Merge pull request #124 from preuss-adam/apreuss/public-key-fixes

Updates to key accessors and fix proof algorithm type

Author: Korbik

src/main/java/org/eclipse/biscuit/token/Biscuit.java

@@ -128,20 +128,18 @@ private static Biscuit make(
       throw container.getLeft();
     } else {
       SerializedBiscuit s = container.get();
-      List<byte[]> revocationIds = s.revocationIdentifiers();
 
       Option<SerializedBiscuit> c = Option.some(s);
-      return new Biscuit(authority, blocks, authority.getSymbolTable(), s, revocationIds);
+      return new Biscuit(authority, blocks, authority.getSymbolTable(), s);
     }
   }
 
   Biscuit(
       Block authority,
       List<Block> blocks,
       SymbolTable symbolTable,
-      SerializedBiscuit serializedBiscuit,
-      List<byte[]> revocationIds) {
-    super(authority, blocks, symbolTable, serializedBiscuit, revocationIds);
+      SerializedBiscuit serializedBiscuit) {
+    super(authority, blocks, symbolTable, serializedBiscuit);
   }
 
   /**
@@ -268,9 +266,7 @@ static Biscuit fromSerializedBiscuit(SerializedBiscuit ser, SymbolTable symbolTa
     Block authority = t._1;
     ArrayList<Block> blocks = t._2;
 
-    List<byte[]> revocationIds = ser.revocationIdentifiers();
-
-    return new Biscuit(authority, blocks, symbolTable, ser, revocationIds);
+    return new Biscuit(authority, blocks, symbolTable, ser);
   }
 
   /**
@@ -365,9 +361,8 @@ public Biscuit attenuate(final SecureRandom rng, final KeyPair keypair, Block bl
     blocks.add(block);
 
     SerializedBiscuit container = containerRes.get();
-    List<byte[]> revocationIds = container.revocationIdentifiers();
 
-    return new Biscuit(copiedBiscuit.authority, blocks, symbolTable, container, revocationIds);
+    return new Biscuit(copiedBiscuit.authority, blocks, symbolTable, container);
   }
 
   /** Generates a third party block request from a token */

src/main/java/org/eclipse/biscuit/token/UnverifiedBiscuit.java

@@ -17,6 +17,7 @@
 import java.util.Base64;
 import java.util.List;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import org.eclipse.biscuit.crypto.BlockSignatureBuffer;
 import org.eclipse.biscuit.crypto.KeyDelegate;
 import org.eclipse.biscuit.crypto.KeyPair;
@@ -36,19 +37,16 @@ public class UnverifiedBiscuit {
   protected final List<Block> blocks;
   protected final SymbolTable symbolTable;
   protected final SerializedBiscuit serializedBiscuit;
-  protected final List<byte[]> revocationIds;
 
   UnverifiedBiscuit(
       Block authority,
       List<Block> blocks,
       SymbolTable symbolTable,
-      SerializedBiscuit serializedBiscuit,
-      List<byte[]> revocationIds) {
+      SerializedBiscuit serializedBiscuit) {
     this.authority = authority;
     this.blocks = blocks;
     this.symbolTable = symbolTable;
     this.serializedBiscuit = serializedBiscuit;
-    this.revocationIds = revocationIds;
   }
 
   /**
@@ -98,9 +96,7 @@ private static UnverifiedBiscuit fromSerializedBiscuit(
     Block authority = t._1;
     ArrayList<Block> blocks = t._2;
 
-    List<byte[]> revocationIds = ser.revocationIdentifiers();
-
-    return new UnverifiedBiscuit(authority, blocks, symbolTable, ser, revocationIds);
+    return new UnverifiedBiscuit(authority, blocks, symbolTable, ser);
   }
 
   /**
@@ -139,17 +135,15 @@ public org.eclipse.biscuit.token.builder.Block createBlock() {
    * @return
    */
   public UnverifiedBiscuit attenuate(
-          org.eclipse.biscuit.token.builder.Block block, Algorithm algorithm) throws Error {
+      org.eclipse.biscuit.token.builder.Block block, Algorithm algorithm) throws Error {
     SecureRandom rng = new SecureRandom();
     KeyPair keypair = KeyPair.generate(algorithm, rng);
     SymbolTable builderSymbols = new SymbolTable(this.symbolTable);
     return attenuate(rng, keypair, block.build(builderSymbols));
   }
 
   public UnverifiedBiscuit attenuate(
-      final SecureRandom rng,
-      final KeyPair keypair,
-      org.eclipse.biscuit.token.builder.Block block)
+      final SecureRandom rng, final KeyPair keypair, org.eclipse.biscuit.token.builder.Block block)
       throws Error {
     SymbolTable builderSymbols = new SymbolTable(this.symbolTable);
     return attenuate(rng, keypair, block.build(builderSymbols));
@@ -189,20 +183,25 @@ private UnverifiedBiscuit attenuate(final SecureRandom rng, final KeyPair keypai
     blocks.add(block);
     SerializedBiscuit container = containerRes.get();
 
-    List<byte[]> revocationIds = container.revocationIdentifiers();
-
-    return new UnverifiedBiscuit(
-        copiedBiscuit.authority, blocks, symbols, container, revocationIds);
+    return new UnverifiedBiscuit(copiedBiscuit.authority, blocks, symbols, container);
   }
 
