Move verify_signature_json to new file and add test

Author: tulir

mautrix/crypto/base.py

@@ -5,26 +5,18 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 from __future__ import annotations
 
-from typing import Any, Awaitable, Callable, TypedDict
+from typing import Awaitable, Callable
 import asyncio
-import functools
-import json
-
-import olm
 
 from mautrix.errors import MForbidden, MNotFound
 from mautrix.types import (
-    DeviceID,
-    EncryptionKeyAlgorithm,
     EventType,
     IdentityKey,
-    KeyID,
     RequestedKeyInfo,
     RoomEncryptionStateEventContent,
     RoomID,
     RoomKeyEventContent,
     SessionID,
-    SigningKey,
     TrustState,
     UserID,
 )
@@ -34,11 +26,6 @@
 from .ssss import Machine as SSSSMachine
 
 
-class SignedObject(TypedDict):
-    signatures: dict[UserID, dict[str, str]]
-    unsigned: Any
-
-
 class BaseOlmMachine:
     client: cli.Client
     ssss: SSSSMachine
@@ -118,27 +105,3 @@ async def _fill_encryption_info(self, evt: RoomKeyEventContent) -> None:
             evt.beeper_max_age_ms = encryption_info.rotation_period_ms
         if not evt.beeper_max_messages:
             evt.beeper_max_messages = encryption_info.rotation_period_msgs
-
-
-canonical_json = functools.partial(
-    json.dumps, ensure_ascii=False, separators=(",", ":"), sort_keys=True
-)
-
-
-def verify_signature_json(
-    data: "SignedObject", user_id: UserID, key_name: DeviceID | str, key: SigningKey
-) -> bool:
-    data_copy = {**data}
-    data_copy.pop("unsigned", None)
-    signatures = data_copy.pop("signatures")
-    key_id = str(KeyID(EncryptionKeyAlgorithm.ED25519, key_name))
-    try:
-        signature = signatures[user_id][key_id]
-    except KeyError:
-        return False
-    signed_data = canonical_json(data_copy)
-    try:
-        olm.ed25519_verify(key, signed_data, signature)
-        return True
-    except olm.OlmVerifyError:
-        return False

mautrix/crypto/device_lists.py

@@ -23,7 +23,8 @@
     UserID,
 )
 
-from .base import BaseOlmMachine, verify_signature_json
+from .base import BaseOlmMachine
+from .signature import verify_signature_json
 
 
 class DeviceListMachine(BaseOlmMachine):

mautrix/crypto/encrypt_olm.py

@@ -18,8 +18,9 @@
     UserID,
 )
 
-from .base import BaseOlmMachine, verify_signature_json
+from .base import BaseOlmMachine
 from .sessions import Session
+from .signature import verify_signature_json
 
 ClaimKeysList = Dict[UserID, Dict[DeviceID, DeviceIdentity]]
 

mautrix/crypto/signature.py

@@ -0,0 +1,47 @@
+# Copyright (c) 2025 Tulir Asokan
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+from typing import Any, TypedDict
+import functools
+import json
+
+import olm
+
+from mautrix.types import DeviceID, EncryptionKeyAlgorithm, KeyID, SigningKey, UserID
+
+try:
+    from Crypto.PublicKey import ECC
+    from Crypto.Signature import eddsa
+except ImportError:
+    from Cryptodome.PublicKey import ECC
+    from Cryptodome.Signature import eddsa
+
+canonical_json = functools.partial(
+    json.dumps, ensure_ascii=False, separators=(",", ":"), sort_keys=True
+)
+
+
+class SignedObject(TypedDict):
+    signatures: dict[UserID, dict[str, str]]
+    unsigned: Any
+
+
+def verify_signature_json(
+    data: "SignedObject", user_id: UserID, key_name: DeviceID | str, key: SigningKey
+) -> bool:
+    data_copy = {**data}
+    data_copy.pop("unsigned", None)
+    signatures = data_copy.pop("signatures")
+    key_id = str(KeyID(EncryptionKeyAlgorithm.ED25519, key_name))
+    try:
+        signature = signatures[user_id][key_id]
+    except KeyError:
+        return False
+    signed_data = canonical_json(data_copy)
+    try:
+        olm.ed25519_verify(key, signed_data, signature)
+        return True
+    except olm.OlmVerifyError:
+        return False

mautrix/crypto/signature_test.py

@@ -0,0 +1,39 @@
+# Copyright (c) 2025 Tulir Asokan
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+from mautrix.types import SigningKey, UserID
+
+from .signature import verify_signature_json
+
+
+def test_verify_signature_json() -> None:
+    assert verify_signature_json(
+        # This is actually a federation PDU rather than a device signature,
+        # but they're both 25519 curves so it doesn't make a difference.
+        {
+            "auth_events": [
+                "$L8Ak6A939llTRIsZrytMlLDXQhI4uLEjx-wb1zSg-Bw",
+                "$QJmr7mmGeXGD4Tof0ZYSPW2oRGklseyHTKtZXnF-YNM",
+                "$7bkKK_Z-cGQ6Ae4HXWGBwXyZi3YjC6rIcQzGfVyl3Eo",
+            ],
+            "content": {},
+            "depth": 3212,
+            "hashes": {"sha256": "K549YdTnv62Jn84Y7sS5ZN3+AdmhleZHbenbhUpR2R8"},
+            "origin_server_ts": 1754242687127,
+            "prev_events": ["$DAhJg4jVsqk5FRatE2hbT1dSA8D2ASy5DbjEHIMSHwY"],
+            "room_id": "!offtopic-2:continuwuity.org",
+            "sender": "@tulir:maunium.net",
+            "type": "m.room.message",
+            "signatures": {
+                UserID("maunium.net"): {
+                    "ed25519:a_xxeS": "SkzZdZ+rH22kzCBBIAErTdB0Vg6vkFmzvwjlOarGul72EnufgtE/tJcd3a8szAdK7f1ZovRyQxDgVm/Ib2u0Aw"
+                }
+            },
+            "unsigned": {"age_ts": 1754242687146},
+        },
+        UserID("maunium.net"),
+        "a_xxeS",
+        SigningKey("lVt/CC3tv74OH6xTph2JrUmeRj/j+1q0HVa0Xf4QlCg"),
+    )

mautrix/crypto/ssss/util.py

@@ -5,7 +5,6 @@
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 import hashlib
 import hmac
-import struct
 
 import base58
 import unpaddedbase64