@o-lang/olang 1.2.18 → 1.2.19
- package/package.json +1 -1
- package/src/runtime/index.js +21 -14
package/package.json
CHANGED
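--- a/package/src/runtime/index.js
+++ b/package/src/runtime/index.js
@@ -20,25 +20,29 @@ function getKernelPrivateKey() {
 }
 
 KERNEL_PRIVATE_KEY = fs.readFileSync(absolutePath, 'utf8');
+console.log('[kernel] ✅ Private key loaded for signing');
 return KERNEL_PRIVATE_KEY;
 }
 
-// ✅ Sign audit data with
-function signAuditData(auditData,
-if (!
+// ✅ Sign audit data with ED25519 (Node.js crypto.sign)
+function signAuditData(auditData, privateKeyPem) {
+if (!privateKeyPem) return null;
 
 try {
-// Serialize audit data EXACTLY as it will be verified
-// (sorted keys for deterministic serialization)
+// Serialize audit data EXACTLY as it will be verified (sorted keys)
 const serialized = JSON.stringify(auditData, Object.keys(auditData).sort());
 
-//
-const
-
-
+// ED25519 signing: use crypto.sign() directly
+const signature = crypto.sign(
+null, // For ED25519, hash algorithm is implicit
+Buffer.from(serialized, 'utf8'),
+{
+key: privateKeyPem,
+dsaEncoding: 'ieee-p1363', // Required for ED25519
+}
+);
 
-
-return signature;
+return signature.toString('hex');
 } catch (err) {
 console.error('[kernel] Signature error:', err.message);
 return null;
@@ -75,8 +79,11 @@ async function execute(workflow, inputs, agentResolver, verbose = false) {
 if (privateKey) {
 try {
 const pubKeyPath = process.env.KERNEL_PUBLIC_KEY_PATH || './kernel-keys/kernel-public.pem';
-const absolutePubPath = path.isAbsolute(pubKeyPath)
+const absolutePubPath = path.isAbsolute(pubKeyPath)
+? pubKeyPath
+: path.join(process.cwd(), pubKeyPath);
 if (fs.existsSync(absolutePubPath)) {
+// Read and clean PEM for storage
 publicKey = fs.readFileSync(absolutePubPath, 'utf8')
 .replace('-----BEGIN PUBLIC KEY-----', '')
 .replace('-----END PUBLIC KEY-----', '')
@@ -89,8 +96,8 @@ async function execute(workflow, inputs, agentResolver, verbose = false) {
 
 result.__audit = {
 ...auditData,
-signature, // ✅ Cryptographic signature
-publicKey, // ✅ Public key for verification
+signature, // ✅ Cryptographic signature (hex string)
+publicKey, // ✅ Public key for verification (cleaned PEM)
 };
 
 return result;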
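Review bot: The bytes signed in `signAuditData` come from `JSON.stringify(auditData, Object.keys(auditData).sort())`, and an array replacer acts as a property allowlist at every nesting depth, so keys of nested objects that are not also top-level key names are dropped and never covered by the Ed25519 signature. If audit records can contain nested objects (their shape is not visible here), those fields could be altered without invalidating the signature; a recursive key sort, sketched below for plain JSON data, closes that gap as long as the verifier serializes the same way. The `// Required for ED25519` comment on `dsaEncoding` is inaccurate, since that option only applies to DSA and ECDSA keys; I would remove the option or reword the comment. Because `publicKey` is stored in `result.__audit` beside the signature, add a comment there that verifiers must check it against a key pinned out of band rather than trusting the embedded copy. Both `signAuditData` and `execute` continue outside the visible hunks.

```javascript
// Recursively sort object keys so nested fields are part of the signed bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return value.map(canonicalize);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(
      Object.keys(value).sort().map((key) => [key, canonicalize(value[key])])
    );
  }
  return value;
}

function signAuditData(auditData, privateKeyPem) {
  // … unchanged: null-key guard, try …
  const serialized = JSON.stringify(canonicalize(auditData));
  // … unchanged: crypto.sign call, hex encoding, catch …
```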