Fix StrongholdStorage::get_public_key

iotaledger · Apr 29, 2024 · b347a1e · b347a1e
1 parent 096bb30
commit b347a1e
Show file tree

Hide file tree

Showing 8 changed files with 87 additions and 179 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -24,7 +24,7 @@ thiserror = { version = "1.0", default-features = false }
 strum = { version = "0.25", default-features = false, features = ["std", "derive"] }
 serde_json = { version = "1.0", default-features = false }
 json-proof-token = { version = "0.3.5" }
-zkryptium = { version = "0.2.1", default-features = false, features = ["bbsplus"] }
+zkryptium = { version = "0.2.2", default-features = false, features = ["bbsplus"] }
 
 [workspace.package]
 authors = ["IOTA Stiftung"]

diff --git a/identity_storage/src/key_storage/bls.rs b/identity_storage/src/key_storage/bls.rs
@@ -25,8 +25,7 @@ fn random_bbs_keypair<S>() -> Result<(BBSplusSecretKey, BBSplusPublicKey), zkryp
 where
   S: BbsCiphersuite,
 {
-  let key_pair = KeyPair::<BBSplus<S>>::random()?;
-  Ok((key_pair.private_key().clone(), key_pair.public_key().clone()))
+  KeyPair::<BBSplus<S>>::random().map(KeyPair::into_parts)
 }
 
 /// Generates a new BBS+ keypair using either `BLS12381-SHA256` or `BLS12381-SHAKE256`.

diff --git a/identity_stronghold/src/lib.rs b/identity_stronghold/src/lib.rs
@@ -4,7 +4,7 @@
 pub(crate) mod ed25519;
 mod stronghold_jwk_storage;
 #[cfg(any(feature = "bbs-plus", test))]
-mod stronghold_jwk_storage_ext;
+mod stronghold_jwk_storage_bbs_plus_ext;
 mod stronghold_key_id;
 pub(crate) mod stronghold_key_type;
 #[cfg(test)]

diff --git a/identity_stronghold/src/stronghold_jwk_storage.rs b/identity_stronghold/src/stronghold_jwk_storage.rs
@@ -4,6 +4,7 @@
 //! Wrapper around [`StrongholdSecretManager`](StrongholdSecretManager).
 
 use async_trait::async_trait;
+use identity_storage::key_storage::bls::encode_bls_jwk;
 use identity_storage::key_storage::JwkStorage;
 use identity_storage::JwkGenOutput;
 use identity_storage::KeyId;
@@ -19,14 +20,19 @@ use identity_verification::jwu;
 use iota_sdk::client::secret::stronghold::StrongholdSecretManager;
 use iota_sdk::client::secret::SecretManager;
 use iota_stronghold::procedures::Ed25519Sign;
+use iota_stronghold::procedures::FatalProcedureError;
 use iota_stronghold::procedures::GenerateKey;
 use iota_stronghold::procedures::KeyType as ProceduresKeyType;
+use iota_stronghold::procedures::Runner;
 use iota_stronghold::procedures::StrongholdProcedure;
 use iota_stronghold::Location;
 use iota_stronghold::Stronghold;
+use jsonprooftoken::jpa::algs::ProofAlgorithm;
 use std::str::FromStr;
 use std::sync::Arc;
 use tokio::sync::MutexGuard;
+use zeroize::Zeroizing;
+use zkryptium::bbsplus::keys::BBSplusSecretKey;
 
 use crate::ed25519;
 use crate::stronghold_key_type::StrongholdKeyType;
@@ -56,7 +62,68 @@ impl StrongholdStorage {
     }
   }
 
