Merge pull request #12 from banyancomputer/alex/blake3-fingerprint

fix: normalize fingerprints on blake3

Cargo.toml

@@ -15,8 +15,8 @@ rand = "^0.8"
 p384 = { version = "^0.13", features = ["arithmetic", "alloc", "pkcs8", "pem"] }
 rand_core = "^0.6"
 base64ct = "^1.6"
-sha1 = "^0.10"
 hkdf = "^0.12"
+blake3 = "^1.4"
 sha2 = "^0.10"
 aes-gcm = "^0.10"
 chrono = "^0.4"

src/key_seal.rs

@@ -36,7 +36,9 @@ pub fn pretty_fingerprint(fingerprint_bytes: &[u8]) -> String {
 }
 
 pub fn hex_fingerprint(fingerprint_bytes: &[u8]) -> String {
-    pretty_fingerprint(fingerprint_bytes).replace(':', "")
+    fingerprint_bytes
+        .iter()
+        .fold(String::new(), |chain, byte| format!("{chain}{byte:02x}"))
 }
 
 #[cfg(test)]
@@ -48,32 +50,32 @@ mod tests {
         45, 45, 45, 45, 45, 66, 69, 71, 73, 78, 32, 80, 82, 73, 86, 65, 84, 69, 32, 75, 69, 89, 45,
         45, 45, 45, 45, 10, 77, 73, 71, 50, 65, 103, 69, 65, 77, 66, 65, 71, 66, 121, 113, 71, 83,
         77, 52, 57, 65, 103, 69, 71, 66, 83, 117, 66, 66, 65, 65, 105, 66, 73, 71, 101, 77, 73, 71,
-        98, 65, 103, 69, 66, 66, 68, 67, 78, 101, 114, 100, 114, 74, 76, 104, 85, 89, 49, 81, 79,
-        81, 116, 85, 50, 10, 108, 54, 86, 118, 113, 55, 90, 108, 89, 66, 43, 97, 52, 56, 114, 88,
-        43, 47, 111, 119, 122, 43, 69, 68, 103, 75, 118, 74, 114, 99, 111, 82, 114, 54, 117, 50,
-        121, 78, 50, 87, 53, 119, 102, 51, 119, 68, 109, 104, 90, 65, 78, 105, 65, 65, 84, 109, 66,
-        57, 99, 69, 53, 54, 105, 57, 10, 89, 88, 70, 106, 107, 85, 54, 122, 73, 100, 98, 97, 118,
-        83, 102, 102, 117, 115, 112, 119, 98, 114, 71, 104, 102, 80, 122, 103, 106, 77, 82, 43, 71,
-        98, 65, 77, 103, 57, 116, 84, 78, 102, 99, 121, 122, 81, 55, 66, 86, 99, 106, 97, 102, 90,
-        114, 84, 56, 90, 75, 87, 85, 82, 74, 68, 10, 73, 112, 67, 76, 119, 102, 89, 106, 66, 52,
-        98, 89, 107, 100, 87, 85, 115, 121, 82, 101, 88, 53, 121, 79, 73, 100, 74, 88, 80, 112, 50,
-        82, 100, 106, 68, 118, 80, 82, 116, 67, 117, 76, 67, 117, 76, 72, 57, 88, 52, 116, 122,
-        100, 47, 65, 107, 61, 10, 45, 45, 45, 45, 45, 69, 78, 68, 32, 80, 82, 73, 86, 65, 84, 69,
-        32, 75, 69, 89, 45, 45, 45, 45, 45, 10,
+        98, 65, 103, 69, 66, 66, 68, 68, 80, 48, 106, 53, 117, 69, 112, 122, 43, 102, 67, 100, 120,
+        51, 84, 76, 114, 10, 79, 56, 121, 50, 72, 77, 100, 49, 113, 107, 105, 82, 86, 53, 97, 66,
+        108, 73, 69, 73, 49, 104, 103, 73, 50, 56, 67, 73, 110, 67, 53, 98, 106, 99, 75, 69, 97,
+        118, 115, 103, 79, 106, 53, 111, 97, 82, 79, 104, 90, 65, 78, 105, 65, 65, 84, 79, 66, 51,
+        54, 47, 114, 52, 56, 69, 10, 72, 102, 100, 99, 77, 48, 104, 117, 105, 66, 107, 102, 101,
+        101, 108, 71, 67, 100, 115, 55, 100, 53, 48, 56, 115, 47, 111, 57, 121, 104, 104, 112, 117,
+        117, 51, 70, 84, 104, 102, 53, 79, 54, 71, 114, 84, 98, 87, 73, 72, 54, 99, 110, 99, 71,
+        83, 55, 102, 100, 47, 86, 109, 48, 90, 90, 10, 52, 57, 90, 75, 49, 86, 53, 74, 119, 85,
+        111, 81, 76, 117, 71, 68, 113, 114, 69, 103, 73, 102, 113, 75, 65, 83, 82, 70, 102, 82, 86,
+        81, 114, 52, 76, 70, 116, 115, 121, 80, 100, 51, 47, 51, 77, 57, 83, 90, 82, 43, 80, 97,
+        68, 65, 81, 61, 10, 45, 45, 45, 45, 45, 69, 78, 68, 32, 80, 82, 73, 86, 65, 84, 69, 32, 75,
+        69, 89, 45, 45, 45, 45, 45, 10,
     ];
 
