@the-ai-company/cbio-node-runtime 1.31.0 → 1.34.0
|
@@ -1,29 +1,39 @@
|
|
|
1
1
|
import { signPayload, verifySignature, derivePublicKey } from "../protocol/crypto.js";
|
|
2
2
|
/**
|
|
3
|
-
*
|
|
3
|
+
* Hardcoded field order for canonical JSON stringification.
|
|
4
|
+
* This ensures that even if different environments parse/stringify,
|
|
5
|
+
* the signature check string is always identical.
|
|
4
6
|
*/
|
|
5
|
-
function
|
|
6
|
-
if (obj
|
|
7
|
-
|
|
8
|
-
return obj.map(sortObject);
|
|
9
|
-
}
|
|
10
|
-
return obj;
|
|
7
|
+
function canonicalStringify(obj) {
|
|
8
|
+
if (!obj || typeof obj !== "object" || Array.isArray(obj)) {
|
|
9
|
+
return JSON.stringify(obj);
|
|
11
10
|
}
|
|
12
|
-
const
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
11
|
+
const keys = Object.keys(obj).sort();
|
|
12
|
+
const parts = [];
|
|
13
|
+
for (const key of keys) {
|
|
14
|
+
const value = obj[key];
|
|
15
|
+
if (value === undefined)
|
|
16
|
+
continue;
|
|
17
|
+
// Recursive canonical for nested objects if any (mostly for publicMetadata)
|
|
18
|
+
parts.push(`${JSON.stringify(key)}:${canonicalStringify(value)}`);
|
|
19
|
+
}
|
|
20
|
+
return `{${parts.join(",")}}`;
|
|
19
21
|
}
|
|
20
22
|
/**
|
|
21
23
|
* Signs and writes a payload to storage as a verifiable metadata envelope.
|
|
22
24
|
*/
|
|
23
25
|
export async function writeVerifiableMetadata(storage, path, payload, privateKey) {
|
|
24
|
-
const payloadStr =
|
|
26
|
+
const payloadStr = canonicalStringify(payload);
|
|
25
27
|
const signature = await signPayload(privateKey, payloadStr);
|
|
26
28
|
const signer = derivePublicKey(privateKey);
|
|
29
|
+
// Self-verify check
|
|
30
|
+
const isCorrect = await verifySignature(signer, payloadStr, signature);
|
|
31
|
+
if (!isCorrect) {
|
|
32
|
+
throw new Error(`[VerifiableMetadata] SDK Integrity Failure: Generated signature is invalid for the payload.
|
|
33
|
+
Payload: ${payloadStr}
|
|
34
|
+
Signer: ${signer}
|
|
35
|
+
Signature: ${signature}`);
|
|
36
|
+
}
|
|
27
37
|
const envelope = {
|
|
28
38
|
payload,
|
|
29
39
|
signature,
|
|
@@ -44,10 +54,13 @@ export async function readVerifiableMetadata(storage, path, expectedSigner) {
|
|
|
44
54
|
if (expectedSigner && envelope.signer !== expectedSigner) {
|
|
45
55
|
return null; // Signer mismatch
|
|
46
56
|
}
|
|
47
|
-
const payloadStr =
|
|
57
|
+
const payloadStr = canonicalStringify(envelope.payload);
|
|
48
58
|
const isValid = await verifySignature(envelope.signer, payloadStr, envelope.signature);
|
|
49
59
|
if (!isValid) {
|
|
50
60
|
console.warn(`[VerifiableMetadata] Invalid signature at ${path}`);
|
|
61
|
+
console.warn(`[VerifiableMetadata] Signer: ${envelope.signer}`);
|
|
62
|
+
console.warn(`[VerifiableMetadata] Payload String: ${payloadStr}`);
|
|
63
|
+
console.warn(`[VerifiableMetadata] Signature: ${envelope.signature}`);
|
|
51
64
|
return null;
|
|
52
65
|
}
|
|
53
66
|
return envelope.payload;
|
|
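Review bot: canonicalStringify (first hunk) hands arrays straight to JSON.stringify, so objects nested inside an array are serialised in insertion order rather than sorted key order, and the signed string is not canonical for them. The removed helper appears to have recursed into arrays (`return obj.map(sortObject);`), though the rest of it is truncated on this page, so this looks like a regression for any payload that carries an array of objects. Handling arrays ahead of the primitive guard would restore it: `if (Array.isArray(obj)) return "[" + obj.map((v) => canonicalStringify(v) ?? "null").join(",") + "]";`. The doc comment should also say that keys are sorted recursively rather than "hardcoded field order", since sorting is what the code does.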
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verifiable-metadata.js","sourceRoot":"","sources":["../../src/runtime/verifiable-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAatF
|
|
1
|
+
{"version":3,"file":"verifiable-metadata.js","sourceRoot":"","sources":["../../src/runtime/verifiable-metadata.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAatF;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,GAAQ;IAClC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1D,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACrC,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;QACvB,IAAI,KAAK,KAAK,SAAS;YAAE,SAAS;QAElC,4EAA4E;QAC5E,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpE,CAAC;IAED,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAyB,EACzB,IAAY,EACZ,OAAU,EACV,UAAkB;IAElB,MAAM,UAAU,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,MAAM,WAAW,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAE3C,oBAAoB;IACpB,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,MAAM,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;IACvE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC;WACT,UAAU;UACX,MAAM;aACH,SAAS,EAAE,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,QAAQ,GAA0B;QACtC,OAAO;QACP,SAAS;QACT,MAAM;KACP,CAAC;IAEF,MAAM,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAyB,EACzB,IAAY,EACZ,cAAuB;IAEvB,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACrC,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IAEtB,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,CAA0B,CAAC;QAErE,gDAAgD;QAChD,IAAI,cAAc,IAAI,QAAQ,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YACzD,OAAO,IAAI,CAAC,CAAC,kBAAkB;QACjC,CAAC;QAED,MAAM,UAAU,GAAG,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACxD,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,MAAM,EAAE,UAAU,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC;QAEvF,IAAI,CAAC,OAAO,EAAE,CAAC
;YACb,OAAO,CAAC,IAAI,CAAC,6CAA6C,IAAI,EAAE,CAAC,CAAC;YAClE,OAAO,CAAC,IAAI,CAAC,gCAAgC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YAChE,OAAO,CAAC,IAAI,CAAC,wCAAwC,UAAU,EAAE,CAAC,CAAC;YACnE,OAAO,CAAC,IAAI,CAAC,mCAAmC,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;YACtE,OAAO,IAAI,CAAC;QACd,CAAC;QAED,OAAO,QAAQ,CAAC,OAAO,CAAC;IAC1B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}
|
package/package.json
CHANGED