CLI - Chapter 4 - Inspector PayID (#25)

* functions and types for signing and validating a VerifiablePayID

* get pem and x5c working
simplify verify call to use Embedded option

* lint fixes and refactored SigningParams types from interface to classes

* exports

* packages.json cleanup

* WIP: get PKI with certificate chain validation workiing

* lint fixes
use generated Root CA, Intermediate CA, and server cert in tests

* add 'name' to crit section

* splitting web-pki into multiple branches

* logic to parse a chain of certificates from the x5c section of a JWS

* add test to verify self-signed certs pass signature check but fail chain of certificate check

* initial stab at some CLI commands

* refactoring of commands
add commands for signing and verifying signatures

* command to save key
upper case the network and environment

* refactor inspection logic into a standalone class

* more refactoring

* linting fixes

* jsdoc, refactorings and test coverage

* npm audit fix

* npm audit fix

* revert signing and verfication and inspection changes
moving to a separate PR

* reverting signing and verification related code for a later PR

* bringing back commands to build and modify a payid (sans signatures)

* bringing back commands to build and modify a payid (sans signatures)

* bringing back commands to create and import keys, sign and verify a payid

* bringing back command to inspect a PayID's verified addresses

* better error messaging

* docker file

* fix typo in error message

* code review feedback
change command 'url to-payid' to 'payid from-url'

* remove eslint disablement rule from eslint rc in favor of doing it in the one class that violates the rule

* reorder fields to match constructor per PR review

* documentation

* linting changes due to merge

* linting changes due to merge

* Update src/commands/key-generate-identity-key.ts

Co-authored-by: Hans Bergren <[email protected]>

* simplify nest if condition

* js doc

* fix post merge

Co-authored-by: Hans Bergren <[email protected]>

Author: nhartner

Dockerfile

@@ -0,0 +1,20 @@
+FROM node:12-alpine
+
+ADD . / payid-utils/
+
+RUN cd payid-utils/ &&\
+    npm cache clean --force &&\
+    npm install &&\
+    npm run build && \
+    npm link
+
+FROM node:12-alpine
+
+RUN mkdir /opt/payid-utils
+
+WORKDIR /opt/payid-utils
+
+COPY --from=0 /payid-utils/dist  /opt/payid-utils/dist
+COPY --from=0 /payid-utils/node_modules  /opt/payid-utils/node_modules
+
+CMD ["node", "/opt/payid-utils/dist/cli.js"]

package-lock.json

@@ -19,6 +19,7 @@ new cmd.ListKeysCommand(vorpal, localStorage).setup()
 new cmd.LoadIdentityKeyCommand(vorpal, localStorage).setup()
 new cmd.LoadServerKeyCommand(vorpal, localStorage).setup()
 new cmd.InitPayIdCommand(vorpal, localStorage).setup()
+new cmd.InspectPayIdCommand(vorpal, localStorage).setup()
 new cmd.LoadPayIdCommand(vorpal, localStorage).setup()
 new cmd.ShowPayIdCommand(vorpal, localStorage).setup()
 new cmd.SignPayIdCommand(vorpal, localStorage).setup()

src/cli.ts

@@ -38,7 +38,9 @@ abstract class Command {
         try {
           await this.action(args)
         } catch (error) {
-          this.vorpal.log(error)
+          // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- error has any type
+          const { message } = error
+          this.vorpal.log(message)
         }
       },
     )
@@ -54,7 +56,7 @@ abstract class Command {
     const info = this.localStorage.getPaymentInfo()
     if (info === undefined) {
       throw new Error(
-        `please run 'payid init' or 'payid load' before adding an address`,
+        `error: no PayID loaded. Run 'payid init' or 'payid load' first.`,
       )
     }
     return info

src/commands/Command.ts

@@ -11,6 +11,7 @@ export { default as ClearKeysCommand } from './keys-clear'
 export { default as ListKeysCommand } from './keys-list'
 export { default as LocalStorage } from './localstorage'
 export { default as InitPayIdCommand } from './payid-init'
+export { default as InspectPayIdCommand } from './payid-inspect'
 export { default as LoadPayIdCommand } from './payid-load'
 export { default as SavePayIdCommand } from './payid-save'
 export { default as ShowPayIdCommand } from './payid-show'

