feat: add PUBLIC_KEY_SIZE constant and update key handling in KEM and ticket modules

Author: dkmstr

crates/crypt/src/kem.rs

@@ -11,6 +11,7 @@ use libcrux_ml_kem::mlkem768::generate_key_pair as ml_kem_generate_key_pair;
 
 // Note, changes to kem size (1024, 768 or 512) will need to update also SECRET_KEY_SIZE and CIPHERTEXT_SIZE
 pub const SECRET_KEY_SIZE: usize = 2400;
+pub const PUBLIC_KEY_SIZE: usize = 1184;
 pub const CIPHERTEXT_SIZE: usize = 1088;
 
 /// Generate a new KEM keypair (private key and public key)

crates/crypt/src/lib.rs

@@ -5,7 +5,7 @@ mod ticket;
 pub use ticket::{Ticket, TunnelMaterial};
 
 mod kem;
-pub use kem::{CIPHERTEXT_SIZE, SECRET_KEY_SIZE, generate_key_pair};
+pub use kem::{CIPHERTEXT_SIZE, SECRET_KEY_SIZE, PUBLIC_KEY_SIZE, generate_key_pair};
 
 #[cfg(test)]
 mod tests;

crates/crypt/src/tests.rs

@@ -65,22 +65,22 @@ const TEST_TICKET_JSON: &str = r#"{
 //   }
 // }
 
-fn get_private_key_bytes() -> Result<Vec<u8>> {
+fn get_private_key_bytes() -> Result<[u8; SECRET_KEY_SIZE]> {
     let kem_private_key_bytes = general_purpose::STANDARD
         .decode(PRIVATE_KEY_768_TESTING)
         .map_err(|e| anyhow::format_err!("Failed to decode base64 KEM private key: {}", e))?;
     let kem_private_key_bytes: [u8; SECRET_KEY_SIZE] = kem_private_key_bytes
         .try_into()
         .map_err(|_| anyhow::format_err!("Invalid KEM private key size"))?;
-    Ok(kem_private_key_bytes.to_vec())
+    Ok(kem_private_key_bytes)
 }
 
 #[test]
 fn test_recover_invalid_data_from_json() {
     let ticket = Ticket::new("AES-256-GCM", "", "");
 
     let result =
-        ticket.recover_data_from_json(TICKET_ID_TESTING.as_bytes(), get_private_key_bytes().unwrap());
+        ticket.recover_data_from_json(TICKET_ID_TESTING.as_bytes(), &get_private_key_bytes().unwrap());
     assert!(result.is_err());
 }
 
@@ -89,7 +89,7 @@ fn test_recover_valid_data_from_json() {
     let ticket: Ticket = serde_json::from_str(TEST_TICKET_JSON).unwrap();
 
     let result =
-        ticket.recover_data_from_json(TICKET_ID_TESTING.as_bytes(), get_private_key_bytes().unwrap());
+        ticket.recover_data_from_json(TICKET_ID_TESTING.as_bytes(), &get_private_key_bytes().unwrap());
     assert!(
         result.is_ok(),
         "Failed to recover data from JSON ticket: {:?}",

crates/crypt/src/ticket.rs

@@ -72,12 +72,8 @@ impl Ticket {
     pub fn recover_data_from_json(
         &self,
         ticket_id: &[u8],
-        kem_private_key: Vec<u8>,
+        kem_private_key: &[u8; SECRET_KEY_SIZE],
     ) -> Result<serde_json::Value> {
-        let kem_private_key: [u8; SECRET_KEY_SIZE] = kem_private_key
-            .try_into()
-            .map_err(|_| anyhow::format_err!("Invalid KEM private key size"))?;
-
         let kem_private_key = PrivateKey::from(kem_private_key);
 
         // Extract shared_secret from KEM ciphertext

crates/shared/src/broker/api/mod.rs

@@ -31,11 +31,11 @@
 
 use anyhow::Result;
 use async_trait::async_trait;
-use reqwest::{Client, ClientBuilder};
 use base64::{Engine as _, engine::general_purpose};
+use reqwest::{Client, ClientBuilder};
 
 use crate::{consts, log};
-use crypt::{Ticket, generate_key_pair};
+use crypt::{PUBLIC_KEY_SIZE, SECRET_KEY_SIZE, Ticket, generate_key_pair};
 
 pub mod types;
 
