Merge pull request #30 from raphaelrobert/align-base-spec

Align token_key_id/truncated_token_key_id with the base spec
raphaelrobert · Apr 8, 2024 · 13a3db6 · 13a3db6
2 parents b88130a + d148e76
commit 13a3db6
Show file tree

Hide file tree

Showing 20 changed files with 249 additions and 167 deletions.
diff --git a/benches/public.rs b/benches/public.rs
@@ -1,4 +1,4 @@
-use privacypass::public_tokens::{public_key_to_token_key_id, server::OriginKeyStore};
+use privacypass::public_tokens::{public_key_to_truncated_token_key_id, server::OriginKeyStore};
 #[path = "../tests/public_memory_stores.rs"]
 mod public_memory_stores;
 
@@ -165,7 +165,7 @@ pub fn criterion_public_benchmark(c: &mut Criterion) {
                         .unwrap();
                     origin_key_store
                         .insert(
-                            public_key_to_token_key_id(&key_pair.pk),
+                            public_key_to_truncated_token_key_id(&key_pair.pk),
                             key_pair.pk.clone(),
                         )
                         .await;

diff --git a/src/auth/authorize.rs b/src/auth/authorize.rs
@@ -13,7 +13,7 @@ use std::io::Write;
 use thiserror::Error;
 use tls_codec::{Deserialize, Error, Serialize, Size};
 
-use crate::{ChallengeDigest, KeyId, Nonce, TokenType};
+use crate::{ChallengeDigest, Nonce, TokenKeyId, TokenType};
 
 use super::{base64_char, key_name, opt_spaces, space};
 
@@ -34,7 +34,7 @@ pub struct Token<Nk: ArrayLength<u8>> {
     token_type: TokenType,
     nonce: Nonce,
     challenge_digest: ChallengeDigest,
-    token_key_id: KeyId,
+    token_key_id: TokenKeyId,
     authenticator: GenericArray<u8, Nk>,
 }
 
@@ -66,7 +66,7 @@ impl<Nk: ArrayLength<u8>> Deserialize for Token<Nk> {
         let token_type = TokenType::tls_deserialize(bytes)?;
         let nonce = Nonce::tls_deserialize(bytes)?;
         let challenge_digest = ChallengeDigest::tls_deserialize(bytes)?;
-        let token_key_id = KeyId::tls_deserialize(bytes)?;
+        let token_key_id = TokenKeyId::tls_deserialize(bytes)?;
         let mut authenticator = vec![0u8; Nk::to_usize()];
         let len = bytes.read(authenticator.as_mut_slice())?;
         if len != Nk::to_usize() {
@@ -88,7 +88,7 @@ impl<Nk: ArrayLength<u8>> Token<Nk> {
         token_type: TokenType,
         nonce: Nonce,
         challenge_digest: ChallengeDigest,
-        token_key_id: KeyId,
+        token_key_id: TokenKeyId,
         authenticator: GenericArray<u8, Nk>,
     ) -> Self {
         Self {
@@ -116,7 +116,7 @@ impl<Nk: ArrayLength<u8>> Token<Nk> {
     }
 
     /// Returns the token key ID.
-    pub const fn token_key_id(&self) -> &KeyId {
+    pub const fn token_key_id(&self) -> &TokenKeyId {
         &self.token_key_id
     }
 

diff --git a/src/batched_tokens_p384/client.rs b/src/batched_tokens_p384/client.rs
@@ -7,12 +7,12 @@ use voprf::{EvaluationElement, Proof, Result, VoprfClient};
 
 use crate::{
     auth::{authenticate::TokenChallenge, authorize::Token},
-    ChallengeDigest, KeyId, TokenInput, TokenType,
+    ChallengeDigest, TokenInput, TokenKeyId, TokenType,
 };
 
 use super::{
-    key_id_to_token_key_id, public_key_to_key_id, BatchedToken, Nonce, PublicKey, TokenRequest,
-    TokenResponse,
+    public_key_to_token_key_id, truncate_token_key_id, BatchedToken, Nonce, PublicKey,
+    TokenRequest, TokenResponse,
 };
 