     const TEST_DER_KEY: &[u8] = &[
-        48, 129, 155, 2, 1, 1, 4, 48, 141, 122, 183, 107, 36, 184, 84, 99, 84, 14, 66, 213, 54,
-        151, 165, 111, 171, 182, 101, 96, 31, 154, 227, 202, 215, 251, 250, 48, 207, 225, 3, 128,
-        171, 201, 173, 202, 17, 175, 171, 182, 200, 221, 150, 231, 7, 247, 192, 57, 161, 100, 3,
-        98, 0, 4, 230, 7, 215, 4, 231, 168, 189, 97, 113, 99, 145, 78, 179, 33, 214, 218, 189, 39,
-        223, 186, 202, 112, 110, 177, 161, 124, 252, 224, 140, 196, 126, 25, 176, 12, 131, 219, 83,
-        53, 247, 50, 205, 14, 193, 85, 200, 218, 125, 154, 211, 241, 146, 150, 81, 18, 67, 34, 144,
-        139, 193, 246, 35, 7, 134, 216, 145, 213, 148, 179, 36, 94, 95, 156, 142, 33, 210, 87, 62,
-        157, 145, 118, 48, 239, 61, 27, 66, 184, 176, 174, 44, 127, 87, 226, 220, 221, 252, 9,
+        48, 129, 155, 2, 1, 1, 4, 48, 207, 210, 62, 110, 18, 156, 254, 124, 39, 113, 221, 50, 235,
+        59, 204, 182, 28, 199, 117, 170, 72, 145, 87, 150, 129, 148, 129, 8, 214, 24, 8, 219, 192,
+        136, 156, 46, 91, 141, 194, 132, 106, 251, 32, 58, 62, 104, 105, 19, 161, 100, 3, 98, 0, 4,
+        206, 7, 126, 191, 175, 143, 4, 29, 247, 92, 51, 72, 110, 136, 25, 31, 121, 233, 70, 9, 219,
+        59, 119, 157, 60, 179, 250, 61, 202, 24, 105, 186, 237, 197, 78, 23, 249, 59, 161, 171, 77,
+        181, 136, 31, 167, 39, 112, 100, 187, 125, 223, 213, 155, 70, 89, 227, 214, 74, 213, 94,
+        73, 193, 74, 16, 46, 225, 131, 170, 177, 32, 33, 250, 138, 1, 36, 69, 125, 21, 80, 175,
+        130, 197, 182, 204, 143, 119, 127, 247, 51, 212, 153, 71, 227, 218, 12, 4,
     ];
 
-    const SEALED_KEY: &str = "gWpi+A3+mAm9IaeeI1Fq+g==./7hxZHDThkpnUr58.zLfay5f24Ou/gpXeTn/UTdTLO2vf/65U8hk70Xt6aWTO4gPKmfEdXeDwfIR+q1hX.MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJR9Nd3p/UA8UPut9wRt+r7mx5Fv9wxopA+B5gm0lyFSzhJRZO6D4x57sJ68YiDvxSUfSCaOhWWhYTRJ6WxShf/g0bdLdkPrtxelSKHcUj3orr9rELWYUl1fxE6kOfSS4";
+    const SEALED_KEY: &str = "IsOZbU9AuHemDVCvvD9WnQ==.GajZ6uqi6siOA9ck.FVtz65k9YE5ETzSsLXSgEuyM2rsNQMaD8aO97HtdKuNB2ytZSa7yhm8HTNvcSCwr.MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEoHUTBQwf8mOFzlX0cEw/RPdjCiysFYcBj2vpPo1smqVXEb/jXjewWjDlTQAInRF52I/itE1wc9E0wvtUYpoZUjbWOAQkGebVZ6CFl3lLqaw7mAOkK/6I1t1S/Y4xr8mx";
 
     async fn test_encryption_end_to_end() -> Result<(), TombCryptError> {
         use crate::key_seal::common::PrivateKey;
@@ -162,7 +164,7 @@ mod tests {
         let token = claims.encode_to(&key).await?;
         let _ = ApiToken::decode_from(&token, &public_key).await?;
         let metadata = ApiTokenMetadata::try_from(token)?;
-        let key_id = pretty_fingerprint(public_key.fingerprint().await?.as_slice());
+        let key_id = hex_fingerprint(public_key.fingerprint().await?.as_slice());
 
         // Check the metadata
         assert_eq!(metadata.alg(), "ES384");

src/key_seal/internal.rs

@@ -1,11 +1,11 @@
 use base64ct::LineEnding;
+use blake3::Hasher;
 use p384::elliptic_curve::sec1::ToEncodedPoint;
 use p384::{
     pkcs8::{DecodePrivateKey, DecodePublicKey, EncodePrivateKey, EncodePublicKey},
     PublicKey as P384PublicKey, SecretKey as P384SecretKey,
 };
 use rand::RngCore;
-use sha1::Digest;
 
 use crate::key_seal::common::{FINGERPRINT_SIZE, SALT_SIZE};
 use crate::prelude::TombCryptError;
@@ -17,15 +17,17 @@ pub fn generate_salt() -> [u8; SALT_SIZE] {
     salt
 }
 
-/// SHA1 compressed point fingerprint function
+/// Blake3 compressed point fingerprint function
 pub fn fingerprint<'a>(public_key: impl Into<&'a P384PublicKey>) -> [u8; FINGERPRINT_SIZE] {
     let public_key = public_key.into();
     let compressed_point = public_key.as_ref().to_encoded_point(true);
-
-    let mut hasher = sha1::Sha1::new();
+    let compressed_point = compressed_point.as_bytes();
+    let mut hasher = Hasher::new();
     hasher.update(compressed_point);
-    let hashed_bytes = hasher.finalize();
-    hashed_bytes.into()
+    let mut output = [0u8; FINGERPRINT_SIZE];
+    let mut output_reader = hasher.finalize_xof();
+    output_reader.fill(&mut output);
+    output
 }
 
 pub fn gen_ec_key() -> P384SecretKey {