr25519_public_keys),
ed25519_public_keys: Some(ed25519_public_keys),
}
}
}
export_program!(DeviceKeyProxy);