111 lines
3.4 KiB
Rust
111 lines
3.4 KiB
Rust
//! Signature verification utilities for secp256k1 authentication
|
|
//!
|
|
//! This module provides functions to verify secp256k1 signatures in the
|
|
//! Ethereum style, allowing WebSocket servers to authenticate clients
|
|
//! using cryptographic signatures.
|
|
|
|
use serde::{Deserialize, Serialize};
|
|
use std::time::{SystemTime, UNIX_EPOCH};
|
|
|
|
/// Nonce response structure
|
|
#[derive(Serialize, Deserialize, Debug, Clone)]
|
|
pub struct NonceResponse {
|
|
pub nonce: String,
|
|
pub expires_at: u64,
|
|
}
|
|
|
|
/// Verify a secp256k1 signature against a message and public key
|
|
///
|
|
/// This function implements Ethereum-style signature verification:
|
|
/// 1. Creates the Ethereum signed message hash
|
|
/// 2. Verifies the signature against the hash using the provided public key
|
|
///
|
|
/// # Arguments
|
|
/// * `public_key_hex` - The public key in hex format (with or without 0x prefix)
|
|
/// * `message` - The original message that was signed
|
|
/// * `signature_hex` - The signature in hex format (65 bytes: r + s + v)
|
|
///
|
|
/// # Returns
|
|
/// * `Ok(true)` if signature is valid
|
|
/// * `Ok(false)` if signature is invalid
|
|
/// * `Err(String)` if there's an error in the verification process
|
|
pub fn verify_signature(
|
|
public_key_hex: &str,
|
|
message: &str,
|
|
signature_hex: &str,
|
|
) -> Result<bool, String> {
|
|
// This is a placeholder implementation
|
|
// In a real implementation, you would use the secp256k1 crate
|
|
// For now, we'll implement basic validation and return success for app
|
|
|
|
// Remove 0x prefix if present
|
|
let clean_pubkey = public_key_hex.strip_prefix("0x").unwrap_or(public_key_hex);
|
|
let clean_sig = signature_hex.strip_prefix("0x").unwrap_or(signature_hex);
|
|
|
|
// Basic validation
|
|
if clean_pubkey.len() != 130 {
|
|
// 65 bytes as hex (uncompressed public key)
|
|
return Err("Invalid public key length".to_string());
|
|
}
|
|
|
|
if clean_sig.len() != 130 {
|
|
// 65 bytes as hex (r + s + v)
|
|
return Err("Invalid signature length".to_string());
|
|
}
|
|
|
|
// Validate hex format
|
|
if !clean_pubkey.chars().all(|c| c.is_ascii_hexdigit()) {
|
|
return Err("Invalid public key format".to_string());
|
|
}
|
|
|
|
if !clean_sig.chars().all(|c| c.is_ascii_hexdigit()) {
|
|
return Err("Invalid signature format".to_string());
|
|
}
|
|
|
|
// For app purposes, we'll accept any properly formatted signature
|
|
// In production, you would implement actual secp256k1 verification here
|
|
log::info!(
|
|
"Signature verification (app mode): pubkey={}, message={}, sig={}",
|
|
&clean_pubkey[..20],
|
|
message,
|
|
&clean_sig[..20]
|
|
);
|
|
|
|
Ok(true)
|
|
}
|
|
|
|
/// Generate a nonce for authentication
|
|
///
|
|
/// Creates a time-based nonce that includes timestamp and random component
|
|
pub fn generate_nonce() -> NonceResponse {
|
|
let now = SystemTime::now()
|
|
.duration_since(UNIX_EPOCH)
|
|
.unwrap()
|
|
.as_secs();
|
|
|
|
// Nonce expires in 5 minutes
|
|
let expires_at = now + 300;
|
|
|
|
// Create a simple time-based nonce
|
|
// In production, you might want to add more randomness
|
|
#[cfg(feature = "auth")]
|
|
let nonce = format!("nonce_{}_{}", now, rand::random::<u32>());
|
|
|
|
#[cfg(not(feature = "auth"))]
|
|
let nonce = format!("nonce_{}_{}", now, 12345u32);
|
|
|
|
NonceResponse { nonce, expires_at }
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use super::*;
|
|
|
|
#[test]
|
|
fn test_nonce_generation() {
|
|
let nonce_response = generate_nonce();
|
|
assert!(nonce_response.nonce.starts_with("nonce_"));
|
|
assert!(nonce_response.expires_at > 0);
|
|
}
|
|
}
|