Disallow setting FactorSource for ROLA to one with an unsupported/dis…

apple/Tests/TestCases/Profile/MFA/SecurityShieldsBuilderTests.swift

@@ -104,6 +104,9 @@ struct ShieldTests {
 
 		#expect(builder.validate() == .ConfirmationRoleMustHaveAtLeastOneFactor)
 		builder.addFactorSourceToConfirmationOverride(factorSourceId: .sampleArculus)
+
+		builder.setAuthenticationSigningFactor(new: .sampleDevice)
+
 		#expect(builder.validate() == nil)
 		#expect((try? builder.build()) != nil)
 	}
@@ -173,6 +176,8 @@ struct ShieldTests {
 		builder.addFactorSourceToRecoveryOverride(factorSourceId: .sampleArculus)
 		builder.addFactorSourceToConfirmationOverride(factorSourceId: .sampleArculusOther)
 
+		builder.setAuthenticationSigningFactor(new: .sampleDevice)
+
 		let shield = try! builder.build()
 
 		#expect(shield.matrixOfFactors.primaryRole.overrideFactors.isEmpty)
@@ -205,6 +210,8 @@ struct ShieldTests {
 		builder.removeFactorFromPrimary(factorSourceId: .sampleArculusOther)
 		builder.removeFactorFromRecovery(factorSourceId: .sampleLedgerOther)
 
+		builder.setAuthenticationSigningFactor(new: .sampleDevice)
+
 		// Validate
 		#expect(builder.validate() == nil)
 

crates/sargon-uniffi/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "sargon-uniffi"
 # Don't forget to update version in crates/sargon/Cargo.toml
-version = "1.1.92"
+version = "1.1.93"
 edition = "2021"
 build = "build.rs"
 

crates/sargon-uniffi/src/core/error/common_error.rs

@@ -862,6 +862,15 @@ pub enum CommonError {
 
     #[error("Cannot securify entity that has provisional security config")]
     CannotSecurifyEntityHasProvisionalSecurityConfig = 10241,
+
+    #[error("Too few FactorInstances derived")]
+    TooFewFactorInstancesDerived = 10242,
+
+    #[error("Missing Authentication Signing FactorInstance mapping SecurityStructureOfFactorSources into SecurityStructureOfFactorInstances.")]
+    MissingRolaKeyForSecurityStructureOfFactorInstances = 10243,
+
+    #[error("SecurityStateAccessController address mismatch")]
+    SecurityStateAccessControllerAddressMismatch = 10244,
 }
 
 #[uniffi::export]

crates/sargon-uniffi/src/keys_collector/derivation_purpose.rs

@@ -23,6 +23,10 @@ pub enum DerivationPurpose {
     /// for identity MFA
     SecurifyingPersona,
 
+    /// When applying a security shield to accounts and personas mixed, initiates keys collection
+    /// for account MFA
+    SecurifyingAccountsAndPersonas,
+
     /// When adding a new factor source, initiates keys collection
     /// for collecting various factor instances.
     PreDerivingKeys,

crates/sargon-uniffi/src/profile/mfa/security_structures/security_shield_builder.rs

@@ -109,6 +109,11 @@ impl SecurityShieldBuilder {
         self.get(|builder| builder.get_name())
     }
 
+    pub fn get_authentication_signing_factor(&self) -> Option<FactorSourceID> {
+        self.get(|builder| builder.get_authentication_signing_factor())
+            .map(|x| x.into())
+    }
+
     pub fn get_primary_threshold_factors(&self) -> Vec<FactorSourceID> {
         self.get_factors(|builder| builder.get_primary_threshold_factors())
     }
@@ -135,6 +140,17 @@ impl SecurityShieldBuilder {
         self.set(|builder| builder.set_name(&name));
     }
 