@@ -54,6 +54,8 @@ pub struct UdsBrokerApi {
     client: Client,
     broker_url: String,
     hostname: String,
+    public_key: [u8; PUBLIC_KEY_SIZE],
+    private_key: [u8; SECRET_KEY_SIZE],
 }
 
 impl UdsBrokerApi {
@@ -74,13 +76,31 @@ impl UdsBrokerApi {
             builder = builder.no_proxy();
         }
 
-        // panic if client cannot be built, as this is a programming error (invalid URL, etc)
+
+        // Note: unwraps are intentinonal here, if we cannot build the client, we want to
+        // abort early.
+
         let client = builder.build().unwrap();
 
+        // Generate ephemeral KEM keypair
+        let (private_key, public_key) = generate_key_pair().unwrap();
+
         Self {
             client,
             broker_url: broker_url.to_string().trim_end_matches('/').to_string(),
             hostname: hostname::get().unwrap().to_string_lossy().to_string(),
+            public_key: public_key.try_into().unwrap(),
+            private_key: private_key.try_into().unwrap(),
+        }
+    }
+
+    // Only for tests
+    #[cfg(test)]
+    pub fn with_keys(self, private_key: [u8; SECRET_KEY_SIZE], public_key: [u8; PUBLIC_KEY_SIZE]) -> Self {
+        Self {
+            public_key,
+            private_key,
+            ..self
         }
     }
 
@@ -126,43 +146,35 @@ impl BrokerApi for UdsBrokerApi {
             scrambler
         );
 
-        // Generate ephemeral KEM keypair
-        let (private_key, public_key) = generate_key_pair()?;
-        
         // Prepare request body
         let req: types::TicketReqBody = types::TicketReqBody {
             scrambler,
-            kem_kyber_key: &general_purpose::STANDARD.encode(&public_key),
+            kem_kyber_key: &general_purpose::STANDARD.encode(self.public_key),
             hostname: &self.hostname,
             version: consts::UDS_CLIENT_VERSION,
         };
 
         let response = self
             .client
-            .post(format!(
-                "{}/{}/ticket",
-                self.broker_url,
-                ticket,
-            ))
+            .post(format!("{}/{}/ticket", self.broker_url, ticket,))
             .json(&req)
             .headers(self.headers())
             .send()
             .await?;
 
         // Extract real script info from Ticket
         response
-           .json::<types::BrokerResponse<Ticket>>()
-           .await?
-           .into_result()?
-           .recover_data_from_json(ticket.as_bytes(), private_key)
-           .map(|json_value| {
-               serde_json::from_value::<types::Script>(json_value)
-                   .map_err(|e| types::Error {
-                       message: format!("Failed to parse script from ticket data: {}", e),
-                       is_retryable: false,
-                       percent: 0,
-                   })
-           })?
+            .json::<types::BrokerResponse<Ticket>>()
+            .await?
+            .into_result()?
+            .recover_data_from_json(ticket.as_bytes(), &self.private_key)
+            .map(|json_value| {
+                serde_json::from_value::<types::Script>(json_value).map_err(|e| types::Error {
+                    message: format!("Failed to parse script from ticket data: {}", e),
+                    is_retryable: false,
+                    percent: 0,
+                })
+            })?
 
         // response
         //     .json::<types::BrokerResponse<types::Script>>()

crates/shared/src/broker/api/tests.rs

@@ -35,6 +35,68 @@ use crate::log;
 
 use mockito::Server;
 
