npm - @le-space/orbitdb-identity-provider-webauthn-did - Versions diffs - 0.1.0 → 0.2.1 - Mend

@le-space/orbitdb-identity-provider-webauthn-did 0.1.0 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/README.md +132 -410
package/package.json +35 -5
package/src/index.js +58 -503
package/src/keystore/encryption.js +579 -0
package/src/keystore/index.js +6 -0
package/src/keystore/provider.js +555 -0
package/src/keystore-encryption.js +6 -0
package/src/varsig/assertion.js +205 -0
package/src/varsig/credential.js +144 -0
package/src/varsig/domain.js +11 -0
package/src/varsig/identity.js +161 -0
package/src/varsig/index.js +6 -0
package/src/varsig/provider.js +78 -0
package/src/varsig/storage.js +46 -0
package/src/varsig/utils.js +43 -0
package/src/verification.js +33 -33
package/src/webauthn/provider.js +542 -0
package/verification.js +1 -0

package/src/index.js CHANGED Viewed

@@ -6,514 +6,30 @@
  */
 import { useIdentityProvider } from '@orbitdb/core';
+import * as KeystoreEncryption from './keystore/encryption.js';
+import { WebAuthnDIDProvider } from './webauthn/provider.js';
+import {
+  OrbitDBWebAuthnIdentityProvider,
+  OrbitDBWebAuthnIdentityProviderFunction
+} from './keystore/provider.js';
+import {
+  WebAuthnVarsigProvider,
+  createWebAuthnVarsigIdentity,
+  createWebAuthnVarsigIdentities,
+  storeWebAuthnVarsigCredential,
+  loadWebAuthnVarsigCredential,
+  clearWebAuthnVarsigCredential
+} from './varsig/index.js';
-/**
- * WebAuthn DID Provider Core Implementation
- */
-export class WebAuthnDIDProvider {
-  constructor(credentialInfo) {
-    this.credentialId = credentialInfo.credentialId;
-    this.publicKey = credentialInfo.publicKey;
-    this.rawCredentialId = credentialInfo.rawCredentialId;
-    this.type = 'webauthn';
-  }
-  /**
-   * Check if WebAuthn is supported in current browser
-   */
-  static isSupported() {
-    return window.PublicKeyCredential &&
-           typeof window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable === 'function';
-  }
-  /**
-   * Check if platform authenticator (Face ID, Touch ID, Windows Hello) is available
-   */
-  static async isPlatformAuthenticatorAvailable() {
-    if (!this.isSupported()) return false;
-    try {
-      return await window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
-    } catch (error) {
-      console.warn('Failed to check platform authenticator availability:', error);
-      return false;
-    }
-  }
-  /**
-   * Create a WebAuthn credential for OrbitDB identity
-   * This triggers biometric authentication (Face ID, Touch ID, Windows Hello, etc.)
