From a3a040ceca6bd1b812882c7567e125ebedcb7e96 Mon Sep 17 00:00:00 2001
From: Clement Delafargue
Date: Mon, 27 Jan 2025 10:29:17 +0100
Subject: [PATCH 1/2] `UnverifiedBiscuit.external_public_keys()` now returns `PublicKey`s
Same as `Biscuit`
---
 biscuit-auth/CHANGELOG.md | 1 +
 biscuit-auth/src/token/unverified.rs | 9 ++-------
 2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/biscuit-auth/CHANGELOG.md b/biscuit-auth/CHANGELOG.md
index 7cccffed..62152908 100644
--- a/biscuit-auth/CHANGELOG.md
+++ b/biscuit-auth/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Support for P256 signatures (#108)
 - `query_exactly_once()` (#260) (Baran Yildirim)
 - include algorithm prefix in public/private key strings (#261)
+- `UnverifiedBiscuit.external_public_keys()` now returns `PublicKey`s, not byte vecs (#263)
 # `5.0.0`
diff --git a/biscuit-auth/src/token/unverified.rs b/biscuit-auth/src/token/unverified.rs
index 20d07bae..fe707b66 100644
--- a/biscuit-auth/src/token/unverified.rs
+++ b/biscuit-auth/src/token/unverified.rs
@@ -216,16 +216,11 @@ impl UnverifiedBiscuit {
 /// Blocks carrying an external public key are _third-party blocks_
 /// and their contents can be trusted as coming from the holder of
 /// the corresponding private key
- pub fn external_public_keys(&self) -> Vec>> {
+ pub fn external_public_keys(&self) -> Vec> {
 let mut res = vec![None];
 for block in self.container.blocks.iter() {
- res.push(
- block
- .external_signature
- .as_ref()
- .map(|sig| sig.public_key.to_bytes().to_vec()),
- );
+ res.push(block.external_signature.as_ref().map(|sig| sig.public_key));
 }
 res
From 1066bd55d831a88393d55fae98edc29cebf5b275 Mon Sep 17 00:00:00 2001
From: Clement Delafargue
Date: Mon, 27 Jan 2025 11:42:25 +0100
Subject: [PATCH 2/2] UnverifiedBiscuit: add consistency tests with Biscuit
---
 biscuit-auth/src/token/unverified.rs | 41 ++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
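Review bot: The doc comment kept as context above `external_public_keys` in `unverified.rs` (first patch) says the contents of third-party blocks "can be trusted as coming from the holder of the corresponding private key", but on an `UnverifiedBiscuit` that only holds once the signatures have been checked; the type name and the `verify(root_key.public())` call in the second patch suggest they have not been at this point. Returning typed `PublicKey`s instead of byte vectors makes the values look more authoritative to a caller, so I would add a doc line such as `/// No signature has been checked on an UnverifiedBiscuit: treat these keys as untrusted until verify() has succeeded.` The start of the doc comment and the function's closing brace lie outside the hunk, so the comment may already say this higher up.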
diff --git a/biscuit-auth/src/token/unverified.rs b/biscuit-auth/src/token/unverified.rs
index fe707b66..6f45143d 100644
--- a/biscuit-auth/src/token/unverified.rs
+++ b/biscuit-auth/src/token/unverified.rs
@@ -374,3 +374,44 @@ impl UnverifiedBiscuit {
 self.append_third_party(&decoded)
 }
 }
+
+#[cfg(test)]
+mod tests {
+ use crate::{BiscuitBuilder, BlockBuilder, KeyPair};
+
+ use super::UnverifiedBiscuit;
+
+ #[test]
+ fn consistent_with_biscuit() {
+ let root_key = KeyPair::new();
+ let external_key = KeyPair::new();
+ let biscuit = BiscuitBuilder::new()
+ .fact("test(true)")
+ .unwrap()
+ .build(&root_key)
+ .unwrap()
+ .append(BlockBuilder::new().fact("test(false)").unwrap())
+ .unwrap();
+ let req = biscuit.third_party_request().unwrap();
+ let res = req
+ .create_block(
+ &external_key.private(),
+ BlockBuilder::new().fact("third_party(true)").unwrap(),
+ )
+ .unwrap();
+ let biscuit = biscuit
+ .append_third_party(external_key.public(), res)
+ .unwrap();
+
+ let unverified = UnverifiedBiscuit::from_base64(biscuit.to_base64().unwrap()).unwrap();
+
+ unverified.clone().verify(root_key.public()).unwrap();
+
+ assert_eq!(unverified.blocks, biscuit.blocks);
+
+ assert_eq!(
+ unverified.external_public_keys(),
+ biscuit.external_public_keys()
+ );
+ }
+}
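Review bot: `consistent_with_biscuit` only compares `UnverifiedBiscuit` with `Biscuit`, so it still passes if both `external_public_keys()` implementations are wrong in the same way, and it never checks that the returned key is the one that signed the third-party block. Pinning the expected value would close that gap: `assert_eq!(unverified.external_public_keys(), vec![None, None, Some(external_key.public())]);`, which matches the authority block, the first-party block and the third-party block built in this test. The existing cross-check against `biscuit.external_public_keys()` can stay alongside it.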