feat(rust/signed-doc): mk_signed_doc cli tool to accept bip32 extended private keys (#279)

* modify signature generation

* fix spelling

* fix clippy

Author: Mr-Leshiy

rust/signed_doc/Cargo.toml

@@ -26,6 +26,8 @@ clap = { version = "4.5.23",  features = ["derive", "env"] }
 jsonschema = "0.28.3"
 jsonpath-rust = "0.7.5"
 futures = "0.3.31"
+ed25519-bip32 = "0.4.1" # used by the `mk_signed_doc` cli tool
+
 
 [dev-dependencies]
 base64-url = "3.0.0"

rust/signed_doc/bins/mk_signed_doc.rs

@@ -3,15 +3,14 @@
 #![allow(missing_docs, clippy::missing_docs_in_private_items)]
 
 use std::{
-    fs::{read_to_string, File},
+    fs::File,
     io::{Read, Write},
     path::PathBuf,
 };
 
 use anyhow::Context;
 use catalyst_signed_doc::{Builder, CatalystSignedDocument, IdUri};
 use clap::Parser;
-use ed25519_dalek::pkcs8::DecodePrivateKey;
 
 fn main() {
     if let Err(err) = Cli::parse().exec() {
@@ -37,8 +36,8 @@ enum Cli {
         /// Path to the formed (could be empty, without any signatures) COSE document
         /// This exact file would be modified and new signature would be added
         doc: PathBuf,
-        /// Path to the secret key in PEM format
-        sk: PathBuf,
+        /// Bip32 extended secret key hex bytes (includes `chain_code`)
+        sk_hex: String,
         /// Signer kid
         kid: IdUri,
     },
@@ -77,13 +76,14 @@ impl Cli {
                 );
                 save_signed_doc(signed_doc, &output)?;
             },
-            Self::Sign { sk, doc, kid } => {
-                let sk = load_secret_key_from_file(&sk).context("Failed to load SK FILE")?;
+            Self::Sign { doc, sk_hex, kid } => {
+                let sk = load_secret_key(&sk_hex)?;
                 let cose_bytes = read_bytes_from_file(&doc)?;
                 let signed_doc = signed_doc_from_bytes(cose_bytes.as_slice())?;
+
                 let new_signed_doc = signed_doc
                     .into_builder()
-                    .add_signature(sk.to_bytes(), kid)?
+                    .add_signature(|message| sk.sign::<()>(&message).to_bytes().to_vec(), kid)?
                     .build();
                 save_signed_doc(new_signed_doc, &doc)?;
             },
@@ -144,8 +144,8 @@ fn write_bytes_to_file(bytes: &[u8], output: &PathBuf) -> anyhow::Result<()> {
         .context(format!("Failed to write to file {output:?}"))
 }
 
-fn load_secret_key_from_file(sk_path: &PathBuf) -> anyhow::Result<ed25519_dalek::SigningKey> {
-    let sk_str = read_to_string(sk_path)?;
-    let sk = ed25519_dalek::SigningKey::from_pkcs8_pem(&sk_str)?;
+fn load_secret_key(sk_hex: &str) -> anyhow::Result<ed25519_bip32::XPrv> {
+    let sk_bytes = hex::decode(sk_hex)?;
+    let sk = ed25519_bip32::XPrv::from_slice_verified(&sk_bytes)?;
     Ok(sk)
 }

rust/signed_doc/src/builder.rs

@@ -1,6 +1,5 @@
 //! Catalyst Signed Document Builder.
 use catalyst_types::{id_uri::IdUri, problem_report::ProblemReport};
-use ed25519_dalek::{ed25519::signature::Signer, SecretKey};
 
 use crate::{
     CatalystSignedDocument, Content, InnerCatalystSignedDocument, Metadata, Signatures,
@@ -55,20 +54,21 @@ impl Builder {
     /// Fails if a `CatalystSignedDocument` cannot be created due to missing metadata or
     /// content, due to malformed data, or when the signed document cannot be
     /// converted into `coset::CoseSign`.
-    pub fn add_signature(mut self, sk: SecretKey, kid: IdUri) -> anyhow::Result<Self> {
+    pub fn add_signature(
+        mut self, sign_fn: impl FnOnce(Vec<u8>) -> Vec<u8>, kid: IdUri,
+    ) -> anyhow::Result<Self> {
         let cose_sign = self
             .0
             .as_cose_sign()
             .map_err(|e| anyhow::anyhow!("Failed to sign: {e}"))?;
 
-        let sk = ed25519_dalek::SigningKey::from_bytes(&sk);
         let protected_header = coset::HeaderBuilder::new().key_id(kid.to_string().into_bytes());
 
         let mut signature = coset::CoseSignatureBuilder::new()
             .protected(protected_header.build())
             .build();
         let data_to_sign = cose_sign.tbs_data(&[], &signature);
-        signature.signature = sk.sign(&data_to_sign).to_vec();
+        signature.signature = sign_fn(data_to_sign);
         self.0.signatures.push(kid, signature);
 
         Ok(self)

rust/signed_doc/src/validator/rules/signature_kid.rs

@@ -44,6 +44,7 @@ mod tests {
         id_uri::IdUri,
         uuid::{UuidV4, UuidV7},
     };
+    use ed25519_dalek::ed25519::signature::Signer;
 
     use super::*;
     use crate::{Builder, ContentType};
@@ -67,7 +68,7 @@ mod tests {
                 "content-type": ContentType::Json.to_string(),
             }))
             .unwrap()
-            .add_signature(sk.to_bytes(), kid)
+            .add_signature(|m| sk.sign(&m).to_vec(), kid)
             .unwrap()
             .build();
 

rust/signed_doc/tests/common/mod.rs

@@ -4,6 +4,7 @@ use std::str::FromStr;
 
 use catalyst_signed_doc::*;
 use catalyst_types::id_uri::role_index::RoleIndex;
+use ed25519_dalek::ed25519::signature::Signer;
 
 pub fn test_metadata() -> (UuidV7, UuidV4, serde_json::Value) {
     let uuid_v7 = UuidV7::new();
@@ -84,7 +85,7 @@ pub fn create_dummy_signed_doc(
     let signed_doc = Builder::new()
         .with_decoded_content(content)
         .with_json_metadata(with_metadata.unwrap_or(metadata))?
-        .add_signature(sk.to_bytes(), kid.clone())?
+        .add_signature(|m| sk.sign(&m).to_vec(), kid.clone())?
         .build();
 
     Ok((signed_doc, pk, kid))

rust/signed_doc/tests/signature.rs

@@ -2,6 +2,7 @@
 
 use catalyst_signed_doc::{providers::tests::TestVerifyingKeyProvider, *};
 use catalyst_types::id_uri::role_index::RoleIndex;
+use ed25519_dalek::ed25519::signature::Signer;
 
 mod common;
 
@@ -36,11 +37,11 @@ async fn multiple_signatures_validation_test() {
         .with_decoded_content(serde_json::to_vec(&serde_json::Value::Null).unwrap())
         .with_json_metadata(common::test_metadata().2)
         .unwrap()
-        .add_signature(sk1.to_bytes(), kid1.clone())
+        .add_signature(|m| sk1.sign(&m).to_vec(), kid1.clone())
         .unwrap()
-        .add_signature(sk2.to_bytes(), kid2.clone())
+        .add_signature(|m| sk2.sign(&m).to_vec(), kid2.clone())
         .unwrap()
-        .add_signature(sk3.to_bytes(), kid3.clone())
+        .add_signature(|m| sk3.sign(&m).to_vec(), kid3.clone())
         .unwrap()
         .build();