@fedify/fedify 0.10.0-dev.199 → 0.10.0-dev.200

package/CHANGES.md

@@ -74,7 +74,7 @@ To be released.
     [[FEP-8b32], [#54]]
 
  -  Added `proof` property to the `Object` class in the Activity
-    Vocabulary API.   [[FEP-8b32], [#54]]
+    Vocabulary API.  [[FEP-8b32], [#54]]
 
      -  Added `Object.getProof()` method.
      -  Added `Object.getProofs()` method.
@@ -83,6 +83,19 @@ To be released.
      -  `Object.clone()` method now accepts `proof` option.
      -  `Object.clone()` method now accepts `proofs` option.
 
+ -  Implemented Object Integrity Proofs.  [[FEP-8b32], [#54]]
+
+     -  Added `signObject()` function.
+     -  Added `SignObjectOptions` interface.
+     -  Added `createProof()` function.
+     -  Added `CreateProofOptions` interface.
+     -  Added `verifyObject()` function.
+     -  Added `VerifyObjectOptions` interface.
+     -  Added `verifyProof()` function.
+     -  Added `VerifyProofOptions` interface.
+     -  Added `fetchKey()` function.
+     -  Added `FetchKeyOptions` interface.
+
  -  Added `context` option to `Object.toJsonLd()` method.  This applies to
     any subclasses of the `Object` class too.
 
@@ -97,6 +110,12 @@ To be released.
         `following`, `followers`, `outbox`, `manuallyApprovesFollowers`, and
         `url`.
 
+ -  Added more log messages using the [LogTape] library.  Currently the below
+    logger categories are used:
+
+     -  `["fedify", "sig", "proof"]`
+     -  `["fedify", "sig", "key"]`
+
 [#54]: https://github.com/dahlia/fedify/issues/54
 [#55]: https://github.com/dahlia/fedify/issues/55
 [FEP-521a]: https://codeberg.org/fediverse/fep/src/branch/main/fep/521a/fep-521a.md

package/esm/codegen/schema.yaml

@@ -28,6 +28,11 @@ $defs:
               Whether to generate singular property accessors.  Regardless of
               this flag, plural property accessors are generated
               (unless functional is turned on).
+            type: boolean
+          container:
+            description: >-
+              The container type of the property values.  It can be unspecified.
+            const: "graph"
         required:
         - pluralName
     - allOf:
@@ -167,7 +172,7 @@ properties:
       Marks the type an entity type rather than a value type.  Turning on this
       flag will make property accessors for the type asynchronous, so that they
       can load the values of the properties from the remote server.
-      
+
       The extended subtypes must have the consistent value of this flag.
     type: boolean
   description:

package/esm/runtime/key.js

@@ -78,7 +78,7 @@ export async function importMultibaseKey(key) {
         return await dntShim.crypto.subtle.importKey("raw", content, "Ed25519", true, ["verify"]);
     }
     else {
-        throw new TypeError("Unsupported key type: " + code);
+        throw new TypeError("Unsupported key type: 0x" + code.toString(16));
     }
 }
 /**

