npm - @ternent/seal - Versions diffs - 0.3.10 - Mend

@ternent/seal 0.3.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +258 -0
package/bin/seal +6 -0
package/dist/artifact.js +256 -0
package/dist/artifact.js.map +1 -0
package/dist/chunks/utils.es-ad8f1dc4.js +54 -0
package/dist/chunks/utils.es-ad8f1dc4.js.map +1 -0
package/dist/cli.js +441 -0
package/dist/cli.js.map +1 -0
package/dist/crypto.js +41 -0
package/dist/crypto.js.map +1 -0
package/dist/errors.js +65 -0
package/dist/errors.js.map +1 -0
package/dist/index.js +9 -0
package/dist/index.js.map +1 -0
package/dist/manifest.js +82 -0
package/dist/manifest.js.map +1 -0
package/dist/proof.js +237 -0
package/dist/proof.js.map +1 -0
package/package.json +59 -0

package/dist/manifest.js ADDED Viewed

@@ -0,0 +1,82 @@
+import { c as canonicalStringify } from "./chunks/utils.es-ad8f1dc4.js";
+const SEAL_MANIFEST_VERSION = "1";
+const SEAL_MANIFEST_TYPE = "seal-manifest";
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function hasOnlyKeys(value, allowed) {
+  return Object.keys(value).every((key) => allowed.includes(key));
+}
+function isSealHash(value) {
+  return typeof value === "string" && /^sha256:[0-9a-f]{64}$/.test(value);
+}
+function validateSealManifestShape(value) {
+  if (!isRecord(value)) {
+    return {
+      ok: false,
+      errors: ["Manifest must be a JSON object."],
+      manifest: null
+    };
+  }
+  const errors = [];
+  if (!hasOnlyKeys(value, ["version", "type", "root", "files"])) {
+    errors.push("Manifest contains unsupported fields.");
+  }
+  if (value.version !== SEAL_MANIFEST_VERSION) {
+    errors.push(`Manifest version must be ${SEAL_MANIFEST_VERSION}.`);
+  }
+  if (value.type !== SEAL_MANIFEST_TYPE) {
+    errors.push(`Manifest type must be ${SEAL_MANIFEST_TYPE}.`);
+  }
+  if (typeof value.root !== "string" || value.root.length === 0) {
+    errors.push("Manifest root must be a non-empty string.");
+  }
+  if (!isRecord(value.files)) {
+    errors.push("Manifest files must be an object.");
+  }
+  if (errors.length > 0 || !isRecord(value.files)) {
+    return { ok: false, errors, manifest: null };
+  }
+  const filesEntries = Object.entries(value.files);
+  const files = {};
+  for (const [path, hash] of filesEntries) {
+    if (!path || path.includes("\\")) {
+      errors.push(`Manifest file path is invalid: ${path || "<empty>"}.`);
+      continue;
+    }
+    if (!isSealHash(hash)) {
+      errors.push(`Manifest file hash is invalid for ${path}.`);
+      continue;
+    }
+    files[path] = hash;
+  }
+  if (errors.length > 0) {
+    return { ok: false, errors, manifest: null };
+  }
+  return {
+    ok: true,
+    errors: [],
+    manifest: {
+      version: SEAL_MANIFEST_VERSION,
+      type: SEAL_MANIFEST_TYPE,
+      root: value.root,
+      files
+    }
+  };
+}
+function parseSealManifestJson(raw) {
+  try {
+    return validateSealManifestShape(JSON.parse(raw));
+  } catch {
+    return {
+      ok: false,
+      errors: ["Manifest JSON is not valid JSON."],
+      manifest: null
+    };
+  }
+}
+function stringifySealManifest(manifest) {
+  return canonicalStringify(manifest);
+}
+export { SEAL_MANIFEST_TYPE, SEAL_MANIFEST_VERSION, parseSealManifestJson, stringifySealManifest, validateSealManifestShape };
+//# sourceMappingURL=manifest.js.map

package/dist/manifest.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"manifest.js","sources":["../src/manifest.ts"],"sourcesContent":["import { canonicalStringify } from \"ternent-utils\";\n\nexport const SEAL_MANIFEST_VERSION = \"1\" as const;\nexport const SEAL_MANIFEST_TYPE = \"seal-manifest\" as const;\n\nexport type SealHash = `sha256:${string}`;\n\nexport type SealManifestV1 = {\n version: typeof SEAL_MANIFEST_VERSION;\n type: typeof SEAL_MANIFEST_TYPE;\n root: string;\n files: Record<string, SealHash>;\n};\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return Boolean(value) && typeof value === \"object\" && !Array.isArray(value);\n}\n\nfunction hasOnlyKeys(value: Record<string, unknown>, allowed: string[]): boolean {\n return Object.keys(value).every((key) => allowed.includes(key));\n}\n\nfunction isSealHash(value: unknown): value is SealHash {\n return typeof value === \"string\" && /^sha256:[0-9a-f]{64}$/.test(value);\n}\n\nexport function validateSealManifestShape(value: unknown): {\n ok: boolean;\n errors: string[];\n manifest: SealManifestV1 | null;\n} {\n if (!isRecord(value)) {\n return {\n ok: false,\n errors: [\"Manifest must be a JSON object.