beaconcrypt 0.3.1__tar.gz → 0.3.4__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/.github/workflows/python.yml +5 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/Cargo.lock +1 -1
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/Cargo.toml +1 -1
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/PKG-INFO +1 -1
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/README.md +1 -1
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/beaconcrypt_test.go +26 -6
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/pyproject.toml +4 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/lib.rs +2 -2
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/pqxdh.rs +10 -9
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/tests/test_encryption.py +9 -5
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/tests/test_registration.py +2 -1
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/.cargo/config.toml +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/.github/workflows/go.yml +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/.github/workflows/release.yml +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/.github/workflows/rust.yml +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/.gitignore +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/LICENSE +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/beaconcrypt.go +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/bindings.h +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/build.rs +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/clippy.toml +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/doc/protocol.md +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/doc/rationale.md +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/doc/threat_model.md +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/go.mod +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/rustfmt.toml +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/beacon.rs +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/cnsa2.rs +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/error.rs +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/schema/cryptoframe.capnp +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/schema/phase1.capnp +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/schema/phase2.capnp +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/schema/protogram.capnp +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/server.rs +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/src/shared.rs +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/tests/beacon.rs +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/tests/server.rs +0 -0
- {beaconcrypt-0.3.1 → beaconcrypt-0.3.4}/uv.lock +0 -0
|
@@ -31,6 +31,11 @@ jobs:
|
|
|
31
31
|
run: |
|
|
32
32
|
sudo apt install capnproto
|
|
33
33
|
|
|
34
|
+
- name: Run Python tests
|
|
35
|
+
run: |
|
|
36
|
+
uv run --group dev maturin develop --bindings pyo3 --features pybinds
|
|
37
|
+
uv run --group dev pytest tests
|
|
38
|
+
|
|
34
39
|
- name: Build source distribution
|
|
35
40
|
run: uvx maturin sdist --out dist
|
|
36
41
|
|
|
@@ -57,7 +57,7 @@ The reference implementation has two profiles: `PQXDH` and `CNSA2`. Profiles are
|
|
|
57
57
|
## Usage
|
|
58
58
|
The reference implementation is a library that can currently be used either from rust or through C FFI. The C interface is currently not tested.
|
|
59
59
|
|
|
60
|
-
From rust, usage is mostly just instanciating `CryptoProvider` objects. When using the C FFI, the library creates a global `CryptoProvider` object, whose methods are wrapped by the various functions in the interface.
|
|
60
|
+
From rust, usage is mostly just instanciating `CryptoProvider` objects. When using the C FFI, the library creates a global `CryptoProvider` object, whose methods are wrapped by the various functions in the interface. Look at tests for examples.
|
|
61
61
|
|
|
62
62
|
# Copyright
|
|
63
63
|
This work is dedicated to the public domain.
|
|
@@ -58,7 +58,11 @@ func newBeacon(t *testing.T, serverPK []byte) *Beacon {
|
|
|
58
58
|
|
|
59
59
|
func TestRegister(t *testing.T) {
|
|
60
60
|
server := newServer(t)
|
|
61
|
-
|
|
61
|
+
serverPK, err := server.IdentityPK()
|
|
62
|
+
if err != nil {
|
|
63
|
+
t.Fatal(err)
|
|
64
|
+
}
|
|
65
|
+
beacon := newBeacon(t, serverPK)
|
|
62
66
|
|
|
63
67
|
if registerBeacon(t, server, beacon) == nil {
|
|
64
68
|
t.Fatal("expected registration to return initial message")
|
|
@@ -67,8 +71,12 @@ func TestRegister(t *testing.T) {
|
|
|
67
71
|
|
|
68
72
|
func TestEncryptToMultiple(t *testing.T) {
|
|
69
73
|
server := newServer(t)
|
|
70
|
-
|
|
71
|
-
|
|
74
|
+
serverPK, err := server.IdentityPK()
|
|
75
|
+
if err != nil {
|
|
76
|
+
t.Fatal(err)
|
|
77
|
+
}
|
|
78
|
+
b1 := newBeacon(t, serverPK)
|
|
79
|
+
b2 := newBeacon(t, serverPK)
|
|
72
80
|
message := bytes.Repeat([]byte{0x01}, 32)
|
|
73
81
|
|
|
74
82
|
b1Initial := registerBeacon(t, server, b1)
|
|
@@ -92,7 +100,11 @@ func TestEncryptToMultiple(t *testing.T) {
|
|
|
92
100
|
|
|
93
101
|
func TestEncryptMultiple(t *testing.T) {
|
|
94
102
|
server := newServer(t)
|
|
95
|
-
|
|
103
|
+
serverPK, err := server.IdentityPK()
|
|
104
|
+
if err != nil {
|
|
105
|
+
t.Fatal(err)
|
|
106
|
+
}
|
|
107
|
+
b1 := newBeacon(t, serverPK)
|
|
96
108
|
message := bytes.Repeat([]byte{0x01}, 32)
|
|
97
109
|
|
|
98
110
|
registerBeacon(t, server, b1)
|
|
@@ -112,7 +124,11 @@ func TestEncryptMultiple(t *testing.T) {
|
|
|
112
124
|
|
|
113
125
|
func TestDecryptMultiple(t *testing.T) {
|
|
114
126
|
server := newServer(t)
|
|
115
|
-
|
|
127
|
+
serverPK, err := server.IdentityPK()
|
|
128
|
+
if err != nil {
|
|
129
|
+
t.Fatal(err)
|
|
130
|
+
}
|
|
131
|
+
beacon := newBeacon(t, serverPK)
|
|
116
132
|
message := bytes.Repeat([]byte{0x01}, 32)
|
|
117
133
|
|
|
118
134
|
registerBeacon(t, server, beacon)
|
|
@@ -143,7 +159,11 @@ func TestDecryptMultiple(t *testing.T) {
|
|
|
143
159
|
|
|
144
160
|
func TestDecryptMultipleSigned(t *testing.T) {
|
|
145
161
|
server := newServer(t)
|
|
146
|
-
|
|
162
|
+
serverPK, err := server.IdentityPK()
|
|
163
|
+
if err != nil {
|
|
164
|
+
t.Fatal(err)
|
|
165
|
+
}
|
|
166
|
+
beacon := newBeacon(t, serverPK)
|
|
147
167
|
message := bytes.Repeat([]byte{0x01}, 32)
|
|
148
168
|
|
|
149
169
|
registerBeacon(t, server, beacon)
|
|
@@ -475,9 +475,9 @@ pub mod beaconcrypt_py {
|
|
|
475
475
|
#[pymethods]
|
|
476
476
|
impl Beacon {
|
|
477
477
|
#[new]
|
|
478
|
-
fn new(server_kid: u64, server_id_pk:
|
|
478
|
+
fn new(server_kid: u64, server_id_pk: &[u8]) -> Self {
|
|
479
479
|
Self {
|
|
480
|
-
_0: BeaconCryptPqxdh::new(true, server_kid, server_id_pk, None),
|
|
480
|
+
_0: BeaconCryptPqxdh::new(true, server_kid, Some(server_id_pk), None),
|
|
481
481
|
}
|
|
482
482
|
}
|
|
483
483
|
|
|
@@ -143,7 +143,7 @@ impl CryptoProvider for BeaconCryptPqxdh {
|
|
|
143
143
|
let signed = crypto_sign::sign(data, self.identity_sk()).ok()?;
|
|
144
144
|
builder.set_data(&signed);
|
|
145
145
|
let mut buffer = vec![];
|
|
146
|
-
capnp::serialize_packed::write_message(&mut buffer, t_builder.borrow_inner()).
|
|
146
|
+
capnp::serialize_packed::write_message(&mut buffer, t_builder.borrow_inner()).ok()?;
|
|
147
147
|
Some(buffer)
|
|
148
148
|
}
|
|
149
149
|
|
|
@@ -315,7 +315,7 @@ impl ProviderBeacon for BeaconCryptPqxdh {
|
|
|
315
315
|
bundle.set_pq_key(&pq_sig);
|
|
316
316
|
|
|
317
317
|
let mut buffer = vec![];
|
|
318
|
-
capnp::serialize::write_message(&mut buffer, msg.borrow_inner()).
|
|
318
|
+
capnp::serialize::write_message(&mut buffer, msg.borrow_inner()).ok()?;
|
|
319
319
|
Some(buffer)
|
|
320
320
|
}
|
|
321
321
|
|
|
@@ -331,6 +331,9 @@ impl ProviderBeacon for BeaconCryptPqxdh {
|
|
|
331
331
|
crypto_kx::PublicKey::from_bytes(response.get_ephemeral_key().ok()?).ok()?;
|
|
332
332
|
let server_id =
|
|
333
333
|
crypto_sign::PublicKey::from_bytes(response.get_identity_key().ok()?).ok()?;
|
|
334
|
+
if server_id != self.server_id()?.clone() {
|
|
335
|
+
return None;
|
|
336
|
+
}
|
|
334
337
|
let server_kex_id = crypto_sign::ed25519_pk_to_curve25519(&server_id).ok()?;
|
|
335
338
|
let beacon_kex_id = crypto_sign::ed25519_sk_to_curve25519(self.identity_sk()).ok()?;
|
|
336
339
|
let shared_secret =
|
|
@@ -353,7 +356,6 @@ impl ProviderBeacon for BeaconCryptPqxdh {
|
|
|
353
356
|
let derived_secret = derive_root_key(dh1, dh2, dh3, dh4, shared_secret).ok()?;
|
|
354
357
|
self.delete_onetime_keypair();
|
|
355
358
|
|
|
356
|
-
self.add_server_pk(server_id.clone());
|
|
357
359
|
self.set_identity_kid(response.get_key_id());
|
|
358
360
|
let id = self.identity_pk().clone();
|
|
359
361
|
self.set_associated_data(build_additional_data(server_id, id));
|
|
@@ -372,17 +374,16 @@ impl ProviderBeacon for BeaconCryptPqxdh {
|
|
|
372
374
|
#[cfg(feature = "server")]
|
|
373
375
|
impl ProviderServer for BeaconCryptPqxdh {
|
|
374
376
|
fn get_shared_secret(&mut self, buffer: &[u8]) -> Option<RegistrationOutput> {
|
|
375
|
-
let reader = capnp::serialize::read_message(buffer, ReaderOptions::new()).
|
|
377
|
+
let reader = capnp::serialize::read_message(buffer, ReaderOptions::new()).ok()?;
|
|
376
378
|
let typed_reader = TypedReader::<_, phase1_capnp::init_kex::Owned>::new(reader);
|
|
377
|
-
let registration = typed_reader.get().
|
|
379
|
+
let registration = typed_reader.get().ok()?;
|
|
378
380
|
|
|
379
381
|
let decoded_beacon_id = decode_sign(registration.get_identity_key().ok()?).ok()?;
|
|
380
382
|
let remote_id = crypto_sign::PublicKey::from_bytes(&decoded_beacon_id).ok()?;
|
|
381
|
-
let pq_verified = crypto_sign::verify(registration.get_pq_key().ok()?, &remote_id)
|
|
382
|
-
let prekey_verified =
|
|
383
|
-
crypto_sign::verify(registration.get_pre_key().ok()?, &remote_id).unwrap();
|
|
383
|
+
let pq_verified = crypto_sign::verify(registration.get_pq_key().ok()?, &remote_id)?;
|
|
384
|
+
let prekey_verified = crypto_sign::verify(registration.get_pre_key().ok()?, &remote_id)?;
|
|
384
385
|
let onetime_verified =
|
|
385
|
-
crypto_sign::verify(registration.get_one_time_key().ok()?, &remote_id)
|
|
386
|
+
crypto_sign::verify(registration.get_one_time_key().ok()?, &remote_id)?;
|
|
386
387
|
|
|
387
388
|
let beacon_prekey =
|
|
388
389
|
crypto_kx::PublicKey::from_bytes(&decode_kem(&prekey_verified).ok()?).ok()?;
|
|
@@ -18,8 +18,9 @@ def register_beacon(
|
|
|
18
18
|
|
|
19
19
|
def test_encrypt_to_multiple():
|
|
20
20
|
server = BeaconCryptServer(0, None)
|
|
21
|
-
|
|
22
|
-
|
|
21
|
+
server_pk = server.id_pk()
|
|
22
|
+
b1 = BeaconCryptBeacon(0, server_pk)
|
|
23
|
+
b2 = BeaconCryptBeacon(0, server_pk)
|
|
23
24
|
message = bytes(0x1 * 32)
|
|
24
25
|
|
|
25
26
|
b1_initial = register_beacon(server, b1)
|
|
@@ -33,7 +34,8 @@ def test_encrypt_to_multiple():
|
|
|
33
34
|
|
|
34
35
|
def test_encrypt_multiple():
|
|
35
36
|
server = BeaconCryptServer(0, None)
|
|
36
|
-
|
|
37
|
+
server_pk = server.id_pk()
|
|
38
|
+
b1 = BeaconCryptBeacon(0, server_pk)
|
|
37
39
|
message = bytes(0x1 * 32)
|
|
38
40
|
|
|
39
41
|
_ = register_beacon(server, b1)
|
|
@@ -45,7 +47,8 @@ def test_encrypt_multiple():
|
|
|
45
47
|
|
|
46
48
|
def test_decrypt_multiple():
|
|
47
49
|
server = BeaconCryptServer(0, None)
|
|
48
|
-
|
|
50
|
+
server_pk = server.id_pk()
|
|
51
|
+
beacon = BeaconCryptBeacon(0, server_pk)
|
|
49
52
|
message = bytes(0x1 * 32)
|
|
50
53
|
|
|
51
54
|
_ = register_beacon(server, beacon)
|
|
@@ -61,7 +64,8 @@ def test_decrypt_multiple():
|
|
|
61
64
|
|
|
62
65
|
def test_decrypt_multiple_signed():
|
|
63
66
|
server = BeaconCryptServer(0, None)
|
|
64
|
-
|
|
67
|
+
server_pk = server.id_pk()
|
|
68
|
+
beacon = BeaconCryptBeacon(0, server_pk)
|
|
65
69
|
message = bytes(0x1 * 32)
|
|
66
70
|
|
|
67
71
|
_ = register_beacon(server, beacon)
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|