Merge pull request #23 from thomastaylor312/jszwedko/update-ed25519_d…

…alek

Address rustsec dalek advisory

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "nkeys"
-version = "0.3.1"
+version = "0.3.2"
 authors = ["wasmCloud Team"]
 edition = "2021"
 description = "Rust implementation of the NATS nkeys library"
@@ -13,16 +13,25 @@ keywords = ["crypto", "nats", "ed25519", "cryptography"]
 categories = ["cryptography", "authentication"]
 
 [features]
-cli = ["quicli", "structopt", "term-table", "exitfailure", "env_logger", "serde_json"]
+cli = [
+    "quicli",
+    "structopt",
+    "term-table",
+    "exitfailure",
+    "env_logger",
+    "serde_json",
+]
 
 [[bin]]
 name = "nk"
 required-features = ["cli"]
 
 [dependencies]
-signatory = "0.23"
-ed25519 = { version = "1.3", default-features = false }
-ed25519-dalek = { version = "1.0.1", default-features = false, features = ["u64_backend"] }
+signatory = "0.27"
+ed25519 = { version = "2.0.0", default-features = false }
+ed25519-dalek = { version = "2.0.0", default-features = false, features = [
+    "digest",
+] }
 rand = "0.8"
 byteorder = "1.3.4"
 data-encoding = "2.3.0"
@@ -32,7 +41,7 @@ log = "0.4.11"
 quicli = { version = "0.4", optional = true }
 structopt = { version = "0.3.17", optional = true }
 term-table = { version = "1.3.0", optional = true }
-exitfailure = { version = "0.5.1", optional =true }
+exitfailure = { version = "0.5.1", optional = true }
 env_logger = { version = "0.9", optional = true }
 serde_json = { version = "1.0", optional = true }
 

src/bin/nk/main.rs

@@ -96,7 +96,7 @@ fn generate(kt: &KeyPairType, output_type: &Output) {
                 "seed": kp.seed().unwrap(),
             });
 
-            println!("{}", output.to_string());
+            println!("{}", output);
         }
     }
 }

src/lib.rs

@@ -48,7 +48,7 @@
 use std::fmt::{self, Debug};
 
 use crc::{extract_crc, push_crc, valid_checksum};
-use ed25519_dalek::{ExpandedSecretKey, PublicKey, SecretKey, Signature, Verifier};
+use ed25519_dalek::{SecretKey, Signer, SigningKey, Verifier, VerifyingKey};
 use rand::prelude::*;
 
 const ENCODED_SEED_LENGTH: usize = 58;
@@ -81,7 +81,8 @@ type Result<T> = std::result::Result<T, crate::error::Error>;
 pub struct KeyPair {
     kp_type: KeyPairType,
     sk: Option<SecretKey>, //rawkey_kind: RawKeyKind,
-    pk: PublicKey,
+    signing_key: Option<SigningKey>,
+    pk: VerifyingKey,
 }
 
 impl Debug for KeyPair {
@@ -160,11 +161,12 @@ impl KeyPair {
     /// Returns an error if there is an issue using the bytes to generate the key
     /// NOTE: These bytes should be generated from a cryptographically secure random source.
     pub fn new_from_raw(kp_type: KeyPairType, random_bytes: [u8; 32]) -> Result<KeyPair> {
-        let s = create_seed(random_bytes)?;
+        let signing_key = SigningKey::from_bytes(&random_bytes);
         Ok(KeyPair {
             kp_type,
-            pk: pk_from_seed(&s),
-            sk: Some(s),
+            pk: signing_key.verifying_key(),
+            signing_key: Some(signing_key),
+            sk: Some(random_bytes),
         })
     }
 
@@ -243,9 +245,8 @@ impl KeyPair {
 
     /// Attempts to sign the given input with the key pair's seed
     pub fn sign(&self, input: &[u8]) -> Result<Vec<u8>> {
-        if let Some(ref seed) = self.sk {
-            let expanded: ExpandedSecretKey = seed.into();
-            let sig: Signature = expanded.sign(input, &self.pk);
+        if let Some(ref seed) = self.signing_key {
+            let sig = seed.sign(input);
             Ok(sig.to_bytes().to_vec())
         } else {
             Err(err!(SignatureError, "Cannot sign without a seed key"))
@@ -256,7 +257,7 @@ impl KeyPair {
     pub fn verify(&self, input: &[u8], sig: &[u8]) -> Result<()> {
         let mut fixedsig = [0; ed25519::Signature::BYTE_SIZE];
         fixedsig.copy_from_slice(sig);
-        let insig = ed25519::Signature::from_bytes(&fixedsig)?;
+        let insig = ed25519::Signature::from_bytes(&fixedsig);
 
         match self.pk.verify(input, &insig) {
             Ok(()) => Ok(()),
@@ -277,7 +278,7 @@ impl KeyPair {
 
             raw.push(b1);
             raw.push(b2);
-            raw.extend(seed.as_bytes().iter());
+            raw.extend(seed.iter());
             push_crc(&mut raw);
 
             Ok(data_encoding::BASE32_NOPAD.encode(&raw[..]))
@@ -300,11 +301,12 @@ impl KeyPair {
             ))
         } else {
             raw.remove(0);
-            match PublicKey::from_bytes(&raw) {
+            match VerifyingKey::try_from(&raw[..]) {
                 Ok(pk) => Ok(KeyPair {
                     kp_type: KeyPairType::from(prefix),
                     pk,
                     sk: None,
+                    signing_key: None,
                 }),
                 Err(_) => Err(err!(VerifyError, "Could not read public key")),
             }
@@ -332,14 +334,16 @@ impl KeyPair {
             let b2 = (raw[0] & 7) << 5 | ((raw[1] & 248) >> 3);
 
             let kp_type = KeyPairType::from(b2);
-            let mut seed_bytes = [0u8; 32];
-            seed_bytes.copy_from_slice(&raw[2..]);
-            let seed = SecretKey::from_bytes(&seed_bytes[..])?;
+            let mut seed = [0u8; 32];
+            seed.copy_from_slice(&raw[2..]);
+
+            let signing_key = SigningKey::from_bytes(&seed);
 
             Ok(KeyPair {
                 kp_type,
-                pk: pk_from_seed(&seed),
+                pk: signing_key.verifying_key(),
                 sk: Some(seed),
+                signing_key: Some(signing_key),
             })
         }
     }
@@ -350,10 +354,6 @@ impl KeyPair {
     }
 }
 
-fn pk_from_seed(seed: &SecretKey) -> PublicKey {
-    seed.into()
-}
-
 fn decode_raw(raw: &[u8]) -> Result<Vec<u8>> {
     let mut b32_decoded = data_encoding::BASE32_NOPAD.decode(raw)?;
 
@@ -371,10 +371,6 @@ fn generate_seed_rand() -> [u8; 32] {
     rng.gen::<[u8; 32]>()
 }
 
-fn create_seed(rand_bytes: [u8; 32]) -> Result<SecretKey> {
-    SecretKey::from_bytes(&rand_bytes[..]).map_err(|e| e.into())
-}
-
 fn get_prefix_byte(kp_type: &KeyPairType) -> u8 {
     match kp_type {
         KeyPairType::Server => PREFIX_BYTE_SERVER,