biscuit-auth · divarvel · Jul 31, 2024 · Jul 3, 2024 · Jul 3, 2024 · Jul 31, 2024
diff --git a/biscuit-servant/ChangeLog.md b/biscuit-servant/ChangeLog.md
@@ -1,5 +1,9 @@
 # Changelog for biscuit-servant
 
+## 0.4.0.0
+
+- use biscuit-haskell 0.4.0.0
+
 ## 0.3.0.1
 
 - use biscuit-haskell 0.3.0.1

diff --git a/biscuit-servant/biscuit-servant.cabal b/biscuit-servant/biscuit-servant.cabal
@@ -1,7 +1,7 @@
 cabal-version: 2.0
 
 name:           biscuit-servant
-version:        0.3.0.1
+version:        0.4.0.0
 category:       Security
 synopsis:       Servant support for the Biscuit security token
 description:    Please see the README on GitHub at <https://github.com/biscuit-auth/biscuit-haskell#readme>
@@ -34,7 +34,7 @@ library
   ghc-options: -Wall
   build-depends:
     base                 >= 4.7 && <5,
-    biscuit-haskell      >= 0.3 && < 0.4,
+    biscuit-haskell      >= 0.4 && < 0.5,
     bytestring           >= 0.10 && <0.12,
     mtl                  >= 2.2 && < 2.4,
     text                 >= 1.2 && <3,

diff --git a/biscuit/ChangeLog.md b/biscuit/ChangeLog.md
@@ -1,5 +1,11 @@
 # Changelog for biscuit-haskell
 
+## 0.4.0.0
+
+- abort authorization on evaluation error as mandated by the spec
+- use utf8 byte count in `{string}.length()` as mandated by the spec
+- fix security issue with third-party blocks public key interning, see [advisory](https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-rgqv-mwc3-c78m)
+
 ## 0.3.0.1
 
 - GHC 9.6 and 9.8 support

diff --git a/biscuit/biscuit-haskell.cabal b/biscuit/biscuit-haskell.cabal
@@ -1,7 +1,7 @@
 cabal-version: 2.0
 
 name:           biscuit-haskell
-version:        0.3.0.1
+version:        0.4.0.0
 category:       Security
 synopsis:       Library support for the Biscuit security token
 description:    Please see the README on GitHub at <https://github.com/biscuit-auth/biscuit-haskell#readme>

diff --git a/biscuit/src/Auth/Biscuit/ProtoBufAdapter.hs b/biscuit/src/Auth/Biscuit/ProtoBufAdapter.hs
@@ -1,5 +1,6 @@
 {-# LANGUAGE DataKinds         #-}
 {-# LANGUAGE LambdaCase        #-}
+{-# LANGUAGE MultiWayIf        #-}
 {-# LANGUAGE NamedFieldPuns    #-}
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE RecordWildCards   #-}
@@ -25,13 +26,12 @@ module Auth.Biscuit.ProtoBufAdapter
   , thirdPartyBlockContentsToPb
   ) where
 
-import           Control.Monad            (when)
+import           Control.Monad            (unless, when)
 import           Control.Monad.State      (StateT, get, lift, modify)
-import           Data.Bitraversable       (bisequence)
 import           Data.ByteString          (ByteString)
 import           Data.Int                 (Int64)
 import qualified Data.List.NonEmpty       as NE
-import           Data.Maybe               (isNothing)
+import           Data.Maybe               (isJust, isNothing)
 import qualified Data.Set                 as Set
 import qualified Data.Text                as T
 import           Data.Time                (UTCTime)
@@ -110,17 +110,17 @@ pbToBlock ePk PB.Block{..} = do
   -- but use the global public keys table:
   --   symbols defined in 3rd party blocks are not visible
   --   to following blocks, but public keys are
-  when (isNothing ePk) $ modify (registerNewSymbols blockSymbols)
-  modify (registerNewPublicKeys $ foldMap pure ePk <> blockPks)
+  when (isNothing ePk) $ do
+    modify (registerNewSymbols blockSymbols)
+    modify (registerNewPublicKeys blockPks)
   currentSymbols <- get
 
