refactor(server): migrated auth to ml-dsa

2026-04-07 11:43:21 +02:00
parent 1497884ce6
commit 0d424f3afc
25 changed files with 457 additions and 414 deletions
--- a/server/crates/arbiter-client/src/auth.rs
+++ b/server/crates/arbiter-client/src/auth.rs
@@ -1,5 +1,5 @@
 use arbiter_proto::{
-    ClientMetadata, format_challenge,
+    CLIENT_CONTEXT, ClientMetadata, format_challenge,
    proto::{
        client::{
            ClientRequest,
@@ -14,7 +14,7 @@ use arbiter_proto::{
        shared::ClientInfo as ProtoClientInfo,
    },
 };
-use ed25519_dalek::Signer as _;
+use ml_dsa::{MlDsa87, SigningKey, signature::Keypair as _};

 use crate::{
    storage::StorageError,
@@ -54,14 +54,14 @@ fn map_auth_result(code: i32) -> AuthError {
 async fn send_auth_challenge_request(
    transport: &mut ClientTransport,
    metadata: ClientMetadata,
-    key: &ed25519_dalek::SigningKey,
+    key: &SigningKey<MlDsa87>,
 ) -> std::result::Result<(), AuthError> {
    transport
        .send(ClientRequest {
            request_id: next_request_id(),
            payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
                payload: Some(AuthRequestPayload::ChallengeRequest(AuthChallengeRequest {
-                    pubkey: key.verifying_key().to_bytes().to_vec(),
+                    pubkey: key.verifying_key().encode().to_vec(),
                    client_info: Some(ProtoClientInfo {
                        name: metadata.name,
                        description: metadata.description,
@@ -95,11 +95,16 @@ async fn receive_auth_challenge(

 async fn send_auth_challenge_solution(
    transport: &mut ClientTransport,
-    key: &ed25519_dalek::SigningKey,
+    key: &SigningKey<MlDsa87>,
    challenge: AuthChallenge,
 ) -> std::result::Result<(), AuthError> {
    let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
-    let signature = key.sign(&challenge_payload).to_bytes().to_vec();
+    let signature = key
+        .signing_key()
+        .sign_deterministic(&challenge_payload, CLIENT_CONTEXT)
+        .map_err(|_| AuthError::UnexpectedAuthResponse)?
+        .encode()
+        .to_vec();

    transport
        .send(ClientRequest {
@@ -140,7 +145,7 @@ async fn receive_auth_confirmation(
 pub(crate) async fn authenticate(
    transport: &mut ClientTransport,
    metadata: ClientMetadata,
-    key: &ed25519_dalek::SigningKey,
+    key: &SigningKey<MlDsa87>,
 ) -> std::result::Result<(), AuthError> {
    send_auth_challenge_request(transport, metadata, key).await?;
    let challenge = receive_auth_challenge(transport).await?;