feat: signature validator library

Author: coodos

infrastructure/eid-wallet/src/lib/global/controllers/evault.ts

@@ -1,4 +1,8 @@
-import { PUBLIC_REGISTRY_URL, PUBLIC_PROVISIONER_URL, PUBLIC_EID_WALLET_TOKEN } from "$env/static/public";
+import {
+    PUBLIC_REGISTRY_URL,
+    PUBLIC_PROVISIONER_URL,
+    PUBLIC_EID_WALLET_TOKEN,
+} from "$env/static/public";
 import type { Store } from "@tauri-apps/plugin-store";
 import axios from "axios";
 import { GraphQLClient } from "graphql-request";
@@ -52,7 +56,11 @@ export class VaultController {
     #profileCreationStatus: "idle" | "loading" | "success" | "failed" = "idle";
     #notificationService: NotificationService;
 
-    constructor(store: Store, userController: UserController, keyService?: KeyService) {
+    constructor(
+        store: Store,
+        userController: UserController,
+        keyService?: KeyService,
+    ) {
         this.#store = store;
         this.#userController = userController;
         this.#keyService = keyService || null;
@@ -86,12 +94,16 @@ export class VaultController {
             // Check if we've already saved the public key
             const savedKey = localStorage.getItem(`publicKeySaved_${eName}`);
             if (savedKey === "true") {
-                console.log(`Public key already saved for ${eName}, skipping sync`);
+                console.log(
+                    `Public key already saved for ${eName}, skipping sync`,
+                );
                 return;
             }
 
             if (!this.#keyService) {
-                console.warn("KeyService not available, cannot sync public key");
+                console.warn(
+                    "KeyService not available, cannot sync public key",
+                );
                 return;
             }
 
@@ -121,29 +133,39 @@ export class VaultController {
             // Get public key using the exact same logic as onboarding/verification flow
             // KEY_ID is always "default", context depends on whether user is pre-verification
             const KEY_ID = "default";
-            
+
             // Determine context: check if user is pre-verification (fake/demo user)
             const isFake = await this.#userController.isFake;
             const context = isFake ? "pre-verification" : "onboarding";
 
             // Get public key using the same method as getApplicationPublicKey() in onboarding/verify
             let publicKey: string | undefined;
             try {
-                publicKey = await this.#keyService.getPublicKey(KEY_ID, context);
+                publicKey = await this.#keyService.getPublicKey(
+                    KEY_ID,
+                    context,
+                );
             } catch (error) {
-                console.error(`Failed to get public key for ${KEY_ID} with context ${context}:`, error);
+                console.error(
+                    `Failed to get public key for ${KEY_ID} with context ${context}:`,
+                    error,
+                );
                 return;
             }
 
             if (!publicKey) {
-                console.warn(`No public key found for ${KEY_ID} with context ${context}, cannot sync`);
+                console.warn(
+                    `No public key found for ${KEY_ID} with context ${context}, cannot sync`,
+                );
                 return;
             }
 
             // Get authentication token from environment variable
             const authToken = PUBLIC_EID_WALLET_TOKEN || null;
             if (!authToken) {
-                console.warn("PUBLIC_EID_WALLET_TOKEN not set, request may fail authentication");
+                console.warn(
+                    "PUBLIC_EID_WALLET_TOKEN not set, request may fail authentication",
+                );
             }
 
             // Call PATCH /public-key to save the public key
@@ -157,11 +179,7 @@ export class VaultController {
                 headers["Authorization"] = `Bearer ${authToken}`;
             }
 
-            await axios.patch(
-                patchUrl,
-                { publicKey },
-                { headers }
-            );
+            await axios.patch(patchUrl, { publicKey }, { headers });
 
             // Mark as saved
             localStorage.setItem(`publicKeySaved_${eName}`, "true");

infrastructure/eid-wallet/src/lib/global/state.ts

@@ -35,7 +35,11 @@ export class GlobalState {
         this.securityController = new SecurityController(store);
         this.userController = new UserController(store);
         this.keyService = keyService;
-        this.vaultController = new VaultController(store, this.userController, keyService);
+        this.vaultController = new VaultController(
+            store,
+            this.userController,
+            keyService,
+        );
         this.notificationService = NotificationService.getInstance();
     }
 

infrastructure/eid-wallet/src/routes/(auth)/login/+page.svelte

@@ -101,7 +101,9 @@ onMount(async () => {
 
                     // Sync public key to eVault core
                     try {
-                        await globalState.vaultController.syncPublicKey(vault.ename);
+                        await globalState.vaultController.syncPublicKey(
+                            vault.ename,
+                        );
                     } catch (error) {
                         console.error("Error syncing public key:", error);
                         // Continue to app even if sync fails - non-blocking
@@ -181,7 +183,9 @@ onMount(async () => {
 