   let symbolsForCurrentBlock =
-        -- third party blocks use an isolated symbol table,
-        -- but use the global public keys table.
+        -- third party blocks use an isolated symbol and public keys table,
         --   3rd party blocks don't see previously defined
-        --   symbols, but see previously defined public keys
+        --   symbols or public keys
         if isNothing ePk then currentSymbols
-                         else registerNewSymbols blockSymbols $ forgetSymbols currentSymbols
+                         else registerNewPublicKeys blockPks $ registerNewSymbols blockSymbols newSymbolTable
   let bContext = PB.getField context
       bVersion = PB.getField version
   lift $ do
@@ -129,32 +129,41 @@ pbToBlock ePk PB.Block{..} = do
     bRules <- traverse (pbToRule s) $ PB.getField rules_v2
     bChecks <- traverse (pbToCheck s) $ PB.getField checks_v2
     bScope <- Set.fromList <$> traverse (pbToScope s) (PB.getField scope)
-    let isV3 = isNothing ePk
-            && Set.null bScope
-            && all ruleHasNoScope bRules
-            && all (queryHasNoScope . cQueries) bChecks
-            && all isCheckOne bChecks
-            && all ruleHasNoV4Operators bRules
-            && all (queryHasNoV4Operators . cQueries)  bChecks
-    case (bVersion, isV3) of
-      (Just 4, _) -> pure Block {..}
-      (Just 3, True) -> pure Block {..}
-      (Just 3, False) ->
-        Left "Biscuit v4 fields are present, but the block version is 3."
+    let v5Plus = isJust ePk
+        v4Plus = not $ and
+          [ Set.null bScope
+          , all ruleHasNoScope bRules
+          , all (queryHasNoScope . cQueries) bChecks
+          , all isCheckOne bChecks
+          , all ruleHasNoV4Operators bRules
+          , all (queryHasNoV4Operators . cQueries) bChecks
+          ]
+    case (bVersion, v4Plus, v5Plus) of
+      (Just 5, _, _) -> pure Block {..}
+      (Just 4, _, False) -> pure Block {..}
+      (Just 4, _, True) ->
+        Left "Biscuit v5 features are present, but the block version is 4."
+      (Just 3, False, False) -> pure Block {..}
+      (Just 3, True, False) ->
+        Left "Biscuit v4 features are present, but the block version is 3."
+      (Just 3, _, True) ->
+        Left "Biscuit v5 features are present, but the block version is 3."
       _ ->
         Left $ "Unsupported biscuit version: " <> maybe "0" show bVersion <> ". Only versions 3 and 4 are supported"
 
 -- | Turn a biscuit block into a protobuf block, for serialization,
 -- along with the newly defined symbols
 blockToPb :: Bool -> Symbols -> Block -> (BlockSymbols, PB.Block)
 blockToPb hasExternalPk existingSymbols b@Block{..} =
-  let isV3 = not hasExternalPk
-            && Set.null bScope
-            && all ruleHasNoScope bRules
-            && all (queryHasNoScope . cQueries) bChecks
-            && all isCheckOne bChecks
-            && all ruleHasNoV4Operators bRules
-            && all (queryHasNoV4Operators . cQueries) bChecks
+  let v4Plus = not $ and
+        [Set.null bScope
+        , all ruleHasNoScope bRules
+        , all (queryHasNoScope . cQueries) bChecks
+        , all isCheckOne bChecks
+        , all ruleHasNoV4Operators bRules
+        , all (queryHasNoV4Operators . cQueries) bChecks
+        ]
+      v5Plus = hasExternalPk
       bSymbols = buildSymbolTable existingSymbols b
       s = reverseSymbols $ addFromBlock existingSymbols bSymbols
       symbols   = PB.putField $ getSymbolList bSymbols
@@ -164,8 +173,9 @@ blockToPb hasExternalPk existingSymbols b@Block{..} =
       checks_v2 = PB.putField $ checkToPb s <$> bChecks
       scope     = PB.putField $ scopeToPb s <$> Set.toList bScope
       pksTable   = PB.putField $ publicKeyToPb <$> getPkList bSymbols
-      version   = PB.putField $ if isV3 then Just 3
-                                        else Just 4
+      version   = PB.putField $ if | v5Plus    -> Just 5
+                                   | v4Plus    -> Just 4
+                                   | otherwise -> Just 3
    in (bSymbols, PB.Block {..})
 
 pbToFact :: Symbols -> PB.FactV2 -> Either String Fact
@@ -415,17 +425,15 @@ binaryToPb = PB.OpBinary . PB.putField . \case
   BitwiseXor     -> PB.BitwiseXor
   NotEqual       -> PB.NotEqual
 