+    pub fn set_authentication_signing_factor(
+        &self,
+        new: Option<FactorSourceID>,
+    ) {
+        self.set(|builder| {
+            builder.set_authentication_signing_factor(
+                new.clone().map(|x| x.into_internal()),
+            )
+        });
+    }
+
     pub fn remove_factor_from_all_roles(
         &self,
         factor_source_id: FactorSourceID,
@@ -236,6 +252,29 @@ impl SecurityShieldBuilder {
 
 #[uniffi::export]
 impl SecurityShieldBuilder {
+    /// "Statically" queries which FactorSourceKinds are disallowed for authentication signing.
+    pub fn disallowed_factor_source_kinds_for_authentication_signing(
+        &self,
+    ) -> Vec<FactorSourceKind> {
+        sargon::SecurityShieldBuilder::disallowed_factor_source_kinds_for_authentication_signing().into_type()
+    }
+
+    /// "Statically" queries which FactorSourceKinds are allowed for authentication signing.
+    pub fn allowed_factor_source_kinds_for_authentication_signing(
+        &self,
+    ) -> Vec<FactorSourceKind> {
+        sargon::SecurityShieldBuilder::allowed_factor_source_kinds_for_authentication_signing().into_type()
+    }
+
+    /// "Statically" queries if `factor_source_kind`` is allowed for authentication signing.
+    pub fn is_allowed_factor_source_kind_for_authentication_signing(
+        &self,
+        factor_source_kind: FactorSourceKind,
+    ) -> bool {
+        sargon::SecurityShieldBuilder::is_allowed_factor_source_kind_for_authentication_signing(
+                factor_source_kind.clone().into())
+    }
+
     pub fn addition_of_factor_source_of_kind_to_primary_threshold_is_fully_valid(
         &self,
         factor_source_kind: FactorSourceKind,
@@ -545,6 +584,35 @@ mod tests {
     #[allow(clippy::upper_case_acronyms)]
     type SUT = SecurityShieldBuilder;
 
+    #[test]
+    fn rola() {
+        let sut = SUT::new();
+        assert_eq!(sut.disallowed_factor_source_kinds_for_authentication_signing().len(), sargon::SecurityShieldBuilder::disallowed_factor_source_kinds_for_authentication_signing().len());
+
+        assert_eq!(sut.allowed_factor_source_kinds_for_authentication_signing().len(), sargon::SecurityShieldBuilder::allowed_factor_source_kinds_for_authentication_signing().len());
+
+        assert!(
+            sut.is_allowed_factor_source_kind_for_authentication_signing(
+                FactorSourceKind::Device
+            )
+        );
+        assert!(
+            !sut.is_allowed_factor_source_kind_for_authentication_signing(
+                FactorSourceKind::Password
+            )
+        );
+        assert!(
+            !sut.is_allowed_factor_source_kind_for_authentication_signing(
+                FactorSourceKind::TrustedContact
+            )
+        );
+        assert!(
+            !sut.is_allowed_factor_source_kind_for_authentication_signing(
+                FactorSourceKind::SecurityQuestions
+            )
+        );
+    }
+
     #[test]
     fn test() {
         let sut = SUT::new();
@@ -756,6 +824,18 @@ mod tests {
         sut.remove_factor_from_confirmation(f.clone());
         assert_eq!(xs, sut.get_confirmation_factors());
 
+        assert_eq!(
+            sut.validate().unwrap(),
+            SecurityShieldBuilderInvalidReason::MissingAuthSigningFactor
+        );
+        sut.set_authentication_signing_factor(Some(
+            FactorSourceID::sample_device_other(),
+        ));
+        assert_eq!(
+            sut.get_authentication_signing_factor(),
+            Some(FactorSourceID::sample_device_other())
+        );
+
         let v0 = sut.validate();
         let v1 = sut.validate(); // can call validate many times!
         assert_eq!(v0, v1);
@@ -764,6 +844,10 @@ mod tests {
         let shield = sut.build().unwrap(); // can call build many times!
         assert_eq!(shield0, shield);
 
