feat: key binding certs instead of direct public keys (#568)

Author: coodos

infrastructure/control-panel/src/routes/+layout.svelte

@@ -15,12 +15,11 @@
 		{ label: 'Actions', href: '/actions' }
 	];
 
-	const isActive = (href: string) =>
-		href === '/' ? pageUrl === '/' : pageUrl.startsWith(href);
+	const isActive = (href: string) => (href === '/' ? pageUrl === '/' : pageUrl.startsWith(href));
 </script>
 
 <main class="flex min-h-screen bg-gray-50">
-	<aside class="w-64 border-black-100 border-r bg-white px-8 py-10">
+	<aside class="border-black-100 w-64 border-r bg-white px-8 py-10">
 		<h4 class="text-lg font-semibold text-black">Navigation</h4>
 		<nav class="mt-6 flex flex-col gap-2">
 			{#each navLinks as link}

infrastructure/control-panel/src/routes/actions/+page.svelte

@@ -67,10 +67,11 @@
 </script>
 
 <section class="max-w-3xl space-y-6">
-	<div class="rounded-2xl border border-black-100 bg-white px-8 py-6 shadow-sm">
+	<div class="border-black-100 rounded-2xl border bg-white px-8 py-6 shadow-sm">
 		<h2 class="text-2xl font-semibold text-black">Actions</h2>
-		<p class="mt-2 text-black-700">
-			Manual actions for orchestrating DreamSync. Trigger matchmaking directly from the control panel.
+		<p class="text-black-700 mt-2">
+			Manual actions for orchestrating DreamSync. Trigger matchmaking directly from the
+			control panel.
 		</p>
 
 		<div class="mt-6 space-y-4">
@@ -87,16 +88,17 @@
 					Trigger DreamSync
 				</ButtonAction>
 			</div>
-			<p class="text-sm text-black-500">
-				Note: Matchmaking can take up to 4 minutes to complete. Please wait for the process to finish.
+			<p class="text-black-500 text-sm">
+				Note: Matchmaking can take up to 4 minutes to complete. Please wait for the process
+				to finish.
 			</p>
 		</div>
 	</div>
 </section>
 
 {#if toast}
 	<div
-		class={`fixed right-6 top-24 z-50 rounded-lg border px-4 py-3 shadow-lg ${
+		class={`fixed top-24 right-6 z-50 rounded-lg border px-4 py-3 shadow-lg ${
 			toast.variant === 'success'
 				? 'border-green-200 bg-green-100 text-green-800'
 				: 'border-danger-200 bg-danger-100 text-danger-500'
@@ -105,4 +107,3 @@
 		<p class="font-semibold">{toast.message}</p>
 	</div>
 {/if}
-

infrastructure/eid-wallet/package.json

@@ -42,6 +42,7 @@
         "graphql-request": "^6.1.0",
         "html5-qrcode": "^2.3.8",
         "import": "^0.0.6",
+        "jose": "^5.2.0",
         "svelte-loading-spinners": "^0.3.6",
         "svelte-qrcode": "^1.0.1",
         "tailwind-merge": "^3.0.2",

infrastructure/eid-wallet/src/lib/global/controllers/evault.ts

@@ -6,6 +6,7 @@ import {
 import type { Store } from "@tauri-apps/plugin-store";
 import axios from "axios";
 import { GraphQLClient } from "graphql-request";
+import * as jose from "jose";
 import NotificationService from "../../services/NotificationService";
 import type { KeyService } from "./key";
 import type { UserController } from "./user";
@@ -122,22 +123,94 @@ export class VaultController {
                 },
             });
 
-            const existingPublicKey = whoisResponse.data?.publicKey;
-            if (existingPublicKey) {
-                // Public key already exists, mark as saved
-                localStorage.setItem(`publicKeySaved_${eName}`, "true");
-                console.log(`Public key already exists for ${eName}`);
-                return;
-            }
+            // Get key binding certificates array from whois response
+            const keyBindingCertificates =
+                whoisResponse.data?.keyBindingCertificates;
 
