selfsdk 0.0.127 → 0.0.128

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7d9d4b995fb2ea36f3e01c5910bf15755797c1afb3ba13c2ab58c8c89ff73e3a
-  data.tar.gz: 1c22b973f561e4c47f5883d91a15409989fa34b192712a7195f391a6d7854b41
+  metadata.gz: 125110bf24194be23beb2ef32eaffc67cdd4fb0f0124c8b6bc2da283fc7cf999
+  data.tar.gz: f058e20f529c0c71480b673cb78d511bee67056a2c8aa215663552443311be4d
 SHA512:
-  metadata.gz: 3ae863e903d8ee9f59c74473a44e7f9312f76d2f5a54e14b8959f3ff6e5b36593c5f04eaf0b6718a5868f91ab8e8f3cda6edaaeb3a46787f761362bedcb3691a
-  data.tar.gz: 71fbc1f03e5c7df88bee3d991b3d7fb8ba37797fea605c60af83a9168be89f7aa76df42b9b2680a0082054fe5bd5f0c0cfaf24ca3427a5423d4961147deaff0b
+  metadata.gz: 1748a529d80ef342b18d4a8a8e9b2ab14191d478ce7d431c5ce192ac6052e05a20b62cc27851cc3f890eacbef65fe2f4850a934d99a50f3879f90698b6abbd86
+  data.tar.gz: 1648159549fa5474b98a141a7df7fe2901a50f0472e9e0cc03da0e65ab923ed52c8589344b34aff25b9dd9c32e1ad9e9abe65ed6b52c11364520139dde1aae61

data/lib/client.rb

@@ -64,6 +64,15 @@ module SelfSDK
       i[:public_keys]
     end
 
+    # Lists all public keys stored on self for the given ID
+    #
+    # @param id [string] identity id
+    def public_key(id, kid)
+      i = entity(id)
+      sg = SelfSDK::SignatureGraph.new(i[:history])
+      sg.key_by_id(kid)
+    end
+
     private
 
     def get_identity(endpoint)

data/lib/selfsdk.rb

@@ -7,6 +7,7 @@ require 'net/http'
 require 'rqrcode'
 require_relative 'log'
 require_relative 'jwt_service'
+require_relative 'signature_graph'
 require_relative 'client'
 require_relative 'messaging'
 require_relative 'ntptime'

data/lib/signature_graph.rb

@@ -0,0 +1,283 @@
+# frozen_string_literal: true
+
+require 'base64'
+require 'json'
+
+module SelfSDK
+
+  ACTION_ADD = "key.add"
+  ACTION_REVOKE = "key.revoke"
+  KEY_TYPE_DEVICE = "device.key"
+  KEY_TYPE_RECOVERY = "recovery.key"
+  
+  class Operation
+
+    attr_reader :sequence, :previous, :timestamp, :actions, :signing_key, :jws
+
+    def initialize(operation)
+      @jws = operation
+
+      payload = Base64.urlsafe_decode64(@jws[:payload])
+      header = Base64.urlsafe_decode64(@jws[:protected])
+
+      op = JSON.parse(payload, symbolize_names: true)
+      hdr = JSON.parse(header, symbolize_names: true)
+
+      @sequence = op[:sequence]
+      @previous = op[:previous]
+      @timestamp = op[:timestamp]
+      @version = op[:version]
+      @actions = op[:actions]
+      @signing_key = hdr[:kid]
+
+      validate!
+    end
+
+    def validate!
+      raise "unknown operation version" if @version != "1.0.0"
+      raise "invalid operation sequence" if @sequence < 0
+      raise "operation does not specify a previous signature" if @previous.nil?
+      raise "invalid operation timestamp" if @timestamp < 1
+      raise "operation does not specify any actions" if @actions.nil?
+      raise "operation does not specify any actions" if @actions.length < 1
+      raise "operation does not specify an identifier for the signing key" if @signing_key.nil?
+    end
+
+    def revokes(kid)
+      @actions.each do |action|
+        if action[:kid] == kid && action[:action] == ACTION_REVOKE
+          return true 
+        end
+      end
+      return false
+    end
+  end
+
+  class Key
+
+    attr_reader :kid, :did, :type, :created, :revoked, :public_key, :raw_public_key, :incoming, :outgoing
+
+    def initialize(action)
+      @kid = action[:kid]
+      @did = action[:did]
+      @type = action[:type]
+      @created = action[:from]
+      @revoked = 0
+
+      @raw_public_key = Base64.urlsafe_decode64(action[:key])
+      @public_key = Ed25519::VerifyKey.new(@raw_public_key)
+
+      @incoming = Array.new
+      @outgoing = Array.new
+    end
+
+    def valid_at(at)
+      created <= at && revoked == 0 || created <= at && revoked > at
+    end
+
+    def revoke(at)
+      @revoked = at
+    end
+
+    def revoked?
+      @revoked > 0
+    end
+
+    def child_keys
+      keys = @outgoing.dup
+
+      @outgoing.each do |k|
+        keys.concat k.child_keys
+      end
+
+      keys
+    end
+  end
+
+  class SignatureGraph
+    def initialize(history)
+      @root = nil
+      @keys = Hash.new
+      @devices = Hash.new
+      @signatures = Hash.new
+      @operations = Array.new
+      @recovery_key = nil
+
+      history.each do |operation|
+        execute(operation)        
+      end
+    end
+
+    def key_by_id(kid)
+      k = @keys[kid]
+      raise "key not found" if k.nil?
+      k
+    end
+
+    def key_by_device(did)
+      k = @devices[did]
+      raise "key not found" if k.nil?
+      k
+    end
+
+    def execute(operation)
+      op = Operation.new(operation)
+
+      raise "operation sequence is out of order" if op.sequence != @operations.length
+        
+      if op.sequence > 0 
+        if @signatures[op.previous] != op.sequence - 1
+          raise "operation previous signature does not match" 
+        end
+
+        if @operations[op.sequence - 1].timestamp >= op.timestamp
+          raise "operation timestamp occurs before previous operation"
+        end
+
+        sk = @keys[op.signing_key]
+ 
+        raise "operation specifies a signing key that does not exist" if sk.nil?
+
+        if sk.revoked? && op.timestamp > sk.revoked
+          raise "operation was signed by a key that was revoked at the time of signing"
+        end
+
+        if sk.type == KEY_TYPE_RECOVERY && op.revokes(op.signing_key) != true
+          raise "account recovery operation does not revoke the current active recovery key"
+        end        
+      end
+
+      execute_actions(op)
+
+      sk = @keys[op.signing_key]
+
+      raise "operation specifies a signing key that does not exist" if sk.nil?
+
+      if op.timestamp < sk.created || sk.revoked? && op.timestamp > sk.revoked
+        raise "operation was signed with a key that was revoked"  
+      end
+
+      sig = Base64.urlsafe_decode64(op.jws[:signature])
+
+      sk.public_key.verify(sig, "#{op.jws[:protected]}.#{op.jws[:payload]}")
+
+      has_valid_key = false
+
+      @keys.each do |kid, k|
+        has_valid_key = true unless k.revoked?
+      end
+
+      raise "signature graph does not contain any active or valid keys" unless has_valid_key
+      raise "signature graph does not contain a valid recovery key" if @recovery_key.nil?
+      raise "signature graph does not contain a valid recovery key" if @recovery_key.revoked?
+
+      @operations.push(op)
+      @signatures[op.jws[:signature]] = op.sequence
+    end
+
+    private
+
+    def execute_actions(op)
+      op.actions.each do |action|
+        raise "operation action does not provide a key identifier" if action[:kid].nil?
+
+        if action[:type] != KEY_TYPE_DEVICE && action[:type] != KEY_TYPE_RECOVERY
+          raise "operation action does not provide a valid type"
+        end
+
+        if action[:action] != ACTION_ADD && action[:action] != ACTION_REVOKE
+          raise "operation action does not provide a valid action"
+        end
+
+        if action[:action] == ACTION_ADD && action[:key].nil?
+          raise "operation action does not provide a valid public key"
+        end
+
+        if action[:action] == ACTION_ADD && action[:type] == KEY_TYPE_DEVICE && action[:did].nil?
+          raise "operation action does not provide a valid device id"
+        end
+
+        if action[:from] < 0
+          raise "operation action does not provide a valid timestamp for the action to take effect from" 
+        end
+        
+        case action[:action]
+        when ACTION_ADD
+          action[:from] = op.timestamp
+          add(op, action)
+        when ACTION_REVOKE
+          revoke(op, action)
+        end
+      end
+    end
+
+    def add(operation, action)
+      if @keys[action[:kid]].nil? != true
+        raise "operation contains a key with a duplicate identifier" 
+      end
+
+      k = Key.new(action)
+
+      case action[:type]
+      when KEY_TYPE_DEVICE
+        dk = @devices[action[:did]]
+        unless dk.nil?
+          raise "operation contains more than one active key for a device" unless dk.revoked?
+        end
+      when KEY_TYPE_RECOVERY
+        unless @recovery_key.nil?
+          raise "operation contains more than one active recovery key" unless @recovery_key.revoked? 
+        end
+
+        @recovery_key = k
+      end
+
+      @keys[k.kid] = k
+      @devices[k.did] = k
+
+      if operation.sequence == 0 && operation.signing_key == action[:kid]
+        @root = k
+        return
+      end
+      
+      parent = @keys[operation.signing_key]
+
+      raise "operation specifies a signing key that does not exist" if parent.nil?
+
+      k.incoming.push(parent)
+      parent.outgoing.push(k)
+    end
+
+    def revoke(operation, action)
+      k = @keys[action[:kid]]
+
+      raise "operation tries to revoke a key that does not exist" if k.nil?
+      raise "root operation cannot revoke keys" if operation.sequence < 1
+      raise "operation tries to revoke a key that has already been revoked" if k.revoked?
+
+      k.revoke(action[:from])
+
+      sk = @keys[operation.signing_key]
+
+      raise "operation specifies a signing key that does not exist" if k.nil?
+
+      # if this is an account recovery, nuke all existing keys
+      if sk.type == KEY_TYPE_RECOVERY
+        @root.revoke(action[:from])
+
+        @root.child_keys.each do |ck|
+          ck.revoke(action[:from]) unless ck.revoked?
+        end
+
+        return
+      end
+      
+      k.child_keys.each do |ck|
+        ck.revoke(action[:from]) unless ck.created < action[:from]
+      end
+    end
+
+  end
+
+end
+

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: selfsdk
 version: !ruby/object:Gem::Version
-  version: 0.0.127
+  version: 0.0.128
 platform: ruby
 authors:
 - Aldgate Ventures
@@ -325,6 +325,7 @@ files:
 - lib/services/facts.rb
 - lib/services/identity.rb
 - lib/services/messaging.rb
+- lib/signature_graph.rb
 - lib/sources.rb
 homepage: https://www.joinself.com/
 licenses: []