From e12c9a83df999049970403cbbd6a6427f79f889e Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Mon, 11 Jul 2022 14:30:39 +0100 Subject: util.paseto: Drop custom wrappers around key objects The PASETO spec recommends - no, *requires* - that implementations enforce type safety for keys, and e.g. do not pass them around as arbitrary byte strings. Typed wrapper objects are recommended. I originally followed this advice when starting the lib. However, key wrapping and type safety is now also a feature of util.crypto. All we're doing is duplicating it unnecessarily with this additional wrapper code. --- spec/util_paseto_spec.lua | 2 +- util/paseto.lua | 51 +++++------------------------------------------ 2 files changed, 6 insertions(+), 47 deletions(-) diff --git a/spec/util_paseto_spec.lua b/spec/util_paseto_spec.lua index a57cea18..ec30c6a7 100644 --- a/spec/util_paseto_spec.lua +++ b/spec/util_paseto_spec.lua @@ -73,7 +73,7 @@ describe("util.paseto", function () describe("basic sign/verify", function () local function new_keypair() local kp = paseto.v4_public.new_keypair(); - return kp.private_key:export(), kp.public_key:export(); + return kp:private_pem(), kp:public_pem(); end local privkey1, pubkey1 = new_keypair(); diff --git a/util/paseto.lua b/util/paseto.lua index 02a0aa70..a39f9667 100644 --- a/util/paseto.lua +++ b/util/paseto.lua @@ -8,11 +8,6 @@ local s_pack = require "util.struct".pack; local s_gsub = string.gsub; -local pubkey_methods = {}; -local privkey_methods = {}; - -local v4_public_pubkey_mt = { __index = pubkey_methods }; -local v4_public_privkey_mt = { __index = privkey_methods }; local v4_public = {}; local b64url_rep = { ["+"] = "-", ["/"] = "_", ["="] = "", ["-"] = "+", ["_"] = "/" }; @@ -35,25 +30,14 @@ local function pae(parts) return table.concat(o); end -function privkey_methods:export() - return self.key:private_pem(); -end - -function pubkey_methods:export() - return self.key:public_pem(); -end - function v4_public.sign(m, sk, f, i) - if getmetatable(sk) ~= v4_public_privkey_mt then - error("cannot sign v4.public tokens with this key"); - end if type(m) ~= "table" then return nil, "PASETO payloads must be a table"; end m = json.encode(m); local h = "v4.public."; local m2 = pae({ h, m, f or "", i or "" }); - local sig = crypto.ed25519_sign(sk.key, m2); + local sig = crypto.ed25519_sign(sk, m2); if not f or f == "" then return h..b64url(m..sig); else @@ -62,9 +46,6 @@ function v4_public.sign(m, sk, f, i) end function v4_public.verify(tok, pk, expected_f, i) - if getmetatable(pk) ~= v4_public_pubkey_mt then - error("cannot verify v4.public tokens with this key"); - end local h, sm, f = tok:match("^(v4%.public%.)([^%.]+)%.?(.*)$"); if not h then return nil, "invalid-token-format"; @@ -81,7 +62,7 @@ function v4_public.verify(tok, pk, expected_f, i) end local s, m = raw_sm:sub(-64), raw_sm:sub(1, -65); local m2 = pae({ h, m, f or "", i or "" }); - local ok = crypto.ed25519_verify(pk.key, m2, s); + local ok = crypto.ed25519_verify(pk, m2, s); if not ok then return nil, "invalid-token"; end @@ -92,32 +73,10 @@ function v4_public.verify(tok, pk, expected_f, i) return payload; end +v4_public.import_private_key = crypto.import_private_pem; +v4_public.import_public_key = crypto.import_public_pem; function v4_public.new_keypair() - local key = crypto.generate_ed25519_keypair(); - return { - private_key = setmetatable({ - key = key; - }, v4_public_privkey_mt); - public_key = setmetatable({ - key = key; - }, v4_public_pubkey_mt); - }; -end - -function v4_public.import_public_key(pem) - local key = crypto.import_public_pem(pem); - assert(key:get_type() == "ED25519", "Invalid public key type for v4.public"); - return setmetatable({ - key = key; - }, v4_public_pubkey_mt); -end - -function v4_public.import_private_key(pem) - local key = crypto.import_private_pem(pem); - assert(key:get_type() == "ED25519", "Invalid private key type for v4.public"); - return setmetatable({ - key = key; - }, v4_public_privkey_mt); + return crypto.generate_ed25519_keypair(); end function v4_public.init(private_key_pem, public_key_pem, options) -- cgit v1.2.3