Implementation of CoSERV signing and verification #8
Conversation
Implement methods for signing and verification of CoSERV. The Signer, Verifier traits and their implementations OpensslSigner and OpensslVerifier are similar to those from corim-rs and internally uses the objects from corim-rs to perform these operations. Supports JWK and PEM encoded keys Signed-off-by: Dhanus M Lal <[email protected]>
corim-rs serializes kty EC as EC2, the field must be changed from EC to EC in a valid JWK before it can be deserialized to corim_rs::CoseKey Signed-off-by: Dhanus M Lal <[email protected]>
thomas-fossati
left a comment
thomas-fossati
left a comment
There was a problem hiding this comment.
Looks very good to me, thanks!
I have inlined a high-level (non-blocking) comment on the verification API signature that I’d like to discuss.
|
|
||
| // check if header contains the same algorithm as the verifier | ||
| // todo: find a better way of doing this | ||
| if let Some(ref alg) = sign1.protected.header.alg { |
There was a problem hiding this comment.
This makes me wonder whether the verification API should simply not require an explicit algorithm from the caller and instead try to use whatever is present in the signed object.
Fix clippy error cargo deny: updated Cargo.lock (bytes and time) Signed-off-by: Dhanus M Lal <[email protected]>
paulhowardarm
left a comment
paulhowardarm
left a comment
There was a problem hiding this comment.
Thank you for the PR. Looks great overall, and offers the expected functionality. I have a few observations and suggestions. There are a couple of small things I think should be changed:
- The
fix_kty()function should be renamed, and the comment should be changed (it is not a "bug work-around") - One of the comments had a copy/paste error.
I also had a question on whether the sign/verify traits could be re-used from corim-rs rather than re-defined here. Maybe you already tried to do this but there was some reason it didn't work? If so, we don't necessarily need to change it.
| }) | ||
| } | ||
|
|
||
| /// Construct [OpensslVerifier] from PEM private key |
There was a problem hiding this comment.
I think the comment should say "from JWK public key" here
| use super::{CoseAlgorithm, CoservError}; | ||
|
|
||
| /// Interface for COSE signer. | ||
| pub trait CoseSigner { |
There was a problem hiding this comment.
For the CoseSigner and CoseVerifier traits, might it be possible to import those from corim-rs rather than re-define them here? The definitions are not identical, but given @thomas-fossati 's other comment on whether the algorithm field is necessary, I wonder if that makes it easier to just re-use the bits from corim-rs? Just to avoid the duplication.
| // this function is a workaround for a bug in corim-rs: | ||
| // key type for elliptic curve keys is serialized as EC2 | ||
| // instead of EC in corim-rs | ||
| fn fix_kty(bytes: &[u8]) -> Result<Vec<u8>, CoservError> { |
There was a problem hiding this comment.
This is not a bug in corim-rs. What's actually happening here is a format conversion from JWK to COSE key. I think this function needs to be called jwk_to_cose() (or something like that). The code itself might be fine as it is (certainly for a PoC), but please check the specs to make sure that no additional conversion steps are needed.
4 participants
Implement methods for signing and verification of CoSERV. The Signer, Verifier traits and their implementations OpensslSigner and OpensslVerifier are similar to those from corim-rs and internally uses the objects from corim-rs to perform these operations. Supports JWK and PEM encoded keys with openssl feature flag.