Add SigningData struct

awslabs · Jan 6, 2025 · 5349dd3 · 5349dd3
1 parent 369a67b
commit 5349dd3
Show file tree

Hide file tree

Showing 7 changed files with 95 additions and 62 deletions.
diff --git a/mls-rs-core/src/identity.rs b/mls-rs-core/src/identity.rs
@@ -12,8 +12,17 @@ mod x509;
 
 pub use basic::*;
 pub use credential::*;
+use mls_rs_codec::{MlsDecode, MlsEncode, MlsSize};
 pub use provider::*;
 pub use signing_identity::*;
 
 #[cfg(feature = "x509")]
 pub use x509::*;
+
+use crate::crypto::SignatureSecretKey;
+
+#[derive(Clone, Debug, MlsEncode, MlsSize, MlsDecode, PartialEq)]
+pub struct SigningData {
+    pub signing_identity: SigningIdentity,
+    pub signing_key: SignatureSecretKey,
+}
diff --git a/mls-rs/examples/api_1x.rs b/mls-rs/examples/api_1x.rs
@@ -26,7 +26,7 @@ fn main() -> Result<(), MlsError> {
 
     // Bob generates key package. We store secrets in memory, no need for any storage.
     let key_package_generation = bob
-        .key_package_builder(CIPHERSUITE)?
+        .key_package_builder(CIPHERSUITE, None)?
         .valid_for_sec(123)
         .build()?;
 

diff --git a/mls-rs/src/client.rs b/mls-rs/src/client.rs
@@ -31,7 +31,9 @@ use mls_rs_core::crypto::{CryptoProvider, SignatureSecretKey};
 use mls_rs_core::error::{AnyError, IntoAnyError};
 use mls_rs_core::extension::{ExtensionError, ExtensionList, ExtensionType};
 use mls_rs_core::group::{GroupStateStorage, ProposalType};
-use mls_rs_core::identity::{CredentialType, IdentityProvider, MemberValidationContext};
+use mls_rs_core::identity::{
+    CredentialType, IdentityProvider, MemberValidationContext, SigningData,
+};
 use mls_rs_core::key_package::{KeyPackageData, KeyPackageStorage};
 
 use crate::group::external_commit::ExternalCommitBuilder;
@@ -491,8 +493,9 @@ where
     pub fn key_package_builder(
         &self,
         cipher_suite: CipherSuite,
+        signing_data: Option<SigningData>,
     ) -> Result<
-        KeyPackageBuilder<'_, <C::CryptoProvider as CryptoProvider>::CipherSuiteProvider>,
+        KeyPackageBuilder<<C::CryptoProvider as CryptoProvider>::CipherSuiteProvider>,
         MlsError,
     > {
         let cipher_suite_provider = self
@@ -501,7 +504,11 @@ where
             .cipher_suite_provider(cipher_suite)
             .ok_or(MlsError::UnsupportedCipherSuite(cipher_suite))?;
 
-        Ok(KeyPackageBuilder::new(self, cipher_suite_provider))
+        Ok(KeyPackageBuilder::new(
+            self,
+            cipher_suite_provider,
+            signing_data,
+        )?)
     }
 
     /// Create a group with a specific group_id.

diff --git a/mls-rs/src/external_client.rs b/mls-rs/src/external_client.rs
@@ -13,10 +13,7 @@ mod config;
 mod group;
 
 pub(crate) use config::ExternalClientConfig;
-use mls_rs_core::{
-    crypto::{CryptoProvider, SignatureSecretKey},
-    identity::SigningIdentity,
-};
+use mls_rs_core::{crypto::CryptoProvider, identity::SigningData};
 
 use builder::{ExternalBaseConfig, ExternalClientBuilder};
 
