@objectstack/core 0.8.2 → 0.9.1

package/dist/security/plugin-signature-verifier.js

@@ -0,0 +1,250 @@
+// Conditionally import crypto for Node.js environments
+let cryptoModule = null;
+if (typeof globalThis.window === 'undefined') {
+    try {
+        // Dynamic import for Node.js crypto module (using eval to avoid bundling issues)
+        // @ts-ignore - dynamic require for Node.js
+        cryptoModule = eval('require("crypto")');
+    }
+    catch {
+        // Crypto module not available (e.g., browser environment)
+    }
+}
+/**
+ * Plugin Signature Verifier
+ *
+ * Implements cryptographic verification of plugin signatures to ensure:
+ * 1. Plugin integrity - code hasn't been tampered with
+ * 2. Publisher authenticity - plugin comes from trusted source
+ * 3. Non-repudiation - publisher cannot deny signing
+ *
+ * Architecture:
+ * - Uses Node.js crypto module for signature verification
+ * - Supports RSA (RS256) and ECDSA (ES256) algorithms
+ * - Verifies against trusted public key registry
+ * - Computes hash of plugin code for integrity check
+ *
+ * Security Model:
+ * - Public keys are pre-registered and trusted
+ * - Plugin signature is verified before loading
+ * - Strict mode rejects unsigned plugins
+ * - Development mode allows self-signed plugins
+ */
+export class PluginSignatureVerifier {
+    constructor(config, logger) {
+        this.config = config;
+        this.logger = logger;
+        this.validateConfig();
+    }
+    /**
+     * Verify plugin signature
+     *
+     * @param plugin - Plugin metadata with signature
+     * @returns Verification result
+     * @throws Error if verification fails in strict mode
+     */
+    async verifyPluginSignature(plugin) {
+        // Handle unsigned plugins
+        if (!plugin.signature) {
+            return this.handleUnsignedPlugin(plugin);
+        }
+        try {
+            // 1. Extract publisher ID from plugin name (reverse domain notation)
+            const publisherId = this.extractPublisherId(plugin.name);
+            // 2. Get trusted public key for publisher
+            const publicKey = this.config.trustedPublicKeys.get(publisherId);
+            if (!publicKey) {
+                const error = `No trusted public key for publisher: ${publisherId}`;
+                this.logger.warn(error, { plugin: plugin.name, publisherId });
+                if (this.config.strictMode && !this.config.allowSelfSigned) {
+                    throw new Error(error);
+                }
+                return {
+                    verified: false,
+                    error,
+                    publisherId,
+                };
+            }
+            // 3. Compute plugin code hash
+            const pluginHash = this.computePluginHash(plugin);
+            // 4. Verify signature using crypto module
+            const isValid = await this.verifyCryptoSignature(pluginHash, plugin.signature, publicKey);
+            if (!isValid) {
+                const error = `Signature verification failed for plugin: ${plugin.name}`;
+                this.logger.error(error, undefined, { plugin: plugin.name, publisherId });
+                throw new Error(error);
+            }
+            this.logger.info(`✅ Plugin signature verified: ${plugin.name}`, {
+                plugin: plugin.name,
+                publisherId,
+                algorithm: this.config.algorithm,
+            });
+            return {
+                verified: true,
+                publisherId,
+                algorithm: this.config.algorithm,
+            };
+        }
+        catch (error) {
+            this.logger.error(`Signature verification error: ${plugin.name}`, error);
+            if (this.config.strictMode) {
+                throw error;
+            }
+            return {
+                verified: false,
+                error: error.message,
+            };
+        }
+    }
+    /**
+     * Register a trusted public key for a publisher
+     */
+    registerPublicKey(publisherId, publicKey) {
+        this.config.trustedPublicKeys.set(publisherId, publicKey);
+        this.logger.info(`Trusted public key registered for: ${publisherId}`);
+    }
+    /**
+     * Remove a trusted public key
+     */
+    revokePublicKey(publisherId) {
+        this.config.trustedPublicKeys.delete(publisherId);
+        this.logger.warn(`Public key revoked for: ${publisherId}`);
+    }
+    /**
+     * Get list of trusted publishers
+     */
+    getTrustedPublishers() {
+        return Array.from(this.config.trustedPublicKeys.keys());
+    }
+    // Private methods
+    handleUnsignedPlugin(plugin) {
+        if (this.config.strictMode) {
+            const error = `Plugin missing signature (strict mode): ${plugin.name}`;
+            this.logger.error(error, undefined, { plugin: plugin.name });
+            throw new Error(error);
+        }
+        this.logger.warn(`⚠️  Plugin not signed: ${plugin.name}`, {
+            plugin: plugin.name,
+            recommendation: 'Consider signing plugins for production environments',
