@enactprotocol/trust 2.0.0

package/README.md

@@ -0,0 +1,38 @@
+# @enactprotocol/trust
+
+Sigstore integration, attestations, and verification for Enact.
+
+## Overview
+
+This package provides:
+- Sigstore integration for keyless signing and verification
+- Attestation generation and validation (in-toto, SLSA)
+- Bundle signature verification
+- Certificate chain validation
+- Trust policy enforcement
+
+## Status
+
+Currently in Phase 1 (scaffolding). Full implementation will be completed in Phase 2.
+
+## Development
+
+```bash
+# Build
+bun run build
+
+# Test
+bun test
+
+# Type check
+bun run typecheck
+```
+
+## Planned Features (Phase 2)
+
+- [ ] Hash utilities with streaming support
+- [ ] Sigstore keyless signing via OIDC
+- [ ] Bundle verification with certificate chain validation
+- [ ] In-toto attestation format support
+- [ ] SLSA provenance support
+- [ ] Comprehensive test coverage

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@enactprotocol/trust",
+  "version": "2.0.0",
+  "description": "Sigstore integration, attestations, and verification for Enact",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "rm -rf dist",
+    "test": "bun test",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "open": "^11.0.0",
+    "openid-client": "5",
+    "sigstore": "^4.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.10.1",
+    "typescript": "^5.7.2"
+  },
+  "keywords": ["cryptography", "sigstore", "attestation", "verification"],
+  "author": "Enact Protocol",
+  "license": "Apache-2.0"
+}

package/src/hash.ts

@@ -0,0 +1,120 @@
+/**
+ * Hash utilities for content integrity verification
+ */
+
+import { type Hash, createHash } from "node:crypto";
+import { createReadStream, statSync } from "node:fs";
+import type { FileHashOptions, HashAlgorithm, HashResult } from "./types";
+
+/**
+ * Hash a string or buffer using the specified algorithm
+ *
+ * @param content - The content to hash
+ * @param algorithm - The hash algorithm to use (default: sha256)
+ * @returns Hash result with algorithm and digest
+ *
+ * @example
+ * ```ts
+ * const result = hashContent("hello world");
+ * console.log(result.digest); // "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"
+ * ```
+ */
+export function hashContent(
+  content: string | Buffer,
+  algorithm: HashAlgorithm = "sha256"
+): HashResult {
+  const hash: Hash = createHash(algorithm);
+  hash.update(content);
+  const digest = hash.digest("hex");
+
+  return {
+    algorithm,
+    digest,
+  };
+}
+
+/**
+ * Hash a buffer directly
+ *
+ * @param buffer - The buffer to hash
+ * @param algorithm - The hash algorithm to use (default: sha256)
+ * @returns Hash result with algorithm and digest
+ *
+ * @example
+ * ```ts
+ * const buffer = Buffer.from("hello world");
+ * const result = hashBuffer(buffer);
+ * ```
+ */
+export function hashBuffer(buffer: Buffer, algorithm: HashAlgorithm = "sha256"): HashResult {
+  return hashContent(buffer, algorithm);
+}
+
+/**
+ * Hash a file using streaming to support large files
+ *
+ * @param filePath - Path to the file to hash
+ * @param options - Hashing options including algorithm and progress callback
+ * @returns Promise resolving to hash result
+ *
+ * @throws Error if file doesn't exist or cannot be read
+ *
+ * @example
+ * ```ts
+ * const result = await hashFile("/path/to/file.txt", {
+ *   algorithm: "sha256",
+ *   onProgress: (read, total) => {
+ *     console.log(`${(read / total * 100).toFixed(1)}% complete`);
+ *   }
+ * });
+ * ```
+ */
+export async function hashFile(
+  filePath: string,
+  options: FileHashOptions = {}
+): Promise<HashResult> {
+  const { algorithm = "sha256", onProgress } = options;
+
+  // Validate file exists and get size
+  let fileSize: number;
+  try {
+    const stats = statSync(filePath);
+    if (!stats.isFile()) {
+      throw new Error(`Path is not a file: ${filePath}`);
+    }
+    fileSize = stats.size;
+  } catch (error) {
+    if (error instanceof Error) {
+      throw new Error(`Failed to access file: ${error.message}`);
+    }
+    throw error;
+  }
+
+  return new Promise((resolve, reject) => {
+    const hash: Hash = createHash(algorithm);
+    const stream = createReadStream(filePath);
+    let bytesRead = 0;
+
+    stream.on("data", (chunk: string | Buffer) => {
+      hash.update(chunk);
+      const chunkSize = typeof chunk === "string" ? Buffer.byteLength(chunk) : chunk.length;
+      bytesRead += chunkSize;
+
+      if (onProgress) {
+        onProgress(bytesRead, fileSize);
+      }
+    });
+
+    stream.on("end", () => {
+      const digest = hash.digest("hex");
+      resolve({
+        algorithm,
+        digest,
+      });
+    });
+
+    stream.on("error", (error: Error) => {
+      reject(new Error(`Failed to read file: ${error.message}`));
+    });
+  });
+}

