|
|
|
|
Quelle signer.rs
Sprache: unbekannt
|
|
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// Copyright by contributors to this project.
// SPDX-License-Identifier: (Apache-2.0 OR MIT)
use alloc::vec::Vec;
use core::fmt::{self, Debug};
use mls_rs_codec::{MlsEncode, MlsSize};
use mls_rs_core::error::IntoAnyError;
use crate::client::MlsError;
use crate::crypto::{CipherSuiteProvider, SignaturePublicKey, SignatureSecretKey};
#[derive(Clone, MlsSize, MlsEncode)]
struct SignContent {
#[mls_codec(with = "mls_rs_codec::byte_vec")]
label: Vec<u8>,
#[mls_codec(with = "mls_rs_codec::byte_vec")]
content: Vec<u8>,
}
impl Debug for SignContent {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
f.debug_struct("SignContent")
.field("label", &mls_rs_core::debug::pretty_bytes(&self.label))
.field("content", &mls_rs_core::debug::pretty_bytes(&self.content))
.finish()
}
}
impl SignContent {
pub fn new(label: &str, content: Vec<u8>) -> Self {
Self {
label: [b"MLS 1.0 ", label.as_bytes()].concat(),
content,
}
}
}
#[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
#[cfg_attr(all(target_arch = "wasm32", mls_build_async), maybe_async::must_be_async(?Send))]
#[cfg_attr(
all(not(target_arch = "wasm32"), mls_build_async),
maybe_async::must_be_async
)]
pub(crate) trait Signable<'a> {
const SIGN_LABEL: &'static str;
type SigningContext: Send + Sync;
fn signature(&self) -> &[u8];
fn signable_content(
&self,
context: &Self::SigningContext,
) -> Result<Vec<u8>, mls_rs_codec::Error>;
fn write_signature(&mut self, signature: Vec<u8>);
async fn sign<P: CipherSuiteProvider>(
&mut self,
signature_provider: &P,
signer: &SignatureSecretKey,
context: &Self::SigningContext,
) -> Result<(), MlsError> {
let sign_content = SignContent::new(Self::SIGN_LABEL, self.signable_content(context)?);
let signature = signature_provider
.sign(signer, &sign_content.mls_encode_to_vec()?)
.await
.map_err(|e| MlsError::CryptoProviderError(e.into_any_error()))?;
self.write_signature(signature);
Ok(())
}
async fn verify<P: CipherSuiteProvider>(
&self,
signature_provider: &P,
public_key: &SignaturePublicKey,
context: &Self::SigningContext,
) -> Result<(), MlsError> {
let sign_content = SignContent::new(Self::SIGN_LABEL, self.signable_content(context)?);
signature_provider
.verify(
public_key,
self.signature(),
&sign_content.mls_encode_to_vec()?,
)
.await
.map_err(|_| MlsError::InvalidSignature)
}
}
#[cfg(test)]
pub(crate) mod test_utils {
use alloc::vec;
use alloc::{string::String, vec::Vec};
use mls_rs_core::crypto::CipherSuiteProvider;
use crate::crypto::test_utils::try_test_cipher_suite_provider;
use super::Signable;
#[derive(Debug, serde::Serialize, serde::Deserialize)]
pub struct SignatureInteropTestCase {
#[serde(with = "hex::serde", rename = "priv")]
secret: Vec<u8>,
#[serde(with = "hex::serde", rename = "pub")]
public: Vec<u8>,
#[serde(with = "hex::serde")]
content: Vec<u8>,
label: String,
#[serde(with = "hex::serde")]
signature: Vec<u8>,
}
#[derive(Debug, serde::Serialize, serde::Deserialize)]
pub struct InteropTestCase {
cipher_suite: u16,
sign_with_label: SignatureInteropTestCase,
}
#[maybe_async::test(not(mls_build_async), async(mls_build_async, crate::futures_test))]
async fn test_basic_crypto_test_vectors() {
let test_cases: Vec<InteropTestCase> =
load_test_case_json!(basic_crypto, Vec::<InteropTestCase>::new());
for test_case in test_cases {
if let Some(cs) = try_test_cipher_suite_provider(test_case.cipher_suite) {
test_case.sign_with_label.verify(&cs).await;
}
}
}
pub struct TestSignable {
pub content: Vec<u8>,
pub signature: Vec<u8>,
}
impl<'a> Signable<'a> for TestSignable {
const SIGN_LABEL: &'static str = "SignWithLabel";
type SigningContext = Vec<u8>;
fn signature(&self) -> &[u8] {
&self.signature
}
fn signable_content(
&self,
context: &Self::SigningContext,
) -> Result<Vec<u8>, mls_rs_codec::Error> {
Ok([context.as_slice(), self.content.as_slice()].concat())
}
fn write_signature(&mut self, signature: Vec<u8>) {
self.signature = signature
}
}
impl SignatureInteropTestCase {
#[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
pub async fn verify<P: CipherSuiteProvider>(&self, cs: &P) {
let public = self.public.clone().into();
let signable = TestSignable {
content: self.content.clone(),
signature: self.signature.clone(),
};
