Add two new public methods to the User operations:
device_sign_data
device_verify_data
device_sign_data takes a borrowed reference to an array of bytes to sign. It should append a byte string containing the current device public signing key (base64 encoded), the current date-time (RFC3339 format), and the provided user ID, then use the current device's private signing key to generate the ed25519 signature (as a base64 encoded string) and return the byte string with the signing key, date-time, provided user ID, and signature.
device_verify_data takes a borrowed reference to an array of bytes to verify and another borrowed reference to a string containing the public signing key, date-time, and provided user ID, followed by the signature. It should extract the public key, pull off the signature, and validate the signature using the public key. Returns a boolean.
We need to verify that the key that was passed in was for a specific provided user as well. (Can make expected UID optional.) This might need a new endpoint to look up the user's signing key in the ironcore service.
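An added sketch of the envelope and of the user-binding check from the last paragraph, not code from the project; it is written in Go with only the standard library so it runs stand-alone. The newline-separated field layout, the names `sign`, `verify` and `demo`, and the `isUserKey` callback (standing in for the proposed key-lookup endpoint) are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// sign returns "pubkey_b64\nRFC3339\nuserID\nsig_b64" (assumed layout); the signature covers data+metadata.
func sign(priv ed25519.PrivateKey, data []byte, uid string, now time.Time) string {
	pub := base64.StdEncoding.EncodeToString(priv.Public().(ed25519.PublicKey))
	meta := pub + "\n" + now.UTC().Format(time.RFC3339) + "\n" + uid
	sig := ed25519.Sign(priv, append(append([]byte{}, data...), meta...))
	return meta + "\n" + base64.StdEncoding.EncodeToString(sig)
}

// verify checks the signature with the embedded key, then requires that key to be
// registered for wantUID. isUserKey is a hypothetical stand-in for the service lookup.
func verify(data []byte, env, wantUID string, isUserKey func(string, ed25519.PublicKey) bool) bool {
	p := strings.Split(env, "\n")
	if len(p) != 4 || p[2] != wantUID {
		return false
	}
	pub, e1 := base64.StdEncoding.DecodeString(p[0])
	sig, e2 := base64.StdEncoding.DecodeString(p[3])
	_, e3 := time.Parse(time.RFC3339, p[1])
	if e1 != nil || e2 != nil || e3 != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	signed := append(append([]byte{}, data...), strings.Join(p[:3], "\n")...)
	return ed25519.Verify(pub, signed, sig) && isUserKey(wantUID, pub)
}

// demo uses constructed keys: alice is registered, mallory signs while claiming to be alice.
func demo() (genuine, impostor, tampered bool) {
	alice := ed25519.NewKeyFromSeed([]byte(strings.Repeat("A", ed25519.SeedSize)))
	mallory := ed25519.NewKeyFromSeed([]byte(strings.Repeat("M", ed25519.SeedSize)))
	dir := func(uid string, k ed25519.PublicKey) bool { return uid == "alice" && alice.Public().(ed25519.PublicKey).Equal(k) }
	now, msg := time.Unix(1700000000, 0), []byte("hello")
	return verify(msg, sign(alice, msg, "alice", now), "alice", dir),
		verify(msg, sign(mallory, msg, "alice", now), "alice", dir),
		verify([]byte("hellp"), sign(alice, msg, "alice", now), "alice", dir)
}

func main() { fmt.Println(demo()) }
```

The impostor envelope carries a mathematically valid signature under its own embedded key, so it is rejected only by the `isUserKey` lookup. The timestamp is parsed but not checked against a freshness window here.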