@@ -39,7 +36,7 @@ pub use group::{ExternalGroup, ExternalReceivedMessage, ExternalSnapshot};
 /// the resulting group state.
 pub struct ExternalClient<C> {
     config: C,
-    signing_data: Option<(SignatureSecretKey, SigningIdentity)>,
+    signing_data: Option<SigningData>,
 }
 
 impl ExternalClient<()> {
@@ -52,10 +49,7 @@ impl<C> ExternalClient<C>
 where
     C: ExternalClientConfig + Clone,
 {
-    pub(crate) fn new(
-        config: C,
-        signing_data: Option<(SignatureSecretKey, SigningIdentity)>,
-    ) -> Self {
+    pub(crate) fn new(config: C, signing_data: Option<SigningData>) -> Self {
         Self {
             config,
             signing_data,

diff --git a/mls-rs/src/external_client/builder.rs b/mls-rs/src/external_client/builder.rs
@@ -276,7 +276,10 @@ impl<C: IntoConfig> ExternalClientBuilder<C> {
         signing_identity: SigningIdentity,
     ) -> ExternalClientBuilder<IntoConfigOutput<C>> {
         let mut c = self.0.into_config();
-        c.0.signing_data = Some((signer, signing_identity));
+        c.0.signing_data = Some(SigningData {
+            signing_identity,
+            signing_key: signer,
+        });
         ExternalClientBuilder(c)
     }
 }
@@ -520,7 +523,7 @@ impl Default for Settings {
 /// Definitions meant to be private that are inaccessible outside this crate. They need to be marked
 /// `pub` because they appear in public definitions.
 mod private {
-    use mls_rs_core::{crypto::SignatureSecretKey, identity::SigningIdentity};
+    use mls_rs_core::identity::SigningData;
 
     use super::{IntoConfigOutput, Settings};
 
@@ -533,7 +536,7 @@ mod private {
         pub(crate) identity_provider: Ip,
         pub(crate) mls_rules: Mpf,
         pub(crate) crypto_provider: Cp,
-        pub(crate) signing_data: Option<(SignatureSecretKey, SigningIdentity)>,
+        pub(crate) signing_data: Option<SigningData>,
     }
 
     pub trait IntoConfig {
@@ -557,7 +560,7 @@ mod private {
 
 use mls_rs_core::{
     crypto::SignatureSecretKey,
-    identity::{IdentityProvider, SigningIdentity},
+    identity::{IdentityProvider, SigningData, SigningIdentity},
 };
 use private::{Config, ConfigInner, IntoConfig};
 

diff --git a/mls-rs/src/external_client/group.rs b/mls-rs/src/external_client/group.rs
@@ -4,8 +4,10 @@
 
 use mls_rs_codec::{MlsDecode, MlsEncode, MlsSize};
 use mls_rs_core::{
-    crypto::SignatureSecretKey, error::IntoAnyError, extension::ExtensionList, group::Member,
-    identity::IdentityProvider,
+    error::IntoAnyError,
+    extension::ExtensionList,
+    group::Member,
+    identity::{IdentityProvider, SigningData},
 };
 
 use crate::{
@@ -103,14 +105,14 @@ where
     pub(crate) config: C,
     pub(crate) cipher_suite_provider: <C::CryptoProvider as CryptoProvider>::CipherSuiteProvider,
     pub(crate) state: GroupState,
-    pub(crate) signing_data: Option<(SignatureSecretKey, SigningIdentity)>,
+    pub(crate) signing_data: Option<SigningData>,
 }
 
 impl<C: ExternalClientConfig + Clone> ExternalGroup<C> {
     #[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
     pub(crate) async fn join(
         config: C,
-        signing_data: Option<(SignatureSecretKey, SigningIdentity)>,
+        signing_data: Option<SigningData>,
         group_info: MlsMessage,
         tree_data: Option<ExportedTree<'_>>,
     ) -> Result<Self, MlsError> {
@@ -428,8 +430,10 @@ impl<C: ExternalClientConfig + Clone> ExternalGroup<C> {
         proposal: Proposal,
         authenticated_data: Vec<u8>,
     ) -> Result<MlsMessage, MlsError> {
-        let (signer, signing_identity) =
-            self.signing_data.as_ref().ok_or(MlsError::SignerNotFound)?;
+        let SigningData {
+            signing_key,
+            signing_identity,
+        } = self.signing_data.as_ref().ok_or(MlsError::SignerNotFound)?;
 
