wip

Author: Mr-Leshiy

rust/signed_doc/Cargo.toml

@@ -11,15 +11,14 @@ license.workspace = true
 workspace = true
 
 [dependencies]
-rbac-registration = { version = "0.0.2", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250128-01" }
 catalyst-types = { version = "0.0.1", git = "https://github.com/input-output-hk/catalyst-libs.git", tag = "r20250204-00" }
 anyhow = "1.0.95"
 serde = { version = "1.0.217", features = ["derive"] }
 serde_json = "1.0.134"
 coset = "0.3.8"
 minicbor = { version = "0.25.1", features = ["half"] }
 brotli = "7.0.0"
-ed25519-dalek = { version = "2.1.1", features = ["pem", "rand_core"] }
+ed25519-dalek = { version = "2.1.1" }
 hex = "0.4.3"
 strum = { version = "0.26.3", features = ["derive"] }
 clap = { version = "4.5.23",  features = ["derive", "env"] }
@@ -30,6 +29,7 @@ jsonpath-rust = "0.7.5"
 [dev-dependencies]
 base64-url = "3.0.0"
 rand = "0.8.5"
+tokio = "1.42.0"
 
 
 [[bin]]

rust/signed_doc/examples/mk_signed_doc.rs

@@ -8,9 +8,9 @@ use std::{
     path::PathBuf,
 };
 
-use catalyst_signed_doc::{Builder, CatalystSignedDocument, IdUri, Metadata, SimplePublicKeyType};
+use catalyst_signed_doc::{Builder, CatalystSignedDocument, IdUri, Metadata};
 use clap::Parser;
-use ed25519_dalek::pkcs8::{DecodePrivateKey, DecodePublicKey};
+use ed25519_dalek::pkcs8::DecodePrivateKey;
 
 fn main() {
     if let Err(err) = Cli::parse().exec() {
@@ -51,16 +51,6 @@ enum Cli {
         /// Hex-formatted COSE SIGN Bytes
         cose_sign_hex: String,
     },
-    /// Validates a signature by Key ID and verifying key
-    Verify {
-        /// Path to the formed (could be empty, without any signatures) COSE document
-        /// This exact file would be modified and new signature would be added
-        path: PathBuf,
-        /// Path to the verifying key in PEM format
-        pk: PathBuf,
-        /// Signer kid
-        kid: IdUri,
-    },
 }
 
 impl Cli {
@@ -99,22 +89,6 @@ impl Cli {
                 let cose_bytes = hex::decode(&cose_sign_hex)?;
                 inspect_signed_doc(&cose_bytes)?;
             },
-            Self::Verify { path, pk, kid } => {
-                let pk = load_public_key_from_file(&pk)
-                    .map_err(|e| anyhow::anyhow!("Failed to load PK FILE {pk:?}: {e}"))?;
-                let cose_bytes = read_bytes_from_file(&path)?;
-                let signed_doc = signed_doc_from_bytes(cose_bytes.as_slice())?;
-                signed_doc
-                    .verify(|k| {
-                        if k.to_string() == kid.to_string() {
-                            SimplePublicKeyType::Ed25519(pk)
-                        } else {
-                            SimplePublicKeyType::Undefined
-                        }
-                    })
-                    .map_err(|e| anyhow::anyhow!("Catalyst Document Verification failed: {e}"))?;
-                println!("Catalyst Signed Document is Verified.");
-            },
         }
         println!("Done");
         Ok(())
@@ -171,9 +145,3 @@ fn load_secret_key_from_file(sk_path: &PathBuf) -> anyhow::Result<ed25519_dalek:
     let sk = ed25519_dalek::SigningKey::from_pkcs8_pem(&sk_str)?;
     Ok(sk)
 }
-
-fn load_public_key_from_file(pk_path: &PathBuf) -> anyhow::Result<ed25519_dalek::VerifyingKey> {
-    let pk_str = read_to_string(pk_path)?;
-    let pk = ed25519_dalek::VerifyingKey::from_public_key_pem(&pk_str)?;
-    Ok(pk)
-}

rust/signed_doc/src/lib.rs

@@ -12,6 +12,7 @@ pub mod validator;
 use std::{
     convert::TryFrom,
     fmt::{Display, Formatter},
+    future::Future,
     sync::Arc,
 };
 