\"],\n manifest: null,\n };\n }\n\n const errors: string[] = [];\n\n if (!hasOnlyKeys(value, [\"version\", \"type\", \"root\", \"files\"])) {\n errors.push(\"Manifest contains unsupported fields.\");\n }\n\n if (value.version !== SEAL_MANIFEST_VERSION) {\n errors.push(`Manifest version must be ${SEAL_MANIFEST_VERSION}.`);\n }\n\n if (value.type !== SEAL_MANIFEST_TYPE) {\n errors.push(`Manifest type must be ${SEAL_MANIFEST_TYPE}.`);\n }\n\n if (typeof value.root !== \"string\" || value.root.length === 0) {\n errors.push(\"Manifest root must be a non-empty string.\");\n }\n\n if (!isRecord(value.files)) {\n errors.push(\"Manifest files must be an object.\");\n }\n\n if (errors.length > 0 || !isRecord(value.files)) {\n return { ok: false, errors, manifest: null };\n }\n\n const filesEntries = Object.entries(value.files);\n const files: Record<string, SealHash> = {};\n for (const [path, hash] of filesEntries) {\n if (!path || path.includes(\"\\\\\")) {\n errors.push(`Manifest file path is invalid: ${path || \"<empty>\"}.`);\n continue;\n }\n if (!isSealHash(hash)) {\n errors.push(`Manifest file hash is invalid for ${path}.`);\n continue;\n }\n files[path] = hash;\n }\n\n if (errors.length > 0) {\n return { ok: false, errors, manifest: null };\n }\n\n return {\n ok: true,\n errors: [],\n manifest: {\n version: SEAL_MANIFEST_VERSION,\n type: SEAL_MANIFEST_TYPE,\n root: value.root as string,\n files,\n },\n };\n}\n\nexport function parseSealManifestJson(raw: string): {\n ok: boolean;\n errors: string[];\n manifest: SealManifestV1 | null;\n} {\n try {\n return validateSealManifestShape(JSON.parse(raw));\n } catch {\n return {\n ok: false,\n errors: [\"Manifest JSON is not valid JSON.\"],\n manifest: null,\n };\n }\n}\n\nexport function stringifySealManifest(manifest: SealManifestV1): string {\n return canonicalStringify(manifest);\n}\n"],"names":[],"mappings":";AAEO,MAAM,wBAAwB;AAC9B,MAAM,qBAAqB;AAWlC,SAAS,SAAS,OAAkD;AAC3D,SAAA,QAAQ,KAAK,KAAK,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,YAAY,OAAgC,SAA4B;AACxE,SAAA,OAAO,KAAK,KAAK,EAAE,MAAM,CAAC,QAAQ,QAAQ,SAAS,GAAG,CAAC;AAChE;AAEA,SAAS,WAAW,OAAmC;AACrD,SAAO,OAAO,UAAU,YAAY,wBAAwB,KAAK,KAAK;AACxE;AAEO,SAAS,0BAA0B,OAIxC;AACI,MAAA,CAAC,SAAS,KAAK,GAAG;AACb,WAAA;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,CAAC,iCAAiC;AAAA,MAC1C,UAAU;AAAA,IAAA;AAAA,EAEd;AAEA,QAAM,SAAmB,CAAA;AAErB,MAAA,CAAC,YAAY,OAAO,CAAC,WAAW,QAAQ,QAAQ,OAAO,CAAC,GAAG;AAC7D,WAAO,KAAK,uCAAuC;AAAA,EACrD;AAEI,MAAA,MAAM,YAAY,uBAAuB;AACpC,WAAA,KAAK,4BAA4B,wBAAwB;AAAA,EAClE;AAEI,MAAA,MAAM,SAAS,oBAAoB;AAC9B,WAAA,KAAK,yBAAyB,qBAAqB;AAAA,EAC5D;AAEA,MAAI,OAAO,MAAM,SAAS,YAAY,MAAM,KAAK,WAAW,GAAG;AAC7D,WAAO,KAAK,2CAA2C;AAAA,EACzD;AAEA,MAAI,CAAC,SAAS,MAAM,KAAK,GAAG;AAC1B,WAAO,KAAK,mCAAmC;AAAA,EACjD;AAEA,MAAI,OAAO,SAAS,KAAK,CAAC,SAAS,MAAM,KAAK,GAAG;AAC/C,WAAO,EAAE,IAAI,OAAO,QAAQ,UAAU,KAAK;AAAA,EAC7C;AAEA,QAAM,eAAe,OAAO,QAAQ,MAAM,KAAK;AAC/C,QAAM,QAAkC,CAAA;AACxC,aAAW,CAAC,MAAM,IAAI,KAAK,cAAc;AACvC,QAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,GAAG;AACzB,aAAA,KAAK,kCAAkC,QAAQ,YAAY;AAClE;AAAA,IACF;AACI,QAAA,CAAC,WAAW,IAAI,GAAG;AACd,aAAA,KAAK,qCAAqC,OAAO;AACxD;AAAA,IACF;AACA,UAAM,QAAQ;AAAA,EAChB;AAEI,MAAA,OAAO,SAAS,GAAG;AACrB,WAAO,EAAE,IAAI,OAAO,QAAQ,UAAU,KAAK;AAAA,EAC7C;AAEO,SAAA;AAAA,IACL,IAAI;AAAA,IACJ,QAAQ,CAAC;AAAA,IACT,UAAU;AAAA,MACR,SAAS;AAAA,MACT,MAAM;AAAA,MACN,MAAM,MAAM;AAAA,MACZ;AAAA,IACF;AAAA,EAAA;AAEJ;AAEO,SAAS,sBAAsB,KAIpC;AACI,MAAA;AACF,WAAO,0BAA0B,KAAK,MAAM,GAAG,CAAC;AAAA,EAAA,QAChD;AACO,WAAA;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,CAAC,kCAAkC;AAAA,MAC3C,UAAU;AAAA,IAAA;AAAA,EAEd;AACF;AAEO,SAAS,sBAAsB,UAAkC;AACtE,SAAO,mBAAmB,QAAQ;AACpC;;"}

