Ianleeclark / Paseto

An Elixir implementation of Paseto (Platform-Agnostic Security Tokens)

Remove libsodium #86

Open sgessa opened 4 months ago

sgessa commented 4 months ago

This PR removes the libsalty library because it is outdated and no longer maintained. libsalty was used for the XChaCha20Poly1305 and Ed25519 crypto functions, which are now implemented using Erlang's native crypto functions. I also fixed an issue where V2.sign/3 expected a keypair (a binary composed of private + public key) of 64 bytes in length in order to work. Only the secret key is needed for signing, and it must be 32 bytes.
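The key-length point made in the description above, as an added example that is not part of this PR or of the Paseto library: it signs with Erlang's `:crypto` Ed25519 functions using only the 32-byte seed (the key from the v2-S-1 test vector quoted later in this thread), derives the public key from that seed, and shows how a 64-byte libsodium-style secret key (seed followed by public key) can still be accepted by cross-checking its public half rather than being silently truncated or rejected with a FunctionClauseError. The module and function names are hypothetical, and it assumes OTP 24 or newer.

```elixir
# Added example (not code from the Paseto project): why a 32-byte Ed25519
# seed is all that signing needs, and how a 64-byte libsodium-style secret
# key (seed || public key) can be accepted safely. Names are hypothetical.
defmodule Ed25519KeyCompat do
  @seed_size 32
  @keypair_size 64

  # Normalise a secret key to the 32-byte seed that :crypto expects.
  # A 64-byte input is treated as seed || public key; the trailing public
  # key is compared with the one derived from the seed so that a corrupted
  # or mis-concatenated keypair is rejected instead of being used.
  def normalize_secret_key(<<seed::binary-size(@seed_size)>>), do: {:ok, seed}

  def normalize_secret_key(<<seed::binary-size(@seed_size), pk::binary-size(@seed_size)>>) do
    if public_key(seed) == pk,
      do: {:ok, seed},
      else: {:error, "public half of the 64-byte key does not match its seed"}
  end

  def normalize_secret_key(other) when is_binary(other) do
    {:error,
     "expected a #{@seed_size}- or #{@keypair_size}-byte Ed25519 secret key, got #{byte_size(other)} bytes"}
  end

  # Derive the Ed25519 public key from a 32-byte seed.
  def public_key(seed) when byte_size(seed) == @seed_size do
    {pk, _priv} = :crypto.generate_key(:eddsa, :ed25519, seed)
    pk
  end

  # Pure Ed25519 (no pre-hash), so the digest type is :none.
  def sign(message, secret_key) do
    with {:ok, seed} <- normalize_secret_key(secret_key) do
      {:ok, :crypto.sign(:eddsa, :none, message, [seed, :ed25519])}
    end
  end

  def verify(message, signature, public_key) do
    :crypto.verify(:eddsa, :none, message, signature, [public_key, :ed25519])
  end
end

# Key material taken from the v2-S-1 test vector quoted in this PR.
seed =
  Base.decode16!("b4cbfb43df4ce210727d953e4a713307fa19bb7d9f85041438d9e11b942a3774", case: :lower)

pk =
  Base.decode16!("1eb9dbbbbc047c03fd70604e0071f0987e16b28b757225c11f00415d0e20b1a2", case: :lower)

# The public key in the fixture is exactly what the seed derives to.
true = Ed25519KeyCompat.public_key(seed) == pk

# Signing with the 32-byte seed and with the 64-byte seed||pk form gives the
# same (deterministic) Ed25519 signature.
{:ok, sig} = Ed25519KeyCompat.sign("Test Message", seed)
{:ok, ^sig} = Ed25519KeyCompat.sign("Test Message", seed <> pk)
true = Ed25519KeyCompat.verify("Test Message", sig, pk)
false = Ed25519KeyCompat.verify("Test Messagf", sig, pk)

# A 64-byte key whose public half does not belong to the seed is refused.
{:error, _reason} = Ed25519KeyCompat.sign("Test Message", seed <> :binary.copy(<<0>>, 32))

# Any other length is an explicit error rather than a FunctionClauseError.
{:error, _reason} = Ed25519KeyCompat.sign("Test Message", :binary.copy(<<1>>, 48))
IO.puts("ok")
```

Checking the public half before accepting the 64-byte form costs one key derivation per call; if that matters on a hot path, the check can be done once where keys are loaded and only the 32-byte seed kept afterwards.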

Ianleeclark commented 3 months ago

Sorry for the delay, but I'll take a look at this before the end of the weekend and thank you again for the contribution!

-------- Original Message -------- On 24.05.24 at 14:36, Stefano Gessa wrote:

@sgessa commented on this pull request.

@Ianleeclark (https://github.com/Ianleeclark) can you take a look? What do you think?

PS: should I bump the Elixir version too?


In lib/paseto/v2.ex:

   iex> Paseto.V2.sign("Test Message", sk)

"v2.public.VGVzdAJxQsXSrgYBkcwiOnWamiattqhhhNN_1jsY-LR_YbsoYpZ18-ogVSxWv7d8DlqzLSz9csqNtSzDk4y0JV5xaAE" """ @spec sign(String.t(), String.t(), String.t()) :: String.t() | {:error, String.t()}

  • def sign(data, secret_key, footer \ "") when byte_size(secret_key) == 64 do
  • def sign(data, secret_key, footer \ "") when byte_size(secret_key) == 32 do
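Review bot: tightening the guard from 64 to 32 bytes means a caller that still passes the libsodium-style 64-byte secret key (seed followed by public key) now gets a FunctionClauseError from `sign/3` instead of an explicit error, and the `Paseto.V2.sign("Test Message", sk)` doc example above the clause does not say what length `sk` must now be. Suggest stating the 32-byte requirement in the docstring, adding either a clause that accepts the 64-byte form by taking its first 32 bytes after checking the public half, or a fallback clause returning `{:error, ...}` for other lengths, and flagging the change as breaking in the changelog.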

each key in Ed25519 is 32 bytes


In test/fixtures/test_vectors/v2_public.exs:

@@ -3,17 +3,15 @@ vector: "v2-S-1", token: "v2.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIiwiZXhwIjoiMjAxOS0wMS0wMVQwMDowMDowMCswMDowMCJ9HQr8URrGntTu7Dz9J2IF23d1M7-9lH9xiqdGyJNvzp4angPW5Esc7C5huy_M8I8_DjJK2ZXC2SUYuOFM-Q_5Cw",

  • private_key:
  • "b4cbfb43 df4ce210 727d953e 4a713307 fa19bb7d 9f850414 38d9e11b 942a3774 1eb9dbbb bc047c03 fd70604e 0071f098 7e16b28b 757225c1 1f00415d 0e20b1a2",
  • private_key: "b4cbfb43 df4ce210 727d953e 4a713307 fa19bb7d 9f850414 38d9e11b 942a3774",
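Review bot: the half being dropped from `private_key` is exactly the `public_key` value that follows in this fixture, so the data stays self-consistent, but the upstream PASETO vectors publish the 64-byte form; consider a test that derives the public key from the 32-byte seed and asserts it equals the `public_key` fixture, so the trimmed vector can still be checked against the upstream ones.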

removing the public key since it's not needed


In test/fixtures/test_vectors/v2_public.exs:

 public_key: "1eb9dbbb bc047c03 fd70604e 0071f098 7e16b28b 757225c1 1f00415d 0e20b1a2",

payload: ~s({"data":"this is a signed message","exp":"2019-01-01T00:00:00+00:00"}) ], [ vector: "v2-S-2", token: "v2.public.eyJkYXRhIjoidGhpcyBpcyBhIHNpZ25lZCBtZXNzYWdlIiwiZXhwIjoiMjAxOS0wMS0wMVQwMDowMDowMCswMDowMCJ9flsZsx_gYCR0N_Ec2QxJFFpvQAs7h9HtKwbVK2n1MJ3Rz-hwe8KUqjnd8FAnIJZ601tp7lGkguU63oGbomhoBw.eyJraWQiOiJ6VmhNaVBCUDlmUmYyc25FY1Q3Z0ZUaW9lQTlDT2NOeTlEZmdMMVc2MGhhTiJ9",

  • private_key:
  • "b4cbfb43 df4ce210 727d953e 4a713307 fa19bb7d 9f850414 38d9e11b 942a3774 1eb9dbbb bc047c03 fd70604e 0071f098 7e16b28b 757225c1 1f00415d 0e20b1a2",
  • private_key: "b4cbfb43 df4ce210 727d953e 4a713307 fa19bb7d 9f850414 38d9e11b 942a3774",
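Review bot: v2-S-2 uses the same 32-byte seed as v2-S-1 just above; keeping the hex in one shared constant would keep the truncation in a single place and make any future key change a one-line edit.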

removing the public key since it's not needed


Ianleeclark commented 3 months ago

Unfortunately I'm going to have to reject this as it increases the maintenance burden and quite frankly I'm stuffed to the gills at the moment.

Should things ease up, I'll leave this open and reassure