@le-space/orbitdb-identity-provider-webauthn-did 0.0.1 → 0.2.1

package/src/index.js

@@ -1,466 +1,35 @@
 /**
  * WebAuthn DID Provider for OrbitDB
  *
- * Creates hardware-secured DIDs using WebAuthn biometric authentication
+ * Creates hardware-secured DIDs using WebAuthn authentication (Passkey, Yubikey, Ledger, etc.)
  * Integrates with OrbitDB's identity system while keeping private keys in secure hardware
  */
 
 import { useIdentityProvider } from '@orbitdb/core';
-
-/**
- * WebAuthn DID Provider Core Implementation
- */
-export class WebAuthnDIDProvider {
-  constructor(credentialInfo) {
-    this.credentialId = credentialInfo.credentialId;
-    this.publicKey = credentialInfo.publicKey;
-    this.rawCredentialId = credentialInfo.rawCredentialId;
-    this.type = 'webauthn';
-  }
-
-  /**
-   * Check if WebAuthn is supported in current browser
-   */
-  static isSupported() {
-    return window.PublicKeyCredential &&
-           typeof window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable === 'function';
-  }
-
-  /**
-   * Check if platform authenticator (Face ID, Touch ID, Windows Hello) is available
-   */
-  static async isPlatformAuthenticatorAvailable() {
-    if (!this.isSupported()) return false;
-
-    try {
-      return await window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
-    } catch (error) {
-      console.warn('Failed to check platform authenticator availability:', error);
-      return false;
-    }
-  }
-
-  /**
-   * Create a WebAuthn credential for OrbitDB identity
-   * This triggers biometric authentication (Face ID, Touch ID, Windows Hello, etc.)
-   */
-  static async createCredential(options = {}) {
-    const { userId, displayName, domain } = {
-      userId: `orbitdb-user-${Date.now()}`,
-      displayName: 'Local-First Peer-to-Peer OrbitDB User',
-      domain: window.location.hostname,
-      ...options
-    };
-
-    if (!this.isSupported()) {
-      throw new Error('WebAuthn is not supported in this browser');
-    }
-
-    // Generate challenge for credential creation
-    const challenge = crypto.getRandomValues(new Uint8Array(32));
-    const userIdBytes = new TextEncoder().encode(userId);
-
-    try {
-      const credential = await navigator.credentials.create({
-        publicKey: {
-          challenge,
-          rp: {
-            name: 'OrbitDB Identity',
-            id: domain
-          },
-          user: {
-            id: userIdBytes,
-            name: userId,
-            displayName
-          },
-          pubKeyCredParams: [
-            { alg: -7, type: 'public-key' }, // ES256 (P-256 curve)
-            { alg: -257, type: 'public-key' } // RS256 fallback
-          ],
-          authenticatorSelection: {
-            authenticatorAttachment: 'platform', // Prefer built-in authenticators
-            requireResidentKey: false,
-            residentKey: 'preferred',
-            userVerification: 'required' // Require biometric/PIN
-          },
-          timeout: 60000,
-          attestation: 'none' // Don't need attestation for DID creation
-        }
-      });
-
-      if (!credential) {
-        throw new Error('Failed to create WebAuthn credential');
-      }
-
-      console.log('✅ WebAuthn credential created successfully, extracting public key...');
-
-      // Extract public key from credential with timeout
-      const publicKey = await Promise.race([
-        this.extractPublicKey(credential),
-        new Promise((_, reject) => setTimeout(() => reject(new Error('Public key extraction timeout')), 10000))
-      ]);
-
-      const result = {
-        credentialId: WebAuthnDIDProvider.arrayBufferToBase64url(credential.rawId),
-        rawCredentialId: new Uint8Array(credential.rawId),
-        publicKey,
-        userId,
-        displayName,
-        attestationObject: new Uint8Array(credential.response.attestationObject)
-      };
-
-
-      return result;
-
-    } catch (error) {
-      console.error('WebAuthn credential creation failed:', error);
-
-      // Provide user-friendly error messages
-      if (error.name === 'NotAllowedError') {
-        throw new Error('Biometric authentication was cancelled or failed');
-      } else if (error.name === 'InvalidStateError') {
-        throw new Error('A credential with this ID already exists');
-      } else if (error.name === 'NotSupportedError') {
-        throw new Error('WebAuthn is not supported on this device');
-      } else {
-        throw new Error(`WebAuthn error: ${error.message}`);
-      }
-    }
-  }
-
-  /**
-   * Extract P-256 public key from WebAuthn credential
-   * Parses the CBOR attestation object to get the real public key
-   */
-  static async extractPublicKey(credential) {
-    try {
-      // Import CBOR decoder for parsing attestation object
-      const { decode } = await import('cbor-web');
-
-      const attestationObject = decode(new Uint8Array(credential.response.attestationObject));
-      const authData = attestationObject.authData;
-
-      // Parse authenticator data structure
-      // Skip: rpIdHash (32 bytes) + flags (1 byte) + signCount (4 bytes)
-      const credentialDataStart = 32 + 1 + 4 + 16 + 2; // +16 for AAGUID, +2 for credentialIdLength
-      const credentialIdLength = new DataView(authData.buffer, 32 + 1 + 4 + 16, 2).getUint16(0);
-      const publicKeyDataStart = credentialDataStart + credentialIdLength;
-
-      // Extract and decode the public key (CBOR format)
-      const publicKeyData = authData.slice(publicKeyDataStart);
-      const publicKeyObject = decode(publicKeyData);
-
-      // Extract P-256 coordinates (COSE key format)
-      return {
-        algorithm: publicKeyObject[3], // alg parameter
-        x: new Uint8Array(publicKeyObject[-2]), // x coordinate
-        y: new Uint8Array(publicKeyObject[-3]), // y coordinate
-        keyType: publicKeyObject[1], // kty parameter
-        curve: publicKeyObject[-1]   // crv parameter
-      };
-
-    } catch (error) {
-      console.warn('Failed to extract real public key from WebAuthn credential, using fallback:', error);
-
-      // Fallback: Create deterministic public key from credential ID
-      // This ensures the SAME public key is generated every time for the same credential
-      const credentialId = new Uint8Array(credential.rawId);
-
-      const hash = await crypto.subtle.digest('SHA-256', credentialId);
-      const seed = new Uint8Array(hash);
-
-      // Create a second hash for the y coordinate to ensure uniqueness but determinism
-      const yData = new Uint8Array(credentialId.length + 4);
-      yData.set(credentialId, 0);
-      yData.set([0x59, 0x43, 0x4F, 0x4F], credentialId.length); // "YCOO" marker
-      const yHash = await crypto.subtle.digest('SHA-256', yData);
-      const ySeed = new Uint8Array(yHash);
-
-      const fallbackKey = {
-        algorithm: -7, // ES256
-        x: seed.slice(0, 32), // Use first 32 bytes as x coordinate
-        y: ySeed.slice(0, 32), // Deterministic y coordinate based on credential
-        keyType: 2, // EC2 key type
-        curve: 1    // P-256 curve
-      };
-
-
-      return fallbackKey;
-    }
-  }
-
-  /**
-   * Generate DID from WebAuthn credential
-   */
-  static createDID(credentialInfo) {
-    // Create a deterministic DID based on the public key coordinates
-    // This ensures the DID is consistent with the actual key used for signing
-
-    const pubKey = credentialInfo.publicKey;
-    if (!pubKey || !pubKey.x || !pubKey.y) {
-      throw new Error('Invalid public key: missing x or y coordinates');
-    }
-
-    const xHex = Array.from(pubKey.x)
-      .map(b => b.toString(16).padStart(2, '0'))
-      .join('');
-    const yHex = Array.from(pubKey.y)
-      .map(b => b.toString(16).padStart(2, '0'))
-      .join('');
-
-    if (!xHex || !yHex) {
-      throw new Error('Failed to generate hex representation of public key coordinates');
-    }
-
-    const didSuffix = (xHex + yHex).slice(0, 32);
-    return `did:webauthn:${didSuffix}`;
-  }
-
-  /**
-   * Sign data using WebAuthn (requires biometric authentication)
-   * Creates a persistent signature that can be verified multiple times
-   */
-  async sign(data) {
-    if (!WebAuthnDIDProvider.isSupported()) {
-      throw new Error('WebAuthn is not supported in this browser');
-    }
-
-    try {
-
-      // For OrbitDB compatibility, we need to create a signature that can be verified
-      // against different data. Since WebAuthn private keys are hardware-secured,
-      // we'll create a deterministic signature based on our credential and the data.