-   */
-  static async createCredential(options = {}) {
-    const { userId, displayName, domain } = {
-      userId: `orbitdb-user-${Date.now()}`,
-      displayName: 'Local-First Peer-to-Peer OrbitDB User',
-      domain: window.location.hostname,
-      ...options
-    };
-    if (!this.isSupported()) {
-      throw new Error('WebAuthn is not supported in this browser');
-    }
-    // Generate challenge for credential creation
-    const challenge = crypto.getRandomValues(new Uint8Array(32));
-    const userIdBytes = new TextEncoder().encode(userId);
-    try {
-      const credential = await navigator.credentials.create({
-        publicKey: {
-          challenge,
-          rp: {
-            name: 'OrbitDB Identity',
-            id: domain
-          },
-          user: {
-            id: userIdBytes,
-            name: userId,
-            displayName
-          },
-          pubKeyCredParams: [
-            { alg: -7, type: 'public-key' }, // ES256 (P-256 curve)
-            { alg: -257, type: 'public-key' } // RS256 fallback
-          ],
-          authenticatorSelection: {
-            authenticatorAttachment: 'platform', // Prefer built-in authenticators
-            requireResidentKey: false,
-            residentKey: 'preferred',
-            userVerification: 'required' // Require biometric/PIN
-          },
-          timeout: 60000,
-          attestation: 'none' // Don't need attestation for DID creation
-        }
-      });
-      if (!credential) {
-        throw new Error('Failed to create WebAuthn credential');
-      }
-      console.log('✅ WebAuthn credential created successfully, extracting public key...');
-      // Extract public key from credential with timeout
-      const publicKey = await Promise.race([
-        this.extractPublicKey(credential),
-        new Promise((_, reject) => setTimeout(() => reject(new Error('Public key extraction timeout')), 10000))
-      ]);
-      const result = {
-        credentialId: WebAuthnDIDProvider.arrayBufferToBase64url(credential.rawId),
-        rawCredentialId: new Uint8Array(credential.rawId),
-        publicKey,
-        userId,
-        displayName,
-        attestationObject: new Uint8Array(credential.response.attestationObject)
-      };
-      return result;
-    } catch (error) {
-      console.error('WebAuthn credential creation failed:', error);
-      // Provide user-friendly error messages
-      if (error.name === 'NotAllowedError') {
-        throw new Error('Biometric authentication was cancelled or failed');
-      } else if (error.name === 'InvalidStateError') {
-        throw new Error('A credential with this ID already exists');
-      } else if (error.name === 'NotSupportedError') {
-        throw new Error('WebAuthn is not supported on this device');
-      } else {
-        throw new Error(`WebAuthn error: ${error.message}`);
-      }
-    }
-  }
-  /**
-   * Extract P-256 public key from WebAuthn credential
-   * Parses the CBOR attestation object to get the real public key
-   */
-  static async extractPublicKey(credential) {
-    try {
-      // Import CBOR decoder for parsing attestation object
-      const { decode } = await import('cbor-web');
-      const attestationObject = decode(new Uint8Array(credential.response.attestationObject));
-      const authData = attestationObject.authData;
-      // Parse authenticator data structure
-      // Skip: rpIdHash (32 bytes) + flags (1 byte) + signCount (4 bytes)
-      const credentialDataStart = 32 + 1 + 4 + 16 + 2; // +16 for AAGUID, +2 for credentialIdLength
-      const credentialIdLength = new DataView(authData.buffer, 32 + 1 + 4 + 16, 2).getUint16(0);
-      const publicKeyDataStart = credentialDataStart + credentialIdLength;
-      // Extract and decode the public key (CBOR format)
-      const publicKeyData = authData.slice(publicKeyDataStart);
-      const publicKeyObject = decode(publicKeyData);
-      // Extract P-256 coordinates (COSE key format)
-      return {
-        algorithm: publicKeyObject[3], // alg parameter
-        x: new Uint8Array(publicKeyObject[-2]), // x coordinate
-        y: new Uint8Array(publicKeyObject[-3]), // y coordinate
-        keyType: publicKeyObject[1], // kty parameter
-        curve: publicKeyObject[-1]   // crv parameter
-      };
-    } catch (error) {
-      console.warn('Failed to extract real public key from WebAuthn credential, using fallback:', error);
-      // Fallback: Create deterministic public key from credential ID
