MarketTakers/arbiter
5
0
Fork 0
Code Issues 27 Pull Requests 4 Packages Projects Releases Wiki Activity

refactor(server): moved shared module crypto into arbiter-crypto

Browse Source
This commit is contained in:
hdbg
2026-04-07 15:41:50 +02:00
parent a845181ef6
commit d22ab49e3d
40 changed files with 319 additions and 209 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
server/Cargo.lock generated
View File

@@ -680,10 +680,10 @@ name = "arbiter-client"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"alloy", "alloy",
"arbiter-crypto",
"arbiter-proto", "arbiter-proto",
"async-trait", "async-trait",
"http", "http",
"ml-dsa",
"rand 0.10.0", "rand 0.10.0",
"rustls-webpki", "rustls-webpki",
"thiserror 2.0.18", "thiserror 2.0.18",
@@ -692,6 +692,16 @@ dependencies = [
"tonic", "tonic",
] ]
[[package]]
name = "arbiter-crypto"
version = "0.1.0"
dependencies = [
"base64",
"memsafe",
"ml-dsa",
"rand 0.10.0",
]
[[package]] [[package]]
name = "arbiter-proto" name = "arbiter-proto"
version = "0.1.0" version = "0.1.0"
@@ -725,6 +735,7 @@ version = "0.1.0"
dependencies = [ dependencies = [
"alloy", "alloy",
"anyhow", "anyhow",
"arbiter-crypto",
"arbiter-proto", "arbiter-proto",
"arbiter-tokens-registry", "arbiter-tokens-registry",
"argon2", "argon2",
@@ -742,7 +753,6 @@ dependencies = [
"insta", "insta",
"k256", "k256",
"kameo", "kameo",
"memsafe",
"ml-dsa", "ml-dsa",
"mutants", "mutants",
"pem", "pem",

1
server/Cargo.toml
View File

@@ -46,3 +46,4 @@ prost = "0.14.3"
miette = { version = "7.6.0", features = ["fancy", "serde"] } miette = { version = "7.6.0", features = ["fancy", "serde"] }
mutants = "0.0.4" mutants = "0.0.4"
ml-dsa = { version = "0.1.0-rc.8", features = ["zeroize"] } ml-dsa = { version = "0.1.0-rc.8", features = ["zeroize"] }
base64 = "0.22.1"

2
server/crates/arbiter-client/Cargo.toml
View File

@@ -13,12 +13,12 @@ evm = ["dep:alloy"]
[dependencies] [dependencies]
arbiter-proto.path = "../arbiter-proto" arbiter-proto.path = "../arbiter-proto"
arbiter-crypto.path = "../arbiter-crypto"
alloy = { workspace = true, optional = true } alloy = { workspace = true, optional = true }
tonic.workspace = true tonic.workspace = true
tonic.features = ["tls-aws-lc"] tonic.features = ["tls-aws-lc"]
tokio.workspace = true tokio.workspace = true
tokio-stream.workspace = true tokio-stream.workspace = true
ml-dsa.workspace = true
thiserror.workspace = true thiserror.workspace = true
http = "1.4.0" http = "1.4.0"
rustls-webpki = { version = "0.103.10", features = ["aws-lc-rs"] } rustls-webpki = { version = "0.103.10", features = ["aws-lc-rs"] }

18
server/crates/arbiter-client/src/auth.rs
View File

@@ -1,5 +1,5 @@
use arbiter_proto::{ use arbiter_proto::{
CLIENT_CONTEXT, ClientMetadata, format_challenge, ClientMetadata,
proto::{ proto::{
client::{ client::{
ClientRequest, ClientRequest,
@@ -14,7 +14,7 @@ use arbiter_proto::{
shared::ClientInfo as ProtoClientInfo, shared::ClientInfo as ProtoClientInfo,
}, },
}; };
use ml_dsa::{MlDsa87, SigningKey, signature::Keypair as _}; use arbiter_crypto::authn::{CLIENT_CONTEXT, PublicKey, Signature, SigningKey, format_challenge};
use crate::{ use crate::{
storage::StorageError, storage::StorageError,
@@ -54,14 +54,14 @@ fn map_auth_result(code: i32) -> AuthError {
async fn send_auth_challenge_request( async fn send_auth_challenge_request(
transport: &mut ClientTransport, transport: &mut ClientTransport,
metadata: ClientMetadata, metadata: ClientMetadata,
key: &SigningKey<MlDsa87>, key: &SigningKey,
) -> std::result::Result<(), AuthError> { ) -> std::result::Result<(), AuthError> {
transport transport
.send(ClientRequest { .send(ClientRequest {
request_id: next_request_id(), request_id: next_request_id(),
payload: Some(ClientRequestPayload::Auth(proto_auth::Request { payload: Some(ClientRequestPayload::Auth(proto_auth::Request {
payload: Some(AuthRequestPayload::ChallengeRequest(AuthChallengeRequest { payload: Some(AuthRequestPayload::ChallengeRequest(AuthChallengeRequest {
pubkey: key.verifying_key().encode().to_vec(), pubkey: key.public_key().to_bytes(),
client_info: Some(ProtoClientInfo { client_info: Some(ProtoClientInfo {
name: metadata.name, name: metadata.name,
description: metadata.description, description: metadata.description,
@@ -95,16 +95,14 @@ async fn receive_auth_challenge(
async fn send_auth_challenge_solution( async fn send_auth_challenge_solution(
transport: &mut ClientTransport, transport: &mut ClientTransport,
key: &SigningKey<MlDsa87>, key: &SigningKey,
challenge: AuthChallenge, challenge: AuthChallenge,
) -> std::result::Result<(), AuthError> { ) -> std::result::Result<(), AuthError> {
let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey); let challenge_payload = format_challenge(challenge.nonce, &challenge.pubkey);
let signature = key let signature = key
.signing_key() .sign_message(&challenge_payload, CLIENT_CONTEXT)
.sign_deterministic(&challenge_payload, CLIENT_CONTEXT)
.map_err(|_| AuthError::UnexpectedAuthResponse)? .map_err(|_| AuthError::UnexpectedAuthResponse)?
.encode() .to_bytes();
.to_vec();
transport transport
.send(ClientRequest { .send(ClientRequest {
@@ -145,7 +143,7 @@ async fn receive_auth_confirmation(
pub(crate) async fn authenticate( pub(crate) async fn authenticate(
transport: &mut ClientTransport, transport: &mut ClientTransport,
metadata: ClientMetadata, metadata: ClientMetadata,
key: &SigningKey<MlDsa87>, key: &SigningKey,
) -> std::result::Result<(), AuthError> { ) -> std::result::Result<(), AuthError> {
send_auth_challenge_request(transport, metadata, key).await?; send_auth_challenge_request(transport, metadata, key).await?;
let challenge = receive_auth_challenge(transport).await?; let challenge = receive_auth_challenge(transport).await?;