-
-      const dataBytes = typeof data === 'string' ? new TextEncoder().encode(data) : new Uint8Array(data);
-
-      // Create a deterministic challenge based on the credential ID and data
-      const combined = new Uint8Array(this.rawCredentialId.length + dataBytes.length);
-      combined.set(this.rawCredentialId, 0);
-      combined.set(dataBytes, this.rawCredentialId.length);
-      const challenge = await crypto.subtle.digest('SHA-256', combined);
-
-      // Use WebAuthn to authenticate (this proves the user is present and verified)
-      const assertion = await navigator.credentials.get({
-        publicKey: {
-          challenge,
-          allowCredentials: [{
-            id: this.rawCredentialId,
-            type: 'public-key'
-          }],
-          userVerification: 'required',
-          timeout: 60000
-        }
-      });
-
-      if (!assertion) {
-        throw new Error('WebAuthn authentication failed');
-      }
-
-
-      // Create a signature that includes the original data and credential proof
-      // This allows verification without requiring WebAuthn again
-      const webauthnProof = {
-        credentialId: this.credentialId,
-        dataHash: WebAuthnDIDProvider.arrayBufferToBase64url(await crypto.subtle.digest('SHA-256', dataBytes)),
-        authenticatorData: WebAuthnDIDProvider.arrayBufferToBase64url(assertion.response.authenticatorData),
-        clientDataJSON: new TextDecoder().decode(assertion.response.clientDataJSON),
-        timestamp: Date.now()
-      };
-
-
-      // Return the proof as a base64url encoded string for OrbitDB
-      return WebAuthnDIDProvider.arrayBufferToBase64url(new TextEncoder().encode(JSON.stringify(webauthnProof)));
-
-    } catch (error) {
-      console.error('WebAuthn signing failed:', error);
-
-      if (error.name === 'NotAllowedError') {
-        throw new Error('Biometric authentication was cancelled');
-      } else {
-        throw new Error(`WebAuthn signing error: ${error.message}`);
-      }
-    }
-  }
-
-  /**
-   * Verify WebAuthn signature/proof for OrbitDB compatibility
-   */
-  async verify(signatureData) {
-    try {
-      // Decode the WebAuthn proof object
-      const proofBytes = WebAuthnDIDProvider.base64urlToArrayBuffer(signatureData);
-      const proofText = new TextDecoder().decode(proofBytes);
-      const webauthnProof = JSON.parse(proofText);
-
-      // Verify this proof was created by the same credential
-      if (webauthnProof.credentialId !== this.credentialId) {
-        console.warn('Credential ID mismatch in WebAuthn proof verification');
-        return false;
-      }
-
-      // For OrbitDB, we need flexible verification that works with different data
-      // The proof contains the original data hash, so we can verify the proof is valid
-      // without requiring the exact same data to be passed to verify()
-
-      // Verify the client data indicates a successful WebAuthn authentication
-      try {
-        const clientData = JSON.parse(webauthnProof.clientDataJSON);
-        if (clientData.type !== 'webauthn.get') {
-          console.warn('Invalid WebAuthn proof type');
-          return false;
-        }
-      } catch {
-        console.warn('Invalid client data in WebAuthn proof');
-        return false;
-      }
-
-      // Verify the proof is recent (within 5 minutes)
-      const proofAge = Date.now() - webauthnProof.timestamp;
-      if (proofAge > 5 * 60 * 1000) {
-        console.warn('WebAuthn proof is too old');
-        return false;
-      }
-
-      // Verify the authenticator data is present
-      if (!webauthnProof.authenticatorData) {
-        console.warn('Missing authenticator data in WebAuthn proof');
-        return false;
-      }
-
-      return true;
-
-    } catch (error) {
-      console.error('WebAuthn proof verification failed:', error);
-      return false;
-    }
-  }
-
-  /**
-   * Utility: Convert ArrayBuffer to base64url
-   */
-  static arrayBufferToBase64url(buffer) {
-    const bytes = new Uint8Array(buffer);
-    let binary = '';
-    for (let i = 0; i < bytes.byteLength; i++) {
-      binary += String.fromCharCode(bytes[i]);
-    }
-    return btoa(binary)
-      .replace(/\+/g, '-')
-      .replace(/\//g, '_')
-      .replace(/=/g, '');
-  }
-
-  /**
-   * Utility: Convert base64url to ArrayBuffer
-   */
-  static base64urlToArrayBuffer(base64url) {
