Add ECDSA key support (SECP256R1) again #108
Conversation
just want to get plumbed in and existing tests passing
sync upstream
…cuit#4) This implements 3rd party block generation and appending to existing tokens. It also fixes existing issues with public key interning which made deserialization of tokens with 3rd party blocks incorrect in some cases. Co-authored-by: Geoffroy Couprie <contact@geoffroycouprie.com>
# Conflicts: # src/main/java/org/biscuitsec/biscuit/crypto/KeyPair.java # src/main/java/org/biscuitsec/biscuit/crypto/PublicKey.java # src/main/java/org/biscuitsec/biscuit/token/Biscuit.java # src/main/java/org/biscuitsec/biscuit/token/UnverifiedBiscuit.java # src/main/java/org/biscuitsec/biscuit/token/builder/parser/Parser.java # src/main/java/org/biscuitsec/biscuit/token/format/SerializedBiscuit.java # src/test/java/org/biscuitsec/biscuit/token/BiscuitTest.java
Implement 3rd party block creation (eclipse-biscuit#104)
# Conflicts: # src/main/java/org/biscuitsec/biscuit/token/UnverifiedBiscuit.java
src/main/java/org/biscuitsec/biscuit/crypto/Ed25519KeyPair.java
Outdated
Show resolved
Hide resolved
pom.xml
Outdated
| <dependency> | ||
| <groupId>org.bouncycastle</groupId> | ||
| <artifactId>bcprov-jdk18on</artifactId> | ||
| <version>1.78.1</version> |
There was a problem hiding this comment.
| <version>1.78.1</version> | |
| <version>1.79</version> |
Do we bump the version of Bouncy ?
| import java.security.Security; | ||
| import java.security.Signature; | ||
|
|
||
| class SECP256R1KeyPair extends KeyPair { |
There was a problem hiding this comment.
| class SECP256R1KeyPair extends KeyPair { | |
| final class SECP256R1KeyPair extends KeyPair { |
| return Either.left(new Error.FormatError.Signature.InvalidSignatureSize(signature.length)); | ||
|
|
||
| if (publicKey.algorithm == Schema.PublicKey.Algorithm.Ed25519) { | ||
| if (signature.length != 64) { |
There was a problem hiding this comment.
Could be an improvement to replace it by a constant.
| return Either.left(new Error.FormatError.Signature.InvalidSignatureSize(signature.length)); | ||
| } | ||
| } else if (publicKey.algorithm == Schema.PublicKey.Algorithm.SECP256R1) { | ||
| if (signature.length < 68 || signature.length > 72) { |
There was a problem hiding this comment.
Could be an improvement to replace it by a constant.
| @@ -335,20 +337,25 @@ public UnverifiedBiscuit copy() throws Error { | |||
|
|
|||
| public Biscuit verify(PublicKey publicKey) throws Error, NoSuchAlgorithmException, SignatureException, InvalidKeyException { | |||
| SerializedBiscuit serializedBiscuit = this.serializedBiscuit; | |||
| serializedBiscuit.verify(publicKey); | |||
| var result = serializedBiscuit.verify(publicKey); | |||
There was a problem hiding this comment.
Good catch, I will check the impact to remove vavr in the future. It is not the best fit for our purpose.
|
The failing test from the specification is linked to this PR eclipse-biscuit/biscuit#175 |
Thanks for the review, will address those comments 🚀 Regarding the test you updated; is that |
Yes, it is necessary to update the signature and verification of the signature. We have also a new format of protobuf message. Let me know if you want me to care of it or prefer to implement it yourself. |
Updating the Java implementation to the latest Biscuit spec feels like a separate task from adding support for ECDSA keys, and should be in it's own PR. I have updated |
|
agreed that is a separate task. we will need to carry it out right away because as of now in biscuit-rust, the use of P256 triggers the use of v1 signatures. |
Supersedes #101
Had some difficulties syncing latest on the other PR, because the fork got disconnected from upstream when my organisation did a bulk visibility change across all repositories. Have just done in my personal account, same branch as before but synced with upstream.
Uses BouncyCastle for the provider. Any feedback greatly appreciated. Thanks!
I also have a follow up PR for adding remote signing capabilities, for when the private key is not directly accessible. I'll open that later, once these changes (hopefully) get accepted 🤞 . I understand you have other implementations to coordinate so no rush.