@snaha/swarm-id 0.0.1

package/src/proxy/act/grantee-list.test.ts

@@ -0,0 +1,393 @@
+/**
+ * Unit tests for Grantee List Management
+ */
+
+import { describe, it, expect } from "vitest"
+import {
+  serializeGranteeList,
+  deserializeGranteeList,
+  encryptGranteeList,
+  decryptGranteeList,
+  serializeAndEncryptGranteeList,
+  decryptAndDeserializeGranteeList,
+  addToGranteeList,
+  removeFromGranteeList,
+  deriveGranteeListEncryptionKey,
+  type UncompressedPublicKey,
+} from "./grantee-list"
+import { publicKeyFromPrivate } from "./crypto"
+
+// Constants
+const UNCOMPRESSED_PUBLIC_KEY_SIZE = 65
+const UNCOMPRESSED_PREFIX = 0x04
+const PUBLIC_KEY_COORD_SIZE = 32
+
+// Helper to create a random 32-byte array
+function randomBytes(length: number): Uint8Array {
+  const bytes = new Uint8Array(length)
+  crypto.getRandomValues(bytes)
+  return bytes
+}
+
+// Helper to create a test public key from seed
+function createTestPublicKey(seed: number): UncompressedPublicKey {
+  const privKey = new Uint8Array(32)
+  privKey[31] = seed
+  return publicKeyFromPrivate(privKey)
+}
+
+// Helper to create multiple test public keys
+function createTestPublicKeys(
+  count: number,
+  startSeed = 1,
+): UncompressedPublicKey[] {
+  return Array.from({ length: count }, (_, i) =>
+    createTestPublicKey(startSeed + i),
+  )
+}
+
+describe("Serialization format", () => {
+  it("serializeGranteeList should produce 65-byte entries per grantee", () => {
+    const grantees = createTestPublicKeys(3)
+    const serialized = serializeGranteeList(grantees)
+
+    expect(serialized.length).toBe(3 * UNCOMPRESSED_PUBLIC_KEY_SIZE)
+  })
+
+  it("serializeGranteeList should use 0x04 prefix for uncompressed keys", () => {
+    const grantees = createTestPublicKeys(2)
+    const serialized = serializeGranteeList(grantees)
+
+    // Check prefix for first grantee
+    expect(serialized[0]).toBe(UNCOMPRESSED_PREFIX)
+
+    // Check prefix for second grantee
+    expect(serialized[UNCOMPRESSED_PUBLIC_KEY_SIZE]).toBe(UNCOMPRESSED_PREFIX)
+  })
+
+  it("serializeGranteeList should correctly encode x and y coordinates", () => {
+    const grantee: UncompressedPublicKey = {
+      x: new Uint8Array(32).fill(0xaa),
+      y: new Uint8Array(32).fill(0xbb),
+    }
+    const serialized = serializeGranteeList([grantee])
+
+    // Check prefix
+    expect(serialized[0]).toBe(UNCOMPRESSED_PREFIX)
+
+    // Check x coordinate (bytes 1-32)
+    for (let i = 1; i <= PUBLIC_KEY_COORD_SIZE; i++) {
+      expect(serialized[i]).toBe(0xaa)
+    }
+
+    // Check y coordinate (bytes 33-64)
+    for (
+      let i = 1 + PUBLIC_KEY_COORD_SIZE;
+      i < UNCOMPRESSED_PUBLIC_KEY_SIZE;
+      i++
+    ) {
+      expect(serialized[i]).toBe(0xbb)
+    }
+  })
+
+  it("serializeGranteeList should handle empty list", () => {
+    const serialized = serializeGranteeList([])
+    expect(serialized.length).toBe(0)
+  })
+
+  it("deserializeGranteeList should parse concatenated keys", () => {
+    const grantees = createTestPublicKeys(3)
+    const serialized = serializeGranteeList(grantees)
+    const deserialized = deserializeGranteeList(serialized)
+
+    expect(deserialized.length).toBe(3)
+
+    for (let i = 0; i < 3; i++) {
+      expect(deserialized[i].x).toEqual(grantees[i].x)
+      expect(deserialized[i].y).toEqual(grantees[i].y)
+    }
+  })
+
+  it("deserializeGranteeList should handle empty data", () => {
+    const deserialized = deserializeGranteeList(new Uint8Array(0))
+    expect(deserialized).toEqual([])
+  })
+
+  it("deserializeGranteeList should throw on invalid length", () => {
+    // Not a multiple of 65
+    const invalidData = new Uint8Array(100)
+    expect(() => deserializeGranteeList(invalidData)).toThrow(
+      "Invalid grantee list length",
+    )
+  })
+
+  it("deserializeGranteeList should throw on invalid prefix", () => {
+    // Create valid-length data but with wrong prefix
+    const invalidData = new Uint8Array(65)
+    invalidData[0] = 0x02 // Wrong prefix (should be 0x04)
+
+    expect(() => deserializeGranteeList(invalidData)).toThrow(
+      "Invalid public key prefix",
+    )
+  })
+})
+
+describe("Encryption", () => {
+  it("deriveGranteeListEncryptionKey should derive consistent key", () => {
+    const publisherPrivKey = randomBytes(32)
+
+    const key1 = deriveGranteeListEncryptionKey(publisherPrivKey)
+    const key2 = deriveGranteeListEncryptionKey(publisherPrivKey)
+
+    expect(key1).toEqual(key2)
+    expect(key1.length).toBe(32)
+  })
+
+  it("deriveGranteeListEncryptionKey should produce different keys for different publishers", () => {
+    const privKey1 = randomBytes(32)
+    const privKey2 = randomBytes(32)
+
+    const key1 = deriveGranteeListEncryptionKey(privKey1)
+    const key2 = deriveGranteeListEncryptionKey(privKey2)
+
+    expect(key1).not.toEqual(key2)
+  })
+
+  it("encryptGranteeList/decryptGranteeList should roundtrip", () => {
+    const publisherPrivKey = randomBytes(32)
+    const grantees = createTestPublicKeys(3)
+    const serialized = serializeGranteeList(grantees)
+
+    const encrypted = encryptGranteeList(serialized, publisherPrivKey)
+    const decrypted = decryptGranteeList(encrypted, publisherPrivKey)
+
+    expect(decrypted).toEqual(serialized)
+  })
+
+  it("encryptGranteeList should produce different output than input", () => {
+    const publisherPrivKey = randomBytes(32)
+    const grantees = createTestPublicKeys(2)
+    const serialized = serializeGranteeList(grantees)
+
+    const encrypted = encryptGranteeList(serialized, publisherPrivKey)
+
+    // Encrypted data should differ from original
+    expect(encrypted).not.toEqual(serialized)
+    // But same length
+    expect(encrypted.length).toBe(serialized.length)
+  })
+
+  it("serializeAndEncryptGranteeList should combine operations", () => {
+    const publisherPrivKey = randomBytes(32)
+    const grantees = createTestPublicKeys(3)
+
+    const combined = serializeAndEncryptGranteeList(grantees, publisherPrivKey)
+
+    // Manual approach
+    const serialized = serializeGranteeList(grantees)
+    const encrypted = encryptGranteeList(serialized, publisherPrivKey)
+
+    expect(combined).toEqual(encrypted)
+  })
+
+  it("decryptAndDeserializeGranteeList should combine operations", () => {
+    const publisherPrivKey = randomBytes(32)
+    const grantees = createTestPublicKeys(3)
+
+    const encrypted = serializeAndEncryptGranteeList(grantees, publisherPrivKey)
+    const decrypted = decryptAndDeserializeGranteeList(
+      encrypted,
+      publisherPrivKey,
+    )
+
+    expect(decrypted.length).toBe(3)
+    for (let i = 0; i < 3; i++) {
+      expect(decrypted[i].x).toEqual(grantees[i].x)
+      expect(decrypted[i].y).toEqual(grantees[i].y)
+    }
+  })
+})
+
+describe("List operations", () => {
+  it("addToGranteeList should add new grantees to existing list", () => {
+    const publisherPrivKey = randomBytes(32)
+    const existingGrantees = createTestPublicKeys(2, 1)
+    const newGrantees = createTestPublicKeys(2, 100)
+
+    const existingEncrypted = serializeAndEncryptGranteeList(
+      existingGrantees,
+      publisherPrivKey,
+    )
+
+    const updatedEncrypted = addToGranteeList(
+      existingEncrypted,
+      newGrantees,
+      publisherPrivKey,
+    )
+
+    const result = decryptAndDeserializeGranteeList(
+      updatedEncrypted,
+      publisherPrivKey,
+    )
+
+    expect(result.length).toBe(4)
+
+    // Check existing grantees are present
+    for (const grantee of existingGrantees) {
+      expect(result.some((g) => g.x.every((v, i) => v === grantee.x[i]))).toBe(
+        true,
+      )
+    }
+
+    // Check new grantees are present
+    for (const grantee of newGrantees) {
+      expect(result.some((g) => g.x.every((v, i) => v === grantee.x[i]))).toBe(
+        true,
+      )
+    }
+  })
+
+  it("addToGranteeList should handle empty existing list", () => {
+    const publisherPrivKey = randomBytes(32)
+    const newGrantees = createTestPublicKeys(2)
+
+    const emptyEncrypted = serializeAndEncryptGranteeList([], publisherPrivKey)
+
+    const updatedEncrypted = addToGranteeList(
+      emptyEncrypted,
+      newGrantees,
+      publisherPrivKey,
+    )
+
+    const result = decryptAndDeserializeGranteeList(
+      updatedEncrypted,
+      publisherPrivKey,
+    )
+
+    expect(result.length).toBe(2)
+  })
+
+  it("removeFromGranteeList should remove specified grantees", () => {
+    const publisherPrivKey = randomBytes(32)
+    const grantees = createTestPublicKeys(4, 1)
+    const toRemove = [grantees[1], grantees[3]] // Remove 2nd and 4th
+
+    const encrypted = serializeAndEncryptGranteeList(grantees, publisherPrivKey)