signable.verify(cs, &public, &vec![]).await.unwrap();
}
}
}
#[cfg(test)]
mod tests {
use super::{test_utils::TestSignable, *};
use crate::{
client::test_utils::TEST_CIPHER_SUITE,
crypto::test_utils::{
test_cipher_suite_provider, try_test_cipher_suite_provider, TestCryptoProvider,
},
group::test_utils::random_bytes,
};
use alloc::vec;
use assert_matches::assert_matches;
#[derive(Debug, serde::Serialize, serde::Deserialize)]
struct TestCase {
cipher_suite: u16,
#[serde(with = "hex::serde")]
content: Vec<u8>,
#[serde(with = "hex::serde")]
context: Vec<u8>,
#[serde(with = "hex::serde")]
signature: Vec<u8>,
#[serde(with = "hex::serde")]
signer: Vec<u8>,
#[serde(with = "hex::serde")]
public: Vec<u8>,
}
#[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
#[cfg_attr(coverage_nightly, coverage(off))]
async fn generate_test_cases() -> Vec<TestCase> {
let mut test_cases = Vec::new();
for cipher_suite in TestCryptoProvider::all_supported_cipher_suites() {
let provider = test_cipher_suite_provider(cipher_suite);
let (signer, public) = provider.signature_key_generate().await.unwrap();
let content = random_bytes(32);
let context = random_bytes(32);
let mut test_signable = TestSignable {
content: content.clone(),
signature: Vec::new(),
};
test_signable
.sign(&provider, &signer, &context)
.await
.unwrap();
test_cases.push(TestCase {
cipher_suite: cipher_suite.into(),
content,
context,
signature: test_signable.signature,
signer: signer.to_vec(),
public: public.to_vec(),
});
}
test_cases
}
#[cfg(mls_build_async)]
async fn load_test_cases() -> Vec<TestCase> {
load_test_case_json!(signatures, generate_test_cases().await)
}
#[cfg(not(mls_build_async))]
fn load_test_cases() -> Vec<TestCase> {
load_test_case_json!(signatures, generate_test_cases())
}
#[maybe_async::test(not(mls_build_async), async(mls_build_async, crate::futures_test))]
async fn test_signatures() {
let cases = load_test_cases().await;
for one_case in cases {
let Some(cipher_suite_provider) = try_test_cipher_suite_provider(one_case.cipher_suite)
else {
continue;
};
let public_key = SignaturePublicKey::from(one_case.public);
// Wasm uses incompatible signature secret key format
#[cfg(not(target_arch = "wasm32"))]
{
// Test signature generation
let mut test_signable = TestSignable {
content: one_case.content.clone(),
signature: Vec::new(),
};
let signature_key = SignatureSecretKey::from(one_case.signer);
test_signable
.sign(&cipher_suite_provider, &signature_key, &one_case.context)
.await
.unwrap();
test_signable
.verify(&cipher_suite_provider, &public_key, &one_case.context)
.await
.unwrap();
}
// Test verifying an existing signature
let test_signable = TestSignable {
content: one_case.content,
signature: one_case.signature,
};
test_signable
.verify(&cipher_suite_provider, &public_key, &one_case.context)
.await
.unwrap();
}
}
#[maybe_async::test(not(mls_build_async), async(mls_build_async, crate::futures_test))]
async fn test_invalid_signature() {
let cipher_suite_provider = test_cipher_suite_provider(TEST_CIPHER_SUITE);
let (correct_secret, _) = cipher_suite_provider
.signature_key_generate()
.await
.unwrap();
let (_, incorrect_public) = cipher_suite_provider
.signature_key_generate()
.await
.unwrap();
let mut test_signable = TestSignable {
content: random_bytes(32),
signature: vec![],
};
test_signable
.sign(&cipher_suite_provider, &correct_secret, &vec![])
.await
.unwrap();
let res = test_signable
.verify(&cipher_suite_provider, &incorrect_public, &vec![])
.await;
assert_matches!(res, Err(MlsError::InvalidSignature));
}
#[maybe_async::test(not(mls_build_async), async(mls_build_async, crate::futures_test))]
async fn test_invalid_context() {
let cipher_suite_provider = test_cipher_suite_provider(TEST_CIPHER_SUITE);
let (secret, public) = cipher_suite_provider
.signature_key_generate()
.await
.unwrap();
let correct_context = random_bytes(32);
let incorrect_context = random_bytes(32);
let mut test_signable = TestSignable {
content: random_bytes(32),
signature: vec![],
};
test_signable
.sign(&cipher_suite_provider, &secret, &correct_context)
.await
.unwrap();
let res = test_signable
.verify(&cipher_suite_provider, &public, &incorrect_context)
.await;
assert_matches!(res, Err(MlsError::InvalidSignature));
}
}
[ Dauer der Verarbeitung: 0.36 Sekunden
(vorverarbeitet)
]
|
2026-04-04
|
|
|
|
|