+const PRIVATE_KEY_768_TESTING: &str = "TzpPr8sQk1BBjmEFpTqCqdhTNfGdTpK37GBFaQWnigW8AZqMzrlSxRa+grYDdjJ1JiaiuSkpptCtIKsf\
+    6QiD6HRJrAPNCJyxbmihz3KS0IOmjzUx4BYh/Ap/nYbE/0qWZFG0KdGKtSKWnOoQFCph0vOLQKnN8HGq\
+    ZMty+qxBWDZ7qJAQxaU2SpJSzPEeakmP6jxvQTjIMXTGN/iD8ViqntbIn7uyWoZmhpwMu0ioCvYZiahl\
+    UlgGOkdnlEojxIphbBaAoaoZ6im1u+g8SeTKnEaQGkWZLJSak9RSuLin5AgFS6KomFY1ddkYpSMAN+dC\
+    3fWh3FHLicevB2hnxLsiaDxUvaduApavjCc3JMBQtkgvx1d5YaERlFaKIjAbAIoCqwyX7TOih5YtmdVk\
+    BGRRVscr9TYz4QKPAJRjskoF0kqeskGzU/kSzfynnDvK+mmCP8Cd3fCVraMarQZHJAxjZhsQeheu0CgN\
+    k+iDq3MyITxOSyR/POdasAVTmfZ6O/GdN0UcDtuDB6hNQrQ2CNSZAcGkQfqHaTt+vbJfpkKwf1UCGAoq\
+    mEKk77Z5eueqMMZWffQhCARScRCWGOgscjQ+z1ItTpGKD2Rbqvk6hvOZYIxauiZfXtC02gchxaKg39x+\
+    nzzHLcxzhWYK9RERiUsS8IuDvqaCcwJEOpQfSOGgYcZk8uRRf5ioGGlcUErID/SL9lZLqUxIDXMq4ygr\
+    yXsvYWzMhPhTMUy2irsAtNiBdFNjKvR1HAaVYEfAWXJMaJzBagF0NRmza8pIxWF7paQZvteLdVDOjExe\
+    RogBc4uUjFTA6vpsP2IeOBpPcqR/wBZcjosAcyQA75Chk+KNlmAiy4rAYFi5i+gzK2mSJPw7wOy5eppz\
+    ZCJ2Q9eOAzlLfJU+5yAStGRngxBw8OXIO/cSU9JtHNUXPtaoDfDGkJkEfwifdbJDOMSyi1yxq+ZJ4TGm\
+    faRItvUeuRiJSXV7x6kMGfqpzfN8P6cCRlqM8cqkRWG3uCGcxFWQh7UYVgNo6xNQPQafFpkm/KoW2Esg\
+    ZaUpJBJeF0kMA7hGd7G/zdHDDFsRtcUV/GQcM+ERZwwswnYm1IlYRaRK3/gQxKNANsS9+GIDsvUU1Xd+\
+    D2NIftaW4HifZWN08VWHdICU85TIlgAfStFSsPZQV9VmZnaEulsaFYCkcUjGFhkdezIcVJKymyWV5Gyi\
+    KCJqAGSez8SMmtyBb+FonMKrezZXY0NMJUmvw4N8ybw+bHLM2tGgPtp3ZKnLN7Ek2nSijDYdtXuNZsAu\
+    Q7xzF6ZC9giNBBkFf1MtDsyUZahpPVXJLnigewV7SCZTj9vDkzy05Tkf1Wtt46DKnqLK78ycRQkP6eeM\
+    L7UJjuVejXmrAyOO5Ctmp7Wt/up5yZecxIcRpxCHV4d5kzZ0PsaLQTE6sRqcQLghnQVJhIxYECqEODoQ\
+    sRm17nJAu/QMj3GRnNVzUTM+bxczopRntppe+hqenNAcx1Snv3lGblw0d/ZfZWExkpPMP0IhJwu2ZEzA\
+    LCgc95w/uVOTzSd9d7qwr9yBu2K0fpAAsYdTyHRCL+iLaxBf5/F019DFOFbC+HY8PgVOH+y2uicK/5td\
+    3lpfzjm302eDDxJ98+O2Cpt9R7yQEWCOVWvH26Z2k2BgXSmsovxqvtu5xVKvLOkpKEZyHpGgiumpSxS+\
+    0TE5Dgh2eQBJhmSkrysKbFWB0QUCQXAaH7BbQMhftKfIJ0W7ckeNilyZDGh2dVlN7Ohl1Bq0L0wvgvNm\
+    prFne3uCYmddE2F1Xrh/rwbDZvzKf5WRT+DJStdIOVxSV8c4PHkLnls1/XllgaM/9uNEgMtyWKOBHDmY\
+    FqCWnsMMlgoB8IGDIJKuDCSJuVNQVBuLGiDDrVye16dJpOS9B0uBt3sntvgy/PKSooVuamq3A8k/LzGc\
+    Ffw9fIOLccKfFhhIcbllN9y1C2kYBHo6Lxxb5yNPmUsIdFAsRkg5cWaHh/gA1uEAXDIzttF2WYJEZfej\
+    6Hd+dWAJfowOAEnAe0KPz2KZBxocJRhndjFp6gxpapesa1mmd2dhu7aqZptAbmCt5tUyXNsjguGCmbqQ\
+    7cMc5zKLQbu/U0K8i2SD1pxrMgxa4UkKsTVWeMUKKzufCllPdYiiLmAgIZUO3xxK0vsQ45Cq+9xhlWWG\
+    61olnlqyx9EoffQh3IAR1HO0twEXqCt+BNU5x2ue3cpgZhwWBLfDBpyRWpeW3eGkbHtLt9OYolQCOMRO\
+    kLKMEyM1k/pfrtYOl6NDYbEKwJY3NdkKaFG5ROs5dbIcO1IZ8kyzMfhyTRYkNqLAW+ISRTl0+MdPaIU6\
+    MtVHA2h7fpsVw6NxoaASIdEhNIaOy0NRIFZQILsvXSTM3pcHmYkk6QhgIcN/s/anc7KWNsS/TQsvuzXE\
+    wFS4GDsAv+rPG3jAvrh/MqMAgMAh2GWI9LBaYgFngrA3U2xNGho69jFG2QtcVgc93kyns1cQuGWSL2li\
