Is there a DAML library I can use to verify an RSA signature using a private key?

Hi there,

It’s probably not the case but still, I was wondering if there is a DAML library that would allow me to verify a payload signature in a choice, given the payload (a Text), the signature itself (both choice parameters), and a public key (held inside the contract).

regards,
Emil

1 Like

Other than using Text.sha256 to hash a String, there are no other cryptographic primitives in Daml, and it’s best to rely on Daml’s built-in signatory functionality. Do you have a specific use case where you’re trying to do this?

1 Like

It would be part of a defense in depth mechanism. I am working on a secure compute node inventory solution where each potential node is a DAML party, but also each node generates its own RSA key pair for encrypting data in transit and signing payloads. The public key is then registered in the DAML contract. A node would not be allowed to come up if not authorized by the DAML contract. Each node would then send status updates and life beat messages to the contract authenticated as its own party.

These compute nodes run highly sensitive workloads so as a second layer of defense I was thinking that with each life beat and status update, the node could also send the signatures of its identity (party name) and the contract could verify the signature.

This would protect against the situation where a node’s identity info is compromised and the attacker manages to craft an imposter JWT. Since the RSA key pair is only generated in memory in the compute node and it is regularly rotated, it would be much more difficult for the attacker to also break this 2nd defense layer.

It’s OK if this is not available, there are other ways to implement this 2nd layer of defense.

regards,
Emil.

1 Like

As @anthony said, there are no cryptography primitives in Daml, and as always I’d recommend thinking long and hard before embarking on a project to write your own.

But this may not be so much of a problem for your use-case, as there is nothing that forces your client nodes to be themselves written in Daml. You can make each node/party a gRPC client of the ledger and write them in Java, using all the existing Java crypto libraries you want.

The only downside here is that the Daml ledger will not be able to check the signatures (i.e. they will not be checked as an ensure clause) but what you can have is a trigger-like (also not written in Daml) bot that signs the heartbeats after having checked the signatures, and the rest of your system would only consider a heartbeat valid if it has been signed by that bot.

1 Like
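
The off-ledger check suggested in the last reply, sketched as an added example (not code from any poster or from the Daml project): a Java routine a verifier bot could run on each heartbeat before countersigning it on the ledger. The class name, the payload layout and the Base64 encoding of key and signature are assumptions, the key pair is constructed in `main` to stand in for a node's in-memory key, and the ledger API calls are left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

public class HeartbeatVerifier {
    // Verify a Base64 RSA signature over the payload text, using the
    // Base64 X.509 public key the node registered in its contract.
    static boolean verify(String payload, String signatureB64, String publicKeyB64) {
        try {
            PublicKey key = KeyFactory.getInstance("RSA").generatePublic(
                new X509EncodedKeySpec(Base64.getDecoder().decode(publicKeyB64)));
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            sig.update(payload.getBytes(StandardCharsets.UTF_8));
            return sig.verify(Base64.getDecoder().decode(signatureB64));
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // A malformed key or signature is treated as a failed check.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: stands in for the key pair a node generates in memory.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair node = gen.generateKeyPair();
        String registeredKey =
            Base64.getEncoder().encodeToString(node.getPublic().getEncoded());

        // Hypothetical payload: party name plus a heartbeat counter.
        String payload = "node-1::heartbeat::42";
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(node.getPrivate());
        signer.update(payload.getBytes(StandardCharsets.UTF_8));
        String signature = Base64.getEncoder().encodeToString(signer.sign());

        // Genuine heartbeat, then an altered payload, then a malformed signature.
        System.out.println(verify(payload, signature, registeredKey));
        System.out.println(verify("node-2::heartbeat::42", signature, registeredKey));
        System.out.println(verify(payload, "not-base64!", registeredKey));
    }
}
```

The counter in the sample payload is there because a signature over the party name alone never changes, so a captured one could be replayed; the bot would also need to reject counters it has already seen.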