@docknetwork/wallet-sdk-wasm 1.7.0 → 1.7.7-alpha.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/index.js +1 -0
- package/lib/index.mjs +1 -0
- package/lib/modules/network-manager.js +15 -12
- package/lib/modules/network-manager.mjs +15 -12
- package/lib/rpc-server.js +1 -0
- package/lib/rpc-server.mjs +1 -0
- package/lib/services/blockchain/service.js +22 -9
- package/lib/services/blockchain/service.mjs +23 -10
- package/lib/services/credential/bound-check.js +1 -1
- package/lib/services/credential/bound-check.mjs +1 -1
- package/lib/services/credential/delegatable-credentials.js +300 -0
- package/lib/services/credential/delegatable-credentials.mjs +263 -0
- package/lib/services/credential/index.js +39 -0
- package/lib/services/credential/index.mjs +4 -0
- package/lib/services/credential/pex-helpers.js +4 -4
- package/lib/services/credential/pex-helpers.mjs +4 -4
- package/lib/services/edv/index.js +1 -0
- package/lib/services/edv/index.mjs +1 -0
- package/lib/services/edv/service-rpc.js +23 -0
- package/lib/services/edv/service-rpc.mjs +23 -0
- package/lib/services/edv/service.js +81 -1
- package/lib/services/edv/service.mjs +78 -2
- package/lib/services/index.js +1 -0
- package/lib/services/index.mjs +1 -0
- package/lib/services/pex/config.js +4 -0
- package/lib/services/pex/config.mjs +4 -0
- package/lib/services/pex/service-rpc.js +4 -0
- package/lib/services/pex/service-rpc.mjs +4 -0
- package/lib/services/pex/service.js +7 -0
- package/lib/services/pex/service.mjs +7 -0
- package/lib/setup-nodejs.js +1 -0
- package/lib/setup-nodejs.mjs +1 -0
- package/lib/setup-tests.js +1 -0
- package/lib/setup-tests.mjs +1 -0
- package/lib/src/modules/event-manager.d.ts +0 -1
- package/lib/src/modules/event-manager.d.ts.map +1 -1
- package/lib/src/modules/network-manager.d.ts +2 -4
- package/lib/src/modules/network-manager.d.ts.map +1 -1
- package/lib/src/services/blockchain/configs.d.ts +1 -2
- package/lib/src/services/blockchain/configs.d.ts.map +1 -1
- package/lib/src/services/blockchain/service.d.ts +4 -3
- package/lib/src/services/blockchain/service.d.ts.map +1 -1
- package/lib/src/services/credential/bbs-revocation.d.ts +1 -1
- package/lib/src/services/credential/bbs-revocation.d.ts.map +1 -1
- package/lib/src/services/credential/bound-check.d.ts.map +1 -1
- package/lib/src/services/credential/delegatable-credentials.d.ts +272 -0
- package/lib/src/services/credential/delegatable-credentials.d.ts.map +1 -0
- package/lib/src/services/credential/index.d.ts +1 -0
- package/lib/src/services/credential/index.d.ts.map +1 -1
- package/lib/src/services/credential/pex-helpers.d.ts +2 -2
- package/lib/src/services/credential/pex-helpers.d.ts.map +1 -1
- package/lib/src/services/dids/keypair-utils.d.ts +2 -2
- package/lib/src/services/dids/keypair-utils.d.ts.map +1 -1
- package/lib/src/services/dids/service.d.ts +35 -3
- package/lib/src/services/dids/service.d.ts.map +1 -1
- package/lib/src/services/edv/service.d.ts +50 -1
- package/lib/src/services/edv/service.d.ts.map +1 -1
- package/lib/src/services/pex/config.d.ts +1 -0
- package/lib/src/services/pex/config.d.ts.map +1 -1
- package/lib/src/services/pex/service.d.ts +1 -0
- package/lib/src/services/pex/service.d.ts.map +1 -1
- package/lib/src/services/relay-service/service.d.ts +19 -7
- package/lib/src/services/relay-service/service.d.ts.map +1 -1
- package/lib/src/services/storage/service.d.ts.map +1 -1
- package/lib/src/services/util-crypto/service.d.ts +2 -2
- package/lib/src/services/util-crypto/service.d.ts.map +1 -1
- package/lib/tsconfig.tsbuildinfo +1 -1
- package/package.json +36 -16
- package/rollup.config.mjs +5 -3
- package/src/globals.d.ts +3 -0
- package/src/modules/network-manager.ts +15 -14
- package/src/services/blockchain/configs.ts +1 -2
- package/src/services/blockchain/service.ts +26 -10
- package/src/services/credential/bound-check.ts +1 -1
- package/src/services/credential/delegatable-credentials.ts +409 -0
- package/src/services/credential/index.ts +16 -0
- package/src/services/credential/pex-helpers.js +4 -4
- package/src/services/credential/pex-helpers.test.js +2 -2
- package/src/services/edv/index.test.js +229 -0
- package/src/services/edv/service-rpc.js +23 -0
- package/src/services/edv/service.ts +119 -0
- package/src/services/pex/config.ts +4 -0
- package/src/services/pex/service-rpc.js +4 -0
- package/src/services/pex/service.ts +13 -0
- package/src/services/pex/tests/pex-service.test.js +210 -0
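--- /dev/null
+++ b/package/lib/services/credential/delegatable-credentials.mjs
@@ -0,0 +1,263 @@
+import * as cedar from '@cedar-policy/cedar-wasm/nodejs';
+export { cedar };
+import { issueCredential, signPresentation, documentLoader, verifyPresentation } from '@docknetwork/credential-sdk/vc';
+import { MAY_CLAIM_IRI } from '@docknetwork/vc-delegation-engine';
+export { MAY_CLAIM_IRI } from '@docknetwork/vc-delegation-engine';
+import { getKeypairFromDoc } from '@docknetwork/universal-wallet/methods/keypairs';
+import { blockchainService } from '../blockchain/service.mjs';
+import '@cosmjs/proto-signing';
+import '@docknetwork/cheqd-blockchain-api';
+import '@docknetwork/cheqd-blockchain-modules';
+import '@docknetwork/credential-sdk/modules';
+import '@docknetwork/credential-sdk/resolver';
+import '@docknetwork/crypto-wasm-ts/lib/index';
+import 'events';
+import '../../core/logger.mjs';
+import '../../modules/event-manager.mjs';
+import 'assert';
+import '../util-crypto/service.mjs';
+import '@docknetwork/credential-sdk/utils';
+import '@scure/bip39';
+import '@scure/bip39/wordlists/english';
+import '../util-crypto/configs.mjs';
+import '@docknetwork/credential-sdk/types';
+import '../blockchain/cached-did-resolver.mjs';
+import '../storage/index.mjs';
+import '../storage/service.mjs';
+import '../storage/service-rpc.mjs';
+import '../rpc-service-client.mjs';
+import '../../rpc-client.mjs';
+import 'json-rpc-2.0';
+import '../../core/crypto.mjs';
+import 'crypto';
+import '../../logger.mjs';
+import '../../rpc-util.mjs';
+
+// @ts-nocheck
+/**
+* Prepares a key document for signing by creating a proper keypair with signer capability
+* @param keyDoc - The key document with id, controller, type, and key material
+* @returns A key document with an active signer
+*/
+function prepareKeyForSigning(keyDoc) {
+const kp = getKeypairFromDoc(keyDoc);
+// Get the signer from the keypair - this returns an object with id and sign method
+const signer = kp.signer();
+// Set the id on the signer to match the verification method
+signer.id = keyDoc.id;
+return {
+...keyDoc,
+keypair: kp,
+signer,
+};
+}
+/**
+* W3C Credentials V1 context URL
+*/
+const W3C_CREDENTIALS_V1 = 'https://www.w3.org/2018/credentials/v1';
+/**
+* Namespace used by the vc-delegation-engine for delegation properties
+*/
+const DELEGATION_ENGINE_NS = 'https://ld.truvera.io/credentials/delegation#';
+/**
+* Base delegation context terms required for delegation credentials.
+* These terms define the JSON-LD mappings needed for the vc-delegation-engine
+* to properly process delegation chains.
+*
+* Use this as a base and extend with your own application-specific terms:
+* @example
+* const myContext = [
+* W3C_CREDENTIALS_V1,
+* {
+* ...DELEGATION_CONTEXT_TERMS,
+* // Add your custom terms here
+* MyCredentialType: 'https://example.org/MyCredentialType',
+* myField: 'https://example.org/myField',
+* },
+* ];
+*/
+const DELEGATION_CONTEXT_TERMS = {
+'@version': 1.1,
+'@protected': true,
+DelegationCredential: `${DELEGATION_ENGINE_NS}DelegationCredential`,
+mayClaim: { '@id': MAY_CLAIM_IRI, '@container': '@set' },
+rootCredentialId: { '@id': `${DELEGATION_ENGINE_NS}rootCredentialId`, '@type': '@id' },
+previousCredentialId: { '@id': `${DELEGATION_ENGINE_NS}previousCredentialId`, '@type': '@id' },
+};
+/**
+* Default context for verifiable presentations
+*/
+const PRESENTATION_CONTEXT = [W3C_CREDENTIALS_V1];
+/**
+* Issues a delegation credential that grants authority to a delegate
+* @param keyPair - The key pair to sign the credential
+* @param params - Delegation parameters
+* @returns Signed delegation credential
+*/
+async function issueDelegationCredential(keyPair, credential) {
+const preparedKey = prepareKeyForSigning(keyPair);
+return issueCredential(preparedKey, credential);
+}
+/**
+* Issues a credential as a delegate (with delegation chain reference)
+* @param keyPair - The delegate's key pair to sign the credential
+* @param params - Credential parameters
+* @returns Signed credential
+*/
+async function issueDelegatedCredential(keyPair, credential) {
+const preparedKey = prepareKeyForSigning(keyPair);
+return issueCredential(preparedKey, credential);
+}
+/**
+* Creates and signs a verifiable presentation with delegation credentials
+* @param keyPair - The key pair to sign the presentation
+* @param params - Presentation parameters
+* @returns Signed verifiable presentation
+*/
+async function createSignedPresentation(keyPair, params) {
+const { credentials, holderDid, challenge, domain, context = PRESENTATION_CONTEXT, } = params;
+const presentation = {
+'@context': context,
+type: ['VerifiablePresentation'],
+holder: holderDid,
+verifiableCredential: credentials,
+};
+// Create key document for signing with proper keypair
+const keyDoc = {
+...keyPair,
+id: keyPair.id || `${holderDid}#keys-1`,
+controller: keyPair.controller || holderDid,
+};
+const preparedKey = prepareKeyForSigning(keyDoc);
+return signPresentation(presentation, preparedKey, challenge, domain);
+}
+/**
+* Verifies a verifiable presentation with optional delegation chain validation
+* Uses the credential-sdk's verifyPresentation which automatically:
+* 1. Verifies the presentation signature
+* 2. Verifies all credentials
+* 3. Detects delegation credentials
+* 4. Validates the delegation chain
+* 5. Applies Cedar policies if provided
+*
+* @param vp - The verifiable presentation to verify
+* @param options - Verification options
+* @returns Verification result with delegation info if applicable
+*/
+async function verifyDelegatablePresentation(vp, options = {}) {
+const { challenge = vp.proof?.challenge || 'default-challenge', domain = vp.proof?.domain || 'default-domain', unsignedPresentation = false, failOnUnauthorizedClaims = true, policies, } = options;
+const verifyOptions = {
+challenge,
+domain,
+documentLoader: documentLoader(blockchainService.resolver),
+unsignedPresentation,
+failOnUnauthorizedClaims,
+};
+// Add Cedar authorization if policies are provided
+if (policies) {
+verifyOptions.cedarAuth = {
+policies,
+cedar,
+};
+}
+return verifyPresentation(vp, verifyOptions);
+}
+/**
+* Creates a Cedar policy for delegation verification
+* @param config - Policy configuration
+* @returns Cedar policy object
+*/
+function createCedarPolicy(config) {
+const { maxDepth = 2, rootIssuer, requiredClaims = {} } = config;
+let claimsConditions = '';
+for (const [key, value] of Object.entries(requiredClaims)) {
+if (typeof value === 'number') {
+claimsConditions += ` &&\n context.authorizedClaims.${key} >= ${value}`;
+}
+else if (typeof value === 'string') {
+claimsConditions += ` &&\n context.authorizedClaims.${key} == "${value}"`;
+}
+}
+const policyText = `
+permit(
+principal in Credential::Chain::"Action:Verify",
+action == Credential::Action::"Verify",
+resource
+) when {
+principal == context.vpSigner &&
+context.tailDepth <= ${maxDepth} &&
+context.rootIssuer == Credential::Actor::"${rootIssuer}"${claimsConditions}
+};
+`;
+return { staticPolicies: policyText };
+}
+/**
+* Creates an unsigned verifiable presentation (for testing)
+* @param credentials - Array of credentials to include
+* @param proof - Optional proof object
+* @param context - Optional context
+* @returns Verifiable presentation object
+*/
+function createUnsignedPresentation(credentials, proof, context = PRESENTATION_CONTEXT) {
+const vp = {
+'@context': context,
+type: ['VerifiablePresentation'],
+verifiableCredential: credentials,
+};
+if (proof) {
+vp.proof = proof;
+}
+return vp;
+}
+/**
+* Service class for delegatable credentials operations
+*/
+class DelegatableCredentialsService {
+name = 'delegatable-credentials';
+rpcMethods = [
+DelegatableCredentialsService.prototype.issueDelegation,
+DelegatableCredentialsService.prototype.issueDelegatedCredential,
+DelegatableCredentialsService.prototype.createPresentation,
+DelegatableCredentialsService.prototype.verifyPresentation,
+DelegatableCredentialsService.prototype.createPolicy,
+];
+/**
+* Issues a delegation credential
+*/
+async issueDelegation(params) {
+return issueDelegationCredential(params.keyPair, params);
+}
+/**
+* Issues a credential as a delegate
+*/
+async issueDelegatedCredential(params) {
+return issueDelegatedCredential(params.keyPair, params);
+}
+/**
+* Creates and signs a verifiable presentation
+*/
+async createPresentation(params) {
+return createSignedPresentation(params.keyPair, params);
+}
+/**
+* Verifies a verifiable presentation with delegation chain
+*/
+async verifyPresentation(params) {
+return verifyDelegatablePresentation(params.presentation, {
+challenge: params.challenge,
+domain: params.domain,
+unsignedPresentation: params.unsignedPresentation,
+failOnUnauthorizedClaims: params.failOnUnauthorizedClaims,
+policies: params.policies,
+});
+}
+/**
+* Creates a Cedar policy for delegation verification
+*/
+createPolicy(params) {
+return createCedarPolicy(params);
+}
+}
+const delegatableCredentialsService = new DelegatableCredentialsService();
+
+export { DELEGATION_CONTEXT_TERMS, DELEGATION_ENGINE_NS, PRESENTATION_CONTEXT, W3C_CREDENTIALS_V1, createCedarPolicy, createSignedPresentation, createUnsignedPresentation, delegatableCredentialsService, issueDelegatedCredential, issueDelegationCredential, verifyDelegatablePresentation };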
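Review bot: `createCedarPolicy` (new-file lines 170–193) splices `rootIssuer`, every `requiredClaims` key and every string value directly into Cedar policy text, so a `"` or line break in any of them terminates the string literal and alters the `when` clause — a policy-injection path whenever part of `config` is caller- or network-supplied — and `maxDepth` is interpolated the same way without being checked as an integer. The rewrite below validates each interpolated fragment and throws otherwise; the policy template itself is unchanged. Separately, `issueDelegation` and `issueDelegatedCredential` (lines 227–235) hand the whole `params` object, `keyPair` included, to `issueCredential` as the credential body, so unless the SDK strips unknown properties the signing key document ends up inside the signed credential — `const { keyPair, ...credential } = params; return issueDelegationCredential(keyPair, credential);` avoids that. Finally, `verifyDelegatablePresentation` (line 148) defaults `challenge` and `domain` to the values carried in `vp.proof` and then to fixed strings, which lets a presentation supply its own challenge and removes the replay protection the challenge exists for; the verifier should pass the challenge it issued, e.g. `if (options.challenge == null) throw new Error('challenge is required');` in place of the proof-derived default.
```javascript
function createCedarPolicy(config) {
  const { maxDepth = 2, rootIssuer, requiredClaims = {} } = config;
  // Everything interpolated below lands inside Cedar policy text, so reject any
  // fragment that could end a string literal or change the policy's structure.
  const hasOnlySafeChars = (s) => typeof s === 'string' && !/["\\\r\n]/.test(s);
  const isIdentifier = (k) => /^[A-Za-z_][A-Za-z0-9_]*$/.test(k);
  if (!Number.isInteger(maxDepth) || maxDepth < 0) {
    throw new Error('maxDepth must be a non-negative integer');
  }
  if (!hasOnlySafeChars(rootIssuer) || rootIssuer.length === 0) {
    throw new Error('rootIssuer must be a non-empty string without quotes, backslashes or line breaks');
  }
  let claimsConditions = '';
  for (const [key, value] of Object.entries(requiredClaims)) {
    if (!isIdentifier(key)) {
      throw new Error(`requiredClaims key is not a valid attribute name: ${key}`);
    }
    if (typeof value === 'number') {
      // Cedar's built-in numeric type is an integer Long; anything else will not parse.
      if (!Number.isInteger(value)) {
        throw new Error(`requiredClaims.${key} must be an integer`);
      }
      claimsConditions += ` &&\n context.authorizedClaims.${key} >= ${value}`;
    } else if (typeof value === 'string') {
      if (!hasOnlySafeChars(value)) {
        throw new Error(`requiredClaims.${key} contains characters not allowed in a policy literal`);
      }
      claimsConditions += ` &&\n context.authorizedClaims.${key} == "${value}"`;
    }
  }
  // … unchanged: policyText template and `return { staticPolicies: policyText }` …
}
```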
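--- a/package/lib/services/credential/index.js
+++ b/package/lib/services/credential/index.js
@@ -3,6 +3,9 @@
 Object.defineProperty(exports, '__esModule', { value: true });
 
 var services_credential_service = require('./service.js');
+var services_credential_delegatableCredentials = require('./delegatable-credentials.js');
+var cedar = require('@cedar-policy/cedar-wasm/nodejs');
+var vcDelegationEngine = require('@docknetwork/vc-delegation-engine');
 require('./config.js');
 require('assert');
 require('@docknetwork/crypto-wasm-ts');
@@ -60,8 +63,44 @@ require('./sd-jwt.js');
 require('@sd-jwt/sd-jwt-vc');
 require('@sd-jwt/crypto-nodejs');
 
+function _interopNamespace(e) {
+if (e && e.__esModule) return e;
+var n = Object.create(null);
+if (e) {
+Object.keys(e).forEach(function (k) {
+if (k !== 'default') {
+var d = Object.getOwnPropertyDescriptor(e, k);
+Object.defineProperty(n, k, d.get ? d : {
+enumerable: true,
+get: function () { return e[k]; }
+});
+}
+});
+}
+n["default"] = e;
+return Object.freeze(n);
+}
+
+var cedar__namespace = /*#__PURE__*/_interopNamespace(cedar);
+
 // @ts-nocheck
 // TODO: rename it to credentialService, will need to update dock-app
 const credentialServiceRPC = services_credential_service.credentialService;
 
+exports.DELEGATION_CONTEXT_TERMS = services_credential_delegatableCredentials.DELEGATION_CONTEXT_TERMS;
+exports.DELEGATION_ENGINE_NS = services_credential_delegatableCredentials.DELEGATION_ENGINE_NS;
+exports.PRESENTATION_CONTEXT = services_credential_delegatableCredentials.PRESENTATION_CONTEXT;
+exports.W3C_CREDENTIALS_V1 = services_credential_delegatableCredentials.W3C_CREDENTIALS_V1;
+exports.createCedarPolicy = services_credential_delegatableCredentials.createCedarPolicy;
+exports.createSignedPresentation = services_credential_delegatableCredentials.createSignedPresentation;
+exports.createUnsignedPresentation = services_credential_delegatableCredentials.createUnsignedPresentation;
+exports.delegatableCredentialsService = services_credential_delegatableCredentials.delegatableCredentialsService;
+exports.issueDelegatedCredential = services_credential_delegatableCredentials.issueDelegatedCredential;
+exports.issueDelegationCredential = services_credential_delegatableCredentials.issueDelegationCredential;
+exports.verifyDelegatablePresentation = services_credential_delegatableCredentials.verifyDelegatablePresentation;
+exports.cedar = cedar__namespace;
+Object.defineProperty(exports, 'MAY_CLAIM_IRI', {
+enumerable: true,
+get: function () { return vcDelegationEngine.MAY_CLAIM_IRI; }
+});
 exports.credentialServiceRPC = credentialServiceRPC;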
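--- a/package/lib/services/credential/index.mjs
+++ b/package/lib/services/credential/index.mjs
@@ -1,4 +1,8 @@
 import { credentialService } from './service.mjs';
+export { DELEGATION_CONTEXT_TERMS, DELEGATION_ENGINE_NS, PRESENTATION_CONTEXT, W3C_CREDENTIALS_V1, createCedarPolicy, createSignedPresentation, createUnsignedPresentation, delegatableCredentialsService, issueDelegatedCredential, issueDelegationCredential, verifyDelegatablePresentation } from './delegatable-credentials.mjs';
+import * as cedar from '@cedar-policy/cedar-wasm/nodejs';
+export { cedar };
+export { MAY_CLAIM_IRI } from '@docknetwork/vc-delegation-engine';
 import './config.mjs';
 import 'assert';
 import '@docknetwork/crypto-wasm-ts';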
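--- a/package/lib/services/credential/pex-helpers.js
+++ b/package/lib/services/credential/pex-helpers.js
@@ -9,10 +9,10 @@ const EPSILON_INT = 1;
 
 const MAX_DATE_PLACEHOLDER = 884541351600000;
 const MIN_DATE_PLACEHOLDER = -17592186044415;
-const MAX_INTEGER =
-const MIN_INTEGER =
-const MAX_NUMBER =
-const MIN_NUMBER =
+const MAX_INTEGER = Number.MAX_SAFE_INTEGER;
+const MIN_INTEGER = Number.MIN_SAFE_INTEGER;
+const MAX_NUMBER = Number.MAX_SAFE_INTEGER;
+const MIN_NUMBER = Number.MIN_SAFE_INTEGER;
 
 /*
 PEX Filter rules: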
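--- a/package/lib/services/credential/pex-helpers.mjs
+++ b/package/lib/services/credential/pex-helpers.mjs
@@ -5,10 +5,10 @@ const EPSILON_INT = 1;
 
 const MAX_DATE_PLACEHOLDER = 884541351600000;
 const MIN_DATE_PLACEHOLDER = -17592186044415;
-const MAX_INTEGER =
-const MIN_INTEGER =
-const MAX_NUMBER =
-const MIN_NUMBER =
+const MAX_INTEGER = Number.MAX_SAFE_INTEGER;
+const MIN_INTEGER = Number.MIN_SAFE_INTEGER;
+const MAX_NUMBER = Number.MAX_SAFE_INTEGER;
+const MIN_NUMBER = Number.MIN_SAFE_INTEGER;
 
 /*
 PEX Filter rules: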
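--- a/package/lib/services/edv/service-rpc.js
+++ b/package/lib/services/edv/service-rpc.js
@@ -50,6 +50,29 @@ class EDVServiceRpc extends services_rpcServiceClient.RpcService {
 delete(params ) {
 return this.call('delete', params);
 }
+
+deriveBiometricKey(biometricData , identifier ) {
+return this.call('deriveBiometricKey', {biometricData, identifier});
+}
+
+deriveBiometricEncryptionKey(biometricData , identifier ) {
+return this.call('deriveBiometricEncryptionKey', {
+biometricData,
+identifier,
+});
+}
+
+encryptMasterKey(masterKey , encryptionKey , iv ) {
+return this.call('encryptMasterKey', {masterKey, encryptionKey, iv});
+}
+
+decryptMasterKey(
+encryptedKey ,
+decryptionKey ,
+iv ,
+) {
+return this.call('decryptMasterKey', {encryptedKey, decryptionKey, iv});
+}
 }
 
 exports.EDVServiceRpc = EDVServiceRpc;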
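Review bot: The four new `EDVServiceRpc` methods (new-file lines 54–75) forward `biometricData`, `masterKey`, `encryptionKey` and `iv` through `this.call` as plain params, while the service side (`EDVService.encryptMasterKey` further down this page) immediately wraps them with `new Uint8Array(...)`. If `this.call` JSON-serialises its params — which the `json-rpc-2.0` dependency elsewhere on this page suggests but this hunk does not show — a `Buffer` arrives as `{ type: 'Buffer', data: [...] }` and a `Uint8Array` as an index-keyed object, and `new Uint8Array` of either yields a zero-length array, so the AES-GCM key import would fail; either document the expected wire encoding on these methods (for example base64 strings decoded on the service side) or point at where the transport handles binary values. These methods also move the plaintext master key and the raw biometric input across the RPC boundary, so the class JSDoc should name that trust boundary and the caller's duty to store the returned `key`/`iv` only as long as needed. The `service-rpc.mjs` hunk below is identical and needs the same treatment.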
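--- a/package/lib/services/edv/service-rpc.mjs
+++ b/package/lib/services/edv/service-rpc.mjs
@@ -46,6 +46,29 @@ class EDVServiceRpc extends RpcService {
 delete(params ) {
 return this.call('delete', params);
 }
+
+deriveBiometricKey(biometricData , identifier ) {
+return this.call('deriveBiometricKey', {biometricData, identifier});
+}
+
+deriveBiometricEncryptionKey(biometricData , identifier ) {
+return this.call('deriveBiometricEncryptionKey', {
+biometricData,
+identifier,
+});
+}
+
+encryptMasterKey(masterKey , encryptionKey , iv ) {
+return this.call('encryptMasterKey', {masterKey, encryptionKey, iv});
+}
+
+decryptMasterKey(
+encryptedKey ,
+decryptionKey ,
+iv ,
+) {
+return this.call('decryptMasterKey', {encryptedKey, decryptionKey, iv});
+}
 }
 
 export { EDVServiceRpc };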
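--- a/package/lib/services/edv/service.js
+++ b/package/lib/services/edv/service.js
@@ -12,9 +12,10 @@ var keypairs = require('@docknetwork/universal-wallet/methods/keypairs');
 var logger = require('@docknetwork/wallet-sdk-data-store/lib/logger');
 var services_dids_service = require('../dids/service.js');
 var keypairs$1 = require('@docknetwork/credential-sdk/keypairs');
+var hkdf = require('futoin-hkdf');
+var crypto = require('@docknetwork/universal-wallet/crypto');
 require('assert');
 require('base64url-universal');
-require('@docknetwork/universal-wallet/crypto');
 require('@docknetwork/wallet-sdk-dids/lib');
 require('../dids/config.js');
 require('base64url');
@@ -28,8 +29,12 @@ require('../dids/keypair-utils.js');
 function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'default' in e ? e : { 'default': e }; }
 
 var EDVHTTPStorageInterface__default = /*#__PURE__*/_interopDefaultLegacy(EDVHTTPStorageInterface);
+var hkdf__default = /*#__PURE__*/_interopDefaultLegacy(hkdf);
+var crypto__default = /*#__PURE__*/_interopDefaultLegacy(crypto);
 
 // @ts-nocheck
+const HKDF_LENGTH = 32;
+const HKDF_HASH = 'SHA-256';
 /**
 * Service class for managing Encrypted Data Vaults
 * @class
@@ -49,6 +54,10 @@ class EDVService {
 EDVService.prototype.update,
 EDVService.prototype.insert,
 EDVService.prototype.delete,
+EDVService.prototype.deriveBiometricKey,
+EDVService.prototype.deriveBiometricEncryptionKey,
+EDVService.prototype.encryptMasterKey,
+EDVService.prototype.decryptMasterKey,
 ];
 /**
 * Creates a new EDVService instance
@@ -249,6 +258,75 @@ class EDVService {
 delete(params) {
 return this.storageInterface.delete(params);
 }
+/**
+* Derives a key from biometric data using HKDF
+* @param {Buffer} biometricData - Biometric data from provider
+* @param {string} identifier - User's identifier as salt (email, phone number, etc.)
+* @returns {Buffer} Derived key
+* @example
+* const key = edvService.deriveBiometricKey(biometricData, 'user@example.com');
+*/
+deriveBiometricKey(biometricData, identifier) {
+const salt = identifier;
+return hkdf__default["default"](biometricData, HKDF_LENGTH, { salt, hash: HKDF_HASH });
+}
+/**
+* Generates a key for encrypting/decrypting the master key
+* @param {Buffer} biometricData - Biometric data from provider
+* @param {string} identifier - User's identifier as salt (email, phone number, etc.)
+* @returns {Promise<Object>} Encryption key and IV for AES encryption
+* @returns {Buffer} returns.key - Encryption key
+* @returns {Buffer} returns.iv - Initialization vector
+* @example
+* const { key, iv } = await edvService.deriveBiometricEncryptionKey(biometricData, 'user@example.com');
+*/
+async deriveBiometricEncryptionKey(biometricData, identifier) {
+const key = this.deriveBiometricKey(biometricData, identifier);
+const randomBytes = crypto__default["default"].getRandomValues(new Uint8Array(16));
+const iv = Buffer.from(randomBytes);
+return {
+key,
+iv
+};
+}
+/**
+* Encrypts the master key using a key derived from biometric data
+* @param {Uint8Array} masterKey - The CloudWalletVault master key to encrypt
+* @param {Buffer} encryptionKey - Key derived from biometric data
+* @param {Buffer} iv - Initialization vector
+* @returns {Promise<Uint8Array>} Encrypted master key
+* @example
+* const encrypted = await edvService.encryptMasterKey(masterKey, encryptionKey, iv);
+*/
+async encryptMasterKey(masterKey, encryptionKey, iv) {
+const keyData = new Uint8Array(encryptionKey);
+const ivData = new Uint8Array(iv);
+const key = await crypto__default["default"].subtle.importKey('raw', keyData, { name: 'AES-GCM' }, false, ['encrypt']);
+const encryptedBuffer = await crypto__default["default"].subtle.encrypt({ name: 'AES-GCM', iv: ivData }, key, masterKey);
+return new Uint8Array(encryptedBuffer);
+}
+/**
+* Decrypts the master key using biometric-derived key
+* @param {Uint8Array} encryptedKey - The encrypted master key
+* @param {Buffer} decryptionKey - Key derived from biometric data
+* @param {Buffer} iv - Initialization vector
+* @returns {Promise<Uint8Array>} The decrypted master key
+* @throws {Error} If decryption fails
+* @example
+* const masterKey = await edvService.decryptMasterKey(encryptedKey, decryptionKey, iv);
+*/
+async decryptMasterKey(encryptedKey, decryptionKey, iv) {
+try {
+const keyData = new Uint8Array(decryptionKey);
+const ivData = new Uint8Array(iv);
+const key = await crypto__default["default"].subtle.importKey('raw', keyData, { name: 'AES-GCM' }, false, ['decrypt']);
+const decryptedBuffer = await crypto__default["default"].subtle.decrypt({ name: 'AES-GCM', iv: ivData }, key, encryptedKey);
+return new Uint8Array(decryptedBuffer);
+}
+catch (error) {
+throw new Error('Decryption failed: Invalid key or corrupted data');
+}
+}
 }
 /**
 * Singleton instance of the EDV service
@@ -287,4 +365,6 @@ class EDVService {
 const edvService = new EDVService();
 
 exports.EDVService = EDVService;
+exports.HKDF_HASH = HKDF_HASH;
+exports.HKDF_LENGTH = HKDF_LENGTH;
 exports.edvService = edvService;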
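Review bot: `deriveBiometricKey` (new-file lines 269–272) feeds HKDF only the biometric bytes plus the user's public identifier as salt, with no `info` label and no input validation, so the master-key wrapping key is a pure function of the biometric input, HKDF adds no stretching, and an empty or undefined `biometricData` is passed straight through; the rewrite below validates both arguments and adds a fixed `info` context, which changes the derived key and therefore must land before any master key is wrapped with the current scheme. `deriveBiometricEncryptionKey` (lines 283–291) returns a fresh random 16-byte IV on every call, but nothing in this hunk ties that IV to the ciphertext, so the JSDoc should state that the returned `iv` must be persisted next to the encrypted master key and passed back to `decryptMasterKey`, that calling `deriveBiometricEncryptionKey` again does not recover it, and that a given (key, iv) pair must never be used for a second `encryptMasterKey` call under AES-GCM; a 12-byte IV is the NIST-recommended GCM size and avoids the GHASH-derived counter path that other lengths take. `decryptMasterKey`'s `catch` (lines 326–328) replaces the underlying error without `cause`, so the opaque message is right for callers but the reason is lost for logs — `throw new Error('Decryption failed: Invalid key or corrupted data', { cause: error });`. The `service.mjs` copy at the end of this page carries the same code and needs the same changes.
```javascript
// Fixed context label so the derived key is bound to this one purpose.
// NOTE(review): constructed sample value – define it next to HKDF_HASH.
const HKDF_INFO = 'edv-master-key-wrap';
// … unchanged: class header, rpcMethods, constructor, storage methods …
deriveBiometricKey(biometricData, identifier) {
  if (!biometricData || biometricData.length === 0) {
    throw new Error('biometricData must be a non-empty byte array');
  }
  if (typeof identifier !== 'string' || identifier.length === 0) {
    throw new Error('identifier must be a non-empty string');
  }
  return hkdf__default["default"](biometricData, HKDF_LENGTH, {
    salt: identifier,
    info: HKDF_INFO,
    hash: HKDF_HASH,
  });
}
// … unchanged: deriveBiometricEncryptionKey, encryptMasterKey, decryptMasterKey try block …
catch (error) {
  throw new Error('Decryption failed: Invalid key or corrupted data', { cause: error });
}
```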
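--- a/package/lib/services/edv/service.mjs
+++ b/package/lib/services/edv/service.mjs
@@ -8,9 +8,10 @@ import { getKeypairFromDoc } from '@docknetwork/universal-wallet/methods/keypair
 import { logger } from '@docknetwork/wallet-sdk-data-store/lib/logger';
 import { didService } from '../dids/service.mjs';
 import { Ed25519Keypair } from '@docknetwork/credential-sdk/keypairs';
+import hkdf from 'futoin-hkdf';
+import crypto from '@docknetwork/universal-wallet/crypto';
 import 'assert';
 import 'base64url-universal';
-import '@docknetwork/universal-wallet/crypto';
 import '@docknetwork/wallet-sdk-dids/lib';
 import '../dids/config.mjs';
 import 'base64url';
@@ -22,6 +23,8 @@ import '@digitalbazaar/x25519-key-agreement-key-2019';
 import '../dids/keypair-utils.mjs';
 
 // @ts-nocheck
+const HKDF_LENGTH = 32;
+const HKDF_HASH = 'SHA-256';
 /**
 * Service class for managing Encrypted Data Vaults
 * @class
@@ -41,6 +44,10 @@ class EDVService {
 EDVService.prototype.update,
 EDVService.prototype.insert,
 EDVService.prototype.delete,
+EDVService.prototype.deriveBiometricKey,
+EDVService.prototype.deriveBiometricEncryptionKey,
+EDVService.prototype.encryptMasterKey,
+EDVService.prototype.decryptMasterKey,
 ];
 /**
 * Creates a new EDVService instance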
@@ -241,6 +248,75 @@ class EDVService {
|
|
|
241
248
|
delete(params) {
|
|
242
249
|
return this.storageInterface.delete(params);
|
|
243
250
|
}
|
|
251
|
+
/**
|
|
252
|
+
* Derives a key from biometric data using HKDF
|
|
253
|
+
* @param {Buffer} biometricData - Biometric data from provider
|
|
254
|
+
* @param {string} identifier - User's identifier as salt (email, phone number, etc.)
|
|
255
|
+
* @returns {Buffer} Derived key
|
|
256
|
+
* @example
|
|
257
|
+
* const key = edvService.deriveBiometricKey(biometricData, 'user@example.com');
|
|
258
|
+
*/
|
|
259
|
+
deriveBiometricKey(biometricData, identifier) {
|
|
260
|
+
const salt = identifier;
|
|
261
|
+
return hkdf(biometricData, HKDF_LENGTH, { salt, hash: HKDF_HASH });
|
|
262
|
+
}
|
|
263
|
+
/**
|
|
264
|
+
* Generates a key for encrypting/decrypting the master key
|
|
265
|
+
* @param {Buffer} biometricData - Biometric data from provider
|
|
266
|
+
* @param {string} identifier - User's identifier as salt (email, phone number, etc.)
|
|
267
|
+
* @returns {Promise<Object>} Encryption key and IV for AES encryption
|
|
268
|
+
* @returns {Buffer} returns.key - Encryption key
|
|
269
|
+
* @returns {Buffer} returns.iv - Initialization vector
|
|
270
|
+
* @example
|
|
271
|
+
* const { key, iv } = await edvService.deriveBiometricEncryptionKey(biometricData, 'user@example.com');
|
|
272
|
+
*/
|
|
273
|
+
async deriveBiometricEncryptionKey(biometricData, identifier) {
|
|
274
|
+
const key = this.deriveBiometricKey(biometricData, identifier);
|
|
275
|
+
const randomBytes = crypto.getRandomValues(new Uint8Array(16));
|
|
276
|
+
const iv = Buffer.from(randomBytes);
|
|
277
|
+
return {
|
|
278
|
+
key,
|
|
279
|
+
iv
|
|
280
|
+
};
|
|
281
|
+
}
|
|
282
|
+
/**
|
|
283
|
+
* Encrypts the master key using a key derived from biometric data
|
|
284
|
+
* @param {Uint8Array} masterKey - The CloudWalletVault master key to encrypt
|
|
285
|
+
* @param {Buffer} encryptionKey - Key derived from biometric data
|
|
286
|
+
* @param {Buffer} iv - Initialization vector
|
|
287
|
+
* @returns {Promise<Uint8Array>} Encrypted master key
|
|
288
|
+
* @example
|
|
289
|
+
* const encrypted = await edvService.encryptMasterKey(masterKey, encryptionKey, iv);
|
|
290
|
+
*/
|
|
291
|
+
async encryptMasterKey(masterKey, encryptionKey, iv) {
|
|
292
|
+
const keyData = new Uint8Array(encryptionKey);
|
|
293
|
+
const ivData = new Uint8Array(iv);
|
|
294
|
+
const key = await crypto.subtle.importKey('raw', keyData, { name: 'AES-GCM' }, false, ['encrypt']);
|
|
295
|
+
const encryptedBuffer = await crypto.subtle.encrypt({ name: 'AES-GCM', iv: ivData }, key, masterKey);
|
|
296
|
+
return new Uint8Array(encryptedBuffer);
|
|
297
|
+
}
|
|
298
|
+
/**
|
|
299
|
+
* Decrypts the master key using biometric-derived key
|
|
300
|
+
* @param {Uint8Array} encryptedKey - The encrypted master key
|
|
301
|
+
* @param {Buffer} decryptionKey - Key derived from biometric data
|
|
302
|
+
* @param {Buffer} iv - Initialization vector
|
|
303
|
+
* @returns {Promise<Uint8Array>} The decrypted master key
|
|
304
|
+
* @throws {Error} If decryption fails
|
|
305
|
+
* @example
|
|
306
|
+
* const masterKey = await edvService.decryptMasterKey(encryptedKey, decryptionKey, iv);
|
|
307
|
+
*/
|
|
308
|
+
async decryptMasterKey(encryptedKey, decryptionKey, iv) {
|
|
309
|
+
try {
|
|
310
|
+
const keyData = new Uint8Array(decryptionKey);
|
|
311
|
+
const ivData = new Uint8Array(iv);
|
|
312
|
+
const key = await crypto.subtle.importKey('raw', keyData, { name: 'AES-GCM' }, false, ['decrypt']);
|
|
313
|
+
const decryptedBuffer = await crypto.subtle.decrypt({ name: 'AES-GCM', iv: ivData }, key, encryptedKey);
|
|
314
|
+
return new Uint8Array(decryptedBuffer);
|
|
315
|
+
}
|
|
316
|
+
catch (error) {
|
|
317
|
+
throw new Error('Decryption failed: Invalid key or corrupted data');
|
|
318
|
+
}
|
|
319
|
+
}
|
|
244
320
|
}
|
|
245
321
|
/**
|
|
246
322
|
* Singleton instance of the EDV service
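Review bot: `encryptMasterKey` encrypts under a caller-supplied `iv` while the key it uses is deterministic (HKDF of the same biometric data and identifier always yields the same 32 bytes), so nothing in this hunk stops the same (key, IV) pair from being used for two encryptions, and AES-GCM nonce reuse leaks the XOR of the plaintexts and the GHASH authentication key. Consider having `encryptMasterKey` draw the IV itself and return it alongside the ciphertext, and use the 96-bit IV NIST recommends for GCM rather than the 16 bytes `deriveBiometricEncryptionKey` produces: `const iv = crypto.getRandomValues(new Uint8Array(12));`. `deriveBiometricKey` also feeds the raw provider blob straight into HKDF with a public identifier as salt; HKDF is an extract-and-expand KDF with no stretching, so if the biometric data is low-entropy or recoverable, an attacker who knows the email can brute-force the master key offline from the stored ciphertext, which the JSDoc should state, e.g. `* Note: HKDF adds no brute-force resistance; biometricData must be a high-entropy secret and identifier is treated as public.`. Both derivation methods should reject empty input (`if (!biometricData?.length) throw new Error('biometricData is required');`), since an empty IKM would presumably derive a key computable from the identifier alone, and `decryptMasterKey` discards the original error, so rethrow with `throw new Error('Decryption failed: Invalid key or corrupted data', { cause: error });` to keep WebCrypto's OperationError diagnosable.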
|
|
@@ -278,4 +354,4 @@ class EDVService {
|
|
|
278
354
|
*/
|
|
279
355
|
const edvService = new EDVService();
|
|
280
356
|
|
|
281
|
-
export { EDVService, edvService };
|
|
357
|
+
export { EDVService, HKDF_HASH, HKDF_LENGTH, edvService };
|
package/lib/services/index.js
CHANGED
|
@@ -77,6 +77,7 @@ require('./edv/hmac.js');
|
|
|
77
77
|
require('base64url-universal');
|
|
78
78
|
require('@docknetwork/universal-wallet/crypto');
|
|
79
79
|
require('@docknetwork/wallet-sdk-data-store/lib/logger');
|
|
80
|
+
require('futoin-hkdf');
|
|
80
81
|
|
|
81
82
|
var services = [
|
|
82
83
|
services_blockchain_service.blockchainService,
|