+    xdDGcwUjTetjegNJUehiz2ZJ7qadQlNPvJOT1dpOcPWKH/moz6gNOrw2LrRHZAOLdiS6arcmCWm/Xhq8\
+    gznKn7k178w0lRatnGUspBOZDXMNedYjPvKLmGV01ZhUUcET6wWpsbjLLhdEpfMMICW4HZI9GamENvEE\
+    jZkHzjEXJGWSMFnIvcxLUaWJW/MOqMmjjaabctRzo7dCJ8dKAN2l03UMkkyjF2s1DKlVSkrK+6Mwnnt7\
+    smF1k3BWU0ctt5BGU8xjP2Vm4npBPTEhpwUJ6LsfZ4pLANddBDHELDAerLuPcWuVc/hnbVxAIUpYK3AS\
+    eWKi1gdfCymQWaI15OTKSwtXGNUh7bObbmkzjRofhRgTLCmnXhgL9pmX1SUcfck1drunDjjAPPsl3oO2\
+    99e17AV4CMMugYKXsJZwl6BekOYG1ygz1DgUB0mDPaFVDucPbokk8DMtLOrKu+Bu9rOa7+MdxwYJ+mMj\
+    Leae9+MURrdHwtYhvaSdDPA8O1h8sGhck2ewpLR3dGCHeyeJsEws1IiCnRa2cqxA+LxenDJV1WeGjWog\
+    d+MiNioBJ+kzpLpeAFohLlJG5zmHijRc/O4OYbzvH/NisQARHwX3ScApN7qAjG49j2fwJgcrKCNylIo4\
+    m4CYr3v+mJpFf/v5QyZ8UujroFWV67dujs9/Cre9D31ylzSP2c8CCOg2X9M6bEfY1mzMsGaLau3oXgR2";
+
+const PUBLIC_KEY_768_TESTING: &str = "d7qwr9yBu2K0fpAAsYdTyHRCL+iLaxBf5/F019DFOFbC+HY8PgVOH+y2uicK/5td3lpfzjm302eDDxJ9\
+8+O2Cpt9R7yQEWCOVWvH26Z2k2BgXSmsovxqvtu5xVKvLOkpKEZyHpGgiumpSxS+0TE5Dgh2eQBJhmSk\
+rysKbFWB0QUCQXAaH7BbQMhftKfIJ0W7ckeNilyZDGh2dVlN7Ohl1Bq0L0wvgvNmprFne3uCYmddE2F1\
+Xrh/rwbDZvzKf5WRT+DJStdIOVxSV8c4PHkLnls1/XllgaM/9uNEgMtyWKOBHDmYFqCWnsMMlgoB8IGD\
+IJKuDCSJuVNQVBuLGiDDrVye16dJpOS9B0uBt3sntvgy/PKSooVuamq3A8k/LzGcFfw9fIOLccKfFhhI\
+cbllN9y1C2kYBHo6Lxxb5yNPmUsIdFAsRkg5cWaHh/gA1uEAXDIzttF2WYJEZfej6Hd+dWAJfowOAEnA\
+e0KPz2KZBxocJRhndjFp6gxpapesa1mmd2dhu7aqZptAbmCt5tUyXNsjguGCmbqQ7cMc5zKLQbu/U0K8\
+i2SD1pxrMgxa4UkKsTVWeMUKKzufCllPdYiiLmAgIZUO3xxK0vsQ45Cq+9xhlWWG61olnlqyx9EoffQh\
+3IAR1HO0twEXqCt+BNU5x2ue3cpgZhwWBLfDBpyRWpeW3eGkbHtLt9OYolQCOMROkLKMEyM1k/pfrtYO\
+l6NDYbEKwJY3NdkKaFG5ROs5dbIcO1IZ8kyzMfhyTRYkNqLAW+ISRTl0+MdPaIU6MtVHA2h7fpsVw6Nx\
+oaASIdEhNIaOy0NRIFZQILsvXSTM3pcHmYkk6QhgIcN/s/anc7KWNsS/TQsvuzXEwFS4GDsAv+rPG3jA\
+vrh/MqMAgMAh2GWI9LBaYgFngrA3U2xNGho69jFG2QtcVgc93kyns1cQuGWSL2lixdDGcwUjTetjegNJ\
+Uehiz2ZJ7qadQlNPvJOT1dpOcPWKH/moz6gNOrw2LrRHZAOLdiS6arcmCWm/Xhq8gznKn7k178w0lRat\
+nGUspBOZDXMNedYjPvKLmGV01ZhUUcET6wWpsbjLLhdEpfMMICW4HZI9GamENvEEjZkHzjEXJGWSMFnI\
+vcxLUaWJW/MOqMmjjaabctRzo7dCJ8dKAN2l03UMkkyjF2s1DKlVSkrK+6Mwnnt7smF1k3BWU0ctt5BG\
+U8xjP2Vm4npBPTEhpwUJ6LsfZ4pLANddBDHELDAerLuPcWuVc/hnbVxAIUpYK3ASeWKi1gdfCymQWaI1\
+5OTKSwtXGNUh7bObbmkzjRofhRgTLCmnXhgL9pmX1SUcfck1drunDjjAPPsl3oO299e17AV4CMMugYKX\
+sJZwl6BekOYG1ygz1DgUB0mDPaFVDucPbokk8DMtLOrKu+Bu9rOa7+MdxwYJ+mMjLeae9+MURrdHwtYh\
+vaSdDPA8O1h8sGhck2ewpLR3dGCHeyeJsEws1IiCnRa2cqxA+LxenDJV1WeGjWogd+MiNioBJ+kzpLpe\
+AFohLlJG5zmHijRc/O4OYbzvH/NisQARHwX3ScApN7qAjG49j2fwJgcrKCM=";
+
 const TICKET_RESPONSE_JSON: &str = r#"{
   "result": {
     "algorithm": "AES-256-GCM",
@@ -44,6 +106,22 @@ const TICKET_RESPONSE_JSON: &str = r#"{
 }"#;
 const TICKET_ID: &str = "c6s9FAa5fhb854BVMckqUBJ4hOXg2iE5i1FYPCuktks4eNZD";
 
