selfsdk 0.0.124 → 0.0.129

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: df6729e3320be7cc2abd4ea22a94ff757b8e8d72ee5e1f2b2ddbafed509483c4
-  data.tar.gz: c7202790ad7ac8c0fcb984a3c494983b08549e9e516b238cc247d869a630d2a2
+  metadata.gz: 7ba1c83bef5db464131c2343e7f81500c1e5175fd9f740b7563dad90613dd73c
+  data.tar.gz: 12c89161d2837b4f6dba855b43bd554fcb6380dbd207fe7482e9f9fcef4d8493
 SHA512:
-  metadata.gz: 860606a05e95e553e6c1e36c63b15a1e3b93922d56e0a58a773d911da0ea29d95f5395406b13124b005e05c468d1c2740308e55908decffc77eb79d6c569ac14
-  data.tar.gz: 7a3ba36d29276730966cc01ce4d2730c0613142ce6d844deb61380a3b3055596e724bfe78160061436cf43f9f510b49b7407a3a9eb107e0e057c094f9d8e7f32
+  metadata.gz: bd1a8234d5d4ba9ef9589ed41e2a60e9313aa2ba45d3de46f428db95e716125dc9213dff852025643e2c1bafc9342cb3e823eb435e3ed903947161d08c9252bb
+  data.tar.gz: 52c50572cf2587106fb160b3042faeb8c129d2bc35d8df9ee6a29a1b7617af7723be54a16b43190c774ed93a4d694a0cfacc85e0882b5867229f8fdd0ce0c390

data/lib/client.rb

@@ -59,11 +59,21 @@ module SelfSDK
     # Lists all public keys stored on self for the given ID
     #
     # @param id [string] identity id
+    # DEPRECATED
     def public_keys(id)
       i = entity(id)
       i[:public_keys]
     end
 
+    # Lists all public keys stored on self for the given ID
+    #
+    # @param id [string] identity id
+    def public_key(id, kid)
+      i = entity(id)
+      sg = SelfSDK::SignatureGraph.new(i[:history])
+      sg.key_by_id(kid)
+    end
+
     private
 
     def get_identity(endpoint)

data/lib/jwt_service.rb

@@ -5,7 +5,7 @@ require 'json'
 
 module SelfSDK
   class JwtService
-    attr_reader :id, :key
+    attr_reader :id, :key, :key_id
 
     # Jwt initializer
     #
@@ -13,7 +13,14 @@ module SelfSDK
     # @param app_key [string] the app api key provided by developer portal.
     def initialize(app_id, app_key)
       @id = app_id
-      @key = app_key
+      parts = app_key.split(':')
+      if parts.length > 1
+        @key_id = parts[0]
+        @key = parts[1]
+      else
+        @key_id = "1"
+        @key = app_key
+      end
     end
 
     # Prepares a jwt object based on an input
@@ -85,7 +92,7 @@ module SelfSDK
     private
 
     def header
-      encode({ alg: "EdDSA", typ: "JWT" }.to_json)
+      encode({ alg: "EdDSA", typ: "JWT", kid: "#{@key_id}" }.to_json)
     end
   end
 end

data/lib/messages/attestation.rb

@@ -15,7 +15,8 @@ module SelfSDK
         @to = payload[:sub]
         @audience = payload[:aud]
         @source = payload[:source]
-        @verified = valid_signature?(attestation)
+        header = JSON.parse(@messaging.jwt.decode(attestation[:protected]), symbolize_names: true)
+        @verified = valid_signature?(attestation, header[:kid])
         @expected_value = payload[:expected_value]
         @operator = payload[:operator]
         @fact_name = name.to_s
@@ -24,8 +25,8 @@ module SelfSDK
         end
       end
 