4
server/crates/arbiter-client/src/client.rs
View File

@@ -1,7 +1,7 @@
use arbiter_crypto::authn::SigningKey;
use arbiter_proto::{ use arbiter_proto::{
ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl, ClientMetadata, proto::arbiter_service_client::ArbiterServiceClient, url::ArbiterUrl,
}; };
use ml_dsa::{MlDsa87, SigningKey};
use std::sync::Arc; use std::sync::Arc;
use tokio::sync::{Mutex, mpsc}; use tokio::sync::{Mutex, mpsc};
use tokio_stream::wrappers::ReceiverStream; use tokio_stream::wrappers::ReceiverStream;
@@ -61,7 +61,7 @@ impl ArbiterClient {
pub async fn connect_with_key( pub async fn connect_with_key(
url: ArbiterUrl, url: ArbiterUrl,
metadata: ClientMetadata, metadata: ClientMetadata,
key: SigningKey<MlDsa87>, key: SigningKey,
) -> Result<Self, Error> { ) -> Result<Self, Error> {
let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned(); let anchor = webpki::anchor_from_trusted_cert(&url.ca_cert)?.to_owned();
let tls = ClientTlsConfig::new().trust_anchor(anchor); let tls = ClientTlsConfig::new().trust_anchor(anchor);

15
server/crates/arbiter-client/src/storage.rs
View File

@@ -1,5 +1,5 @@
use arbiter_crypto::authn::SigningKey;
use arbiter_proto::home_path; use arbiter_proto::home_path;
use ml_dsa::{KeyGen, MlDsa87, Seed, SigningKey};
use std::path::{Path, PathBuf}; use std::path::{Path, PathBuf};
#[derive(Debug, thiserror::Error)] #[derive(Debug, thiserror::Error)]
@@ -12,7 +12,7 @@ pub enum StorageError {
} }
pub trait SigningKeyStorage { pub trait SigningKeyStorage {
fn load_or_create(&self) -> std::result::Result<SigningKey<MlDsa87>, StorageError>; fn load_or_create(&self) -> std::result::Result<SigningKey, StorageError>;
} }
#[derive(Debug, Clone)] #[derive(Debug, Clone)]
@@ -31,20 +31,21 @@ impl FileSigningKeyStorage {
Ok(Self::new(home_path()?.join(Self::DEFAULT_FILE_NAME))) Ok(Self::new(home_path()?.join(Self::DEFAULT_FILE_NAME)))
} }
fn read_key(path: &Path) -> std::result::Result<SigningKey<MlDsa87>, StorageError> { fn read_key(path: &Path) -> std::result::Result<SigningKey, StorageError> {
let bytes = std::fs::read(path)?; let bytes = std::fs::read(path)?;
let raw: [u8; 32] = bytes let raw: [u8; 32] =
bytes
.try_into() .try_into()
.map_err(|v: Vec<u8>| StorageError::InvalidKeyLength { .map_err(|v: Vec<u8>| StorageError::InvalidKeyLength {
expected: 32, expected: 32,
actual: v.len(), actual: v.len(),
})?; })?;
Ok(MlDsa87::from_seed(&Seed::from(raw))) Ok(SigningKey::from_seed(raw))
} }
} }
impl SigningKeyStorage for FileSigningKeyStorage { impl SigningKeyStorage for FileSigningKeyStorage {
fn load_or_create(&self) -> std::result::Result<SigningKey<MlDsa87>, StorageError> { fn load_or_create(&self) -> std::result::Result<SigningKey, StorageError> {
if let Some(parent) = self.path.parent() { if let Some(parent) = self.path.parent() {
std::fs::create_dir_all(parent)?; std::fs::create_dir_all(parent)?;
} }
@@ -53,7 +54,7 @@ impl SigningKeyStorage for FileSigningKeyStorage {
return Self::read_key(&self.path); return Self::read_key(&self.path);
} }
let key = MlDsa87::key_gen(&mut rand::rng()); let key = SigningKey::generate();
let raw_key = key.to_seed(); let raw_key = key.to_seed();
// Use create_new to prevent accidental overwrite if another process creates the key first. // Use create_new to prevent accidental overwrite if another process creates the key first.

1
server/crates/arbiter-crypto/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
/target

18
server/crates/arbiter-crypto/Cargo.toml Normal file
View File

@@ -0,0 +1,18 @@
[package]
name = "arbiter-crypto"
version = "0.1.0"
edition = "2024"
[dependencies]
ml-dsa = {workspace = true, optional = true }
rand = {workspace = true, optional = true}
base64 = {workspace = true, optional = true }
memsafe = {version = "0.4.0", optional = true}
[lints]
workspace = true
[features]
default = ["authn", "safecell"]
authn = ["dep:ml-dsa", "dep:rand", "dep:base64"]
safecell = ["dep:memsafe"]

1
server/crates/arbiter-server/src/crypto/authn/mod.rs → server/crates/arbiter-crypto/src/authn/mod.rs
View File

@@ -1,3 +1,2 @@
pub mod v1; pub mod v1;
pub use v1::*; pub use v1::*;

