sign & verify

Author: mmalmi

dist/db/Message.d.ts

@@ -2,7 +2,7 @@ import { Actor } from './Actor';
 import { Children } from "./Node";
 export declare class Message {
     static fromObject(obj: any): Message;
-    static deserialize(str: string, from: Actor): Message;
+    static deserialize(str: string, from: Actor): Promise<Message>;
     serialize(): string;
 }
 export declare class Get implements Message {
@@ -15,7 +15,7 @@ export declare class Get implements Message {
     jsonStr?: string;
     checksum?: string;
     serialize(): string;
-    static deserialize(obj: any, jsonStr: string, from: Actor): Get;
+    static deserialize(obj: any, jsonStr: string, from: Actor): Promise<Get>;
     static fromObject(obj: any): Get;
     static new(nodeId: string, from: Actor, recipients?: string[], childKey?: string, jsonStr?: string, checksum?: string): Get;
     constructor(id: string, nodeId: string, from: Actor, recipients?: string[], childKey?: string, jsonStr?: string, checksum?: string);
@@ -33,7 +33,7 @@ export declare class Put implements Message {
     jsonStr?: string;
     checksum?: string;
     serialize(): string;
-    static deserialize(obj: any, jsonStr: string, from: Actor): Put;
+    static deserialize(obj: any, jsonStr: string, from: Actor): Promise<Put>;
     static fromObject(obj: any): Put;
     static new(updatedNodes: UpdatedNodes, from: Actor, inResponseTo?: string, recipients?: string[], jsonStr?: string, checksum?: string): Put;
     static newFromKv(key: string, children: Children, from: Actor): Put;

dist/iris.cjs.development.js

@@ -1,7 +1,7 @@
 declare function gunOnceDefined(node: any): Promise<unknown>;
 declare const _default: {
     gunOnceDefined: typeof gunOnceDefined;
-    getHash(str: string, format?: string): Promise<string | undefined>;
+    getHash(data: any, format?: string): Promise<string | ArrayBuffer>;
     capitalize(s: string): string;
     generateName(): string;
     base64ToHex(str: string): string;

dist/iris.cjs.development.js.map

@@ -153,17 +153,14 @@ class Key {
 
   static async sign(data: any, pair: any, cb?: Function, opt: any = {}) {
     if(undefined === data){ throw '`undefined` not allowed.' }
-    if (typeof data === 'object') {
-      data = JSON.stringify(data);
-    }
+    const text = JSON.stringify(data);
     var jwk = Key.keyToJwk(pair);
-    console.log('signing with jwk', jwk);
-    var hash = await util.getHash(data);
+    var hash = await util.getHash(text, 'buffer') as Buffer;
     var sig = await window.crypto.subtle.importKey('jwk', jwk, {name: 'ECDSA', namedCurve: 'P-256'}, false, ['sign'])
     .then((key) =>
-      window.crypto.subtle.sign({name: 'ECDSA', hash: {name: 'SHA-256'}}, key, new Uint8Array(hash as any))
+      window.crypto.subtle.sign({name: 'ECDSA', hash: {name: 'SHA-256'}}, key, hash)
     ) // privateKey scope doesn't leak out from here!
-    var r: any = {m: JSON.stringify(data), s: Buffer.from(sig).toString(opt.encode || 'base64')}
+    var r: any = {m: text, s: Buffer.from(sig).toString(opt.encode || 'base64')}
     if(!opt.raw){ r = 'aSEA' + JSON.stringify(r) }
 
     if(cb){ try{ cb(r) }catch(e){console.log(e)} }
@@ -173,18 +170,26 @@ class Key {
   static async verify(data: any, pair: any, cb?: Function, opt: any = {}) {
     try {
       if (typeof data === 'string') {
-        console.log('verifying string', data.slice(4));
-        data = JSON.parse(data.slice(4));
+        if (data.slice(0, 4) === 'aSEA') {
+          data = JSON.parse(data.slice(4));
+        } else {
+          data = JSON.parse(data);
+        }
       }
       var pub = pair.pub || pair;
       var jwk = Key.keyToJwk(pub);
       var key = await crypto.subtle.importKey('jwk', jwk, {name: 'ECDSA', namedCurve: 'P-256'}, false, ['verify']);
-      var hash: any = await util.getHash(data.m);
+
+      var text = (typeof data.m === 'string')? data.m : JSON.stringify(data.m);
+      let hash = await util.getHash(text, 'buffer') as Buffer;
       var buf, sig, isValid;
-      buf = Buffer.from(data.s, opt.encode || 'base64'); // NEW DEFAULT!
+      buf = Buffer.from(data.s, opt.encode || 'base64');
       sig = new Uint8Array(buf);
-      isValid = await crypto.subtle.verify({name: 'ECDSA', hash: {name: 'SHA-256'}}, key, sig, new Uint8Array(hash));
+      isValid = await crypto.subtle.verify({name: 'ECDSA', hash: {name: 'SHA-256'}}, key, sig, hash);
       var r = isValid? JSON.parse(data.m) : undefined;
+      if (r === undefined) {
+        //console.log('invalid', data, pair, hash);
+      }
 
       if(cb){ try{ cb(r) }catch(e){console.log(e)} }
       return r;

dist/iris.cjs.production.min.js

@@ -1,5 +1,6 @@
 import {Actor} from './Actor';
 import {Children} from "./Node";
+import Key from "../Key";
 
 export class Message {
     // When Messages are sent over BroadcastChannel, class name is lost.
@@ -13,7 +14,7 @@ export class Message {
         }
     }
 