package/dist/proof.js ADDED Viewed

@@ -0,0 +1,237 @@
+import { c as canonicalStringify, h as hashBytes } from "./chunks/utils.es-ad8f1dc4.js";
+import { resolveSealSigner, signSealUtf8, verifyPublicKeyKeyId, verifySealUtf8 } from "./crypto.js";
+import "@ternent/identity";
+const SEAL_PROOF_VERSION = "2";
+const SEAL_PROOF_TYPE = "seal-proof";
+const SEAL_PUBLIC_KEY_TYPE = "seal-public-key";
+const SEAL_SIGNATURE_ALGORITHM = "Ed25519";
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function hasOnlyKeys(value, allowed) {
+  return Object.keys(value).every((key) => allowed.includes(key));
+}
+function isSealHash(value) {
+  return typeof value === "string" && /^sha256:[0-9a-f]{64}$/.test(value);
+}
+function isIsoDate(value) {
+  return !Number.isNaN(Date.parse(value));
+}
+function getSealProofSignableFields(proof) {
+  return {
+    version: proof.version,
+    type: proof.type,
+    algorithm: proof.algorithm,
+    createdAt: proof.createdAt,
+    subject: proof.subject,
+    signer: proof.signer
+  };
+}
+function getSealProofSigningPayload(proof) {
+  return canonicalStringify(getSealProofSignableFields(proof));
+}
+async function createSealHash(bytes) {
+  const hash = await hashBytes(bytes);
+  return `sha256:${hash}`;
+}
+async function createSealProof(input) {
+  const signer = await resolveSealSigner(input.signer);
+  const fields = {
+    version: SEAL_PROOF_VERSION,
+    type: SEAL_PROOF_TYPE,
+    algorithm: SEAL_SIGNATURE_ALGORITHM,
+    createdAt: input.createdAt ?? new Date().toISOString(),
+    subject: input.subject,
+    signer: {
+      publicKey: signer.publicKey,
+      keyId: signer.keyId
+    }
+  };
+  const signature = await signSealUtf8(signer.identity, getSealProofSigningPayload(fields));
+  return {
+    ...fields,
+    signature
+  };
+}
+async function createSealPublicKeyArtifact(signer) {
+  const resolved = await resolveSealSigner(signer);
+  return {
+    version: SEAL_PROOF_VERSION,
+    type: SEAL_PUBLIC_KEY_TYPE,
+    algorithm: SEAL_SIGNATURE_ALGORITHM,
+    publicKey: resolved.publicKey,
+    keyId: resolved.keyId
+  };
+}
+function validateSealProofShape(value) {
+  if (!isRecord(value)) {
+    return { ok: false, errors: ["Proof must be a JSON object."], proof: null };
+  }
+  const errors = [];
+  if (!hasOnlyKeys(value, [
+    "version",
+    "type",
+    "algorithm",
+    "createdAt",
+    "subject",
+    "signer",
+    "signature"
+  ])) {
+    errors.push("Proof contains unsupported fields.");
+  }
+  if (value.version !== SEAL_PROOF_VERSION) {
+    errors.push(`Proof version must be ${SEAL_PROOF_VERSION}.`);
+  }
+  if (value.type !== SEAL_PROOF_TYPE) {
+    errors.push(`Proof type must be ${SEAL_PROOF_TYPE}.`);
+  }
+  if (value.algorithm !== SEAL_SIGNATURE_ALGORITHM) {
+    errors.push(`Proof algorithm must be ${SEAL_SIGNATURE_ALGORITHM}.`);
+  }
+  if (typeof value.createdAt !== "string" || !isIsoDate(value.createdAt)) {
+    errors.push("Proof createdAt must be an ISO timestamp.");
+  }
+  if (typeof value.signature !== "string" || value.signature.length === 0) {
+    errors.push("Proof signature must be a non-empty base64url string.");
+  }
+  if (!isRecord(value.subject)) {
+    errors.push("Proof subject must be an object.");
+  }
+  if (!isRecord(value.signer)) {
+    errors.push("Proof signer must be an object.");
+  }
+  if (errors.length > 0 || !isRecord(value.subject) || !isRecord(value.signer)) {
+    return { ok: false, errors, proof: null };
+  }
+  if (!hasOnlyKeys(value.subject, ["kind", "path", "hash"])) {
+    errors.push("Proof subject contains unsupported fields.");
+  }
+  if (!hasOnlyKeys(value.signer, ["publicKey", "keyId"])) {
+    errors.push("Proof signer contains unsupported fields.");
+  }
+  if (value.subject.kind !== "file" && value.subject.kind !== "manifest" && value.subject.kind !== "artifact") {
+    errors.push("Proof subject kind must be file, manifest, or artifact.");
+  }