-    const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
-    const binary = atob(base64);
-    const buffer = new ArrayBuffer(binary.length);
-    const bytes = new Uint8Array(buffer);
-    for (let i = 0; i < binary.length; i++) {
-      bytes[i] = binary.charCodeAt(i);
-    }
-    return buffer;
-  }
-}
-/**
- * OrbitDB Identity Provider that uses WebAuthn
- */
-export class OrbitDBWebAuthnIdentityProvider {
-  constructor({ webauthnCredential }) {
-    this.credential = webauthnCredential;
-    this.webauthnProvider = new WebAuthnDIDProvider(webauthnCredential);
-    this.type = 'webauthn'; // Set instance property
-  }
-
-  static get type() {
-    return 'webauthn';
-  }
-
-  getId() {
-    // Return the proper DID format - this is the identity identifier
-    // OrbitDB will internally handle the hashing for log entries
-    return WebAuthnDIDProvider.createDID(this.credential);
-  }
-
-  signIdentity(data) {
-    // Return Promise directly to avoid async function issues
-    return this.webauthnProvider.sign(data);
-  }
-
-  verifyIdentity(signature, data, publicKey) {
-    return this.webauthnProvider.verify(signature, data, publicKey || this.credential.publicKey);
-  }
-
-  /**
-   * Create OrbitDB identity using WebAuthn
-   */
-  static async createIdentity(options) {
-    const { webauthnCredential } = options;
-
-    const provider = new OrbitDBWebAuthnIdentityProvider({ webauthnCredential });
-    const id = await provider.getId();
-
-    return {
-      id,
-      publicKey: webauthnCredential.publicKey,
-      type: 'webauthn',
-      // Make sure sign method is NOT async to avoid Promise serialization
-      sign: (identity, data) => {
-        // Return the Promise directly, don't await here
-        return provider.signIdentity(data);
-      },
-      // Make sure verify method is NOT async to avoid Promise serialization
-      verify: (signature, data) => {
-        // Return the Promise directly, don't await here
-        return provider.verifyIdentity(signature, data, webauthnCredential.publicKey);
-      }
-    };
-  }
-}
-
-/**
- * WebAuthn Identity Provider Function for OrbitDB
- * This follows the same pattern as OrbitDBIdentityProviderDID
- * Returns a function that returns a promise resolving to the provider instance
- */
-export function OrbitDBWebAuthnIdentityProviderFunction(options = {}) {
-  // Return a function that returns a promise (as expected by OrbitDB)
-  return async () => {
-    return new OrbitDBWebAuthnIdentityProvider(options);
-  };
-}
-
-// Add static methods and properties that OrbitDB expects
-OrbitDBWebAuthnIdentityProviderFunction.type = 'webauthn';
-OrbitDBWebAuthnIdentityProviderFunction.verifyIdentity = async function(identity) {
-  try {
-    // For WebAuthn identities, we need to store the credential info in the identity
-    // Since WebAuthn verification requires the original credential, not just the public key,
-    // we'll create a simplified verification that checks the proof structure
-
-
-    // For WebAuthn, the identity should have been created with our provider,
-    // so we can trust it if it has the right structure
-    // Accept both DID format (did:webauthn:...) and hash format (hex string)
-    const isValidDID = identity.id && identity.id.startsWith('did:webauthn:');
-    const isValidHash = identity.id && /^[a-f0-9]{64}$/.test(identity.id); // 64-char hex string
-
-    if (identity.type === 'webauthn' && (isValidDID || isValidHash)) {
-      return true;
-    }
-
-    return false;
-
-  } catch (error) {
-    console.error('WebAuthn static identity verification failed:', error);
-    return false;
-  }
+import * as KeystoreEncryption from './keystore/encryption.js';
+import { WebAuthnDIDProvider } from './webauthn/provider.js';
+import {
+  OrbitDBWebAuthnIdentityProvider,
+  OrbitDBWebAuthnIdentityProviderFunction
+} from './keystore/provider.js';
+import {
+  WebAuthnVarsigProvider,
+  createWebAuthnVarsigIdentity,
+  createWebAuthnVarsigIdentities,
+  storeWebAuthnVarsigCredential,
+  loadWebAuthnVarsigCredential,
+  clearWebAuthnVarsigCredential
+} from './varsig/index.js';
+
+export {
+  WebAuthnDIDProvider,
+  OrbitDBWebAuthnIdentityProvider,
+  OrbitDBWebAuthnIdentityProviderFunction
 };
 
 /**
  * Register WebAuthn identity provider with OrbitDB
+ * @returns {boolean} True if registration succeeded.