-    static deserialize(str: string, from: Actor): Message {
+    static async deserialize(str: string, from: Actor): Promise<Message> {
         const obj = JSON.parse(str);
         if (obj.get) {
             return Get.deserialize(obj, str, from);
@@ -67,7 +68,7 @@ export class Get implements Message {
         return this.jsonStr;
     }
 
-    static deserialize(obj: any, jsonStr: string, from: Actor): Get {
+    static async deserialize(obj: any, jsonStr: string, from: Actor): Promise<Get> {
         const id = obj['#'];
         let nodeId = obj.get['#']; // TODO add "global/" prefix, replace /^~/ with "user/"
         if (nodeId.startsWith('~')) {
@@ -136,7 +137,7 @@ export class Put implements Message {
         return JSON.stringify(obj);
     }
 
-    static deserialize(obj: any, jsonStr: string, from: Actor): Put {
+    static async deserialize(obj: any, jsonStr: string, from: Actor): Promise<Put> {
         const id = obj['#'];
         const updatedNodes: UpdatedNodes = {};
         type SerializedChildren = {
@@ -145,10 +146,29 @@ export class Put implements Message {
         for (const [nodeId, c] of Object.entries(obj.put)) {
             const children = c as SerializedChildren;
             const node: any = {};
+            const isUserSpace = nodeId.startsWith('~');
             for (const [childKey, childValue] of Object.entries(children)) {
                 if (childKey === '_') {
                     continue;
                 }
+                if (isUserSpace) {
+                    const user = nodeId.split('/')[0].slice(1);
+                    const signatureObj = JSON.parse(childValue);
+                    const timestamp = children['_']['>'][childKey];
+                    const value = signatureObj[':'];
+                    const signedObj = {
+                        "#": nodeId,
+                        ".": childKey,
+                        ":": value,
+                        ">": timestamp
+                    };
+                    const signature = signatureObj['~'];
+                    const signedStr = JSON.stringify(signedObj);
+                    if (await Key.verify({s: signature, m: signedStr}, user) === undefined) {
+                        throw new Error(`invalid signature in ${nodeId} of ${signedStr}`);
+                    }
+                }
+                // TODO test hash space validity
                 const updatedAt = children['_']['>'][childKey];
                 node[childKey] = {
                     value: childValue,

dist/iris.cjs.production.min.js.map

@@ -18,12 +18,12 @@ export default class Websocket extends Actor {
             this.sendQueue.forEach((message) => this.ws.send(message));
             this.sendQueue = [];
         }
-        this.ws.onmessage = (event) => {
+        this.ws.onmessage = async (event) => {
             try {
-                const message = Message.deserialize(event.data, this);
+                const message = await Message.deserialize(event.data, this);
                 this.router.postMessage(message);
             } catch (e) {
-                console.log('Failed to deserialize message', event.data, e);
+                //console.log('Failed to deserialize message', event.data, e);
             }
         }
         this.ws.onclose = () => {

dist/iris.esm.js

@@ -126,6 +126,7 @@ export default {
   },
 
   isMixedContent(url: string) {
+    if (!url) { return false; }
     return window.location.protocol === 'https:' && (url.indexOf('http:') === 0);
   },
 
@@ -135,13 +136,14 @@ export default {
     const sample = _.sampleSize(
       Object.keys(
         _.pickBy(this.known, (peer: any, url: string) => {
-          return url && !this.isMixedContent(url) && peer.enabled && !(util.isElectron && url === ELECTRON_GUN_URL);
+          return !this.isMixedContent(url) && peer.enabled && !(util.isElectron && url === ELECTRON_GUN_URL);
         })
       ), sampleSize
     );
     if (sample && connectToLocalElectron) {
       sample.push(ELECTRON_GUN_URL);
     }
+    console.log('sample', sample, JSON.stringify(this.known));
     return sample;
   },
 

dist/iris.esm.js.map

@@ -1850,13 +1850,22 @@ const adjectives = [
 
 export default {
   gunOnceDefined,
-  async getHash (str: string, format = `base64`) {
-    if (!str) {
-      return undefined;
+  async getHash (data: any, format = `base64`) {
+    if (data === undefined) {
+      throw new Error('getHash data was undefined');
     }
+    if (typeof data !== 'string') {
+      data = JSON.stringify(data);
+    }
+
     const encoder = new TextEncoder();
-    const data = encoder.encode(str);
+    data = encoder.encode(data);
     const buffer = await crypto.subtle.digest('SHA-256', data);
+
+    if (format === 'buffer') {
+      return buffer;
+    }
+
     const hash = this.arrayBufferToBase64(buffer);
     if (format === `hex`) {
       return this.base64ToHex(hash);

dist/iris.umd.development.js

@@ -37,6 +37,7 @@ describe('iris', () => {
       const key = await iris.Key.generate();
       const msg = 'hello';
       const signedMsg = await iris.Key.sign(msg, key);
+      console.log('signedMsg', signedMsg);
       const verified = await iris.Key.verify(signedMsg, key);
       expect(verified).toBe(msg);
     });