-            // Get public key using the exact same logic as onboarding/verification flow
-            // KEY_ID is always "default", context depends on whether user is pre-verification
+            // Get current device's public key to check if it already exists
             const KEY_ID = "default";
-
-            // Determine context: check if user is pre-verification (fake/demo user)
             const isFake = await this.#userController.isFake;
             const context = isFake ? "pre-verification" : "onboarding";
 
+            let currentPublicKey: string | undefined;
+            try {
+                currentPublicKey = await this.#keyService.getPublicKey(
+                    KEY_ID,
+                    context,
+                );
+            } catch (error) {
+                console.error(
+                    "Failed to get current public key for comparison:",
+                    error,
+                );
+                // Continue to sync anyway
+            }
+
+            // If we have certificates and current key, check if it already exists
+            if (
+                keyBindingCertificates &&
+                Array.isArray(keyBindingCertificates) &&
+                keyBindingCertificates.length > 0 &&
+                currentPublicKey
+            ) {
+                try {
+                    // Get registry JWKS for JWT verification
+                    const registryUrl = PUBLIC_REGISTRY_URL;
+                    if (registryUrl) {
+                        const jwksUrl = new URL(
+                            "/.well-known/jwks.json",
+                            registryUrl,
+                        ).toString();
+                        const jwksResponse = await axios.get(jwksUrl, {
+                            timeout: 10000,
+                        });
+                        const JWKS = jose.createLocalJWKSet(jwksResponse.data);
+
+                        // Extract public keys from certificates and check if current key exists
+                        for (const jwt of keyBindingCertificates) {
+                            try {
+                                const { payload } = await jose.jwtVerify(
+                                    jwt,
+                                    JWKS,
+                                );
+
+                                // Verify ename matches
+                                if (payload.ename !== eName) {
+                                    continue;
+                                }
+
+                                // Extract publicKey from JWT payload
+                                const extractedPublicKey =
+                                    payload.publicKey as string;
+                                if (extractedPublicKey === currentPublicKey) {
+                                    // Current device's key already exists, mark as saved
+                                    localStorage.setItem(
+                                        `publicKeySaved_${eName}`,
+                                        "true",
+                                    );
+                                    console.log(
+                                        `Public key already exists for ${eName}`,
+                                    );
+                                    return;
+                                }
+                            } catch (error) {
+                                // JWT verification failed, try next certificate
+                                console.warn(
+                                    "Failed to verify key binding certificate:",
+                                    error,
+                                );
+                            }
+                        }
+                    }
+                } catch (error) {
+                    console.error(
+                        "Error checking existing public keys:",
+                        error,
+                    );
+                    // Continue to sync anyway
+                }
+            }
+
             console.log("=".repeat(70));
             console.log("🔄 [VaultController] syncPublicKey called");
             console.log("=".repeat(70));

infrastructure/evault-core/src/core/db/db.service.ts

@@ -676,43 +676,53 @@ export class DbService {
     }
 
     /**
-     * Gets the public key for a given eName.
+     * Gets all public keys for a given eName.
      * @param eName - The eName identifier
-     * @returns The public key string, or null if not found
+     * @returns Array of public key strings, or empty array if not found
      */
-    async getPublicKey(eName: string): Promise<string | null> {
+    async getPublicKeys(eName: string): Promise<string[]> {
         if (!eName) {
-            throw new Error("eName is required for getting public key");
+            throw new Error("eName is required for getting public keys");
         }
 
         const result = await this.runQueryInternal(
-            `MATCH (u:User { eName: $eName }) RETURN u.publicKey AS publicKey`,
+            `MATCH (u:User { eName: $eName }) RETURN u.publicKeys AS publicKeys`,
             { eName },
         );
 
         if (!result.records[0]) {
-            return null;
+            return [];
         }
 
-        return result.records[0].get("publicKey") || null;
+        const publicKeys = result.records[0].get("publicKeys");
+        // Handle null/undefined and ensure we return an array
+        if (!publicKeys || !Array.isArray(publicKeys)) {
+            return [];
+        }
+
+        return publicKeys;
     }
 