+
+    const updatedEncrypted = removeFromGranteeList(
+      encrypted,
+      toRemove,
+      publisherPrivKey,
+    )
+
+    const result = decryptAndDeserializeGranteeList(
+      updatedEncrypted,
+      publisherPrivKey,
+    )
+
+    expect(result.length).toBe(2)
+
+    // Check removed grantees are not present
+    for (const removed of toRemove) {
+      expect(result.some((g) => g.x.every((v, i) => v === removed.x[i]))).toBe(
+        false,
+      )
+    }
+
+    // Check remaining grantees are present
+    expect(
+      result.some((g) => g.x.every((v, i) => v === grantees[0].x[i])),
+    ).toBe(true)
+    expect(
+      result.some((g) => g.x.every((v, i) => v === grantees[2].x[i])),
+    ).toBe(true)
+  })
+
+  it("removeFromGranteeList should handle removing non-existent grantees", () => {
+    const publisherPrivKey = randomBytes(32)
+    const grantees = createTestPublicKeys(2, 1)
+    const nonExistent = createTestPublicKeys(1, 100)
+
+    const encrypted = serializeAndEncryptGranteeList(grantees, publisherPrivKey)
+
+    const updatedEncrypted = removeFromGranteeList(
+      encrypted,
+      nonExistent,
+      publisherPrivKey,
+    )
+
+    const result = decryptAndDeserializeGranteeList(
+      updatedEncrypted,
+      publisherPrivKey,
+    )
+
+    // List should be unchanged
+    expect(result.length).toBe(2)
+  })
+
+  it("removeFromGranteeList should handle removing all grantees", () => {
+    const publisherPrivKey = randomBytes(32)
+    const grantees = createTestPublicKeys(2, 1)
+
+    const encrypted = serializeAndEncryptGranteeList(grantees, publisherPrivKey)
+
+    const updatedEncrypted = removeFromGranteeList(
+      encrypted,
+      grantees,
+      publisherPrivKey,
+    )
+
+    const result = decryptAndDeserializeGranteeList(
+      updatedEncrypted,
+      publisherPrivKey,
+    )
+
+    expect(result.length).toBe(0)
+  })
+})
+
+describe("Roundtrip tests", () => {
+  it("should preserve all data through serialize/encrypt/decrypt/deserialize cycle", () => {
+    const publisherPrivKey = randomBytes(32)
+    const grantees = createTestPublicKeys(5, 1)
+
+    const encrypted = serializeAndEncryptGranteeList(grantees, publisherPrivKey)
+    const result = decryptAndDeserializeGranteeList(encrypted, publisherPrivKey)
+
+    expect(result.length).toBe(5)
+
+    for (let i = 0; i < 5; i++) {
+      expect(result[i].x).toEqual(grantees[i].x)
+      expect(result[i].y).toEqual(grantees[i].y)
+    }
+  })
+
+  it("should handle large number of grantees", () => {
+    const publisherPrivKey = randomBytes(32)
+    const grantees = createTestPublicKeys(100, 1)
+
+    const encrypted = serializeAndEncryptGranteeList(grantees, publisherPrivKey)
+    const result = decryptAndDeserializeGranteeList(encrypted, publisherPrivKey)
+
+    expect(result.length).toBe(100)
+  })
+
+  it("different publishers cannot decrypt each other's grantee lists", () => {
+    const publisherPrivKey1 = randomBytes(32)
+    const publisherPrivKey2 = randomBytes(32)
+    const grantees = createTestPublicKeys(2)
+
+    const encrypted = serializeAndEncryptGranteeList(
+      grantees,
+      publisherPrivKey1,
+    )
+
+    // Attempting to decrypt with wrong key will produce garbage
+    // The decrypted data may not be a valid grantee list format
+    const wrongDecrypted = decryptGranteeList(encrypted, publisherPrivKey2)
+
+    // The data will be different from original serialized
+    const correctSerialized = serializeGranteeList(grantees)
+    expect(wrongDecrypted).not.toEqual(correctSerialized)
+  })
+})

package/src/proxy/act/grantee-list.ts

@@ -0,0 +1,239 @@
+import { Binary } from "cafe-utility"
+import { counterModeEncrypt, counterModeDecrypt } from "./crypto"
+
+// Grantee list format constants
+const UNCOMPRESSED_PUBLIC_KEY_SIZE = 65 // 0x04 prefix + 32 byte X + 32 byte Y
+const UNCOMPRESSED_PREFIX = 0x04
+const PUBLIC_KEY_COORD_SIZE = 32
+
+// Grantee list encryption key derivation suffix
+const GRANTEE_LIST_KEY_SUFFIX = new TextEncoder().encode("act-grantee-list")
+
+/**
+ * Public key in uncompressed format
+ */
+export interface UncompressedPublicKey {
+  x: Uint8Array // 32 bytes
+  y: Uint8Array // 32 bytes
+}
+
+/**
+ * Derive the encryption key for the grantee list
+ *
+ * This is different from the legacy format key derivation.