-      // This ensures the SAME public key is generated every time for the same credential
-      const credentialId = new Uint8Array(credential.rawId);
-      const hash = await crypto.subtle.digest('SHA-256', credentialId);
-      const seed = new Uint8Array(hash);
-      // Create a second hash for the y coordinate to ensure uniqueness but determinism
-      const yData = new Uint8Array(credentialId.length + 4);
-      yData.set(credentialId, 0);
-      yData.set([0x59, 0x43, 0x4F, 0x4F], credentialId.length); // "YCOO" marker
-      const yHash = await crypto.subtle.digest('SHA-256', yData);
-      const ySeed = new Uint8Array(yHash);
-      const fallbackKey = {
-        algorithm: -7, // ES256
-        x: seed.slice(0, 32), // Use first 32 bytes as x coordinate
-        y: ySeed.slice(0, 32), // Deterministic y coordinate based on credential
-        keyType: 2, // EC2 key type
-        curve: 1    // P-256 curve
-      };
-      return fallbackKey;
-    }
-  }
-  /**
-   * Generate DID from WebAuthn credential using did:key format for P-256 keys
-   * This ensures compatibility with ucanto and other DID:key implementations
-   */
-  static async createDID(credentialInfo) {
-    const pubKey = credentialInfo.publicKey;
-    if (!pubKey || !pubKey.x || !pubKey.y) {
-      throw new Error('Invalid public key: missing x or y coordinates');
-    }
-    try {
-      // Import multiformats modules with correct exports
-      const multiformats = await import('multiformats');
-      const varint = multiformats.varint;
-      const { base58btc } = await import('multiformats/bases/base58');
-      const x = new Uint8Array(pubKey.x);
-      const y = new Uint8Array(pubKey.y);
-      // Determine compression flag based on y coordinate parity
-      const yLastByte = y[y.length - 1];
-      const compressionFlag = (yLastByte & 1) === 0 ? 0x02 : 0x03;
-      // Create compressed public key: compression_flag + x_coordinate (33 bytes total)
-      const compressedPubKey = new Uint8Array(33);
-      compressedPubKey[0] = compressionFlag;
-      compressedPubKey.set(x, 1);
-      // P-256 multicodec code (0x1200)
-      const P256_MULTICODEC = 0x1200;
-      const codecLength = varint.encodingLength(P256_MULTICODEC);
-      const codecBytes = new Uint8Array(codecLength);
-      varint.encodeTo(P256_MULTICODEC, codecBytes, 0);
-      if (codecBytes.length === 0) {
-        throw new Error('Failed to encode P256_MULTICODEC with varint');
-      }
-      // Combine multicodec prefix + compressed public key
-      const multikey = new Uint8Array(codecBytes.length + compressedPubKey.length);
-      multikey.set(codecBytes, 0);
-      multikey.set(compressedPubKey, codecBytes.length);
-      // Encode as base58btc and create did:key
-      const multikeyEncoded = base58btc.encode(multikey);
-      return `did:key:${multikeyEncoded}`;
-    } catch (error) {
-      console.error('Failed to create proper did:key format, using fallback:', error);
-      // Fallback: create a deterministic did:key using simplified encoding
-      const x = new Uint8Array(pubKey.x);
-      const y = new Uint8Array(pubKey.y);
-      // Create a hash-based approach for consistency
-      const combined = new Uint8Array(x.length + y.length);
-      combined.set(x, 0);
-      combined.set(y, x.length);
-      // Simple base58-like encoding for fallback
-      const base58Chars = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
-      let encoded = 'z'; // base58btc prefix
-      for (let i = 0; i < Math.min(combined.length, 32); i += 4) {
-        const chunk = combined.slice(i, i + 4);
-        let value = 0;
-        for (let j = 0; j < chunk.length; j++) {
-          value = value * 256 + chunk[j];
-        }
-        for (let k = 0; k < 6; k++) {
-          encoded += base58Chars[value % 58];
-          value = Math.floor(value / 58);
-        }
-      }
-      return `did:key:${encoded}`;
-    }
-  }
-  /**
-   * Sign data using WebAuthn (requires biometric authentication)
-   * Creates a persistent signature that can be verified multiple times
-   */
-  async sign(data) {
-    if (!WebAuthnDIDProvider.isSupported()) {
-      throw new Error('WebAuthn is not supported in this browser');
-    }
-    try {
-      // For OrbitDB compatibility, we need to create a signature that can be verified
-      // against different data. Since WebAuthn private keys are hardware-secured,
-      // we'll create a deterministic signature based on our credential and the data.
