3rd party: verify third party signatures

divarvel · divarvel · commit 15aac87016a8 · 2022-06-16T01:08:03.000+02:00
diff --git a/biscuit.go b/biscuit.go
@@ -290,6 +290,7 @@ func (b *Biscuit) Authorizer(root ed25519.PublicKey) (Authorizer, error) {
 	}
 
 	currentKey = b.container.Authority.NextKey.Key
+	currentAlgorithm := b.container.Authority.NextKey.Algorithm
 	if len(currentKey) != 32 {
 		return nil, ErrInvalidKeySize
 	}
@@ -308,7 +309,26 @@ func (b *Biscuit) Authorizer(root ed25519.PublicKey) (Authorizer, error) {
 			return nil, ErrInvalidSignature
 		}
 
+		if block.ExternalSignature != nil {
+			// an external signature is present, we need to verify it
+			if *block.ExternalSignature.PublicKey.Algorithm != pb.PublicKey_Ed25519 {
+				return nil, UnsupportedAlgorithm
+			}
+
+			// the public key that's part of the signed block is the public key used to sign
+			// the previous block
+			algorithm := make([]byte, 4)
+			binary.LittleEndian.PutUint32(algorithm[0:], uint32(currentAlgorithm.Number()))
+			toVerify := append(block.Block[:], algorithm...)
+			toVerify = append(toVerify, currentKey[:]...)
+
+			if ok := ed25519.Verify(block.ExternalSignature.PublicKey.Key, toVerify, block.ExternalSignature.Signature); !ok {
+				return nil, ErrInvalidSignature
+			}
+		}
+
 		currentKey = block.NextKey.Key
+		currentAlgorithm = block.NextKey.Algorithm
 		if len(currentKey) != 32 {
 			return nil, ErrInvalidKeySize
 		}
