verify third party block signatures

Author: Geal

src/main/java/com/clevercloud/biscuit/crypto/PublicKey.java

@@ -2,11 +2,17 @@
 
 import biscuit.format.schema.Schema;
 import biscuit.format.schema.Schema.PublicKey.Algorithm;
+import com.clevercloud.biscuit.datalog.Scope;
+import com.clevercloud.biscuit.error.Error;
 import com.clevercloud.biscuit.token.builder.Utils;
+import com.google.protobuf.ByteString;
+import io.vavr.control.Either;
 import net.i2p.crypto.eddsa.EdDSAPublicKey;
 import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec;
 
 import static com.clevercloud.biscuit.crypto.KeyPair.ed25519;
+import static io.vavr.API.Left;
+import static io.vavr.API.Right;
 
 public class PublicKey {
 
@@ -41,6 +47,22 @@ public PublicKey(Algorithm algorithm, String hex) {
         this.algorithm = algorithm;
     }
 
+    public Schema.PublicKey serialize() {
+        Schema.PublicKey.Builder publicKey = Schema.PublicKey.newBuilder();
+        publicKey.setKey(ByteString.copyFrom(this.toBytes()));
+        publicKey.setAlgorithm(this.algorithm);
+        return publicKey.build();
+    }
+
+    static public PublicKey deserialize(Schema.PublicKey pk) throws Error.FormatError.DeserializationError {
+        if(!pk.hasAlgorithm() || !pk.hasKey() || pk.getAlgorithm() != Algorithm.Ed25519) {
+            throw new Error.FormatError.DeserializationError("Invalid " +
+                    "public key");
+        }
+
+        return new PublicKey(pk.getAlgorithm(), pk.getKey().toByteArray());
+    }
+
     @Override
     public boolean equals(Object o) {
         if (this == o) return true;

src/main/java/com/clevercloud/biscuit/datalog/FactSet.java

@@ -17,6 +17,10 @@ public FactSet(Origin o, HashSet<Fact> factSet) {
         facts.put(o, factSet);
     }
 
+    public HashMap<Origin, HashSet<Fact>> facts() {
+        return this.facts;
+    }
+
     public void add(Origin origin, Fact fact) {
         if(!facts.containsKey(origin)) {
             facts.put(origin, new HashSet<>());

src/main/java/com/clevercloud/biscuit/datalog/SymbolTable.java

@@ -173,13 +173,33 @@ public String print_rule_body(final Rule r) {
             }
             res += String.join(", ", expressions);
         }
+
+        if(!r.scopes().isEmpty()) {
+            res += " trusting ";
+            final List<String> scopes = r.scopes().stream().map((s) -> this.print_scope(s)).collect(Collectors.toList());
+            res += String.join(", ", scopes);
+        }
         return res;
     }
 
     public String print_expression(final Expression e) {
         return e.print(this).get();
     }
 
+    public String print_scope(final Scope scope) {
+        switch(scope.kind) {
+            case Authority:
+                return "authority";
+            case Previous:
+                return "previous";
+            case PublicKey:
+                Option<PublicKey> pk = this.get_pk((int) scope.publicKey);
+                if(pk.isDefined()) {
+                    return pk.toString();
+                }
+        }
+        return "?";
+    }
 
     public String print_predicate(final Predicate p) {
         List<String> ids = p.terms().stream().map((t) -> {

src/main/java/com/clevercloud/biscuit/datalog/World.java

@@ -138,11 +138,13 @@ public String print(SymbolTable symbol_table) {
       StringBuilder s = new StringBuilder();
 
       s.append("World {\n\t\tfacts: [");
-       for (Iterator<Fact> it = this.facts.stream().iterator(); it.hasNext(); ) {
-           Fact f = it.next();
-           s.append("\n\t\t\t");
-           s.append(symbol_table.print_fact(f));
-       }
+      for(Map.Entry<Origin, HashSet<Fact>> entry: this.facts.facts().entrySet()) {
+         s.append("\n\t\t\t"+entry.getKey()+":");
+         for(Fact f: entry.getValue()) {
+            s.append("\n\t\t\t\t");
+            s.append(symbol_table.print_fact(f));
+         }
+      }
 
       s.append("\n\t\t]\n\t\trules: [");
        for (Iterator<Rule> it = this.rules.stream().iterator(); it.hasNext(); ) {

src/main/java/com/clevercloud/biscuit/token/Authorizer.java

@@ -557,7 +557,15 @@ public Long authorize(RunLimits limits) throws Error {
 
     public String print_world() {
         //FIXME
-        final List<String> facts = this.world.facts().stream().map((f) -> this.symbols.print_fact(f)).collect(Collectors.toList());
+        StringBuilder facts = new StringBuilder();
+        for(Map.Entry<Origin, HashSet<com.clevercloud.biscuit.datalog.Fact>> entry: this.world.facts().facts().entrySet()) {
+            facts.append("\n\t\t"+entry.getKey()+":");
+            for(com.clevercloud.biscuit.datalog.Fact f: entry.getValue()) {
+                facts.append("\n\t\t\t");
+                facts.append(this.symbols.print_fact(f));
+            }
+        }
+        //final List<String> facts = this.world.facts().facts().entrySet().stream().map((f) -> this.symbols.print_fact(f)).collect(Collectors.toList());
         final List<String> rules = this.world.rules().stream().map((r) -> this.symbols.print_rule(r)).collect(Collectors.toList());
 
         List<String> checks = new ArrayList<>();
@@ -580,8 +588,9 @@ public String print_world() {
             }
         }
 
-        return "World {\n\tfacts: [\n\t\t" +
-                String.join(",\n\t\t", facts) +
+        return "World {\n\tfacts: [" +
+                facts.toString() +
+                //String.join(",\n\t\t", facts) +
                 "\n\t],\n\trules: [\n\t\t" +
                 String.join(",\n\t\t", rules) +
                 "\n\t],\n\tchecks: [\n\t\t" +

src/main/java/com/clevercloud/biscuit/token/Biscuit.java

@@ -7,17 +7,15 @@
 import com.clevercloud.biscuit.error.Error;
 import com.clevercloud.biscuit.token.format.SerializedBiscuit;
 import com.clevercloud.biscuit.token.format.SignedBlock;
+import io.vavr.Tuple3;
 import io.vavr.control.Either;
 import io.vavr.control.Option;
 
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.SignatureException;
-import java.util.ArrayList;
-import java.util.Base64;
-import java.util.Collections;
-import java.util.List;
+import java.util.*;
 
 /**
  * Biscuit auth token
@@ -122,18 +120,21 @@ static private Biscuit make(final SecureRandom rng, final KeyPair root, final Op
         } else {
             SerializedBiscuit s = container.get();
             List<byte[]> revocation_ids = s.revocation_identifiers();
+            HashMap<Long, List<Long>> publicKeyToBlockId = new HashMap<>();
 
             Option<SerializedBiscuit> c = Option.some(s);
-            return new Biscuit(authority, blocks, symbols, s, revocation_ids, root_key_id);
+            return new Biscuit(authority, blocks, symbols, s, publicKeyToBlockId, revocation_ids, root_key_id);
         }
     }
 
-    Biscuit(Block authority, List<Block> blocks, SymbolTable symbols, SerializedBiscuit serializedBiscuit, List<byte[]> revocation_ids) {
-        super(authority, blocks, symbols, serializedBiscuit, revocation_ids);
+    Biscuit(Block authority, List<Block> blocks, SymbolTable symbols, SerializedBiscuit serializedBiscuit,
+            HashMap<Long, List<Long>> publicKeyToBlockId, List<byte[]> revocation_ids) {
+        super(authority, blocks, symbols, serializedBiscuit, publicKeyToBlockId, revocation_ids);
     }
 
