feat: support vetkeys

Author: zensh

Cargo.lock

@@ -14,7 +14,7 @@ strip = true
 opt-level = 's'
 
 [workspace.package]
-version = "0.8.5"
+version = "0.8.6"
 edition = "2021"
 repository = "https://github.com/ldclabs/ic-cose"
 keywords = ["config", "cbor", "canister", "icp", "encryption"]
@@ -30,11 +30,12 @@ serde = "1"
 serde_bytes = "0.11"
 serde_with = "3.12"
 k256 = { version = "0.13", features = ["ecdsa", "schnorr"] }
+ed25519-consensus = "2.1"
 ed25519-dalek = "2"
 x25519-dalek = { version = "2", features = ["static_secrets"] }
 hmac = "0.12"
 hkdf = "0.12"
-const-hex = "1"
+hex = "0.4"
 sha2 = "0.10"
 sha3 = "0.10"
 num-traits = "0.2"
@@ -45,16 +46,17 @@ icrc-ledger-types = "0.1"
 ic-certification = "3.0"
 ic-canister-sig-creation = "1.3"
 ic-agent = "0.40"
-ic_auth_types = "0.4"
-ic_auth_verifier = { version = "0.4" }
-# ic-vetkeys = "0.1"
+ic_auth_types = "0.5"
+ic_auth_verifier = { version = "0.5" }
+ic-vetkeys = "0.2"
 rand = "0.9"
 coset = "0.3"
 aes-gcm = "0.10"
 thiserror = "2"
 ic-secp256k1 = { version = "0.1" }
 ic-ed25519 = { version = "0.2" }
 ic-dummy-getrandom-for-wasm = "0.1"
+tokio = { version = "1" }
 
 [workspace.metadata.cargo-shear]
 ignored = ["ic-dummy-getrandom-for-wasm"]

Cargo.toml

@@ -18,4 +18,9 @@ rand = { workspace = true }
 ic-agent = { workspace = true }
 x25519-dalek = { workspace = true }
 ic_auth_types = { workspace = true }
-# ic-vetkeys = { workspace = true }
+ic-vetkeys = { workspace = true }
+
+[dev-dependencies]
+hex = { workspace = true }
+ed25519-consensus = { workspace = true }
+tokio = { workspace = true, features = ["full"] }

src/ic_cose/Cargo.toml

@@ -0,0 +1,59 @@
+use candid::Principal;
+use ed25519_consensus::SigningKey;
+use ic_agent::{identity::BasicIdentity, Identity};
+use ic_cose::agent::build_agent;
+use ic_cose::client::{Client, CoseSDK};
+use ic_cose::rand_bytes;
+use ic_cose::vetkeys::{IbeCiphertext, IbeIdentity, IbeSeed};
+use ic_cose_types::types::SettingPath;
+use std::sync::Arc;
+
+const IS_LOCAL: bool = false;
+
+// cargo run --example vetkeys
+#[tokio::main]
+async fn main() {
+    let canister = Principal::from_text("53cyg-yyaaa-aaaap-ahpua-cai").unwrap();
+    let sk =
+        hex::decode("5b3770cbfd16d3ac610cc3cda0bc292a448f2c78d6634de6ee280df0a65e4c04").unwrap();
+    let sk: [u8; 32] = sk.try_into().unwrap();
+    let sk = SigningKey::try_from(sk).unwrap();
+    let id = BasicIdentity::from_signing_key(sk);
+    println!("Principal: {}", id.sender().unwrap());
+    // "pxfqr-x3orr-z5yip-7yzdd-hyxgd-dktgh-3awsk-ohzma-lfjzi-753j7-tae"
+
+    let host = if IS_LOCAL {
+        "http://127.0.0.1:4943"
+    } else {
+        "https://icp-api.io"
+    };
+    let agent = build_agent(host, Arc::new(id)).await.unwrap();
+    let cli = Client::new(Arc::new(agent), canister);
+
+    let key = vec![0u8, 1, 2, 3].into();
+    let path = SettingPath {
+        ns: "_".to_string(),
+        user_owned: true,
+        subject: None,
+        key,
+        version: 1,
+    };
+
+    let (vk, dkp) = cli.vetkey(&path).await.unwrap();
+    println!("VetKey: {:?}", hex::encode(vk.signature_bytes()));
+    // VetKey: "8a4554dec6eeb1ab95574005c477ed5a8dadb0acb5d4c7c911771a16d974bcd61db63bd2a89eeb174fc96b58ca9d5eca"
+    println!("Derived Public Key: {:?}", hex::encode(dkp.serialize()));
+    // Derived Public Key: "81b09cdf3a525448978fd72532e19b9fbc8ec7d025af4b5fa2c1f85ef007fdb8946be1ccc288c623acf1bf1fa43cac5f1098012a4f91663eaa73894487c94b4b335af8a224e9e30ca136bad8bfdc2b7fc16f0424f66e88553713852ea04b27a8"
+
+    let ibe_seed: [u8; 32] = rand_bytes();
+    let ibe_seed = IbeSeed::from_bytes(&ibe_seed).unwrap();
+    let ibe_id = IbeIdentity::from_bytes(&path.key);
+    let msg = b"Hello, LDC Labs!";
+    let ciphertext = IbeCiphertext::encrypt(&dkp, &ibe_id, msg, &ibe_seed);
+    let data = ciphertext.serialize();
+    println!("Ciphertext: {:?}", hex::encode(&data));
+
+    let ciphertext = IbeCiphertext::deserialize(&data).unwrap();
+    let decrypted = ciphertext.decrypt(&vk).unwrap();
+    assert_eq!(&decrypted, msg);
+}