+  if (typeof value.subject.path !== "string" || value.subject.path.length === 0) {
+    errors.push("Proof subject path must be a non-empty string.");
+  }
+  if (!isSealHash(value.subject.hash)) {
+    errors.push("Proof subject hash must be a sha256 hash.");
+  }
+  if (typeof value.signer.publicKey !== "string" || value.signer.publicKey.length === 0) {
+    errors.push("Proof signer publicKey must be a non-empty base64url string.");
+  }
+  if (typeof value.signer.keyId !== "string" || value.signer.keyId.length === 0) {
+    errors.push("Proof signer keyId must be a non-empty string.");
+  }
+  if (errors.length > 0) {
+    return { ok: false, errors, proof: null };
+  }
+  return {
+    ok: true,
+    errors: [],
+    proof: value
+  };
+}
+function parseSealProofJson(raw) {
+  try {
+    return validateSealProofShape(JSON.parse(raw));
+  } catch {
+    return {
+      ok: false,
+      errors: ["Proof JSON is not valid JSON."],
+      proof: null
+    };
+  }
+}
+function validateSealPublicKeyShape(value) {
+  if (!isRecord(value)) {
+    return {
+      ok: false,
+      errors: ["Public key artifact must be a JSON object."],
+      artifact: null
+    };
+  }
+  const errors = [];
+  if (!hasOnlyKeys(value, ["version", "type", "algorithm", "publicKey", "keyId"])) {
+    errors.push("Public key artifact contains unsupported fields.");
+  }
+  if (value.version !== SEAL_PROOF_VERSION) {
+    errors.push(`Public key artifact version must be ${SEAL_PROOF_VERSION}.`);
+  }
+  if (value.type !== SEAL_PUBLIC_KEY_TYPE) {
+    errors.push(`Public key artifact type must be ${SEAL_PUBLIC_KEY_TYPE}.`);
+  }
+  if (value.algorithm !== SEAL_SIGNATURE_ALGORITHM) {
+    errors.push(`Public key artifact algorithm must be ${SEAL_SIGNATURE_ALGORITHM}.`);
+  }
+  if (typeof value.publicKey !== "string" || value.publicKey.length === 0) {
+    errors.push("Public key artifact publicKey must be a non-empty base64url string.");
+  }
+  if (typeof value.keyId !== "string" || value.keyId.length === 0) {
+    errors.push("Public key artifact keyId must be a non-empty string.");
+  }
+  if (errors.length > 0) {
+    return { ok: false, errors, artifact: null };
+  }
+  return {
+    ok: true,
+    errors: [],
+    artifact: value
+  };
+}
+function parseSealPublicKeyJson(raw) {
+  try {
+    return validateSealPublicKeyShape(JSON.parse(raw));
+  } catch {
+    return {
+      ok: false,
+      errors: ["Public key JSON is not valid JSON."],
+      artifact: null
+    };
+  }
+}
+async function verifySealProofSignature(proof) {
+  const validation = validateSealProofShape(proof);
+  if (!validation.ok || !validation.proof) {
+    return { ok: false, errors: validation.errors };
+  }
+  if (!await verifyPublicKeyKeyId(proof.signer.publicKey, proof.signer.keyId)) {
+    return {
+      ok: false,
+      errors: ["Proof signer keyId does not match signer public key."]
+    };
+  }
+  try {
+    const valid = await verifySealUtf8(
+      proof.signature,
+      getSealProofSigningPayload(proof),
+      proof.signer.publicKey
+    );
+    if (!valid) {
+      return { ok: false, errors: ["Invalid signature."] };
+    }
+    return { ok: true, errors: [] };
+  } catch (caught) {
+    return {
+      ok: false,
+      errors: ["Invalid signature."]
+    };
+  }
+}
+async function verifySealProofAgainstBytes(proof, bytes) {
+  const subjectHash = await createSealHash(bytes);
+  const signatureCheck = await verifySealProofSignature(proof);
+  const hashMatch = subjectHash === proof.subject.hash;
+  const signatureValid = signatureCheck.ok;
+  return {
+    valid: hashMatch && signatureValid,
+    hashMatch,
+    signatureValid,
+    keyId: proof.signer.keyId,
+    algorithm: proof.algorithm,
+    subjectHash
+  };
+}
+export { SEAL_PROOF_TYPE, SEAL_PROOF_VERSION, SEAL_PUBLIC_KEY_TYPE, SEAL_SIGNATURE_ALGORITHM, createSealHash, createSealProof, createSealPublicKeyArtifact, getSealProofSignableFields, getSealProofSigningPayload, parseSealProofJson, parseSealPublicKeyJson, validateSealProofShape, validateSealPublicKeyShape, verifySealProofAgainstBytes, verifySealProofSignature };