186
server/crates/arbiter-crypto/src/authn/v1.rs Normal file
View File

@@ -0,0 +1,186 @@
use base64::{Engine as _, prelude::BASE64_STANDARD};
use ml_dsa::{
EncodedVerifyingKey, Error, KeyGen, MlDsa87, Seed, Signature as MlDsaSignature,
SigningKey as MlDsaSigningKey, VerifyingKey as MlDsaVerifyingKey, signature::Keypair as _,
};
pub static CLIENT_CONTEXT: &[u8] = b"arbiter_client";
pub static USERAGENT_CONTEXT: &[u8] = b"arbiter_user_agent";
pub fn format_challenge(nonce: i32, pubkey: &[u8]) -> Vec<u8> {
let concat_form = format!("{}:{}", nonce, BASE64_STANDARD.encode(pubkey));
concat_form.into_bytes()
}
pub type KeyParams = MlDsa87;
#[derive(Clone, Debug, PartialEq)]
pub struct PublicKey(Box<MlDsaVerifyingKey<KeyParams>>);
#[derive(Clone, Debug, PartialEq)]
pub struct Signature(Box<MlDsaSignature<KeyParams>>);
#[derive(Debug)]
pub struct SigningKey(Box<MlDsaSigningKey<KeyParams>>);
impl PublicKey {
pub fn to_bytes(&self) -> Vec<u8> {
self.0.encode().to_vec()
}
pub fn verify(&self, nonce: i32, context: &[u8], signature: &Signature) -> bool {
self.0.verify_with_context(
&format_challenge(nonce, &self.to_bytes()),
context,
&signature.0,
)
}
}
impl Signature {
pub fn to_bytes(&self) -> Vec<u8> {
self.0.encode().to_vec()
}
}
impl SigningKey {
pub fn generate() -> Self {
Self(Box::new(KeyParams::key_gen(&mut rand::rng())))
}
pub fn from_seed(seed: [u8; 32]) -> Self {
Self(Box::new(KeyParams::from_seed(&Seed::from(seed))))
}
pub fn to_seed(&self) -> [u8; 32] {
self.0.to_seed().into()
}
pub fn public_key(&self) -> PublicKey {
self.0.verifying_key().into()
}
pub fn sign_message(&self, message: &[u8], context: &[u8]) -> Result<Signature, Error> {
self.0
.signing_key()
.sign_deterministic(message, context)
.map(Into::into)
}
pub fn sign_challenge(&self, nonce: i32, context: &[u8]) -> Result<Signature, Error> {
self.sign_message(
&format_challenge(nonce, &self.public_key().to_bytes()),
context,
)
}
}
impl From<MlDsaVerifyingKey<KeyParams>> for PublicKey {
fn from(value: MlDsaVerifyingKey<KeyParams>) -> Self {
Self(Box::new(value))
}
}
impl From<MlDsaSignature<KeyParams>> for Signature {
fn from(value: MlDsaSignature<KeyParams>) -> Self {
Self(Box::new(value))
}
}
impl From<MlDsaSigningKey<KeyParams>> for SigningKey {
fn from(value: MlDsaSigningKey<KeyParams>) -> Self {
Self(Box::new(value))
}
}
impl TryFrom<Vec<u8>> for PublicKey {
type Error = ();
fn try_from(value: Vec<u8>) -> Result<Self, Self::Error> {
Self::try_from(value.as_slice())
}
}
impl TryFrom<&'_ [u8]> for PublicKey {
type Error = ();
fn try_from(value: &[u8]) -> Result<Self, Self::Error> {
let encoded = EncodedVerifyingKey::<KeyParams>::try_from(value).map_err(|_| ())?;
Ok(Self(Box::new(MlDsaVerifyingKey::decode(&encoded))))
}
}
impl TryFrom<Vec<u8>> for Signature {
type Error = ();
fn try_from(value: Vec<u8>) -> Result<Self, Self::Error> {
Self::try_from(value.as_slice())
}
}
impl TryFrom<&'_ [u8]> for Signature {
type Error = ();
fn try_from(value: &[u8]) -> Result<Self, Self::Error> {
MlDsaSignature::try_from(value)
.map(|sig| Self(Box::new(sig)))
.map_err(|_| ())
}
}
#[cfg(test)]
mod tests {
use ml_dsa::{KeyGen, MlDsa87, signature::Keypair as _};
use super::{CLIENT_CONTEXT, PublicKey, Signature, SigningKey, USERAGENT_CONTEXT};
#[test]
fn public_key_round_trip_decodes() {
let key = MlDsa87::key_gen(&mut rand::rng());
let encoded = PublicKey::from(key.verifying_key()).to_bytes();
let decoded = PublicKey::try_from(encoded.as_slice()).expect("public key should decode");
assert_eq!(decoded, PublicKey::from(key.verifying_key()));
}
#[test]
fn signature_round_trip_decodes() {
let key = SigningKey::generate();
let signature = key
.sign_message(b"challenge", CLIENT_CONTEXT)
.expect("signature should be created");
let decoded =
Signature::try_from(signature.to_bytes().as_slice()).expect("signature should decode");
assert_eq!(decoded, signature);
}
#[test]
fn challenge_verification_uses_context_and_canonical_key_bytes() {
let key = SigningKey::generate();
let public_key = key.public_key();
let nonce = 17;
let signature = key
.sign_challenge(nonce, CLIENT_CONTEXT)
.expect("signature should be created");
assert!(public_key.verify(nonce, CLIENT_CONTEXT, &signature));
assert!(!public_key.verify(nonce, USERAGENT_CONTEXT, &signature));
}
#[test]
fn signing_key_round_trip_seed_preserves_public_key_and_signing() {
let original = SigningKey::generate();
let restored = SigningKey::from_seed(original.to_seed());
assert_eq!(restored.public_key(), original.public_key());
let signature = restored
.sign_challenge(9, CLIENT_CONTEXT)
.expect("signature should be created");
assert!(restored.public_key().verify(9, CLIENT_CONTEXT, &signature));
}
}

7
server/crates/arbiter-crypto/src/lib.rs Normal file
View File

@@ -0,0 +1,7 @@
#[cfg(feature = "authn")]
pub mod authn;
#[cfg(feature = "safecell")]
pub mod safecell;