-      def valid_signature?(body)
-        k = @messaging.client.public_keys(@origin).first[:key]
+      def valid_signature?(body, kid)
+        k = @messaging.client.public_key(@origin, kid).raw_public_key
         raise ::StandardError.new("invalid signature") unless @messaging.jwt.verify(body, k)
 
         true

data/lib/messages/base.rb

@@ -72,13 +72,14 @@ module SelfSDK
 
         jwt = JSON.parse(body, symbolize_names: true)
         payload = JSON.parse(@jwt.decode(jwt[:payload]), symbolize_names: true)
+        header = JSON.parse(@jwt.decode(jwt[:protected]), symbolize_names: true)
         @from = payload[:iss]
-        verify! jwt
+        verify! jwt, header[:kid]
         payload
       end
 
-      def verify!(jwt)
-        k = @client.public_keys(@from).first[:key]
+      def verify!(jwt, kid)
+        k = @client.public_key(@from, kid).raw_public_key
         return if @jwt.verify(jwt, k)
 
         SelfSDK.logger.info "skipping message, invalid signature"

data/lib/messaging.rb

@@ -44,7 +44,7 @@ module SelfSDK
       @offset_file = "#{@storage_dir}/#{@jwt.id}:#{@device_id}.offset"
       @offset = read_offset
 
-      FileUtils.mkdir_p @storage_dir unless File.exists? @storage_dir
+      FileUtils.mkdir_p @storage_dir unless File.exist? @storage_dir
 
       if options.include? :ws
         @ws = options[:ws]

data/lib/selfsdk.rb

@@ -7,6 +7,7 @@ require 'net/http'
 require 'rqrcode'
 require_relative 'log'
 require_relative 'jwt_service'
+require_relative 'signature_graph'
 require_relative 'client'
 require_relative 'messaging'
 require_relative 'ntptime'
@@ -26,8 +27,8 @@ module SelfSDK
   # @attr_reader [Types] app_id the identifier of the current app.
   # @attr_reader [Types] app_key the api key for the current app.
   class App
-    BASE_URL = "https://api.selfid.net".freeze
-    MESSAGING_URL = "wss://messaging.selfid.net/v1/messaging".freeze
+    BASE_URL = "https://api.joinself.com".freeze
+    MESSAGING_URL = "wss://messaging.joinself.com/v1/messaging".freeze
 
     attr_reader :client
     attr_accessor :messaging_client
@@ -95,13 +96,13 @@ module SelfSDK
 
       def base_url(opts)
         return opts[:base_url] if opts.key? :base_url
-        return "https://api.#{opts[:env].to_s}.selfid.net" if opts.key? :env
+        return "https://api.#{opts[:env].to_s}.joinself.com" if opts.key? :env
         BASE_URL
       end
 
       def messaging_url(opts)
         return opts[:messaging_url] if opts.key? :messaging_url
-        return "wss://messaging.#{opts[:env].to_s}.selfid.net/v1/messaging" if opts.key? :env
+        return "wss://messaging.#{opts[:env].to_s}.joinself.com/v1/messaging" if opts.key? :env
         MESSAGING_URL
       end
 

data/lib/services/identity.rb

@@ -27,9 +27,10 @@ module SelfSDK
       # Gets an identity public keys
       #
       # @param [String] selfid gets the identity details (app/user)
+      # @param [String] kid the public key id.
       # @return [Array] with the identity public keys
-      def public_keys(selfid)
-        @client.public_keys(selfid)
+      def public_key(selfid, kid)
+        @client.public_key(selfid, kid).public_key
       end
 
