refactor(server): moved shared module crypto into arbiter-crypto

server/crates/arbiter-client/Cargo.toml

@@ -13,12 +13,12 @@ evm = ["dep:alloy"]
 
 [dependencies]
 arbiter-proto.path = "../arbiter-proto"
+arbiter-crypto.path = "../arbiter-crypto"
 alloy = { workspace = true, optional = true }
 tonic.workspace = true
 tonic.features = ["tls-aws-lc"]
 tokio.workspace = true
 tokio-stream.workspace = true
-ml-dsa.workspace = true
 thiserror.workspace = true
 http = "1.4.0"
 rustls-webpki = { version = "0.103.10", features = ["aws-lc-rs"] }

server/crates/arbiter-client/src/auth.rs

@@ -1,5 +1,5 @@
 use arbiter_proto::{
-    CLIENT_CONTEXT, ClientMetadata, format_challenge,
+    ClientMetadata,
     proto::{
         client::{
             ClientRequest,
@@ -14,7 +14,7 @@ use arbiter_proto::{
         shared::ClientInfo as ProtoClientInfo,
     },
 };
-use ml_dsa::{MlDsa87, SigningKey, signature::Keypair as _};
+use arbiter_crypto::authn::{CLIENT_CONTEXT, PublicKey, Signature, SigningKey, format_challenge};
 
 use crate::{
     storage::StorageError,
@@ -54,14 +54,14 @@ fn map_auth_result(code: i32) -> AuthError {
 async fn send_auth_challenge_request(
     transport: &mut ClientTransport,
     metadata: ClientMetadata,
-    key: &SigningKey<MlDsa87>,
+    key: &SigningKey,
 ) -> std::result::Result<(), AuthError> {
     transport
         .send(ClientRequest {
             request_id: next_request_id(),
             payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
                 payload: Some(AuthRequestPayload::ChallengeRequest(AuthChallengeRequest {
-                    pubkey: key.verifying_key().encode().to_vec(),
+                    pubkey: key.public_key().to_bytes(),
                     client_info: Some(ProtoClientInfo {
                         name: metadata.name,
                         description: metadata.description,
@@ -95,16 +95,14 @@ async fn receive_auth_challenge(
 
 async fn send_auth_challenge_solution(
     transport: &mut ClientTransport,
-    key: &SigningKey<MlDsa87>,
+    key: &SigningKey,
     challenge: AuthChallenge,
 ) -> std::result::Result<(), AuthError> {
     let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
     let signature = key
-        .signing_key()
-        .sign_deterministic(&challenge_payload, CLIENT_CONTEXT)
+        .sign_message(&challenge_payload, CLIENT_CONTEXT)
         .map_err(|_| AuthError::UnexpectedAuthResponse)?
-        .encode()
-        .to_vec();
+        .to_bytes();
 
     transport
         .send(ClientRequest {
@@ -145,7 +143,7 @@ async fn receive_auth_confirmation(
 pub(crate) async fn authenticate(
     transport: &mut ClientTransport,
     metadata: ClientMetadata,
-    key: &SigningKey<MlDsa87>,
+    key: &SigningKey,
 ) -> std::result::Result<(), AuthError> {
     send_auth_challenge_request(transport, metadata, key).await?;
     let challenge = receive_auth_challenge(transport).await?;

server/crates/arbiter-client/src/client.rs

@@ -1,7 +1,7 @@
+use arbiter_crypto::authn::SigningKey;
 use arbiter_proto::{
     ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl,
 };
-use ml_dsa::{MlDsa87, SigningKey};
 use std::sync::Arc;
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
@@ -61,7 +61,7 @@ impl ArbiterClient {
     pub async fn connect_with_key(
         url: ArbiterUrl,
         metadata: ClientMetadata,
-        key: SigningKey<MlDsa87>,
+        key: SigningKey,
     ) -> Result<Self, Error> {
         let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
         let tls = ClientTlsConfig::new().trust_anchor(anchor);

server/crates/arbiter-client/src/storage.rs

@@ -1,5 +1,5 @@
+use arbiter_crypto::authn::SigningKey;
 use arbiter_proto::home_path;
-use ml_dsa::{KeyGen, MlDsa87, Seed, SigningKey};
 use std::path::{Path, PathBuf};
 
 #[derive(Debug, thiserror::Error)]
@@ -12,7 +12,7 @@ pub enum StorageError {
 }
 
 pub trait SigningKeyStorage {
-    fn load_or_create(&self) -> std::result::Result<SigningKey<MlDsa87>, StorageError>;
+    fn load_or_create(&self) -> std::result::Result<SigningKey, StorageError>;
 }
 
 #[derive(Debug, Clone)]
@@ -31,20 +31,21 @@ impl FileSigningKeyStorage {
         Ok(Self::new(home_path()?.join(Self::DEFAULT_FILE_NAME)))
     }
 
-    fn read_key(path: &Path) -> std::result::Result<SigningKey<MlDsa87>, StorageError> {
+    fn read_key(path: &Path) -> std::result::Result<SigningKey, StorageError> {
         let bytes = std::fs::read(path)?;
-        let raw: [u8; 32] = bytes
-            .try_into()
-            .map_err(|v: Vec<u8>| StorageError::InvalidKeyLength {
-                expected: 32,
-                actual: v.len(),
-            })?;
-        Ok(MlDsa87::from_seed(&Seed::from(raw)))
+        let raw: [u8; 32] =
+            bytes
+                .try_into()
+                .map_err(|v: Vec<u8>| StorageError::InvalidKeyLength {
+                    expected: 32,
+                    actual: v.len(),
+                })?;
+        Ok(SigningKey::from_seed(raw))
     }
 }
 
 impl SigningKeyStorage for FileSigningKeyStorage {
-    fn load_or_create(&self) -> std::result::Result<SigningKey<MlDsa87>, StorageError> {
+    fn load_or_create(&self) -> std::result::Result<SigningKey, StorageError> {
         if let Some(parent) = self.path.parent() {
             std::fs::create_dir_all(parent)?;
         }
@@ -53,7 +54,7 @@ impl SigningKeyStorage for FileSigningKeyStorage {
             return Self::read_key(&self.path);
         }
 
-        let key = MlDsa87::key_gen(&mut rand::rng());
+        let key = SigningKey::generate();
         let raw_key = key.to_seed();
 
         // Use create_new to prevent accidental overwrite if another process creates the key first.