fix(useragent): unsafe, but working implementation of ml-dsa

2026-04-07 15:41:50 +02:00
parent 6b8da567dd
commit a4070e7df7
104 changed files with 11133 additions and 461 deletions
--- a/useragent/lib/features/identity/hazmat_mldsa.dart
+++ b/useragent/lib/features/identity/hazmat_mldsa.dart
@@ -0,0 +1,71 @@
+import 'dart:convert';
+
+import 'package:arbiter/src/rust/api.dart';
+import 'package:cryptography/cryptography.dart';
+import 'package:flutter_secure_storage/flutter_secure_storage.dart';
+import 'package:arbiter/features/identity/pk_manager.dart';
+
+final storage = FlutterSecureStorage(
+  aOptions: AndroidOptions.biometric(
+    enforceBiometrics: true,
+    biometricPromptTitle: 'Authentication Required',
+  ),
+  mOptions: MacOsOptions(
+    accessibility: KeychainAccessibility.unlocked_this_device,
+    label: "Arbiter",
+    description: "Confirm your identity to access vault",
+    synchronizable: false,
+    accessControlFlags: [AccessControlFlag.userPresence],
+    usesDataProtectionKeychain: true,
+  ),
+);
+
+class HazmatMldsa extends KeyHandle {
+  final MldsaKey _key;
+
+  HazmatMldsa({required MldsaKey key}) : _key = key;
+
+  @override
+  Future<List<int>> getPublicKey() async {
+    final publicKey = await _key.getPublicKey();
+    return publicKey;
+  }
+
+  @override
+  Future<List<int>> sign(List<int> data) async {
+    final signature = await _key.sign(message: data);
+    return signature;
+  }
+}
+
+class HazmatMLDSAManager extends KeyManager {
+  static const _storageKey = "ed25519_identity";
+
+  @override
+  Future<KeyHandle> create() async {
+    final storedKey = await get();
+    if (storedKey != null) {
+      return storedKey;
+    }
+
+    final newKeypair = await MldsaKey.generate();
+    final keyBytes = await newKeypair.toBytes();
+
+    await storage.write(key: _storageKey, value: base64Encode(keyBytes));
+
+    return HazmatMldsa(key: newKeypair);
+  }
+
+  @override
+  Future<KeyHandle?> get() async {
+    final storedKeyPair = await storage.read(key: _storageKey);
+    if (storedKeyPair == null) {
+      return null;
+    }
+
+    final keyBytes = base64Decode(storedKeyPair);
+    final key = await MldsaKey.fromBytes(bytes: keyBytes);
+
+    return HazmatMldsa(key: key);
+  }
+}
--- a/useragent/lib/features/identity/pk_manager.dart
+++ b/useragent/lib/features/identity/pk_manager.dart
@@ -1,11 +1,6 @@
-enum KeyAlgorithm {
-  rsa, ecdsa, ed25519
-}
-
-// The API to handle without storing the private key in memory. 
+// The API to handle without storing the private key in memory.
 //The implementation will use platform-specific secure storage and signing capabilities.
 abstract class KeyHandle {
-  KeyAlgorithm get alg;
  Future<List<int>> sign(List<int> data);
  Future<List<int>> getPublicKey();
 }
--- a/useragent/lib/features/identity/simple_ed25519.dart
+++ b/useragent/lib/features/identity/simple_ed25519.dart
@@ -1,93 +0,0 @@
-import 'dart:convert';
-
-import 'package:cryptography/cryptography.dart';
-import 'package:flutter_secure_storage/flutter_secure_storage.dart';
-import 'package:arbiter/features/identity/pk_manager.dart';
-
-final storage = FlutterSecureStorage(
-  aOptions: AndroidOptions.biometric(
-    enforceBiometrics: true,
-    biometricPromptTitle: 'Authentication Required',
-  ),
-  mOptions: MacOsOptions(
-    accessibility: KeychainAccessibility.unlocked_this_device,
-    label: "Arbiter",
-    description: "Confirm your identity to access vault",
-    synchronizable: false,
-    accessControlFlags: [
-      AccessControlFlag.userPresence,
-    ],
-    usesDataProtectionKeychain: true,
-  ),
-);
-
-final processor = Ed25519();
-
-class SimpleEd25519 extends KeyHandle {
-  final SimpleKeyPair _keyPair;
-
-  SimpleEd25519({required SimpleKeyPair keyPair}) : _keyPair = keyPair;
-
-  @override
-  KeyAlgorithm get alg => KeyAlgorithm.ed25519;
-
-  @override
-  Future<List<int>> getPublicKey() async {
-    final publicKey = await _keyPair.extractPublicKey();
-    return publicKey.bytes;
-  }
-
-  @override
-  Future<List<int>> sign(List<int> data) async {
-    final signature = await processor.sign(data, keyPair: _keyPair);
-    return signature.bytes;
-  }
-}
-
-class SimpleEd25519Manager extends KeyManager {
-  static const _storageKey = "ed25519_identity";
-  static const _storagePublicKey = "ed25519_public_key";
-
-  @override
-  Future<KeyHandle> create() async {
-    final storedKey = await get();
-    if (storedKey != null) {
-      return storedKey;
-    }
-
-    final newKey = await processor.newKeyPair();
-    final rawKey = await newKey.extract();
-
-    final keyData = base64Encode(rawKey.bytes);
-    await storage.write(key: _storageKey, value: keyData);
-
-    final publicKeyData = base64Encode(rawKey.publicKey.bytes);
-    await storage.write(key: _storagePublicKey, value: publicKeyData);
-
-    return SimpleEd25519(keyPair: newKey);
-  }
-
-  @override
-  Future<KeyHandle?> get() async {
-    final storedKeyPair = await storage.read(key: _storageKey);
-    if (storedKeyPair == null) {
-      return null;
-    }
-
-    final publicKeyData = await storage.read(key: _storagePublicKey);
-    final publicKeyRaw = base64Decode(publicKeyData!);
-    final publicKey = SimplePublicKey(
-      publicKeyRaw,
-      type: processor.keyPairType,
-    );
-
-    final keyBytes = base64Decode(storedKeyPair);
-    final keypair = SimpleKeyPairData(
-      keyBytes,
-      publicKey: publicKey,
-      type: processor.keyPairType,
-    );
-
-    return SimpleEd25519(keyPair: keypair);
-  }
-}