+fn get_keypair() -> Result<([u8; SECRET_KEY_SIZE], [u8; PUBLIC_KEY_SIZE])> {
+    let kem_private_key_bytes = general_purpose::STANDARD
+        .decode(PRIVATE_KEY_768_TESTING)
+        .map_err(|e| anyhow::format_err!("Failed to decode base64 KEM private key: {}", e))?;
+    let kem_private_key_bytes: [u8; SECRET_KEY_SIZE] = kem_private_key_bytes
+        .try_into()
+        .map_err(|_| anyhow::format_err!("Invalid KEM private key size"))?;
+    let kem_public_key_bytes = general_purpose::STANDARD
+        .decode(PUBLIC_KEY_768_TESTING)
+        .map_err(|e| anyhow::format_err!("Failed to decode base64 KEM public key: {}", e))?;
+    let kem_public_key_bytes: [u8; PUBLIC_KEY_SIZE] = kem_public_key_bytes
+        .try_into()
+        .map_err(|_| anyhow::format_err!("Invalid KEM public key size"))?;
+    Ok((kem_private_key_bytes, kem_public_key_bytes))
+}
+
 // Helper to create a ServerRestApi pointing to mockito server
 // Helper to create a mockito server and a ServerRestApi pointing to it
 async fn setup_server_and_api() -> (mockito::ServerGuard, UdsBrokerApi) {
@@ -89,6 +167,8 @@ async fn test_get_version() {
 async fn test_get_script() {
     log::setup_logging("debug", log::LogType::Tests);
     let (mut server, api) = setup_server_and_api().await;
+    let (privk, pubk) = get_keypair().unwrap();
+    let api = api.with_keys(privk, pubk);
     let _m = server
         .mock(
             "POST",
@@ -113,14 +193,14 @@ async fn test_get_script_fails() {
     let _m = server
         .mock(
             "POST",
-            mockito::Matcher::Regex(r"^/ticket/scrabler\?hostname=.*&version=.*$".to_string()),
+            mockito::Matcher::Regex(format!(r"^/{}/ticket", TICKET_ID)),
         )
         .match_header("content-type", "application/json")
         .with_body(result)
         .with_status(200)
         .create_async()
         .await;
-    let response = api.get_script("ticket", "scrabler").await;
+    let response = api.get_script(TICKET_ID, "scrabler").await;
     assert!(
         response.is_err(),
         "Get script succeeded unexpectedly: {:?}",