@atproto/crypto 0.2.3 → 0.3.1-next.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (91) hide show
  1. package/CHANGELOG.md +12 -0
  2. package/LICENSE.txt +1 -1
  3. package/dist/const.d.ts +1 -0
  4. package/dist/const.d.ts.map +1 -0
  5. package/dist/const.js +10 -0
  6. package/dist/const.js.map +1 -0
  7. package/dist/did.d.ts +2 -1
  8. package/dist/did.d.ts.map +1 -0
  9. package/dist/did.js +68 -0
  10. package/dist/did.js.map +1 -0
  11. package/dist/index.d.ts +1 -0
  12. package/dist/index.d.ts.map +1 -0
  13. package/dist/index.js +27 -3327
  14. package/dist/index.js.map +1 -7
  15. package/dist/multibase.d.ts +1 -0
  16. package/dist/multibase.d.ts.map +1 -0
  17. package/dist/multibase.js +76 -0
  18. package/dist/multibase.js.map +1 -0
  19. package/dist/p256/encoding.d.ts +1 -0
  20. package/dist/p256/encoding.d.ts.map +1 -0
  21. package/dist/p256/encoding.js +18 -0
  22. package/dist/p256/encoding.js.map +1 -0
  23. package/dist/p256/keypair.d.ts +3 -2
  24. package/dist/p256/keypair.d.ts.map +1 -0
  25. package/dist/p256/keypair.js +94 -0
  26. package/dist/p256/keypair.js.map +1 -0
  27. package/dist/p256/operations.d.ts +2 -0
  28. package/dist/p256/operations.d.ts.map +1 -0
  29. package/dist/p256/operations.js +41 -0
  30. package/dist/p256/operations.js.map +1 -0
  31. package/dist/p256/plugin.d.ts +1 -0
  32. package/dist/p256/plugin.d.ts.map +1 -0
  33. package/dist/p256/plugin.js +15 -0
  34. package/dist/p256/plugin.js.map +1 -0
  35. package/dist/plugins.d.ts +1 -0
  36. package/dist/plugins.d.ts.map +1 -0
  37. package/dist/plugins.js +11 -0
  38. package/dist/plugins.js.map +1 -0
  39. package/dist/random.d.ts +1 -0
  40. package/dist/random.d.ts.map +1 -0
  41. package/dist/random.js +44 -0
  42. package/dist/random.js.map +1 -0
  43. package/dist/secp256k1/encoding.d.ts +1 -0
  44. package/dist/secp256k1/encoding.d.ts.map +1 -0
  45. package/dist/secp256k1/encoding.js +18 -0
  46. package/dist/secp256k1/encoding.js.map +1 -0
  47. package/dist/secp256k1/keypair.d.ts +3 -2
  48. package/dist/secp256k1/keypair.d.ts.map +1 -0
  49. package/dist/secp256k1/keypair.js +94 -0
  50. package/dist/secp256k1/keypair.js.map +1 -0
  51. package/dist/secp256k1/operations.d.ts +2 -0
  52. package/dist/secp256k1/operations.d.ts.map +1 -0
  53. package/dist/secp256k1/operations.js +64 -0
  54. package/dist/secp256k1/operations.js.map +1 -0
  55. package/dist/secp256k1/plugin.d.ts +1 -0
  56. package/dist/secp256k1/plugin.d.ts.map +1 -0
  57. package/dist/secp256k1/plugin.js +15 -0
  58. package/dist/secp256k1/plugin.js.map +1 -0
  59. package/dist/sha.d.ts +2 -0
  60. package/dist/sha.d.ts.map +1 -0
  61. package/dist/sha.js +40 -0
  62. package/dist/sha.js.map +1 -0
  63. package/dist/types.d.ts +9 -3
  64. package/dist/types.d.ts.map +1 -0
  65. package/dist/types.js +3 -0
  66. package/dist/types.js.map +1 -0
  67. package/dist/utils.d.ts +4 -0
  68. package/dist/utils.d.ts.map +1 -0
  69. package/dist/utils.js +47 -0
  70. package/dist/utils.js.map +1 -0
  71. package/dist/verify.d.ts +1 -0
  72. package/dist/verify.d.ts.map +1 -0
  73. package/dist/verify.js +48 -0
  74. package/dist/verify.js.map +1 -0
  75. package/jest.config.js +3 -3
  76. package/package.json +8 -6
  77. package/src/did.ts +13 -35
  78. package/src/p256/keypair.ts +8 -6
  79. package/src/p256/operations.ts +23 -5
  80. package/src/p256/plugin.ts +7 -2
  81. package/src/secp256k1/keypair.ts +9 -7
  82. package/src/secp256k1/operations.ts +23 -5
  83. package/src/secp256k1/plugin.ts +7 -2
  84. package/src/sha.ts +7 -0
  85. package/src/types.ts +8 -1
  86. package/src/utils.ts +23 -0
  87. package/tests/signatures.test.ts +94 -3
  88. package/tsconfig.build.json +6 -2
  89. package/tsconfig.json +5 -7
  90. package/tsconfig.tests.json +7 -0
  91. package/build.js +0 -14
package/src/did.ts CHANGED
@@ -1,13 +1,8 @@
1
1
  import * as uint8arrays from 'uint8arrays'
2
- import * as p256 from './p256/encoding'
3
- import * as secp from './secp256k1/encoding'
2
+
3
+ import { BASE58_MULTIBASE_PREFIX, DID_KEY_PREFIX } from './const'
4
4
  import plugins from './plugins'
5
- import {
6
- BASE58_MULTIBASE_PREFIX,
7
- DID_KEY_PREFIX,
8
- P256_JWT_ALG,
9
- SECP256K1_JWT_ALG,
10
- } from './const'
5
+ import { extractMultikey, extractPrefixedBytes, hasPrefix } from './utils'
11
6
 