5
server/crates/arbiter-server/src/safe_cell.rs → server/crates/arbiter-crypto/src/safecell.rs
View File

@@ -105,6 +105,11 @@ impl<T> SafeCellHandle<T> for MemSafeCell<T> {
fn abort_memory_breach(action: &str, err: &memsafe::error::MemoryError) -> ! { fn abort_memory_breach(action: &str, err: &memsafe::error::MemoryError) -> ! {
eprintln!("fatal {action}: {err}"); eprintln!("fatal {action}: {err}");
// SAFETY: Intentionally cause a segmentation fault to prevent further execution in a compromised state.
unsafe {
let unsafe_pointer = 0x0 as *mut u8;
std::ptr::write_volatile(unsafe_pointer, 0);
}
std::process::abort(); std::process::abort();
} }

2
server/crates/arbiter-proto/Cargo.toml
View File

@@ -17,7 +17,7 @@ url = "2.5.8"
miette.workspace = true miette.workspace = true
thiserror.workspace = true thiserror.workspace = true
rustls-pki-types.workspace = true rustls-pki-types.workspace = true
base64 = "0.22.1" base64.workspace = true
prost-types.workspace = true prost-types.workspace = true
tracing.workspace = true tracing.workspace = true
async-trait.workspace = true async-trait.workspace = true

8
server/crates/arbiter-proto/src/lib.rs
View File

@@ -63,9 +63,6 @@ pub mod proto {
} }
} }
pub static CLIENT_CONTEXT: &[u8] = b"arbiter_client";
pub static USERAGENT_CONTEXT: &[u8] = b"arbiter_user_agent";
#[derive(Debug, Clone, PartialEq, Eq)] #[derive(Debug, Clone, PartialEq, Eq)]
pub struct ClientMetadata { pub struct ClientMetadata {
pub name: String, pub name: String,
@@ -87,8 +84,3 @@ pub fn home_path() -> Result<std::path::PathBuf, std::io::Error> {
Ok(arbiter_home) Ok(arbiter_home)
} }
pub fn format_challenge(nonce: i32, pubkey: &[u8]) -> Vec<u8> {
let concat_form = format!("{}:{}", nonce, BASE64_STANDARD.encode(pubkey));
concat_form.into_bytes()
}

2
server/crates/arbiter-server/Cargo.toml
View File

@@ -17,6 +17,7 @@ diesel-async = { version = "0.8.0", features = [
"tokio", "tokio",
] } ] }
arbiter-proto.path = "../arbiter-proto" arbiter-proto.path = "../arbiter-proto"
arbiter-crypto.path = "../arbiter-crypto"
tracing.workspace = true tracing.workspace = true
tracing-subscriber = { version = "0.3", features = ["env-filter"] } tracing-subscriber = { version = "0.3", features = ["env-filter"] }
tonic.workspace = true tonic.workspace = true
@@ -35,7 +36,6 @@ dashmap = "6.1.0"
rand.workspace = true rand.workspace = true
rcgen.workspace = true rcgen.workspace = true
chrono.workspace = true chrono.workspace = true
memsafe = "0.4.0"
zeroize = { version = "1.8.2", features = ["std", "simd"] } zeroize = { version = "1.8.2", features = ["std", "simd"] }
kameo.workspace = true kameo.workspace = true
chacha20poly1305 = { version = "0.10.1", features = ["std"] } chacha20poly1305 = { version = "0.10.1", features = ["std"] }

11
server/crates/arbiter-server/src/actors/client/auth.rs
View File

@@ -1,5 +1,6 @@
use arbiter_crypto::authn::{self, CLIENT_CONTEXT};
use arbiter_proto::{ use arbiter_proto::{
CLIENT_CONTEXT, ClientMetadata, ClientMetadata,
transport::{Bi, expect_message}, transport::{Bi, expect_message},
}; };
use chrono::Utc; use chrono::Utc;
@@ -17,7 +18,6 @@ use crate::{
flow_coordinator::{self, RequestClientApproval}, flow_coordinator::{self, RequestClientApproval},
keyholder::KeyHolder, keyholder::KeyHolder,
}, },
crypto::authn,
crypto::integrity::{self, AttestationStatus}, crypto::integrity::{self, AttestationStatus},
db::{ db::{
self, self,
@@ -26,8 +26,6 @@ use crate::{
}, },
}; };
#[derive(thiserror::Error, Debug, Clone, PartialEq, Eq)] #[derive(thiserror::Error, Debug, Clone, PartialEq, Eq)]
pub enum Error { pub enum Error {
#[error("Database pool unavailable")] #[error("Database pool unavailable")]
@@ -355,7 +353,10 @@ where
T: Bi<Inbound, Result<Outbound, Error>> + ?Sized, T: Bi<Inbound, Result<Outbound, Error>> + ?Sized,
{ {
transport transport
.send(Ok(Outbound::AuthChallenge { pubkey: pubkey.clone(), nonce })) .send(Ok(Outbound::AuthChallenge {
pubkey: pubkey.clone(),
nonce,
}))
.await .await
.map_err(|e| { .map_err(|e| {
error!(error = ?e, "Failed to send auth challenge"); error!(error = ?e, "Failed to send auth challenge");

7
server/crates/arbiter-server/src/actors/client/mod.rs
View File

@@ -1,10 +1,10 @@
use arbiter_crypto::authn;
use arbiter_proto::{ClientMetadata, transport::Bi}; use arbiter_proto::{ClientMetadata, transport::Bi};
use kameo::actor::Spawn; use kameo::actor::Spawn;
use tracing::{error, info}; use tracing::{error, info};
use crate::{ use crate::{
actors::{GlobalActors, client::session::ClientSession}, actors::{GlobalActors, client::session::ClientSession},
crypto::authn,
crypto::integrity::{Integrable, hashing::Hashable}, crypto::integrity::{Integrable, hashing::Hashable},
db, db,
}; };
@@ -50,10 +50,7 @@ where
T: Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> + Send + ?Sized, T: Bi<auth::Inbound, Result<auth::Outbound, auth::Error>> + Send + ?Sized,
{ {
let fut = auth::authenticate(&mut props, transport); let fut = auth::authenticate(&mut props, transport);
println!( println!("authenticate future size: {}", std::mem::size_of_val(&fut));
"authenticate future size: {}",
std::mem::size_of_val(&fut)
);
match fut.await { match fut.await {
Ok(client_id) => { Ok(client_id) => {
ClientSession::spawn(ClientSession::new(props, client_id)); ClientSession::spawn(ClientSession::new(props, client_id));