 /// Client-side state that is kept between the token requests and token responses.
@@ -45,17 +45,20 @@ pub enum IssueTokenError {
 /// The client side of the batched token issuance protocol.
 #[derive(Debug)]
 pub struct Client {
-    key_id: KeyId,
+    token_key_id: TokenKeyId,
     public_key: PublicKey,
 }
 
 impl Client {
     /// Create a new client from a public key.
     #[must_use]
     pub fn new(public_key: PublicKey) -> Self {
-        let key_id = public_key_to_key_id(&public_key);
+        let token_key_id = public_key_to_token_key_id(&public_key);
 
-        Self { key_id, public_key }
+        Self {
+            token_key_id,
+            public_key,
+        }
     }
 
     /// Issue a token request.
@@ -97,14 +100,14 @@ impl Client {
         for nonce in nonces {
             // nonce = random(32)
             // challenge_digest = SHA256(challenge)
-            // token_input = concat(0xF901, nonce, challenge_digest, key_id)
+            // token_input = concat(0xF901, nonce, challenge_digest, token_key_id)
             // blind, blinded_element = client_context.Blind(token_input)
 
             let token_input = TokenInput::new(
                 TokenType::BatchedTokenP384,
                 nonce,
                 challenge_digest,
-                self.key_id,
+                self.token_key_id,
             );
 
             let blinded_element =
@@ -138,7 +141,7 @@ impl Client {
 
         let token_request = TokenRequest {
             token_type: TokenType::BatchedTokenP384,
-            token_key_id: key_id_to_token_key_id(&self.key_id),
+            truncated_token_key_id: truncate_token_key_id(&self.token_key_id),
             blinded_elements: blinded_elements.into(),
         };
 
@@ -202,7 +205,7 @@ impl Client {
                 TokenType::BatchedTokenP384,
                 token_state.token_input.nonce,
                 token_state.challenge_digest,
-                token_state.token_input.key_id,
+                token_state.token_input.token_key_id,
                 *authenticator,
             );
             tokens.push(token);

diff --git a/src/batched_tokens_p384/mod.rs b/src/batched_tokens_p384/mod.rs
@@ -11,7 +11,7 @@ use tls_codec_derive::{TlsDeserialize, TlsSerialize, TlsSize};
 use typenum::U48;
 pub use voprf::*;
 
-use crate::{auth::authorize::Token, KeyId, Nonce, TokenKeyId, TokenType};
+use crate::{auth::authorize::Token, Nonce, TokenKeyId, TokenType, TruncatedTokenKeyId};
 
 use self::server::serialize_public_key;
 
@@ -27,14 +27,14 @@ pub type BatchedToken = Token<U48>;
 /// Public key alias
 pub type PublicKey = <NistP384 as Group>::Elem;
 
-fn public_key_to_key_id(public_key: &PublicKey) -> KeyId {
+fn public_key_to_token_key_id(public_key: &PublicKey) -> TokenKeyId {
     let public_key = serialize_public_key(*public_key);
 
     Sha256::digest(public_key).into()
 }
 
-fn key_id_to_token_key_id(key_id: &KeyId) -> TokenKeyId {
-    *key_id.iter().last().unwrap_or(&0)
+fn truncate_token_key_id(token_key_id: &TokenKeyId) -> TruncatedTokenKeyId {
+    *token_key_id.iter().last().unwrap_or(&0)
 }
 
 /// Serialization error
@@ -62,14 +62,14 @@ pub struct BlindedElement {
 /// ```c
 /// struct {
 ///     uint16_t token_type = 0xF901;
-///     uint8_t token_key_id;
+///     uint8_t truncated_token_key_id;
 ///     BlindedElement blinded_element[Nr];
 /// } TokenRequest;
 /// ```
 #[derive(Debug, TlsDeserialize, TlsSerialize, TlsSize)]
 pub struct TokenRequest {
     token_type: TokenType,
-    token_key_id: TokenKeyId,
+    truncated_token_key_id: TruncatedTokenKeyId,
     blinded_elements: TlsVecU16<BlindedElement>,
 }
 

diff --git a/src/batched_tokens_p384/server.rs b/src/batched_tokens_p384/server.rs
@@ -9,10 +9,10 @@ use voprf::{
     BlindedElement, Error, Group, Result, VoprfServer, VoprfServerBatchEvaluateFinishResult,
 };
 