+        assert_eq!(
+            shield.authentication_signing_factor,
+            FactorSourceID::sample_device_other()
+        );
         assert_eq!(shield.metadata.display_name.value, "S.H.I.E.L.D.");
         assert_eq!(
             shield.matrix_of_factors.primary_role.override_factors,

crates/sargon-uniffi/src/profile/mfa/security_structures/security_shield_builder_invalid_reason.rs

@@ -8,6 +8,9 @@ use thiserror::Error as ThisError;
     Clone, Debug, ThisError, PartialEq, InternalConversion, uniffi::Error,
 )]
 pub enum SecurityShieldBuilderInvalidReason {
+    #[error("Auth Signing Factor Missing")]
+    MissingAuthSigningFactor,
+
     #[error("Shield name is invalid")]
     ShieldNameInvalid,
 

crates/sargon-uniffi/src/profile/mfa/security_structures/security_structures/security_structure_of_factor_source_ids.rs

@@ -15,6 +15,9 @@ pub struct SecurityStructureOfFactorSourceIDs {
     /// The structure of factors to use for certain roles, Primary, Recovery
     /// and Confirmation role.
     pub matrix_of_factors: MatrixOfFactorSourceIDs,
+
+    /// The factor to use for authentication signing aka true Rola Key.
+    pub authentication_signing_factor: FactorSourceID,
 }
 
 delegate_debug_into!(

crates/sargon-uniffi/src/profile/mfa/security_structures/security_structures/security_structure_of_factor_sources.rs

@@ -12,6 +12,9 @@ pub struct SecurityStructureOfFactorSources {
     /// The structure of factors to use for certain roles, Primary, Recovery
     /// and Confirmation role.
     pub matrix_of_factors: MatrixOfFactorSources,
+
+    /// The factor to use for authentication signing aka true Rola Key.
+    pub authentication_signing_factor: FactorSource,
 }
 
 #[uniffi::export]

crates/sargon/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "sargon"
 # Don't forget to update version in crates/sargon-uniffi/Cargo.toml
-version = "1.1.92"
+version = "1.1.93"
 edition = "2021"
 build = "build.rs"
 

crates/sargon/src/core/error/common_error.rs

@@ -859,6 +859,15 @@ pub enum CommonError {
 
     #[error("Cannot securify entity that has provisional security config")]
     CannotSecurifyEntityHasProvisionalSecurityConfig = 10241,
+
+    #[error("Too few FactorInstances derived")]
+    TooFewFactorInstancesDerived = 10242,
+
+    #[error("Missing Authentication Signing FactorInstance mapping SecurityStructureOfFactorSources into SecurityStructureOfFactorInstances.")]
+    MissingRolaKeyForSecurityStructureOfFactorInstances = 10243,
+
+    #[error("SecurityStateAccessController address mismatch")]
+    SecurityStateAccessControllerAddressMismatch = 10244,
 }
 
 impl CommonError {

crates/sargon/src/core/types/keys/key_agreement/private_key.rs

@@ -156,7 +156,6 @@ mod tests {
     fn public_key() {
         let private_key = SUT::sample();
         let public_key = private_key.public_key();
-        println!("{:?}", public_key);
         assert_eq!(
             public_key,
              KeyAgreementPublicKey::from_hex("8679bc1fe3210b2ce84793668b05218fdc4c220bc05387b7d2ac0d4c7b7c5d10".to_owned())

crates/sargon/src/factor_instances_provider/agnostic_paths/derivation_preset.rs

@@ -24,6 +24,12 @@ pub enum DerivationPreset {
     #[debug("A-MFA")]
     AccountMfa,
 