         let external_senders_ext = self
             .state
@@ -451,7 +455,7 @@ impl<C: ExternalClientConfig + Clone> ExternalGroup<C> {
             &self.state.context,
             sender,
             Content::Proposal(Box::new(proposal.clone())),
-            signer,
+            signing_key,
             WireFormat::PublicMessage,
             authenticated_data,
         )
@@ -664,7 +668,7 @@ where
 pub struct ExternalSnapshot {
     version: u16,
     pub(crate) state: RawGroupState,
-    signing_data: Option<(SignatureSecretKey, SigningIdentity)>,
+    signing_data: Option<SigningData>,
 }
 
 impl ExternalSnapshot {
@@ -851,6 +855,9 @@ mod tests {
     use assert_matches::assert_matches;
     use mls_rs_codec::{MlsDecode, MlsEncode};
 
+    #[cfg(feature = "by_ref_proposal")]
+    use mls_rs_core::identity::SigningData;
+
     #[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
     async fn test_group_with_one_commit(v: ProtocolVersion, cs: CipherSuite) -> TestGroup {
         let mut group = test_group(v, cs).await;
@@ -1170,7 +1177,10 @@ mod tests {
 
         let mut server = make_external_group(&alice).await;
 
-        server.signing_data = Some((server_key, server_identity));
+        server.signing_data = Some(SigningData {
+            signing_key: server_key,
+            signing_identity: server_identity,
+        });
 
         let charlie_key_package =
             test_key_package_message(TEST_PROTOCOL_VERSION, TEST_CIPHER_SUITE, "charlie").await;
@@ -1190,7 +1200,10 @@ mod tests {
 
         let mut server = make_external_group(&alice).await;
 
-        server.signing_data = Some((server_key, server_identity));
+        server.signing_data = Some(SigningData {
+            signing_key: server_key,
+            signing_identity: server_identity,
+        });
 
         let external_proposal = server.propose_remove(1, vec![]).await.unwrap();
 
@@ -1203,7 +1216,10 @@ mod tests {
         let (signing_id, secret_key, alice) = setup_extern_proposal_test(false).await;
         let mut server = make_external_group(&alice).await;
 
-        server.signing_data = Some((secret_key, signing_id));
+        server.signing_data = Some(SigningData {
+            signing_key: secret_key,
+            signing_identity: signing_id,
+        });
 
         let charlie_key_package =
             test_key_package_message(TEST_PROTOCOL_VERSION, TEST_CIPHER_SUITE, "charlie").await;
@@ -1232,7 +1248,10 @@ mod tests {
 
         let mut server = make_external_group(&alice).await;
 
-        server.signing_data = Some((server_key, server_identity));
+        server.signing_data = Some(SigningData {
+            signing_key: server_key,
+            signing_identity: server_identity,
+        });
 
         let res = server.propose_remove(1, vec![]).await;
 

diff --git a/mls-rs/src/key_package/builder.rs b/mls-rs/src/key_package/builder.rs
@@ -8,15 +8,15 @@ use alloc::vec;
 use mls_rs_codec::{MlsDecode, MlsEncode, MlsSize};
 use mls_rs_core::error::IntoAnyError;
 use mls_rs_core::extension::MlsExtension;
+use mls_rs_core::identity::SigningData;
 use mls_rs_core::key_package::KeyPackageData;
 
 use crate::client::MlsError;
 use crate::client_config::ClientConfig;
 use crate::Client;
 use crate::{
-    crypto::{HpkeSecretKey, SignatureSecretKey},
+    crypto::HpkeSecretKey,
     group::framing::MlsMessagePayload,
-    identity::SigningIdentity,
     protocol_version::ProtocolVersion,
     signer::Signable,
     tree_kem::{
@@ -29,31 +29,18 @@ use crate::{
 use super::{KeyPackage, KeyPackageRef};
 
 #[derive(Clone, Debug)]
-pub struct KeyPackageBuilder<'a, CP> {
+pub struct KeyPackageBuilder<CP> {
     protocol_version: ProtocolVersion,
     cipher_suite_provider: CP,
-    signing_identity: Option<SigningIdentity>,
-    signing_key: Option<&'a SignatureSecretKey>,
+    signing_data: SigningData,
     key_package_extensions: ExtensionList,
     leaf_node_extensions: ExtensionList,
     validity_sec: u64,
     // This I feel like can still be fixed for client as it rarely changes?
     capabilities: Capabilities,
 }
 