@@ -20,11 +21,11 @@ use catalyst_types::problem_report::ProblemReport;
 pub use catalyst_types::uuid::{Uuid, UuidV4, UuidV7};
 pub use content::Content;
 use coset::{CborSerializable, Header};
+use ed25519_dalek::VerifyingKey;
 use error::CatalystSignedDocError;
 use metadata::{ContentEncoding, ContentType};
 pub use metadata::{DocumentRef, ExtraFields, Metadata};
 pub use minicbor::{decode, encode, Decode, Decoder, Encode, Encoder};
-pub use rbac_registration::cardano::cip509::SimplePublicKeyType;
 pub use signature::{IdUri, Signatures};
 use utils::context::DecodeSignDocCtx;
 
@@ -141,68 +142,62 @@ impl CatalystSignedDocument {
     /// # Errors
     ///
     /// Returns a report of verification failures and the source error.
-    #[allow(clippy::indexing_slicing)]
-    pub fn verify<P>(&self, pk_getter: P) -> Result<(), CatalystSignedDocError>
-    where P: Fn(&IdUri) -> SimplePublicKeyType {
-        let error_report = ProblemReport::new("Catalyst Signed Document Verification");
-
-        match self.as_cose_sign() {
-            Ok(cose_sign) => {
-                let signatures = self.signatures().cose_signatures();
-                for (idx, kid) in self.kids().iter().enumerate() {
-                    match pk_getter(kid) {
-                        SimplePublicKeyType::Ed25519(pk) => {
-                            let signature = &signatures[idx];
-                            let tbs_data = cose_sign.tbs_data(&[], signature);
-                            match signature.signature.as_slice().try_into() {
-                                Ok(signature_bytes) => {
-                                    let signature =
-                                        ed25519_dalek::Signature::from_bytes(signature_bytes);
-                                    if let Err(e) = pk.verify_strict(&tbs_data, &signature) {
-                                        error_report.functional_validation(
-                                            &format!(
-                                                "Verification failed for signature with Key ID {kid}: {e}"
-                                            ),
-                                            "During signature validation with verifying key",
-                                        );
-                                    }
-                                },
-                                Err(_) => {
-                                    error_report.invalid_value(
-                                        "cose signature",
-                                        &format!("{}", signature.signature.len()),
-                                        &format!("must be {}", ed25519_dalek::Signature::BYTE_SIZE),
-                                        "During encoding cose signature to bytes",
-                                    );
-                                },
+    pub async fn verify<P, T>(&self, pk_getter: P) -> Result<(), CatalystSignedDocError>
+    where
+        P: Fn(&IdUri) -> T,
+        T: Future<Output = Option<VerifyingKey>>,
+    {
+        let report = ProblemReport::new("Catalyst Signed Document Verification");
+
+        let cose_sign = match self.as_cose_sign() {
+            Ok(cose_sign) => cose_sign,
+            Err(e) => {
+                report.other(
+                    "Cannot build a COSE sign object",
+                    "During encoding signed document as COSE SIGN",
+                );
+                return Err(CatalystSignedDocError::new(report, e));
+            },
+        };
+
+        for (signature, kid) in self.signatures().cose_signatures_with_kids() {
+            match pk_getter(kid).await {
+                Some(pk) => {
+                    let tbs_data = cose_sign.tbs_data(&[], signature);
+                    match signature.signature.as_slice().try_into() {
+                        Ok(signature_bytes) => {
+                            let signature = ed25519_dalek::Signature::from_bytes(signature_bytes);
+                            if let Err(e) = pk.verify_strict(&tbs_data, &signature) {
+                                report.functional_validation(
+                                    &format!(
+                                        "Verification failed for signature with Key ID {kid}: {e}"
+                                    ),
+                                    "During signature validation with verifying key",
+                                );
                             }
                         },
-                        SimplePublicKeyType::Deleted => {
-                            error_report.other(
-                                &format!("Public key for {kid} has been deleted."),
-                                "During public key extraction",
-                            );
-                        },
-                        SimplePublicKeyType::Undefined => {
-                            error_report.other(
-                                &format!("Public key for {kid} is undefined."),
-                                "During public key extraction",
+                        Err(_) => {
+                            report.invalid_value(
+                                "cose signature",
+                                &format!("{}", signature.signature.len()),
+                                &format!("must be {}", ed25519_dalek::Signature::BYTE_SIZE),
+                                "During encoding cose signature to bytes",
                             );
                         },
                     }
-                }
-            },
-            Err(e) => {
-                error_report.other(
-                    &format!("{e}"),
-                    "During encoding signed document as COSE SIGN",
-                );
-            },
+                },
+                None => {
+                    report.other(
+                        &format!("Missing public key for {kid}."),
+                        "During public key extraction",
+                    );
+                },
+            }
         }
 