-      const dataBytes = typeof data === 'string' ? new TextEncoder().encode(data) : new Uint8Array(data);
-      // Create a deterministic challenge based on the credential ID and data
-      const combined = new Uint8Array(this.rawCredentialId.length + dataBytes.length);
-      combined.set(this.rawCredentialId, 0);
-      combined.set(dataBytes, this.rawCredentialId.length);
-      const challenge = await crypto.subtle.digest('SHA-256', combined);
-      // Use WebAuthn to authenticate (this proves the user is present and verified)
-      const assertion = await navigator.credentials.get({
-        publicKey: {
-          challenge,
-          allowCredentials: [{
-            id: this.rawCredentialId,
-            type: 'public-key'
-          }],
-          userVerification: 'required',
-          timeout: 60000
-        }
-      });
-      if (!assertion) {
-        throw new Error('WebAuthn authentication failed');
-      }
-      // Create a signature that includes the original data and credential proof
-      // This allows verification without requiring WebAuthn again
-      const webauthnProof = {
-        credentialId: this.credentialId,
-        dataHash: WebAuthnDIDProvider.arrayBufferToBase64url(await crypto.subtle.digest('SHA-256', dataBytes)),
-        authenticatorData: WebAuthnDIDProvider.arrayBufferToBase64url(assertion.response.authenticatorData),
-        clientDataJSON: new TextDecoder().decode(assertion.response.clientDataJSON),
-        timestamp: Date.now()
-      };
-      // Return the proof as a base64url encoded string for OrbitDB
-      return WebAuthnDIDProvider.arrayBufferToBase64url(new TextEncoder().encode(JSON.stringify(webauthnProof)));
-    } catch (error) {
-      console.error('WebAuthn signing failed:', error);
-      if (error.name === 'NotAllowedError') {
-        throw new Error('Biometric authentication was cancelled');
-      } else {
-        throw new Error(`WebAuthn signing error: ${error.message}`);
-      }
-    }
-  }
-  /**
-   * Verify WebAuthn signature/proof for OrbitDB compatibility
-   */
-  async verify(signatureData) {
-    try {
-      // Decode the WebAuthn proof object
-      const proofBytes = WebAuthnDIDProvider.base64urlToArrayBuffer(signatureData);
-      const proofText = new TextDecoder().decode(proofBytes);
-      const webauthnProof = JSON.parse(proofText);
-      // Verify this proof was created by the same credential
-      if (webauthnProof.credentialId !== this.credentialId) {
-        console.warn('Credential ID mismatch in WebAuthn proof verification');
-        return false;
-      }
-      // For OrbitDB, we need flexible verification that works with different data
-      // The proof contains the original data hash, so we can verify the proof is valid
-      // without requiring the exact same data to be passed to verify()
-      // Verify the client data indicates a successful WebAuthn authentication
-      try {
-        const clientData = JSON.parse(webauthnProof.clientDataJSON);
-        if (clientData.type !== 'webauthn.get') {
-          console.warn('Invalid WebAuthn proof type');
-          return false;
-        }
-      } catch {
-        console.warn('Invalid client data in WebAuthn proof');
-        return false;
-      }
-      // Verify the proof is recent (within 5 minutes)
-      const proofAge = Date.now() - webauthnProof.timestamp;
-      if (proofAge > 5 * 60 * 1000) {
-        console.warn('WebAuthn proof is too old');
-        return false;
-      }
-      // Verify the authenticator data is present
-      if (!webauthnProof.authenticatorData) {
-        console.warn('Missing authenticator data in WebAuthn proof');
-        return false;
-      }
-      return true;
-    } catch (error) {
-      console.error('WebAuthn proof verification failed:', error);
-      return false;
-    }
-  }
-  /**
-   * Utility: Convert ArrayBuffer to base64url
-   */
-  static arrayBufferToBase64url(buffer) {
-    const bytes = new Uint8Array(buffer);
-    let binary = '';
-    for (let i = 0; i < bytes.byteLength; i++) {
-      binary += String.fromCharCode(bytes[i]);
-    }
-    return btoa(binary)
-      .replace(/\+/g, '-')
-      .replace(/\//g, '_')
-      .replace(/=/g, '');
-  }
-  /**
-   * Utility: Convert base64url to ArrayBuffer
-   */
-  static base64urlToArrayBuffer(base64url) {
-    const base64 = base64url.replace(/-/g, '+').replace(/_/g, '/');
-    const binary = atob(base64);
-    const buffer = new ArrayBuffer(binary.length);
-    const bytes = new Uint8Array(buffer);
-    for (let i = 0; i < binary.length; i++) {
-      bytes[i] = binary.charCodeAt(i);
-    }
-    return buffer;
-  }
-}
-/**
- * OrbitDB Identity Provider that uses WebAuthn
- */
-export class OrbitDBWebAuthnIdentityProvider {
-  constructor({ webauthnCredential }) {
-    this.credential = webauthnCredential;
-    this.webauthnProvider = new WebAuthnDIDProvider(webauthnCredential);
-    this.type = 'webauthn'; // Set instance property
-  }
-  static get type() {
-    return 'webauthn';
-  }
-  async getId() {
-    // Return the proper DID format - this is the identity identifier
-    // OrbitDB will internally handle the hashing for log entries
-    return await WebAuthnDIDProvider.createDID(this.credential);
-  }
-  signIdentity(data) {
-    // Return Promise directly to avoid async function issues
-    return this.webauthnProvider.sign(data);
-  }
-  verifyIdentity(signature, data, publicKey) {
-    return this.webauthnProvider.verify(signature, data, publicKey || this.credential.publicKey);
-  }
-  /**
-   * Create OrbitDB identity using WebAuthn
-   */
-  static async createIdentity(options) {
-    const { webauthnCredential } = options;
-    const provider = new OrbitDBWebAuthnIdentityProvider({ webauthnCredential });
-    const id = await provider.getId();
-    return {
-      id,
-      publicKey: webauthnCredential.publicKey,
-      type: 'webauthn',
-      // Make sure sign method is NOT async to avoid Promise serialization
-      sign: (identity, data) => {
-        // Return the Promise directly, don't await here
-        return provider.signIdentity(data);
-      },
-      // Make sure verify method is NOT async to avoid Promise serialization
-      verify: (signature, data) => {
-        // Return the Promise directly, don't await here
-        return provider.verifyIdentity(signature, data, webauthnCredential.publicKey);
-      }
-    };
-  }
-}
-/**
- * WebAuthn Identity Provider Function for OrbitDB
- * This follows the same pattern as OrbitDBIdentityProviderDID
- * Returns a function that returns a promise resolving to the provider instance
- */
-export function OrbitDBWebAuthnIdentityProviderFunction(options = {}) {
-  // Return a function that returns a promise (as expected by OrbitDB)
-  return async () => {
-    return new OrbitDBWebAuthnIdentityProvider(options);
-  };
-}
-// Add static methods and properties that OrbitDB expects
-OrbitDBWebAuthnIdentityProviderFunction.type = 'webauthn';
-OrbitDBWebAuthnIdentityProviderFunction.verifyIdentity = async function(identity) {
-  try {
-    // For WebAuthn identities, we need to store the credential info in the identity
-    // Since WebAuthn verification requires the original credential, not just the public key,
-    // we'll create a simplified verification that checks the proof structure
-    // For WebAuthn, the identity should have been created with our provider,
-    // so we can trust it if it has the right structure
-    // Accept both DID format (did:key:...) and hash format (hex string) for backward compatibility
-    const isValidDID = identity.id && identity.id.startsWith('did:key:');
-    const isValidHash = identity.id && /^[a-f0-9]{64}$/.test(identity.id); // 64-char hex string (legacy)
-    if (identity.type === 'webauthn' && (isValidDID || isValidHash)) {
-      return true;
-    }
-    return false;
-  } catch (error) {
-    console.error('WebAuthn static identity verification failed:', error);
-    return false;
-  }
+export {
+  WebAuthnDIDProvider,
+  OrbitDBWebAuthnIdentityProvider,
+  OrbitDBWebAuthnIdentityProviderFunction
 };
 /**
  * Register WebAuthn identity provider with OrbitDB
+ * @returns {boolean} True if registration succeeded.