12
7
  export type ParsedMultikey = {
13
8
  jwtAlg: string
@@ -15,23 +10,14 @@ export type ParsedMultikey = {
15
10
  }
16
11
 
17
12
  export const parseMultikey = (multikey: string): ParsedMultikey => {
18
- if (!multikey.startsWith(BASE58_MULTIBASE_PREFIX)) {
19
- throw new Error(`Incorrect prefix for multikey: ${multikey}`)
20
- }
21
- const prefixedBytes = uint8arrays.fromString(
22
- multikey.slice(BASE58_MULTIBASE_PREFIX.length),
23
- 'base58btc',
24
- )
13
+ const prefixedBytes = extractPrefixedBytes(multikey)
25
14
  const plugin = plugins.find((p) => hasPrefix(prefixedBytes, p.prefix))
26
15
  if (!plugin) {
27
16
  throw new Error('Unsupported key type')
28
17
  }
29
- let keyBytes = prefixedBytes.slice(plugin.prefix.length)
30
- if (plugin.jwtAlg === P256_JWT_ALG) {
31
- keyBytes = p256.decompressPubkey(keyBytes)
32
- } else if (plugin.jwtAlg === SECP256K1_JWT_ALG) {
33
- keyBytes = secp.decompressPubkey(keyBytes)
34
- }
18
+ const keyBytes = plugin.decompressPubkey(
19
+ prefixedBytes.slice(plugin.prefix.length),
20
+ )
35
21
  return {
36
22
  jwtAlg: plugin.jwtAlg,
37
23
  keyBytes,
@@ -46,28 +32,20 @@ export const formatMultikey = (
46
32
  if (!plugin) {
47
33
  throw new Error('Unsupported key type')
48
34
  }
49
- if (jwtAlg === P256_JWT_ALG) {
50
- keyBytes = p256.compressPubkey(keyBytes)
51
- } else if (jwtAlg === SECP256K1_JWT_ALG) {
52
- keyBytes = secp.compressPubkey(keyBytes)
53
- }
54
- const prefixedBytes = uint8arrays.concat([plugin.prefix, keyBytes])
35
+ const prefixedBytes = uint8arrays.concat([
36
+ plugin.prefix,
37
+ plugin.compressPubkey(keyBytes),
38
+ ])
55
39
  return (
56
40
  BASE58_MULTIBASE_PREFIX + uint8arrays.toString(prefixedBytes, 'base58btc')
57
41
  )
58
42
  }
59
43
 
60
44
  export const parseDidKey = (did: string): ParsedMultikey => {
61
- if (!did.startsWith(DID_KEY_PREFIX)) {
62
- throw new Error(`Incorrect prefix for did:key: ${did}`)
63
- }
64
- return parseMultikey(did.slice(DID_KEY_PREFIX.length))
45
+ const multikey = extractMultikey(did)
46
+ return parseMultikey(multikey)
65
47
  }
66
48
 
67
49
  export const formatDidKey = (jwtAlg: string, keyBytes: Uint8Array): string => {
68
50
  return DID_KEY_PREFIX + formatMultikey(jwtAlg, keyBytes)
69
51
  }
70
-
71
- const hasPrefix = (bytes: Uint8Array, prefix: Uint8Array): boolean => {
72
- return uint8arrays.equals(prefix, bytes.subarray(0, prefix.byteLength))
73
- }
@@ -1,7 +1,11 @@
1
1
  import { p256 } from '@noble/curves/p256'
2
2
  import { sha256 } from '@noble/hashes/sha256'
3
- import * as uint8arrays from 'uint8arrays'
4
- import { SupportedEncodings } from 'uint8arrays/util/bases'
3
+ import { SupportedEncodings } from 'uint8arrays/to-string'
4
+ import {
5
+ fromString as ui8FromString,
6
+ toString as ui8ToString,
7
+ } from 'uint8arrays'
8
+
5
9
  import * as did from '../did'
6
10
  import { P256_JWT_ALG } from '../const'
7
11
  import { Keypair } from '../types'
@@ -32,9 +36,7 @@ export class P256Keypair implements Keypair {
32
36
  ): Promise<P256Keypair> {
33
37
  const { exportable = false } = opts || {}
34
38
  const privKeyBytes =
35
- typeof privKey === 'string'
36
- ? uint8arrays.fromString(privKey, 'hex')
37
- : privKey
39
+ typeof privKey === 'string' ? ui8FromString(privKey, 'hex') : privKey
38
40
  return new P256Keypair(privKeyBytes, exportable)
39
41
  }
40
42
 
@@ -43,7 +45,7 @@ export class P256Keypair implements Keypair {
43
45
  }
44
46
 
45
47
  publicKeyStr(encoding: SupportedEncodings = 'base64pad'): string {
46
- return uint8arrays.toString(this.publicKey, encoding)
48
+ return ui8ToString(this.publicKey, encoding)
47
49
  }
48
50
 
49
51
  did(): string {
@@ -1,8 +1,10 @@
1
1
  import { p256 } from '@noble/curves/p256'
2
2
  import { sha256 } from '@noble/hashes/sha256'
3
- import { P256_JWT_ALG } from '../const'
4
- import { parseDidKey } from '../did'
3
+ import { equals as ui8equals } from 'uint8arrays'
4
+
5
+ import { P256_DID_PREFIX } from '../const'
5
6
  import { VerifyOptions } from '../types'
7
+ import { extractMultikey, extractPrefixedBytes, hasPrefix } from '../utils'
6
8
 
7
9
  export const verifyDidSig = async (
8
10
  did: string,
@@ -10,10 +12,11 @@ export const verifyDidSig = async (
10
12
  sig: Uint8Array,
11
13
  opts?: VerifyOptions,
12
14
  ): Promise<boolean> => {
13
- const { jwtAlg, keyBytes } = parseDidKey(did)
14
- if (jwtAlg !== P256_JWT_ALG) {
15
+ const prefixedBytes = extractPrefixedBytes(extractMultikey(did))
16
+ if (!hasPrefix(prefixedBytes, P256_DID_PREFIX)) {
15
17
  throw new Error(`Not a P-256 did:key: ${did}`)
16
18
  }
19
+ const keyBytes = prefixedBytes.slice(P256_DID_PREFIX.length)
17
20
  return verifySig(keyBytes, data, sig, opts)
18
21
  }
19
22
 