package/esm/sig/http.js

@@ -2,10 +2,8 @@ import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
 import { equals } from "../deps/jsr.io/@std/bytes/0.224.0/mod.js";
 import { decodeBase64, encodeBase64 } from "../deps/jsr.io/@std/encoding/0.224.3/base64.js";
-import { fetchDocumentLoader, } from "../runtime/docloader.js";
-import { isActor } from "../vocab/actor.js";
-import { CryptographicKey, Object as ASObject } from "../vocab/vocab.js";
-import { validateCryptoKey } from "./key.js";
+import { CryptographicKey } from "../vocab/vocab.js";
+import { fetchKey, validateCryptoKey } from "./key.js";
 /**
  * Signs a request using the given private key.
  * @param request The request to sign.
@@ -17,6 +15,9 @@ import { validateCryptoKey } from "./key.js";
  */
 export async function signRequest(request, privateKey, keyId) {
     validateCryptoKey(privateKey, "private");
+    if (privateKey.algorithm.name !== "RSASSA-PKCS1-v1_5") {
+        throw new TypeError("Unsupported algorithm: " + privateKey.algorithm.name);
+    }
     const url = new URL(request.url);
     const body = request.method !== "GET" && request.method !== "HEAD"
         ? await request.arrayBuffer()
@@ -141,64 +142,12 @@ export async function verifyRequest(request, { documentLoader, contextLoader, ti
         return null;
     }
     const { keyId, headers, signature } = sigValues;
-    logger.debug("Fetching key {keyId} to verify signature...", { keyId });
-    let document;
-    try {
-        const remoteDocument = await (documentLoader ?? fetchDocumentLoader)(keyId);
-        document = remoteDocument.document;
-    }
-    catch (_) {
-        logger.debug("Failed to fetch key {keyId}.", { keyId });
-        return null;
-    }
-    let object;
-    try {
-        object = await ASObject.fromJsonLd(document, {
-            documentLoader,
-            contextLoader,
-        });
-    }
-    catch (e) {
-        if (!(e instanceof TypeError))
-            throw e;
-        try {
-            object = await CryptographicKey.fromJsonLd(document, {
-                documentLoader,
-                contextLoader,
-            });
-        }
-        catch (e) {
-            if (e instanceof TypeError) {
-                logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
-                return null;
-            }
-            throw e;
-        }
-    }
-    let key = null;
-    if (object instanceof CryptographicKey)
-        key = object;
-    else if (isActor(object)) {
-        for await (const k of object.getPublicKeys({ documentLoader, contextLoader })) {
-            if (k.id?.href === keyId) {
-                key = k;
-                break;
-            }
-        }
-        if (key == null) {
-            logger.debug("Failed to verify; object {keyId} returned an {actorType}, " +
-                "but has no key matching {keyId}.", { keyId, actorType: object.constructor.name });
-            return null;
-        }
-    }
-    else {
-        logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
-        return null;
-    }
-    if (key.publicKey == null) {
-        logger.debug("Failed to verify; key {keyId} has no publicKeyPem field.", { keyId });
+    const key = await fetchKey(new URL(keyId), CryptographicKey, {
+        documentLoader,
+        contextLoader,
+    });
+    if (key == null)
         return null;
-    }
     const headerNames = headers.split(/\s+/g);
     if (!headerNames.includes("(request-target)") || !headerNames.includes("date")) {
         logger.debug("Failed to verify; required headers missing in the Signature header: " +

package/esm/sig/key.js

@@ -1,5 +1,8 @@
 import * as dntShim from "../_dnt.shims.js";
 import { getLogger } from "@logtape/logtape";
+import { fetchDocumentLoader, } from "../runtime/docloader.js";
+import { isActor } from "../vocab/actor.js";
+import { CryptographicKey, Object } from "../vocab/vocab.js";
 /**
  * Checks if the given key is valid and supported.  No-op if the key is valid,
  * otherwise throws an error.
@@ -88,3 +91,85 @@ export async function importJwk(jwk, type) {
     validateCryptoKey(key, type);
     return key;
 }
+/**
+ * Fetches a {@link CryptographicKey} or {@link Multikey} from the given URL.
+ * If the given URL contains an {@link Actor} object, it tries to find
+ * the corresponding key in the `publicKey` or `assertionMethod` property.
+ * @typeParam T The type of the key to fetch.  Either {@link CryptographicKey}
+ *              or {@link Multikey}.
+ * @param keyId The URL of the key.
+ * @param cls The class of the key to fetch.  Either {@link CryptographicKey}
+ *            or {@link Multikey}.
+ * @param options Options for fetching the key.  See {@link FetchKeyOptions}.
+ * @returns The fetched key or `null` if the key is not found.
+ * @since 0.10.0
+ */
+export async function fetchKey(keyId, 
+// deno-lint-ignore no-explicit-any
+cls, { documentLoader, contextLoader } = {}) {
+    const logger = getLogger(["fedify", "sig", "key"]);
+    keyId = typeof keyId === "string" ? keyId : keyId.href;
+    logger.debug("Fetching key {keyId} to verify signature...", { keyId });
+    let document;
+    try {
+        const remoteDocument = await (documentLoader ?? fetchDocumentLoader)(keyId);
+        document = remoteDocument.document;
+    }
+    catch (_) {
+        logger.debug("Failed to fetch key {keyId}.", { keyId });
+        return null;
+    }
+    let object;
+    try {
+        object = await Object.fromJsonLd(document, {
+            documentLoader,
+            contextLoader,
+        });
+    }
+    catch (e) {
+        if (!(e instanceof TypeError))
+            throw e;
+        try {
+            object = await cls.fromJsonLd(document, {
+                documentLoader,
+                contextLoader,
+            });
+        }
+        catch (e) {
+            if (e instanceof TypeError) {
+                logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
+                return null;
+            }
+            throw e;
+        }
+    }
+    let key = null;
+    if (object instanceof cls)
+        key = object;
+    else if (isActor(object)) {
+        // @ts-ignore: cls is either CryptographicKey or Multikey
+        const keys = cls === CryptographicKey
+            ? object.getPublicKeys({ documentLoader, contextLoader })
+            : object.getAssertionMethods({ documentLoader, contextLoader });
+        for await (const k of keys) {
+            if (k.id?.href === keyId) {
+                key = k;
+                break;
+            }
+        }
+        if (key == null) {
+            logger.debug("Failed to verify; object {keyId} returned an {actorType}, " +
+                "but has no key matching {keyId}.", { keyId, actorType: object.constructor.name });
+            return null;
+        }
+    }
+    else {
+        logger.debug("Failed to verify; key {keyId} returned an invalid object.", { keyId });
+        return null;
+    }
+    if (key.publicKey == null) {
+        logger.debug("Failed to verify; key {keyId} has no publicKeyPem field.", { keyId });
+        return null;
+    }
+    return key;
+}

package/esm/testing/fixtures/example.com/person2

@@ -1,23 +1,40 @@
 {
   "@context": [
     "https://www.w3.org/ns/activitystreams",
-    "https://w3id.org/security/v1"
+    "https://w3id.org/security/v1",
+    "https://w3id.org/security/multikey/v1",
+    "https://w3id.org/security/data-integrity/v1",
+    "https://www.w3.org/ns/did/v1"
   ],
   "id": "https://example.com/person2",
   "type": "Person",
   "name": "Jane Doe",
   "publicKey": [
     {
-      "id": "https://example.com/key3",
+      "id": "https://example.com/person2#key3",
       "type": "CryptographicKey",
       "owner": "https://example.com/person2",
       "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4GUqWgdiYlN3Su5Gr4l6\ni+xRS8gDDVKZ718vpGk6eIpvqs33q430nRbHIzbHRXRaAhc/1++rUBcK0V4/kjZl\nCSzVtRgGU6HMkmjcD+uE56a8XbTczfltbEDj7afoEuB2F3UhQEWrSz+QJ29DPXaL\nMIa1Yv61NR2vxGqNbdtoMjDORMBYtg77CYbcFkiJHw65PDa7+f/yjLxuCRPye5L7\nhncN0UZuuFoRJmHNRLSg5omBad9WTvQXmSyXEhEdk9fHwlI022AqAzlWbT79hldc\nDSKGGLLbQIs1c3JZIG8G5i6Uh5Vy0Z7tSNBcxbhqoI9i9je4f/x/OPIVc19f04BE\n1LgWuHsftZzRgW9Sdqz53W83XxVdxlyHeywXOnstSWT11f8dkLyQUcHKTH+E6urb\nH+aiPLiRpYK8W7D9KTQA9kZ5JXaEuveBd5vJX7wakhbzAn8pWJU7GYIHNY38Ycok\nmivkU5pY8S2cKFMwY0b7ade3MComlir5P3ZYSjF+n6gRVsT96P+9mNfCu9gXt/f8\nXCyjKlH89kGwuJ7HhR8CuVdm0l+jYozVt6GsDy0hHYyn79NCCAEzP7ZbhBMR0T5V\nrkl+TIGXoJH9WFiz4VxO+NnglF6dNQjDS5IzYLoFRXIK1f3cmQiEB4FZmL70l9HL\nrgwR+Xys83xia79OqFDRezMCAwEAAQ==\n-----END PUBLIC KEY-----\n"
     },
     {
-      "id": "https://example.com/key4",
+      "id": "https://example.com/person2#key4",
       "type": "CryptographicKey",
       "owner": "https://example.com/person2",
       "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEALR8epAGDe+cVq5p2Tx49CCfphpk1rNhkNoY9i+XEUfg=\n-----END PUBLIC KEY-----\n"
     }
+  ],
+  "assertionMethod": [
+    {
+      "id": "https://example.com/peson2#key3",
+      "type": "Multikey",
+      "controller": "https://example.com/person2",
+      "publicKeyMultibase": "zgghBUVkqmWS8e1j4aN2yowLAEkJC6wowB9wWmLRACYCok7UzstWcTBp3waKiDUM7wqL9bbBD9W9FvNaXEK2KPCZ9ffhvd5dxChJL9bdPQSrMwa28FEYMGDtcF1uocrYNmZm2dBBMaWrCu8U3s4PpVVhn4hsWDL8GLuE466pkJs9Hy8xmECoaaVgAZLiYDw2gwrjHDiX2i7aDHKfE7aSZWUWmC8nAGNZ7DX5pXoyXK3pxuaCWxNxXwPmaFwgKDyy9uhtBJ8znp9NZXkXHBTQe5uAi8GFwHY5asvqCmYPrAGWxcT6pdbZaJHdWkM7nw6apBHfakKs42oMqdBoJ2WkkresoT1qHrX2GW7gNP9PLtveF4vfEd6cwgHKQCdYgayG3muGfZiPvML75cyfkNrjkctvuQUfMxY9umbd2TG3V3mPnLrvQnqHpuRMZYtCn3nX1qfZaqFhTwT4NFPqVNLqvgR6k9vcuGXn6Ndaumhd5xtTK64jk3e2gPBit9iq6MrFUSoxNsbTty4kqcHAodtkK8CMSxUxbFP1kK3nyy8ZfeMgDCts1KboBcT2m5FMpQpYxKtNBfvhTuyeDDC34uhbY8itmTAnDwSr5mKrniwwDUGPZFejda51TYs1N9D9Ejzaw5Mvr8qN6wahHmsDBWTbWwV6YKVMD1MjAhJBUopWJWB5x6mEBAX25MssKfAEhJyDtqYWjq63uQHUJCsPJp"
+    },
+    {
+      "id": "https://example.com/person2#key4",
+      "type": "Multikey",
+      "controller": "https://example.com/person2",
+      "publicKeyMultibase": "z6MkhVPuyvgG1RkMv67azDqDCDERPXVrUg1i3qchXY5EACE3"
+    }
   ]
 }

package/esm/testing/fixtures/server.example/users/alice

@@ -0,0 +1,20 @@
+{
+  "@context": [
+    "https://www.w3.org/ns/activitystreams",
+    "https://w3id.org/security/data-integrity/v1",
+    "https://w3id.org/security/multikey/v1",
+    "https://www.w3.org/ns/did/v1"
+  ],
+  "type": "Person",
+  "id": "https://server.example/users/alice",
+  "inbox": "https://server.example/users/alice/inbox",
+  "outbox": "https://server.example/users/alice/outbox",
+  "assertionMethod": [
+    {
+      "id": "https://server.example/users/alice#ed25519-key",
+      "type": "Multikey",
+      "controller": "https://server.example/users/alice",
+      "publicKeyMultibase": "z6MkrJVnaZkeFzdQyMZu1cgjg7k1pZZ6pvBQ7XJPt4swbTQ2"
+    }
+  ]
+}

package/esm/testing/fixtures/wizard.casa/users/hongminhee

@@ -0,0 +1,69 @@
+{
+  "@context": [
+    "https://www.w3.org/ns/activitystreams",
+    "https://www.w3.org/ns/did/v1",
+    "https://w3id.org/security/v1",
+    "https://w3id.org/security/data-integrity/v1",
+    "https://w3id.org/security/multikey/v1",
+    {
+      "MitraJcsEip191Signature2022": "mitra:MitraJcsEip191Signature2022",
+      "PropertyValue": "schema:PropertyValue",
+      "VerifiableIdentityStatement": "mitra:VerifiableIdentityStatement",
+      "featured": "toot:featured",
+      "gateways": "mitra:gateways",
+      "manuallyApprovesFollowers": "as:manuallyApprovesFollowers",
+      "mitra": "http://jsonld.mitra.social#",
+      "proofPurpose": "sec:proofPurpose",
+      "proofValue": "sec:proofValue",
+      "schema": "http://schema.org/",
+      "subscribers": "mitra:subscribers",
+      "toot": "http://joinmastodon.org/ns#",
+      "value": "schema:value"
+    }
+  ],
+  "assertionMethod": [
+    {
+      "controller": "https://wizard.casa/users/hongminhee",
+      "id": "https://wizard.casa/users/hongminhee#main-key",
+      "publicKeyMultibase": "z4MXj1wBzi9jUstyPzDJGKjQPQWMi9NPMz1xNE4MeJjMpUcPYR7LfniZmXoXhfQ6motM7AAgWw9nHbFmhnNvAfaZMdQgBo2j1ptQNRogJPGzesYi7Yf81T2Kqju3CTCEJje5brBDdhKMpq56h6SwFAtcbPZBykN527ocN2JfvmiqVYNTqPVwoKGuVGKXNx6h87jVGq1kxzj7Q9LBFQnMHbCnMeUJ3KtqJQcPdGwbMw7LWjz4jpHpi6wb7KXBdVnSyKMwB7KyNJFJYqzauPi1UgtTKRzEMNUdCjAFsYff7v93Rr7Yzy4siE4cRVCdMNSQp3KphqczgLNejPKLjMMT9UC7XLitDdd2t3xaEzuamHVBNrFVBFEJ4",
+      "type": "Multikey"
+    },
+    {
+      "controller": "https://wizard.casa/users/hongminhee",
+      "id": "https://wizard.casa/users/hongminhee#ed25519-key",
+      "publicKeyMultibase": "z6MkweqJajqa5jRAJTBVxxu47oCdB7HzmYbBKN8VGbFJmKkC",
+      "type": "Multikey"
+    }
+  ],
+  "authentication": [
+    {
+      "controller": "https://wizard.casa/users/hongminhee",