-pbToThirdPartyBlockRequest :: PB.ThirdPartyBlockRequest -> Either String (Crypto.PublicKey, [Crypto.PublicKey])
+pbToThirdPartyBlockRequest :: PB.ThirdPartyBlockRequest -> Either String Crypto.PublicKey
 pbToThirdPartyBlockRequest PB.ThirdPartyBlockRequest{previousPk, pkTable} = do
-  bisequence
-    ( pbToPublicKey $ PB.getField previousPk
-    , traverse pbToPublicKey $ PB.getField pkTable
-    )
+  unless (null $ PB.getField pkTable) $ Left "Public key table provided in third-party block request"
+  pbToPublicKey $ PB.getField previousPk
 
-thirdPartyBlockRequestToPb :: (Crypto.PublicKey, [Crypto.PublicKey]) -> PB.ThirdPartyBlockRequest
-thirdPartyBlockRequestToPb (previousPk, pkTable) = PB.ThirdPartyBlockRequest
+thirdPartyBlockRequestToPb :: Crypto.PublicKey -> PB.ThirdPartyBlockRequest
+thirdPartyBlockRequestToPb previousPk = PB.ThirdPartyBlockRequest
   { previousPk = PB.putField $ publicKeyToPb previousPk
-  , pkTable = PB.putField $ publicKeyToPb <$> pkTable
+  , pkTable = PB.putField []
   }
 
 pbToThirdPartyBlockContents :: PB.ThirdPartyBlockContents -> Either String (ByteString, Crypto.Signature, Crypto.PublicKey)

diff --git a/biscuit/src/Auth/Biscuit/Symbols.hs b/biscuit/src/Auth/Biscuit/Symbols.hs
@@ -15,7 +15,6 @@ module Auth.Biscuit.Symbols
   , addFromBlock
   , registerNewSymbols
   , registerNewPublicKeys
-  , forgetSymbols
   , reverseSymbols
   , getSymbolList
   , getPkList
@@ -139,9 +138,6 @@ registerNewPublicKeys newPks s@Symbols{publicKeys} =
   let newPkMap = Map.fromList $ zip [getNextPublicKeyOffset s..] (newPks \\ elems publicKeys)
    in s { publicKeys = publicKeys <> newPkMap }
 
-forgetSymbols :: Symbols -> Symbols
-forgetSymbols s = s { symbols = commonSymbols }
-
 -- | Reverse a symbol table
 reverseSymbols :: Symbols -> ReverseSymbols
 reverseSymbols (Symbols sm pkm) =

diff --git a/biscuit/src/Auth/Biscuit/Token.hs b/biscuit/src/Auth/Biscuit/Token.hs
@@ -306,26 +306,21 @@ addSignedBlock :: SecretKey
                -> Biscuit Open check
                -> IO (Biscuit Open check)
 addSignedBlock eSk block b@Biscuit{..} = do
-  let symbolsForCurrentBlock = forgetSymbols $ registerNewPublicKeys [toPublic eSk] symbols
-      (newSymbols, blockSerialized) = PB.encodeBlock <$> blockToPb True symbolsForCurrentBlock block
+  let (_, blockSerialized) = PB.encodeBlock <$> blockToPb True newSymbolTable block
       lastBlock = NE.last (authority :| blocks)
       (_, _, lastPublicKey, _) = lastBlock
       Open p = proof
   (signedBlock, nextSk) <- signExternalBlock p eSk lastPublicKey blockSerialized
   pure $ b { blocks = blocks <> [toParsedSignedBlock block signedBlock]
-           , symbols = registerNewPublicKeys (getPkList newSymbols) symbols
            , proof = Open nextSk
            }
 
 mkThirdPartyBlock' :: SecretKey
-                   -> [PublicKey]
                    -> PublicKey
                    -> Block
                    -> (ByteString, Signature, PublicKey)
-mkThirdPartyBlock' eSk pkTable lastPublicKey block =
-  let symbolsForCurrentBlock = registerNewPublicKeys [toPublic eSk] $
-        registerNewPublicKeys pkTable newSymbolTable
-      (_, payload) = PB.encodeBlock <$> blockToPb True symbolsForCurrentBlock block
+mkThirdPartyBlock' eSk lastPublicKey block =
+  let (_, payload) = PB.encodeBlock <$> blockToPb True newSymbolTable block
       (eSig, ePk) = sign3rdPartyBlock eSk lastPublicKey payload
    in (payload, eSig, ePk)
 
@@ -336,17 +331,17 @@ mkThirdPartyBlock :: SecretKey
                   -> Block
                   -> Either String ByteString
 mkThirdPartyBlock eSk req block = do
-  (previousPk, pkTable) <- pbToThirdPartyBlockRequest =<< PB.decodeThirdPartyBlockRequest req
-  pure $ PB.encodeThirdPartyBlockContents . thirdPartyBlockContentsToPb $ mkThirdPartyBlock' eSk pkTable previousPk block
+  previousPk<- pbToThirdPartyBlockRequest =<< PB.decodeThirdPartyBlockRequest req
+  pure $ PB.encodeThirdPartyBlockContents . thirdPartyBlockContentsToPb $ mkThirdPartyBlock' eSk previousPk block
 
 -- | Generate a third-party block request. It can be used in
 -- conjunction with 'mkThirdPartyBlock' to generate a
 -- third-party block, which can be then appended to a token with
 -- 'applyThirdPartyBlock'.
 mkThirdPartyBlockReq :: Biscuit proof check -> ByteString
-mkThirdPartyBlockReq Biscuit{authority,blocks,symbols} =
+mkThirdPartyBlockReq Biscuit{authority,blocks} =
   let (_, _ , lastPk, _) = NE.last $ authority :| blocks
-   in PB.encodeThirdPartyBlockRequest $ thirdPartyBlockRequestToPb (lastPk, getPkTable symbols)
+   in PB.encodeThirdPartyBlockRequest $ thirdPartyBlockRequestToPb lastPk
 
 -- | Given a base64-encoded third-party block, append it to a token.
 applyThirdPartyBlock :: Biscuit Open check -> ByteString -> Either String (IO (Biscuit Open check))

diff --git a/biscuit/test/samples/current/README.md b/biscuit/test/samples/current/README.md
@@ -1841,7 +1841,7 @@ allow if true;
 
 revocation ids:
 - `470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03`
-- `93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405`
+- `342167bc54bc642b6718a276875e55b6d39e9b21e4ce13b926a3d398b6c057fc436385bf4c817a16f9ecdf0b0d950e8b8258a20aeb3fd8896c5e9c1f0a53da03`
 
 authorizer world:
 ```
@@ -2041,7 +2041,7 @@ check if true trusting previous, ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755
 1:
 symbols: []
 
-public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"]
+public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"]
 
 external signature by: "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"
 
@@ -2055,7 +2055,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5
 2:
 symbols: []
 
-public keys: []
+public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"]
 
 external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"
 
@@ -2068,7 +2068,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5
 3:
 symbols: []
 
-public keys: []
+public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"]
 
 external signature by: "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"
 
@@ -2081,7 +2081,7 @@ check if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5
 4:
 symbols: []
 
-public keys: ["ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"]
+public keys: ["ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463", "ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"]
 
 ```
 query(4);
@@ -2103,10 +2103,10 @@ allow if true;
 
 revocation ids:
 - `3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04`
-- `45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400`
-- `179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703`
-- `edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d`
-- `6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07`
+- `6528db2c9a561ada9086268549a600a8a52ff434ea8183812623eec0e9b6c5d3c41ab7868808623021d92294d583afdf92f4354bcdaa1bc50453e1b89afd630d`
+- `5d5679fe69bfe74b7919323515e9ecba9d01422b16be9341b57f88e695b2bb0bd7966b781001d2b9e00ee618fdc239c96e17e32cb379f13f12d6bd7b1b47ad04`
+- `c37bf24c063f0310eccab8864e48dbeffcdd7240b4f8d1e01eba4fc703e6c9082b845bb55543b10f008dc7f4e78540411912ac1f36fa2aa90011dca40f323b09`
+- `3f675d6c364e06405d4868c904e40f3d81c32b083d91586db814d4cb4bf536b4ba209d82f11b4cb6da293b60b20d6122fc3e0e08e80c381dee83edd848211900`
 
 authorizer world:
 ```

diff --git a/biscuit/test/samples/current/samples.json b/biscuit/test/samples/current/samples.json
@@ -1798,7 +1798,7 @@
           "authorizer_code": "allow if true;\n",
           "revocation_ids": [
             "470e4bf7aa2a01ab39c98150bd06aa15b4aa5d86509044a8809a8634cd8cf2b42269a51a774b65d10bac9369d013070b00187925196a8e680108473f11cf8f03",
-            "93a7315ab1272da9eeef015f6fecbc9ac96fe4660e6204bf64ea2105ebe309e9c9cadc0a26c5604f13910fae3f2cd0800756afb6b6b208bf77adeb1ab2f42405"
+            "342167bc54bc642b6718a276875e55b6d39e9b21e4ce13b926a3d398b6c057fc436385bf4c817a16f9ecdf0b0d950e8b8258a20aeb3fd8896c5e9c1f0a53da03"
           ]
         }
       }
@@ -1939,26 +1939,34 @@
         {
           "symbols": [],
           "public_keys": [
-            "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463"
+            "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
+            "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"
           ],
           "external_key": "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189",
           "code": "query(1);\nquery(1, 2) <- query(1), query(2) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n"
         },
         {
           "symbols": [],
-          "public_keys": [],
+          "public_keys": [
+            "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
+            "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"
+          ],
           "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
           "code": "query(2);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n"
         },
         {
           "symbols": [],
-          "public_keys": [],
+          "public_keys": [
+            "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
+            "ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189"
+          ],
           "external_key": "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
           "code": "query(3);\ncheck if query(2), query(3) trusting ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\ncheck if query(1) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\n"
         },
         {
           "symbols": [],
           "public_keys": [
+            "ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463",
             "ed25519/f98da8c1cf907856431bfc3dc87531e0eaadba90f919edc232405b85877ef136"
           ],
           "external_key": null,
@@ -2082,10 +2090,10 @@
           "authorizer_code": "check if query(1, 2) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189, ed25519/a060270db7e9c9f06e8f9cc33a64e99f6596af12cb01c4b638df8afc7b642463;\n\ndeny if query(3);\ndeny if query(1, 2);\ndeny if query(0) trusting ed25519/acdd6d5b53bfee478bf689f8e012fe7988bf755e3d7c5152947abc149bc20189;\nallow if true;\n",
           "revocation_ids": [
             "3771cefe71beb21ead35a59c8116ee82627a5717c0295f35980662abccb159fe1b37848cb1818e548656bd4fd882d0094a2daab631c76b2b72e3a093914bfe04",
-            "45133b90f228a81fe4d3042a79f6c6b7608e656e903d6b1f4db32cd774b09b8315af360879a5f210ad7be37ff55e3eb34f237bcc9711407b6329ac6018bfb400",
-            "179f054f3c572646aba5013159ae192ac42f5666dbdd984129955f4652b6829e59f54aa251e451f96329d42a2524ce569c3e1ec52e708b642dd8994af51dd703",
-            "edab54789d6656936fcd28200b9c61643434842d531f09f209fad555e11ff53174db174dafba126e6de448983a56f78d2042bc5782d71a45799c022fe69fb30d",
-            "6a62306831e9dbe83e7b33db96b758c77dd690930f2d2d87e239b210b1944c5582bf6d7e1bfea8e7f928c27f2fff0e2ee2e0adc41e11e0c3abe8d7b96b9ede07"
+            "6528db2c9a561ada9086268549a600a8a52ff434ea8183812623eec0e9b6c5d3c41ab7868808623021d92294d583afdf92f4354bcdaa1bc50453e1b89afd630d",
+            "5d5679fe69bfe74b7919323515e9ecba9d01422b16be9341b57f88e695b2bb0bd7966b781001d2b9e00ee618fdc239c96e17e32cb379f13f12d6bd7b1b47ad04",
+            "c37bf24c063f0310eccab8864e48dbeffcdd7240b4f8d1e01eba4fc703e6c9082b845bb55543b10f008dc7f4e78540411912ac1f36fa2aa90011dca40f323b09",
+            "3f675d6c364e06405d4868c904e40f3d81c32b083d91586db814d4cb4bf536b4ba209d82f11b4cb6da293b60b20d6122fc3e0e08e80c381dee83edd848211900"
           ]
         }
       }

diff --git a/biscuit/test/samples/current/test024_third_party.bc b/biscuit/test/samples/current/test024_third_party.bc
diff --git a/biscuit/test/samples/current/test026_public_keys_interning.bc b/biscuit/test/samples/current/test026_public_keys_interning.bc