  */
 export function registerWebAuthnProvider() {
   try {
@@ -474,6 +43,7 @@ export function registerWebAuthnProvider() {
 
 /**
  * Check WebAuthn support and provide user-friendly messages
+ * @returns {Promise<Object>} Support status and message.
  */
 export async function checkWebAuthnSupport() {
   const support = {
@@ -521,6 +91,7 @@ export function storeWebAuthnCredential(credential, key = 'webauthn-credential')
       ...credential,
       rawCredentialId: Array.from(credential.rawCredentialId),
       attestationObject: Array.from(credential.attestationObject),
+      prfInput: credential.prfInput ? Array.from(credential.prfInput) : undefined,
       publicKey: {
         ...credential.publicKey,
         x: Array.from(credential.publicKey.x),
@@ -548,6 +119,7 @@ export function loadWebAuthnCredential(key = 'webauthn-credential') {
         ...parsed,
         rawCredentialId: new Uint8Array(parsed.rawCredentialId),
         attestationObject: new Uint8Array(parsed.attestationObject),
+        prfInput: parsed.prfInput ? new Uint8Array(parsed.prfInput) : undefined,
         publicKey: {
           ...parsed.publicKey,
           x: new Uint8Array(parsed.publicKey.x),
@@ -574,6 +146,55 @@ export function clearWebAuthnCredential(key = 'webauthn-credential') {
   }
 }
 
+// Import verification utilities
+import * as VerificationUtils from './verification.js';
+
+export {
+  // Verification utilities
+  VerificationUtils,
+  // Keystore encryption utilities
+  KeystoreEncryption,
+};
+
+export {
+  WebAuthnVarsigProvider,
+  createWebAuthnVarsigIdentity,
+  createWebAuthnVarsigIdentities,
+  storeWebAuthnVarsigCredential,
+  loadWebAuthnVarsigCredential,
+  clearWebAuthnVarsigCredential
+} from './varsig/index.js';
+
+// Re-export individual verification functions for convenience
+export {
+  verifyDatabaseUpdate,
+  verifyIdentityStorage,
+  verifyDataEntries,
+  isValidWebAuthnDID,
+  extractWebAuthnDIDSuffix,
+  compareWebAuthnDIDs,
+  createVerificationResult
+} from './verification.js';
+
+// Re-export individual keystore encryption functions for convenience
+export {
+  generateSecretKey,
+  encryptWithAESGCM,
+  decryptWithAESGCM,
+  addLargeBlobToCredentialOptions,
+  addPRFToCredentialOptions,
+  retrieveSKFromLargeBlob,
+  addHmacSecretToCredentialOptions,
+  wrapSKWithPRF,
+  unwrapSKWithPRF,
+  wrapSKWithHmacSecret,
+  unwrapSKWithHmacSecret,
+  storeEncryptedKeystore,
+  loadEncryptedKeystore,
+  clearEncryptedKeystore,
+  checkExtensionSupport
+} from './keystore/encryption.js';
+
 export default {
   WebAuthnDIDProvider,
   OrbitDBWebAuthnIdentityProvider,
@@ -582,5 +203,13 @@ export default {
   checkWebAuthnSupport,
   storeWebAuthnCredential,
   loadWebAuthnCredential,
-  clearWebAuthnCredential
+  clearWebAuthnCredential,
+  WebAuthnVarsigProvider,
+  createWebAuthnVarsigIdentity,
+  createWebAuthnVarsigIdentities,
+  storeWebAuthnVarsigCredential,
+  loadWebAuthnVarsigCredential,
+  clearWebAuthnVarsigCredential,
+  // Include verification utilities in default export
+  VerificationUtils
 };