package/src/index.ts

@@ -0,0 +1,28 @@
+/**
+ * @enactprotocol/trust
+ *
+ * Sigstore integration, attestation generation/verification,
+ * and trust system for Enact.
+ */
+
+export const version = "0.1.0";
+
+// Hash utilities
+export { hashContent, hashBuffer, hashFile } from "./hash";
+
+// Key management
+export { generateKeyPair, isValidPEMKey, getKeyTypeFromPEM } from "./keys";
+
+// Sigstore integration (attestation signing, verification, trust policies)
+export * from "./sigstore";
+
+// TypeScript types for hash/key operations
+export type {
+  HashAlgorithm,
+  HashResult,
+  FileHashOptions,
+  KeyType,
+  KeyFormat,
+  KeyPair,
+  KeyGenerationOptions,
+} from "./types";

package/src/keys.ts

@@ -0,0 +1,157 @@
+/**
+ * Key management utilities for cryptographic operations
+ */
+
+import { generateKeyPairSync } from "node:crypto";
+import type { KeyGenerationOptions, KeyPair, KeyType } from "./types";
+
+/**
+ * Generate a new cryptographic key pair
+ *
+ * @param options - Key generation options
+ * @returns Generated key pair with public and private keys
+ *
+ * @example
+ * ```ts
+ * // Generate RSA key pair
+ * const rsaKeys = generateKeyPair({
+ *   type: "rsa",
+ *   modulusLength: 2048
+ * });
+ *
+ * // Generate Ed25519 key pair
+ * const ed25519Keys = generateKeyPair({
+ *   type: "ed25519"
+ * });
+ * ```
+ */
+export function generateKeyPair(options: KeyGenerationOptions): KeyPair {
+  const { type, format = "pem", modulusLength = 2048, passphrase } = options;
+
+  const keyPairOptions = getKeyPairOptions(type, modulusLength, format, passphrase);
+  const nodeKeyType = getNodeKeyType(type);
+
+  // TypeScript has very strict overloads for generateKeyPairSync
+  // We use any here as we've validated the types through our own KeyType
+  // biome-ignore lint/suspicious/noExplicitAny: Node.js crypto API has complex overloads
+  const { publicKey, privateKey } = generateKeyPairSync(nodeKeyType as any, keyPairOptions as any);
+
+  return {
+    publicKey: publicKey.toString(),
+    privateKey: privateKey.toString(),
+    type,
+    format,
+  };
+}
+
+/**
+ * Convert our KeyType to Node.js crypto key type
+ */
+function getNodeKeyType(type: KeyType): "rsa" | "ed25519" | "ec" {
+  switch (type) {
+    case "rsa":
+      return "rsa";
+    case "ed25519":
+      return "ed25519";
+    case "ecdsa":
+      return "ec";
+  }
+}
+
+/**
+ * Get key pair generation options for Node.js crypto
+ */
+function getKeyPairOptions(
+  type: KeyType,
+  modulusLength: number,
+  format: "pem" | "der" | "jwk",
+  passphrase?: string
+): Parameters<typeof generateKeyPairSync>[1] {
+  const baseOptions: Record<string, unknown> = {
+    publicKeyEncoding: {
+      type: "spki",
+      format,
+    },
+    privateKeyEncoding: {
+      type: "pkcs8",
+      format,
+      ...(passphrase && {
+        cipher: "aes-256-cbc",
+        passphrase,
+      }),
+    },
+  };
+
+  // Add type-specific options
+  if (type === "rsa") {
+    return {
+      ...baseOptions,
+      modulusLength,
+    };
+  }
+
+  if (type === "ecdsa") {
+    return {
+      ...baseOptions,
+      namedCurve: "prime256v1", // Also known as secp256r1 or P-256
+    };
+  }
+
+  // Ed25519 doesn't need additional options
+  return baseOptions;
+}
+
+/**
+ * Validate a PEM-formatted key
+ *
+ * @param key - The key to validate (public or private)
+ * @param expectedType - Expected key type (public or private)
+ * @returns True if key is valid PEM format
+ */
+export function isValidPEMKey(
+  key: string,
+  expectedType: "public" | "private" = "private"
+): boolean {
+  if (expectedType === "public") {
+    return key.includes("-----BEGIN PUBLIC KEY-----") && key.includes("-----END PUBLIC KEY-----");
+  }
+
+  return (
+    (key.includes("-----BEGIN PRIVATE KEY-----") && key.includes("-----END PRIVATE KEY-----")) ||
+    (key.includes("-----BEGIN ENCRYPTED PRIVATE KEY-----") &&
+      key.includes("-----END ENCRYPTED PRIVATE KEY-----"))
+  );
+}
+
+/**
+ * Parse key type from a PEM key string
+ *
+ * @param key - PEM-formatted key string
+ * @returns Detected key type or undefined if cannot be determined
+ */
+export function getKeyTypeFromPEM(key: string): KeyType | undefined {
+  // Check if it's a valid PEM key first
+  if (!isValidPEMKey(key, "private") && !isValidPEMKey(key, "public")) {
+    return undefined;
+  }
+
+  // Check for explicit algorithm markers
+  if (key.includes("RSA")) {
+    return "rsa";
+  }
+
+  // Length-based heuristic (RSA keys are much longer)
+  // RSA 2048: ~1700 chars, RSA 4096: ~3200 chars
+  // Ed25519: ~120 chars
+  // ECDSA P-256: ~200-300 chars
+  if (key.length > 1000) {
+    return "rsa";
+  }
+
+  if (key.length < 200) {
+    return "ed25519";
+  }
+
+  // ECDSA falls somewhere in between
+  return "ecdsa";
+}