  */
 export function registerWebAuthnProvider() {
   try {
@@ -527,6 +43,7 @@ export function registerWebAuthnProvider() {
 /**
  * Check WebAuthn support and provide user-friendly messages
+ * @returns {Promise<Object>} Support status and message.
  */
 export async function checkWebAuthnSupport() {
   const support = {
@@ -574,6 +91,7 @@ export function storeWebAuthnCredential(credential, key = 'webauthn-credential')
       ...credential,
       rawCredentialId: Array.from(credential.rawCredentialId),
       attestationObject: Array.from(credential.attestationObject),
+      prfInput: credential.prfInput ? Array.from(credential.prfInput) : undefined,
       publicKey: {
         ...credential.publicKey,
         x: Array.from(credential.publicKey.x),
@@ -601,6 +119,7 @@ export function loadWebAuthnCredential(key = 'webauthn-credential') {
         ...parsed,
         rawCredentialId: new Uint8Array(parsed.rawCredentialId),
         attestationObject: new Uint8Array(parsed.attestationObject),
+        prfInput: parsed.prfInput ? new Uint8Array(parsed.prfInput) : undefined,
         publicKey: {
           ...parsed.publicKey,
           x: new Uint8Array(parsed.publicKey.x),
@@ -633,8 +152,19 @@ import * as VerificationUtils from './verification.js';
 export {
   // Verification utilities
   VerificationUtils,
+  // Keystore encryption utilities
+  KeystoreEncryption,
 };
+export {
+  WebAuthnVarsigProvider,
+  createWebAuthnVarsigIdentity,
+  createWebAuthnVarsigIdentities,
+  storeWebAuthnVarsigCredential,
+  loadWebAuthnVarsigCredential,
+  clearWebAuthnVarsigCredential
+} from './varsig/index.js';
 // Re-export individual verification functions for convenience
 export {
   verifyDatabaseUpdate,
@@ -646,6 +176,25 @@ export {
   createVerificationResult
 } from './verification.js';
+// Re-export individual keystore encryption functions for convenience
+export {
+  generateSecretKey,
+  encryptWithAESGCM,
+  decryptWithAESGCM,
+  addLargeBlobToCredentialOptions,
+  addPRFToCredentialOptions,
+  retrieveSKFromLargeBlob,
+  addHmacSecretToCredentialOptions,
+  wrapSKWithPRF,
+  unwrapSKWithPRF,
+  wrapSKWithHmacSecret,
+  unwrapSKWithHmacSecret,
+  storeEncryptedKeystore,
+  loadEncryptedKeystore,
+  clearEncryptedKeystore,
+  checkExtensionSupport
+} from './keystore/encryption.js';
 export default {
   WebAuthnDIDProvider,
   OrbitDBWebAuthnIdentityProvider,
@@ -655,6 +204,12 @@ export default {
   storeWebAuthnCredential,
   loadWebAuthnCredential,
   clearWebAuthnCredential,
+  WebAuthnVarsigProvider,
+  createWebAuthnVarsigIdentity,
+  createWebAuthnVarsigIdentities,
+  storeWebAuthnVarsigCredential,
+  loadWebAuthnVarsigCredential,
+  clearWebAuthnVarsigCredential,
   // Include verification utilities in default export
   VerificationUtils
 };