+ * The grantee list is encrypted with a key derived from the publisher's private key.
+ */
+export function deriveGranteeListEncryptionKey(
+  publisherPrivKey: Uint8Array,
+): Uint8Array {
+  const input = Binary.concatBytes(publisherPrivKey, GRANTEE_LIST_KEY_SUFFIX)
+  return Binary.keccak256(input)
+}
+
+/**
+ * Serialize grantee list to Bee-compatible format
+ *
+ * Bee stores grantees as concatenated 65-byte uncompressed secp256k1 public keys.
+ * Format: [0x04 || X (32 bytes) || Y (32 bytes)] for each key
+ *
+ * @param grantees - Array of public keys with x and y coordinates
+ * @returns Serialized grantee list
+ */
+export function serializeGranteeList(
+  grantees: UncompressedPublicKey[],
+): Uint8Array {
+  const result = new Uint8Array(grantees.length * UNCOMPRESSED_PUBLIC_KEY_SIZE)
+
+  for (let i = 0; i < grantees.length; i++) {
+    const offset = i * UNCOMPRESSED_PUBLIC_KEY_SIZE
+
+    // 0x04 prefix for uncompressed point
+    result[offset] = UNCOMPRESSED_PREFIX
+
+    // X coordinate (32 bytes)
+    result.set(grantees[i].x, offset + 1)
+
+    // Y coordinate (32 bytes)
+    result.set(grantees[i].y, offset + 1 + PUBLIC_KEY_COORD_SIZE)
+  }
+
+  return result
+}
+
+/**
+ * Deserialize grantee list from Bee-compatible format
+ *
+ * @param data - Serialized grantee list (concatenated 65-byte uncompressed keys)
+ * @returns Array of public keys with x and y coordinates
+ */
+export function deserializeGranteeList(
+  data: Uint8Array,
+): UncompressedPublicKey[] {
+  if (data.length === 0) {
+    return []
+  }
+
+  if (data.length % UNCOMPRESSED_PUBLIC_KEY_SIZE !== 0) {
+    throw new Error(
+      `Invalid grantee list length: ${data.length} is not a multiple of ${UNCOMPRESSED_PUBLIC_KEY_SIZE}`,
+    )
+  }
+
+  const granteeCount = data.length / UNCOMPRESSED_PUBLIC_KEY_SIZE
+  const grantees: UncompressedPublicKey[] = []
+
+  for (let i = 0; i < granteeCount; i++) {
+    const offset = i * UNCOMPRESSED_PUBLIC_KEY_SIZE
+
+    // Verify 0x04 prefix
+    if (data[offset] !== UNCOMPRESSED_PREFIX) {
+      throw new Error(
+        `Invalid public key prefix at index ${i}: expected 0x04, got 0x${data[offset].toString(16)}`,
+      )
+    }
+
+    // Extract X coordinate
+    const x = data.slice(offset + 1, offset + 1 + PUBLIC_KEY_COORD_SIZE)
+
+    // Extract Y coordinate
+    const y = data.slice(
+      offset + 1 + PUBLIC_KEY_COORD_SIZE,
+      offset + UNCOMPRESSED_PUBLIC_KEY_SIZE,
+    )
+
+    grantees.push({ x, y })
+  }
+
+  return grantees
+}
+
+/**
+ * Encrypt a serialized grantee list for storage
+ *
+ * @param granteeList - Serialized grantee list
+ * @param publisherPrivKey - Publisher's private key for key derivation
+ * @returns Encrypted grantee list
+ */
+export function encryptGranteeList(
+  granteeList: Uint8Array,
+  publisherPrivKey: Uint8Array,
+): Uint8Array {
+  const encryptionKey = deriveGranteeListEncryptionKey(publisherPrivKey)
+  return counterModeEncrypt(granteeList, encryptionKey)
+}
+
+/**
+ * Decrypt an encrypted grantee list
+ *
+ * @param encryptedList - Encrypted grantee list
+ * @param publisherPrivKey - Publisher's private key for key derivation
+ * @returns Decrypted serialized grantee list
+ */
+export function decryptGranteeList(
+  encryptedList: Uint8Array,
