@passportsign/core 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/badge.d.ts +5 -0
- package/dist/badge.d.ts.map +1 -1
- package/dist/badge.js +8 -2
- package/dist/badge.js.map +1 -1
- package/dist/bind.d.ts.map +1 -1
- package/dist/bind.js +2 -8
- package/dist/bind.js.map +1 -1
- package/dist/bundle-fs.d.ts +16 -0
- package/dist/bundle-fs.d.ts.map +1 -0
- package/dist/bundle-fs.js +31 -0
- package/dist/bundle-fs.js.map +1 -0
- package/dist/bundle.d.ts +13 -5
- package/dist/bundle.d.ts.map +1 -1
- package/dist/bundle.js +18 -20
- package/dist/bundle.js.map +1 -1
- package/dist/canonical.d.ts.map +1 -1
- package/dist/canonical.js +3 -4
- package/dist/canonical.js.map +1 -1
- package/dist/classify.d.ts +68 -0
- package/dist/classify.d.ts.map +1 -0
- package/dist/classify.js +117 -0
- package/dist/classify.js.map +1 -0
- package/dist/dsse-common.d.ts +32 -0
- package/dist/dsse-common.d.ts.map +1 -0
- package/dist/dsse-common.js +26 -0
- package/dist/dsse-common.js.map +1 -0
- package/dist/dsse-web.d.ts +28 -0
- package/dist/dsse-web.d.ts.map +1 -0
- package/dist/dsse-web.js +81 -0
- package/dist/dsse-web.js.map +1 -0
- package/dist/dsse.d.ts +2 -26
- package/dist/dsse.d.ts.map +1 -1
- package/dist/dsse.js +2 -19
- package/dist/dsse.js.map +1 -1
- package/dist/encoding.d.ts +20 -0
- package/dist/encoding.d.ts.map +1 -0
- package/dist/encoding.js +88 -0
- package/dist/encoding.js.map +1 -0
- package/dist/github.js +2 -2
- package/dist/github.js.map +1 -1
- package/dist/index.d.ts +9 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +8 -2
- package/dist/index.js.map +1 -1
- package/dist/log/rekor.d.ts +1 -1
- package/dist/log/rekor.d.ts.map +1 -1
- package/dist/log/rekor.js +7 -10
- package/dist/log/rekor.js.map +1 -1
- package/dist/lookup.d.ts +46 -0
- package/dist/lookup.d.ts.map +1 -0
- package/dist/lookup.js +101 -0
- package/dist/lookup.js.map +1 -0
- package/dist/merkle.js +3 -3
- package/dist/merkle.js.map +1 -1
- package/dist/nonce.js +1 -1
- package/dist/nonce.js.map +1 -1
- package/dist/profile-index.d.ts +64 -0
- package/dist/profile-index.d.ts.map +1 -0
- package/dist/profile-index.js +161 -0
- package/dist/profile-index.js.map +1 -0
- package/dist/revoke.d.ts +30 -0
- package/dist/revoke.d.ts.map +1 -0
- package/dist/revoke.js +42 -0
- package/dist/revoke.js.map +1 -0
- package/dist/sdk-payload.d.ts.map +1 -1
- package/dist/sdk-payload.js +4 -6
- package/dist/sdk-payload.js.map +1 -1
- package/dist/statement.d.ts +41 -0
- package/dist/statement.d.ts.map +1 -1
- package/dist/statement.js +43 -0
- package/dist/statement.js.map +1 -1
- package/dist/submit.d.ts +3 -3
- package/dist/submit.d.ts.map +1 -1
- package/dist/submit.js +3 -14
- package/dist/submit.js.map +1 -1
- package/dist/verifier.d.ts.map +1 -1
- package/dist/verifier.js +4 -14
- package/dist/verifier.js.map +1 -1
- package/dist/web.d.ts +35 -0
- package/dist/web.d.ts.map +1 -0
- package/dist/web.js +35 -0
- package/dist/web.js.map +1 -0
- package/package.json +6 -2
- package/src/badge.ts +124 -113
- package/src/bind.ts +128 -137
- package/src/bundle-fs.ts +40 -0
- package/src/bundle.ts +138 -127
- package/src/canonical.ts +33 -33
- package/src/classify.ts +165 -0
- package/src/dsse-common.ts +45 -0
- package/src/dsse-web.ts +97 -0
- package/src/dsse.ts +63 -91
- package/src/encoding.ts +96 -0
- package/src/github.ts +196 -196
- package/src/index.ts +59 -2
- package/src/log/rekor.ts +330 -334
- package/src/lookup.ts +175 -0
- package/src/merkle.ts +187 -187
- package/src/nonce.ts +53 -53
- package/src/profile-index.ts +222 -0
- package/src/revoke.ts +67 -0
- package/src/sdk-payload.ts +60 -62
- package/src/statement.ts +203 -119
- package/src/submit.ts +38 -54
- package/src/verifier.ts +304 -317
- package/src/web.ts +175 -0
package/dist/lookup.js
ADDED
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Resolve a user's published bindings: index file → Rekor entries →
|
|
3
|
+
* integrity + sanity checks → state classification.
|
|
4
|
+
*
|
|
5
|
+
* This is the shared read pipeline behind `passportsign list` and the
|
|
6
|
+
* hosted badge service. The index file is user-controlled, so nothing
|
|
7
|
+
* from it is trusted: every referenced entry is fetched from the log,
|
|
8
|
+
* its attestation integrity-checked ({@link parseIntotoEntry}), its
|
|
9
|
+
* inclusion proof verified, and its subject/predicateType checked
|
|
10
|
+
* against what the index claimed it was.
|
|
11
|
+
*/
|
|
12
|
+
import { PASSPORTSIGN_PREDICATE_TYPE, PASSPORTSIGN_REVOCATION_PREDICATE_TYPE, } from './statement.js';
|
|
13
|
+
import { classifyBindings, parseIntotoEntry, } from './classify.js';
|
|
14
|
+
import { base64ToBytes, hexToBytes } from './encoding.js';
|
|
15
|
+
import { hashLeaf, verifyInclusion } from './merkle.js';
|
|
16
|
+
import { fetchProfileIndex } from './profile-index.js';
|
|
17
|
+
import {} from './log/rekor.js';
|
|
18
|
+
function verifyEntryInclusion(entry) {
|
|
19
|
+
const proof = entry.verification.inclusionProof;
|
|
20
|
+
const leaf = hashLeaf(base64ToBytes(entry.body));
|
|
21
|
+
return verifyInclusion(leaf, proof.logIndex, proof.treeSize, proof.hashes.map(hexToBytes), hexToBytes(proof.rootHash));
|
|
22
|
+
}
|
|
23
|
+
async function fetchAndCheck(uuids, expectedPredicateType, githubUsername, rekor) {
|
|
24
|
+
const out = { parsed: [], unreachable: [], invalid: [] };
|
|
25
|
+
const results = await Promise.allSettled(uuids.map((uuid) => rekor.getEntry(uuid)));
|
|
26
|
+
results.forEach((result, i) => {
|
|
27
|
+
const uuid = uuids[i];
|
|
28
|
+
if (result.status === 'rejected') {
|
|
29
|
+
const reason = result.reason;
|
|
30
|
+
out.unreachable.push({
|
|
31
|
+
uuid,
|
|
32
|
+
error: reason instanceof Error ? reason.message : String(reason),
|
|
33
|
+
});
|
|
34
|
+
return;
|
|
35
|
+
}
|
|
36
|
+
try {
|
|
37
|
+
const entry = result.value;
|
|
38
|
+
if (!verifyEntryInclusion(entry)) {
|
|
39
|
+
out.invalid.push({ uuid, error: 'inclusion proof does not verify' });
|
|
40
|
+
return;
|
|
41
|
+
}
|
|
42
|
+
const parsed = parseIntotoEntry(entry);
|
|
43
|
+
if (parsed.predicateType !== expectedPredicateType) {
|
|
44
|
+
out.invalid.push({
|
|
45
|
+
uuid,
|
|
46
|
+
error: `predicateType ${parsed.predicateType} != expected ${expectedPredicateType}`,
|
|
47
|
+
});
|
|
48
|
+
return;
|
|
49
|
+
}
|
|
50
|
+
const subject = parsed.statement.subject[0]?.name ?? '';
|
|
51
|
+
if (subject.toLowerCase() !== `github.com/${githubUsername}`.toLowerCase()) {
|
|
52
|
+
out.invalid.push({
|
|
53
|
+
uuid,
|
|
54
|
+
error: `subject ${subject} does not match github.com/${githubUsername}`,
|
|
55
|
+
});
|
|
56
|
+
return;
|
|
57
|
+
}
|
|
58
|
+
out.parsed.push(parsed);
|
|
59
|
+
}
|
|
60
|
+
catch (err) {
|
|
61
|
+
out.invalid.push({ uuid, error: err instanceof Error ? err.message : String(err) });
|
|
62
|
+
}
|
|
63
|
+
});
|
|
64
|
+
return out;
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Run the lookup pipeline over an already-obtained index (e.g. the
|
|
68
|
+
* user's file merged with an operator overlay).
|
|
69
|
+
*/
|
|
70
|
+
export async function lookupFromIndex(index, deps) {
|
|
71
|
+
const username = index.github_username;
|
|
72
|
+
const [bindings, revocations] = await Promise.all([
|
|
73
|
+
fetchAndCheck(index.bindings.map((b) => b.rekor_entry_hash), PASSPORTSIGN_PREDICATE_TYPE, username, deps.rekor),
|
|
74
|
+
fetchAndCheck(index.revocations.map((r) => r.rekor_entry_hash), PASSPORTSIGN_REVOCATION_PREDICATE_TYPE, username, deps.rekor),
|
|
75
|
+
]);
|
|
76
|
+
const classified = classifyBindings({
|
|
77
|
+
bindings: bindings.parsed,
|
|
78
|
+
revocations: revocations.parsed,
|
|
79
|
+
...(deps.now !== undefined ? { now: deps.now } : {}),
|
|
80
|
+
});
|
|
81
|
+
return {
|
|
82
|
+
index,
|
|
83
|
+
classified,
|
|
84
|
+
unreachable: [...bindings.unreachable, ...revocations.unreachable],
|
|
85
|
+
invalid: [...bindings.invalid, ...revocations.invalid],
|
|
86
|
+
};
|
|
87
|
+
}
|
|
88
|
+
/**
|
|
89
|
+
* Fetch the user's published `passportsign-index.json` and resolve it.
|
|
90
|
+
* `index: null` in the result means the user has not published one.
|
|
91
|
+
*/
|
|
92
|
+
export async function lookupBindings(githubUsername, deps) {
|
|
93
|
+
const index = await fetchProfileIndex(githubUsername, {
|
|
94
|
+
...(deps.fetch ? { fetch: deps.fetch } : {}),
|
|
95
|
+
});
|
|
96
|
+
if (index === null) {
|
|
97
|
+
return { index: null, classified: [], unreachable: [], invalid: [] };
|
|
98
|
+
}
|
|
99
|
+
return lookupFromIndex(index, deps);
|
|
100
|
+
}
|
|
101
|
+
//# sourceMappingURL=lookup.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"lookup.js","sourceRoot":"","sources":["../src/lookup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EACL,2BAA2B,EAC3B,sCAAsC,GACvC,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,gBAAgB,EAChB,gBAAgB,GAGjB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,iBAAiB,EAAqB,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EAA6C,MAAM,gBAAgB,CAAC;AAsB3E,SAAS,oBAAoB,CAAC,KAAyB;IACrD,MAAM,KAAK,GAAG,KAAK,CAAC,YAAY,CAAC,cAAc,CAAC;IAChD,MAAM,IAAI,GAAG,QAAQ,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;IACjD,OAAO,eAAe,CACpB,IAAI,EACJ,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,QAAQ,EACd,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,EAC5B,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,CAC3B,CAAC;AACJ,CAAC;AAQD,KAAK,UAAU,aAAa,CAC1B,KAAe,EACf,qBAA6B,EAC7B,cAAsB,EACtB,KAAkB;IAElB,MAAM,GAAG,GAAe,EAAE,MAAM,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACrE,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAEpF,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE;QAC5B,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACvB,IAAI,MAAM,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;YAC7B,GAAG,CAAC,WAAW,CAAC,IAAI,CAAC;gBACnB,IAAI;gBACJ,KAAK,EAAE,MAAM,YAAY,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC;aACjE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;YAC3B,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,iCAAiC,EAAE,CAAC,CAAC;gBACrE,OAAO;YACT,CAAC;YACD,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,MAAM,CAAC,aAAa,KAAK,qBAAqB,EAAE,CAAC;gBACnD,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;oBACf,IAAI;oBACJ,KAAK,EAAE,iBAAiB,MAAM,CAAC,aAAa,gBAAgB,qBAAqB,EAAE;iBACpF,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,EAAE,CAAC;YACxD,IAAI,OAAO,CAAC,WAAW,EAAE,KAAK,cAAc,cAAc,EAAE,CAAC,WAAW,EAAE,EAAE,CAAC;gBAC3E,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;oBACf,IAAI;oBACJ,KAAK,EAAE,WAAW,OAAO,8BAA8B,cAAc,EAAE;iBACxE,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YACD,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACtF,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,KAAmB,EACnB,IAAgB;IAEhB,MAAM,QAAQ,GAAG,KAAK,CAAC,eAAe,CAAC;IAEvC,MAAM,CAAC,QAAQ,EAAE,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QAChD,aAAa,CACX,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB,CAAC,EAC7C,2BAA2B,EAC3B,QAAQ,EACR,IAAI,CAAC,KAAK,CACX;QACD,aAAa,CACX,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB,CAAC,EAChD,sCAAsC,EACtC,QAAQ,EACR,IAAI,CAAC,KAAK,CACX;KACF,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,gBAAgB,CAAC;QAClC,QAAQ,EAAE,QAAQ,CAAC,MAAM;QACzB,WAAW,EAAE,WAAW,CAAC,MAAM;QAC/B,GAAG,CAAC,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACrD,CAAC,CAAC;IAEH,OAAO;QACL,KAAK;QACL,UAAU;QACV,WAAW,EAAE,CAAC,GAAG,QAAQ,CAAC,WAAW,EAAE,GAAG,WAAW,CAAC,WAAW,CAAC;QAClE,OAAO,EAAE,CAAC,GAAG,QAAQ,CAAC,OAAO,EAAE,GAAG,WAAW,CAAC,OAAO,CAAC;KACvD,CAAC;AACJ,CAAC;AAOD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,cAAsB,EACtB,IAAwB;IAExB,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,cAAc,EAAE;QACpD,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IACH,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACnB,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IACvE,CAAC;IACD,OAAO,eAAe,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;AACtC,CAAC"}
|
package/dist/merkle.js
CHANGED
|
@@ -15,19 +15,19 @@
|
|
|
15
15
|
* above that ancestor). The split is determined by bit-decomposition
|
|
16
16
|
* of leafIndex against treeSize - 1.
