fix(rust/signed-doc): use rbac-registration type for public key and algorithm verification

saibatizoku · saibatizoku · commit 2cc67e17e639 · 2025-02-02T22:38:34.000-06:00
diff --git a/rust/signed_doc/Cargo.toml b/rust/signed_doc/Cargo.toml
@@ -11,6 +11,7 @@ license.workspace = true
 workspace = true
 
 [dependencies]
+rbac-registration = { version = "0.0.2", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250128-01" }
 catalyst-types = { version = "0.0.1", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250128-01" }
 anyhow = "1.0.95"
 serde = { version = "1.0.217", features = ["derive"] }
diff --git a/rust/signed_doc/examples/mk_signed_doc.rs b/rust/signed_doc/examples/mk_signed_doc.rs
@@ -8,7 +8,7 @@ use std::{
     path::PathBuf,
 };
 
-use catalyst_signed_doc::{Builder, CatalystSignedDocument, IdUri, Metadata};
+use catalyst_signed_doc::{Builder, CatalystSignedDocument, IdUri, Metadata, SimplePublicKeyType};
 use clap::Parser;
 use ed25519_dalek::pkcs8::{DecodePrivateKey, DecodePublicKey};
 
@@ -107,9 +107,9 @@ impl Cli {
                 signed_doc
                     .verify(|k| {
                         if k.to_string() == kid.to_string() {
-                            pk
+                            SimplePublicKeyType::Ed25519(pk)
                         } else {
-                            k.role0_pk()
+                            SimplePublicKeyType::Undefined
                         }
                     })
                     .map_err(|e| anyhow::anyhow!("Catalyst Document Verification failed: {e}"))?;
diff --git a/rust/signed_doc/src/lib.rs b/rust/signed_doc/src/lib.rs
@@ -17,10 +17,10 @@ pub use builder::Builder;
 use catalyst_types::problem_report::ProblemReport;
 pub use content::Content;
 use coset::{CborSerializable, Header};
-use ed25519_dalek::VerifyingKey;
 use error::CatalystSignedDocError;
 pub use metadata::{DocumentRef, ExtraFields, Metadata, UuidV4, UuidV7};
 pub use minicbor::{decode, encode, Decode, Decoder, Encode};
+pub use rbac_registration::cardano::cip509::SimplePublicKeyType;
 pub use signature::{IdUri, Signatures};
 use utils::context::DecodeSignDocCtx;
 
@@ -131,34 +131,50 @@ impl CatalystSignedDocument {
     /// Returns a report of verification failures and the source error.
     #[allow(clippy::indexing_slicing)]
     pub fn verify<P>(&self, pk_getter: P) -> Result<(), CatalystSignedDocError>
-    where P: Fn(&IdUri) -> VerifyingKey {
+    where P: Fn(&IdUri) -> SimplePublicKeyType {
         let error_report = ProblemReport::new("Catalyst Signed Document Verification");
 
         match self.as_cose_sign() {
             Ok(cose_sign) => {
                 let signatures = self.signatures().cose_signatures();
                 for (idx, kid) in self.signatures().kids().iter().enumerate() {
-                    let pk = pk_getter(kid);
-                    let signature = &signatures[idx];
-                    let tbs_data = cose_sign.tbs_data(&[], signature);
-                    match signature.signature.as_slice().try_into() {
-                        Ok(signature_bytes) => {
-                            let signature = ed25519_dalek::Signature::from_bytes(signature_bytes);
-                            if let Err(e) = pk.verify_strict(&tbs_data, &signature) {
-                                error_report.functional_validation(
-                                    &format!(
-                                        "Verification failed for signature with Key ID {kid}: {e}"
-                                    ),
-                                    "During signature validation with verifying key",
-                                );
+                    match pk_getter(kid) {
+                        SimplePublicKeyType::Ed25519(pk) => {
+                            let signature = &signatures[idx];
+                            let tbs_data = cose_sign.tbs_data(&[], signature);
+                            match signature.signature.as_slice().try_into() {
+                                Ok(signature_bytes) => {
+                                    let signature =
+                                        ed25519_dalek::Signature::from_bytes(signature_bytes);
+                                    if let Err(e) = pk.verify_strict(&tbs_data, &signature) {
+                                        error_report.functional_validation(
+                                            &format!(
+                                                "Verification failed for signature with Key ID {kid}: {e}"
+                                            ),
+                                            "During signature validation with verifying key",
+                                        );
+                                    }
+                                },
+                                Err(_) => {
+                                    error_report.invalid_value(
+                                        "cose signature",
+                                        &format!("{}", signature.signature.len()),
+                                        &format!("must be {}", ed25519_dalek::Signature::BYTE_SIZE),
+                                        "During encoding cose signature to bytes",
+                                    );
+                                },
                             }
                         },
-                        Err(_) => {
-                            error_report.invalid_value(
-                                "cose signature",
-                                &format!("{}", signature.signature.len()),
-                                &format!("must be {}", ed25519_dalek::Signature::BYTE_SIZE),
-                                "During encoding cose signature to bytes",
+                        SimplePublicKeyType::Deleted => {
+                            error_report.other(
+                                &format!("Public key for {kid} has been deleted."),
+                                "During public key extraction",
+                            );
+                        },
+                        SimplePublicKeyType::Undefined => {
+                            error_report.other(
+                                &format!("Public key for {kid} is undefined."),
+                                "During public key extraction",
                             );
                         },
                     }
@@ -417,6 +433,8 @@ mod tests {
             .build()
             .unwrap();
 
-        assert!(signed_doc.verify(|_| { pk }).is_ok());
+        assert!(signed_doc
+            .verify(|_| { SimplePublicKeyType::Ed25519(pk) })
+            .is_ok());
     }
 }