-    Biscuit(Block authority, List<Block> blocks, SymbolTable symbols, SerializedBiscuit serializedBiscuit, List<byte[]> revocation_ids, Option<Integer> root_key_id) {
-        super(authority, blocks, symbols, serializedBiscuit, revocation_ids, root_key_id);
+    Biscuit(Block authority, List<Block> blocks, SymbolTable symbols, SerializedBiscuit serializedBiscuit,
+            HashMap<Long, List<Long>> publicKeyToBlockId, List<byte[]> revocation_ids, Option<Integer> root_key_id) {
+        super(authority, blocks, symbols, serializedBiscuit, publicKeyToBlockId, revocation_ids, root_key_id);
     }
 
     /**
@@ -260,81 +261,20 @@ static public Biscuit from_bytes_with_symbols(byte[] data, KeyDelegate delegate,
         return Biscuit.from_serialized_biscuit(ser, symbols);
     }
 
-    /**
-     * Fills a Biscuit structure from a deserialized token
-     *
-     * @return
-     */
-    @Deprecated
-    static Biscuit from_serialize_biscuit(SerializedBiscuit ser, SymbolTable symbols) throws Error {
-        Either<Error.FormatError, Block> authRes = Block.from_bytes(ser.authority.block);
-        if (authRes.isLeft()) {
-            Error e = authRes.getLeft();
-            throw e;
-        }
-        Block authority = authRes.get();
-
-        ArrayList<Block> blocks = new ArrayList<>();
-        for (SignedBlock bdata : ser.blocks) {
-            Either<Error.FormatError, Block> blockRes = Block.from_bytes(bdata.block);
-            if (blockRes.isLeft()) {
-                Error e = blockRes.getLeft();
-                throw e;
-            }
-            blocks.add(blockRes.get());
-        }
-
-        for (String s : authority.symbols.symbols) {
-            symbols.add(s);
-        }
-
-        for (Block b : blocks) {
-            for (String s : b.symbols.symbols) {
-                symbols.add(s);
-            }
-        }
-
-        List<byte[]> revocation_ids = ser.revocation_identifiers();
-
-        return new Biscuit(authority, blocks, symbols, ser, revocation_ids);
-    }
-
     /**
      * Fills a Biscuit structure from a deserialized token
      *
      * @return
      */
     static Biscuit from_serialized_biscuit(SerializedBiscuit ser, SymbolTable symbols) throws Error {
-        Either<Error.FormatError, Block> authRes = Block.from_bytes(ser.authority.block);
-        if (authRes.isLeft()) {
-            Error e = authRes.getLeft();
-            throw e;
-        }
-        Block authority = authRes.get();
-
-        ArrayList<Block> blocks = new ArrayList<>();
-        for (SignedBlock bdata : ser.blocks) {
-            Either<Error.FormatError, Block> blockRes = Block.from_bytes(bdata.block);
-            if (blockRes.isLeft()) {
-                Error e = blockRes.getLeft();
-                throw e;
-            }
-            blocks.add(blockRes.get());
-        }
-
-        for (String s : authority.symbols.symbols) {
-            symbols.add(s);
-        }
-
-        for (Block b : blocks) {
-            for (String s : b.symbols.symbols) {
-                symbols.add(s);
-            }
-        }
+        Tuple3<Block, ArrayList<Block>, HashMap<Long, List<Long>>> t = ser.extractBlocks(symbols);
+        Block authority = t._1;
+        ArrayList<Block> blocks = t._2;
+        HashMap<Long, List<Long>> publicKeyToBlockId = t._3;
 
         List<byte[]> revocation_ids = ser.revocation_identifiers();
 
-        return new Biscuit(authority, blocks, symbols, ser, revocation_ids);
+        return new Biscuit(authority, blocks, symbols, ser, publicKeyToBlockId, revocation_ids);
     }
 
     /**
@@ -424,7 +364,10 @@ public Biscuit attenuate(final SecureRandom rng, final KeyPair keypair, Block bl
 
         List<byte[]> revocation_ids = container.revocation_identifiers();
 
