@blocklet/meta 1.16.40-beta-20250314-125842-4252b590 → 1.16.40
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/security.d.ts +4 -1
- package/lib/security.js +69 -10
- package/package.json +5 -5
package/lib/security.d.ts
CHANGED
|
@@ -10,6 +10,9 @@ type VaultRecord = {
|
|
|
10
10
|
did: string;
|
|
11
11
|
at: number;
|
|
12
12
|
sig: string;
|
|
13
|
+
approverSig?: string;
|
|
14
|
+
approverDid?: string;
|
|
15
|
+
approverPk?: string;
|
|
13
16
|
};
|
|
14
|
-
export declare function verifyVault(vaults: VaultRecord[],
|
|
17
|
+
export declare function verifyVault(vaults: VaultRecord[], appPid: string, throwOnError?: boolean): Promise<string>;
|
|
15
18
|
export {};
|
package/lib/security.js
CHANGED
|
@@ -22,11 +22,11 @@ function verifyResponse(signed, wallet) {
|
|
|
22
22
|
}
|
|
23
23
|
return Promise.resolve(wallet.verify((0, json_stable_stringify_1.default)((0, omit_1.default)(signed, '$signature')), signed.$signature));
|
|
24
24
|
}
|
|
25
|
-
async function verifyVault(vaults,
|
|
25
|
+
async function verifyVault(vaults, appPid, throwOnError = false) {
|
|
26
26
|
// return empty string if the vaults list is empty
|
|
27
27
|
if (!Array.isArray(vaults) || vaults.length === 0) {
|
|
28
28
|
if (throwOnError) {
|
|
29
|
-
throw new Error('
|
|
29
|
+
throw new Error('vaults list is empty');
|
|
30
30
|
}
|
|
31
31
|
return '';
|
|
32
32
|
}
|
|
@@ -34,7 +34,7 @@ async function verifyVault(vaults, appId, throwOnError = false) {
|
|
|
34
34
|
for (let i = 1; i < vaults.length; i++) {
|
|
35
35
|
if (vaults[i].at <= vaults[i - 1].at) {
|
|
36
36
|
if (throwOnError) {
|
|
37
|
-
throw new Error('
|
|
37
|
+
throw new Error('vaults are not in ascending order');
|
|
38
38
|
}
|
|
39
39
|
return '';
|
|
40
40
|
}
|
|
@@ -43,31 +43,90 @@ async function verifyVault(vaults, appId, throwOnError = false) {
|
|
|
43
43
|
const uniqueVaults = new Set(vaults.map((vault) => vault.did));
|
|
44
44
|
if (uniqueVaults.size !== vaults.length) {
|
|
45
45
|
if (throwOnError) {
|
|
46
|
-
throw new Error('
|
|
46
|
+
throw new Error('vaults list has duplicate vaults');
|
|
47
47
|
}
|
|
48
48
|
return '';
|
|
49
49
|
}
|
|
50
|
-
// verify signature for each vault
|
|
51
|
-
let data = Buffer.from(`vault:${appId}`);
|
|
50
|
+
// verify signature for each vault: approve and commit
|
|
52
51
|
for (let i = 0; i < vaults.length; i++) {
|
|
53
52
|
const vault = vaults[i];
|
|
54
|
-
|
|
55
|
-
|
|
53
|
+
if (!(0, did_1.isFromPublicKey)(vault.did, vault.pk)) {
|
|
54
|
+
if (throwOnError) {
|
|
55
|
+
throw new Error(`vault did and pk mismatch: ${vault.did}(${vault.pk})`);
|
|
56
|
+
}
|
|
57
|
+
return '';
|
|
58
|
+
}
|
|
59
|
+
let data = Buffer.from(`vault:${appPid}`);
|
|
60
|
+
for (let j = 0; j <= i; j++) {
|
|
61
|
+
data = Buffer.concat([data, Buffer.from(`:${vaults[j].did}`)]);
|
|
62
|
+
}
|
|
63
|
+
// verify approve signature for non-first vault
|
|
64
|
+
if (!vault.approverSig) {
|
|
65
|
+
if (throwOnError) {
|
|
66
|
+
throw new Error(`vault approve signature missing for ${vault.did}`);
|
|
67
|
+
}
|
|
68
|
+
return '';
|
|
69
|
+
}
|
|
70
|
+
try {
|
|
71
|
+
let wallet;
|
|
72
|
+
if (i > 0) {
|
|
73
|
+
const prevVault = vaults[i - 1];
|
|
74
|
+
wallet = (0, wallet_1.fromPublicKey)(prevVault.pk, (0, did_1.toTypeInfo)(prevVault.did));
|
|
75
|
+
}
|
|
76
|
+
else {
|
|
77
|
+
if (!vault.approverPk || !vault.approverDid || !(0, did_1.isFromPublicKey)(vault.approverDid, vault.approverPk)) {
|
|
78
|
+
if (throwOnError) {
|
|
79
|
+
throw new Error(`approver config missing for ${vault.did}`);
|
|
80
|
+
}
|
|
81
|
+
return '';
|
|
82
|
+
}
|
|
83
|
+
wallet = (0, wallet_1.fromPublicKey)(vault.approverPk, (0, did_1.toTypeInfo)(vault.approverDid));
|
|
84
|
+
}
|
|
85
|
+
// eslint-disable-next-line no-await-in-loop
|
|
86
|
+
if ((await wallet.verify(data, vault.approverSig)) === false) {
|
|
87
|
+
if (throwOnError) {
|
|
88
|
+
throw new Error(`signature verify failed for ${vault.did}`);
|
|
89
|
+
}
|
|
90
|
+
return '';
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
catch (err) {
|
|
94
|
+
/* istanbul ignore if */
|
|
95
|
+
if (process.env.NODE_ENV !== 'test') {
|
|
96
|
+
console.error(err);
|
|
97
|
+
}
|
|
98
|
+
if (throwOnError) {
|
|
99
|
+
throw new Error(`vault approve verify failed: ${err.message}`);
|
|
100
|
+
}
|
|
101
|
+
return '';
|
|
102
|
+
}
|
|
103
|
+
// verify commit signature for all vaults
|
|
104
|
+
if (!vault.sig) {
|
|
105
|
+
if (throwOnError) {
|
|
106
|
+
throw new Error(`vault commit signature missing for ${vault.did}`);
|
|
107
|
+
}
|
|
108
|
+
return '';
|
|
109
|
+
}
|
|
56
110
|
try {
|
|
111
|
+
const wallet = (0, wallet_1.fromPublicKey)(vault.pk, (0, did_1.toTypeInfo)(vault.did));
|
|
112
|
+
if (vault.approverSig) {
|
|
113
|
+
data = Buffer.concat([data, Buffer.from(`:${vault.approverSig}`)]);
|
|
114
|
+
}
|
|
57
115
|
// eslint-disable-next-line no-await-in-loop
|
|
58
116
|
if ((await wallet.verify(data, vault.sig)) === false) {
|
|
59
117
|
if (throwOnError) {
|
|
60
|
-
throw new Error(`
|
|
118
|
+
throw new Error(`commit signature verify failed for ${vault.did}`);
|
|
61
119
|
}
|
|
62
120
|
return '';
|
|
63
121
|
}
|
|
64
122
|
}
|
|
65
123
|
catch (err) {
|
|
124
|
+
/* istanbul ignore if */
|
|
66
125
|
if (process.env.NODE_ENV !== 'test') {
|
|
67
126
|
console.error(err);
|
|
68
127
|
}
|
|
69
128
|
if (throwOnError) {
|
|
70
|
-
throw new Error(`
|
|
129
|
+
throw new Error(`vault commit verify failed: ${err.message}`);
|
|
71
130
|
}
|
|
72
131
|
return '';
|
|
73
132
|
}
|
package/package.json
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
"publishConfig": {
|
|
4
4
|
"access": "public"
|
|
5
5
|
},
|
|
6
|
-
"version": "1.16.40
|
|
6
|
+
"version": "1.16.40",
|
|
7
7
|
"description": "Library to parse/validate/fix blocklet meta",
|
|
8
8
|
"main": "./lib/index.js",
|
|
9
9
|
"typings": "./lib/index.d.ts",
|
|
@@ -25,13 +25,13 @@
|
|
|
25
25
|
"author": "wangshijun <wangshijun2020@gmail.com> (http://github.com/wangshijun)",
|
|
26
26
|
"license": "Apache-2.0",
|
|
27
27
|
"dependencies": {
|
|
28
|
-
"@abtnode/constant": "1.16.40
|
|
29
|
-
"@abtnode/docker-utils": "1.16.40
|
|
28
|
+
"@abtnode/constant": "1.16.40",
|
|
29
|
+
"@abtnode/docker-utils": "1.16.40",
|
|
30
30
|
"@arcblock/did": "1.19.15",
|
|
31
31
|
"@arcblock/did-ext": "1.19.15",
|
|
32
32
|
"@arcblock/did-util": "1.19.15",
|
|
33
33
|
"@arcblock/jwt": "1.19.15",
|
|
34
|
-
"@blocklet/constant": "1.16.40
|
|
34
|
+
"@blocklet/constant": "1.16.40",
|
|
35
35
|
"@ocap/asset": "1.19.15",
|
|
36
36
|
"@ocap/mcrypto": "1.19.15",
|
|
37
37
|
"@ocap/types": "1.19.15",
|
|
@@ -80,5 +80,5 @@
|
|
|
80
80
|
"ts-node": "^10.9.1",
|
|
81
81
|
"typescript": "^5.6.3"
|
|
82
82
|
},
|
|
83
|
-
"gitHead": "
|
|
83
|
+
"gitHead": "f05e89c1f02e51f88d28b45225487d3241fc3636"
|
|
84
84
|
}
|