-        if error_report.is_problematic() {
+        if report.is_problematic() {
             return Err(CatalystSignedDocError::new(
-                error_report,
+                report,
                 anyhow::anyhow!("Verification failed for Catalyst Signed Document"),
             ));
         }
@@ -222,10 +217,17 @@ impl CatalystSignedDocument {
 
     /// Convert Catalyst Signed Document into `coset::CoseSign`
     fn as_cose_sign(&self) -> anyhow::Result<coset::CoseSign> {
-        let mut cose_bytes: Vec<u8> = Vec::new();
-        minicbor::encode(self, &mut cose_bytes)?;
-        coset::CoseSign::from_slice(&cose_bytes)
-            .map_err(|e| anyhow::anyhow!("encoding as COSE SIGN failed: {e}"))
+        let protected_header = Header::try_from(&self.inner.metadata)
+            .map_err(|e| anyhow::anyhow!("Failed to encode Document Metadata: {e}"))?;
+
+        let mut builder = coset::CoseSignBuilder::new()
+            .protected(protected_header)
+            .payload(self.inner.content.encoded_bytes()?);
+
+        for signature in self.signatures().cose_signatures() {
+            builder = builder.add_signature(signature);
+        }
+        Ok(builder.build())
     }
 }
 
@@ -335,24 +337,7 @@ impl Encode<()> for CatalystSignedDocument {
     fn encode<W: minicbor::encode::Write>(
         &self, e: &mut encode::Encoder<W>, _ctx: &mut (),
     ) -> Result<(), encode::Error<W::Error>> {
-        let protected_header = Header::try_from(&self.inner.metadata).map_err(|e| {
-            minicbor::encode::Error::message(format!("Failed to encode Document Metadata: {e}"))
-        })?;
-
-        let mut builder = coset::CoseSignBuilder::new()
-            .protected(protected_header)
-            .payload(
-                self.inner
-                    .content
-                    .encoded_bytes()
-                    .map_err(encode::Error::message)?,
-            );
-
-        for signature in self.signatures().cose_signatures() {
-            builder = builder.add_signature(signature);
-        }
-
-        let cose_sign = builder.build();
+        let cose_sign = self.as_cose_sign().map_err(encode::Error::message)?;
 
         let cose_bytes = cose_sign.to_vec().map_err(|e| {
             minicbor::encode::Error::message(format!("Failed to encode COSE Sign document: {e}"))
@@ -423,8 +408,8 @@ mod tests {
         assert_eq!(decoded.doc_meta(), metadata.extra());
     }
 
-    #[test]
-    fn signature_verification_test() {
+    #[tokio::test]
+    async fn signature_verification_test() {
         let mut csprng = OsRng;
         let sk: SigningKey = SigningKey::generate(&mut csprng);
         let content = serde_json::to_vec(&serde_json::Value::Null).unwrap();
@@ -445,16 +430,8 @@ mod tests {
             .build()
             .unwrap();
 
-        assert!(signed_doc
-            .verify(|_| { SimplePublicKeyType::Ed25519(pk) })
-            .is_ok());
-
-        assert!(signed_doc
-            .verify(|_| { SimplePublicKeyType::Undefined })
-            .is_err());
+        assert!(signed_doc.verify(|_| async { Some(pk) }).await.is_ok());
 
