Add keyid to reference implementation.

Author: MarkLodato

implementation/ecdsa.py

@@ -28,6 +28,10 @@ def sign(self, message: bytes) -> bytes:
         h = SHA256.new(message)
         return DSS.new(self.secret_key, 'deterministic-rfc6979').sign(h)
 
+    def keyid(self) -> str:
+        """Returns a fingerprint of the public key."""
+        return Verifier(self.public_key).keyid()
+
 
 class Verifier:
     def __init__(self, public_key):
@@ -41,3 +45,10 @@ def verify(self, message: bytes, signature: bytes) -> bool:
             return True
         except ValueError:
             return False
+
+    def keyid(self) -> str:
+        """Returns a fingerprint of the public key."""
+        # Note: This is a hack for demonstration purposes. A proper fingerprint
+        # should be used.
+        key = self.public_key.export_key(format='OpenSSH').encode('ascii')
+        return SHA256.new(key).hexdigest()[:8]

implementation/signing_spec.py

@@ -26,7 +26,8 @@
 >>> pprint(json.loads(signature_json))
 {'payload': 'aGVsbG8gd29ybGQ=',
  'payloadType': 'http://example.com/HelloWorld',
- 'signatures': [{'sig': 'A3JqsQGtVsJ2O2xqrI5IcnXip5GToJ3F+FnZ+O88SjtR6rDAajabZKciJTfUiHqJPcIAriEGAHTVeCUjW2JIZA=='}]}
+ 'signatures': [{'keyid': '66301bbf',
+                 'sig': 'A3JqsQGtVsJ2O2xqrI5IcnXip5GToJ3F+FnZ+O88SjtR6rDAajabZKciJTfUiHqJPcIAriEGAHTVeCUjW2JIZA=='}]}
 
 Verification example:
 
@@ -43,20 +44,28 @@
 import base64, binascii, dataclasses, json, struct
 
 # Protocol requires Python 3.8+.
-from typing import Iterable, List, Protocol, Tuple
+from typing import Iterable, List, Optional, Protocol, Tuple
 
 
 class Signer(Protocol):
     def sign(self, message: bytes) -> bytes:
         """Returns the signature of `message`."""
         ...
 
+    def keyid(self) -> Optional[str]:
+        """Returns the ID of this key, or None if not supported."""
+        ...
+
 
 class Verifier(Protocol):
     def verify(self, message: bytes, signature: bytes) -> bool:
         """Returns true if `message` was signed by `signature`."""
         ...
 
+    def keyid(self) -> Optional[str]:
+        """Returns the ID of this key, or None if not supported."""
+        ...
+
 
 # Collection of verifiers, each of which is associated with a name.
 VerifierList = Iterable[Tuple[str, Verifier]]
@@ -88,14 +97,16 @@ def PAE(payloadType: str, payload: bytes) -> bytes:
 
 
 def Sign(payloadType: str, payload: bytes, signer: Signer) -> str:
+    signature = {
+        'keyid': signer.keyid(),
+        'sig': b64enc(signer.sign(PAE(payloadType, payload))),
+    }
+    if not signature['keyid']:
+        del signature['keyid']
     return json.dumps({
-        'payload':
-        b64enc(payload),
-        'payloadType':
-        payloadType,
-        'signatures': [{
-            'sig': b64enc(signer.sign(PAE(payloadType, payload)))
-        }],
+        'payload': b64enc(payload),
+        'payloadType': payloadType,
+        'signatures': [signature],
     })
 
 
@@ -107,6 +118,10 @@ def Verify(json_signature: str, verifiers: VerifierList) -> VerifiedPayload:
     recognizedSigners = []
     for signature in wrapper['signatures']:
         for name, verifier in verifiers:
+            if (signature.get('keyid') is not None and
+                verifier.keyid() is not None and
+                signature.get('keyid') != verifier.keyid()):
+                continue
             if verifier.verify(pae, b64dec(signature['sig'])):
                 recognizedSigners.append(name)
     if not recognizedSigners: