Add traits to convert key types from and to Jwk (#1654)

* add traits to convert key types from and to `Jwk`

* enable identity_verification/jwk-conversion in identity_storage

* add tests and fix issues, that where found

---------

Co-authored-by: umr1352 <[email protected]>

Author: wulfraem

identity_iota_core/tests/e2e/asset.rs

@@ -1,8 +1,8 @@
 // Copyright 2020-2024 IOTA Stiftung
 // SPDX-License-Identifier: Apache-2.0
 
-use crate::common::get_funded_test_client;
-use crate::common::TEST_GAS_BUDGET;
+use std::str::FromStr as _;
+
 use identity_core::common::Object;
 use identity_core::common::Timestamp;
 use identity_core::common::Url;
@@ -20,13 +20,17 @@ use identity_iota_core::IotaDID;
 use identity_iota_core::IotaDocument;
 use identity_iota_interaction::IotaClientTrait;
 use identity_iota_interaction::MoveType as _;
+use identity_jose::jwk::ToJwk as _;
 use identity_storage::JwkDocumentExt;
 use identity_storage::JwsSignatureOptions;
 use identity_verification::VerificationMethod;
 use iota_sdk::types::TypeTag;
 use itertools::Itertools as _;
 use move_core_types::language_storage::StructTag;
-use std::str::FromStr;
+use secret_storage::Signer as _;
+
+use crate::common::get_funded_test_client;
+use crate::common::TEST_GAS_BUDGET;
 
 #[tokio::test]
 async fn creating_authenticated_asset_works() -> anyhow::Result<()> {
@@ -212,7 +216,7 @@ async fn hosting_vc_works() -> anyhow::Result<()> {
     .id(did.clone().into())
     .verification_method(VerificationMethod::new_from_jwk(
       did.clone(),
-      identity_client.signer().public_key().clone(),
+      identity_client.signer().public_key().await?.to_jwk()?,
       Some(identity_client.signer().key_id().as_str()),
     )?)
     .build()?;

identity_iota_core/tests/e2e/common.rs

@@ -25,6 +25,7 @@ use identity_iota_interaction::IotaKeySignature;
 use identity_iota_interaction::IotaTransactionBlockEffectsMutAPI;
 use identity_iota_interaction::OptionalSync;
 use identity_jose::jwk::Jwk;
+use identity_jose::jwk::ToJwk as _;
 use identity_jose::jws::JwsAlgorithm;
 use identity_storage::JwkMemStore;
 use identity_storage::JwkStorage;
@@ -292,7 +293,7 @@ impl TestClient {
     let public_key = identity_client.signer().public_key();
     let key_id = identity_client.signer().key_id();
     let fragment = key_id.as_str();
-    let method = VerificationMethod::new_from_jwk(did, public_key.clone(), Some(fragment))?;
+    let method = VerificationMethod::new_from_jwk(did, public_key.await?.to_jwk()?, Some(fragment))?;
     let method_digest: MethodDigest = MethodDigest::new(&method)?;
 
     self

identity_iota_core/tests/e2e/identity.rs

@@ -18,6 +18,7 @@ use identity_iota_core::rebased::proposals::ProposalResult;
 use identity_iota_core::IotaDID;
 use identity_iota_core::IotaDocument;
 use identity_iota_interaction::KeytoolSigner;
+use identity_jose::jwk::ToJwk as _;
 use identity_verification::MethodScope;
 use identity_verification::VerificationMethod;
 use iota_sdk::rpc_types::IotaObjectData;
@@ -29,6 +30,7 @@ use iota_sdk::types::transaction::ObjectArg;
 use iota_sdk::types::TypeTag;
 use iota_sdk::types::IOTA_FRAMEWORK_PACKAGE_ID;
 use move_core_types::ident_str;
+use secret_storage::Signer as _;
 
 #[tokio::test]
 async fn identity_deactivation_works() -> anyhow::Result<()> {
@@ -78,7 +80,7 @@ async fn updating_onchain_identity_did_doc_with_single_controller_works() -> any
     doc.insert_method(
       VerificationMethod::new_from_jwk(
         did,
-        identity_client.signer().public_key().clone(),
+        identity_client.signer().public_key().await?.to_jwk()?,
         Some(identity_client.signer().key_id().as_str()),
       )?,
       MethodScope::VerificationMethod,
@@ -122,7 +124,7 @@ async fn approving_proposal_works() -> anyhow::Result<()> {
     doc.insert_method(
       VerificationMethod::new_from_jwk(
         did,
-        alice_client.signer().public_key().clone(),
+        alice_client.signer().public_key().await?.to_jwk()?,
         Some(alice_client.signer().key_id().as_str()),
       )?,
       MethodScope::VerificationMethod,

identity_jose/Cargo.toml

@@ -11,18 +11,29 @@ repository.workspace = true
 description = "A library for JOSE (JSON Object Signing and Encryption)"
 
 [dependencies]
+anyhow = { version = "1", optional = true }
 bls12_381_plus.workspace = true
+fastcrypto = { git = "https://github.com/MystenLabs/fastcrypto", rev = "2f502fd8570fe4e9cff36eea5bbd6fef22002898", package = "fastcrypto", optional = true }
 identity_core = { version = "=1.6.0-alpha", path = "../identity_core" }
 iota-crypto = { version = "0.23.2", default-features = false, features = ["std", "sha"] }
 json-proof-token.workspace = true
+k256 = { version = "0.13.3", default-features = false, features = ["std", "ecdsa", "ecdsa-core", "jwk"], optional = true }
+p256 = { version = "0.13.2", default-features = false, features = ["std", "ecdsa", "ecdsa-core", "jwk"], optional = true }
 serde.workspace = true
 serde_json = { version = "1.0", default-features = false, features = ["std"] }
 thiserror.workspace = true
 zeroize = { version = "1.6", default-features = false, features = ["std", "zeroize_derive"] }
 