@@ -23,8 +26,23 @@ export const verifySig = async (
23
26
  sig: Uint8Array,
24
27
  opts?: VerifyOptions,
25
28
  ): Promise<boolean> => {
29
+ const allowMalleable = opts?.allowMalleableSig ?? false
26
30
  const msgHash = await sha256(data)
31
+ // parse as compact sig to prevent signature malleability
32
+ // library supports sigs in 2 different formats: https://github.com/paulmillr/noble-curves/issues/99
33
+ if (!allowMalleable && !isCompactFormat(sig)) {
34
+ return false
35
+ }
27
36
  return p256.verify(sig, msgHash, publicKey, {
28
- lowS: opts?.lowS ?? true,
37
+ lowS: !allowMalleable,
29
38
  })
30
39
  }
40
+
41
+ export const isCompactFormat = (sig: Uint8Array) => {
42
+ try {
43
+ const parsed = p256.Signature.fromCompact(sig)
44
+ return ui8equals(parsed.toCompactRawBytes(), sig)
45
+ } catch {
46
+ return false
47
+ }
48
+ }
@@ -1,11 +1,16 @@
1
- import * as operations from './operations'
1
+ import { verifyDidSig } from './operations'
2
+ import { compressPubkey, decompressPubkey } from './encoding'
3
+
2
4
  import { DidKeyPlugin } from '../types'
3
5
  import { P256_DID_PREFIX, P256_JWT_ALG } from '../const'
4
6
 
5
7
  export const p256Plugin: DidKeyPlugin = {
6
8
  prefix: P256_DID_PREFIX,
7
9
  jwtAlg: P256_JWT_ALG,
8
- verifySignature: operations.verifyDidSig,
10
+ verifySignature: verifyDidSig,
11
+
12
+ compressPubkey,
13
+ decompressPubkey,
9
14
  }
10
15
 
11
16
  export default p256Plugin
@@ -1,9 +1,13 @@
1
1
  import { secp256k1 as k256 } from '@noble/curves/secp256k1'
2
2
  import { sha256 } from '@noble/hashes/sha256'
3
- import * as uint8arrays from 'uint8arrays'
4
- import { SupportedEncodings } from 'uint8arrays/util/bases'
5
- import * as did from '../did'
3
+ import {
4
+ fromString as ui8FromString,
5
+ toString as ui8ToString,
6
+ } from 'uint8arrays'
7
+ import { SupportedEncodings } from 'uint8arrays/to-string'
8
+
6
9
  import { SECP256K1_JWT_ALG } from '../const'
10
+ import * as did from '../did'
7
11
  import { Keypair } from '../types'
8
12
 
9
13
  export type Secp256k1KeypairOptions = {
@@ -32,9 +36,7 @@ export class Secp256k1Keypair implements Keypair {
32
36
  ): Promise<Secp256k1Keypair> {
33
37
  const { exportable = false } = opts || {}
34
38
  const privKeyBytes =
35
- typeof privKey === 'string'
36
- ? uint8arrays.fromString(privKey, 'hex')
37
- : privKey
39
+ typeof privKey === 'string' ? ui8FromString(privKey, 'hex') : privKey
38
40
  return new Secp256k1Keypair(privKeyBytes, exportable)
39
41
  }
40
42
 
@@ -43,7 +45,7 @@ export class Secp256k1Keypair implements Keypair {
43
45
  }
44
46
 
45
47
  publicKeyStr(encoding: SupportedEncodings = 'base64pad'): string {
46
- return uint8arrays.toString(this.publicKey, encoding)
48
+ return ui8ToString(this.publicKey, encoding)
47
49
  }
48
50
 
49
51
  did(): string {
@@ -1,8 +1,10 @@
1
1
  import { secp256k1 as k256 } from '@noble/curves/secp256k1'
2
2
  import { sha256 } from '@noble/hashes/sha256'
3
- import { SECP256K1_JWT_ALG } from '../const'
4
- import { parseDidKey } from '../did'
3
+ import * as ui8 from 'uint8arrays'
4
+
5
+ import { SECP256K1_DID_PREFIX } from '../const'
5
6
  import { VerifyOptions } from '../types'
7
+ import { extractMultikey, extractPrefixedBytes, hasPrefix } from '../utils'
6
8
 
7
9
  export const verifyDidSig = async (
8
10
  did: string,
@@ -10,10 +12,11 @@ export const verifyDidSig = async (
10
12
  sig: Uint8Array,
11
13
  opts?: VerifyOptions,
12
14
  ): Promise<boolean> => {
13
- const { jwtAlg, keyBytes } = parseDidKey(did)
14
- if (jwtAlg !== SECP256K1_JWT_ALG) {
15
+ const prefixedBytes = extractPrefixedBytes(extractMultikey(did))
16
+ if (!hasPrefix(prefixedBytes, SECP256K1_DID_PREFIX)) {
15
17
  throw new Error(`Not a secp256k1 did:key: ${did}`)
16
18
  }
19
+ const keyBytes = prefixedBytes.slice(SECP256K1_DID_PREFIX.length)
17
20
  return verifySig(keyBytes, data, sig, opts)
18
21
  }
19
22
 
@@ -23,8 +26,23 @@ export const verifySig = async (
23
26
  sig: Uint8Array,
24
27
  opts?: VerifyOptions,
25
28
  ): Promise<boolean> => {
29
+ const allowMalleable = opts?.allowMalleableSig ?? false
26
30
  const msgHash = await sha256(data)
31
+ // parse as compact sig to prevent signature malleability
32
+ // library supports sigs in 2 different formats: https://github.com/paulmillr/noble-curves/issues/99
33
+ if (!allowMalleable && !isCompactFormat(sig)) {
34
+ return false
35
+ }
27
36
  return k256.verify(sig, msgHash, publicKey, {
28
- lowS: opts?.lowS ?? true,
37
+ lowS: !allowMalleable,
29
38
  })
30
39
  }
40
+
41
+ export const isCompactFormat = (sig: Uint8Array) => {
42
+ try {
43
+ const parsed = k256.Signature.fromCompact(sig)
44
+ return ui8.equals(parsed.toCompactRawBytes(), sig)
45
+ } catch {
46
+ return false
47
+ }
48
+ }
@@ -1,11 +1,16 @@
1
- import * as operations from './operations'
1
+ import { verifyDidSig } from './operations'
2
+ import { compressPubkey, decompressPubkey } from './encoding'
3
+
2
4
  import { DidKeyPlugin } from '../types'
3
5
  import { SECP256K1_DID_PREFIX, SECP256K1_JWT_ALG } from '../const'
4
6
 
5
7
  export const secp256k1Plugin: DidKeyPlugin = {
6
8
  prefix: SECP256K1_DID_PREFIX,
7
9
  jwtAlg: SECP256K1_JWT_ALG,
8
- verifySignature: operations.verifyDidSig,
10
+ verifySignature: verifyDidSig,
11
+
12
+ compressPubkey,
13
+ decompressPubkey,
9
14
  }
10
15
 
11
16
  export default secp256k1Plugin
package/src/sha.ts CHANGED
@@ -9,3 +9,10 @@ export const sha256 = async (
9
9
  typeof input === 'string' ? uint8arrays.fromString(input, 'utf8') : input
10
10
  return noble.sha256(bytes)
11
11
  }
12
+
13
+ export const sha256Hex = async (
14
+ input: Uint8Array | string,
15
+ ): Promise<string> => {
16
+ const hash = await sha256(input)
17
+ return uint8arrays.toString(hash, 'hex')
18
+ }
package/src/types.ts CHANGED
@@ -9,6 +9,10 @@ export interface Didable {
9
9
 
10
10
  export interface Keypair extends Signer, Didable {}
11
11
 
12
+ export interface ExportableKeypair extends Keypair {
13
+ export(): Promise<Uint8Array>
14
+ }
15
+
12
16
  export type DidKeyPlugin = {
13
17
  prefix: Uint8Array
14
18
  jwtAlg: string
@@ -18,8 +22,11 @@ export type DidKeyPlugin = {
18
22
  data: Uint8Array,
19
23
  opts?: VerifyOptions,
20
24
  ) => Promise<boolean>
25
+
26
+ compressPubkey: (uncompressed: Uint8Array) => Uint8Array
27
+ decompressPubkey: (compressed: Uint8Array) => Uint8Array
21
28
  }
22
29
 
23
30
  export type VerifyOptions = {
24
- lowS?: boolean
31
+ allowMalleableSig?: boolean
25
32
  }
package/src/utils.ts ADDED
@@ -0,0 +1,23 @@
1
+ import * as uint8arrays from 'uint8arrays'
2
+ import { BASE58_MULTIBASE_PREFIX, DID_KEY_PREFIX } from './const'
3
+
4
+ export const extractMultikey = (did: string): string => {
5
+ if (!did.startsWith(DID_KEY_PREFIX)) {
6
+ throw new Error(`Incorrect prefix for did:key: ${did}`)
7
+ }
8
+ return did.slice(DID_KEY_PREFIX.length)
9
+ }
10
+
11
+ export const extractPrefixedBytes = (multikey: string): Uint8Array => {
12
+ if (!multikey.startsWith(BASE58_MULTIBASE_PREFIX)) {
13
+ throw new Error(`Incorrect prefix for multikey: ${multikey}`)
14
+ }
15
+ return uint8arrays.fromString(
16
+ multikey.slice(BASE58_MULTIBASE_PREFIX.length),
17
+ 'base58btc',
18
+ )
19
+ }
20
+
21
+ export const hasPrefix = (bytes: Uint8Array, prefix: Uint8Array): boolean => {
22
+ return uint8arrays.equals(prefix, bytes.subarray(0, prefix.byteLength))
23
+ }
@@ -2,11 +2,11 @@ import fs from 'node:fs'
2
2
  import * as uint8arrays from 'uint8arrays'
3
3
  import { secp256k1 as nobleK256 } from '@noble/curves/secp256k1'
4
4
  import { p256 as nobleP256 } from '@noble/curves/p256'
5
+ import { cborEncode } from '@atproto/common'
5
6
  import EcdsaKeypair from '../src/p256/keypair'
6
7
  import Secp256k1Keypair from '../src/secp256k1/keypair'
7
8
  import * as p256 from '../src/p256/operations'
8
9
  import * as secp from '../src/secp256k1/operations'
9
- import { cborEncode } from '@atproto/common'
10
10
  import {
11
11
  bytesToMultibase,
12
12
  multibaseToBytes,
@@ -78,7 +78,46 @@ describe('signatures', () => {
78
78
  keyBytes,
79
79
  messageBytes,
80
80
  signatureBytes,
81
- { lowS: false },
81
+ { allowMalleableSig: true },
82
+ )
83
+ expect(verified).toEqual(true)
84
+ expect(vector.validSignature).toEqual(false) // otherwise would fail per low-s requirement
85
+ } else if (vector.algorithm === SECP256K1_JWT_ALG) {
86
+ const verified = await secp.verifySig(
87
+ keyBytes,
88
+ messageBytes,
89
+ signatureBytes,
90
+ { allowMalleableSig: true },
91
+ )
92
+ expect(verified).toEqual(true)
93
+ expect(vector.validSignature).toEqual(false) // otherwise would fail per low-s requirement
94
+ } else {
95
+ throw new Error('Unsupported test vector')
96
+ }
97
+ }
98
+ })
99
+
100
+ it('verifies der-encoded signatures with explicit option', async () => {
101
+ const DERVectors = vectors.filter((vec) => vec.tags.includes('der-encoded'))
102
+ expect(DERVectors.length).toBeGreaterThanOrEqual(2)
103
+ for (const vector of DERVectors) {
104
+ const messageBytes = uint8arrays.fromString(
105
+ vector.messageBase64,
106
+ 'base64',
107
+ )
108
+ const signatureBytes = uint8arrays.fromString(
109
+ vector.signatureBase64,
110
+ 'base64',
111
+ )
112
+ const keyBytes = multibaseToBytes(vector.publicKeyMultibase)
113
+ const didKey = parseDidKey(vector.publicKeyDid)
114
+ expect(uint8arrays.equals(keyBytes, didKey.keyBytes))
115
+ if (vector.algorithm === P256_JWT_ALG) {
116
+ const verified = await p256.verifySig(
117
+ keyBytes,
118
+ messageBytes,
119
+ signatureBytes,
120
+ { allowMalleableSig: true },
82
121
  )
83
122
  expect(verified).toEqual(true)
84
123
  expect(vector.validSignature).toEqual(false) // otherwise would fail per low-s requirement
@@ -87,7 +126,7 @@ describe('signatures', () => {
87
126
  keyBytes,
88
127
  messageBytes,
89
128
  signatureBytes,
90
- { lowS: false },
129
+ { allowMalleableSig: true },
91
130
  )
92
131
  expect(verified).toEqual(true)
93
132
  expect(vector.validSignature).toEqual(false) // otherwise would fail per low-s requirement
@@ -98,6 +137,7 @@ describe('signatures', () => {
98
137
  })
99
138
  })
100
139
 