       # Gets an app/identity details

data/lib/signature_graph.rb

@@ -0,0 +1,283 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'json'
+
+module SelfSDK
+
+  ACTION_ADD = "key.add"
+  ACTION_REVOKE = "key.revoke"
+  KEY_TYPE_DEVICE = "device.key"
+  KEY_TYPE_RECOVERY = "recovery.key"
+  
+  class Operation
+
+    attr_reader :sequence, :previous, :timestamp, :actions, :signing_key, :jws
+
+    def initialize(operation)
+      @jws = operation
+
+      payload = Base64.urlsafe_decode64(@jws[:payload])
+      header = Base64.urlsafe_decode64(@jws[:protected])
+
+      op = JSON.parse(payload, symbolize_names: true)
+      hdr = JSON.parse(header, symbolize_names: true)
+
+      @sequence = op[:sequence]
+      @previous = op[:previous]
+      @timestamp = op[:timestamp]
+      @version = op[:version]
+      @actions = op[:actions]
+      @signing_key = hdr[:kid]
+
+      validate!
+    end
+
+    def validate!
+      raise "unknown operation version" if @version != "1.0.0"
+      raise "invalid operation sequence" if @sequence < 0
+      raise "operation does not specify a previous signature" if @previous.nil?
+      raise "invalid operation timestamp" if @timestamp < 1
+      raise "operation does not specify any actions" if @actions.nil?
+      raise "operation does not specify any actions" if @actions.length < 1
+      raise "operation does not specify an identifier for the signing key" if @signing_key.nil?
+    end
+
+    def revokes(kid)
+      @actions.each do |action|
+        if action[:kid] == kid && action[:action] == ACTION_REVOKE
+          return true 
+        end
+      end
+      return false
+    end
+  end
+
+  class Key
+
+    attr_reader :kid, :did, :type, :created, :revoked, :public_key, :raw_public_key, :incoming, :outgoing
+
+    def initialize(action)
+      @kid = action[:kid]
+      @did = action[:did]
+      @type = action[:type]
+      @created = action[:from]
+      @revoked = 0
+
+      @raw_public_key = Base64.urlsafe_decode64(action[:key])
+      @public_key = Ed25519::VerifyKey.new(@raw_public_key)
+
+      @incoming = Array.new
+      @outgoing = Array.new
+    end
+
+    def valid_at(at)
+      created <= at && revoked == 0 || created <= at && revoked > at
+    end
+
+    def revoke(at)
+      @revoked = at
+    end
+
+    def revoked?
+      @revoked > 0
+    end
+
+    def child_keys
+      keys = @outgoing.dup
+
+      @outgoing.each do |k|
+        keys.concat k.child_keys
+      end
+
+      keys
+    end
+  end
+
+  class SignatureGraph
+    def initialize(history)
+      @root = nil
+      @keys = Hash.new
+      @devices = Hash.new
+      @signatures = Hash.new
+      @operations = Array.new
+      @recovery_key = nil
+
+      history.each do |operation|
+        execute(operation)        
+      end
+    end
+
+    def key_by_id(kid)
+      k = @keys[kid]
+      raise "key not found" if k.nil?
+      k
+    end
+
+    def key_by_device(did)
+      k = @devices[did]
+      raise "key not found" if k.nil?
+      k
+    end
+
+    def execute(operation)
+      op = Operation.new(operation)
+
+      raise "operation sequence is out of order" if op.sequence != @operations.length
+        
+      if op.sequence > 0 
+        if @signatures[op.previous] != op.sequence - 1
+          raise "operation previous signature does not match" 
+        end
+
+        if @operations[op.sequence - 1].timestamp >= op.timestamp
+          raise "operation timestamp occurs before previous operation"
+        end
+
+        sk = @keys[op.signing_key]
+ 
+        raise "operation specifies a signing key that does not exist" if sk.nil?
+
+        if sk.revoked? && op.timestamp > sk.revoked
+          raise "operation was signed by a key that was revoked at the time of signing"
+        end
+
+        if sk.type == KEY_TYPE_RECOVERY && op.revokes(op.signing_key) != true
+          raise "account recovery operation does not revoke the current active recovery key"
+        end        
+      end
+
+      execute_actions(op)
+
+      sk = @keys[op.signing_key]
+
+      raise "operation specifies a signing key that does not exist" if sk.nil?
+
+      if op.timestamp < sk.created || sk.revoked? && op.timestamp > sk.revoked
+        raise "operation was signed with a key that was revoked"  
+      end