-        assert!(signed_doc
-            .verify(|_| { SimplePublicKeyType::Deleted })
-            .is_err());
+        assert!(signed_doc.verify(|_| async { None }).await.is_err());
     }
 }

rust/signed_doc/src/signature/mod.rs

@@ -19,32 +19,32 @@ pub struct Signature {
 pub struct Signatures(Vec<Signature>);
 
 impl Signatures {
-    /// Creates an empty signatures list.
-    #[must_use]
-    pub fn new() -> Self {
-        Self(Vec::new())
-    }
-
     /// Return a list of author IDs (short form of Catalyst IDs).
     #[must_use]
-    pub fn authors(&self) -> Vec<IdUri> {
+    pub(crate) fn authors(&self) -> Vec<IdUri> {
         self.kids().into_iter().map(|k| k.as_short_id()).collect()
     }
 
     /// Return a list of Document's Catalyst IDs.
     #[must_use]
-    pub fn kids(&self) -> Vec<IdUri> {
+    pub(crate) fn kids(&self) -> Vec<IdUri> {
         self.0.iter().map(|sig| sig.kid.clone()).collect()
     }
 
-    /// List of signatures.
-    #[must_use]
-    pub fn cose_signatures(&self) -> Vec<CoseSignature> {
-        self.0.iter().map(|sig| sig.signature.clone()).collect()
+    /// Iterator of COSE signatures object with kids.
+    pub(crate) fn cose_signatures_with_kids(
+        &self,
+    ) -> impl Iterator<Item = (&CoseSignature, &IdUri)> + use<'_> {
+        self.0.iter().map(|sig| (&sig.signature, &sig.kid))
+    }
+
+    /// List of COSE signatures object.
+    pub(crate) fn cose_signatures(&self) -> impl Iterator<Item = CoseSignature> + use<'_> {
+        self.0.iter().map(|sig| sig.signature.clone())
     }
 
     /// Add a new signature
-    pub fn push(&mut self, kid: IdUri, signature: CoseSignature) {
+    pub(crate) fn push(&mut self, kid: IdUri, signature: CoseSignature) {
         self.0.push(Signature { kid, signature });
     }
 

rust/signed_doc/src/validator/mod.rs

@@ -16,7 +16,7 @@ pub trait ValidationDataProvider {
     /// Get public keys
     fn get_public_key(&self, kid: &IdUri) -> Option<SimplePublicKeyType>;
     /// Get signed document by document reference
-    fn get_doc_ref(&self, doc_ref: &DocumentRef) -> Option<CatalystSignedDocument>;
+    fn get_doc(&self, doc_ref: &DocumentRef) -> Option<CatalystSignedDocument>;
 }
 
 /// Stateless validation function rule type
@@ -59,7 +59,7 @@ where Self: 'static
 ///
 /// Returns a report of validation failures and the source error.
 pub fn validate(
-    doc: &CatalystSignedDocument, provider: &impl ValidationDataProvider,
+    doc: &CatalystSignedDocument, doc_provider: &impl ValidationDataProvider,
 ) -> Result<(), CatalystSignedDocError> {
     let report = ProblemReport::new("Catalyst Signed Document Validation");
 
@@ -83,13 +83,13 @@ pub fn validate(
     match doc_type {
         DocumentType::ProposalDocument => {
             if let Ok(proposal_doc) = ProposalDocument::from_signed_doc(doc, &report) {
-                proposal_doc.statefull_validation(provider, &report);
+                proposal_doc.statefull_validation(doc_provider, &report);
             }
         },
         DocumentType::ProposalTemplate => {},
         DocumentType::CommentDocument => {
             if let Ok(comment_doc) = CommentDocument::from_signed_doc(doc, &report) {
-                comment_doc.statefull_validation(provider, &report);
+                comment_doc.statefull_validation(doc_provider, &report);
             }
         },
         DocumentType::CommentTemplate => {},

rust/signed_doc/src/validator/utils.rs

@@ -11,7 +11,7 @@ pub(crate) fn validate_provided_doc(
     doc_ref: &DocumentRef, doc_name: &str, provider: &dyn ValidationDataProvider,
     report: &ProblemReport, validator: impl Fn(CatalystSignedDocument) -> bool,
 ) -> bool {
-    if let Some(doc) = provider.get_doc_ref(doc_ref) {
+    if let Some(doc) = provider.get_doc(doc_ref) {
         validator(doc)
     } else {
         report.functional_validation(