src/commands/index.ts

@@ -0,0 +1,122 @@
+import * as Vorpal from 'vorpal'
+
+import { PaymentInformationInspector } from '../verifiable'
+import {
+  CertificateChainInspectionResult,
+  SignatureInspectionResult,
+} from '../verifiable/payment-information-inspector'
+
+import Command from './Command'
+import LocalStorage from './localstorage'
+
+/**
+ * Inspects the currently loaded PayID and prints inspection details to the console.
+ * Inspection looks at verified addresses and verifies the signatures and certificate chain (if present).
+ */
+export default class InspectPayIdCommand extends Command {
+  private readonly paymentInformationInspector: PaymentInformationInspector
+
+  /**
+   * Creates new command.
+   *
+   * @param vorpal - The vorpal instance to use.
+   * @param localStorage - The localstorage to use.
+   */
+  public constructor(vorpal: Vorpal, localStorage: LocalStorage) {
+    super(vorpal, localStorage)
+    this.paymentInformationInspector = new PaymentInformationInspector()
+  }
+
+  /**
+   * @override
+   */
+  protected command(): string {
+    return 'payid inspect'
+  }
+
+  /**
+   * @override
+   */
+  protected description(): string {
+    return 'Inspect signatures on the loaded PayID'
+  }
+
+  protected async action(): Promise<void> {
+    const info = this.getPaymentInfo()
+    const result = this.paymentInformationInspector.inspect(info)
+    this.vorpal.log(`${info.payId} ${validString(result.isVerified)}`)
+    result.verifiedAddressesResults.forEach((addressResult) => {
+      const address = addressResult.address
+      const cryptoAddress =
+        'address' in address.addressDetails
+          ? address.addressDetails.address
+          : ''
+
+      const environment: string =
+        typeof address.environment === 'string' ? address.environment : ''
+      this.vorpal.log(
+        `Found verified ${address.paymentNetwork} ${environment} address ${cryptoAddress}`,
+      )
+      this.vorpal.log(
+        `- Signed with ${addressResult.signaturesResults.length} signature(s)`,
+      )
+      addressResult.signaturesResults.forEach((signatureResult, sigIndex) => {
+        this.inspectSignatureResult(sigIndex, signatureResult)
+      })
+    })
+  }
+
+  /**
+   * Inspects and logs information about the inspection result.
+   *
+   * @param sigIndex - The index of the signature.
+   * @param signatureResult -The signature result to inspect.
+   */
+  private inspectSignatureResult(
+    sigIndex: number,
+    signatureResult: SignatureInspectionResult,
+  ): void {
+    this.vorpal.log(
+      `- Signature ${sigIndex + 1} ${validString(
+        signatureResult.isSignatureValid,
+      )}`,
+    )
+    if (signatureResult.jwk && signatureResult.keyType) {
+      const thumbprint = signatureResult.jwk.thumbprint
+      this.vorpal.log(
+        `  - Signed with ${signatureResult.jwk.kty} ${signatureResult.keyType} with thumbprint ${thumbprint}`,
+      )
+    }
+    if (signatureResult.certificateChainResult) {
+      this.inspectCertificateChainResult(signatureResult.certificateChainResult)
+    }
+  }
+
+  /**
+   * Inspects and logs information about the inspection result.
+   *
+   * @param result -The chain to inspect.
+   */
+  private inspectCertificateChainResult(
+    result: CertificateChainInspectionResult,
+  ): void {
+    this.vorpal.log(`  - Certificate chain ${validString(result.isChainValid)}`)
+    result.certificateResults.forEach((chainResult, chainIndex) => {
+      this.vorpal.log(
+        `     - Certificate ${chainIndex + 1} for ${
+          chainResult.issuedTo
+        }, issued by ${chainResult.issuedBy}`,
+      )
+    })
+  }
+}
+
+/**
+ * Prints either 'is verfied' or 'is NOT verfied' based on the valid flag.
+ *
+ * @param valid - Flag for is / is NOT.
+ * @returns The is/is NOT string.
+ */
+function validString(valid: boolean): string {
+  return `${valid ? 'is' : 'is NOT'} verified`
+}

src/commands/payid-inspect.ts

@@ -22,7 +22,10 @@ export default class SignPayIdCommand extends Command {
     }
     const signingKeys = this.getSigningKeys()
     if (signingKeys.length === 0) {
-      this.vorpal.log(`you must generate or load a key before signing`)
+      this.vorpal.log(
+        'you must generate or load a key before signing using ' +
+          `'keys generate identity-key' or 'keys load identity-key'`,
+      )
       return
     }
 

src/commands/payid-sign.ts

@@ -6,8 +6,6 @@ import * as forge from 'node-forge'
 
 import { getJwkFromRecipient, isX5C } from './keys'
 
-import certificateFromPem = forge.pki.certificateFromPem
-
 /**
  * Service to validate the certificate chain (using web PKI) for Verifiable PayIDs
  * signed with a a server key.
@@ -39,6 +37,9 @@ export default class CertificateChainValidator {
    * @returns True if verified.
    */
   public verifyCertificateChainRecipient(recipient: JWS.JWSRecipient): boolean {
+    if (!recipient.protected) {
+      return false
+    }
     return this.verifyCertificateChain(extractX5CCertificates(recipient))
   }
 
@@ -50,7 +51,7 @@ export default class CertificateChainValidator {
    */
   public verifyCertificateChain(chain: forge.pki.Certificate[]): boolean {
     if (chain.length === 0) {
-      return true
+      return false
     }
     try {
       return forge.pki.verifyCertificateChain(this.caStore, chain)
@@ -104,7 +105,7 @@ export function extractX5CCertificates(
   const jwk = getJwkFromRecipient(recipient)
   if (jwk && isX5C(jwk) && jwk.x5c) {
     return jwk.x5c.map((pem) =>
-      certificateFromPem(
+      forge.pki.certificateFromPem(
         `-----BEGIN CERTIFICATE-----${pem}-----END CERTIFICATE-----`,
       ),
     )