3
server/crates/arbiter-server/src/actors/evm/mod.rs
View File

@@ -21,8 +21,9 @@ use crate::{
ether_transfer::EtherTransfer, token_transfers::TokenTransfer, ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
}, },
}, },
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
pub use crate::evm::safe_signer; pub use crate::evm::safe_signer;

5
server/crates/arbiter-server/src/actors/keyholder/mod.rs
View File

@@ -15,7 +15,6 @@ use crate::{
encryption::v1::{self, Nonce}, encryption::v1::{self, Nonce},
integrity::v1::HmacSha256, integrity::v1::HmacSha256,
}, },
safe_cell::SafeCell,
}; };
use crate::{ use crate::{
db::{ db::{
@@ -23,8 +22,8 @@ use crate::{
models::{self, RootKeyHistory}, models::{self, RootKeyHistory},
schema::{self}, schema::{self},
}, },
safe_cell::SafeCellHandle as _,
}; };
use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
#[derive(Default, EnumDiscriminants)] #[derive(Default, EnumDiscriminants)]
#[strum_discriminants(derive(Reply), vis(pub), name(KeyHolderState))] #[strum_discriminants(derive(Reply), vis(pub), name(KeyHolderState))]
@@ -402,8 +401,8 @@ mod tests {
use crate::{ use crate::{
db::{self}, db::{self},
safe_cell::SafeCell,
}; };
use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
use super::*; use super::*;

3
server/crates/arbiter-server/src/actors/user_agent/auth.rs
View File

@@ -1,3 +1,4 @@
use arbiter_crypto::authn;
use arbiter_proto::transport::Bi; use arbiter_proto::transport::Bi;
use tracing::error; use tracing::error;
@@ -5,8 +6,6 @@ use crate::actors::user_agent::{
UserAgentConnection, UserAgentConnection,
auth::state::{AuthContext, AuthStateMachine}, auth::state::{AuthContext, AuthStateMachine},
}; };
use crate::crypto::authn;
mod state; mod state;
use state::*; use state::*;

4
server/crates/arbiter-server/src/actors/user_agent/auth/state.rs
View File

@@ -1,4 +1,5 @@
use arbiter_proto::{USERAGENT_CONTEXT, transport::Bi}; use arbiter_crypto::authn::{self, USERAGENT_CONTEXT};
use arbiter_proto::{transport::Bi};
use diesel::{ExpressionMethods as _, OptionalExtension as _, QueryDsl, update}; use diesel::{ExpressionMethods as _, OptionalExtension as _, QueryDsl, update};
use diesel_async::{AsyncConnection, RunQueryDsl}; use diesel_async::{AsyncConnection, RunQueryDsl};
use kameo::actor::ActorRef; use kameo::actor::ActorRef;
@@ -11,7 +12,6 @@ use crate::{
keyholder::KeyHolder, keyholder::KeyHolder,
user_agent::{UserAgentConnection, UserAgentCredentials, auth::Outbound}, user_agent::{UserAgentConnection, UserAgentCredentials, auth::Outbound},
}, },
crypto::authn,
crypto::integrity, crypto::integrity,
db::{DatabasePool, schema::useragent_client}, db::{DatabasePool, schema::useragent_client},
}; };

3
server/crates/arbiter-server/src/actors/user_agent/mod.rs
View File

@@ -1,9 +1,10 @@
use crate::{ use crate::{
actors::{GlobalActors, client::ClientProfile}, actors::{GlobalActors, client::ClientProfile},
crypto::authn,
crypto::integrity::Integrable, crypto::integrity::Integrable,
db, db,
}; };
use arbiter_crypto::authn;
#[derive(Debug)] #[derive(Debug)]
pub struct UserAgentCredentials { pub struct UserAgentCredentials {

7
server/crates/arbiter-server/src/actors/user_agent/session.rs
View File

@@ -1,3 +1,5 @@
use arbiter_crypto::authn;
use std::{borrow::Cow, collections::HashMap}; use std::{borrow::Cow, collections::HashMap};
use arbiter_proto::transport::Sender; use arbiter_proto::transport::Sender;
@@ -11,8 +13,6 @@ use crate::actors::{
flow_coordinator::{RegisterUserAgent, client_connect_approval::ClientApprovalController}, flow_coordinator::{RegisterUserAgent, client_connect_approval::ClientApprovalController},
user_agent::{OutOfBand, UserAgentConnection}, user_agent::{OutOfBand, UserAgentConnection},
}; };
use crate::crypto::authn;
mod state; mod state;
use state::{DummyContext, UserAgentEvents, UserAgentStateMachine}; use state::{DummyContext, UserAgentEvents, UserAgentStateMachine};
@@ -119,8 +119,7 @@ impl UserAgentSession {
return; return;
} }
self.pending_client_approvals self.pending_client_approvals.insert(
.insert(
client.pubkey.to_bytes(), client.pubkey.to_bytes(),
PendingClientApproval { PendingClientApproval {
pubkey: client.pubkey, pubkey: client.pubkey,

9
server/crates/arbiter-server/src/actors/user_agent/session/connection.rs
View File

@@ -1,6 +1,7 @@
use std::sync::Mutex; use std::sync::Mutex;
use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature}; use alloy::{consensus::TxEip1559, primitives::Address, signers::Signature};
use arbiter_crypto::{authn, safecell::{SafeCell, SafeCellHandle as _}};
use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit}; use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
use diesel::{ExpressionMethods as _, QueryDsl as _, SelectableHelper}; use diesel::{ExpressionMethods as _, QueryDsl as _, SelectableHelper};
use diesel_async::{AsyncConnection, RunQueryDsl}; use diesel_async::{AsyncConnection, RunQueryDsl};
@@ -13,12 +14,10 @@ use x25519_dalek::{EphemeralSecret, PublicKey};
use crate::actors::flow_coordinator::client_connect_approval::ClientApprovalAnswer; use crate::actors::flow_coordinator::client_connect_approval::ClientApprovalAnswer;
use crate::actors::keyholder::KeyHolderState; use crate::actors::keyholder::KeyHolderState;
use crate::actors::user_agent::session::Error; use crate::actors::user_agent::session::Error;
use crate::crypto::authn;
use crate::db::models::{ use crate::db::models::{
EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata, EvmWalletAccess, NewEvmWalletAccess, ProgramClient, ProgramClientMetadata,
}; };
use crate::evm::policies::{Grant, SpecificGrant}; use crate::evm::policies::{Grant, SpecificGrant};
use crate::safe_cell::SafeCell;
use crate::{ use crate::{
actors::{ actors::{
evm::{ evm::{
@@ -31,7 +30,6 @@ use crate::{
state::{UnsealContext, UserAgentEvents, UserAgentStates}, state::{UnsealContext, UserAgentEvents, UserAgentStates},
}, },
}, },
safe_cell::SafeCellHandle as _,
}; };
impl UserAgentSession { impl UserAgentSession {
@@ -477,10 +475,7 @@ impl UserAgentSession {
pubkey: authn::PublicKey, pubkey: authn::PublicKey,
ctx: &mut Context<Self, Result<(), Error>>, ctx: &mut Context<Self, Result<(), Error>>,
) -> Result<(), Error> { ) -> Result<(), Error> {
let pending_approval = match self let pending_approval = match self.pending_client_approvals.remove(&pubkey.to_bytes()) {
.pending_client_approvals
.remove(&pubkey.to_bytes())
{
Some(approval) => approval, Some(approval) => approval,
None => { None => {
error!("Received client connection response for unknown client"); error!("Received client connection response for unknown client");

110
server/crates/arbiter-server/src/crypto/authn/v1/mod.rs
View File

@@ -1,110 +0,0 @@
use ml_dsa::{
EncodedVerifyingKey, MlDsa87, Signature as MlDsaSignature, VerifyingKey as MlDsaVerifyingKey,
};
pub type KeyParams = MlDsa87;
#[derive(Clone, Debug, PartialEq)]
pub struct PublicKey(Box<MlDsaVerifyingKey<KeyParams>>);
#[derive(Clone, Debug, PartialEq)]
pub struct Signature(Box<MlDsaSignature<KeyParams>>);
impl PublicKey {
pub fn to_bytes(&self) -> Vec<u8> {
self.0.encode().to_vec()
}
pub fn verify(&self, nonce: i32, context: &[u8], signature: &Signature) -> bool {
self.0.verify_with_context(&format_challenge(nonce, self), context, &signature.0)
}
}
impl Signature {
pub fn to_bytes(&self) -> Vec<u8> {
self.0.encode().to_vec()
}
}
impl From<MlDsaVerifyingKey<KeyParams>> for PublicKey {
fn from(value: MlDsaVerifyingKey<KeyParams>) -> Self {
Self(Box::new(value))
}
}
impl From<MlDsaSignature<KeyParams>> for Signature {
fn from(value: MlDsaSignature<KeyParams>) -> Self {
Self(Box::new(value))
}
}
impl TryFrom<&'_ [u8]> for PublicKey {
type Error = ();
fn try_from(value: &[u8]) -> Result<Self, Self::Error> {
let encoded = EncodedVerifyingKey::<KeyParams>::try_from(value).map_err(|_| ())?;
Ok(Self(Box::new(MlDsaVerifyingKey::decode(&encoded))))
}
}
impl TryFrom<&'_ [u8]> for Signature {
type Error = ();
fn try_from(value: &[u8]) -> Result<Self, Self::Error> {
MlDsaSignature::try_from(value)
.map(|sig| Self(Box::new(sig)))
.map_err(|_| ())
}
}
pub fn format_challenge(nonce: i32, pubkey: &PublicKey) -> Vec<u8> {
arbiter_proto::format_challenge(nonce, &pubkey.to_bytes())
}
#[cfg(test)]
mod tests {
use ml_dsa::{KeyGen, MlDsa87, signature::Keypair as _};
use super::{PublicKey, Signature};
#[test]
fn public_key_round_trip_decodes() {
let key = MlDsa87::key_gen(&mut rand::rng());
let encoded = PublicKey::from(key.verifying_key()).to_bytes();
let decoded = PublicKey::try_from(encoded.as_slice()).expect("public key should decode");
assert_eq!(decoded, PublicKey::from(key.verifying_key()));
}
#[test]
fn signature_round_trip_decodes() {
let key = MlDsa87::key_gen(&mut rand::rng());
let challenge = b"challenge";
let signature = key
.signing_key()
.sign_deterministic(challenge, arbiter_proto::CLIENT_CONTEXT)
.expect("signature should be created");
let decoded = Signature::try_from(signature.encode().to_vec().as_slice()).expect("signature should decode");
assert_eq!(decoded, Signature::from(signature));
}
#[test]
fn challenge_verification_uses_context_and_canonical_key_bytes() {
let key = MlDsa87::key_gen(&mut rand::rng());
let public_key = PublicKey::from(key.verifying_key());
let nonce = 17;
let challenge =
arbiter_proto::format_challenge(nonce, &public_key.to_bytes());
let signature = key
.signing_key()
.sign_deterministic(&challenge, arbiter_proto::CLIENT_CONTEXT)
.expect("signature should be created")
.into();
assert!(public_key.verify(nonce, arbiter_proto::CLIENT_CONTEXT, &signature));
assert!(!public_key.verify(nonce, arbiter_proto::USERAGENT_CONTEXT, &signature));
}
}

4
server/crates/arbiter-server/src/crypto/encryption/v1.rs
View File

@@ -60,9 +60,9 @@ mod tests {
use super::*; use super::*;
use crate::{ use crate::{
crypto::derive_key, crypto::derive_key
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
#[test] #[test]
pub fn derive_seal_key_deterministic() { pub fn derive_seal_key_deterministic() {

