ox 0.12.4 → 0.13.1

package/core/WebCryptoP256.ts

@@ -283,7 +283,10 @@ export declare namespace sign {
  * @returns Whether the payload was signed by the provided public key.
  */
 export async function verify(options: verify.Options): Promise<boolean> {
-  const { payload, signature } = options
+  const { lowS = true, payload, signature } = options
+
+  // Reject high-S signatures if lowS is enabled.
+  if (lowS && signature.s > p256.CURVE.n / 2n) return false
 
   const publicKey = await globalThis.crypto.subtle.importKey(
     'raw',
@@ -306,6 +309,8 @@ export async function verify(options: verify.Options): Promise<boolean> {
 
 export declare namespace verify {
   type Options = {
+    /** If set to `true`, only low-S signatures will be accepted. @default true */
+    lowS?: boolean | undefined
     /** Public key that signed the payload. */
     publicKey: PublicKey.PublicKey<boolean>
     /** Signature of the payload. */

package/core/internal/webauthn.ts

@@ -1,157 +1,7 @@
 import { p256 } from '@noble/curves/p256'
+import * as Registration from '../../webauthn/Registration.js'
 import type * as Errors from '../Errors.js'
-import * as Hex from '../Hex.js'
 import * as PublicKey from '../PublicKey.js'
-import { CredentialCreationFailedError } from '../WebAuthnP256.js'
-
-/** @internal */
-export type AttestationConveyancePreference =
-  | 'direct'
-  | 'enterprise'
-  | 'indirect'
-  | 'none'
-
-/** @internal */
-export type AuthenticatorAttachment = 'cross-platform' | 'platform'
-
-/** @internal */
-export type AuthenticatorTransport =
-  | 'ble'
-  | 'hybrid'
-  | 'internal'
-  | 'nfc'
-  | 'usb'
-
-/** @internal */
-export type COSEAlgorithmIdentifier = number
-
-/** @internal */
-export type CredentialMediationRequirement =
-  | 'conditional'
-  | 'optional'
-  | 'required'
-  | 'silent'
-
-/** @internal */
-export type PublicKeyCredentialType = 'public-key'
-
-/** @internal */
-export type ResidentKeyRequirement = 'discouraged' | 'preferred' | 'required'
-
-/** @internal */
-export type UserVerificationRequirement =
-  | 'discouraged'
-  | 'preferred'
-  | 'required'
-
-/** @internal */
-export type LargeBlobSupport = {
-  support: 'required' | 'preferred'
-}
-
-/** @internal */
-export type BufferSource = ArrayBufferView | ArrayBuffer
-
-/** @internal */
-export type PrfExtension = Record<'eval', Record<'first', Uint8Array>>
-
-/** @internal */
-export interface AuthenticationExtensionsClientInputs {
-  appid?: string
-  credProps?: boolean
-  hmacCreateSecret?: boolean
-  minPinLength?: boolean
-  prf?: PrfExtension
-  largeBlob?: LargeBlobSupport
-}
-
-/** @internal */
-export interface AuthenticatorSelectionCriteria {
-  authenticatorAttachment?: AuthenticatorAttachment
-  requireResidentKey?: boolean
-  residentKey?: ResidentKeyRequirement
-  userVerification?: UserVerificationRequirement
-}
-
-/** @internal */
-export interface Credential {
-  readonly id: string
-  readonly type: string
-}
-
-/** @internal */
-export interface CredentialCreationOptions {
-  publicKey?: PublicKeyCredentialCreationOptions
-  signal?: AbortSignal
-}
-
-/** @internal */
-export interface CredentialRequestOptions {
-  mediation?: CredentialMediationRequirement
-  publicKey?: PublicKeyCredentialRequestOptions
-  signal?: AbortSignal
-}
-
-/** @internal */
-export interface PublicKeyCredential extends Credential {
-  readonly authenticatorAttachment: string | null
-  readonly rawId: ArrayBuffer
-  readonly response: AuthenticatorResponse
-  getClientExtensionResults(): AuthenticationExtensionsClientOutputs
-}
-
-/** @internal */
-export interface PublicKeyCredentialCreationOptions {
-  attestation?: AttestationConveyancePreference
-  authenticatorSelection?: AuthenticatorSelectionCriteria
-  challenge: BufferSource
-  excludeCredentials?: PublicKeyCredentialDescriptor[]
-  extensions?: AuthenticationExtensionsClientInputs
-  pubKeyCredParams: PublicKeyCredentialParameters[]
-  rp: PublicKeyCredentialRpEntity
-  timeout?: number
-  user: PublicKeyCredentialUserEntity
-}
-
-/** @internal */
-export interface PublicKeyCredentialDescriptor {
-  id: BufferSource
-  transports?: AuthenticatorTransport[]
-  type: PublicKeyCredentialType
-}
-
-/** @internal */
-export interface PublicKeyCredentialEntity {
-  name: string
-}
-
-/** @internal */
-export interface PublicKeyCredentialParameters {
-  alg: COSEAlgorithmIdentifier
-  type: PublicKeyCredentialType
-}
-
-/** @internal */
-export interface PublicKeyCredentialRequestOptions {
-  allowCredentials?: PublicKeyCredentialDescriptor[]
-  challenge: BufferSource
-  extensions?: AuthenticationExtensionsClientInputs
-  rpId?: string
-  timeout?: number
-  userVerification?: UserVerificationRequirement
-}
-
-/** @internal */
-export interface PublicKeyCredentialRpEntity extends PublicKeyCredentialEntity {
-  id?: string
-}
-
-/** @internal */
-export interface PublicKeyCredentialUserEntity
-  extends PublicKeyCredentialEntity {
-  displayName: string
-  id: BufferSource
-}
 
 /**
  * Parses an ASN.1 signature into a r and s value.
@@ -159,17 +9,8 @@ export interface PublicKeyCredentialUserEntity
  * @internal
  */
 export function parseAsn1Signature(bytes: Uint8Array) {
-  const r_start = bytes[4] === 0 ? 5 : 4
-  const r_end = r_start + 32
-  const s_start = bytes[r_end + 2] === 0 ? r_end + 3 : r_end + 2
-
-  const r = BigInt(Hex.fromBytes(bytes.slice(r_start, r_end)))
-  const s = BigInt(Hex.fromBytes(bytes.slice(s_start)))
-
-  return {
-    r,
-    s: s > p256.CURVE.n / 2n ? p256.CURVE.n - s : s,
-  }
+  const sig = p256.Signature.fromDER(bytes).normalizeS()
+  return { r: sig.r, s: sig.s }
 }
 
 /**
@@ -183,7 +24,7 @@ export async function parseCredentialPublicKey(
 ): Promise<PublicKey.PublicKey> {
   try {
     const publicKeyBuffer = response.getPublicKey()
-    if (!publicKeyBuffer) throw new CredentialCreationFailedError()
+    if (!publicKeyBuffer) throw new Registration.CreateFailedError()
 
     // Converting `publicKeyBuffer` throws when credential is created by 1Password Firefox Add-on
     const publicKeyBytes = new Uint8Array(publicKeyBuffer)
@@ -218,7 +59,7 @@ export async function parseCredentialPublicKey(
       for (let i = 0; i < data.length - coordinate.length; i++)
         if (coordinate.every((byte, j) => data[i + j] === byte))
           return i + coordinate.length
-      throw new CredentialCreationFailedError()
+      throw new Registration.CreateFailedError()
     }
 
     const xStart = findStart(0x21)
@@ -235,5 +76,5 @@ export async function parseCredentialPublicKey(
 }
 
 export declare namespace parseCredentialPublicKey {
-  type ErrorType = CredentialCreationFailedError | Errors.GlobalErrorType
+  type ErrorType = Registration.CreateFailedError | Errors.GlobalErrorType
 }

package/erc8021/index.ts

@@ -17,7 +17,7 @@ export type {}
  *
  * const dataSuffix2 = Attribution.toDataSuffix({
  *   codes: ['baseapp', 'morpho'],
- *   codeRegistryAddress: '0x...'
+ *   codeRegistry: { address: '0x0000000000000000000000000000000000000000', chainId: 1 },
  * })
  * ```
  *
@@ -30,7 +30,7 @@ export type {}
  * const attribution = Attribution.fromData('0x...')
  *
  * console.log(attribution)
- * // @log: { codes: ['baseapp', 'morpho'], codeRegistryAddress: '0x...' }
+ * // @log: { codes: ['baseapp', 'morpho'], codeRegistry: { address: '0x...', chainId: 1 } }
  * ```
  *
  * @category ERC-8021

package/index.docs.ts

@@ -7,4 +7,5 @@ export * from './erc6492/index.js'
 export * from './erc7821/index.js'
 export * from './erc8010/index.js'
 export * from './erc8021/index.js'
+export * from './webauthn/index.js'
 export * from './tempo/index.js'

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ox",
   "description": "Ethereum Standard Library",
-  "version": "0.12.4",
+  "version": "0.13.1",
   "main": "./_cjs/index.js",
   "module": "./_esm/index.js",
   "types": "./_types/index.d.ts",
@@ -554,6 +554,36 @@
       "import": "./_esm/trusted-setups/index.js",
       "default": "./_cjs/trusted-setups/index.js"
     },
+    "./webauthn/Authentication": {
+      "types": "./_types/webauthn/Authentication.d.ts",
+      "import": "./_esm/webauthn/Authentication.js",
+      "default": "./_cjs/webauthn/Authentication.js"
+    },
+    "./webauthn/Authenticator": {
+      "types": "./_types/webauthn/Authenticator.d.ts",
+      "import": "./_esm/webauthn/Authenticator.js",
+      "default": "./_cjs/webauthn/Authenticator.js"
+    },
+    "./webauthn/Credential": {
+      "types": "./_types/webauthn/Credential.d.ts",
+      "import": "./_esm/webauthn/Credential.js",
+      "default": "./_cjs/webauthn/Credential.js"
+    },
+    "./webauthn/Registration": {
+      "types": "./_types/webauthn/Registration.d.ts",
+      "import": "./_esm/webauthn/Registration.js",
+      "default": "./_cjs/webauthn/Registration.js"
+    },
+    "./webauthn/Types": {
+      "types": "./_types/webauthn/Types.d.ts",
+      "import": "./_esm/webauthn/Types.js",
+      "default": "./_cjs/webauthn/Types.js"
+    },
+    "./webauthn": {
+      "types": "./_types/webauthn/index.d.ts",
+      "import": "./_esm/webauthn/index.js",
+      "default": "./_cjs/webauthn/index.js"
+    },
     "./window": {
       "types": "./_types/window/index.d.ts",
       "import": "./_esm/window/index.js",

package/tempo/KeyAuthorization.test.ts

@@ -927,6 +927,74 @@ describe('getSignPayload', () => {
   })
 })
 
+describe('deserialize', () => {
+  test('default', () => {
+    const authorization = KeyAuthorization.from({
+      address,
+      expiry,
+      type: 'secp256k1',
+      limits: [
+        {
+          token,
+          limit: Value.from('10', 6),
+        },
+      ],
+    })
+
+    const serialized = KeyAuthorization.serialize(authorization)
+    const deserialized = KeyAuthorization.deserialize(serialized)
+
+    expect(deserialized).toEqual(authorization)
+  })
+
+  test('signed (secp256k1)', () => {
+    const authorization = KeyAuthorization.from(
+      {
+        address,
+        expiry,
+        type: 'secp256k1',
+        limits: [
+          {
+            token,
+            limit: Value.from('10', 6),
+          },
+        ],
+      },
+      { signature: signature_secp256k1 },
+    )
+
+    const serialized = KeyAuthorization.serialize(authorization)
+    const deserialized = KeyAuthorization.deserialize(serialized)
+
+    expect(deserialized).toEqual(authorization)
+  })
+
+  test('no limits', () => {
+    const authorization = KeyAuthorization.from({
+      address,
+      expiry,
+      type: 'secp256k1',
+    })
+
+    const serialized = KeyAuthorization.serialize(authorization)
+    const deserialized = KeyAuthorization.deserialize(serialized)
+
+    expect(deserialized).toEqual(authorization)
+  })
+
+  test('no expiry', () => {
+    const authorization = KeyAuthorization.from({
+      address,
+      type: 'secp256k1',
+    })
+
+    const serialized = KeyAuthorization.serialize(authorization)
+    const deserialized = KeyAuthorization.deserialize(serialized)
+
+    expect(deserialized).toEqual(authorization)
+  })
+})
+
 describe('hash', () => {
   test('default', () => {
     const authorization = KeyAuthorization.from({
@@ -949,6 +1017,77 @@ describe('hash', () => {
   })
 })
 
+describe('serialize', () => {
+  test('default', () => {
+    const authorization = KeyAuthorization.from({
+      address,
+      expiry,
+      type: 'secp256k1',
+      limits: [
+        {
+          token,
+          limit: Value.from('10', 6),
+        },
+      ],
+    })
+
+    const serialized = KeyAuthorization.serialize(authorization)
+
+    expect(serialized).toMatchInlineSnapshot(
+      `"0xf838f7808094be95c3f554e9fc85ec51be69a3d807a0d55bcf2c84499602d2dad99420c000000000000000000000000000000000000183989680"`,
+    )
+  })
+
+  test('signed (secp256k1)', () => {
+    const authorization = KeyAuthorization.from(
+      {
+        address,
+        expiry,
+        type: 'secp256k1',
+        limits: [
+          {
+            token,
+            limit: Value.from('10', 6),
+          },
+        ],
+      },
+      { signature: signature_secp256k1 },
+    )
+
+    const serialized = KeyAuthorization.serialize(authorization)
+    const deserialized = KeyAuthorization.deserialize(serialized)
+
+    expect(deserialized).toEqual(authorization)
+  })
+
+  test('no limits', () => {
+    const authorization = KeyAuthorization.from({
+      address,
+      expiry,
+      type: 'secp256k1',
+    })
+
+    const serialized = KeyAuthorization.serialize(authorization)
+
+    expect(serialized).toMatchInlineSnapshot(
+      `"0xdddc808094be95c3f554e9fc85ec51be69a3d807a0d55bcf2c84499602d2"`,
+    )
+  })
+
+  test('no expiry', () => {
+    const authorization = KeyAuthorization.from({
+      address,
+      type: 'secp256k1',
+    })
+
+    const serialized = KeyAuthorization.serialize(authorization)
+
+    expect(serialized).toMatchInlineSnapshot(
+      `"0xd8d7808094be95c3f554e9fc85ec51be69a3d807a0d55bcf2c"`,
+    )
+  })
+})
+
 describe('toRpc', () => {
   test('secp256k1', () => {
     const authorization = KeyAuthorization.from({

package/tempo/KeyAuthorization.ts

@@ -458,6 +458,43 @@ export declare namespace getSignPayload {
   type ErrorType = hash.ErrorType | Errors.GlobalErrorType
 }
 
+/**
+ * Deserializes an RLP-encoded {@link ox#KeyAuthorization.KeyAuthorization}.
+ *
+ * @example
+ * ```ts twoslash
+ * import { KeyAuthorization } from 'ox/tempo'
+ * import { Value } from 'ox'
+ *
+ * const authorization = KeyAuthorization.from({
+ *   expiry: 1234567890,
+ *   address: '0xbe95c3f554e9fc85ec51be69a3d807a0d55bcf2c',
+ *   type: 'secp256k1',
+ *   limits: [{
+ *     token: '0x20c0000000000000000000000000000000000001',
+ *     limit: Value.from('10', 6)
+ *   }],
+ * })
+ *
+ * const serialized = KeyAuthorization.serialize(authorization)
+ * const deserialized = KeyAuthorization.deserialize(serialized) // [!code focus]
+ * ```
+ *
+ * @param serialized - The RLP-encoded Key Authorization.
+ * @returns The {@link ox#KeyAuthorization.KeyAuthorization}.
+ */
+export function deserialize(serialized: Hex.Hex): KeyAuthorization {
+  const tuple = Rlp.toHex(serialized) as unknown as Tuple
+  return fromTuple(tuple)
+}
+
+export declare namespace deserialize {
+  type ErrorType =
+    | Rlp.toHex.ErrorType
+    | fromTuple.ErrorType
+    | Errors.GlobalErrorType
+}
+
 /**
  * Computes the hash for an {@link ox#KeyAuthorization.KeyAuthorization}.
  *
@@ -497,6 +534,42 @@ export declare namespace hash {
     | Errors.GlobalErrorType
 }
 
+/**
+ * Serializes a {@link ox#KeyAuthorization.KeyAuthorization} to RLP-encoded hex.
+ *
+ * @example
+ * ```ts twoslash
+ * import { KeyAuthorization } from 'ox/tempo'
+ * import { Value } from 'ox'
+ *
+ * const authorization = KeyAuthorization.from({
+ *   expiry: 1234567890,
+ *   address: '0xbe95c3f554e9fc85ec51be69a3d807a0d55bcf2c',
+ *   type: 'secp256k1',
+ *   limits: [{
+ *     token: '0x20c0000000000000000000000000000000000001',
+ *     limit: Value.from('10', 6)
+ *   }],
+ * })
+ *
+ * const serialized = KeyAuthorization.serialize(authorization) // [!code focus]
+ * ```
+ *
+ * @param authorization - The {@link ox#KeyAuthorization.KeyAuthorization}.
+ * @returns The RLP-encoded Key Authorization.
+ */
+export function serialize(authorization: KeyAuthorization): Hex.Hex {
+  const tuple = toTuple(authorization)
+  return Rlp.fromHex(tuple as any)
+}
+
+export declare namespace serialize {
+  type ErrorType =
+    | toTuple.ErrorType
+    | Rlp.fromHex.ErrorType
+    | Errors.GlobalErrorType
+}
+
 /**
  * Converts an {@link ox#KeyAuthorization.KeyAuthorization} to an {@link ox#KeyAuthorization.Rpc}.
  *
@@ -603,13 +676,19 @@ export function toTuple<const authorization extends KeyAuthorization>(
         throw new Error(`Invalid key type: ${authorization.type}`)
     }
   })()
+  const limitsValue = limits?.map((limit) => [
+    limit.token,
+    bigintToHex(limit.limit),
+  ])
   const authorizationTuple = [
     bigintToHex(chainId),
     type,
     address,
-    typeof expiry === 'number' ? numberToHex(expiry) : undefined,
-    limits?.map((limit) => [limit.token, bigintToHex(limit.limit)]) ??
-      undefined,
+    // expiry is required in the tuple when limits are present
+    typeof expiry === 'number' || limitsValue
+      ? numberToHex(expiry ?? 0)
+      : undefined,
+    limitsValue,
   ].filter(Boolean)
   return [authorizationTuple, ...(signature ? [signature] : [])] as never
 }