+        });
+        return {
+            verified: false,
+            error: 'Plugin not signed',
+        };
+    }
+    extractPublisherId(pluginName) {
+        // Extract publisher from reverse domain notation
+        // Example: "com.objectstack.engine.objectql" -> "com.objectstack"
+        const parts = pluginName.split('.');
+        if (parts.length < 2) {
+            throw new Error(`Invalid plugin name format: ${pluginName} (expected reverse domain notation)`);
+        }
+        // Return first two parts (domain reversed)
+        return `${parts[0]}.${parts[1]}`;
+    }
+    computePluginHash(plugin) {
+        // In browser environment, use SubtleCrypto
+        if (typeof globalThis.window !== 'undefined') {
+            return this.computePluginHashBrowser(plugin);
+        }
+        // In Node.js environment, use crypto module
+        return this.computePluginHashNode(plugin);
+    }
+    computePluginHashNode(plugin) {
+        // Use pre-loaded crypto module
+        if (!cryptoModule) {
+            this.logger.warn('crypto module not available, using fallback hash');
+            return this.computePluginHashFallback(plugin);
+        }
+        // Compute hash of plugin code
+        const pluginCode = this.serializePluginCode(plugin);
+        return cryptoModule.createHash('sha256').update(pluginCode).digest('hex');
+    }
+    computePluginHashBrowser(plugin) {
+        // Browser environment - use simple hash for now
+        // In production, should use SubtleCrypto for proper cryptographic hash
+        this.logger.debug('Using browser hash (SubtleCrypto integration pending)');
+        return this.computePluginHashFallback(plugin);
+    }
+    computePluginHashFallback(plugin) {
+        // Simple hash fallback (not cryptographically secure)
+        const pluginCode = this.serializePluginCode(plugin);
+        let hash = 0;
+        for (let i = 0; i < pluginCode.length; i++) {
+            const char = pluginCode.charCodeAt(i);
+            hash = ((hash << 5) - hash) + char;
+            hash = hash & hash; // Convert to 32-bit integer
+        }
+        return hash.toString(16);
+    }
+    serializePluginCode(plugin) {
+        // Serialize plugin code for hashing
+        // Include init, start, destroy functions
+        const parts = [
+            plugin.name,
+            plugin.version,
+            plugin.init.toString(),
+        ];
+        if (plugin.start) {
+            parts.push(plugin.start.toString());
+        }
+        if (plugin.destroy) {
+            parts.push(plugin.destroy.toString());
+        }
+        return parts.join('|');
+    }
+    async verifyCryptoSignature(data, signature, publicKey) {
+        // In browser environment, use SubtleCrypto
+        if (typeof globalThis.window !== 'undefined') {
+            return this.verifyCryptoSignatureBrowser(data, signature, publicKey);
+        }
+        // In Node.js environment, use crypto module
+        return this.verifyCryptoSignatureNode(data, signature, publicKey);
+    }
+    verifyCryptoSignatureNode(data, signature, publicKey) {
+        if (!cryptoModule) {
+            this.logger.error('Crypto module not available for signature verification');
+            return false;
+        }
+        try {
+            // Create verify object based on algorithm
+            if (this.config.algorithm === 'ES256') {
+                // ECDSA verification - requires lowercase 'sha256'
+                const verify = cryptoModule.createVerify('sha256');
+                verify.update(data);
+                return verify.verify({
+                    key: publicKey,
+                    format: 'pem',
+                    type: 'spki',
+                }, signature, 'base64');
+            }
+            else {
+                // RSA verification (RS256)
+                const verify = cryptoModule.createVerify('RSA-SHA256');
+                verify.update(data);
+                return verify.verify(publicKey, signature, 'base64');
+            }
+        }
+        catch (error) {
+            this.logger.error('Signature verification failed', error);
+            return false;
+        }
+    }
+    async verifyCryptoSignatureBrowser(_data, _signature, _publicKey) {
+        // Browser implementation using SubtleCrypto
+        // TODO: Implement SubtleCrypto-based verification
+        this.logger.warn('Browser signature verification not yet implemented');
+        return false;
+    }
+    validateConfig() {
+        if (!this.config.trustedPublicKeys || this.config.trustedPublicKeys.size === 0) {
+            this.logger.warn('No trusted public keys configured - all signatures will fail');
+        }
+        if (!this.config.algorithm) {
+            throw new Error('Signature algorithm must be specified');
+        }
+        if (!['RS256', 'ES256'].includes(this.config.algorithm)) {
+            throw new Error(`Unsupported algorithm: ${this.config.algorithm}`);
+        }
+    }
+}