   // FIXME: attenuate 3rd Party
 
   public List<RevocationIdentifier> revocationIdentifiers() {
-    return this.revocationIds.stream()
+    return this.serializedBiscuit.revocationIdentifiers().stream()
         .map(RevocationIdentifier::fromBytes)
         .collect(Collectors.toList());
   }
 
+  public List<Option<PublicKey>> externalPublicKeys() {
+    return Stream.<Option<PublicKey>>concat(
+            Stream.of(Option.none()),
+            this.serializedBiscuit.getBlocks().stream()
+                .map(b -> b.getExternalSignature().map(ExternalSignature::getKey)))
+        .collect(Collectors.toList());
+  }
+
   public List<List<Check>> getChecks() {
     ArrayList<List<Check>> l = new ArrayList<>();
     l.add(new ArrayList<>(this.authority.getChecks()));
@@ -237,6 +236,26 @@ public Option<Integer> getRootKeyId() {
     return this.serializedBiscuit.getRootKeyId();
   }
 
+  public int blockCount() {
+    return 1 + blocks.size();
+  }
+
+  public Option<PublicKey> blockExternalKey(int index) {
+    if (index == 0) {
+      return authority.getExternalKey();
+    } else {
+      return blocks.get(index - 1).getExternalKey();
+    }
+  }
+
+  public List<PublicKey> blockPublicKeys(int index) {
+    if (index == 0) {
+      return authority.getPublicKeys();
+    } else {
+      return blocks.get(index - 1).getPublicKeys();
+    }
+  }
+
   /** Generates a third party block request from a token */
   public ThirdPartyBlockRequest thirdPartyRequest() {
     PublicKey previousKey;
@@ -304,9 +323,7 @@ public UnverifiedBiscuit appendThirdPartyBlock(
     }
     blocks.add(block);
 
-    List<byte[]> revocationIds = container.revocationIdentifiers();
-    return new UnverifiedBiscuit(
-        copiedBiscuit.authority, blocks, symbols, container, revocationIds);
+    return new UnverifiedBiscuit(copiedBiscuit.authority, blocks, symbols, container);
   }
 
   /** Prints a token's content */

src/main/java/org/eclipse/biscuit/token/format/SerializedBiscuit.java

@@ -172,13 +172,18 @@ private static SerializedBiscuit deserialize(Schema.Biscuit data)
       throw new Error.FormatError.DeserializationError("invalid proof");
     }
 
-    final Proof proof =
-        data.getProof().hasFinalSignature()
-            ? new Proof.FinalSignature(data.getProof().getFinalSignature().toByteArray())
-            : new Proof.NextSecret(
-                KeyPair.generate(
-                    authority.getKey().getAlgorithm(),
-                    data.getProof().getNextSecret().toByteArray()));
+    final Proof proof;
+    if (data.getProof().hasFinalSignature()) {
+      proof = new Proof.FinalSignature(data.getProof().getFinalSignature().toByteArray());
+    } else {
+      final Schema.PublicKey.Algorithm proofAlgorithm =
+          blocks.isEmpty()
+              ? authority.getKey().getAlgorithm()
+              : blocks.get(blocks.size() - 1).getKey().getAlgorithm();
+      proof =
+          new Proof.NextSecret(
+              KeyPair.generate(proofAlgorithm, data.getProof().getNextSecret().toByteArray()));
+    }
 
     Option<Integer> rootKeyId =
         data.hasRootKeyId() ? Option.some(data.getRootKeyId()) : Option.none();

src/test/java/org/eclipse/biscuit/token/BiscuitTest.java

@@ -72,6 +72,7 @@ public void testBasic()
 
     System.out.println("deserializing the first token");
     Biscuit deser = Biscuit.fromBytes(data, root.getPublicKey());
+    assertEquals(1, deser.blockCount());
 
     System.out.println(deser.print());
 
@@ -105,6 +106,7 @@ public void testBasic()
 
     System.out.println("deserializing the second token");
     Biscuit deser2 = Biscuit.fromBytes(data2, root.getPublicKey());
+    assertEquals(2, deser2.blockCount());
 
     System.out.println(deser2.print());
 
@@ -135,6 +137,7 @@ public void testBasic()
 
     System.out.println("deserializing the third token");
     Biscuit finalToken = Biscuit.fromBytes(data3, root.getPublicKey());
+    assertEquals(3, finalToken.blockCount());
 
     System.out.println(finalToken.print());
 

src/test/java/org/eclipse/biscuit/token/ThirdPartyTest.java

@@ -8,13 +8,15 @@
 import static org.junit.jupiter.api.Assertions.assertEquals;
 
 import biscuit.format.schema.Schema;
+import io.vavr.control.Option;
 import java.io.IOException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.security.SignatureException;
 import java.time.Duration;
 import java.util.Arrays;
+import java.util.List;
 import org.eclipse.biscuit.crypto.KeyPair;
 import org.eclipse.biscuit.datalog.RunLimits;
 import org.eclipse.biscuit.error.Error;
@@ -66,6 +68,10 @@ public void testRoundTrip()
     byte[] data = b2.serialize();
     Biscuit deser = Biscuit.fromBytes(data, root.getPublicKey());
     assertEquals(b2.print(), deser.print());
+    assertEquals(
+        b2.externalPublicKeys(), List.of(Option.none(), Option.of(external.getPublicKey())));
+    assertEquals(Option.none(), b2.blockExternalKey(0));
+    assertEquals(Option.of(external.getPublicKey()), b2.blockExternalKey(1));
 
     System.out.println("will check the token for resource=file1");
     Authorizer authorizer = deser.authorizer();