+//# sourceMappingURL=proof.js.map

package/dist/proof.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"proof.js","sources":["../src/proof.ts"],"sourcesContent":["import { canonicalStringify, hashBytes } from \"ternent-utils\";\nimport {\n resolveSealSigner,\n signSealUtf8,\n verifyPublicKeyKeyId,\n verifySealUtf8,\n type SealSignerInput,\n} from \"./crypto\";\n\nexport const SEAL_PROOF_VERSION = \"2\" as const;\nexport const SEAL_PROOF_TYPE = \"seal-proof\" as const;\nexport const SEAL_PUBLIC_KEY_TYPE = \"seal-public-key\" as const;\nexport const SEAL_SIGNATURE_ALGORITHM = \"Ed25519\" as const;\n\nexport type SealSubjectKind = \"file\" | \"manifest\" | \"artifact\";\n\nexport type SealProofV1 = {\n version: typeof SEAL_PROOF_VERSION;\n type: typeof SEAL_PROOF_TYPE;\n algorithm: typeof SEAL_SIGNATURE_ALGORITHM;\n createdAt: string;\n subject: {\n kind: SealSubjectKind;\n path: string;\n hash: `sha256:${string}`;\n };\n signer: {\n publicKey: string;\n keyId: string;\n };\n signature: string;\n};\n\nexport type SealPublicKeyArtifact = {\n version: typeof SEAL_PROOF_VERSION;\n type: typeof SEAL_PUBLIC_KEY_TYPE;\n algorithm: typeof SEAL_SIGNATURE_ALGORITHM;\n publicKey: string;\n keyId: string;\n};\n\ntype SealProofSignableFields = Omit<SealProofV1, \"signature\">;\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return Boolean(value) && typeof value === \"object\" && !Array.isArray(value);\n}\n\nfunction hasOnlyKeys(value: Record<string, unknown>, allowed: string[]): boolean {\n return Object.keys(value).every((key) => allowed.includes(key));\n}\n\nfunction isSealHash(value: unknown): value is `sha256:${string}` {\n return typeof value === \"string\" && /^sha256:[0-9a-f]{64}$/.test(value);\n}\n\nfunction isIsoDate(value: string): boolean {\n return !Number.isNaN(Date.parse(value));\n}\n\nexport function getSealProofSignableFields(\n proof: SealProofV1 | SealProofSignableFields,\n): SealProofSignableFields {\n return {\n version: proof.version,\n type: proof.type,\n algorithm: proof.algorithm,\n createdAt: proof.createdAt,\n subject: proof.subject,\n signer: proof.signer,\n };\n}\n\nexport function getSealProofSigningPayload(proof: SealProofV1 | SealProofSignableFields): string {\n return canonicalStringify(getSealProofSignableFields(proof));\n}\n\nexport async function createSealHash(bytes: Uint8Array | ArrayBuffer): Promise<`sha256:${string}`> {\n const hash = await hashBytes(bytes);\n return `sha256:${hash}`;\n}\n\nexport async function createSealProof(input: {\n createdAt?: string;\n signer: SealSignerInput;\n subject: SealProofV1[\"subject\"];\n}): Promise<SealProofV1> {\n const signer = await resolveSealSigner(input.signer);\n const fields: SealProofSignableFields = {\n version: SEAL_PROOF_VERSION,\n type: SEAL_PROOF_TYPE,\n algorithm: SEAL_SIGNATURE_ALGORITHM,\n createdAt: input.createdAt ?? new Date().toISOString(),\n subject: input.subject,\n signer: {\n publicKey: signer.publicKey,\n keyId: signer.keyId,\n },\n };\n\n const signature = await signSealUtf8(signer.identity, getSealProofSigningPayload(fields));\n\n return {\n ...fields,\n signature,\n };\n}\n\nexport async function createSealPublicKeyArtifact(\n signer: SealSignerInput,\n): Promise<SealPublicKeyArtifact> {\n const resolved = await resolveSealSigner(signer);\n return {\n version: SEAL_PROOF_VERSION,\n type: SEAL_PUBLIC_KEY_TYPE,\n algorithm: SEAL_SIGNATURE_ALGORITHM,\n publicKey: resolved.publicKey,\n keyId: resolved.keyId,\n };\n}\n\nexport function validateSealProofShape(value: unknown): {\n ok: boolean;\n errors: string[];\n proof: SealProofV1 | null;\n} {\n if (!isRecord(value)) {\n return { ok: false, errors: [\"Proof must be a JSON object.\"], proof: null };\n }\n\n const errors: string[] = [];\n\n if (\n !hasOnlyKeys(value, [\n \"version\",\n \"type\",\n \"algorithm\",\n \"createdAt\",\n \"subject\",\n \"signer\",\n \"signature\",\n ])\n ) {\n errors.push(\"Proof contains unsupported fields.\");\n }\n\n if (value.version !