Add E2EE API (#13820)

2 files changed, 48 insertions, 0 deletions

diff --git a/app/validators/ed25519_key_validator.rb b/app/validators/ed25519_key_validator.rb
new file mode 100644
index 000000000..00a448d5a
--- /dev/null
+++ b/app/validators/ed25519_key_validator.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class Ed25519KeyValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    return if value.blank?
+
+    key = Base64.decode64(value)
+
+    record.errors[attribute] << I18n.t('crypto.errors.invalid_key') unless verified?(key)
+  end
+
+  private
+
+  def verified?(key)
+    Ed25519.validate_key_bytes(key)
+  rescue ArgumentError
+    false
+  end
+end
diff --git a/app/validators/ed25519_signature_validator.rb b/app/validators/ed25519_signature_validator.rb
new file mode 100644
index 000000000..77a21b837
--- /dev/null
+++ b/app/validators/ed25519_signature_validator.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+class Ed25519SignatureValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    return if value.blank?
+
+    verify_key = Ed25519::VerifyKey.new(Base64.decode64(option_to_value(record, :verify_key)))
+    signature  = Base64.decode64(value)
+    message    = option_to_value(record, :message)
+
+    record.errors[attribute] << I18n.t('crypto.errors.invalid_signature') unless verified?(verify_key, signature, message)
+  end
+
+  private
+
+  def verified?(verify_key, signature, message)
+    verify_key.verify(signature, message)
+  rescue Ed25519::VerifyError, ArgumentError
+    false
+  end
+
+  def option_to_value(record, key)
+    if options[key].is_a?(Proc)
+      options[key].call(record)
+    else
+      record.public_send(options[key])
+    end
+  end
+end