+    /// Used to form DerivationPaths used to derive FactorInstances
+    /// for Authentication Signing (Securified) for accounts
+    /// `(EntityKind::Account, KeySpace::Securified, KeyKind::AuthenticationSigning)`
+    #[debug("A-Rola")]
+    AccountRola,
+
     /// Used to form DerivationPaths used to derive FactorInstances
     /// for "veci": Virtual Entity Creating (Factor)Instance for personas.
     /// `(EntityKind::Identity, KeySpace::Unsecurified, KeyKind::TransactionSigning)`
@@ -35,6 +41,12 @@ pub enum DerivationPreset {
     /// `(EntityKind::Identity, KeySpace::Securified, KeyKind::TransactionSigning)`
     #[debug("I-MFA")]
     IdentityMfa,
+
+    /// Used to form DerivationPaths used to derive FactorInstances
+    /// for Authentication Signing (Securified) for peresonas
+    /// `(EntityKind::Identity, KeySpace::Securified, KeyKind::AuthenticationSigning)`
+    #[debug("I-Rola")]
+    IdentityRola,
 }
 
 // =============
@@ -63,6 +75,15 @@ impl DerivationPreset {
             CAP26EntityKind::Identity => Self::IdentityMfa,
         }
     }
+
+    /// Selects a `DerivationPreset` for MFA based on `CAP26EntityKind`,
+    /// i.e. either `DerivationPreset::AccountRola` or `DerivationPreset::IdentityRola`.
+    pub fn rola_entity_kind(entity_kind: CAP26EntityKind) -> Self {
+        match entity_kind {
+            CAP26EntityKind::Account => Self::AccountRola,
+            CAP26EntityKind::Identity => Self::IdentityRola,
+        }
+    }
 }
 
 // =============
@@ -72,8 +93,12 @@ impl DerivationPreset {
     /// Returns the `CAP26EntityKind` of the `DerivationPreset`.
     pub fn entity_kind(&self) -> CAP26EntityKind {
         match self {
-            Self::AccountVeci | Self::AccountMfa => CAP26EntityKind::Account,
-            Self::IdentityVeci | Self::IdentityMfa => CAP26EntityKind::Identity,
+            Self::AccountVeci | Self::AccountMfa | Self::AccountRola => {
+                CAP26EntityKind::Account
+            }
+            Self::IdentityVeci | Self::IdentityMfa | Self::IdentityRola => {
+                CAP26EntityKind::Identity
+            }
         }
     }
 
@@ -84,6 +109,9 @@ impl DerivationPreset {
             | Self::IdentityVeci
             | Self::AccountMfa
             | Self::IdentityMfa => CAP26KeyKind::TransactionSigning,
+            Self::AccountRola | Self::IdentityRola => {
+                CAP26KeyKind::AuthenticationSigning
+            }
         }
     }
 
@@ -96,7 +124,10 @@ impl DerivationPreset {
                     is_hardened: true,
                 }
             }
-            Self::AccountMfa | Self::IdentityMfa => KeySpace::Securified,
+            Self::AccountMfa
+            | Self::IdentityMfa
+            | Self::AccountRola
+            | Self::IdentityRola => KeySpace::Securified,
         }
     }
 
@@ -136,4 +167,28 @@ mod tests {
     fn inequality() {
         assert_ne!(SUT::sample(), SUT::sample_other());
     }
+
+    #[test]
+    fn test_mfa_entity_kind() {
+        assert_eq!(
+            SUT::mfa_entity_kind(CAP26EntityKind::Account),
+            SUT::AccountMfa
+        );
+        assert_eq!(
+            SUT::mfa_entity_kind(CAP26EntityKind::Identity),
+            SUT::IdentityMfa
+        );
+    }
+
+    #[test]
+    fn test_rola_entity_kind() {
+        assert_eq!(
+            SUT::rola_entity_kind(CAP26EntityKind::Account),
+            SUT::AccountRola
+        );
+        assert_eq!(
+            SUT::rola_entity_kind(CAP26EntityKind::Identity),
+            SUT::IdentityRola
+        );
+    }
 }