-        return new Biscuit(copiedBiscuit.authority, blocks, symbols, container, revocation_ids);
+        HashMap<Long, List<Long>> publicKeyToBlockId = new HashMap<>();
+        publicKeyToBlockId.putAll(this.publicKeyToBlockId);
+
+        return new Biscuit(copiedBiscuit.authority, blocks, symbols, container, publicKeyToBlockId, revocation_ids);
     }
 
     /**
@@ -448,6 +391,6 @@ public String print() {
     }
 
     public Biscuit copy() throws Error {
-        return Biscuit.from_serialize_biscuit(this.serializedBiscuit, this.symbols);
+        return Biscuit.from_serialized_biscuit(this.serializedBiscuit, this.symbols);
     }
 }

src/main/java/com/clevercloud/biscuit/token/Block.java

@@ -1,20 +1,18 @@
 package com.clevercloud.biscuit.token;
 
 import biscuit.format.schema.Schema;
+import com.clevercloud.biscuit.crypto.PublicKey;
 import com.clevercloud.biscuit.error.Error;
 import com.clevercloud.biscuit.datalog.*;
-import com.clevercloud.biscuit.error.FailedCheck;
-import com.clevercloud.biscuit.error.LogicError;
 import com.clevercloud.biscuit.token.format.SerializedBiscuit;
 import com.google.protobuf.InvalidProtocolBufferException;
 import io.vavr.control.Either;
+import io.vavr.control.Option;
 
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Set;
 
 import static io.vavr.API.Left;
 import static io.vavr.API.Right;
@@ -29,6 +27,7 @@ public class Block {
     final List<Rule> rules;
     final List<Check> checks;
     final List<Scope> scopes;
+    final List<PublicKey> publicKeys;
     final long version;
 
     /**
@@ -43,6 +42,7 @@ public Block(SymbolTable base_symbols) {
         this.rules = new ArrayList<>();
         this.checks = new ArrayList<>();
         this.scopes = new ArrayList<>();
+        this.publicKeys = new ArrayList<>();
         this.version = SerializedBiscuit.MAX_SCHEMA_VERSION;
     }
 
@@ -54,14 +54,23 @@ public Block(SymbolTable base_symbols) {
      * @param checks
      */
     public Block(SymbolTable base_symbols, String context, List<Fact> facts, List<Rule> rules, List<Check> checks,
-                 List<Scope> scopes, int version) {
+                 List<Scope> scopes, List<PublicKey> publicKeys, int version) {
         this.symbols = base_symbols;
         this.context = context;
         this.facts = facts;
         this.rules = rules;
         this.checks = checks;
         this.scopes = scopes;
         this.version = version;
+        this.publicKeys = publicKeys;
+    }
+
+    public SymbolTable symbols() {
+        return symbols;
+    }
+
+    public List<PublicKey> publicKeys() {
+        return publicKeys;
     }
 
     /**
@@ -130,6 +139,10 @@ public Schema.Block serialize() {
             b.addScope(scope.serialize());
         }
 
+        for(PublicKey pk: this.publicKeys) {
+            b.addPublicKeys(pk.serialize());
+        }
+
         b.setVersion(SerializedBiscuit.MAX_SCHEMA_VERSION);
         return b.build();
     }
@@ -198,14 +211,23 @@ static public Either<Error.FormatError, Block> deserialize(Schema.Block b) {
             }
         }
 
+        ArrayList<PublicKey> publicKeys = new ArrayList<>();
+        for (Schema.PublicKey pk: b.getPublicKeysList()) {
+            try {
+                publicKeys.add(PublicKey.deserialize(pk));
+            } catch(Error.FormatError e) {
+                return Left(e);
+            }
+        }
+
         SchemaVersion schemaVersion = new SchemaVersion(facts, rules, checks, scopes);
         Either<Error.FormatError, Void> res = schemaVersion.checkCompatibility(version);
         if (res.isLeft()) {
             Error.FormatError e = res.getLeft();
             return Left(e);
         }
 
-        return Right(new Block(symbols, b.getContext(), facts, rules, checks, scopes, version));
+        return Right(new Block(symbols, b.getContext(), facts, rules, checks, scopes, publicKeys, version));
     }
 
     /**