Update crypto libraries (bluesky-social#3335)

* update crypto libs & use new format option * reinstall deps * changeset
brianolson · Jan 7, 2025 · 1abfd74 · 1abfd74
1 parent 513b832
commit 1abfd74
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 25 deletions.
diff --git a/.changeset/lucky-sloths-tie.md b/.changeset/lucky-sloths-tie.md
@@ -0,0 +1,5 @@
+---
+"@atproto/crypto": patch
+---
+
+Update noble crypto libraries
diff --git a/packages/aws/package.json b/packages/aws/package.json
@@ -26,7 +26,7 @@
     "@aws-sdk/client-kms": "^3.196.0",
     "@aws-sdk/client-s3": "^3.224.0",
     "@aws-sdk/lib-storage": "^3.226.0",
-    "@noble/curves": "^1.1.0",
+    "@noble/curves": "^1.7.0",
     "key-encoder": "^2.0.3",
     "multiformats": "^9.9.0",
     "uint8arrays": "3.0.0"

diff --git a/packages/crypto/package.json b/packages/crypto/package.json
@@ -20,8 +20,8 @@
     "build": "tsc --build tsconfig.build.json"
   },
   "dependencies": {
-    "@noble/curves": "^1.1.0",
-    "@noble/hashes": "^1.3.1",
+    "@noble/curves": "^1.7.0",
+    "@noble/hashes": "^1.6.1",
     "uint8arrays": "3.0.0"
   },
   "devDependencies": {

diff --git a/packages/crypto/src/p256/operations.ts b/packages/crypto/src/p256/operations.ts
@@ -28,12 +28,8 @@ export const verifySig = async (
 ): Promise<boolean> => {
   const allowMalleable = opts?.allowMalleableSig ?? false
   const msgHash = await sha256(data)
-  // parse as compact sig to prevent signature malleability
-  // library supports sigs in 2 different formats: https://github.com/paulmillr/noble-curves/issues/99
-  if (!allowMalleable && !isCompactFormat(sig)) {
-    return false
-  }
   return p256.verify(sig, msgHash, publicKey, {
+    format: allowMalleable ? undefined : 'compact', // prevent DER-encoded signatures
     lowS: !allowMalleable,
   })
 }

diff --git a/packages/crypto/src/secp256k1/operations.ts b/packages/crypto/src/secp256k1/operations.ts
@@ -28,12 +28,8 @@ export const verifySig = async (
 ): Promise<boolean> => {
   const allowMalleable = opts?.allowMalleableSig ?? false
   const msgHash = await sha256(data)
-  // parse as compact sig to prevent signature malleability
-  // library supports sigs in 2 different formats: https://github.com/paulmillr/noble-curves/issues/99
-  if (!allowMalleable && !isCompactFormat(sig)) {
-    return false
-  }
   return k256.verify(sig, msgHash, publicKey, {
+    format: allowMalleable ? undefined : 'compact', // prevent DER-encoded signatures
     lowS: !allowMalleable,
   })
 }

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml