web3gbit-cli 1.0.0

package/lib/openzeppelin-contracts/contracts/utils/cryptography/WebAuthn.sol

@@ -0,0 +1,261 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Contracts (last updated v5.5.0) (utils/cryptography/WebAuthn.sol)
+
+pragma solidity ^0.8.24;
+
+import {P256} from "./P256.sol";
+import {Base64} from "../Base64.sol";
+import {Bytes} from "../Bytes.sol";
+import {Strings} from "../Strings.sol";
+
+/**
+ * @dev Library for verifying WebAuthn Authentication Assertions.
+ *
+ * WebAuthn enables strong authentication for smart contracts using
+ * https://docs.openzeppelin.com/contracts/5.x/api/utils#P256[P256]
+ * as an alternative to traditional secp256k1 ECDSA signatures. This library verifies
+ * signatures generated during WebAuthn authentication ceremonies as specified in the
+ * https://www.w3.org/TR/webauthn-2/[WebAuthn Level 2 standard].
+ *
+ * For blockchain use cases, the following WebAuthn validations are intentionally omitted:
+ *
+ * * Origin validation: Origin verification in `clientDataJSON` is omitted as blockchain
+ *   contexts rely on authenticator and dapp frontend enforcement. Standard authenticators
+ *   implement proper origin validation.
+ * * RP ID hash validation: Verification of `rpIdHash` in authenticatorData against expected
+ *   RP ID hash is omitted. This is typically handled by platform-level security measures.
+ *   Including an expiry timestamp in signed data is recommended for enhanced security.
+ * * Signature counter: Verification of signature counter increments is omitted. While
+ *   useful for detecting credential cloning, on-chain operations typically include nonce
+ *   protection, making this check redundant.
+ * * Extension outputs: Extension output value verification is omitted as these are not
+ *   essential for core authentication security in blockchain applications.
+ * * Attestation: Attestation object verification is omitted as this implementation
+ *   focuses on authentication (`webauthn.get`) rather than registration ceremonies.
+ *
+ * Inspired by:
+ *
+ * * https://github.com/daimo-eth/p256-verifier/blob/master/src/WebAuthn.sol[daimo-eth implementation]
+ * * https://github.com/base/webauthn-sol/blob/main/src/WebAuthn.sol[base implementation]
+ */
+library WebAuthn {
+    struct WebAuthnAuth {
+        bytes32 r; /// The r value of secp256r1 signature
+        bytes32 s; /// The s value of secp256r1 signature
+        uint256 challengeIndex; /// The index at which "challenge":"..." occurs in `clientDataJSON`.
+        uint256 typeIndex; /// The index at which "type":"..." occurs in `clientDataJSON`.
+        /// The WebAuthn authenticator data.
+        /// https://www.w3.org/TR/webauthn-2/#dom-authenticatorassertionresponse-authenticatordata
+        bytes authenticatorData;
+        /// The WebAuthn client data JSON.
+        /// https://www.w3.org/TR/webauthn-2/#dom-authenticatorresponse-clientdatajson
+        string clientDataJSON;
+    }
+
+    /// @dev Bit 0 of the authenticator data flags: "User Present" bit.
+    bytes1 internal constant AUTH_DATA_FLAGS_UP = 0x01;
+    /// @dev Bit 2 of the authenticator data flags: "User Verified" bit.
+    bytes1 internal constant AUTH_DATA_FLAGS_UV = 0x04;
+    /// @dev Bit 3 of the authenticator data flags: "Backup Eligibility" bit.
+    bytes1 internal constant AUTH_DATA_FLAGS_BE = 0x08;
+    /// @dev Bit 4 of the authenticator data flags: "Backup State" bit.
+    bytes1 internal constant AUTH_DATA_FLAGS_BS = 0x10;
+
+    /**
+     * @dev Performs standard verification of a WebAuthn Authentication Assertion.
+     */
+    function verify(
+        bytes memory challenge,
+        WebAuthnAuth memory auth,
+        bytes32 qx,
+        bytes32 qy
+    ) internal view returns (bool) {
+        return verify(challenge, auth, qx, qy, true);
+    }
+
+    /**
+     * @dev Performs verification of a WebAuthn Authentication Assertion. This variants allow the caller to select
+     * whether of not to require the UV flag (step 17).
+     *
+     * Verifies:
+     *
+     * 1. Type is "webauthn.get" (see {_validateExpectedTypeHash})
+     * 2. Challenge matches the expected value (see {_validateChallenge})
+     * 3. Cryptographic signature is valid for the given public key
+     * 4. confirming physical user presence during authentication
+     * 5. (if `requireUV` is true) confirming stronger user authentication (biometrics/PIN)
+     * 6. Backup Eligibility (`BE`) and Backup State (BS) bits relationship is valid
+     */
+    function verify(
+        bytes memory challenge,
+        WebAuthnAuth memory auth,
+        bytes32 qx,
+        bytes32 qy,
+        bool requireUV
+    ) internal view returns (bool) {
+        // Verify authenticator data has sufficient length (37 bytes minimum):
+        // - 32 bytes for rpIdHash
+        // - 1 byte for flags
+        // - 4 bytes for signature counter
+        return
+            auth.authenticatorData.length > 36 &&
+            _validateExpectedTypeHash(auth.clientDataJSON, auth.typeIndex) && // 11
+            _validateChallenge(auth.clientDataJSON, auth.challengeIndex, challenge) && // 12
+            _validateUserPresentBitSet(auth.authenticatorData[32]) && // 16
+            (!requireUV || _validateUserVerifiedBitSet(auth.authenticatorData[32])) && // 17
+            _validateBackupEligibilityAndState(auth.authenticatorData[32]) && // Consistency check
+            // P256.verify handles signature malleability internally
+            P256.verify(
+                sha256(
+                    abi.encodePacked(
+                        auth.authenticatorData,
+                        sha256(bytes(auth.clientDataJSON)) // 19
+                    )
+                ),
+                auth.r,
+                auth.s,
+                qx,
+                qy
+            ); // 20
+    }
+
+    /**
+     * @dev Validates that the https://www.w3.org/TR/webauthn-2/#type[Type] field in the client data JSON is set to
+     * "webauthn.get".
+     *
+     * Step 11 in https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion[verifying an assertion].
+     */
+    function _validateExpectedTypeHash(
+        string memory clientDataJSON,
+        uint256 typeIndex
+    ) private pure returns (bool success) {
+        assembly ("memory-safe") {
+            success := and(
+                // clientDataJson.length >= typeIndex + 21
+                gt(mload(clientDataJSON), add(typeIndex, 20)),
+                eq(
+                    // get 32 bytes starting at index typexIndex in clientDataJSON, and keep the leftmost 21 bytes
+                    and(mload(add(add(clientDataJSON, 0x20), typeIndex)), shl(88, not(0))),
+                    // solhint-disable-next-line quotes
+                    '"type":"webauthn.get"'
+                )
+            )
+        }
+    }
+
+    /**
+     * @dev Validates that the challenge in the client data JSON matches the `expectedChallenge`.
+     *
+     * Step 12 in https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion[verifying an assertion].
+     */
+    function _validateChallenge(
+        string memory clientDataJSON,
+        uint256 challengeIndex,
+        bytes memory challenge
+    ) private pure returns (bool) {
+        // solhint-disable-next-line quotes
+        string memory expectedChallenge = string.concat('"challenge":"', Base64.encodeURL(challenge), '"');
+        string memory actualChallenge = string(
+            Bytes.slice(bytes(clientDataJSON), challengeIndex, challengeIndex + bytes(expectedChallenge).length)
+        );
+
+        return Strings.equal(actualChallenge, expectedChallenge);
+    }
+
+    /**
+     * @dev Validates that the https://www.w3.org/TR/webauthn-2/#up[User Present (UP)] bit is set.
+     *
+     * Step 16 in https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion[verifying an assertion].
+     *
+     * NOTE: Required by WebAuthn spec but may be skipped for platform authenticators
+     * (Touch ID, Windows Hello) in controlled environments. Enforce for public-facing apps.
+     */
+    function _validateUserPresentBitSet(bytes1 flags) private pure returns (bool) {
+        return (flags & AUTH_DATA_FLAGS_UP) == AUTH_DATA_FLAGS_UP;
+    }
+
+    /**
+     * @dev Validates that the https://www.w3.org/TR/webauthn-2/#uv[User Verified (UV)] bit is set.
+     *
+     * Step 17 in https://www.w3.org/TR/webauthn-2/#sctn-verifying-assertion[verifying an assertion].
+     *
+     * The UV bit indicates whether the user was verified using a stronger identification method
+     * (biometrics, PIN, password). While optional, requiring UV=1 is recommended for:
+     *
+     * * High-value transactions and sensitive operations
+     * * Account recovery and critical settings changes
+     * * Privileged operations
+     *
+     * NOTE: For routine operations or when using hardware authenticators without verification capabilities,
+     * `UV=0` may be acceptable. The choice of whether to require UV represents a security vs. usability
+     * tradeoff - for blockchain applications handling valuable assets, requiring UV is generally safer.
+     */
+    function _validateUserVerifiedBitSet(bytes1 flags) private pure returns (bool) {
+        return (flags & AUTH_DATA_FLAGS_UV) == AUTH_DATA_FLAGS_UV;
+    }
+
+    /**
+     * @dev Validates the relationship between Backup Eligibility (`BE`) and Backup State (`BS`) bits
+     * according to the WebAuthn specification.
+     *
+     * The function enforces that if a credential is backed up (`BS=1`), it must also be eligible
+     * for backup (`BE=1`). This prevents unauthorized credential backup and ensures compliance
+     * with the WebAuthn spec.
+     *
+     * Returns true in these valid states:
+     *
+     * * `BE=1`, `BS=0`: Credential is eligible but not backed up
+     * * `BE=1`, `BS=1`: Credential is eligible and backed up
+     * * `BE=0`, `BS=0`: Credential is not eligible and not backed up
+     *
+     * Returns false only when `BE=0` and `BS=1`, which is an invalid state indicating
+     * a credential that's backed up but not eligible for backup.
+     *
+     * NOTE: While the WebAuthn spec defines this relationship between `BE` and `BS` bits,
+     * validating it is not explicitly required as part of the core verification procedure.
+     * Some implementations may choose to skip this check for broader authenticator
+     * compatibility or when the application's threat model doesn't consider credential
+     * syncing a major risk.
+     */
+    function _validateBackupEligibilityAndState(bytes1 flags) private pure returns (bool) {
+        return (flags & AUTH_DATA_FLAGS_BE) == AUTH_DATA_FLAGS_BE || (flags & AUTH_DATA_FLAGS_BS) == 0;
+    }
+
+    /**
+     * @dev Verifies that calldata bytes (`input`) represents a valid `WebAuthnAuth` object. If encoding is valid,
+     * returns true and the calldata view at the object. Otherwise, returns false and an invalid calldata object.
+     *
+     * NOTE: The returned `auth` object should not be accessed if `success` is false. Trying to access the data may
+     * cause revert/panic.
+     */
+    function tryDecodeAuth(bytes calldata input) internal pure returns (bool success, WebAuthnAuth calldata auth) {
+        assembly ("memory-safe") {
+            auth := input.offset
+        }
+
+        // Minimum length to hold 6 objects (32 bytes each)
+        if (input.length < 0xC0) return (false, auth);
+
+        // Get offset of non-value-type elements relative to the input buffer
+        uint256 authenticatorDataOffset = uint256(bytes32(input[0x80:]));
+        uint256 clientDataJSONOffset = uint256(bytes32(input[0xa0:]));
+
+        // The elements length (at the offset) should be 32 bytes long. We check that this is within the
+        // buffer bounds. Since we know input.length is at least 32, we can subtract with no overflow risk.
+        if (input.length - 0x20 < authenticatorDataOffset || input.length - 0x20 < clientDataJSONOffset)
+            return (false, auth);
+
+        // Get the lengths. offset + 32 is bounded by input.length so it does not overflow.
+        uint256 authenticatorDataLength = uint256(bytes32(input[authenticatorDataOffset:]));
+        uint256 clientDataJSONLength = uint256(bytes32(input[clientDataJSONOffset:]));
+
+        // Check that the input buffer is long enough to store the non-value-type elements
+        // Since we know input.length is at least xxxOffset + 32, we can subtract with no overflow risk.
+        if (
+            input.length - authenticatorDataOffset - 0x20 < authenticatorDataLength ||
+            input.length - clientDataJSONOffset - 0x20 < clientDataJSONLength
+        ) return (false, auth);
+
+        return (true, auth);
+    }
+}

package/lib/openzeppelin-contracts/contracts/utils/cryptography/draft-ERC7739Utils.sol

@@ -0,0 +1,207 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Contracts (last updated v5.5.0) (utils/cryptography/draft-ERC7739Utils.sol)
+
+pragma solidity ^0.8.20;
+
+import {Calldata} from "../Calldata.sol";
+import {Hashes} from "./Hashes.sol";
+
+/**
+ * @dev Utilities to process https://ercs.ethereum.org/ERCS/erc-7739[ERC-7739] typed data signatures
+ * that are specific to an EIP-712 domain.
+ *
+ * This library provides methods to wrap, unwrap and operate over typed data signatures with a defensive
+ * rehashing mechanism that includes the app's xref:api:utils/cryptography#EIP712-_domainSeparatorV4[EIP-712]
+ * and preserves readability of the signed content using an EIP-712 nested approach.
+ *
+ * A smart contract domain can validate a signature for a typed data structure in two ways:
+ *
+ * - As an application validating a typed data signature. See {typedDataSignStructHash}.
+ * - As a smart contract validating a raw message signature. See {personalSignStructHash}.
+ *
+ * NOTE: A provider for a smart contract wallet would need to return this signature as the
+ * result of a call to `personal_sign` or `eth_signTypedData`, and this may be unsupported by
+ * API clients that expect a return value of 129 bytes, or specifically the `r,s,v` parameters
+ * of an xref:api:utils/cryptography#ECDSA[ECDSA] signature, as is for example specified for
+ * xref:api:utils/cryptography#EIP712[EIP-712].
+ */
+library ERC7739Utils {
+    /**
+     * @dev An EIP-712 type to represent "personal" signatures
+     * (i.e. mimic of `personal_sign` for smart contracts).
+     */
+    bytes32 private constant PERSONAL_SIGN_TYPEHASH = keccak256("PersonalSign(bytes prefixed)");
+
+    /**
+     * @dev Nest a signature for a given EIP-712 type into a nested signature for the domain of the app.
+     *
+     * Counterpart of {decodeTypedDataSig} to extract the original signature and the nested components.
+     */
+    function encodeTypedDataSig(
+        bytes memory signature,
+        bytes32 appSeparator,
+        bytes32 contentsHash,
+        string memory contentsDescr
+    ) internal pure returns (bytes memory) {
+        return
+            abi.encodePacked(signature, appSeparator, contentsHash, contentsDescr, uint16(bytes(contentsDescr).length));
+    }
+
+    /**
+     * @dev Parses a nested signature into its components.
+     *
+     * Constructed as follows:
+     *
+     * `signature ‖ APP_DOMAIN_SEPARATOR ‖ contentsHash ‖ contentsDescr ‖ uint16(contentsDescr.length)`
+     *
+     * - `signature` is the signature for the (ERC-7739) nested struct hash. This signature indirectly signs over the
+     *   original "contents" hash (from the app) and the account's domain separator.
+     * - `APP_DOMAIN_SEPARATOR` is the EIP-712 {EIP712-_domainSeparatorV4} of the application smart contract that is
+     *   requesting the signature verification (through ERC-1271).
+     * - `contentsHash` is the hash of the underlying data structure or message.
+     * - `contentsDescr` is a descriptor of the "contents" part of the EIP-712 type of the nested signature.
+     *
+     * NOTE: This function returns empty if the input format is invalid instead of reverting.
+     */
+    function decodeTypedDataSig(
+        bytes calldata encodedSignature
+    )
+        internal
+        pure
+        returns (bytes calldata signature, bytes32 appSeparator, bytes32 contentsHash, string calldata contentsDescr)
+    {
+        unchecked {
+            uint256 sigLength = encodedSignature.length;
+
+            // 66 bytes = contentsDescrLength (2 bytes) + contentsHash (32 bytes) + APP_DOMAIN_SEPARATOR (32 bytes).
+            if (sigLength < 66) return (Calldata.emptyBytes(), 0, 0, Calldata.emptyString());
+
+            uint256 contentsDescrEnd = sigLength - 2; // Last 2 bytes
+            uint256 contentsDescrLength = uint16(bytes2(encodedSignature[contentsDescrEnd:]));
+
+            // Check for space for `contentsDescr` in addition to the 66 bytes documented above
+            if (sigLength < 66 + contentsDescrLength) return (Calldata.emptyBytes(), 0, 0, Calldata.emptyString());
+
+            uint256 contentsHashEnd = contentsDescrEnd - contentsDescrLength;
+            uint256 separatorEnd = contentsHashEnd - 32;
+            uint256 signatureEnd = separatorEnd - 32;
+
+            signature = encodedSignature[:signatureEnd];
+            appSeparator = bytes32(encodedSignature[signatureEnd:separatorEnd]);
+            contentsHash = bytes32(encodedSignature[separatorEnd:contentsHashEnd]);
+            contentsDescr = string(encodedSignature[contentsHashEnd:contentsDescrEnd]);
+        }
+    }
+
+    /**
+     * @dev Nests an `ERC-191` digest into a `PersonalSign` EIP-712 struct, and returns the corresponding struct hash.
+     * This struct hash must be combined with a domain separator, using {MessageHashUtils-toTypedDataHash} before
+     * being verified/recovered.
+     *
+     * This is used to simulate the `personal_sign` RPC method in the context of smart contracts.
+     */
+    function personalSignStructHash(bytes32 contents) internal pure returns (bytes32) {
+        return Hashes.efficientKeccak256(PERSONAL_SIGN_TYPEHASH, contents);
+    }
+
+    /**
+     * @dev Nests an `EIP-712` hash (`contents`) into a `TypedDataSign` EIP-712 struct, and returns the corresponding
+     * struct hash. This struct hash must be combined with a domain separator, using {MessageHashUtils-toTypedDataHash}
+     * before being verified/recovered.
+     */
+    function typedDataSignStructHash(
+        string calldata contentsName,
+        string calldata contentsType,
+        bytes32 contentsHash,
+        bytes memory domainBytes
+    ) internal pure returns (bytes32 result) {
+        return
+            bytes(contentsName).length == 0
+                ? bytes32(0)
+                : keccak256(
+                    abi.encodePacked(typedDataSignTypehash(contentsName, contentsType), contentsHash, domainBytes)
+                );
+    }
+
+    /**
+     * @dev Variant of {typedDataSignStructHash-string-string-bytes32-bytes} that takes a content descriptor
+     * and decodes the `contentsName` and `contentsType` out of it.
+     */
+    function typedDataSignStructHash(
+        string calldata contentsDescr,
+        bytes32 contentsHash,
+        bytes memory domainBytes
+    ) internal pure returns (bytes32 result) {
+        (string calldata contentsName, string calldata contentsType) = decodeContentsDescr(contentsDescr);
+
+        return typedDataSignStructHash(contentsName, contentsType, contentsHash, domainBytes);
+    }
+
+    /**
+     * @dev Compute the EIP-712 typehash of the `TypedDataSign` structure for a given type (and typename).
+     */
+    function typedDataSignTypehash(
+        string calldata contentsName,
+        string calldata contentsType
+    ) internal pure returns (bytes32) {
+        return
+            keccak256(
+                abi.encodePacked(
+                    "TypedDataSign(",
+                    contentsName,
+                    " contents,string name,string version,uint256 chainId,address verifyingContract,bytes32 salt)",
+                    contentsType
+                )
+            );
+    }
+
+    /**
+     * @dev Parse the type name out of the ERC-7739 contents type description. Supports both the implicit and explicit
+     * modes.
+     *
+     * Following ERC-7739 specifications, a `contentsName` is considered invalid if it's empty or it contains
+     * any of the following bytes , )\x00
+     *
+     * If the `contentsType` is invalid, this returns an empty string. Otherwise, the return string has non-zero
+     * length.
+     */
+    function decodeContentsDescr(
+        string calldata contentsDescr
+    ) internal pure returns (string calldata contentsName, string calldata contentsType) {
+        bytes calldata buffer = bytes(contentsDescr);
+        if (buffer.length == 0) {
+            // pass through (fail)
+        } else if (buffer[buffer.length - 1] == bytes1(")")) {
+            // Implicit mode: read contentsName from the beginning, and keep the complete descr
+            for (uint256 i = 0; i < buffer.length; ++i) {
+                bytes1 current = buffer[i];
+                if (current == bytes1("(")) {
+                    // if name is empty - passthrough (fail)
+                    if (i == 0) break;
+                    // we found the end of the contentsName
+                    return (string(buffer[:i]), contentsDescr);
+                } else if (_isForbiddenChar(current)) {
+                    // we found an invalid character (forbidden) - passthrough (fail)
+                    break;
+                }
+            }
+        } else {
+            // Explicit mode: read contentsName from the end, and remove it from the descr
+            for (uint256 i = buffer.length; i > 0; --i) {
+                bytes1 current = buffer[i - 1];
+                if (current == bytes1(")")) {
+                    // we found the end of the contentsName
+                    return (string(buffer[i:]), string(buffer[:i]));
+                } else if (_isForbiddenChar(current)) {
+                    // we found an invalid character (forbidden) - passthrough (fail)
+                    break;
+                }
+            }
+        }
+        return (Calldata.emptyString(), Calldata.emptyString());
+    }
+
+    function _isForbiddenChar(bytes1 char) private pure returns (bool) {
+        return char == 0x00 || char == bytes1(" ") || char == bytes1(",") || char == bytes1("(") || char == bytes1(")");
+    }
+}

package/lib/openzeppelin-contracts/contracts/utils/cryptography/signers/AbstractSigner.sol

@@ -0,0 +1,23 @@
+// SPDX-License-Identifier: MIT
+// OpenZeppelin Contracts (last updated v5.4.0) (utils/cryptography/signers/AbstractSigner.sol)
+
+pragma solidity ^0.8.20;
+
+/**
+ * @dev Abstract contract for signature validation.
+ *
+ * Developers must implement {_rawSignatureValidation} and use it as the lowest-level signature validation mechanism.
+ *
+ * @custom:stateless
+ */
+abstract contract AbstractSigner {
+    /**
+     * @dev Signature validation algorithm.
+     *
+     * WARNING: Implementing a signature validation algorithm is a security-sensitive operation as it involves
+     * cryptographic verification. It is important to review and test thoroughly before deployment. Consider
+     * using one of the signature verification libraries (xref:api:utils/cryptography#ECDSA[ECDSA],
+     * xref:api:utils/cryptography#P256[P256] or xref:api:utils/cryptography#RSA[RSA]).
+     */
+    function _rawSignatureValidation(bytes32 hash, bytes calldata signature) internal view virtual returns (bool);
+}