|
|
17
17
|
*/
|
|
18
|
-
import {
|
|
18
|
+
import { sha256Bytes } from './encoding.js';
|
|
19
19
|
export function hashLeaf(data) {
|
|
20
20
|
const buf = new Uint8Array(1 + data.length);
|
|
21
21
|
buf[0] = 0x00;
|
|
22
22
|
buf.set(data, 1);
|
|
23
|
-
return
|
|
23
|
+
return sha256Bytes(buf);
|
|
24
24
|
}
|
|
25
25
|
export function hashPair(left, right) {
|
|
26
26
|
const buf = new Uint8Array(1 + left.length + right.length);
|
|
27
27
|
buf[0] = 0x01;
|
|
28
28
|
buf.set(left, 1);
|
|
29
29
|
buf.set(right, 1 + left.length);
|
|
30
|
-
return
|
|
30
|
+
return sha256Bytes(buf);
|
|
31
31
|
}
|
|
32
32
|
function bytesEqual(a, b) {
|
|
33
33
|
if (a.length !== b.length)
|
package/dist/merkle.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"merkle.js","sourceRoot":"","sources":["../src/merkle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"merkle.js","sourceRoot":"","sources":["../src/merkle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,MAAM,UAAU,QAAQ,CAAC,IAAgB;IACvC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5C,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IACd,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACjB,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,IAAgB,EAAE,KAAiB;IAC1D,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC;IAC3D,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IACd,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACjB,GAAG,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAChC,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC;AAC1B,CAAC;AAED,SAAS,UAAU,CAAC,CAAa,EAAE,CAAa;IAC9C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAClC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,SAAS,CAAC,CAAS;IAC1B,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACb,GAAG,EAAE,CAAC;QACN,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,QAAQ,CAAC,CAAS;IACzB,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACb,KAAK,IAAI,CAAC,GAAG,CAAC,CAAC;QACf,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,CAAS;IAC9B,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACvB,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QACrB,KAAK,EAAE,CAAC;QACR,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxB,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,SAAS,eAAe,CAAC,SAAiB,EAAE,QAAgB;IAC1D,MAAM,KAAK,GAAG,SAAS,CAAC,SAAS,GAAG,CAAC,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC;IACpE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AAC3B,CAAC;AAED,SAAS,UAAU,CAAC,IAAgB,EAAE,KAAmB,EAAE,SAAiB;IAC1E,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACzD,GAAG,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC,CAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,GAAG,CAAC,CAAC;IACxE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,eAAe,CAAC,IAAgB,EAAE,KAAmB,EAAE,SAAiB;IAC/E,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACzD,IAAI,GAAG,KAAK,CAAC,EAAE,CAAC;YACd,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,GAAG,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAgB,EAAE,KAAmB;IAC7D,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,GAAG,GAAG,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAoB,EACpB,SAAiB,EACjB,QAAgB,EAChB,KAAmB,EACnB,QAAoB;IAEpB,IAAI,SAAS,GAAG,CAAC,IAAI,QAAQ,GAAG,CAAC,IAAI,SAAS,IAAI,QAAQ;QAAE,OAAO,KAAK,CAAC;IAEzE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAC/D,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,GAAG,MAAM;QAAE,OAAO,KAAK,CAAC;IAElD,IAAI,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,SAAS,CAAC,CAAC;IACjE,GAAG,GAAG,gBAAgB,CAAC,GAAG,EAAE,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;IAChD,OAAO,UAAU,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;AACnC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAiB,EACjB,UAAkB,EAClB,SAAqB,EACrB,UAAsB,EACtB,KAAmB;IAEnB,IAAI,SAAS,GAAG,CAAC,IAAI,UAAU,GAAG,SAAS;QAAE,OAAO,KAAK,CAAC;IAC1D,IAAI,SAAS,KAAK,UAAU,EAAE,CAAC;QAC7B,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IACjE,CAAC;IACD,IAAI,SAAS,KAAK,CAAC,EAAE,CAAC;QACpB,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC;IAC5B,CAAC;IAED,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,eAAe,CAAC,SAAS,GAAG,CAAC,EAAE,UAAU,CAAC,CAAC;IACnE,MAAM,KAAK,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC;IACvC,KAAK,IAAI,KAAK,CAAC;IAEf,IAAI,IAAgB,CAAC;IACrB,IAAI,KAAa,CAAC;IAClB,IAAI,CAAC,SAAS,GAAG,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QACxC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACrC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACjB,KAAK,GAAG,CAAC,CAAC;IACZ,CAAC;SAAM,CAAC;QACN,IAAI,GAAG,SAAS,CAAC;QACjB,KAAK,GAAG,CAAC,CAAC;IACZ,CAAC;IAED,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,GAAG,KAAK,GAAG,MAAM;QAAE,OAAO,KAAK,CAAC;IAC1D,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAEpC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;IAE9D,IAAI,KAAK,GAAG,eAAe,CAAC,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC;IAClE,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;IACvD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IAEhD,IAAI,KAAK,GAAG,UAAU,CAAC,IAAI,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC;IAC7D,KAAK,GAAG,gBAAgB,CAAC,KAAK,EAAE,QAAQ,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;IACvD,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IAEjD,OAAO,IAAI,CAAC;AACd,CAAC"}
|
package/dist/nonce.js
CHANGED
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
* Format: `zkm-{username}-{base32}`
|
|
7
7
|
* Entropy: 160 bits (20 bytes → 32 base32 chars).
|
|
8
8
|
*/
|
|
9
|
-
import { randomBytes } from '
|
|
9
|
+
import { randomBytes } from './encoding.js';
|
|
10
10
|
const BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
|
|
11
11
|
export const NONCE_BYTES = 20;
|
|
12
12
|
export const NONCE_BASE32_LENGTH = 32; // (20 * 8) / 5
|
package/dist/nonce.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"nonce.js","sourceRoot":"","sources":["../src/nonce.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,
|
|
1
|
+
{"version":3,"file":"nonce.js","sourceRoot":"","sources":["../src/nonce.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,MAAM,eAAe,GAAG,kCAAkC,CAAC;AAC3D,MAAM,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC;AAC9B,MAAM,CAAC,MAAM,mBAAmB,GAAG,EAAE,CAAC,CAAC,eAAe;AAEtD;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,KAAiB;IAC5C,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,IAAI,QAAQ,GAAG,CAAC,CAAC;IACjB,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC;QACnC,QAAQ,IAAI,CAAC,CAAC;QACd,OAAO,QAAQ,IAAI,CAAC,EAAE,CAAC;YACrB,QAAQ,IAAI,CAAC,CAAC;YACd,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;YACvD,MAAM,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC;QACjC,CAAC;IACH,CAAC;IACD,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;QACjB,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,IAAI,IAAI,MAAM,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;QAC3D,MAAM,IAAI,eAAe,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,QAAgB;IAC5C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,SAAS,CAAC,2CAA2C,CAAC,CAAC;IACnE,CAAC;IACD,MAAM,KAAK,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACvC,OAAO,OAAO,QAAQ,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;AAClD,CAAC"}
|
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* The `passportsign-index.json` convention (roadmap v0.5.5).
|
|
3
|
+
*
|
|
4
|
+
* Public Rekor cannot be searched by predicateType, so discovery of a
|
|
5
|
+
* user's bindings flows through a JSON file the user publishes at the
|
|
6
|
+
* root of their profile repo (`github.com/<user>/<user>`, branch
|
|
7
|
+
* `main`). The file lists Rekor entry UUIDs for bindings *and*
|
|
8
|
+
* revocations — revocations are discoverable only through this file,
|
|
9
|
+
* which is why the schema carries them from version 1.
|
|
10
|
+
*
|
|
11
|
+
* The file is user-controlled: consumers (the `list` command, the
|
|
12
|
+
* badge service) must sanity-check every referenced entry against the
|
|
13
|
+
* log rather than trusting the file's contents.