6
server/crates/arbiter-server/src/crypto/integrity/v1.rs
View File

@@ -1,6 +1,7 @@
use crate::{ use crate::{
actors::keyholder, crypto::integrity::hashing::Hashable, safe_cell::SafeCellHandle as _, actors::keyholder, crypto::integrity::hashing::Hashable
}; };
use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
use hmac::{Hmac, Mac as _}; use hmac::{Hmac, Mac as _};
use sha2::Sha256; use sha2::Sha256;
@@ -212,8 +213,9 @@ mod tests {
use crate::{ use crate::{
actors::keyholder::{Bootstrap, KeyHolder}, actors::keyholder::{Bootstrap, KeyHolder},
db::{self, schema}, db::{self, schema},
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
use super::{Error, Integrable, sign_entity, verify_entity}; use super::{Error, Integrable, sign_entity, verify_entity};
use super::{hashing::Hashable, payload_hash}; use super::{hashing::Hashable, payload_hash};

5
server/crates/arbiter-server/src/crypto/mod.rs
View File

@@ -10,9 +10,8 @@ use rand::{
rngs::{StdRng, SysRng}, rngs::{StdRng, SysRng},
}; };
use crate::safe_cell::{SafeCell, SafeCellHandle as _}; use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
pub mod authn;
pub mod encryption; pub mod encryption;
pub mod integrity; pub mod integrity;
@@ -142,7 +141,7 @@ mod tests {
derive_key, derive_key,
encryption::v1::{Nonce, generate_salt}, encryption::v1::{Nonce, generate_salt},
}; };
use crate::safe_cell::{SafeCell, SafeCellHandle as _}; use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
#[test] #[test]
pub fn encrypt_decrypt() { pub fn encrypt_decrypt() {

2
server/crates/arbiter-server/src/evm/safe_signer.rs
View File

@@ -1,6 +1,6 @@
use std::sync::Mutex; use std::sync::Mutex;
use crate::safe_cell::{SafeCell, SafeCellHandle as _}; use arbiter_crypto::safecell::{SafeCell, SafeCellHandle as _};
use alloy::{ use alloy::{
consensus::SignableTransaction, consensus::SignableTransaction,
network::{TxSigner, TxSignerSync}, network::{TxSigner, TxSignerSync},

2
server/crates/arbiter-server/src/grpc/client/auth.rs
View File

@@ -1,3 +1,4 @@
use arbiter_crypto::authn;
use arbiter_proto::{ use arbiter_proto::{
ClientMetadata, ClientMetadata,
proto::{ proto::{
@@ -22,7 +23,6 @@ use tracing::warn;
use crate::{ use crate::{
actors::client::{self, ClientConnection, auth}, actors::client::{self, ClientConnection, auth},
crypto::authn,
grpc::request_tracker::RequestTracker, grpc::request_tracker::RequestTracker,
}; };

2
server/crates/arbiter-server/src/grpc/user_agent/auth.rs
View File

@@ -1,3 +1,4 @@
use arbiter_crypto::authn;
use arbiter_proto::{ use arbiter_proto::{
proto::user_agent::{ proto::user_agent::{
UserAgentRequest, UserAgentResponse, UserAgentRequest, UserAgentResponse,
@@ -18,7 +19,6 @@ use tracing::warn;
use crate::{ use crate::{
actors::user_agent::{UserAgentConnection, auth}, actors::user_agent::{UserAgentConnection, auth},
crypto::authn,
grpc::request_tracker::RequestTracker, grpc::request_tracker::RequestTracker,
}; };

2
server/crates/arbiter-server/src/grpc/user_agent/sdk_client.rs
View File

@@ -1,3 +1,4 @@
use arbiter_crypto::authn;
use arbiter_proto::proto::{ use arbiter_proto::proto::{
shared::ClientInfo as ProtoClientMetadata, shared::ClientInfo as ProtoClientMetadata,
user_agent::{ user_agent::{
@@ -27,7 +28,6 @@ use crate::{
HandleRevokeEvmWalletAccess, HandleSdkClientList, HandleRevokeEvmWalletAccess, HandleSdkClientList,
}, },
}, },
crypto::authn,
db::models::NewEvmWalletAccess, db::models::NewEvmWalletAccess,
grpc::Convert, grpc::Convert,
}; };

1
server/crates/arbiter-server/src/lib.rs
View File

@@ -7,7 +7,6 @@ pub mod crypto;
pub mod db; pub mod db;
pub mod evm; pub mod evm;
pub mod grpc; pub mod grpc;
pub mod safe_cell;
pub mod utils; pub mod utils;
pub struct Server { pub struct Server {

10
server/crates/arbiter-server/tests/client/auth.rs
View File

@@ -1,3 +1,7 @@
use arbiter_crypto::{
authn::{self, CLIENT_CONTEXT, format_challenge},
safecell::{SafeCell, SafeCellHandle as _},
};
use arbiter_proto::ClientMetadata; use arbiter_proto::ClientMetadata;
use arbiter_proto::transport::{Receiver, Sender}; use arbiter_proto::transport::{Receiver, Sender};
use arbiter_server::{ use arbiter_server::{
@@ -6,10 +10,8 @@ use arbiter_server::{
client::{ClientConnection, ClientCredentials, auth, connect_client}, client::{ClientConnection, ClientCredentials, auth, connect_client},
keyholder::Bootstrap, keyholder::Bootstrap,
}, },
crypto::authn,
crypto::integrity, crypto::integrity,
db::{self, schema}, db::{self, schema},
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use diesel::{ExpressionMethods as _, NullableExpressionMethods as _, QueryDsl as _, insert_into}; use diesel::{ExpressionMethods as _, NullableExpressionMethods as _, QueryDsl as _, insert_into};
use diesel_async::RunQueryDsl; use diesel_async::RunQueryDsl;
@@ -72,9 +74,9 @@ fn sign_client_challenge(
nonce: i32, nonce: i32,
pubkey: &authn::PublicKey, pubkey: &authn::PublicKey,
) -> authn::Signature { ) -> authn::Signature {
let challenge = arbiter_proto::format_challenge(nonce, &pubkey.to_bytes()); let challenge = format_challenge(nonce, &pubkey.to_bytes());
key.signing_key() key.signing_key()
.sign_deterministic(&challenge, arbiter_proto::CLIENT_CONTEXT) .sign_deterministic(&challenge, CLIENT_CONTEXT)
.unwrap() .unwrap()
.into() .into()
} }

