fixture removal + generate signing key #819

Open
wants to merge 8 commits into
base: notary/config-refactor

yuroitaki
Member

  • generate signing key if not provided
  • migrate fixture to test crate
  • removes redundant code from tee module
  • derive pub key from provided signing key

@yuroitaki yuroitaki requested review from heeckhau and sinui0 April 30, 2025 11:55
@yuroitaki yuroitaki changed the title Fixture removal fixture removal + generate signing key Apr 30, 2025
Member

@sinui0 sinui0 left a comment

lgtm modulo a couple things

Comment on lines 106 to 174
impl SigningKey {
fn verifying_key(&self) -> VerifyingKey {
match self {
SigningKey::Secp256k1(key) => VerifyingKey::K256(*key.verifying_key()),
SigningKey::Secp256r1(key) => VerifyingKey::P256(*key.verifying_key()),
}
}
}

/// Corresponding public key of the attestation key.
pub struct PublicKey {
#[allow(dead_code)]
alg_id: KeyAlgId,
key: VerifyingKey,
}

impl PublicKey {
fn new(alg_id: KeyAlgId, key: VerifyingKey) -> Self {
Self { alg_id, key }
}

/// Converts the public key into PEM encoding in compressed form.
pub fn to_pem(&self) -> Result<String, pkcs8::Error> {
Ok(self.key.to_public_key_pem(LineEnding::LF)?)
}

#[cfg(feature = "tee_quote")]
/// Coverts the public key into bytes in compressed form.
pub fn to_compressed_bytes(&self) -> Vec<u8> {
self.key.to_compressed_bytes()
}
}

enum VerifyingKey {
K256(k256::ecdsa::VerifyingKey),
P256(p256::ecdsa::VerifyingKey),
}

impl VerifyingKey {
fn to_compressed_bytes(&self) -> Vec<u8> {
let encoded_point = match self {
VerifyingKey::K256(key) => key.to_encoded_point(true),
VerifyingKey::P256(key) => key.to_encoded_point(true),
};
encoded_point.as_bytes().to_vec()
}
}
// The default `EncodePublicKey` impl for both `k256::ecdsa::VerifyingKey` and
// `p256::ecdsa::VerifyingKey` are serializing the public key in uncompressed
// format. This overrides that to obtain the compressed format.
//
// Reference: https://github.com/RustCrypto/traits/blob/f44963a897af10d125efe3af89b20930ebe4a999/elliptic-curve/src/public_key.rs#L476-L493
impl EncodePublicKey for VerifyingKey {
fn to_public_key_der(&self) -> Result<der::Document, pkcs8::spki::Error> {
let algorithm = match self {
VerifyingKey::K256(key) => key.algorithm_identifier()?,
VerifyingKey::P256(key) => key.algorithm_identifier()?,
};

let public_key_bytes = self.to_compressed_bytes();
let subject_public_key = der::asn1::BitStringRef::new(0, &public_key_bytes)?;

pkcs8::SubjectPublicKeyInfo {
algorithm,
subject_public_key,
}
.try_into()
}
}
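
Review bot: in `to_public_key_der`, `subject_public_key` is built from `self.to_compressed_bytes()`, so `to_pem` emits an SPKI carrying a compressed EC point; RFC 5480 requires parsers to support only the uncompressed form and makes the compressed form optional, so a consumer of this PEM may reject the key. Suggest stating on `to_pem` that verifiers must accept compressed points, and adding a round-trip test that parses the PEM back for both `K256` and `P256`. Smaller points: the doc comment on `to_compressed_bytes` has a typo (`Coverts`) and sits below its `#[cfg(feature = "tee_quote")]` attribute rather than above it, and `alg_id` is kept behind `#[allow(dead_code)]`, which suggests either exposing it through an accessor or dropping the field.
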
Member

This feels like functionality that should be in tlsn-core.

Perhaps the Signer trait should also have a required method for providing the verifying key in PEM format.

Member Author

Agreed, didn't realise technically all of PublicKey (and VerifyingKey) functionalities are already present in Signer except for to_pem; so if that's added, then we don't need PublicKey anymore since in notary server crate I can just do

  • signer.verifying_key()
  • signer.to_pem()

right?

@heeckhau
Member

heeckhau commented May 2, 2025

@yuroitaki The TEE config needs an update too. Or should we drop it?

crates/notary/server/tee/config/config.yaml

Error: Unexpected(Failed to load config: missing field `host`

Location:
    crates/notary/server/src/main.rs:14:24)

Member

@sinui0 sinui0 left a comment

lgtm
