@bsv/sdk 1.9.31 → 1.10.2

package/src/identity/IdentityClient.ts

@@ -13,11 +13,16 @@ import {
 } from '../wallet/index.js'
 import { BroadcastFailure, BroadcastResponse, Transaction } from '../transaction/index.js'
 import Certificate from '../auth/certificates/Certificate.js'
+import { VerifiableCertificate } from '../auth/certificates/VerifiableCertificate.js'
 import { PushDrop } from '../script/index.js'
 import { PrivateKey, Utils } from '../primitives/index.js'
+import ProtoWallet from '../wallet/ProtoWallet.js'
 import { LookupResolver, SHIPBroadcaster, TopicBroadcaster, withDoubleSpendRetry } from '../overlay-tools/index.js'
 import { ContactsManager, Contact } from './ContactsManager.js'
 
+// Default SocialCert certifier for fallback resolution when no wallet is available
+const DEFAULT_CERTIFIER = '02cf6cdf466951d8dfc9e7c9367511d0007ed6fba35ed42d425cc412fd6cfd4a17'
+
 /**
  * IdentityClient lets you discover who others are, and let the world know who you are.
  */
@@ -30,7 +35,7 @@ export class IdentityClient {
     private readonly originator?: OriginatorDomainNameStringUnder250Bytes
   ) {
     this.originator = originator
-    this.wallet = wallet ?? new WalletClient()
+    this.wallet = wallet ?? new WalletClient('auto', this.originator)
     this.contactsManager = new ContactsManager(this.wallet, this.originator)
   }
 
@@ -140,19 +145,33 @@ export class IdentityClient {
   ): Promise<DisplayableIdentity[]> {
     if (overrideWithContacts) {
       // Override results with personal contacts if available
-      const contacts = await this.contactsManager.getContacts(args.identityKey)
-      if (contacts.length > 0) {
-        return contacts
+      try {
+        const contacts = await this.contactsManager.getContacts(args.identityKey)
+        if (contacts.length > 0) {
+          return contacts
+        }
+      } catch (e) {
+        // Contacts require wallet - continue to try discovery
       }
     }
 
-    const { certificates } = await this.wallet.discoverByIdentityKey(
-      args,
-      this.originator
-    )
-    return certificates.map((cert) => {
-      return IdentityClient.parseIdentity(cert)
-    })
+    try {
+      const { certificates } = await this.wallet.discoverByIdentityKey(
+        args,
+        this.originator
+      )
+      return certificates.map((cert) => {
+        return IdentityClient.parseIdentity(cert)
+      })
+    } catch (error: unknown) {
+      // Fallback to LookupResolver if no wallet is available
+      const errorMessage = error instanceof Error ? error.message : ''
+      if (errorMessage.includes('No wallet available')) {
+        const certificates = await this.resolveViaLookup({ identityKey: args.identityKey })
+        return certificates.map((cert) => IdentityClient.parseIdentity(cert))
+      }
+      throw error
+    }
   }
 
   /**
@@ -167,26 +186,131 @@ export class IdentityClient {
     overrideWithContacts = true
   ): Promise<DisplayableIdentity[]> {
     // Run both queries in parallel for better performance
-    const [contacts, certificatesResult] = await Promise.all([
-      overrideWithContacts
-        ? this.contactsManager.getContacts()
-        : Promise.resolve([]),
-      this.wallet.discoverByAttributes(args, this.originator)
-    ])
-
-    // Fast lookup by identityKey
-    const contactByKey = new Map<PubKeyHex, Contact>(
-      contacts.map((contact) => [contact.identityKey, contact] as const)
-    )
+    const contactsPromise = overrideWithContacts
+      ? this.contactsManager.getContacts().catch(() => [] as Contact[])
+      : Promise.resolve([] as Contact[])
 
-    // Guard if certificates might be absent
-    const certs = certificatesResult?.certificates ?? []
+    try {
+      const [contacts, certificatesResult] = await Promise.all([
+        contactsPromise,
+        this.wallet.discoverByAttributes(args, this.originator)
+      ])
+
+      // Fast lookup by identityKey
+      const contactByKey = new Map<PubKeyHex, Contact>(
+        contacts.map((contact) => [contact.identityKey, contact] as const)
+      )
 
