From 71ae7c1a6b7d945aaec78239ff7d4b65a9b1cd7d Mon Sep 17 00:00:00 2001
From: Felix Gohla
Date: Thu, 11 Aug 2022 07:30:06 +0200
Subject: [PATCH] Use ED25519 For Large Blob Data Signature
---
 README.md | 2 +-
 app.py | 14 +++++++++++---
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 3337e28..b2ac340 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@ For the app to work properly, some environment variables need to be set:
 Generate the OIDC config file using the environment variables by running `envsubst < client_secrets.tmpl.json > client_secrets.json`
-Generate the signing key by running `openssl ecparam -name prime192v1 -genkey -out sk.pem`
+Generate the signing key by running `openssl genpkey -algorithm Ed25519 -out sk.pem`
 You can export the verifying key for the locks by running `openssl ec -in sk.pem -pubout -out vk.pem`
 ### Running in current shell session
diff --git a/app.py b/app.py
index 14520a0..ee41b95 100644
--- a/app.py
+++ b/app.py
@@ -1,13 +1,12 @@
-import hashlib
 import json
 import os
 from base64 import b64encode
 import re
+import sys
 import cbor2
 from cryptography.hazmat.primitives import serialization
-from cryptography.hazmat.primitives.asymmetric import ec
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.asymmetric import ed25519
 from flask import Flask, render_template, request, redirect, session
 from flask_oidc import OpenIDConnect
 from keycloak import KeycloakAdmin
@@ -36,6 +35,12 @@
 if "WAU_SIGNING_KEY_PATH" in os.environ:
 with open(os.environ["WAU_SIGNING_KEY_PATH"], "rb") as f:
 signing_key = serialization.load_pem_private_key(f.read(), None)
+ verification_key = signing_key.public_key()
+ verification_key_bytes = verification_key.public_bytes(
+ encoding=serialization.Encoding.Raw,
+ format=serialization.PublicFormat.Raw,
+ )
+ print('WAU verification key is: ', verification_key_bytes.hex(), file=sys.stderr)
 keycloak_admin = KeycloakAdmin(server_url=f"https://{os.environ['WAU_KEYCLOAK_HOST_NAME']}/auth/", client_id=os.environ['WAU_KEYCLOAK_CLIENT_ID'],
@@ -56,6 +61,9 @@ def get_credentials_for_user(user_id):
 def get_signed_access_rights():
+ public_key = cbor2.loads(base64url_to_bytes(session["selected_credential_publicKey"]))[-2]
+ signature = signing_key.sign(public_key) if signing_key is not None else bytes()
+ return public_key + signature
 access_rights = str(oidc.user_getfield("access_rights")).encode('utf-8')
 public_key = base64url_to_bytes(session["selected_credential_publicKey"])
 signature = signing_key.sign(access_rights + public_key, ec.ECDSA(hashes.SHA256())) if signing_key is not None else bytes()
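Review bot: The key read from `WAU_SIGNING_KEY_PATH` is never checked to be Ed25519, yet the added `public_bytes(encoding=Raw, format=Raw)` call and the one-argument `signing_key.sign(public_key)` in `get_signed_access_rights` both assume it; a deployment still using the EC key from the old README command would fail with an unrelated-looking error. The `ed25519` import added by this commit is unused in the visible hunks and fits here: `if not isinstance(signing_key, ed25519.Ed25519PrivateKey): raise TypeError("WAU_SIGNING_KEY_PATH must hold an Ed25519 private key")`. The README's next line still exports the verifying key with `openssl ec -in sk.pem -pubout`, which probably rejects an Ed25519 key; `openssl pkey -in sk.pem -pubout -out vk.pem` is the type-agnostic form.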
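Review bot: The added `return public_key + signature` in `get_signed_access_rights` makes the three old lines below it unreachable, and those lines still call `ec.ECDSA(hashes.SHA256())` although this commit removes the `ec` and `hashes` imports; delete them rather than leaving dead code (the rest of the function lies outside the hunk). The signature now covers only the credential key and no longer `access_rights`, so a short comment should state that the lock is expected to authorise on key membership alone, if that is the intent. COSE label `-2` is the full key only for OKP keys; for EC2 it is just the x-coordinate and for RSA the public exponent, which most keys share, so bind the decoded map to a name and reject unexpected types first, e.g. `if cose_key.get(1) not in (1, 2): raise ValueError("unsupported credential key type")`. The `else bytes()` fallback still returns the key with an empty signature when no signing key is loaded, which is safer turned into an error.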