src/ic_cose/examples/vetkeys.rs

@@ -23,6 +23,7 @@ use std::{collections::BTreeSet, sync::Arc};
 use x25519_dalek::{PublicKey, StaticSecret};
 
 use crate::rand_bytes;
+use crate::vetkeys::{DerivedPublicKey, EncryptedVetKey, TransportSecretKey, VetKey};
 
 #[derive(Clone)]
 pub struct Client {
@@ -250,7 +251,7 @@ pub trait CoseSDK: CanisterCaller + Sized {
     async fn vetkd_encrypted_key(
         &self,
         path: &SettingPath,
-        transport_public_key: &ByteArray<48>,
+        transport_public_key: &ByteBuf,
     ) -> Result<ByteBuf, String> {
         self.canister_update(
             self.canister(),
@@ -261,6 +262,19 @@ pub trait CoseSDK: CanisterCaller + Sized {
         .map_err(format_error)?
     }
 
+    async fn vetkey(&self, path: &SettingPath) -> Result<(VetKey, DerivedPublicKey), String> {
+        let pk = self.vetkd_public_key(path).await?;
+        let dpk = DerivedPublicKey::deserialize(&pk).map_err(|err| format!("{err:?}"))?;
+        let seed: [u8; 32] = rand_bytes();
+        let tsk = TransportSecretKey::from_seed(seed.into())?;
+        let ek = self
+            .vetkd_encrypted_key(path, &tsk.public_key().into())
+            .await?;
+        let evk = EncryptedVetKey::deserialize(&ek).map_err(|err| format!("{err:?}"))?;
+        let vk = evk.decrypt_and_verify(&tsk, &dpk, &path.key)?;
+        Ok((vk, dpk))
+    }
+
     async fn namespace_get_fixed_identity(
         &self,
         namespace: &str,

src/ic_cose/src/client.rs

@@ -2,7 +2,7 @@ use rand::RngCore;
 
 pub mod agent;
 pub mod client;
-// pub mod vetkeys;
+pub mod vetkeys;
 
 pub fn rand_bytes<const N: usize>() -> [u8; N] {
     let mut rng = rand::rng();

src/ic_cose/src/lib.rs

@@ -18,7 +18,7 @@ crate-type = ["cdylib"]
 ic_cose_types = { path = "../ic_cose_types", version = "0.8" }
 candid = { workspace = true }
 ciborium = { workspace = true }
-const-hex = { workspace = true }
+hex = { workspace = true }
 ic-cdk = { workspace = true }
 serde = { workspace = true }
 serde_bytes = { workspace = true }

src/ic_cose_canister/Cargo.toml

@@ -378,7 +378,7 @@ impl fmt::Display for SettingPathKey {
             self.0,
             self.1,
             self.2.to_text(),
-            const_hex::encode(&self.3),
+            hex::encode(&self.3),
             self.4
         )
     }

src/ic_cose_canister/src/store.rs

@@ -26,5 +26,5 @@ sha2 = { workspace = true }
 sha3 = { workspace = true }
 coset = { workspace = true }
 aes-gcm = { workspace = true }
-const-hex = { workspace = true }
+hex = { workspace = true }
 thiserror = { workspace = true }

src/ic_cose_types/Cargo.toml

@@ -64,7 +64,7 @@ pub fn get_scope(claims: &ClaimsSet) -> Result<String, String> {
 #[cfg(test)]
 mod test {
     use super::*;
-    use const_hex::decode;
+    use hex::decode;
 
     #[test]
     fn cwt_works() {