-    // Parse certificates and substitute with contacts where available
-    return certs.map(
-      (cert) =>
-        contactByKey.get(cert.subject) ?? IdentityClient.parseIdentity(cert)
-    )
+      // Guard if certificates might be absent
+      const certs = certificatesResult?.certificates ?? []
+
+      // Parse certificates and substitute with contacts where available
+      return certs.map(
+        (cert) =>
+          contactByKey.get(cert.subject) ?? IdentityClient.parseIdentity(cert)
+      )
+    } catch (error: unknown) {
+      // Fallback to LookupResolver if no wallet is available
+      const errorMessage = error instanceof Error ? error.message : ''
+      if (errorMessage.includes('No wallet available')) {
+        const certificates = await this.resolveViaLookup({ attributes: args.attributes })
+        return certificates.map((cert) => IdentityClient.parseIdentity(cert))
+      }
+      throw error
+    }
+  }
+
+  /**
+   * Fallback method to resolve identity certificates via LookupResolver when no wallet is available.
+   * Uses the ls_identity overlay with a default SocialCert certifier.
+   *
+   * @param query - Query parameters: either identityKey or attributes
+   * @returns {Promise<IdentityCertificate[]>} Array of identity certificates
+   */
+  private async resolveViaLookup (
+    query: { identityKey?: PubKeyHex, attributes?: Record<string, string> }
+  ): Promise<IdentityCertificate[]> {
+    const resolver = new LookupResolver({ networkPreset: 'mainnet' })
+
+    // Build the lookup query based on what was provided
+    const lookupQuery: Record<string, any> = {
+      certifiers: [DEFAULT_CERTIFIER]
+    }
+
+    if (query.identityKey !== undefined) {
+      lookupQuery.identityKey = query.identityKey
+    } else if (query.attributes !== undefined) {
+      // For attribute search, use the 'any' matcher for flexible matching
+      const attributeValues = Object.values(query.attributes)
+      if (attributeValues.length === 1) {
+        lookupQuery.attributes = { any: attributeValues[0] }
+      } else {
+        lookupQuery.attributes = query.attributes
+      }
+    }
+
+    const lookupResult = await resolver.query({
+      service: 'ls_identity',
+      query: lookupQuery
+    })
+
+    if (lookupResult.type !== 'output-list' || lookupResult.outputs.length === 0) {
+      return []
+    }
+
+    const certificates: IdentityCertificate[] = []
+    const anyoneWallet = new ProtoWallet('anyone')
+
+    for (const output of lookupResult.outputs) {
+      try {
+        const tx = Transaction.fromBEEF(output.beef)
+        const decodedOutput = PushDrop.decode(tx.outputs[output.outputIndex].lockingScript)
+        const certData = JSON.parse(Utils.toUTF8(decodedOutput.fields[0]))
+
+        const verifiableCert = new VerifiableCertificate(
+          certData.type,
+          certData.serialNumber,
+          certData.subject,
+          certData.certifier,
+          certData.revocationOutpoint,
+          certData.fields,
+          certData.keyring,
+          certData.signature
+        )
+
+        // Decrypt fields using 'anyone' wallet for publicly revealed certificates
+        const decryptedFields = await verifiableCert.decryptFields(anyoneWallet)
+
+        // Verify the certificate is valid
+        await verifiableCert.verify()
+
+        // Construct IdentityCertificate with default certifier info
+        const identityCert: IdentityCertificate = {
+          type: certData.type,
+          serialNumber: certData.serialNumber,
+          subject: certData.subject,
+          certifier: certData.certifier,
+          revocationOutpoint: certData.revocationOutpoint,
+          fields: certData.fields,
+          signature: certData.signature,
+          certifierInfo: {
+            name: 'SocialCert',
+            iconUrl: 'https://socialcert.net/favicon.ico',
+            description: 'Social identity verification',
+            trust: 5
+          },
+          publiclyRevealedKeyring: certData.keyring,
+          decryptedFields
+        }
+
+        certificates.push(identityCert)
+      } catch (e) {
+        // Skip invalid certificates and continue processing
+        continue
+      }
+    }
+
+    return certificates
   }
 
   /**

package/src/identity/__tests/IdentityClient.test.ts

@@ -15,14 +15,41 @@ jest.mock('../../script', () => {
   }
 })
 
+// Store mock functions for LookupResolver so tests can configure them
+const mockLookupResolverQuery = jest.fn()
+
 jest.mock('../../overlay-tools/index.js', () => {
   return {
     TopicBroadcaster: jest.fn().mockImplementation(() => ({
       broadcast: jest.fn().mockResolvedValue('broadcastResult')
+    })),
+    LookupResolver: jest.fn().mockImplementation(() => ({
+      query: mockLookupResolverQuery
+    }))
+  }
+})
+
+// Mock VerifiableCertificate for resolveViaLookup tests
+const mockDecryptFields = jest.fn()
+const mockVerify = jest.fn()
+
+jest.mock('../../auth/certificates/VerifiableCertificate.js', () => {
+  return {
+    VerifiableCertificate: jest.fn().mockImplementation(() => ({
+      decryptFields: mockDecryptFields,
+      verify: mockVerify
     }))
   }
 })
 
+// Mock ProtoWallet for resolveViaLookup tests
+jest.mock('../../wallet/ProtoWallet.js', () => {
+  return {
+    __esModule: true,
+    default: jest.fn().mockImplementation(() => ({}))
+  }
+})
+
 jest.mock('../../transaction/index.js', () => {
   return {
     Transaction: {
@@ -267,6 +294,187 @@ describe('IdentityClient', () => {
       // Wallet method should not be called when contact is found
       expect(walletMock.discoverByIdentityKey).not.toHaveBeenCalled()
     })
+
+    it('should fallback to LookupResolver when no wallet is available', async () => {
+      // Mock wallet methods to throw "No wallet available" error
+      walletMock.discoverByIdentityKey = jest.fn().mockRejectedValue(
+        new Error('No wallet available over any communication substrate. Install a BSV wallet today!')
+      )
+
+      // Mock ContactsManager to also throw (since it requires wallet)
+      const mockContactsManager = identityClient['contactsManager']
+      mockContactsManager.getContacts = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      // Setup mock certificate data that would come from lookup
+      const certData = {
+        type: KNOWN_IDENTITY_TYPES.xCert,
+        serialNumber: 'serial123',
+        subject: 'test-identity-key',
+        certifier: '02cf6cdf466951d8dfc9e7c9367511d0007ed6fba35ed42d425cc412fd6cfd4a17',
+        revocationOutpoint: 'outpoint',
+        fields: { userName: 'encrypted', profilePhoto: 'encrypted' },
+        keyring: { fieldKey: 'keyringValue' },
+        signature: 'sig123'
+      }
+
+      // Mock LookupResolver to return output-list with certificate data
+      mockLookupResolverQuery.mockResolvedValue({
+        type: 'output-list',
+        outputs: [{
+          beef: new Uint8Array([1, 2, 3]),
+          outputIndex: 0
+        }]
+      })
+
+      // Mock PushDrop.decode to return certificate JSON
+      const { PushDrop } = require('../../script')
+      PushDrop.decode.mockReturnValue({
+        fields: [new TextEncoder().encode(JSON.stringify(certData))]
+      })
+
+      // Mock VerifiableCertificate methods
+      mockDecryptFields.mockResolvedValue({
+        userName: 'TestUser',
+        profilePhoto: 'test-photo-url'
+      })
+      mockVerify.mockResolvedValue(true)
+
+      const identities = await identityClient.resolveByIdentityKey(
+        { identityKey: 'test-identity-key' },
+        false // Don't override with contacts
+      )
+
+      // Verify wallet was called and threw
+      expect(walletMock.discoverByIdentityKey).toHaveBeenCalled()
+
+      // Verify LookupResolver was queried
+      expect(mockLookupResolverQuery).toHaveBeenCalledWith({
+        service: 'ls_identity',
+        query: {
+          certifiers: ['02cf6cdf466951d8dfc9e7c9367511d0007ed6fba35ed42d425cc412fd6cfd4a17'],
+          identityKey: 'test-identity-key'
+        }
+      })
+
+      // Verify results were returned from fallback
+      expect(identities).toHaveLength(1)
+      expect(identities[0].name).toBe('TestUser')
+      expect(identities[0].identityKey).toBe('test-identity-key')
+    })
+
+    it('should return empty array when LookupResolver returns no results', async () => {
+      walletMock.discoverByIdentityKey = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      const mockContactsManager = identityClient['contactsManager']
+      mockContactsManager.getContacts = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      // Mock LookupResolver to return empty results
+      mockLookupResolverQuery.mockResolvedValue({
+        type: 'output-list',
+        outputs: []
+      })
+
+      const identities = await identityClient.resolveByIdentityKey(
+        { identityKey: 'nonexistent-key' },
+        false
+      )
+
+      expect(identities).toHaveLength(0)
+    })
+
+    it('should return empty array when LookupResolver returns non-output-list type', async () => {
+      walletMock.discoverByIdentityKey = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      const mockContactsManager = identityClient['contactsManager']
+      mockContactsManager.getContacts = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      // Mock LookupResolver to return different type
+      mockLookupResolverQuery.mockResolvedValue({
+        type: 'freeform',
+        result: {}
+      })
+
+      const identities = await identityClient.resolveByIdentityKey(
+        { identityKey: 'some-key' },
+        false
+      )
+
+      expect(identities).toHaveLength(0)
+    })
+
+    it('should skip invalid certificates and continue processing', async () => {
+      walletMock.discoverByIdentityKey = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      const mockContactsManager = identityClient['contactsManager']
+      mockContactsManager.getContacts = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      // Mock LookupResolver to return multiple outputs
+      mockLookupResolverQuery.mockResolvedValue({
+        type: 'output-list',
+        outputs: [
+          { beef: new Uint8Array([1]), outputIndex: 0 },
+          { beef: new Uint8Array([2]), outputIndex: 0 }
+        ]
+      })
+
+      // First call throws (invalid cert), second succeeds
+      const { PushDrop } = require('../../script')
+      PushDrop.decode
+        .mockImplementationOnce(() => { throw new Error('Invalid script') })
+        .mockImplementationOnce(() => ({
+          fields: [new TextEncoder().encode(JSON.stringify({
+            type: KNOWN_IDENTITY_TYPES.xCert,
+            serialNumber: 'serial',
+            subject: 'valid-key',
+            certifier: 'certifier',
+            revocationOutpoint: 'outpoint',
+            fields: {},
+            keyring: {},
+            signature: 'sig'
+          }))]
+        }))
+
+      mockDecryptFields.mockResolvedValue({ userName: 'ValidUser' })
+      mockVerify.mockResolvedValue(true)
+
+      const identities = await identityClient.resolveByIdentityKey(
+        { identityKey: 'some-key' },
+        false
+      )
+
+      // Should have 1 identity (the valid one)
+      expect(identities).toHaveLength(1)
+      expect(identities[0].name).toBe('ValidUser')
+    })
+
+    it('should re-throw non-wallet errors', async () => {
+      walletMock.discoverByIdentityKey = jest.fn().mockRejectedValue(
+        new Error('Network timeout')
+      )
+
+      const mockContactsManager = identityClient['contactsManager']
+      mockContactsManager.getContacts = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      await expect(
+        identityClient.resolveByIdentityKey({ identityKey: 'test-key' }, false)
+      ).rejects.toThrow('Network timeout')
+    })
   })
 