+  publisherPrivKey: Uint8Array,
+): Uint8Array {
+  const encryptionKey = deriveGranteeListEncryptionKey(publisherPrivKey)
+  return counterModeDecrypt(encryptedList, encryptionKey)
+}
+
+/**
+ * Serialize and encrypt grantee list in one step
+ *
+ * @param grantees - Array of public keys
+ * @param publisherPrivKey - Publisher's private key
+ * @returns Encrypted serialized grantee list ready for upload
+ */
+export function serializeAndEncryptGranteeList(
+  grantees: UncompressedPublicKey[],
+  publisherPrivKey: Uint8Array,
+): Uint8Array {
+  const serialized = serializeGranteeList(grantees)
+  return encryptGranteeList(serialized, publisherPrivKey)
+}
+
+/**
+ * Decrypt and deserialize grantee list in one step
+ *
+ * @param encryptedList - Encrypted serialized grantee list
+ * @param publisherPrivKey - Publisher's private key
+ * @returns Array of public keys
+ */
+export function decryptAndDeserializeGranteeList(
+  encryptedList: Uint8Array,
+  publisherPrivKey: Uint8Array,
+): UncompressedPublicKey[] {
+  const decrypted = decryptGranteeList(encryptedList, publisherPrivKey)
+  return deserializeGranteeList(decrypted)
+}
+
+/**
+ * Add grantees to an existing encrypted grantee list
+ *
+ * @param encryptedList - Existing encrypted grantee list
+ * @param newGrantees - New grantees to add
+ * @param publisherPrivKey - Publisher's private key
+ * @returns New encrypted grantee list with added grantees
+ */
+export function addToGranteeList(
+  encryptedList: Uint8Array,
+  newGrantees: UncompressedPublicKey[],
+  publisherPrivKey: Uint8Array,
+): Uint8Array {
+  // Decrypt existing list
+  const existingGrantees =
+    encryptedList.length > 0
+      ? decryptAndDeserializeGranteeList(encryptedList, publisherPrivKey)
+      : []
+
+  // Add new grantees
+  const updatedGrantees = [...existingGrantees, ...newGrantees]
+
+  // Re-encrypt
+  return serializeAndEncryptGranteeList(updatedGrantees, publisherPrivKey)
+}
+
+/**
+ * Remove grantees from an existing encrypted grantee list
+ *
+ * @param encryptedList - Existing encrypted grantee list
+ * @param revokeGrantees - Grantees to remove
+ * @param publisherPrivKey - Publisher's private key
+ * @returns New encrypted grantee list with removed grantees
+ */
+export function removeFromGranteeList(
+  encryptedList: Uint8Array,
+  revokeGrantees: UncompressedPublicKey[],
+  publisherPrivKey: Uint8Array,
+): Uint8Array {
+  // Decrypt existing list
+  const existingGrantees = decryptAndDeserializeGranteeList(
+    encryptedList,
+    publisherPrivKey,
+  )
+
+  // Filter out revoked grantees
+  const remainingGrantees = existingGrantees.filter((existing) => {
+    return !revokeGrantees.some((revoke) => publicKeysEqual(existing, revoke))
+  })
+
+  // Re-encrypt
+  return serializeAndEncryptGranteeList(remainingGrantees, publisherPrivKey)
+}
+
+/**
+ * Check if two public keys are equal
+ */
+function publicKeysEqual(
+  a: UncompressedPublicKey,
+  b: UncompressedPublicKey,
+): boolean {
+  if (a.x.length !== b.x.length || a.y.length !== b.y.length) return false
+  for (let i = 0; i < a.x.length; i++) {
+    if (a.x[i] !== b.x[i]) return false
+  }
+  for (let i = 0; i < a.y.length; i++) {
+    if (a.y[i] !== b.y[i]) return false
+  }
+  return true
+}