feat(keys): VerifyingKeys can be transcoded to/from SPKI DER/PEM

[jns-ps]

Summary by CodeRabbit

• New Features

  • Added support for exporting and importing verifying keys using standardized SPKI DER and PEM formats for Ed25519, Secp256k1, and Secp256r1.
  • Enabled saving verifying keys to PEM files and loading them from PEM files.

• Bug Fixes

  • Improved error handling for unsupported key types during encoding and decoding.

• Tests

  • Updated tests to verify SPKI DER and PEM serialization and deserialization for supported key types, including Ed25519.

• Chores

  • Updated cryptographic verification keys used in the system.
  • Upgraded Rust base image version in the build environment.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
prism	⬜️ Ignored (Inspect)	Visit Preview		Apr 15, 2025 8:14am

[coderabbitai]

Walkthrough

This change refactors the way verifying keys are serialized and deserialized in the codebase. It removes ad-hoc DER encoding/decoding methods and introduces standardized Subject Public Key Info (SPKI) DER and PEM methods for Ed25519, Secp256k1, and Secp256r1 key types. The test suite is updated to use these new SPKI-based methods, including serialization to and from PEM files, and explicit error handling is added for unsupported algorithms. The verification keys JSON file is updated with new key values. The Dockerfile updates the Rust base image version. No changes are made to the signatures of exported or public entities outside of the verifying key serialization/deserialization API.

Changes

File(s)	Change Summary
crates/keys/src/verifying_keys.rs	Removed to_der and from_algorithm_and_der methods; added SPKI-based DER/PEM serialization/deserialization methods with error handling for unsupported algorithms; updated imports.
crates/keys/src/tests.rs	Modified existing test to use SPKI DER encoding/decoding for verifying keys; added new test for SPKI PEM file serialization/deserialization; updated comments and excluded certain key types from tests.
verification_keys/keys.json	Replaced "base_vk" and "recursive_vk" hexadecimal strings with new verification key values; no structural changes.
Dockerfile	Updated Rust base image version from rust:1.83-slim-bookworm to rust:1.86-slim-bookworm; removed trailing newline.

Sequence Diagram(s)

sequenceDiagram
    participant Test
    participant VerifyingKey
    participant FileSystem

    Test->>VerifyingKey: to_spki_der()
    VerifyingKey->>VerifyingKey: to_spki_der_doc()
    VerifyingKey-->>Test: DER bytes

    Test->>VerifyingKey: from_spki_der(DER bytes)
    VerifyingKey->>VerifyingKey: from_spki(SubjectPublicKeyInfoRef)
    VerifyingKey-->>Test: VerifyingKey instance

    Test->>VerifyingKey: to_spki_pem_file(filename)
    VerifyingKey->>FileSystem: Write PEM file

    Test->>VerifyingKey: from_spki_pem_file(filename)
    VerifyingKey->>FileSystem: Read PEM file
    VerifyingKey->>VerifyingKey: from_spki(SubjectPublicKeyInfoRef)
    VerifyingKey-->>Test: VerifyingKey instance

Loading

Possibly related PRs

• feature(keys): crypto algorithm as enum #188: Introduces the CryptoAlgorithm enum used in the current PR for algorithm handling, directly related at the code level.
• refactor(common): use underlying VK types instead of Vec<u8> #150: Refactors internal representation of verifying keys from raw bytes to typed key structs, related to VerifyingKey but focusing on internal structure rather than serialization format.
• feature(keys): support der and sec1 as input formats separately #187: Adds DER and SEC1 format support methods to VerifyingKey; related in handling DER but does not implement SPKI PEM handling or remove old DER methods.

Poem

In the warren where keys are kept,
Old DER methods quietly slept.
SPKI now hops in with cheer,
Standardized bytes, no bugs to fear!
Ed and Secp, all in a line,
Encoded and parsed—now things are fine.
🐇✨

Tip

⚡💬 Agentic Chat (Pro Plan, General Availability)

• We're introducing multi-step agentic chat in review comments and issue comments, within and outside of PR's. This feature enhances review and issue discussions with the CodeRabbit agentic chat by enabling advanced interactions, including the ability to create pull requests directly from comments and add commits to existing pull requests.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4b8c675 and 01dbd13.

📒 Files selected for processing (1)

• Dockerfile (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: unused dependencies
• GitHub Check: unit-test
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: integration-test
• GitHub Check: build-and-push-image

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

crates/keys/src/tests.rs (1)

54-71: Add a verifying-key test for SPKI PEM files.

A previous reviewer suggested adding a test that reads verifying keys from SPKI PEM files, similar to the SigningKey tests. This would ensure consistent coverage of the new PEM-based functionality.

🧹 Nitpick comments (4)

crates/keys/src/verifying_keys.rs (4)

169-181: Consider returning typed errors for unimplemented algorithms.

For EIP-191 and Cosmos ADR-36, you currently bail with a generic message. Introducing a dedicated error variant (for example, a custom enum) can help downstream callers distinguish between actual decoding errors and “not implemented yet” scenarios.

---

187-191: Preserve underlying error details in the error message.

You’re discarding the original I/O error details with map_err(|_| anyhow!("Creating PKCS8 PEM file failed")). Retaining the original error message will make debugging issues easier:

-  .map_err(|_| anyhow!("Creating PKCS8 PEM file failed"))
+  .map_err(|err| anyhow!("Creating PKCS8 PEM file failed: {}", err))

---

193-215: Use a consistent approach to handle unsupported algorithms.

Just like in to_spki_der_doc, you bail out for EIP-191 and Cosmos ADR-36. Consider returning a typed error to unify your approach. This yields more clarity when distinguishing between a corrupted DER and an unimplemented algorithm.

---

222-227: Improve PEM label error message clarity.

Similar to writing the PEM file, you discard the underlying error with map_err(|_| anyhow!("Incorrect PEM label")). Preserving the original error details will help diagnose label mismatch cases:

-map_err(|_| anyhow!("Incorrect PEM label"))
+map_err(|err| anyhow!("Incorrect PEM label: {}", err))

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6c94076 and ba3b813.

📒 Files selected for processing (2)

• crates/keys/src/tests.rs (1 hunks)
• crates/keys/src/verifying_keys.rs (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: unused dependencies
• GitHub Check: integration-test
• GitHub Check: unit-test
• GitHub Check: build-and-push-image
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

crates/keys/src/verifying_keys.rs (1)

217-220: SPKI DER parsing logic looks good.

This straightforward wrapper on from_spki is clear and efficient. Great job!