|
|
14
|
+
*/
|
|
15
|
+
export declare const PROFILE_INDEX_VERSION: 1;
|
|
16
|
+
export declare const PROFILE_INDEX_FILENAME: "passportsign-index.json";
|
|
17
|
+
export interface ProfileIndexBinding {
|
|
18
|
+
rekor_entry_hash: string;
|
|
19
|
+
/** ISO 8601; display convenience only — Rekor's integratedTime is authoritative. */
|
|
20
|
+
bound_at: string;
|
|
21
|
+
}
|
|
22
|
+
export interface ProfileIndexRevocation {
|
|
23
|
+
rekor_entry_hash: string;
|
|
24
|
+
/** UUID of the binding entry being revoked; absent = revokes all bindings for this user. */
|
|
25
|
+
revokes_rekor_entry_hash?: string;
|
|
26
|
+
/** ISO 8601; display convenience only. */
|
|
27
|
+
revoked_at: string;
|
|
28
|
+
}
|
|
29
|
+
export interface ProfileIndex {
|
|
30
|
+
version: typeof PROFILE_INDEX_VERSION;
|
|
31
|
+
github_username: string;
|
|
32
|
+
bindings: ProfileIndexBinding[];
|
|
33
|
+
revocations: ProfileIndexRevocation[];
|
|
34
|
+
}
|
|
35
|
+
export declare class ProfileIndexValidationError extends Error {
|
|
36
|
+
constructor(message: string);
|
|
37
|
+
}
|
|
38
|
+
export declare function createProfileIndex(githubUsername: string): ProfileIndex;
|
|
39
|
+
export declare function validateProfileIndex(raw: unknown): ProfileIndex;
|
|
40
|
+
/** Append a binding; no-op (keeping the existing record) if the UUID is already listed. */
|
|
41
|
+
export declare function addBinding(index: ProfileIndex, binding: ProfileIndexBinding): ProfileIndex;
|
|
42
|
+
/** Append a revocation; no-op if the UUID is already listed. */
|
|
43
|
+
export declare function addRevocation(index: ProfileIndex, revocation: ProfileIndexRevocation): ProfileIndex;
|
|
44
|
+
/**
|
|
45
|
+
* Union two indexes for the same user (e.g. the user's own file plus
|
|
46
|
+
* the operator overlay). Deduped by entry UUID; first occurrence wins.
|
|
47
|
+
*/
|
|
48
|
+
export declare function mergeProfileIndexes(a: ProfileIndex, b: ProfileIndex): ProfileIndex;
|
|
49
|
+
export declare function profileIndexUrl(githubUsername: string): string;
|
|
50
|
+
export interface FetchProfileIndexOptions {
|
|
51
|
+
fetch?: typeof fetch;
|
|
52
|
+
/** Override the URL (e.g. the operator overlay); defaults to the profile-repo convention. */
|
|
53
|
+
url?: string;
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Fetch and validate a user's published index.
|
|
57
|
+
*
|
|
58
|
+
* Returns `null` on 404 (the user hasn't published one — an expected
|
|
59
|
+
* state, not an error). Malformed content throws
|
|
60
|
+
* `ProfileIndexValidationError`; transport/HTTP failures throw
|
|
61
|
+
* `PassportsignError('internal_error')`.
|
|
62
|
+
*/
|
|
63
|
+
export declare function fetchProfileIndex(githubUsername: string, opts?: FetchProfileIndexOptions): Promise<ProfileIndex | null>;
|
|
64
|
+
//# sourceMappingURL=profile-index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"profile-index.d.ts","sourceRoot":"","sources":["../src/profile-index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,eAAO,MAAM,qBAAqB,EAAG,CAAU,CAAC;AAChD,eAAO,MAAM,sBAAsB,EAAG,yBAAkC,CAAC;AAKzE,MAAM,WAAW,mBAAmB;IAClC,gBAAgB,EAAE,MAAM,CAAC;IACzB,oFAAoF;IACpF,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,sBAAsB;IACrC,gBAAgB,EAAE,MAAM,CAAC;IACzB,4FAA4F;IAC5F,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,0CAA0C;IAC1C,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,qBAAqB,CAAC;IACtC,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC,WAAW,EAAE,sBAAsB,EAAE,CAAC;CACvC;AAED,qBAAa,2BAA4B,SAAQ,KAAK;gBACxC,OAAO,EAAE,MAAM;CAI5B;AAED,wBAAgB,kBAAkB,CAAC,cAAc,EAAE,MAAM,GAAG,YAAY,CAUvE;AAoBD,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,GAAG,YAAY,CAkD/D;AAED,2FAA2F;AAC3F,wBAAgB,UAAU,CAAC,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,mBAAmB,GAAG,YAAY,CAK1F;AAED,gEAAgE;AAChE,wBAAgB,aAAa,CAC3B,KAAK,EAAE,YAAY,EACnB,UAAU,EAAE,sBAAsB,GACjC,YAAY,CAKd;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,YAAY,GAAG,YAAY,CAUlF;AAED,wBAAgB,eAAe,CAAC,cAAc,EAAE,MAAM,GAAG,MAAM,CAE9D;AAED,MAAM,WAAW,wBAAwB;IACvC,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,6FAA6F;IAC7F,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CACrC,cAAc,EAAE,MAAM,EACtB,IAAI,GAAE,wBAA6B,GAClC,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAgC9B"}
|
|
@@ -0,0 +1,161 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* The `passportsign-index.json` convention (roadmap v0.5.5).
|
|
3
|
+
*
|
|
4
|
+
* Public Rekor cannot be searched by predicateType, so discovery of a
|
|
5
|
+
* user's bindings flows through a JSON file the user publishes at the
|
|
6
|
+
* root of their profile repo (`github.com/<user>/<user>`, branch
|
|
7
|
+
* `main`). The file lists Rekor entry UUIDs for bindings *and*
|
|
8
|
+
* revocations — revocations are discoverable only through this file,
|
|
9
|
+
* which is why the schema carries them from version 1.
|
|
10
|
+
*
|
|
11
|
+
* The file is user-controlled: consumers (the `list` command, the
|
|
12
|
+
* badge service) must sanity-check every referenced entry against the
|
|
13
|
+
* log rather than trusting the file's contents.