     /**
-     * Sets or updates the public key for a given eName.
+     * Adds a public key to the array for a given eName (appends, avoids duplicates).
      * @param eName - The eName identifier
-     * @param publicKey - The public key to store
+     * @param publicKey - The public key to add
      */
-    async setPublicKey(eName: string, publicKey: string): Promise<void> {
+    async addPublicKey(eName: string, publicKey: string): Promise<void> {
         if (!eName) {
-            throw new Error("eName is required for setting public key");
+            throw new Error("eName is required for adding public key");
         }
         if (!publicKey) {
             throw new Error("publicKey is required");
         }
 
+        // Use MERGE to create User if doesn't exist, then append publicKey if not already in array
         await this.runQueryInternal(
             `MERGE (u:User { eName: $eName })
-             SET u.publicKey = $publicKey`,
+             ON CREATE SET u.publicKeys = []
+             WITH u
+             WHERE NOT $publicKey IN u.publicKeys
+             SET u.publicKeys = u.publicKeys + $publicKey`,
             { eName, publicKey },
         );
     }
@@ -803,26 +813,26 @@ export class DbService {
             }
         }
 
-        // Copy User node with public key if it exists
+        // Copy User node with public keys if it exists
         try {
             const userResult = await this.runQueryInternal(
-                `MATCH (u:User { eName: $eName }) RETURN u.publicKey AS publicKey`,
+                `MATCH (u:User { eName: $eName }) RETURN u.publicKeys AS publicKeys`,
                 { eName },
             );
 
             if (userResult.records.length > 0) {
-                const publicKey = userResult.records[0].get("publicKey");
-                if (publicKey) {
+                const publicKeys = userResult.records[0].get("publicKeys");
+                if (publicKeys && Array.isArray(publicKeys) && publicKeys.length > 0) {
                     console.log(
-                        `[MIGRATION] Copying User node with public key for eName: ${eName}`,
+                        `[MIGRATION] Copying User node with public keys for eName: ${eName}`,
                     );
                     await targetDbService.runQuery(
                         `MERGE (u:User { eName: $eName })
-                         SET u.publicKey = $publicKey`,
-                        { eName, publicKey },
+                         SET u.publicKeys = $publicKeys`,
+                        { eName, publicKeys },
                     );
                     console.log(
-                        `[MIGRATION] User node with public key copied successfully`,
+                        `[MIGRATION] User node with public keys copied successfully`,
                     );
                 }
             }

infrastructure/evault-core/src/core/db/migrations/migrate-publickey-to-array.ts

@@ -0,0 +1,48 @@
+/**
+ * Neo4j Migration: Convert User.publicKey (string) to User.publicKeys (array)
+ * 
+ * This migration converts the single publicKey property to an array of publicKeys
+ * to support multiple device installs per user.
+ * 
+ * For existing users with publicKey: converts to [publicKey]
+ * For users without publicKey: initializes as []
+ */
+
+import { Driver } from "neo4j-driver";
+
+export async function migratePublicKeyToArray(driver: Driver): Promise<void> {
+    const session = driver.session();
+    try {
+        // First, convert existing publicKey (string) to publicKeys (array)
+        // For users with publicKey, set publicKeys = [publicKey] and remove publicKey
+        const result = await session.run(
+            `MATCH (u:User)
+             WHERE u.publicKey IS NOT NULL AND u.publicKeys IS NULL
+             SET u.publicKeys = [u.publicKey]
+             REMOVE u.publicKey
+             RETURN count(u) as converted`
+        );
+        
+        const converted = result.records[0]?.get("converted") || 0;
+        console.log(`Converted ${converted} User nodes from publicKey to publicKeys array`);
+
+        // For users without publicKey, initialize publicKeys as empty array
+        const result2 = await session.run(
+            `MATCH (u:User)
+             WHERE u.publicKey IS NULL AND u.publicKeys IS NULL
+             SET u.publicKeys = []
+             RETURN count(u) as initialized`
+        );
+        
+        const initialized = result2.records[0]?.get("initialized") || 0;
+        console.log(`Initialized ${initialized} User nodes with empty publicKeys array`);
+
+        console.log("Migration completed: publicKey -> publicKeys array");
+    } catch (error) {
+        console.error("Error migrating publicKey to publicKeys array:", error);
+        throw error;
+    } finally {
+        await session.close();
+    }
+}
+