-use crate::{NonceStore, TokenInput, TokenKeyId, TokenType};
+use crate::{NonceStore, TokenInput, TokenType, TruncatedTokenKeyId};
 
 use super::{
-    key_id_to_token_key_id, public_key_to_key_id, BatchedToken, PublicKey, TokenRequest,
+    public_key_to_token_key_id, truncate_token_key_id, BatchedToken, PublicKey, TokenRequest,
     TokenResponse, NK, NS,
 };
 
@@ -56,10 +56,17 @@ pub enum RedeemTokenError {
 /// that the store requires inner mutability.
 #[async_trait]
 pub trait BatchedKeyStore: Send + Sync {
-    /// Inserts a keypair with a given `token_key_id` into the key store.
-    async fn insert(&self, token_key_id: TokenKeyId, server: VoprfServer<NistP384>);
-    /// Returns a keypair with a given `token_key_id` from the key store.
-    async fn get(&self, token_key_id: &TokenKeyId) -> Option<VoprfServer<NistP384>>;
+    /// Inserts a keypair with a given `truncated_token_key_id` into the key store.
+    async fn insert(
+        &self,
+        truncated_token_key_id: TruncatedTokenKeyId,
+        server: VoprfServer<NistP384>,
+    );
+    /// Returns a keypair with a given `truncated_token_key_id` from the key store.
+    async fn get(
+        &self,
+        truncated_token_key_id: &TruncatedTokenKeyId,
+    ) -> Option<VoprfServer<NistP384>>;
 }
 
 /// Serializes a public key.
@@ -111,8 +118,9 @@ impl Server {
         let server = VoprfServer::<NistP384>::new_from_seed(seed, info)
             .map_err(|_| CreateKeypairError::SeedError)?;
         let public_key = server.get_public_key();
-        let token_key_id = key_id_to_token_key_id(&public_key_to_key_id(&server.get_public_key()));
-        key_store.insert(token_key_id, server).await;
+        let truncated_token_key_id =
+            truncate_token_key_id(&public_key_to_token_key_id(&server.get_public_key()));
+        key_store.insert(truncated_token_key_id, server).await;
         Ok(public_key)
     }
 
@@ -141,7 +149,7 @@ impl Server {
             return Err(IssueTokenResponseError::InvalidTokenType);
         }
         let server = key_store
-            .get(&token_request.token_key_id)
+            .get(&token_request.truncated_token_key_id)
             .await
             .ok_or(IssueTokenResponseError::KeyIdNotFound)?;
 
@@ -196,10 +204,10 @@ impl Server {
             token_type: token.token_type(),
             nonce: token.nonce(),
             challenge_digest: *token.challenge_digest(),
-            key_id: *token.token_key_id(),
+            token_key_id: *token.token_key_id(),
         };
         let server = key_store
-            .get(&key_id_to_token_key_id(token.token_key_id()))
+            .get(&truncate_token_key_id(token.token_key_id()))
             .await
             .ok_or(RedeemTokenError::KeyIdNotFound)?;
         let token_authenticator = server
@@ -224,8 +232,10 @@ impl Server {
         let server = VoprfServer::<NistP384>::new_with_key(private_key)
             .map_err(|_| CreateKeypairError::SeedError)?;
         let public_key = server.get_public_key();
-        let token_key_id = key_id_to_token_key_id(&public_key_to_key_id(&server.get_public_key()));
-        key_store.insert(token_key_id, server).await;
+        let token_key_id = public_key_to_token_key_id(&server.get_public_key());
+        key_store
+            .insert(truncate_token_key_id(&token_key_id), server)
+            .await;
         Ok(public_key)
     }
 }

diff --git a/src/batched_tokens_ristretto255/client.rs b/src/batched_tokens_ristretto255/client.rs
@@ -6,12 +6,12 @@ use voprf::{EvaluationElement, Proof, Result, Ristretto255, VoprfClient};
 
 use crate::{
     auth::{authenticate::TokenChallenge, authorize::Token},
-    ChallengeDigest, KeyId, TokenInput, TokenType,
+    ChallengeDigest, TokenInput, TokenKeyId, TokenType,
 };
 
 use super::{
-    key_id_to_token_key_id, public_key_to_key_id, BatchedToken, Nonce, PublicKey, TokenRequest,
-    TokenResponse,
+    public_key_to_token_key_id, truncate_token_key_id, BatchedToken, Nonce, PublicKey,
+    TokenRequest, TokenResponse,
 };
 