|
|
14
|
+
*/
|
|
15
|
+
import { PassportsignError } from './errors.js';
|
|
16
|
+
export const PROFILE_INDEX_VERSION = 1;
|
|
17
|
+
export const PROFILE_INDEX_FILENAME = 'passportsign-index.json';
|
|
18
|
+
/** Rekor entry UUIDs are 80 hex chars (16-byte tree-ID prefix + 32-byte entry hash). */
|
|
19
|
+
const REKOR_UUID = /^[0-9a-f]{80}$/;
|
|
20
|
+
export class ProfileIndexValidationError extends Error {
|
|
21
|
+
constructor(message) {
|
|
22
|
+
super(message);
|
|
23
|
+
this.name = 'ProfileIndexValidationError';
|
|
24
|
+
}
|
|
25
|
+
}
|
|
26
|
+
export function createProfileIndex(githubUsername) {
|
|
27
|
+
if (githubUsername.length === 0) {
|
|
28
|
+
throw new TypeError('github_username: must be non-empty');
|
|
29
|
+
}
|
|
30
|
+
return {
|
|
31
|
+
version: PROFILE_INDEX_VERSION,
|
|
32
|
+
github_username: githubUsername,
|
|
33
|
+
bindings: [],
|
|
34
|
+
revocations: [],
|
|
35
|
+
};
|
|
36
|
+
}
|
|
37
|
+
function fail(message) {
|
|
38
|
+
throw new ProfileIndexValidationError(message);
|
|
39
|
+
}
|
|
40
|
+
function assertRekorUuid(value, field) {
|
|
41
|
+
if (typeof value !== 'string' || !REKOR_UUID.test(value)) {
|
|
42
|
+
fail(`${field}: expected 80-char lowercase hex Rekor entry UUID, got ${JSON.stringify(value)}`);
|
|
43
|
+
}
|
|
44
|
+
return value;
|
|
45
|
+
}
|
|
46
|
+
function assertIsoDate(value, field) {
|
|
47
|
+
if (typeof value !== 'string' || Number.isNaN(Date.parse(value))) {
|
|
48
|
+
fail(`${field}: expected ISO 8601 timestamp, got ${JSON.stringify(value)}`);
|
|
49
|
+
}
|
|
50
|
+
return value;
|
|
51
|
+
}
|
|
52
|
+
export function validateProfileIndex(raw) {
|
|
53
|
+
if (typeof raw !== 'object' || raw === null) {
|
|
54
|
+
fail('index must be a JSON object');
|
|
55
|
+
}
|
|
56
|
+
const obj = raw;
|
|
57
|
+
if (obj['version'] !== PROFILE_INDEX_VERSION) {
|
|
58
|
+
fail(`version: expected ${PROFILE_INDEX_VERSION}, got ${JSON.stringify(obj['version'])}`);
|
|
59
|
+
}
|
|
60
|
+
const username = obj['github_username'];
|
|
61
|
+
if (typeof username !== 'string' || username.length === 0) {
|
|
62
|
+
fail('github_username: must be a non-empty string');
|
|
63
|
+
}
|
|
64
|
+
const bindingsRaw = obj['bindings'];
|
|
65
|
+
if (!Array.isArray(bindingsRaw)) {
|
|
66
|
+
fail('bindings: must be an array');
|
|
67
|
+
}
|
|
68
|
+
const revocationsRaw = obj['revocations'];
|
|
69
|
+
if (!Array.isArray(revocationsRaw)) {
|
|
70
|
+
fail('revocations: must be an array');
|
|
71
|
+
}
|
|
72
|
+
const bindings = bindingsRaw.map((b, i) => {
|
|
73
|
+
if (typeof b !== 'object' || b === null)
|
|
74
|
+
fail(`bindings[${i}]: must be an object`);
|
|
75
|
+
const rec = b;
|
|
76
|
+
return {
|
|
77
|
+
rekor_entry_hash: assertRekorUuid(rec['rekor_entry_hash'], `bindings[${i}].rekor_entry_hash`),
|
|
78
|
+
bound_at: assertIsoDate(rec['bound_at'], `bindings[${i}].bound_at`),
|
|
79
|
+
};
|
|
80
|
+
});
|
|
81
|
+
const revocations = revocationsRaw.map((r, i) => {
|
|
82
|
+
if (typeof r !== 'object' || r === null)
|
|
83
|
+
fail(`revocations[${i}]: must be an object`);
|
|
84
|
+
const rec = r;
|
|
85
|
+
const out = {
|
|
86
|
+
rekor_entry_hash: assertRekorUuid(rec['rekor_entry_hash'], `revocations[${i}].rekor_entry_hash`),
|
|
87
|
+
revoked_at: assertIsoDate(rec['revoked_at'], `revocations[${i}].revoked_at`),
|
|
88
|
+
};
|
|
89
|
+
if (rec['revokes_rekor_entry_hash'] !== undefined) {
|
|
90
|
+
out.revokes_rekor_entry_hash = assertRekorUuid(rec['revokes_rekor_entry_hash'], `revocations[${i}].revokes_rekor_entry_hash`);
|
|
91
|
+
}
|
|
92
|
+
return out;
|
|
93
|
+
});
|
|
94
|
+
return { version: PROFILE_INDEX_VERSION, github_username: username, bindings, revocations };
|
|
95
|
+
}
|
|
96
|
+
/** Append a binding; no-op (keeping the existing record) if the UUID is already listed. */
|
|
97
|
+
export function addBinding(index, binding) {
|
|
98
|
+
if (index.bindings.some((b) => b.rekor_entry_hash === binding.rekor_entry_hash)) {
|
|
99
|
+
return index;
|
|
100
|
+
}
|
|
101
|
+
return { ...index, bindings: [...index.bindings, binding] };
|
|
102
|
+
}
|
|
103
|
+
/** Append a revocation; no-op if the UUID is already listed. */
|
|
104
|
+
export function addRevocation(index, revocation) {
|
|
105
|
+
if (index.revocations.some((r) => r.rekor_entry_hash === revocation.rekor_entry_hash)) {
|
|
106
|
+
return index;
|
|
107
|
+
}
|
|
108
|
+
return { ...index, revocations: [...index.revocations, revocation] };
|
|
109
|
+
}
|
|
110
|
+
/**
|
|
111
|
+
* Union two indexes for the same user (e.g. the user's own file plus
|
|
112
|
+
* the operator overlay). Deduped by entry UUID; first occurrence wins.
|
|
113
|
+
*/
|
|
114
|
+
export function mergeProfileIndexes(a, b) {
|
|
115
|
+
if (a.github_username.toLowerCase() !== b.github_username.toLowerCase()) {
|
|
116
|
+
fail(`cannot merge indexes for different users: ${a.github_username} vs ${b.github_username}`);
|
|
117
|
+
}
|
|
118
|
+
let merged = a;
|
|
119
|
+
for (const binding of b.bindings)
|
|
120
|
+
merged = addBinding(merged, binding);
|
|
121
|
+
for (const revocation of b.revocations)
|
|
122
|
+
merged = addRevocation(merged, revocation);
|
|
123
|
+
return merged;
|
|
124
|
+
}
|
|
125
|
+
export function profileIndexUrl(githubUsername) {
|
|
126
|
+
return `https://raw.githubusercontent.com/${githubUsername}/${githubUsername}/main/${PROFILE_INDEX_FILENAME}`;
|
|
127
|
+
}
|
|
128
|
+
/**
|
|
129
|
+
* Fetch and validate a user's published index.
|
|
130
|
+
*
|
|
131
|
+
* Returns `null` on 404 (the user hasn't published one — an expected
|
|
132
|
+
* state, not an error). Malformed content throws
|
|
133
|
+
* `ProfileIndexValidationError`; transport/HTTP failures throw
|
|
134
|
+
* `PassportsignError('internal_error')`.
