core_crypto/e2e_identity/
crypto.rs

1use super::error::*;
2use crate::{MlsError, prelude::MlsCiphersuite};
3use mls_crypto_provider::{MlsCryptoProvider, PkiKeypair, RustCrypto};
4use openmls_basic_credential::SignatureKeyPair as OpenMlsSignatureKeyPair;
5use openmls_traits::{
6    OpenMlsCryptoProvider,
7    crypto::OpenMlsCrypto,
8    types::{Ciphersuite, SignatureScheme},
9};
10use wire_e2e_identity::prelude::JwsAlgorithm;
11use zeroize::Zeroize;
12
13impl super::E2eiEnrollment {
14    pub(super) fn new_sign_key(
15        ciphersuite: MlsCiphersuite,
16        backend: &MlsCryptoProvider,
17    ) -> Result<E2eiSignatureKeypair> {
18        let (sk, _) = backend
19            .crypto()
20            .signature_key_gen(ciphersuite.signature_algorithm())
21            .map_err(MlsError::wrap("performing signature keygen"))?;
22        E2eiSignatureKeypair::try_new(ciphersuite.signature_algorithm(), sk)
23    }
24
25    pub(super) fn get_sign_key_for_mls(&self) -> Result<Vec<u8>> {
26        let sk = match self.ciphersuite.signature_algorithm() {
27            SignatureScheme::ECDSA_SECP256R1_SHA256 | SignatureScheme::ECDSA_SECP384R1_SHA384 => self.sign_sk.to_vec(),
28            SignatureScheme::ECDSA_SECP521R1_SHA512 => RustCrypto::normalize_p521_secret_key(&self.sign_sk).to_vec(),
29            SignatureScheme::ED25519 => RustCrypto::normalize_ed25519_key(self.sign_sk.as_slice())
30                .map_err(MlsError::wrap("normalizing ed25519 key"))?
31                .to_bytes()
32                .to_vec(),
33            SignatureScheme::ED448 => return Err(Error::NotYetSupported),
34        };
35        Ok(sk)
36    }
37}
38
39impl TryFrom<MlsCiphersuite> for JwsAlgorithm {
40    type Error = Error;
41
42    fn try_from(cs: MlsCiphersuite) -> Result<Self> {
43        let cs = openmls_traits::types::Ciphersuite::from(cs);
44        Ok(match cs {
45            Ciphersuite::MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519
46            | Ciphersuite::MLS_128_DHKEMX25519_CHACHA20POLY1305_SHA256_Ed25519 => JwsAlgorithm::Ed25519,
47            Ciphersuite::MLS_128_DHKEMP256_AES128GCM_SHA256_P256 => JwsAlgorithm::P256,
48            Ciphersuite::MLS_256_DHKEMP384_AES256GCM_SHA384_P384 => JwsAlgorithm::P384,
49            Ciphersuite::MLS_256_DHKEMP521_AES256GCM_SHA512_P521 => JwsAlgorithm::P521,
50            Ciphersuite::MLS_256_DHKEMX448_AES256GCM_SHA512_Ed448
51            | Ciphersuite::MLS_256_DHKEMX448_CHACHA20POLY1305_SHA512_Ed448 => return Err(Error::NotYetSupported),
52        })
53    }
54}
55
56#[derive(Debug, serde::Serialize, serde::Deserialize, Zeroize, derive_more::From, derive_more::Deref)]
57#[zeroize(drop)]
58pub struct E2eiSignatureKeypair(Vec<u8>);
59
60impl E2eiSignatureKeypair {
61    pub fn try_new(sc: SignatureScheme, sk: Vec<u8>) -> Result<Self> {
62        let keypair = PkiKeypair::new(sc, sk).map_err(MlsError::wrap("creating new pki keypair"))?;
63        Ok(Self(keypair.signing_key_bytes()))
64    }
65}
66
67impl TryFrom<&OpenMlsSignatureKeyPair> for E2eiSignatureKeypair {
68    type Error = Error;
69
70    fn try_from(kp: &OpenMlsSignatureKeyPair) -> Result<Self> {
71        Self::try_new(kp.signature_scheme(), kp.private().to_vec())
72    }
73}