   it('should throw if createAction returns no tx', async () => {
@@ -367,7 +575,11 @@ describe('IdentityClient', () => {
         {
           name: 'Alice Smith',
           identityKey: 'alice-key',
-          avatarURL: '', abbreviatedKey: 'alice-i...', badgeIconURL: '', badgeLabel: '', badgeClickURL: ''
+          avatarURL: '',
+          abbreviatedKey: 'alice-i...',
+          badgeIconURL: '',
+          badgeLabel: '',
+          badgeClickURL: ''
         }
       ]
 
@@ -416,6 +628,82 @@ describe('IdentityClient', () => {
       expect(identities[0].name).toBe('alice@example.com') // Should be discovered identity, not contact
       expect(mockContactsManager.getContacts).not.toHaveBeenCalled() // Should not fetch contacts
     })
+
+    it('should fallback to LookupResolver when no wallet is available for attribute search', async () => {
+      walletMock.discoverByAttributes = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      // Setup mock certificate data
+      const certData = {
+        type: KNOWN_IDENTITY_TYPES.emailCert,
+        serialNumber: 'serial123',
+        subject: 'found-identity-key',
+        certifier: '02cf6cdf466951d8dfc9e7c9367511d0007ed6fba35ed42d425cc412fd6cfd4a17',
+        revocationOutpoint: 'outpoint',
+        fields: { email: 'encrypted' },
+        keyring: { fieldKey: 'keyringValue' },
+        signature: 'sig123'
+      }
+
+      mockLookupResolverQuery.mockResolvedValue({
+        type: 'output-list',
+        outputs: [{
+          beef: new Uint8Array([1, 2, 3]),
+          outputIndex: 0
+        }]
+      })
+
+      const { PushDrop } = require('../../script')
+      PushDrop.decode.mockReturnValue({
+        fields: [new TextEncoder().encode(JSON.stringify(certData))]
+      })
+
+      mockDecryptFields.mockResolvedValue({ email: 'found@example.com' })
+      mockVerify.mockResolvedValue(true)
+
+      const identities = await identityClient.resolveByAttributes(
+        { attributes: { email: 'found@example.com' } },
+        false
+      )
+
+      // Verify LookupResolver was queried with attributes
+      expect(mockLookupResolverQuery).toHaveBeenCalledWith({
+        service: 'ls_identity',
+        query: {
+          certifiers: ['02cf6cdf466951d8dfc9e7c9367511d0007ed6fba35ed42d425cc412fd6cfd4a17'],
+          attributes: { any: 'found@example.com' }
+        }
+      })
+
+      expect(identities).toHaveLength(1)
+      expect(identities[0].name).toBe('found@example.com')
+    })
+
+    it('should use multi-attribute query when multiple attributes provided', async () => {
+      walletMock.discoverByAttributes = jest.fn().mockRejectedValue(
+        new Error('No wallet available')
+      )
+
+      mockLookupResolverQuery.mockResolvedValue({
+        type: 'output-list',
+        outputs: []
+      })
+
+      await identityClient.resolveByAttributes(
+        { attributes: { firstName: 'John', lastName: 'Doe' } },
+        false
+      )
+
+      // Verify query uses full attributes object when more than one
+      expect(mockLookupResolverQuery).toHaveBeenCalledWith({
+        service: 'ls_identity',
+        query: {
+          certifiers: ['02cf6cdf466951d8dfc9e7c9367511d0007ed6fba35ed42d425cc412fd6cfd4a17'],
+          attributes: { firstName: 'John', lastName: 'Doe' }
+        }
+      })
+    })
   })
 
   describe('parseIdentity', () => {

package/src/primitives/BigNumber.ts

@@ -1305,47 +1305,43 @@ export default class BigNumber {
    * @param p - The `BigNumber` specifying the modulus field.
    * @returns The multiplicative inverse `BigNumber` in the modulus field specified by `p`.
    */
+  /**
+   * SECURITY NOTE:
+   * This implementation avoids variable-time extended Euclidean algorithms
+   * to reduce timing side-channel leakage. However, JavaScript BigInt arithmetic
+   * does not provide constant-time guarantees. This implementation is suitable
+   * for browser and single-tenant environments but is not hardened against
+   * high-resolution timing attacks in shared CPU contexts.
+  */
   _invmp (p: BigNumber): BigNumber {
     this.assert(p._sign === 0, 'p must not be negative for _invmp')
     this.assert(!p.isZero(), 'p must not be zero for _invmp')
 
-    const aBN: BigNumber = this.umod(p)
-
-    let aVal = aBN._magnitude
-    let bVal = p._magnitude
-    let x1Val = 1n
-    let x2Val = 0n
-    const modulus = p._magnitude
+    // Fermat inversion: a^(p-2) mod p
+    // NOTE: This assumes p is prime (true for all cryptographic use cases here).
+    // This avoids variable-time EEA loops but BigInt arithmetic itself
+    // is not constant-time (documented limitation).
 
-    while (aVal > 1n && bVal > 1n) {
-      let i = 0; while (((aVal >> BigInt(i)) & 1n) === 0n) i++
-      if (i > 0) {
-        aVal >>= BigInt(i)
-        for (let k = 0; k < i; ++k) { if ((x1Val & 1n) !== 0n) x1Val += modulus; x1Val >>= 1n }
-      }
+    const a = this.umod(p)
+    const exp = p.subn(2)
 
-      let j = 0; while (((bVal >> BigInt(j)) & 1n) === 0n) j++
-      if (j > 0) {
-        bVal >>= BigInt(j)
-        for (let k = 0; k < j; ++k) { if ((x2Val & 1n) !== 0n) x2Val += modulus; x2Val >>= 1n }
-      }
-
-      if (aVal >= bVal) { aVal -= bVal; x1Val -= x2Val } else { bVal -= aVal; x2Val -= x1Val }
+    // Use modular exponentiation via ReductionContext if available
+    if (a.red !== null) {
+      return a.redPow(exp)
     }
 
-    let resultVal: bigint
-    if (aVal === 1n) resultVal = x1Val
-    else if (bVal === 1n) resultVal = x2Val
-    else if (aVal === 0n && bVal === 1n) resultVal = x2Val
-    else if (bVal === 0n && aVal === 1n) resultVal = x1Val
-    else throw new Error('_invmp: GCD is not 1, inverse does not exist. aVal=' + aVal + ', bVal=' + bVal)
+    // Fallback: non-reduction context modular exponentiation
+    let result = new BigNumber(1n)
+    let base = a.clone()
+    const e = exp.clone()
 
-    resultVal %= modulus
-    if (resultVal < 0n) resultVal += modulus
+    while (!e.isZero()) {
+      if (e.isOdd()) result = result.mul(base).umod(p)
+      base = base.sqr().umod(p)
+      e.iushrn(1)
+    }
 
-    const resultBN = new BigNumber(0n)
-    resultBN._initializeState(resultVal, 0)
-    return resultBN
+    return result
   }
 
   /**