|
|
135
|
+
*/
|
|
136
|
+
export async function fetchProfileIndex(githubUsername, opts = {}) {
|
|
137
|
+
const fetchImpl = opts.fetch ?? globalThis.fetch;
|
|
138
|
+
const url = opts.url ?? profileIndexUrl(githubUsername);
|
|
139
|
+
let response;
|
|
140
|
+
try {
|
|
141
|
+
response = await fetchImpl(url);
|
|
142
|
+
}
|
|
143
|
+
catch (err) {
|
|
144
|
+
throw new PassportsignError('internal_error', `profile-index fetch failed: ${err instanceof Error ? err.message : String(err)}`, err);
|
|
145
|
+
}
|
|
146
|
+
if (response.status === 404) {
|
|
147
|
+
return null;
|
|
148
|
+
}
|
|
149
|
+
if (!response.ok) {
|
|
150
|
+
throw new PassportsignError('internal_error', `profile-index fetch returned ${response.status} for ${url}`);
|
|
151
|
+
}
|
|
152
|
+
let body;
|
|
153
|
+
try {
|
|
154
|
+
body = await response.json();
|
|
155
|
+
}
|
|
156
|
+
catch (err) {
|
|
157
|
+
throw new ProfileIndexValidationError(`profile-index at ${url} is not valid JSON: ${err instanceof Error ? err.message : String(err)}`);
|
|
158
|
+
}
|
|
159
|
+
return validateProfileIndex(body);
|
|
160
|
+
}
|
|
161
|
+
//# sourceMappingURL=profile-index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"profile-index.js","sourceRoot":"","sources":["../src/profile-index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEhD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAU,CAAC;AAChD,MAAM,CAAC,MAAM,sBAAsB,GAAG,yBAAkC,CAAC;AAEzE,wFAAwF;AACxF,MAAM,UAAU,GAAG,gBAAgB,CAAC;AAuBpC,MAAM,OAAO,2BAA4B,SAAQ,KAAK;IACpD,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,6BAA6B,CAAC;IAC5C,CAAC;CACF;AAED,MAAM,UAAU,kBAAkB,CAAC,cAAsB;IACvD,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,SAAS,CAAC,oCAAoC,CAAC,CAAC;IAC5D,CAAC;IACD,OAAO;QACL,OAAO,EAAE,qBAAqB;QAC9B,eAAe,EAAE,cAAc;QAC/B,QAAQ,EAAE,EAAE;QACZ,WAAW,EAAE,EAAE;KAChB,CAAC;AACJ,CAAC;AAED,SAAS,IAAI,CAAC,OAAe;IAC3B,MAAM,IAAI,2BAA2B,CAAC,OAAO,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,eAAe,CAAC,KAAc,EAAE,KAAa;IACpD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACzD,IAAI,CAAC,GAAG,KAAK,0DAA0D,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CAAC,KAAc,EAAE,KAAa;IAClD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;QACjE,IAAI,CAAC,GAAG,KAAK,sCAAsC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,GAAY;IAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,IAAI,CAAC,6BAA6B,CAAC,CAAC;IACtC,CAAC;IACD,MAAM,GAAG,GAAG,GAA8B,CAAC;IAC3C,IAAI,GAAG,CAAC,SAAS,CAAC,KAAK,qBAAqB,EAAE,CAAC;QAC7C,IAAI,CAAC,qBAAqB,qBAAqB,SAAS,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;IACD,MAAM,QAAQ,GAAG,GAAG,CAAC,iBAAiB,CAAC,CAAC;IACxC,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,IAAI,CAAC,6CAA6C,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,WAAW,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC;IACpC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACrC,CAAC;IACD,MAAM,cAAc,GAAG,GAAG,CAAC,aAAa,CAAC,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,QAAQ,GAA0B,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC/D,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI;YAAE,IAAI,CAAC,YAAY,CAAC,sBAAsB,CAAC,CAAC;QACnF,MAAM,GAAG,GAAG,CAA4B,CAAC;QACzC,OAAO;YACL,gBAAgB,EAAE,eAAe,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAE,YAAY,CAAC,oBAAoB,CAAC;YAC7F,QAAQ,EAAE,aAAa,CAAC,GAAG,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,YAAY,CAAC;SACpE,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,MAAM,WAAW,GAA6B,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACxE,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI;YAAE,IAAI,CAAC,eAAe,CAAC,sBAAsB,CAAC,CAAC;QACtF,MAAM,GAAG,GAAG,CAA4B,CAAC;QACzC,MAAM,GAAG,GAA2B;YAClC,gBAAgB,EAAE,eAAe,CAC/B,GAAG,CAAC,kBAAkB,CAAC,EACvB,eAAe,CAAC,oBAAoB,CACrC;YACD,UAAU,EAAE,aAAa,CAAC,GAAG,CAAC,YAAY,CAAC,EAAE,eAAe,CAAC,cAAc,CAAC;SAC7E,CAAC;QACF,IAAI,GAAG,CAAC,0BAA0B,CAAC,KAAK,SAAS,EAAE,CAAC;YAClD,GAAG,CAAC,wBAAwB,GAAG,eAAe,CAC5C,GAAG,CAAC,0BAA0B,CAAC,EAC/B,eAAe,CAAC,4BAA4B,CAC7C,CAAC;QACJ,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,qBAAqB,EAAE,eAAe,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;AAC9F,CAAC;AAED,2FAA2F;AAC3F,MAAM,UAAU,UAAU,CAAC,KAAmB,EAAE,OAA4B;IAC1E,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB,KAAK,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAChF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,EAAE,GAAG,KAAK,EAAE,QAAQ,EAAE,CAAC,GAAG,KAAK,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;AAC9D,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,aAAa,CAC3B,KAAmB,EACnB,UAAkC;IAElC,IAAI,KAAK,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB,KAAK,UAAU,CAAC,gBAAgB,CAAC,EAAE,CAAC;QACtF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,EAAE,GAAG,KAAK,EAAE,WAAW,EAAE,CAAC,GAAG,KAAK,CAAC,WAAW,EAAE,UAAU,CAAC,EAAE,CAAC;AACvE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,CAAe,EAAE,CAAe;IAClE,IAAI,CAAC,CAAC,eAAe,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,eAAe,CAAC,WAAW,EAAE,EAAE,CAAC;QACxE,IAAI,CACF,6CAA6C,CAAC,CAAC,eAAe,OAAO,CAAC,CAAC,eAAe,EAAE,CACzF,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,MAAM,OAAO,IAAI,CAAC,CAAC,QAAQ;QAAE,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACvE,KAAK,MAAM,UAAU,IAAI,CAAC,CAAC,WAAW;QAAE,MAAM,GAAG,aAAa,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACnF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,cAAsB;IACpD,OAAO,qCAAqC,cAAc,IAAI,cAAc,SAAS,sBAAsB,EAAE,CAAC;AAChH,CAAC;AAQD;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,cAAsB,EACtB,OAAiC,EAAE;IAEnC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC;IACjD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,IAAI,eAAe,CAAC,cAAc,CAAC,CAAC;IAExD,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,+BAA+B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACjF,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,gCAAgC,QAAQ,CAAC,MAAM,QAAQ,GAAG,EAAE,CAC7D,CAAC;IACJ,CAAC;IACD,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,2BAA2B,CACnC,oBAAoB,GAAG,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACjG,CAAC;IACJ,CAAC;IACD,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC;AACpC,CAAC"}
|
package/dist/revoke.d.ts
ADDED
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Revocation orchestrator (roadmap v0.5.2, spec §7).
|
|
3
|
+
*
|
|
4
|
+
* Mirror of `bind.ts`'s `prepareBinding` minus the GitHub gist check:
|
|
5
|
+
* revocation deliberately requires only a fresh proof from the same
|
|
6
|
+
* passport, so a user who lost their GitHub account can still revoke.
|
|
7
|
+
* The result feeds the same `submitBinding` Rekor path — a revocation
|
|
8
|
+
* is just another in-toto entry, with the `#revocation` predicateType.
|
|
9
|
+
*/
|
|
10
|
+
import { type PassportsignRevocationStatement } from './statement.js';
|
|
11
|
+
export interface PrepareRevocationInput {
|
|
12
|
+
github_username: string;
|
|
13
|
+
/** Base64-encoded zkPassport proof blob (fresh scan, same passport). */
|
|
14
|
+
proof_blob_b64: string;
|
|
15
|
+
/** From the SDK's `onResult` — must match the binding being revoked. */
|
|
16
|
+
unique_identifier: string;
|
|
17
|
+
/** Rekor entry UUID of the binding to revoke. */
|
|
18
|
+
revokes_rekor_entry_hash: string;
|
|
19
|
+
scope: string;
|
|
20
|
+
zkpassport_sdk_version: string;
|
|
21
|
+
}
|
|
22
|
+
export interface PreparedRevocation {
|
|
23
|
+
statement: PassportsignRevocationStatement;
|
|
24
|
+
statement_canonical: Uint8Array;
|
|
25
|
+
statement_sha256_hex: string;
|
|
26
|
+
proof_blob_b64: string;
|
|
27
|
+
proof_blob_sha256_hex: string;
|
|
28
|
+
}
|
|
29
|
+
export declare function prepareRevocation(input: PrepareRevocationInput): PreparedRevocation;
|
|
30
|
+
//# sourceMappingURL=revoke.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"revoke.d.ts","sourceRoot":"","sources":["../src/revoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,EAEL,KAAK,+BAA+B,EACrC,MAAM,gBAAgB,CAAC;AAExB,MAAM,WAAW,sBAAsB;IACrC,eAAe,EAAE,MAAM,CAAC;IACxB,wEAAwE;IACxE,cAAc,EAAE,MAAM,CAAC;IACvB,wEAAwE;IACxE,iBAAiB,EAAE,MAAM,CAAC;IAC1B,iDAAiD;IACjD,wBAAwB,EAAE,MAAM,CAAC;IACjC,KAAK,EAAE,MAAM,CAAC;IACd,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,+BAA+B,CAAC;IAC3C,mBAAmB,EAAE,UAAU,CAAC;IAChC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;CAC/B;AAED,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,sBAAsB,GAAG,kBAAkB,CA4BnF"}
|
package/dist/revoke.js
ADDED
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Revocation orchestrator (roadmap v0.5.2, spec §7).
|
|
3
|
+
*
|
|
4
|
+
* Mirror of `bind.ts`'s `prepareBinding` minus the GitHub gist check:
|
|
5
|
+
* revocation deliberately requires only a fresh proof from the same
|
|
6
|
+
* passport, so a user who lost their GitHub account can still revoke.
|
|
7
|
+
* The result feeds the same `submitBinding` Rekor path — a revocation
|
|
8
|
+
* is just another in-toto entry, with the `#revocation` predicateType.
|
|
9
|
+
*/
|
|
10
|
+
import { canonicalize, canonicalSha256Hex } from './canonical.js';
|
|
11
|
+
import { base64ToBytes, sha256Hex } from './encoding.js';
|
|
12
|
+
import { PassportsignError } from './errors.js';
|
|
13
|
+
import { buildRevocationStatement, } from './statement.js';
|
|
14
|
+
export function prepareRevocation(input) {
|
|
15
|
+
let proofBytes;
|
|
16
|
+
try {
|
|
17
|
+
proofBytes = base64ToBytes(input.proof_blob_b64);
|
|
18
|
+
}
|
|
19
|
+
catch (err) {
|
|
20
|
+
throw new PassportsignError('proof_invalid', 'proof_blob_b64 is not valid base64', err);
|
|
21
|
+
}
|
|
22
|
+
if (proofBytes.length === 0) {
|
|
23
|
+
throw new PassportsignError('proof_invalid', 'proof_blob_b64 decoded to zero bytes');
|
|
24
|
+
}
|
|
25
|
+
const proof_blob_sha256_hex = sha256Hex(proofBytes);
|
|
26
|
+
const statement = buildRevocationStatement({
|
|
27
|
+
github_username: input.github_username,
|
|
28
|
+
unique_identifier: input.unique_identifier,
|
|
29
|
+
revokes_rekor_entry_hash: input.revokes_rekor_entry_hash,
|
|
30
|
+
proof_blob_sha256: proof_blob_sha256_hex,
|
|
31
|
+
scope: input.scope,
|
|
32
|
+
zkpassport_sdk_version: input.zkpassport_sdk_version,
|
|
33
|
+
});
|
|
34
|
+
return {
|
|
35
|
+
statement,
|
|
36
|
+
statement_canonical: canonicalize(statement),
|
|
37
|
+
statement_sha256_hex: canonicalSha256Hex(statement),
|
|
38
|
+
proof_blob_b64: input.proof_blob_b64,
|
|
39
|
+
proof_blob_sha256_hex,
|
|
40
|
+
};
|
|
41
|
+
}
|
|
42
|
+
//# sourceMappingURL=revoke.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"revoke.js","sourceRoot":"","sources":["../src/revoke.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EACL,wBAAwB,GAEzB,MAAM,gBAAgB,CAAC;AAsBxB,MAAM,UAAU,iBAAiB,CAAC,KAA6B;IAC7D,IAAI,UAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,iBAAiB,CAAC,eAAe,EAAE,oCAAoC,EAAE,GAAG,CAAC,CAAC;IAC1F,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,iBAAiB,CAAC,eAAe,EAAE,sCAAsC,CAAC,CAAC;IACvF,CAAC;IACD,MAAM,qBAAqB,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;IAEpD,MAAM,SAAS,GAAG,wBAAwB,CAAC;QACzC,eAAe,EAAE,KAAK,CAAC,eAAe;QACtC,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,wBAAwB,EAAE,KAAK,CAAC,wBAAwB;QACxD,iBAAiB,EAAE,qBAAqB;QACxC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;KACrD,CAAC,CAAC;IAEH,OAAO;QACL,SAAS;QACT,mBAAmB,EAAE,YAAY,CAAC,SAAS,CAAC;QAC5C,oBAAoB,EAAE,kBAAkB,CAAC,SAAS,CAAC;QACnD,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,qBAAqB;KACtB,CAAC;AACJ,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sdk-payload.d.ts","sourceRoot":"","sources":["../src/sdk-payload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,MAAM,WAAW,UAAU;IACzB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,MAAM,EAAE,OAAO,EAAE,CAAC;IAClB,8DAA8D;IAC9D,cAAc,EAAE,OAAO,CAAC;IACxB,wDAAwD;IACxD,YAAY,EAAE,OAAO,CAAC;IACtB,yDAAyD;IACzD,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,4CAA4C;IAC5C,KAAK,EAAE,UAAU,CAAC;IAClB,wEAAwE;IACxE,GAAG,EAAE,MAAM,CAAC;IACZ,uGAAuG;IACvG,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,gBAAgB,
|
|
1
|
+
{"version":3,"file":"sdk-payload.d.ts","sourceRoot":"","sources":["../src/sdk-payload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,MAAM,WAAW,UAAU;IACzB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,MAAM,EAAE,OAAO,EAAE,CAAC;IAClB,8DAA8D;IAC9D,cAAc,EAAE,OAAO,CAAC;IACxB,wDAAwD;IACxD,YAAY,EAAE,OAAO,CAAC;IACtB,yDAAyD;IACzD,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,4CAA4C;IAC5C,KAAK,EAAE,UAAU,CAAC;IAClB,wEAAwE;IACxE,GAAG,EAAE,MAAM,CAAC;IACZ,uGAAuG;IACvG,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,gBAAgB,CAGpE;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAkBxD"}
|
package/dist/sdk-payload.js
CHANGED
|
@@ -8,17 +8,15 @@
|
|
|
8
8
|
* binds those bytes to the rest of the binding — Day 5's hash check
|
|
9
9
|
* carries through.
|
|
10
10
|
*/
|
|
11
|
-
import { createHash } from 'node:crypto';
|
|
12
11
|
import { canonicalize } from './canonical.js';
|
|
12
|
+
import { base64ToBytes, bytesToBase64, bytesToUtf8, sha256Hex } from './encoding.js';
|
|
13
13
|
export function packSdkPayload(payload) {
|
|
14
14
|
const bytes = canonicalize(payload);
|
|
15
|
-
|
|
16
|
-
const sha256Hex = createHash('sha256').update(bytes).digest('hex');
|
|
17
|
-
return { bytes, b64, sha256Hex };
|
|
15
|
+
return { bytes, b64: bytesToBase64(bytes), sha256Hex: sha256Hex(bytes) };
|
|
18
16
|
}
|
|
19
17
|
export function unpackSdkPayload(b64) {
|
|
20
|
-
const bytes =
|
|
21
|
-
const parsed = JSON.parse(bytes
|
|
18
|
+
const bytes = base64ToBytes(b64);
|
|
19
|
+
const parsed = JSON.parse(bytesToUtf8(bytes));
|
|
22
20
|
// Defensive shape check (cheap; the canonicalize round-trip would already catch shape issues elsewhere).