+
+      sig = Base64.urlsafe_decode64(op.jws[:signature])
+
+      sk.public_key.verify(sig, "#{op.jws[:protected]}.#{op.jws[:payload]}")
+
+      has_valid_key = false
+
+      @keys.each do |kid, k|
+        has_valid_key = true unless k.revoked?
+      end
+
+      raise "signature graph does not contain any active or valid keys" unless has_valid_key
+      raise "signature graph does not contain a valid recovery key" if @recovery_key.nil?
+      raise "signature graph does not contain a valid recovery key" if @recovery_key.revoked?
+
+      @operations.push(op)
+      @signatures[op.jws[:signature]] = op.sequence
+    end
+
+    private
+
+    def execute_actions(op)
+      op.actions.each do |action|
+        raise "operation action does not provide a key identifier" if action[:kid].nil?
+
+        if action[:type] != KEY_TYPE_DEVICE && action[:type] != KEY_TYPE_RECOVERY
+          raise "operation action does not provide a valid type"
+        end
+
+        if action[:action] != ACTION_ADD && action[:action] != ACTION_REVOKE
+          raise "operation action does not provide a valid action"
+        end
+
+        if action[:action] == ACTION_ADD && action[:key].nil?
+          raise "operation action does not provide a valid public key"
+        end
+
+        if action[:action] == ACTION_ADD && action[:type] == KEY_TYPE_DEVICE && action[:did].nil?
+          raise "operation action does not provide a valid device id"
+        end
+
+        if action[:from] < 0
+          raise "operation action does not provide a valid timestamp for the action to take effect from" 
+        end
+        
+        case action[:action]
+        when ACTION_ADD
+          action[:from] = op.timestamp
+          add(op, action)
+        when ACTION_REVOKE
+          revoke(op, action)
+        end
+      end
+    end
+
+    def add(operation, action)
+      if @keys[action[:kid]].nil? != true
+        raise "operation contains a key with a duplicate identifier" 
+      end
+
+      k = Key.new(action)
+
+      case action[:type]
+      when KEY_TYPE_DEVICE
+        dk = @devices[action[:did]]
+        unless dk.nil?
+          raise "operation contains more than one active key for a device" unless dk.revoked?
+        end
+      when KEY_TYPE_RECOVERY
+        unless @recovery_key.nil?
+          raise "operation contains more than one active recovery key" unless @recovery_key.revoked? 
+        end
+
+        @recovery_key = k
+      end
+
+      @keys[k.kid] = k
+      @devices[k.did] = k
+
+      if operation.sequence == 0 && operation.signing_key == action[:kid]
+        @root = k
+        return
+      end
+      
+      parent = @keys[operation.signing_key]
+
+      raise "operation specifies a signing key that does not exist" if parent.nil?
+
+      k.incoming.push(parent)
+      parent.outgoing.push(k)
+    end
+
+    def revoke(operation, action)
+      k = @keys[action[:kid]]
+
+      raise "operation tries to revoke a key that does not exist" if k.nil?
+      raise "root operation cannot revoke keys" if operation.sequence < 1
+      raise "operation tries to revoke a key that has already been revoked" if k.revoked?
+
+      k.revoke(action[:from])
+
+      sk = @keys[operation.signing_key]
+
+      raise "operation specifies a signing key that does not exist" if k.nil?
+
+      # if this is an account recovery, nuke all existing keys
+      if sk.type == KEY_TYPE_RECOVERY
+        @root.revoke(action[:from])
+
+        @root.child_keys.each do |ck|
+          ck.revoke(action[:from]) unless ck.revoked?
+        end
+
+        return
+      end
+      
+      k.child_keys.each do |ck|
+        ck.revoke(action[:from]) unless ck.created < action[:from]
+      end
+    end
+
+  end
+
+end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: selfsdk
 version: !ruby/object:Gem::Version
-  version: 0.0.124
+  version: 0.0.129
 platform: ruby
 authors:
 - Aldgate Ventures
@@ -325,6 +325,7 @@ files:
 - lib/services/facts.rb
 - lib/services/identity.rb
 - lib/services/messaging.rb
+- lib/signature_graph.rb
 - lib/sources.rb
 homepage: https://www.joinself.com/
 licenses: []
@@ -350,5 +351,5 @@ requirements: []
 rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
-summary: self id gem
+summary: joinself sdk
 test_files: []