3
server/crates/arbiter-server/tests/common/mod.rs
View File

@@ -2,8 +2,9 @@ use arbiter_proto::transport::{Bi, Error, Receiver, Sender};
use arbiter_server::{ use arbiter_server::{
actors::keyholder::KeyHolder, actors::keyholder::KeyHolder,
db::{self, schema}, db::{self, schema},
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use arbiter_crypto::{authn::{self, format_challenge, CLIENT_CONTEXT}, safecell::{SafeCell, SafeCellHandle as _}};
use async_trait::async_trait; use async_trait::async_trait;
use diesel::QueryDsl; use diesel::QueryDsl;
use diesel_async::RunQueryDsl; use diesel_async::RunQueryDsl;

4
server/crates/arbiter-server/tests/keyholder/concurrency.rs
View File

@@ -3,8 +3,10 @@ use std::collections::{HashMap, HashSet};
use arbiter_server::{ use arbiter_server::{
actors::keyholder::{CreateNew, Error, KeyHolder}, actors::keyholder::{CreateNew, Error, KeyHolder},
db::{self, models, schema}, db::{self, models, schema},
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use arbiter_crypto::{authn::{self, format_challenge, CLIENT_CONTEXT}, safecell::{SafeCell, SafeCellHandle as _}};
use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper, dsl::sql_query}; use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper, dsl::sql_query};
use diesel_async::RunQueryDsl; use diesel_async::RunQueryDsl;
use kameo::actor::{ActorRef, Spawn as _}; use kameo::actor::{ActorRef, Spawn as _};

3
server/crates/arbiter-server/tests/keyholder/lifecycle.rs
View File

@@ -2,8 +2,9 @@ use arbiter_server::{
actors::keyholder::{Error, KeyHolder}, actors::keyholder::{Error, KeyHolder},
crypto::encryption::v1::{Nonce, ROOT_KEY_TAG}, crypto::encryption::v1::{Nonce, ROOT_KEY_TAG},
db::{self, models, schema}, db::{self, models, schema},
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use arbiter_crypto::{authn::{self, format_challenge, CLIENT_CONTEXT}, safecell::{SafeCell, SafeCellHandle as _}};
use diesel::{QueryDsl, SelectableHelper}; use diesel::{QueryDsl, SelectableHelper};
use diesel_async::RunQueryDsl; use diesel_async::RunQueryDsl;

4
server/crates/arbiter-server/tests/keyholder/storage.rs
View File

@@ -4,8 +4,10 @@ use arbiter_server::{
actors::keyholder::Error, actors::keyholder::Error,
crypto::encryption::v1::Nonce, crypto::encryption::v1::Nonce,
db::{self, models, schema}, db::{self, models, schema},
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use arbiter_crypto::{authn::{self, format_challenge, CLIENT_CONTEXT}, safecell::{SafeCell, SafeCellHandle as _}};
use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper, dsl::update}; use diesel::{ExpressionMethods as _, QueryDsl, SelectableHelper, dsl::update};
use diesel_async::RunQueryDsl; use diesel_async::RunQueryDsl;

8
server/crates/arbiter-server/tests/user_agent/auth.rs
View File

@@ -1,3 +1,5 @@
use arbiter_crypto::{authn::{self, format_challenge, USERAGENT_CONTEXT}, safecell::{SafeCell, SafeCellHandle as _}};
use arbiter_proto::transport::{Receiver, Sender}; use arbiter_proto::transport::{Receiver, Sender};
use arbiter_server::{ use arbiter_server::{
actors::{ actors::{
@@ -6,10 +8,8 @@ use arbiter_server::{
keyholder::Bootstrap, keyholder::Bootstrap,
user_agent::{UserAgentConnection, UserAgentCredentials, auth}, user_agent::{UserAgentConnection, UserAgentCredentials, auth},
}, },
crypto::authn,
crypto::integrity, crypto::integrity,
db::{self, schema}, db::{self, schema},
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use diesel::{ExpressionMethods as _, QueryDsl, insert_into}; use diesel::{ExpressionMethods as _, QueryDsl, insert_into};
use diesel_async::RunQueryDsl; use diesel_async::RunQueryDsl;
@@ -22,9 +22,9 @@ fn sign_useragent_challenge(
nonce: i32, nonce: i32,
pubkey_bytes: &[u8], pubkey_bytes: &[u8],
) -> authn::Signature { ) -> authn::Signature {
let challenge = arbiter_proto::format_challenge(nonce, pubkey_bytes); let challenge = format_challenge(nonce, pubkey_bytes);
key.signing_key() key.signing_key()
.sign_deterministic(&challenge, arbiter_proto::USERAGENT_CONTEXT) .sign_deterministic(&challenge, USERAGENT_CONTEXT)
.unwrap() .unwrap()
.into() .into()
} }

4
server/crates/arbiter-server/tests/user_agent/unseal.rs
View File

@@ -8,8 +8,10 @@ use arbiter_server::{
}, },
}, },
db, db,
safe_cell::{SafeCell, SafeCellHandle as _},
}; };
use arbiter_crypto::{authn::{self, format_challenge, CLIENT_CONTEXT}, safecell::{SafeCell, SafeCellHandle as _}};
use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit}; use chacha20poly1305::{AeadInPlace, XChaCha20Poly1305, XNonce, aead::KeyInit};
use diesel::{ExpressionMethods as _, QueryDsl as _, insert_into}; use diesel::{ExpressionMethods as _, QueryDsl as _, insert_into};
use diesel_async::RunQueryDsl; use diesel_async::RunQueryDsl;