== SEAL_PROOF_VERSION) {\n errors.push(`Proof version must be ${SEAL_PROOF_VERSION}.`);\n }\n if (value.type !== SEAL_PROOF_TYPE) {\n errors.push(`Proof type must be ${SEAL_PROOF_TYPE}.`);\n }\n if (value.algorithm !== SEAL_SIGNATURE_ALGORITHM) {\n errors.push(`Proof algorithm must be ${SEAL_SIGNATURE_ALGORITHM}.`);\n }\n if (typeof value.createdAt !== \"string\" || !isIsoDate(value.createdAt)) {\n errors.push(\"Proof createdAt must be an ISO timestamp.\");\n }\n if (typeof value.signature !== \"string\" || value.signature.length === 0) {\n errors.push(\"Proof signature must be a non-empty base64url string.\");\n }\n if (!isRecord(value.subject)) {\n errors.push(\"Proof subject must be an object.\");\n }\n if (!isRecord(value.signer)) {\n errors.push(\"Proof signer must be an object.\");\n }\n\n if (errors.length > 0 || !isRecord(value.subject) || !isRecord(value.signer)) {\n return { ok: false, errors, proof: null };\n }\n\n if (!hasOnlyKeys(value.subject, [\"kind\", \"path\", \"hash\"])) {\n errors.push(\"Proof subject contains unsupported fields.\");\n }\n if (!hasOnlyKeys(value.signer, [\"publicKey\", \"keyId\"])) {\n errors.push(\"Proof signer contains unsupported fields.\");\n }\n if (\n value.subject.kind !== \"file\" &&\n value.subject.kind !== \"manifest\" &&\n value.subject.kind !== \"artifact\"\n ) {\n errors.push(\"Proof subject kind must be file, manifest, or artifact.\");\n }\n if (typeof value.subject.path !== \"string\" || value.subject.path.length === 0) {\n errors.push(\"Proof subject path must be a non-empty string.\");\n }\n if (!isSealHash(value.subject.hash)) {\n errors.push(\"Proof subject hash must be a sha256 hash.\");\n }\n if (typeof value.signer.publicKey !== \"string\" || value.signer.publicKey.length === 0) {\n errors.push(\"Proof signer publicKey must be a non-empty base64url string.\");\n }\n if (typeof value.signer.keyId !== \"string\" || value.signer.keyId.length === 0) {\n errors.push(\"Proof signer keyId must be a non-empty string.\");\n }\n\n if (errors.length > 0) {\n return { ok: false, errors, proof: null };\n }\n\n return {\n ok: true,\n errors: [],\n proof: value as SealProofV1,\n };\n}\n\nexport function parseSealProofJson(raw: string): {\n ok: boolean;\n errors: string[];\n proof: SealProofV1 | null;\n} {\n try {\n return validateSealProofShape(JSON.parse(raw));\n } catch {\n return {\n ok: false,\n errors: [\"Proof JSON is not valid JSON.\"],\n proof: null,\n };\n }\n}\n\nexport function validateSealPublicKeyShape(value: unknown): {\n ok: boolean;\n errors: string[];\n artifact: SealPublicKeyArtifact | null;\n} {\n if (!isRecord(value)) {\n return {\n ok: false,\n errors: [\"Public key artifact must be a JSON object.\"],\n artifact: null,\n };\n }\n\n const errors: string[] = [];\n\n if (!hasOnlyKeys(value, [\"version\", \"type\", \"algorithm\", \"publicKey\", \"keyId\"])) {\n errors.push(\"Public key artifact contains unsupported fields.\");\n }\n if (value.version !== SEAL_PROOF_VERSION) {\n errors.push(`Public key artifact version must be ${SEAL_PROOF_VERSION}.`);\n }\n if (value.type !== SEAL_PUBLIC_KEY_TYPE) {\n errors.push(`Public key artifact type must be ${SEAL_PUBLIC_KEY_TYPE}.`);\n }\n if (value.algorithm !== SEAL_SIGNATURE_ALGORITHM) {\n errors.push(`Public key artifact algorithm must be ${SEAL_SIGNATURE_ALGORITHM}.`);\n }\n if (typeof value.publicKey !== \"string\" || value.publicKey.length === 0) {\n errors.push(\"Public key artifact publicKey must be a non-empty base64url string.\");\n }\n if (typeof value.keyId !== \"string\" || value.keyId.length === 0) {\n errors.push(\"Public key artifact keyId must be a non-empty string.\");\n }\n\n if (errors.length > 0) {\n return { ok: false, errors, artifact: null };\n }\n\n return {\n ok: true,\n errors: [],\n artifact: value as SealPublicKeyArtifact,\n };\n}\n\nexport function parseSealPublicKeyJson(raw: string): {\n ok: boolean;\n errors: string[];\n artifact: SealPublicKeyArtifact | null;\n} {\n try {\n return validateSealPublicKeyShape(JSON.parse(raw));\n } catch {\n return {\n ok: false,\n errors: [\"Public key JSON is not valid JSON.