-impl<'a, CP> KeyPackageBuilder<'a, CP> {
-    pub fn signing_data(
-        self,
-        signing_identity: SigningIdentity,
-        signing_key: &'a SignatureSecretKey,
-    ) -> Self {
-        Self {
-            signing_identity: Some(signing_identity),
-            signing_key: Some(signing_key),
-            ..self
-        }
-    }
-
+impl<CP> KeyPackageBuilder<CP> {
     pub fn with_key_package_extension<T: MlsExtension>(
         mut self,
         extension: T,
@@ -80,13 +67,13 @@ impl<'a, CP> KeyPackageBuilder<'a, CP> {
     }
 }
 
-impl<CP: CipherSuiteProvider> KeyPackageBuilder<'_, CP> {
+impl<CP: CipherSuiteProvider> KeyPackageBuilder<CP> {
     #[cfg_attr(not(mls_build_async), maybe_async::must_be_sync)]
     pub async fn build(self) -> Result<KeyPackageGeneration, MlsError> {
-        let (signing_identity, signing_key) = self
-            .signing_identity
-            .zip(self.signing_key)
-            .ok_or(MlsError::SignerNotFound)?;
+        let SigningData {
+            signing_identity,
+            signing_key,
+        } = self.signing_data;
 
         let (init_secret_key, public_init) = self
             .cipher_suite_provider
@@ -105,7 +92,7 @@ impl<CP: CipherSuiteProvider> KeyPackageBuilder<'_, CP> {
             &self.cipher_suite_provider,
             properties,
             signing_identity,
-            signing_key,
+            &signing_key,
             lifetime,
         )
         .await?;
@@ -122,7 +109,7 @@ impl<CP: CipherSuiteProvider> KeyPackageBuilder<'_, CP> {
         package.grease(&self.cipher_suite_provider)?;
 
         package
-            .sign(&self.cipher_suite_provider, signing_key, &())
+            .sign(&self.cipher_suite_provider, &signing_key, &())
             .await?;
 
         let package_bytes = package.mls_encode_to_vec()?;
@@ -160,18 +147,32 @@ pub struct KeyPackageGeneration {
     pub key_package_data: KeyPackageData,
 }
 
-impl<'a, CP> KeyPackageBuilder<'a, CP> {
-    pub(crate) fn new<C: ClientConfig>(client: &'a Client<C>, cipher_suite_provider: CP) -> Self {
-        Self {
+impl<CP> KeyPackageBuilder<CP> {
+    pub(crate) fn new<C: ClientConfig>(
+        client: &Client<C>,
+        cipher_suite_provider: CP,
+        signing_data: Option<SigningData>,
+    ) -> Result<Self, MlsError> {
+        let signing_data = client
+            .signing_identity
+            .clone()
+            .zip(client.signer.clone())
+            .map(|((signing_identity, _), signing_key)| SigningData {
+                signing_identity,
+                signing_key,
+            })
+            .or_else(|| signing_data)
+            .ok_or(MlsError::SignerNotFound)?;
+
+        Ok(Self {
             protocol_version: client.version,
             cipher_suite_provider,
-            signing_identity: client.signing_identity.clone().map(|(id, _)| id),
-            signing_key: client.signer.as_ref(),
+            signing_data,
             key_package_extensions: Default::default(),
             leaf_node_extensions: Default::default(),
             validity_sec: 86400 * 366,
             capabilities: client.config.capabilities(),
-        }
+        })
     }
 }
 
@@ -213,7 +214,7 @@ mod tests {
                 .build();
 
             let generated = client
-                .key_package_builder(cipher_suite)
+                .key_package_builder(cipher_suite, None)
                 .unwrap()
                 .with_key_package_extension(TestExtension::from(32))
                 .unwrap()
@@ -296,7 +297,7 @@ mod tests {
             .extension_types([42.into()])
             .build();
 
-        let builder = client.key_package_builder(TEST_CIPHER_SUITE).unwrap();
+        let builder = client.key_package_builder(TEST_CIPHER_SUITE, None).unwrap();
         let mut generated_keys = HashSet::new();
 
         for _ in 0..100 {