test signature prehashing

Geal · Geal · commit c7e063f68ba9 · 2025-02-09T12:27:14.000+01:00
diff --git a/biscuit-auth/Cargo.toml b/biscuit-auth/Cargo.toml
@@ -27,7 +27,6 @@ pem = ["ed25519-dalek/pem"]
 
 [dependencies]
 rand_core = "^0.6"
-sha2 = "^0.9"
 prost = "0.10"
 prost-types = "0.10"
 regex = { version = "1.5", default-features = false, features = ["std"] }
@@ -38,7 +37,7 @@ thiserror = "1"
 rand = { version = "0.8" }
 wasm-bindgen = { version = "0.2", optional = true }
 base64 = "0.13.0"
-ed25519-dalek = { version = "2.0.0", features = ["rand_core", "zeroize"] }
+ed25519-dalek = { version = "2.0.0", features = ["rand_core", "zeroize", "digest"] }
 serde = { version = "1.0.132", optional = true, features = ["derive"] }
 getrandom = { version = "0.1.16" }
 time = { version = "0.3.7", features = ["formatting", "parsing"] }
diff --git a/biscuit-auth/src/crypto/mod.rs b/biscuit-auth/src/crypto/mod.rs
@@ -848,4 +848,38 @@ mod tests {
         let deser_pub = PublicKey::from_public_key_der(&der_pub, Algorithm::Ed25519).unwrap();
         assert_eq!(ed25519_pub, deser_pub);
     }
+
+    #[test]
+    fn prehashed_signature() {
+        use ::p256::NistP256;
+        use ecdsa::hazmat::DigestPrimitive;
+        use ed25519_dalek::DigestSigner;
+
+        fn generate_authority_block_signature_payload_v1_prehashed<
+            H: ecdsa::signature::digest::Update,
+        >(
+            payload: &[u8],
+            version: u32,
+            hasher: &mut H,
+        ) {
+            hasher.update(b"\0BLOCK\0\0VERSION\0");
+            hasher.update(&version.to_le_bytes());
+
+            hasher.update(&b"\0PAYLOAD\0"[..]);
+            hasher.update(payload);
+        }
+
+        let mut prehashed: ed25519_dalek::Sha512 = ed25519_dalek::Sha512::default();
+        generate_authority_block_signature_payload_v1_prehashed(b"payload", 1, &mut prehashed);
+        let kp = ed25519::KeyPair::new();
+        //let hash = ed25519_dalek::Digest::finalize(prehashed);
+        let sig = kp.kp.try_sign_digest(prehashed).unwrap();
+        println!("{:?}", sig);
+
+        let mut prehashed2 = <NistP256 as DigestPrimitive>::Digest::default();
+        generate_authority_block_signature_payload_v1_prehashed(b"payload", 1, &mut prehashed2);
+        let kp = p256::KeyPair::new();
+        let sig: ecdsa::Signature<NistP256> = kp.kp.try_sign_digest(prehashed2).unwrap();
+        println!("{:?}", sig);
+    }
 }
diff --git a/biscuit-auth/src/crypto/p256.rs b/biscuit-auth/src/crypto/p256.rs
@@ -12,7 +12,7 @@ use std::hash::Hash;
 /// pair of cryptographic keys used to sign a token's block
 #[derive(Debug, PartialEq)]
 pub struct KeyPair {
-    kp: SigningKey,
+    pub(super) kp: SigningKey,
 }
 
 impl KeyPair {

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ use std::hash::Hash;`
`12`	`12`	`/// pair of cryptographic keys used to sign a token's block`
`13`	`13`	`#[derive(Debug, PartialEq)]`
`14`	`14`	`pub struct KeyPair {`
`15`		`- kp: SigningKey,`
	`15`	`+ pub(super) kp: SigningKey,`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`impl KeyPair {`