+      "id": "https://wizard.casa/users/hongminhee#main-key",
+      "publicKeyMultibase": "z4MXj1wBzi9jUstyPzDJGKjQPQWMi9NPMz1xNE4MeJjMpUcPYR7LfniZmXoXhfQ6motM7AAgWw9nHbFmhnNvAfaZMdQgBo2j1ptQNRogJPGzesYi7Yf81T2Kqju3CTCEJje5brBDdhKMpq56h6SwFAtcbPZBykN527ocN2JfvmiqVYNTqPVwoKGuVGKXNx6h87jVGq1kxzj7Q9LBFQnMHbCnMeUJ3KtqJQcPdGwbMw7LWjz4jpHpi6wb7KXBdVnSyKMwB7KyNJFJYqzauPi1UgtTKRzEMNUdCjAFsYff7v93Rr7Yzy4siE4cRVCdMNSQp3KphqczgLNejPKLjMMT9UC7XLitDdd2t3xaEzuamHVBNrFVBFEJ4",
+      "type": "Multikey"
+    },
+    {
+      "controller": "https://wizard.casa/users/hongminhee",
+      "id": "https://wizard.casa/users/hongminhee#ed25519-key",
+      "publicKeyMultibase": "z6MkweqJajqa5jRAJTBVxxu47oCdB7HzmYbBKN8VGbFJmKkC",
+      "type": "Multikey"
+    }
+  ],
+  "featured": "https://wizard.casa/users/hongminhee/collections/featured",
+  "followers": "https://wizard.casa/users/hongminhee/followers",
+  "following": "https://wizard.casa/users/hongminhee/following",
+  "id": "https://wizard.casa/users/hongminhee",
+  "inbox": "https://wizard.casa/users/hongminhee/inbox",
+  "manuallyApprovesFollowers": true,
+  "name": "洪 民憙 (Hong Minhee)",
+  "outbox": "https://wizard.casa/users/hongminhee/outbox",
+  "preferredUsername": "hongminhee",
+  "publicKey": {
+    "id": "https://wizard.casa/users/hongminhee#main-key",
+    "owner": "https://wizard.casa/users/hongminhee",
+    "publicKeyPem": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzUNdOf1fXnMDtcw/elvC\nLlw3TbZUAHSQMCD5su7UzYtHsRsSkErPemkJVUvRGvJnHUEVmb700lyNqcz2l3V0\nj35CAOFK77DY95rr1x7/SSJnOLwCDPA0Vff+RBInwck+8jzGigfkea+Z0/BhmfQE\nqhOSnYOsgQ+jWEJMIQBPA1boDW/636GAgbvfvSPkOPnvwMplCvT/ZUrmzcvGT8by\ntRT4QKrW7zjrYv0VaCHVF9aj+LLyOnCWgUKUHm4oKnq49P8UNen7sCsFRq2NRejK\nf9ymm77inWxrS0mNT4bm9J8/+u2mZjvQaiPiNcLUn4a3fvDnBelD4iKogUKaAQ2F\nzwIDAQAB\n-----END PUBLIC KEY-----\n"
+  },
+  "subscribers": "https://wizard.casa/users/hongminhee/subscribers",
+  "type": "Person",
+  "url": "https://wizard.casa/users/hongminhee"
+}

package/esm/vocab/dataintegrityproof.yaml

@@ -50,7 +50,7 @@ properties:
 
 - singularName: created
   functional: true
-  uri: "https://www.w3.org/ns/activitystreams#published"
+  uri: "http://purl.org/dc/terms/created"
   description: The date and time the proof was created.
   range:
   - "http://www.w3.org/2001/XMLSchema#dateTime"

package/esm/vocab/object.yaml

@@ -306,6 +306,7 @@ properties:
   pluralName: proofs
   singularAccessor: true
   uri: "https://w3id.org/security#proof"
+  container: graph
   description: |
     A cryptographic proof that can be used to verify the integrity of an object.
   range: