complete key_package/builder
yngrtc committed Sep 10, 2023
1 parent 0d918d8 commit 169793e
Showing 9 changed files with 116 additions and 87 deletions.
14 changes: 6 additions & 8 deletions rmls/src/crypto/key_pair.rs
@@ -1,19 +1,17 @@
use crate::crypto::{HPKEPublicKey, SignaturePublicKey};
use bytes::Bytes;

use crate::crypto::provider::SignatureScheme;
use crate::crypto::{HPKEPrivateKey, HPKEPublicKey, SignaturePrivateKey, SignaturePublicKey};

/// SignatureKeyPair is a wrapper of CryptoProvider's signature key pair
#[derive(Default, Debug, Clone, Eq, PartialEq)]
pub struct SignatureKeyPair {
pub(crate) private_key: Bytes,
pub(crate) private_key: SignaturePrivateKey,
pub(crate) public_key: SignaturePublicKey,
pub(crate) signature_scheme: SignatureScheme,
}

impl SignatureKeyPair {
/// Returns private key
pub fn private_key(&self) -> &Bytes {
pub fn private_key(&self) -> &SignaturePrivateKey {
&self.private_key
}

Expand All @@ -31,13 +29,13 @@ impl SignatureKeyPair {
/// HPKEKeyPair is a wrapper of CryptoProvider's HPKE key pair
#[derive(Default, Debug, Clone, Eq, PartialEq)]
pub struct HPKEKeyPair {
pub(crate) private_key: Bytes,
pub(crate) private_key: HPKEPrivateKey,
pub(crate) public_key: HPKEPublicKey,
}

impl HPKEKeyPair {
/// Returns private key
pub fn private_key(&self) -> &Bytes {
pub fn private_key(&self) -> &HPKEPrivateKey {
&self.private_key
}

Expand All @@ -47,4 +45,4 @@ impl HPKEKeyPair {
}
}

pub(crate) type EncryptionKeyPair = HPKEKeyPair;
pub type EncryptionKeyPair = HPKEKeyPair;
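Review bot: `EncryptionKeyPair` becomes part of the public API on the last line of this section without a doc comment, even though the type it names holds an HPKE private key. A one-line doc would help callers, for example `/// HPKE key pair used for encryption; contains the private key, so do not log or persist it unprotected.` (adjust the wording to its actual use in `LeafNode`). Both key-pair structs here derive `Debug`, so formatting one with `{:?}` will print the private key field unless the new private-key type redacts itself.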
51 changes: 13 additions & 38 deletions rmls/src/crypto/mod.rs
Expand Up @@ -13,31 +13,28 @@ pub mod credential;
pub mod key_pair;
pub mod provider;

/// [RFC9420 Sec.5.1.1](https://www.rfc-editor.org/rfc/rfc9420.html#section-5.1.1) HPKE public keys are
/// opaque values in a format defined by the underlying protocol (see Section 4 of
/// [RFC9180](https://www.rfc-editor.org/rfc/rfc9180.html) for more information).
#[derive(Default, Debug, Clone, Eq, PartialEq, Hash)]
pub struct HPKEPublicKey(Bytes);
pub struct SecretKey(Bytes);

impl Deref for HPKEPublicKey {
impl Deref for SecretKey {
type Target = Bytes;

fn deref(&self) -> &Self::Target {
&self.0
}
}

impl Deserializer for HPKEPublicKey {
impl Deserializer for SecretKey {
fn deserialize<B>(buf: &mut B) -> Result<Self>
where
Self: Sized,
B: Buf,
{
Ok(HPKEPublicKey(deserialize_opaque_vec(buf)?))
Ok(SecretKey(deserialize_opaque_vec(buf)?))
}
}

impl Serializer for HPKEPublicKey {
impl Serializer for SecretKey {
fn serialize<B>(&self, buf: &mut B) -> Result<()>
where
Self: Sized,
Expand All @@ -47,38 +44,16 @@ impl Serializer for HPKEPublicKey {
}
}

/// [RFC9420 Sec.5.1.1](https://www.rfc-editor.org/rfc/rfc9420.html#section-5.1.1) HPKE public keys are
/// opaque values in a format defined by the underlying protocol (see Section 4 of
/// [RFC9180](https://www.rfc-editor.org/rfc/rfc9180.html) for more information).
pub type HPKEPublicKey = SecretKey;
pub type HPKEPrivateKey = SecretKey;

/// [RFC9420 Sec.5.1.1](https://www.rfc-editor.org/rfc/rfc9420.html#section-5.1.1) Signature public keys
/// are likewise represented as opaque values in a format defined by the cipher suite's signature scheme.
#[derive(Default, Debug, Clone, Eq, PartialEq, Hash)]
pub struct SignaturePublicKey(Bytes);

impl Deref for SignaturePublicKey {
type Target = Bytes;

fn deref(&self) -> &Self::Target {
&self.0
}
}

impl Deserializer for SignaturePublicKey {
fn deserialize<B>(buf: &mut B) -> Result<Self>
where
Self: Sized,
B: Buf,
{
Ok(SignaturePublicKey(deserialize_opaque_vec(buf)?))
}
}

impl Serializer for SignaturePublicKey {
fn serialize<B>(&self, buf: &mut B) -> Result<()>
where
Self: Sized,
B: BufMut,
{
serialize_opaque_vec(&self.0, buf)
}
}
pub type SignaturePublicKey = SecretKey;
pub type SignaturePrivateKey = SecretKey;

/// [RFC9420 Sec.5.1](https://www.rfc-editor.org/rfc/rfc9420.html#section-5.1) Key Encapsulation
/// Mechanism (KEM) of HPKE parameters
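Review bot: The four aliases `HPKEPublicKey`, `HPKEPrivateKey`, `SignaturePublicKey` and `SignaturePrivateKey` all resolve to the single `SecretKey` struct, so the compiler can no longer reject a public key passed where a private key is expected, or the reverse. `SecretKey` also derives `Debug` and `Hash` and implements `Serializer`, so private key bytes can be printed with `{:?}` and written out through the same path as public keys. Consider two distinct newtypes, e.g. `pub struct PublicKey(Bytes);` and `pub struct PrivateKey(Bytes);`, with a hand-written `Debug` on the private one that prints a placeholder, and a `Serializer` impl on it only if a caller needs one. The RFC 9420 doc comment about HPKE public keys now sits above an alias of a type named `SecretKey`, and `HPKEPrivateKey` and `SignaturePrivateKey` have no doc of their own.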
8 changes: 4 additions & 4 deletions rmls/src/crypto/provider/ring/hpke.rs
Expand Up @@ -33,15 +33,15 @@ impl provider::Hpke for HpkeSuiteWrapper {
provider::Kem::KEM_X25519_HKDF_SHA256 => {
let (private_key, public_key) = hpke::kem::X25519HkdfSha256::derive_keypair(ikm);
Ok(HPKEKeyPair {
private_key: Bytes::from(private_key.to_bytes().to_vec()),
public_key: HPKEPublicKey(Bytes::from(public_key.to_bytes().to_vec())),
private_key: SecretKey(Bytes::from(private_key.to_bytes().to_vec())),
public_key: SecretKey(Bytes::from(public_key.to_bytes().to_vec())),
})
}
provider::Kem::KEM_P256_HKDF_SHA256 => {
let (private_key, public_key) = hpke::kem::DhP256HkdfSha256::derive_keypair(ikm);
Ok(HPKEKeyPair {
private_key: Bytes::from(private_key.to_bytes().to_vec()),
public_key: HPKEPublicKey(Bytes::from(public_key.to_bytes().to_vec())),
private_key: SecretKey(Bytes::from(private_key.to_bytes().to_vec())),
public_key: SecretKey(Bytes::from(public_key.to_bytes().to_vec())),
})
}
_ => Err(Error::UnsupportedKem),
16 changes: 7 additions & 9 deletions rmls/src/crypto/provider/ring/signature.rs
Expand Up @@ -6,7 +6,7 @@ use ring::signature::{
};
use signature::Signer;

use crate::crypto::{key_pair::SignatureKeyPair, provider::SignatureScheme, SignaturePublicKey};
use crate::crypto::{key_pair::SignatureKeyPair, provider::SignatureScheme, SecretKey};
use crate::utilities::error::*;

#[allow(non_camel_case_types)]
Expand All @@ -24,10 +24,8 @@ impl crate::crypto::provider::Signature for SignatureSchemeWrapper {
let key_pair = Ed25519KeyPair::from_seed_unchecked(&seed)
.map_err(|_| Error::InvalidEd25519PrivateKey)?;
Ok(SignatureKeyPair {
private_key: Bytes::from(seed.to_vec()),
public_key: SignaturePublicKey(Bytes::from(
key_pair.public_key().as_ref().to_vec(),
)),
private_key: SecretKey(Bytes::from(seed.to_vec())),
public_key: SecretKey(Bytes::from(key_pair.public_key().as_ref().to_vec())),
signature_scheme: self.0,
})
}
Expand All @@ -39,8 +37,8 @@ impl crate::crypto::provider::Signature for SignatureSchemeWrapper {
signing_key.verifying_key().to_sec1_bytes(),
);
Ok(SignatureKeyPair {
private_key: Bytes::from(private_key.to_vec()),
public_key: SignaturePublicKey(Bytes::from(public_key.to_vec())),
private_key: SecretKey(Bytes::from(private_key.to_vec())),
public_key: SecretKey(Bytes::from(public_key.to_vec())),
signature_scheme: self.0,
})
}
Expand All @@ -52,8 +50,8 @@ impl crate::crypto::provider::Signature for SignatureSchemeWrapper {
signing_key.verifying_key().to_sec1_bytes(),
);
Ok(SignatureKeyPair {
private_key: Bytes::from(private_key.to_vec()),
public_key: SignaturePublicKey(Bytes::from(public_key.to_vec())),
private_key: SecretKey(Bytes::from(private_key.to_vec())),
public_key: SecretKey(Bytes::from(public_key.to_vec())),
signature_scheme: self.0,
})
}
8 changes: 4 additions & 4 deletions rmls/src/crypto/provider/rust/hpke.rs
Expand Up @@ -26,15 +26,15 @@ impl provider::Hpke for HpkeSuiteWrapper {
provider::Kem::KEM_X25519_HKDF_SHA256 => {
let (private_key, public_key) = hpke::kem::X25519HkdfSha256::derive_keypair(ikm);
Ok(HPKEKeyPair {
private_key: Bytes::from(private_key.to_bytes().to_vec()),
public_key: HPKEPublicKey(Bytes::from(public_key.to_bytes().to_vec())),
private_key: SecretKey(Bytes::from(private_key.to_bytes().to_vec())),
public_key: SecretKey(Bytes::from(public_key.to_bytes().to_vec())),
})
}
provider::Kem::KEM_P256_HKDF_SHA256 => {
let (private_key, public_key) = hpke::kem::DhP256HkdfSha256::derive_keypair(ikm);
Ok(HPKEKeyPair {
private_key: Bytes::from(private_key.to_bytes().to_vec()),
public_key: HPKEPublicKey(Bytes::from(public_key.to_bytes().to_vec())),
private_key: SecretKey(Bytes::from(private_key.to_bytes().to_vec())),
public_key: SecretKey(Bytes::from(public_key.to_bytes().to_vec())),
})
}
_ => Err(Error::UnsupportedKem),
14 changes: 7 additions & 7 deletions rmls/src/crypto/provider/rust/signature.rs
Expand Up @@ -2,7 +2,7 @@ use bytes::Bytes;
use rand_core::SeedableRng;
use signature::{Signer, Verifier};

use crate::crypto::{key_pair::SignatureKeyPair, provider::SignatureScheme, SignaturePublicKey};
use crate::crypto::{key_pair::SignatureKeyPair, provider::SignatureScheme, SecretKey};
use crate::utilities::error::*;

#[allow(non_camel_case_types)]
Expand All @@ -20,8 +20,8 @@ impl crate::crypto::provider::Signature for SignatureSchemeWrapper {
let (private_key, public_key) =
signing_key.split_at(ed25519_dalek::SECRET_KEY_LENGTH);
Ok(SignatureKeyPair {
private_key: Bytes::from(private_key.to_vec()),
public_key: SignaturePublicKey(Bytes::from(public_key.to_vec())),
private_key: SecretKey(Bytes::from(private_key.to_vec())),
public_key: SecretKey(Bytes::from(public_key.to_vec())),
signature_scheme: self.0,
})
}
Expand All @@ -33,8 +33,8 @@ impl crate::crypto::provider::Signature for SignatureSchemeWrapper {
signing_key.verifying_key().to_sec1_bytes(),
);
Ok(SignatureKeyPair {
private_key: Bytes::from(private_key.to_vec()),
public_key: SignaturePublicKey(Bytes::from(public_key.to_vec())),
private_key: SecretKey(Bytes::from(private_key.to_vec())),
public_key: SecretKey(Bytes::from(public_key.to_vec())),
signature_scheme: self.0,
})
}
Expand All @@ -46,8 +46,8 @@ impl crate::crypto::provider::Signature for SignatureSchemeWrapper {
signing_key.verifying_key().to_sec1_bytes(),
);
Ok(SignatureKeyPair {
private_key: Bytes::from(private_key.to_vec()),
public_key: SignaturePublicKey(Bytes::from(public_key.to_vec())),
private_key: SecretKey(Bytes::from(private_key.to_vec())),
public_key: SecretKey(Bytes::from(public_key.to_vec())),
signature_scheme: self.0,
})
}
22 changes: 19 additions & 3 deletions rmls/src/key_package/builder.rs
Expand Up @@ -39,7 +39,23 @@ impl KeyPackageBuilder {
self
}

/*TODO(yngrtc): pub fn build(self) -> Result<KeyPackage> {
}*/
/// Finalize and build the key package
pub fn build(
self,
crypto_provider: &impl CryptoProvider,
crypto_config: CryptoConfig,
credential: Credential,
signature_key_pair: &SignatureKeyPair,
) -> Result<(KeyPackage, EncryptionKeyPair, HPKEPrivateKey)> {
KeyPackage::new(
crypto_provider,
crypto_config,
credential,
signature_key_pair,
self.key_package_lifetime.unwrap_or_default(),
self.key_package_extensions.unwrap_or_default(),
self.leaf_node_capabilities.unwrap_or_default(),
self.leaf_node_extensions.unwrap_or_default(),
)
}
}
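Review bot: `build` falls back to `self.key_package_lifetime.unwrap_or_default()`, and if `Lifetime::default()` yields zeroed `not_before`/`not_after` values (its definition is not on this page), a key package built without an explicit lifetime would be already expired or fail lifetime validation at the receiver. Consider returning an error when no lifetime was set, or documenting the default window on the builder. The doc comment should also say what the returned tuple holds, since two of its three elements carry private key material: `/// Returns the signed key package, the leaf node's encryption key pair, and the private half of the init key; the caller must store the last two securely.`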
64 changes: 53 additions & 11 deletions rmls/src/key_package/mod.rs
Expand Up @@ -12,6 +12,7 @@ pub mod builder;
use bytes::{Buf, BufMut, Bytes, BytesMut};
use std::ops::Deref;

use crate::crypto::key_pair::EncryptionKeyPair;
use crate::crypto::{
cipher_suite::*, config::CryptoConfig, credential::Credential, key_pair::SignatureKeyPair,
provider::CryptoProvider, *,
Expand All @@ -23,6 +24,8 @@ use crate::key_schedule::*;
use crate::ratchet_tree::leaf_node::*;
use crate::utilities::{error::*, serde::*};

const KEY_PACKAGE_SIGNATURE_LABEL: &str = "KeyPackageTBS";

/// [RFC9420 Sec.5.2](https://www.rfc-editor.org/rfc/rfc9420.html#section-5.2) KeyPackageRef
#[derive(Default, Debug, Clone, Eq, PartialEq)]
pub struct KeyPackageRef(Bytes);
Expand Down Expand Up @@ -146,13 +149,13 @@ impl KeyPackage {
pub(crate) fn new(
crypto_provider: &impl CryptoProvider,
crypto_config: CryptoConfig,
_credential: Credential,
credential: Credential,
signature_key_pair: &SignatureKeyPair,
key_package_lifetime: Lifetime,
key_package_extensions: Extensions,
leaf_node_capabilities: Capabilities,
leaf_node_extensions: Extensions,
) -> Result<Self> {
) -> Result<(Self, EncryptionKeyPair, HPKEPrivateKey)> {
if crypto_provider
.signature(crypto_config.cipher_suite)?
.signature_scheme()
Expand All @@ -164,25 +167,64 @@ impl KeyPackage {
// Create a new HPKE key pair
let mut ikm = vec![0u8; crypto_provider.hash(crypto_config.cipher_suite)?.size()];
crypto_provider.rand().fill(&mut ikm)?;
let _init_key = crypto_provider
let init_key = crypto_provider
.hpke(crypto_config.cipher_suite)?
.kem_derive_key_pair(&ikm)?;

Ok(Self::default())
let (key_package, encryption_key_pair) = Self::from_keys(
crypto_provider,
crypto_config,
credential,
signature_key_pair,
key_package_lifetime,
key_package_extensions,
leaf_node_capabilities,
leaf_node_extensions,
init_key.public_key,
)?;

Ok((key_package, encryption_key_pair, init_key.private_key))
}

#[allow(clippy::too_many_arguments)]
pub(crate) fn from_keys(
_crypto_provider: &impl CryptoProvider,
_crypto_config: CryptoConfig,
_credential: Credential,
_init_key: HPKEPublicKey,
crypto_provider: &impl CryptoProvider,
crypto_config: CryptoConfig,
credential: Credential,
signature_key_pair: &SignatureKeyPair,
key_package_lifetime: Lifetime,
key_package_extensions: Extensions,
leaf_node_capabilities: Capabilities,
leaf_node_extensions: Extensions,
) -> Result<Self> {
Ok(Self::default())
init_key: HPKEPublicKey,
) -> Result<(Self, EncryptionKeyPair)> {
let (leaf_node, encryption_key_pair) = LeafNode::new(
crypto_provider,
crypto_config,
credential,
signature_key_pair,
LeafNodeSource::KeyPackage(key_package_lifetime),
leaf_node_capabilities,
leaf_node_extensions,
TreeInfoTBS::KeyPackage,
)?;

let payload = KeyPackageTBS {
version: crypto_config.version,
cipher_suite: crypto_config.cipher_suite,
init_key,
leaf_node,
extensions: key_package_extensions,
};

let signature = crypto_provider.sign_with_label(
crypto_config.cipher_suite,
&signature_key_pair.public_key,
KEY_PACKAGE_SIGNATURE_LABEL.as_bytes(),
&payload.serialize_detached()?,
)?;

Ok((Self { payload, signature }, encryption_key_pair))
}

fn verify_signature(&self, crypto_provider: &impl CryptoProvider) -> Result<()> {
Expand All @@ -192,7 +234,7 @@ impl KeyPackage {
crypto_provider.verify_with_label(
self.payload.cipher_suite,
&self.payload.leaf_node.payload.signature_key,
b"KeyPackageTBS",
KEY_PACKAGE_SIGNATURE_LABEL.as_bytes(),
&raw,
&self.signature,
)
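Review bot: In `from_keys` the call to `sign_with_label` is given `&signature_key_pair.public_key` as its key argument, while `verify_signature` checks the result against the leaf node's `signature_key`. A signature has to be produced with the private key, so this looks like it should be `&signature_key_pair.private_key,`. The definition of `sign_with_label` is outside this page, so confirm the expected parameter; note that with both key aliases resolving to `SecretKey` the compiler cannot catch the mix-up. A round-trip test that builds a `KeyPackage` and runs `verify_signature` on it would pin this. Separately, the `ikm` buffer in `new` holds the seed of the init key and is dropped without being cleared.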