+  async fn get_ed25519_public_key(&self, key_id: &KeyId) -> KeyStorageResult<Jwk> {
+    let stronghold = self.get_stronghold().await;
+    let client = get_client(&stronghold)?;
+
+    let location = Location::generic(
+      IDENTITY_VAULT_PATH.as_bytes().to_vec(),
+      key_id.to_string().as_bytes().to_vec(),
+    );
+
+    let public_key_procedure = iota_stronghold::procedures::PublicKey {
+      ty: ProceduresKeyType::Ed25519,
+      private_key: location,
+    };
+
+    let procedure_result = client
+      .execute_procedure(StrongholdProcedure::PublicKey(public_key_procedure))
+      .map_err(|err| KeyStorageError::new(KeyStorageErrorKind::KeyNotFound).with_source(err))?;
+
+    let public_key: Vec<u8> = procedure_result.into();
+
+    let mut params = JwkParamsOkp::new();
+    params.x = jwu::encode_b64(public_key);
+    params.crv = EdCurve::Ed25519.name().to_owned();
+    let mut jwk: Jwk = Jwk::from_params(params);
+    jwk.set_alg(JwsAlgorithm::EdDSA.name());
+    jwk.set_kid(jwk.thumbprint_sha256_b64());
+
+    Ok(jwk)
+  }
+
+  async fn get_bls12381g2_public_key(&self, key_id: &KeyId) -> KeyStorageResult<Jwk> {
+    let stronghold = self.get_stronghold().await;
+    let client = get_client(&stronghold)?;
+
+    let location = Location::generic(
+      IDENTITY_VAULT_PATH.as_bytes().to_vec(),
+      key_id.to_string().as_bytes().to_vec(),
+    );
+
+    client
+      .get_guards([location], |[sk]| {
+        let sk = BBSplusSecretKey::from_bytes(&sk.borrow()).map_err(|e| FatalProcedureError::from(e.to_string()))?;
+        let pk = sk.public_key();
+        let public_jwk = encode_bls_jwk(&sk, &pk, ProofAlgorithm::BLS12381_SHA256).1;
+
+        drop(Zeroizing::new(sk.to_bytes()));
+        Ok(public_jwk)
+      })
+      .map_err(|e| KeyStorageError::new(KeyStorageErrorKind::KeyNotFound).with_source(e))
+  }
+
+  /// Attepts to retrieve the public key corresponding to the key of id `key_id`,
+  /// returning it as a `key_type` encoded public JWK.
+  pub async fn get_public_key_with_type(&self, key_id: &KeyId, key_type: StrongholdKeyType) -> KeyStorageResult<Jwk> {
+    match key_type {
+      StrongholdKeyType::Ed25519 => self.get_ed25519_public_key(key_id).await,
+      StrongholdKeyType::Bls12381G2 => self.get_bls12381g2_public_key(key_id).await,
+    }
+  }
+
   /// Retrieve the public key corresponding to `key_id`.
+  #[deprecated(since = "1.3.0", note = "use `get_public_key_with_type` instead")]
   pub async fn get_public_key(&self, key_id: &KeyId) -> KeyStorageResult<Jwk> {
     let stronghold = self.get_stronghold().await;
     let client = get_client(&stronghold)?;
@@ -100,8 +167,12 @@ impl JwkStorage for StrongholdStorage {
 
     let keytype: ProceduresKeyType = match key_type {
       StrongholdKeyType::Ed25519 => ProceduresKeyType::Ed25519,
-      StrongholdKeyType::BLS12381G2 => {
-        todo!("return an error that instruct the user to call the BBS+ flavor for this function.")
+      StrongholdKeyType::Bls12381G2 => {
+        return Err(
+          KeyStorageError::new(KeyStorageErrorKind::Unspecified).with_custom_message(format!(
+            "`{key_type}` is supported but `JwkStorageBbsPlusExt::generate_bbs` should be called instead."
+          )),
+        )
       }
     };
 

diff --git a/identity_stronghold/src/stronghold_jwk_storage_ext.rs b/identity_stronghold/src/stronghold_jwk_storage_ext.rs
diff --git a/identity_stronghold/src/stronghold_key_type.rs b/identity_stronghold/src/stronghold_key_type.rs
@@ -20,15 +20,15 @@ const BLS12381G2_KEY_TYPE_STR: &str = "BLS12381G2";
 #[derive(Debug, Copy, Clone)]
 pub enum StrongholdKeyType {
   Ed25519,
-  BLS12381G2,
+  Bls12381G2,
 }
 