                     // Sync public key to eVault core
                     try {
-                        await globalState.vaultController.syncPublicKey(vault.ename);
+                        await globalState.vaultController.syncPublicKey(
+                            vault.ename,
+                        );
                     } catch (error) {
                         console.error("Error syncing public key:", error);
                         // Continue to app even if sync fails - non-blocking

infrastructure/evault-core/src/core/http/server.ts

@@ -286,30 +286,50 @@ export async function registerHttpRoutes(
   // Helper function to validate JWT token
   async function validateToken(authHeader: string | null): Promise<any | null> {
     if (!authHeader || !authHeader.startsWith("Bearer ")) {
+      console.error("Token validation: Missing or invalid Authorization header format");
       return null;
     }
 
     const token = authHeader.substring(7); // Remove 'Bearer ' prefix
 
     try {
-      if (!process.env.REGISTRY_URL) {
-        console.error("REGISTRY_URL is not set");
+      // Try REGISTRY_URL first, fallback to PUBLIC_REGISTRY_URL
+      const registryUrl = process.env.REGISTRY_URL || process.env.PUBLIC_REGISTRY_URL;
+      if (!registryUrl) {
+        console.error("Token validation: REGISTRY_URL or PUBLIC_REGISTRY_URL is not set");
         return null;
       }
 
-      const jwksResponse = await axios.get(
-        new URL(
-          `/.well-known/jwks.json`,
-          process.env.REGISTRY_URL
-        ).toString()
-      );
+      const jwksUrl = new URL(`/.well-known/jwks.json`, registryUrl).toString();
+      console.log(`Token validation: Fetching JWKS from ${jwksUrl}`);
+
+      const jwksResponse = await axios.get(jwksUrl, {
+        timeout: 5000,
+      });
 
+      console.log(`Token validation: JWKS response keys count: ${jwksResponse.data?.keys?.length || 0}`);
+      
       const JWKS = jose.createLocalJWKSet(jwksResponse.data);
+      
+      // Decode token header to see what kid it's using
+      const decodedHeader = jose.decodeProtectedHeader(token);
+      console.log(`Token validation: Token header - alg: ${decodedHeader.alg}, kid: ${decodedHeader.kid}`);
+      
       const { payload } = await jose.jwtVerify(token, JWKS);
-
+      
+      console.log(`Token validation: Token verified successfully, payload:`, payload);
       return payload;
-    } catch (error) {
-      console.error("Token validation failed:", error);
+    } catch (error: any) {
+      console.error("Token validation failed:", error.message || error);
+      if (error.code) {
+        console.error(`Token validation error code: ${error.code}`);
+      }
+      if (error.response) {
+        console.error(`Token validation HTTP error: ${error.response.status} - ${error.response.statusText}`);
+      }
+      if (error.cause) {
+        console.error(`Token validation error cause:`, error.cause);
+      }
       return null;
     }
   }

infrastructure/signature-validator/.gitignore

@@ -0,0 +1,5 @@
+node_modules/
+dist/
+*.log
+.DS_Store
+

infrastructure/signature-validator/README.md

@@ -0,0 +1,67 @@
+# Signature Validator
+
+A TypeScript library for verifying signatures using public keys retrieved from eVault.
+
+## Installation
+
+```bash
+npm install
+npm run build
+```
+
+## Usage
+
+```typescript
+import { verifySignature } from "signature-validator";
+
+const result = await verifySignature({
+  eName: "@user.w3id",
+  signature: "z...", // multibase encoded signature
+  payload: "message to verify",
+  registryBaseUrl: "https://registry.example.com"
+});
+
+if (result.valid) {
+  console.log("Signature is valid!");
+} else {
+  console.error("Signature invalid:", result.error);
+}
+```
+
+## API
+
+### `verifySignature(options: VerifySignatureOptions): Promise<VerifySignatureResult>`
+
+Verifies a signature by:
+1. Resolving the eVault URL from the registry using the eName
+2. Fetching the public key from the eVault `/whois` endpoint
+3. Decoding the multibase-encoded public key
+4. Verifying the signature using Web Crypto API
+
+#### Parameters
+
+- `eName`: The eName (W3ID) of the user
+- `signature`: The signature to verify (multibase encoded string, supports 'z' prefix for base58btc or base64)
+- `payload`: The payload that was signed (string)
+- `registryBaseUrl`: Base URL of the registry service
+
+#### Returns
+
+- `valid`: Boolean indicating if the signature is valid
+- `error`: Error message if verification failed
+- `publicKey`: The public key that was used for verification
+
+## Public Key Format
+
+Public keys are expected to be in multibase format starting with 'z':
+- `z` prefix indicates multibase encoding
+- Supports base58btc (standard) or hex encoding
+
+Example: `z3059301306072a8648ce3d020106082a8648ce3d03010703420004a16b063e785d25945c44ae2e7a4cbd94c3316533427261244f696609d6afb848155b9016ad8d5c9ec59053b3b2cf2511af0c2414fc53d2abf96323bb1a031902`
+
+## Signature Format
+
+Signatures can be:
+- Multibase encoded (starting with 'z' for base58btc)
+- Base64 encoded (for software keys)
+

infrastructure/signature-validator/package.json

@@ -0,0 +1,21 @@
+{
+    "name": "signature-validator",
+    "version": "1.0.0",
+    "description": "Library for verifying signatures using public keys from eVault",
+    "main": "dist/index.js",
+    "types": "dist/index.d.ts",
+    "scripts": {
+        "build": "tsc",
+        "test": "vitest",
+        "dev": "tsc --watch"
+    },
+    "dependencies": {
+        "axios": "^1.6.7",
+        "multiformats": "^13.3.2"
+    },
+    "devDependencies": {
+        "@types/node": "^20.11.24",
+        "typescript": "^5.3.3",
+        "vitest": "^1.6.1"
+    }
+}