Changeset

12713:52eead170bb8

util.paseto: Drop custom wrappers around key objects The PASETO spec recommends - no, *requires* - that implementations enforce type safety for keys, and e.g. do not pass them around as arbitrary byte strings. Typed wrapper objects are recommended. I originally followed this advice when starting the lib. However, key wrapping and type safety is now also a feature of util.crypto. All we're doing is duplicating it unnecessarily with this additional wrapper code.
author Matthew Wild <mwild1@gmail.com>
date Mon, 11 Jul 2022 14:30:39 +0100
parents 12712:719a72f14e90
children 12714:82bca7191f13
files spec/util_paseto_spec.lua util/paseto.lua
diffstat 2 files changed, 6 insertions(+), 47 deletions(-) [+]
line wrap: on
line diff
--- a/spec/util_paseto_spec.lua	Mon Jul 11 14:10:07 2022 +0100
+++ b/spec/util_paseto_spec.lua	Mon Jul 11 14:30:39 2022 +0100
@@ -73,7 +73,7 @@
 		describe("basic sign/verify", function ()
 			local function new_keypair()
 				local kp = paseto.v4_public.new_keypair();
-				return kp.private_key:export(), kp.public_key:export();
+				return kp:private_pem(), kp:public_pem();
 			end
 
 			local privkey1, pubkey1 = new_keypair();
--- a/util/paseto.lua	Mon Jul 11 14:10:07 2022 +0100
+++ b/util/paseto.lua	Mon Jul 11 14:30:39 2022 +0100
@@ -8,11 +8,6 @@
 
 local s_gsub = string.gsub;
 
-local pubkey_methods = {};
-local privkey_methods = {};
-
-local v4_public_pubkey_mt = { __index = pubkey_methods };
-local v4_public_privkey_mt = { __index = privkey_methods };
 local v4_public = {};
 
 local b64url_rep = { ["+"] = "-", ["/"] = "_", ["="] = "", ["-"] = "+", ["_"] = "/" };
@@ -35,25 +30,14 @@
 	return table.concat(o);
 end
 
-function privkey_methods:export()
-	return self.key:private_pem();
-end
-
-function pubkey_methods:export()
-	return self.key:public_pem();
-end
-
 function v4_public.sign(m, sk, f, i)
-	if getmetatable(sk) ~= v4_public_privkey_mt then
-		error("cannot sign v4.public tokens with this key");
-	end
 	if type(m) ~= "table" then
 		return nil, "PASETO payloads must be a table";
 	end
 	m = json.encode(m);
 	local h = "v4.public.";
 	local m2 = pae({ h, m, f or "", i or "" });
-	local sig = crypto.ed25519_sign(sk.key, m2);
+	local sig = crypto.ed25519_sign(sk, m2);
 	if not f or f == "" then
 		return h..b64url(m..sig);
 	else
@@ -62,9 +46,6 @@
 end
 
 function v4_public.verify(tok, pk, expected_f, i)
-	if getmetatable(pk) ~= v4_public_pubkey_mt then
-		error("cannot verify v4.public tokens with this key");
-	end
 	local h, sm, f = tok:match("^(v4%.public%.)([^%.]+)%.?(.*)$");
 	if not h then
 		return nil, "invalid-token-format";
@@ -81,7 +62,7 @@
 	end
 	local s, m = raw_sm:sub(-64), raw_sm:sub(1, -65);
 	local m2 = pae({ h, m, f or "", i or "" });
-	local ok = crypto.ed25519_verify(pk.key, m2, s);
+	local ok = crypto.ed25519_verify(pk, m2, s);
 	if not ok then
 		return nil, "invalid-token";
 	end
@@ -92,32 +73,10 @@
 	return payload;
 end
 
+v4_public.import_private_key = crypto.import_private_pem;
+v4_public.import_public_key = crypto.import_public_pem;
 function v4_public.new_keypair()
-	local key = crypto.generate_ed25519_keypair();
-	return {
-		private_key = setmetatable({
-			key = key;
-		}, v4_public_privkey_mt);
-		public_key = setmetatable({
-			key = key;
-		}, v4_public_pubkey_mt);
-	};
-end
-
-function v4_public.import_public_key(pem)
-	local key = crypto.import_public_pem(pem);
-	assert(key:get_type() == "ED25519", "Invalid public key type for v4.public");
-	return setmetatable({
-		key = key;
-	}, v4_public_pubkey_mt);
-end
-
-function v4_public.import_private_key(pem)
-	local key = crypto.import_private_pem(pem);
-	assert(key:get_type() == "ED25519", "Invalid private key type for v4.public");
-	return setmetatable({
-		key = key;
-	}, v4_public_privkey_mt);
+	return crypto.generate_ed25519_keypair();
 end
 
 function v4_public.init(private_key_pem, public_key_pem, options)