 impl StrongholdKeyType {
   /// String representation of the key type.
   const fn name(&self) -> &'static str {
     match self {
       StrongholdKeyType::Ed25519 => ED25519_KEY_TYPE_STR,
-      StrongholdKeyType::BLS12381G2 => BLS12381G2_KEY_TYPE_STR,
+      StrongholdKeyType::Bls12381G2 => BLS12381G2_KEY_TYPE_STR,
     }
   }
 }
@@ -45,7 +45,7 @@ impl TryFrom<&KeyType> for StrongholdKeyType {
   fn try_from(value: &KeyType) -> Result<Self, Self::Error> {
     match value.as_str() {
       ED25519_KEY_TYPE_STR => Ok(StrongholdKeyType::Ed25519),
-      BLS12381G2_KEY_TYPE_STR => Ok(StrongholdKeyType::BLS12381G2),
+      BLS12381G2_KEY_TYPE_STR => Ok(StrongholdKeyType::Bls12381G2),
       _ => Err(KeyStorageError::new(KeyStorageErrorKind::UnsupportedKeyType)),
     }
   }
@@ -91,7 +91,7 @@ impl TryFrom<&Jwk> for StrongholdKeyType {
             .with_custom_message("only Ed curves are supported for signing")
             .with_source(err)
         })? {
-          BlsCurve::BLS12381G2 => Ok(StrongholdKeyType::BLS12381G2),
+          BlsCurve::BLS12381G2 => Ok(StrongholdKeyType::Bls12381G2),
           curve => Err(
             KeyStorageError::new(KeyStorageErrorKind::UnsupportedKeyType)
               .with_custom_message(format!("{curve} not supported")),

diff --git a/identity_stronghold/src/tests/test_bbs_ext.rs b/identity_stronghold/src/tests/test_bbs_ext.rs
@@ -23,7 +23,7 @@ use crate::StrongholdStorage;
 async fn stronghold_bbs_keypair_gen_works() -> anyhow::Result<()> {
   let stronghold_storage = StrongholdStorage::new(create_stronghold_secret_manager());
   let JwkGenOutput { key_id, jwk, .. } = stronghold_storage
-    .generate_bbs(StrongholdKeyType::BLS12381G2.into(), ProofAlgorithm::BLS12381_SHA256)
+    .generate_bbs(StrongholdKeyType::Bls12381G2.into(), ProofAlgorithm::BLS12381_SHA256)
     .await?;
 
   assert!(jwk.is_public());
@@ -48,7 +48,7 @@ async fn stronghold_bbs_keypair_gen_fails_with_wrong_key_type() -> anyhow::Resul
 async fn stronghold_bbs_keypair_gen_fails_with_wrong_alg() -> anyhow::Result<()> {
   let stronghold_storage = StrongholdStorage::new(create_stronghold_secret_manager());
   let error = stronghold_storage
-    .generate_bbs(StrongholdKeyType::BLS12381G2.into(), ProofAlgorithm::MAC_H256)
+    .generate_bbs(StrongholdKeyType::Bls12381G2.into(), ProofAlgorithm::MAC_H256)
     .await
     .unwrap_err();
 
@@ -61,7 +61,7 @@ async fn stronghold_bbs_keypair_gen_fails_with_wrong_alg() -> anyhow::Result<()>
 async fn stronghold_sign_bbs_works() -> anyhow::Result<()> {
   let stronghold_storage = StrongholdStorage::new(create_stronghold_secret_manager());
   let JwkGenOutput { key_id, jwk, .. } = stronghold_storage
-    .generate_bbs(StrongholdKeyType::BLS12381G2.into(), ProofAlgorithm::BLS12381_SHA256)
+    .generate_bbs(StrongholdKeyType::Bls12381G2.into(), ProofAlgorithm::BLS12381_SHA256)
     .await?;
   let pk = expand_bls_jwk(&jwk)?.1;
   let sk = {

diff --git a/identity_stronghold/src/tests/test_jwk_storage.rs b/identity_stronghold/src/tests/test_jwk_storage.rs
@@ -33,7 +33,10 @@ async fn retrieve() {
     .unwrap();
   let key_id = &generate.key_id;
 
-  let pub_key: Jwk = stronghold_storage.get_public_key(key_id).await.unwrap();
+  let pub_key: Jwk = stronghold_storage
+    .get_public_key_with_type(key_id, crate::stronghold_key_type::StrongholdKeyType::Ed25519)
+    .await
+    .unwrap();
   assert_eq!(generate.jwk, pub_key);
 }