|
|
23
21
|
if (typeof parsed['sdk_version'] !== 'string' ||
|
|
24
22
|
typeof parsed['dev_mode'] !== 'boolean' ||
|
package/dist/sdk-payload.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sdk-payload.js","sourceRoot":"","sources":["../src/sdk-payload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"sdk-payload.js","sourceRoot":"","sources":["../src/sdk-payload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAwBrF,MAAM,UAAU,cAAc,CAAC,OAAmB;IAChD,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,aAAa,CAAC,KAAK,CAAC,EAAE,SAAS,EAAE,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;AAC3E,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,CAA4B,CAAC;IACzE,yGAAyG;IACzG,IACE,OAAO,MAAM,CAAC,aAAa,CAAC,KAAK,QAAQ;QACzC,OAAO,MAAM,CAAC,UAAU,CAAC,KAAK,SAAS;QACvC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAChC,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;IACxE,CAAC;IACD,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,aAAa,CAAC;QAClC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC;QACxB,cAAc,EAAE,MAAM,CAAC,gBAAgB,CAAC;QACxC,YAAY,EAAE,MAAM,CAAC,cAAc,CAAC;QACpC,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;KAC7B,CAAC;AACJ,CAAC"}
|
package/dist/statement.d.ts
CHANGED
|
@@ -9,6 +9,7 @@
|
|
|
9
9
|
*/
|
|
10
10
|
export declare const IN_TOTO_STATEMENT_TYPE: "https://in-toto.io/Statement/v1";
|
|
11
11
|
export declare const PASSPORTSIGN_PREDICATE_TYPE: "https://passportsign.dev/personhood/v1";
|
|
12
|
+
export declare const PASSPORTSIGN_REVOCATION_PREDICATE_TYPE: "https://passportsign.dev/personhood/v1#revocation";
|
|
12
13
|
export type DisclosureLevel = 'personhood' | 'personhood+country';
|
|
13
14
|
export interface PassportsignPredicate {
|
|
14
15
|
/** From the zkPassport SDK — deterministic for (passport, domain, scope). */
|
|
@@ -64,4 +65,44 @@ export interface BuildStatementInput {
|
|
|
64
65
|
* authoritative time of binding.
|
|
65
66
|
*/
|
|
66
67
|
export declare function buildStatement(input: BuildStatementInput): PassportsignStatement;
|
|
68
|
+
export interface PassportsignRevocationPredicate {
|
|
69
|
+
/** Must match the revoked binding's `unique_identifier` — same passport, same scope. */
|
|
70
|
+
unique_identifier: string;
|
|
71
|
+
/** Rekor entry UUID of the binding being revoked. */
|
|
72
|
+
revokes_rekor_entry_hash: string;
|
|
73
|
+
/** Lowercase hex SHA-256 of the fresh proof blob backing this revocation. */
|
|
74
|
+
proof_blob_sha256: string;
|
|
75
|
+
/** zkPassport scope — must equal the binding scope or the identifiers won't match. */
|
|
76
|
+
scope: string;
|
|
77
|
+
zkpassport_sdk_version: string;
|
|
78
|
+
}
|
|
79
|
+
export interface PassportsignRevocationStatement {
|
|
80
|
+
_type: typeof IN_TOTO_STATEMENT_TYPE;
|
|
81
|
+
subject: Array<{
|
|
82
|
+
name: string;
|
|
83
|
+
digest: {
|
|
84
|
+
sha256: string;
|
|
85
|
+
};
|
|
86
|
+
}>;
|
|
87
|
+
predicateType: typeof PASSPORTSIGN_REVOCATION_PREDICATE_TYPE;
|
|
88
|
+
predicate: PassportsignRevocationPredicate;
|
|
89
|
+
}
|
|
90
|
+
export interface BuildRevocationStatementInput {
|
|
91
|
+
github_username: string;
|
|
92
|
+
unique_identifier: string;
|
|
93
|
+
revokes_rekor_entry_hash: string;
|
|
94
|
+
proof_blob_sha256: string;
|
|
95
|
+
scope: string;
|
|
96
|
+
zkpassport_sdk_version: string;
|
|
97
|
+
}
|
|
98
|
+
/**
|
|
99
|
+
* Build a passportsign revocation statement (spec §7, roadmap v0.5.2).
|
|
100
|
+
*
|
|
101
|
+
* Revocation requires only a fresh proof from the same passport — there
|
|
102
|
+
* are deliberately no gist fields (no GitHub control needed; that's the
|
|
103
|
+
* recovery property). The revocation always targets one concrete
|
|
104
|
+
* binding entry; the subject digest is the sha256 of that entry's UUID
|
|
105
|
+
* string, tying the statement to the artifact it acts on.
|
|
106
|
+
*/
|
|
107
|
+
export declare function buildRevocationStatement(input: BuildRevocationStatementInput): PassportsignRevocationStatement;
|
|
67
108
|
//# sourceMappingURL=statement.d.ts.map
|
package/dist/statement.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"statement.d.ts","sourceRoot":"","sources":["../src/statement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;
|
|
1
|
+
{"version":3,"file":"statement.d.ts","sourceRoot":"","sources":["../src/statement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,eAAO,MAAM,sBAAsB,EAAG,iCAA0C,CAAC;AACjF,eAAO,MAAM,2BAA2B,EACtC,wCAAiD,CAAC;AACpD,eAAO,MAAM,sCAAsC,EACjD,mDAA4D,CAAC;AAE/D,MAAM,MAAM,eAAe,GAAG,YAAY,GAAG,oBAAoB,CAAC;AAElE,MAAM,WAAW,qBAAqB;IACpC,6EAA6E;IAC7E,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mFAAmF;IACnF,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,kFAAkF;IAClF,gBAAgB,EAAE,eAAe,CAAC;IAClC,qDAAqD;IACrD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,mBAAmB,EAAE,MAAM,CAAC;IAC5B,yEAAyE;IACzE,KAAK,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,sBAAsB,CAAC;IACrC,OAAO,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE;YAAE,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC;KAC5B,CAAC,CAAC;IACH,aAAa,EAAE,OAAO,2BAA2B,CAAC;IAClD,SAAS,EAAE,qBAAqB,CAAC;CAClC;AAED,MAAM,WAAW,mBAAmB;IAClC,eAAe,EAAE,MAAM,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,sBAAsB,EAAE,MAAM,CAAC;CAChC;AA2BD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,mBAAmB,GAAG,qBAAqB,CAgChF;AAED,MAAM,WAAW,+BAA+B;IAC9C,wFAAwF;IACxF,iBAAiB,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,wBAAwB,EAAE,MAAM,CAAC;IACjC,6EAA6E;IAC7E,iBAAiB,EAAE,MAAM,CAAC;IAC1B,sFAAsF;IACtF,KAAK,EAAE,MAAM,CAAC;IACd,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,+BAA+B;IAC9C,KAAK,EAAE,OAAO,sBAAsB,CAAC;IACrC,OAAO,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE;YAAE,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC;KAC5B,CAAC,CAAC;IACH,aAAa,EAAE,OAAO,sCAAsC,CAAC;IAC7D,SAAS,EAAE,+BAA+B,CAAC;CAC5C;AAED,MAAM,WAAW,6BAA6B;IAC5C,eAAe,EAAE,MAAM,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,wBAAwB,EAAE,MAAM,CAAC;IACjC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED;;;;;;;;GAQG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,6BAA6B,GACnC,+BAA+B,CA2BjC"}
|