140
+ // @ts-expect-error
101
141
  // eslint-disable-next-line @typescript-eslint/no-unused-vars
102
142
  async function generateTestVectors(): Promise<TestVector[]> {
103
143
  const p256Key = await EcdsaKeypair.create({ exportable: true })
@@ -168,6 +208,39 @@ async function generateTestVectors(): Promise<TestVector[]> {
168
208
  validSignature: false,
169
209
  tags: ['high-s'],
170
210
  },
211
+ // these vectors test to ensure we don't allow der-encoded signatures
212
+ {
213
+ messageBase64,
214
+ algorithm: P256_JWT_ALG, // "ES256" / ecdsa p-256
215
+ publicKeyDid: p256Key.did(),
216
+ publicKeyMultibase: bytesToMultibase(
217
+ p256Key.publicKeyBytes(),
218
+ 'base58btc',
219
+ ),
220
+ signatureBase64: await makeDerEncodedSig(
221
+ messageBytes,
222
+ await p256Key.export(),
223
+ P256_JWT_ALG,
224
+ ),
225
+ validSignature: false,
226
+ tags: ['der-encoded'],
227
+ },
228
+ {
229
+ messageBase64,
230
+ algorithm: SECP256K1_JWT_ALG, // "ES256K" / secp256k
231
+ publicKeyDid: secpKey.did(),
232
+ publicKeyMultibase: bytesToMultibase(
233
+ secpKey.publicKeyBytes(),
234
+ 'base58btc',
235
+ ),
236
+ signatureBase64: await makeDerEncodedSig(
237
+ messageBytes,
238
+ await secpKey.export(),
239
+ SECP256K1_JWT_ALG,
240
+ ),
241
+ validSignature: false,
242
+ tags: ['der-encoded'],
243
+ },
171
244
  ]
172
245
  }
173
246
 
@@ -195,6 +268,24 @@ async function makeHighSSig(
195
268
  return sig
196
269
  }
197
270
 
271
+ async function makeDerEncodedSig(
272
+ msgBytes: Uint8Array,
273
+ keyBytes: Uint8Array,
274
+ alg: string,
275
+ ): Promise<string> {
276
+ const hash = await sha256(msgBytes)
277
+
278
+ let sig: string
279
+ if (alg === SECP256K1_JWT_ALG) {
280
+ const attempt = await nobleK256.sign(hash, keyBytes, { lowS: true })
281
+ sig = uint8arrays.toString(attempt.toDERRawBytes(), 'base64')
282
+ } else {
283
+ const attempt = await nobleP256.sign(hash, keyBytes, { lowS: true })
284
+ sig = uint8arrays.toString(attempt.toDERRawBytes(), 'base64')
285
+ }
286
+ return sig
287
+ }
288
+
198
289
  type TestVector = {
199
290
  algorithm: string
200
291
  publicKeyDid: string
@@ -1,4 +1,8 @@
1
1
  {
2
- "extends": "./tsconfig.json",
3
- "exclude": ["**/*.spec.ts", "**/*.test.ts"]
2
+ "extends": "../../tsconfig/isomorphic.json",
3
+ "compilerOptions": {
4
+ "rootDir": "./src",
5
+ "outDir": "./dist"
6
+ },
7
+ "include": ["./src"]
4
8
  }
package/tsconfig.json CHANGED
@@ -1,9 +1,7 @@
1
1
  {
2
- "extends": "../../tsconfig.json",
3
- "compilerOptions": {
4
- "rootDir": "./src",
5
- "outDir": "./dist", // Your outDir,
6
- "emitDeclarationOnly": true
7
- },
8
- "include": ["./src", "__tests__/**/**.ts"]
2
+ "include": [],
3
+ "references": [
4
+ { "path": "./tsconfig.build.json" },
5
+ { "path": "./tsconfig.tests.json" }
6
+ ]
9
7
  }
@@ -0,0 +1,7 @@
1
+ {
2
+ "extends": "../../tsconfig/tests.json",
3
+ "compilerOptions": {
4
+ "rootDir": "."
5
+ },
6
+ "include": ["./tests"]
7
+ }
package/build.js DELETED
@@ -1,14 +0,0 @@
1
- const { nodeExternalsPlugin } = require('esbuild-node-externals')
2
-
3
- const buildShallow =
4
- process.argv.includes('--shallow') || process.env.ATP_BUILD_SHALLOW === 'true'
5
-
6
- require('esbuild').build({
7
- logLevel: 'info',
8
- entryPoints: ['src/index.ts'],
9
- bundle: true,
10
- sourcemap: true,
11
- outdir: 'dist',
12
- platform: 'node',
13
- plugins: buildShallow ? [nodeExternalsPlugin()] : [],
14
- })