+[target.'cfg(not(target_arch = "wasm32"))'.dependencies]
+identity_iota_interaction = { version = "=1.6.0-alpha", path = "../identity_iota_interaction" }
+
+[target.'cfg(target_arch = "wasm32")'.dependencies]
+identity_iota_interaction = { version = "=1.6.0-alpha", path = "../identity_iota_interaction", default-features = false }
+
 [dev-dependencies]
 iota-crypto = { version = "0.23", features = ["ed25519", "random", "hmac"] }
 p256 = { version = "0.13.0", default-features = false, features = ["std", "ecdsa", "ecdsa-core"] }
+rand = { version = "0.8.5", default-features = false, features = ["std", "std_rng"] }
 signature = { version = "2", default-features = false }
 
 [[example]]
@@ -33,7 +44,14 @@ test = true
 workspace = true
 
 [features]
+default = []
 custom_alg = []
+jwk-conversion = [
+  "dep:anyhow",
+  "dep:k256",
+  "dep:p256",
+  "fastcrypto/copy_key",
+]
 
 [[test]]
 name = "custom_alg"

identity_jose/src/error.rs

@@ -49,4 +49,10 @@ pub enum Error {
   /// Caused by a missing `alg` claim in the protected header.
   #[error("missing alg in protected header")]
   ProtectedHeaderWithoutAlg,
+  /// Caused by converting keys to different types.
+  #[error("failed to convert key: `{0}`")]
+  KeyConversion(String),
+  /// Key type not supported.
+  #[error("key type not supported; {0}")]
+  UnsupportedKeyType(String),
 }

identity_jose/src/jwk/conversion/ed25519.rs

@@ -0,0 +1,76 @@
+// Copyright 2020-2023 IOTA Stiftung
+// SPDX-License-Identifier: Apache-2.0
+
+use fastcrypto::ed25519::Ed25519KeyPair;
+use fastcrypto::ed25519::Ed25519PrivateKey;
+use fastcrypto::ed25519::Ed25519PublicKey;
+use fastcrypto::ed25519::Ed25519PublicKeyAsBytes;
+use fastcrypto::traits::KeyPair as _;
+use fastcrypto::traits::SigningKey;
+use fastcrypto::traits::ToFromBytes;
+
+use crate::error::Error;
+use crate::jwk::EdCurve;
+use crate::jwk::Jwk;
+use crate::jwk::JwkParamsOkp;
+use crate::jwu;
+use crate::jwu::decode_b64;
+use crate::jwu::encode_b64;
+
+pub(crate) fn from_public_jwk(jwk: &Jwk) -> anyhow::Result<Ed25519PublicKey> {
+  let bytes = decode_b64(&jwk.try_okp_params()?.x)?;
+  Ok(Ed25519PublicKey::from_bytes(&bytes)?)
+}
+
+pub(crate) fn jwk_to_keypair(jwk: &Jwk) -> Result<Ed25519KeyPair, Error> {
+  let params: &JwkParamsOkp = jwk.try_okp_params()?;
+
+  if params
+    .try_ed_curve()
+    .map_err(|err| Error::UnsupportedKeyType(err.to_string()))?
+    != EdCurve::Ed25519
+  {
+    return Err(Error::UnsupportedKeyType(format!(
+      "expected an {} key",
+      EdCurve::Ed25519.name()
+    )));
+  }
+
+  let sk: [u8; Ed25519PrivateKey::LENGTH] = params
+    .d
+    .as_deref()
+    .map(jwu::decode_b64)
+    .ok_or_else(|| Error::KeyConversion("expected Jwk `d` param to be present".to_string()))?
+    .map_err(|err| Error::KeyConversion(format!("unable to decode `d` param; {}", err)))?
+    .try_into()
+    .map_err(|_| Error::KeyConversion(format!("expected key of length {}", Ed25519PrivateKey::LENGTH)))?;
+
+  Ed25519KeyPair::from_bytes(&sk).map_err(|_| Error::KeyConversion("invalid key".to_string()))
+}
+
+#[allow(dead_code)]
+pub(crate) fn encode_jwk(key_pair: Ed25519KeyPair) -> Jwk {
+  let x = jwu::encode_b64(key_pair.public().as_ref());
+  let d = jwu::encode_b64(key_pair.private().as_ref());
+  let mut params = JwkParamsOkp::new();
+  params.x = x;
+  params.d = Some(d);
+  params.crv = EdCurve::Ed25519.name().to_string();
+  Jwk::from_params(params)
+}
+
+#[allow(dead_code)]
+pub(crate) fn pk_to_jwk(pk: &Ed25519PublicKeyAsBytes) -> Jwk {
+  use crate::jws::JwsAlgorithm;
+
+  let params = JwkParamsOkp {
+    crv: EdCurve::Ed25519.to_string(),
+    x: encode_b64(pk.0),
+    d: None,
+  };
+
+  let mut jwk = Jwk::from_params(params);
+  jwk.set_alg(JwsAlgorithm::EdDSA.name());
+
+  jwk
+}