\"],\n artifact: null,\n };\n }\n}\n\nexport async function verifySealProofSignature(proof: SealProofV1): Promise<{\n ok: boolean;\n errors: string[];\n}> {\n const validation = validateSealProofShape(proof);\n if (!validation.ok || !validation.proof) {\n return { ok: false, errors: validation.errors };\n }\n\n if (!(await verifyPublicKeyKeyId(proof.signer.publicKey, proof.signer.keyId))) {\n return {\n ok: false,\n errors: [\"Proof signer keyId does not match signer public key.\"],\n };\n }\n\n try {\n const valid = await verifySealUtf8(\n proof.signature,\n getSealProofSigningPayload(proof),\n proof.signer.publicKey,\n );\n if (!valid) {\n return { ok: false, errors: [\"Invalid signature.\"] };\n }\n return { ok: true, errors: [] };\n } catch (caught) {\n return {\n ok: false,\n errors: [\"Invalid signature.\"],\n };\n }\n}\n\nexport async function verifySealProofAgainstBytes(\n proof: SealProofV1,\n bytes: Uint8Array | ArrayBuffer,\n): Promise<{\n valid: boolean;\n hashMatch: boolean;\n signatureValid: boolean;\n keyId: string;\n algorithm: typeof SEAL_SIGNATURE_ALGORITHM;\n subjectHash: `sha256:${string}`;\n}> {\n const subjectHash = await createSealHash(bytes);\n const signatureCheck = await verifySealProofSignature(proof);\n const hashMatch = subjectHash === proof.subject.hash;\n const signatureValid = signatureCheck.ok;\n\n return {\n valid: hashMatch && signatureValid,\n hashMatch,\n signatureValid,\n keyId: proof.signer.keyId,\n algorithm: proof.algorithm,\n subjectHash,\n };\n}\n"],"names":[],"mappings":";;;AASO,MAAM,qBAAqB;AAC3B,MAAM,kBAAkB;AACxB,MAAM,uBAAuB;AAC7B,MAAM,2BAA2B;AA+BxC,SAAS,SAAS,OAAkD;AAC3D,SAAA,QAAQ,KAAK,KAAK,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,YAAY,OAAgC,SAA4B;AACxE,SAAA,OAAO,KAAK,KAAK,EAAE,MAAM,CAAC,QAAQ,QAAQ,SAAS,GAAG,CAAC;AAChE;AAEA,SAAS,WAAW,OAA6C;AAC/D,SAAO,OAAO,UAAU,YAAY,wBAAwB,KAAK,KAAK;AACxE;AAEA,SAAS,UAAU,OAAwB;AACzC,SAAO,CAAC,OAAO,MAAM,KAAK,MAAM,KAAK,CAAC;AACxC;AAEO,SAAS,2BACd,OACyB;AAClB,SAAA;AAAA,IACL,SAAS,MAAM;AAAA,IACf,MAAM,MAAM;AAAA,IACZ,WAAW,MAAM;AAAA,IACjB,WAAW,MAAM;AAAA,IACjB,SAAS,MAAM;AAAA,IACf,QAAQ,MAAM;AAAA,EAAA;AAElB;AAEO,SAAS,2BAA2B,OAAsD;AACxF,SAAA,mBAAmB,2BAA2B,KAAK,CAAC;AAC7D;AAEA,eAAsB,eAAe,OAA8D;AAC3F,QAAA,OAAO,MAAM,UAAU,KAAK;AAClC,SAAO,UAAU;AACnB;AAEA,eAAsB,gBAAgB,OAIb;AACvB,QAAM,SAAS,MAAM,kBAAkB,MAAM,MAAM;AACnD,QAAM,SAAkC;AAAA,IACtC,SAAS;AAAA,IACT,MAAM;AAAA,IACN,WAAW;AAAA,IACX,WAAW,MAAM,aAAa,IAAI,KAAA,EAAO,YAAY;AAAA,IACrD,SAAS,MAAM;AAAA,IACf,QAAQ;AAAA,MACN,WAAW,OAAO;AAAA,MAClB,OAAO,OAAO;AAAA,IAChB;AAAA,EAAA;AAGF,QAAM,YAAY,MAAM,aAAa,OAAO,UAAU,2BAA2B,MAAM,CAAC;AAEjF,SAAA;AAAA,IACL,GAAG;AAAA,IACH;AAAA,EAAA;AAEJ;AAEA,eAAsB,4BACpB,QACgC;AAC1B,QAAA,WAAW,MAAM,kBAAkB,MAAM;AACxC,SAAA;AAAA,IACL,SAAS;AAAA,IACT,MAAM;AAAA,IACN,WAAW;AAAA,IACX,WAAW,SAAS;AAAA,IACpB,OAAO,SAAS;AAAA,EAAA;AAEpB;AAEO,SAAS,uBAAuB,OAIrC;AACI,MAAA,CAAC,SAAS,KAAK,GAAG;AACb,WAAA,EAAE,IAAI,OAAO,QAAQ,CAAC,8BAA8B,GAAG,OAAO;EACvE;AAEA,QAAM,SAAmB,CAAA;AAGvB,MAAA,CAAC,YAAY,OAAO;AAAA,IAClB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EAAA,CACD,GACD;AACA,WAAO,KAAK,oCAAoC;AAAA,EAClD;AAEI,MAAA,MAAM,YAAY,oBAAoB;AACjC,WAAA,KAAK,yBAAyB,qBAAqB;AAAA,EAC5D;AACI,MAAA,MAAM,SAAS,iBAAiB;AAC3B,WAAA,KAAK,sBAAsB,kBAAkB;AAAA,EACtD;AACI,MAAA,MAAM,cAAc,0BAA0B;AACzC,WAAA,KAAK,2BAA2B,2BAA2B;AAAA,EACpE;AACI,MAAA,OAAO,MAAM,cAAc,YAAY,CAAC,UAAU,MAAM,SAAS,GAAG;AACtE,WAAO,KAAK,2CAA2C;AAAA,EACzD;AACA,MAAI,OAAO,MAAM,cAAc,YAAY,MAAM,UAAU,WAAW,GAAG;AACvE,WAAO,KAAK,uDAAuD;AAAA,EACrE;AACA,MAAI,CAAC,SAAS,MAAM,OAAO,GAAG;AAC5B,WAAO,KAAK,kCAAkC;AAAA,EAChD;AACA,MAAI,CAAC,SAAS,MAAM,MAAM,GAAG;AAC3B,WAAO,KAAK,iCAAiC;AAAA,EAC/C;AAEA,MAAI,OAAO,SAAS,KAAK,CAAC,SAAS,MAAM,OAAO,KAAK,CAAC,SAAS,MAAM,MAAM,GAAG;AAC5E,WAAO,EAAE,IAAI,OAAO,QAAQ,OAAO,KAAK;AAAA,EAC1C;AAEI,MAAA,CAAC,YAAY,MAAM,SAAS,CAAC,QAAQ,QAAQ,MAAM,CAAC,GAAG;AACzD,WAAO,KAAK,4CAA4C;AAAA,EAC1D;AACI,MAAA,CAAC,YAAY,MAAM,QAAQ,CAAC,aAAa,OAAO,CAAC,GAAG;AACtD,WAAO,KAAK,2CAA2C;AAAA,EACzD;AAEE,MAAA,MAAM,QAAQ,SAAS,UACvB,MAAM,QAAQ,SAAS,cACvB,MAAM,QAAQ,SAAS,YACvB;AACA,WAAO,KAAK,yDAAyD;AAAA,EACvE;AACI,MAAA,OAAO,MAAM,QAAQ,SAAS,YAAY,MAAM,QAAQ,KAAK,WAAW,GAAG;AAC7E,WAAO,KAAK,gDAAgD;AAAA,EAC9D;AACA,MAAI,CAAC,WAAW,MAAM,QAAQ,IAAI,GAAG;AACnC,WAAO,KAAK,2CAA2C;AAAA,EACzD;AACI,MAAA,OAAO,MAAM,OAAO,cAAc,YAAY,MAAM,OAAO,UAAU,WAAW,GAAG;AACrF,WAAO,KAAK,8DAA8D;AAAA,EAC5E;AACI,MAAA,OAAO,MAAM,OAAO,UAAU,YAAY,MAAM,OAAO,MAAM,WAAW,GAAG;AAC7E,WAAO,KAAK,gDAAgD;AAAA,EAC9D;AAEI,MAAA,OAAO,SAAS,GAAG;AACrB,WAAO,EAAE,IAAI,OAAO,QAAQ,OAAO,KAAK;AAAA,EAC1C;AAEO,SAAA;AAAA,IACL,IAAI;AAAA,IACJ,QAAQ,CAAC;AAAA,IACT,OAAO;AAAA,EAAA;AAEX;AAEO,SAAS,mBAAmB,KAIjC;AACI,MAAA;AACF,WAAO,uBAAuB,KAAK,MAAM,GAAG,CAAC;AAAA,EAAA,QAC7C;AACO,WAAA;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,CAAC,+BAA+B;AAAA,MACxC,OAAO;AAAA,IAAA;AAAA,EAEX;AACF;AAEO,SAAS,2BAA2B,OAIzC;AACI,MAAA,CAAC,SAAS,KAAK,GAAG;AACb,WAAA;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,CAAC,4CAA4C;AAAA,MACrD,UAAU;AAAA,IAAA;AAAA,EAEd;AAEA,QAAM,SAAmB,CAAA;AAErB,MAAA,CAAC,YAAY,OAAO,CAAC,WAAW,QAAQ,aAAa,aAAa,OAAO,CAAC,GAAG;AAC/E,WAAO,KAAK,kDAAkD;AAAA,EAChE;AACI,MAAA,MAAM,YAAY,oBAAoB;AACjC,WAAA,KAAK,uCAAuC,qBAAqB;AAAA,EAC1E;AACI,MAAA,MAAM,SAAS,sBAAsB;AAChC,WAAA,KAAK,oCAAoC,uBAAuB;AAAA,EACzE;AACI,MAAA,MAAM,cAAc,0BAA0B;AACzC,WAAA,KAAK,yCAAyC,2BAA2B;AAAA,EAClF;AACA,MAAI,OAAO,MAAM,cAAc,YAAY,MAAM,UAAU,WAAW,GAAG;AACvE,WAAO,KAAK,qEAAqE;AAAA,EACnF;AACA,MAAI,OAAO,MAAM,UAAU,YAAY,MAAM,MAAM,WAAW,GAAG;AAC/D,WAAO,KAAK,uDAAuD;AAAA,EACrE;AAEI,MAAA,OAAO,SAAS,GAAG;AACrB,WAAO,EAAE,IAAI,OAAO,QAAQ,UAAU,KAAK;AAAA,EAC7C;AAEO,SAAA;AAAA,IACL,IAAI;AAAA,IACJ,QAAQ,CAAC;AAAA,IACT,UAAU;AAAA,EAAA;AAEd;AAEO,SAAS,uBAAuB,KAIrC;AACI,MAAA;AACF,WAAO,2BAA2B,KAAK,MAAM,GAAG,CAAC;AAAA,EAAA,QACjD;AACO,WAAA;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,CAAC,oCAAoC;AAAA,MAC7C,UAAU;AAAA,IAAA;AAAA,EAEd;AACF;AAEA,eAAsB,yBAAyB,OAG5C;AACK,QAAA,aAAa,uBAAuB,KAAK;AAC/C,MAAI,CAAC,WAAW,MAAM,CAAC,WAAW,OAAO;AACvC,WAAO,EAAE,IAAI,OAAO,QAAQ,WAAW,OAAO;AAAA,EAChD;AAEI,MAAA,CAAE,MAAM,qBAAqB,MAAM,OAAO,WAAW,MAAM,OAAO,KAAK,GAAI;AACtE,WAAA;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,CAAC,sDAAsD;AAAA,IAAA;AAAA,EAEnE;AAEI,MAAA;AACF,UAAM,QAAQ,MAAM;AAAA,MAClB,MAAM;AAAA,MACN,2BAA2B,KAAK;AAAA,MAChC,MAAM,OAAO;AAAA,IAAA;AAEf,QAAI,CAAC,OAAO;AACV,aAAO,EAAE,IAAI,OAAO,QAAQ,CAAC,oBAAoB,EAAE;AAAA,IACrD;AACA,WAAO,EAAE,IAAI,MAAM,QAAQ,CAAG,EAAA;AAAA,WACvB;AACA,WAAA;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,CAAC,oBAAoB;AAAA,IAAA;AAAA,EAEjC;AACF;AAEsB,eAAA,4BACpB,OACA,OAQC;AACK,QAAA,cAAc,MAAM,eAAe,KAAK;AACxC,QAAA,iBAAiB,MAAM,yBAAyB,KAAK;AACrD,QAAA,YAAY,gBAAgB,MAAM,QAAQ;AAChD,QAAM,iBAAiB,eAAe;AAE/B,SAAA;AAAA,IACL,OAAO,aAAa;AAAA,IACpB;AAAA,IACA;AAAA,IACA,OAAO,MAAM,OAAO;AAAA,IACpB,WAAW,MAAM;AAAA,IACjB;AAAA,EAAA;AAEJ;;"}

package/package.json ADDED Viewed

@@ -0,0 +1,59 @@
+{
+  "name": "@ternent/seal",
+  "version": "0.3.10",
+  "description": "Deterministic artifact signing for Seal",
+  "keywords": [
+    "cli",
+    "integrity",
+    "manifest",
+    "seal",
+    "signature"
+  ],
+  "homepage": "https://github.com/ternent/core/tree/main/packages/seal",
+  "bugs": {
+    "url": "https://github.com/ternent/core/issues"
+  },
+  "license": "ISC",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/ternent/core.git",
+    "directory": "packages/seal"
+  },
+  "bin": {
+    "seal": "bin/seal"
+  },
+  "files": [
+    "bin",
+    "dist",
+    "README.md"
+  ],
+  "type": "module",
+  "sideEffects": false,
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "exports": {
+    ".": "./dist/index.js",
+    "./proof": "./dist/proof.js",
+    "./artifact": "./dist/artifact.js",
+    "./manifest": "./dist/manifest.js",
+    "./crypto": "./dist/crypto.js",
+    "./errors": "./dist/errors.js"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build:proof": "vite build --mode proof-only",
+    "build": "vite build",
+    "test": "vitest run"
+  },
+  "dependencies": {
+    "@ternent/armour": "workspace:*",
+    "@ternent/identity": "workspace:*",
+    "@ternent/utils": "workspace:*"
+  },
+  "devDependencies": {
+    "vite": "^2.9.18",
+    "vitest": "^1.6.0"
+  }
+}