 /// Client-side state that is kept between the token requests and token responses.
@@ -44,17 +44,20 @@ pub enum IssueTokenError {
 /// The client side of the batched token issuance protocol.
 #[derive(Debug)]
 pub struct Client {
-    key_id: KeyId,
+    token_key_id: TokenKeyId,
     public_key: PublicKey,
 }
 
 impl Client {
     /// Create a new client from a public key.
     #[must_use]
     pub fn new(public_key: PublicKey) -> Self {
-        let key_id = public_key_to_key_id(&public_key);
+        let token_key_id = public_key_to_token_key_id(&public_key);
 
-        Self { key_id, public_key }
+        Self {
+            token_key_id,
+            public_key,
+        }
     }
 
     /// Issue a token request.
@@ -96,14 +99,14 @@ impl Client {
         for nonce in nonces {
             // nonce = random(32)
             // challenge_digest = SHA256(challenge)
-            // token_input = concat(0xF91A, nonce, challenge_digest, key_id)
+            // token_input = concat(0xF91A, nonce, challenge_digest, token_key_id)
             // blind, blinded_element = client_context.Blind(token_input)
 
             let token_input = TokenInput::new(
                 TokenType::BatchedTokenRistretto255,
                 nonce,
                 challenge_digest,
-                self.key_id,
+                self.token_key_id,
             );
 
             let blinded_element =
@@ -137,7 +140,7 @@ impl Client {
 
         let token_request = TokenRequest {
             token_type: TokenType::BatchedTokenRistretto255,
-            token_key_id: key_id_to_token_key_id(&self.key_id),
+            truncated_token_key_id: truncate_token_key_id(&self.token_key_id),
             blinded_elements: blinded_elements.into(),
         };
 
@@ -201,7 +204,7 @@ impl Client {
                 TokenType::BatchedTokenRistretto255,
                 token_state.token_input.nonce,
                 token_state.challenge_digest,
-                token_state.token_input.key_id,
+                token_state.token_input.token_key_id,
                 *authenticator,
             );
             tokens.push(token);

diff --git a/src/batched_tokens_ristretto255/mod.rs b/src/batched_tokens_ristretto255/mod.rs
@@ -10,7 +10,7 @@ use tls_codec_derive::{TlsDeserialize, TlsSerialize, TlsSize};
 use typenum::U64;
 pub use voprf::*;
 
-use crate::{auth::authorize::Token, KeyId, Nonce, TokenKeyId, TokenType};
+use crate::{auth::authorize::Token, Nonce, TokenKeyId, TokenType, TruncatedTokenKeyId};
 
 use self::server::serialize_public_key;
 
@@ -26,14 +26,14 @@ pub type BatchedToken = Token<U64>;
 /// Public key alias
 pub type PublicKey = <Ristretto255 as Group>::Elem;
 
-fn public_key_to_key_id(public_key: &PublicKey) -> KeyId {
+fn public_key_to_token_key_id(public_key: &PublicKey) -> TokenKeyId {
     let public_key = serialize_public_key(*public_key);
 
     Sha256::digest(public_key).into()
 }
 
-fn key_id_to_token_key_id(key_id: &KeyId) -> TokenKeyId {
-    *key_id.iter().last().unwrap_or(&0)
+fn truncate_token_key_id(token_key_id: &TokenKeyId) -> TruncatedTokenKeyId {
+    *token_key_id.iter().last().unwrap_or(&0)
 }
 
 /// Serialization error
@@ -61,14 +61,14 @@ pub struct BlindedElement {
 /// ```c
 /// struct {
 ///     uint16_t token_type = 0xF91A;
-///     uint8_t token_key_id;
+///     uint8_t truncated_token_key_id;
 ///     BlindedElement blinded_element[Nr];
 /// } TokenRequest;
 /// ```
 #[derive(Debug, TlsDeserialize, TlsSerialize, TlsSize)]
 pub struct TokenRequest {
     token_type: TokenType,
-    token_key_id: TokenKeyId,
+    truncated_token_key_id: TruncatedTokenKeyId,
     blinded_elements: TlsVecU16<BlindedElement>,
 }