refactor(server): moved shared module crypto into arbiter-crypto

2026-04-07 15:41:50 +02:00
parent a845181ef6
commit d22ab49e3d
40 changed files with 319 additions and 209 deletions
--- a/server/crates/arbiter-client/src/auth.rs
+++ b/server/crates/arbiter-client/src/auth.rs
@@ -1,5 +1,5 @@
 use arbiter_proto::{
-    CLIENT_CONTEXT, ClientMetadata, format_challenge,
+    ClientMetadata,
    proto::{
        client::{
            ClientRequest,
@@ -14,7 +14,7 @@ use arbiter_proto::{
        shared::ClientInfo as ProtoClientInfo,
    },
 };
-use ml_dsa::{MlDsa87, SigningKey, signature::Keypair as _};
+use arbiter_crypto::authn::{CLIENT_CONTEXT, PublicKey, Signature, SigningKey, format_challenge};

 use crate::{
    storage::StorageError,
@@ -54,14 +54,14 @@ fn map_auth_result(code: i32) -> AuthError {
 async fn send_auth_challenge_request(
    transport: &mut ClientTransport,
    metadata: ClientMetadata,
-    key: &SigningKey<MlDsa87>,
+    key: &SigningKey,
 ) -> std::result::Result<(), AuthError> {
    transport
        .send(ClientRequest {
            request_id: next_request_id(),
            payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
                payload: Some(AuthRequestPayload::ChallengeRequest(AuthChallengeRequest {
-                    pubkey: key.verifying_key().encode().to_vec(),
+                    pubkey: key.public_key().to_bytes(),
                    client_info: Some(ProtoClientInfo {
                        name: metadata.name,
                        description: metadata.description,
@@ -95,16 +95,14 @@ async fn receive_auth_challenge(

 async fn send_auth_challenge_solution(
    transport: &mut ClientTransport,
-    key: &SigningKey<MlDsa87>,
+    key: &SigningKey,
    challenge: AuthChallenge,
 ) -> std::result::Result<(), AuthError> {
    let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
    let signature = key
-        .signing_key()
-        .sign_deterministic(&challenge_payload, CLIENT_CONTEXT)
+        .sign_message(&challenge_payload, CLIENT_CONTEXT)
        .map_err(|_| AuthError::UnexpectedAuthResponse)?
-        .encode()
-        .to_vec();
+        .to_bytes();

    transport
        .send(ClientRequest {
@@ -145,7 +143,7 @@ async fn receive_auth_confirmation(
 pub(crate) async fn authenticate(
    transport: &mut ClientTransport,
    metadata: ClientMetadata,
-    key: &SigningKey<MlDsa87>,
+    key: &SigningKey,
 ) -> std::result::Result<(), AuthError> {
    send_auth_challenge_request(transport, metadata, key).await?;
    let challenge = receive_auth_challenge(transport).await?;
--- a/server/crates/arbiter-client/src/client.rs
+++ b/server/crates/arbiter-client/src/client.rs
@@ -1,7 +1,7 @@
+use arbiter_crypto::authn::SigningKey;
 use arbiter_proto::{
    ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl,
 };
-use ml_dsa::{MlDsa87, SigningKey};
 use std::sync::Arc;
 use tokio::sync::{Mutex, mpsc};
 use tokio_stream::wrappers::ReceiverStream;
@@ -61,7 +61,7 @@ impl ArbiterClient {
    pub async fn connect_with_key(
        url: ArbiterUrl,
        metadata: ClientMetadata,
-        key: SigningKey<MlDsa87>,
+        key: SigningKey,
    ) -> Result<Self, Error> {
        let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
        let tls = ClientTlsConfig::new().trust_anchor(anchor);
--- a/server/crates/arbiter-client/src/storage.rs
+++ b/server/crates/arbiter-client/src/storage.rs
@@ -1,5 +1,5 @@
+use arbiter_crypto::authn::SigningKey;
 use arbiter_proto::home_path;
-use ml_dsa::{KeyGen, MlDsa87, Seed, SigningKey};
 use std::path::{Path, PathBuf};

 #[derive(Debug, thiserror::Error)]
@@ -12,7 +12,7 @@ pub enum StorageError {
 }

 pub trait SigningKeyStorage {
-    fn load_or_create(&self) -> std::result::Result<SigningKey<MlDsa87>, StorageError>;
+    fn load_or_create(&self) -> std::result::Result<SigningKey, StorageError>;
 }

 #[derive(Debug, Clone)]
@@ -31,20 +31,21 @@ impl FileSigningKeyStorage {
        Ok(Self::new(home_path()?.join(Self::DEFAULT_FILE_NAME)))
    }

-    fn read_key(path: &Path) -> std::result::Result<SigningKey<MlDsa87>, StorageError> {
+    fn read_key(path: &Path) -> std::result::Result<SigningKey, StorageError> {
        let bytes = std::fs::read(path)?;
-        let raw: [u8; 32] = bytes
-            .try_into()
-            .map_err(|v: Vec<u8>| StorageError::InvalidKeyLength {
-                expected: 32,
-                actual: v.len(),
-            })?;
-        Ok(MlDsa87::from_seed(&Seed::from(raw)))
+        let raw: [u8; 32] =
+            bytes
+                .try_into()
+                .map_err(|v: Vec<u8>| StorageError::InvalidKeyLength {
+                    expected: 32,
+                    actual: v.len(),
+                })?;
+        Ok(SigningKey::from_seed(raw))
    }
 }

 impl SigningKeyStorage for FileSigningKeyStorage {
-    fn load_or_create(&self) -> std::result::Result<SigningKey<MlDsa87>, StorageError> {
+    fn load_or_create(&self) -> std::result::Result<SigningKey, StorageError> {
        if let Some(parent) = self.path.parent() {
            std::fs::create_dir_all(parent)?;
        }
@@ -53,7 +54,7 @@ impl SigningKeyStorage for FileSigningKeyStorage {
            return Self::read_key(&self.path);
        }

-        let key = MlDsa87::key_gen(&mut rand::rng());
+        let key = SigningKey::generate();
        let raw_key = key.to_seed();

        // Use create_new to prevent accidental overwrite if another process creates the key first.