From 1abfd74ec7114e5d8e2411f7a4fa10bdce97e277 Mon Sep 17 00:00:00 2001
From: Daniel Holmgren
Date: Tue, 7 Jan 2025 11:59:21 -0600
Subject: [PATCH] Update crypto libraries (#3335)
* update crypto libs & use new format option
* reinstall deps
* changeset
---
 .changeset/lucky-sloths-tie.md | 5 +++++
 packages/aws/package.json | 2 +-
 packages/crypto/package.json | 4 ++--
 packages/crypto/src/p256/operations.ts | 6 +----
 packages/crypto/src/secp256k1/operations.ts | 6 +----
 pnpm-lock.yaml | 25 +++++++++++----------
 6 files changed, 23 insertions(+), 25 deletions(-)
 create mode 100644 .changeset/lucky-sloths-tie.md
diff --git a/.changeset/lucky-sloths-tie.md b/.changeset/lucky-sloths-tie.md
new file mode 100644
index 00000000000..16dd32feb42
--- /dev/null
+++ b/.changeset/lucky-sloths-tie.md
@@ -0,0 +1,5 @@
+---
+"@atproto/crypto": patch
+---
+
+Update noble crypto libraries
diff --git a/packages/aws/package.json b/packages/aws/package.json
index d6d58e0b304..79613b70cb4 100644
--- a/packages/aws/package.json
+++ b/packages/aws/package.json
@@ -26,7 +26,7 @@
 "@aws-sdk/client-kms": "^3.196.0",
 "@aws-sdk/client-s3": "^3.224.0",
 "@aws-sdk/lib-storage": "^3.226.0",
- "@noble/curves": "^1.1.0",
+ "@noble/curves": "^1.7.0",
 "key-encoder": "^2.0.3",
 "multiformats": "^9.9.0",
 "uint8arrays": "3.0.0"
diff --git a/packages/crypto/package.json b/packages/crypto/package.json
index 649739d9d0a..77b6fb33a16 100644
--- a/packages/crypto/package.json
+++ b/packages/crypto/package.json
@@ -20,8 +20,8 @@
 "build": "tsc --build tsconfig.build.json"
 },
 "dependencies": {
- "@noble/curves": "^1.1.0",
- "@noble/hashes": "^1.3.1",
+ "@noble/curves": "^1.7.0",
+ "@noble/hashes": "^1.6.1",
 "uint8arrays": "3.0.0"
 },
 "devDependencies": {
diff --git a/packages/crypto/src/p256/operations.ts b/packages/crypto/src/p256/operations.ts
index 7422c282281..36153c321f6 100644
--- a/packages/crypto/src/p256/operations.ts
+++ b/packages/crypto/src/p256/operations.ts
@@ -28,12 +28,8 @@ export const verifySig = async (
 ): Promise => {
 const allowMalleable = opts?.allowMalleableSig ?? false
 const msgHash = await sha256(data)
- // parse as compact sig to prevent signature malleability
- // library supports sigs in 2 different formats: https://github.com/paulmillr/noble-curves/issues/99
- if (!allowMalleable && !isCompactFormat(sig)) {
- return false
- }
 return p256.verify(sig, msgHash, publicKey, {
+ format: allowMalleable ? undefined : 'compact', // prevent DER-encoded signatures
 lowS: !allowMalleable,
 })
 }
diff --git a/packages/crypto/src/secp256k1/operations.ts b/packages/crypto/src/secp256k1/operations.ts
index 9214f63014a..4e8dc95d1fa 100644
--- a/packages/crypto/src/secp256k1/operations.ts
+++ b/packages/crypto/src/secp256k1/operations.ts
@@ -28,12 +28,8 @@ export const verifySig = async (
 ): Promise => {
 const allowMalleable = opts?.allowMalleableSig ?? false
 const msgHash = await sha256(data)
- // parse as compact sig to prevent signature malleability
- // library supports sigs in 2 different formats: https://github.com/paulmillr/noble-curves/issues/99
- if (!allowMalleable && !isCompactFormat(sig)) {
- return false
- }
 return k256.verify(sig, msgHash, publicKey, {
+ format: allowMalleable ? undefined : 'compact', // prevent DER-encoded signatures
 lowS: !allowMalleable,
 })
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index acf08a4db61..b2eda360d72 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -130,8 +130,8 @@ importers: specifier: ^3.226.0 version: 3.226.0(@aws-sdk/abort-controller@3.374.0)(@aws-sdk/client-s3@3.224.0) '@noble/curves': - specifier: ^1.1.0 - version: 1.1.0 + specifier: ^1.7.0 + version: 1.8.0 key-encoder: specifier: ^2.0.3 version: 2.0.3
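Review bot: Strict-mode rejection of DER-encoded signatures in `verifySig` (packages/crypto/src/p256/operations.ts, and identically in the secp256k1 hunk) now rests entirely on the library honouring `format: 'compact'`, and the diffstat shows no test change that pins this. If the option were ever ignored, for example by a resolved `@noble/curves` older than the `^1.7.0` floor this commit sets (presumably the release that introduced it), a second encoding of a valid signature would verify and the non-malleability guarantee would lapse without any error. A regression test per curve that takes a valid compact signature, presents it DER-encoded, and asserts `verifySig` returns `false` unless `allowMalleableSig` is set would keep that property visible across future dependency bumps. The inline comment could also keep the rationale the removed one carried, e.g. `// compact only: also accepting DER gives one signature two valid encodings (malleability)`. `isCompactFormat` is defined outside these hunks and may now be unused in both files.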
@@ -426,11 +426,11 @@ importers: packages/crypto: dependencies: '@noble/curves': - specifier: ^1.1.0 - version: 1.1.0 + specifier: ^1.7.0 + version: 1.8.0 '@noble/hashes': - specifier: ^1.3.1 - version: 1.3.1 + specifier: ^1.6.1 + version: 1.7.0 uint8arrays: specifier: 3.0.0 version: 3.0.0 @@ -5579,15 +5579,16 @@ packages: read-yaml-file: 1.1.0 dev: true - /@noble/curves@1.1.0: - resolution: {integrity: sha512-091oBExgENk/kGj3AZmtBDMpxQPDtxQABR2B9lb1JbVTs6ytdzZNwvhxQ4MWasRNEzlbEH8jCWFCwhF/Obj5AA==} + /@noble/curves@1.8.0: + resolution: {integrity: sha512-j84kjAbzEnQHaSIhRPUmB3/eVXu2k3dKPl2LOrR8fSOIL+89U+7lV117EWHtq/GHM3ReGHM46iRBdZfpc4HRUQ==} + engines: {node: ^14.21.3 || >=16} dependencies: - '@noble/hashes': 1.3.1 + '@noble/hashes': 1.7.0 dev: false - /@noble/hashes@1.3.1: - resolution: {integrity: sha512-EbqwksQwz9xDRGfDST86whPBgM65E0OH/pCgqW0GBVzO22bNE+NuIbeTb714+IfSjU3aRk47EUvXIb5bTsenKA==} - engines: {node: '>= 16'} + /@noble/hashes@1.7.0: + resolution: {integrity: sha512-HXydb0DgzTpDPwbVeDGCG1gIu7X6+AuU6Zl6av/E/KG8LMsvPntvq+w17CHRpKBmN6Ybdrt1eP3k4cj8DJa78w==} + engines: {node: ^14.21.3 || >=16} dev: false /@noble/secp256k1@1.7.1: