Server keys (#19)

* functions and types for signing and validating a VerifiablePayID

* get pem and x5c working
simplify verify call to use Embedded option

* lint fixes and refactored SigningParams types from interface to classes

* exports

* packages.json cleanup

* WIP: get PKI with certificate chain validation workiing

* lint fixes
use generated Root CA, Intermediate CA, and server cert in tests

* add 'name' to crit section

* splitting web-pki into multiple branches

* add TODO comment on types

Author: nhartner

package-lock.json

@@ -24,14 +24,16 @@
     "test": "nyc mocha 'test/**/*.test.ts'"
   },
   "dependencies": {
-    "jose": "^1.27.2"
+    "jose": "^1.27.3",
+    "node-forge": "^0.9.1"
   },
   "devDependencies": {
     "@arkweid/lefthook": "^0.7.2",
     "@fintechstudios/eslint-plugin-chai-as-promised": "^3.0.2",
     "@types/chai": "^4.2.11",
     "@types/mocha": "^7.0.2",
     "@types/node": "^14.0.14",
+    "@types/node-forge": "^0.9.4",
     "@types/pem-jwk": "^1.5.0",
     "@typescript-eslint/eslint-plugin": "^3.7.1",
     "@typescript-eslint/parser": "^3.7.1",
@@ -52,7 +54,7 @@
     "prettier": "^2.0.5",
     "ts-node": "^8.10.2",
     "tsc-watch": "^4.2.9",
-    "typescript": "^3.9.5"
+    "typescript": "^3.9.7"
   },
   "engines": {
     "node": ">=12.0.0",

package.json

@@ -1,2 +1,5 @@
+export * from './keys'
+export { default as IdentityKeySigningParams } from './identity-key-signing-params'
+export { default as ServerKeySigningParams } from './server-key-signing-params'
 export * from './signatures'
 export * from './verifiable-payid'

src/verifiable/index.ts

@@ -1,21 +1,128 @@
 import { promises } from 'fs'
 
-import { JWK } from 'jose'
+import {
+  BasicParameters,
+  JWK,
+  JWKECKey,
+  JWKOctKey,
+  JWKOKPKey,
+  JWKRSAKey,
+  JWS,
+  KeyParameters,
+} from 'jose'
 
 import RSAKey = JWK.RSAKey
 import ECKey = JWK.ECKey
 import OKPKey = JWK.OKPKey
 import OctKey = JWK.OctKey
+import JWSRecipient = JWS.JWSRecipient
+
+const CERT_HEADER = '-----BEGIN CERTIFICATE-----'
+const CERT_TRAILER = '-----END CERTIFICATE-----'
 
 /**
  * Reads JWK key from a file.
  *
  * @param path - The full file path of the key file.
  * @returns A JWK key.
  */
-export default async function getKeyFromFile(
+export async function getSigningKeyFromFile(
   path: string,
 ): Promise<RSAKey | ECKey | OKPKey | OctKey> {
   const pem = await promises.readFile(path, 'ascii')
   return JWK.asKey(pem)
 }
+
+/**
+ * Reads JWK from a file. If file contains a chain of certificates, JWK is generated from the first
+ * certificate and the rest of the certificates in file are added to the x5c section of the JWK.
+ *
+ * @param path - The full file path of the key file.
+ * @returns A JWK key.
+ */
+export async function getJwkFromFile(
+  path: string,
+): Promise<JWKRSAKey | JWKECKey | JWKOKPKey | JWKOctKey> {
+  const content = await promises.readFile(path, 'ascii')
+  // in the case of a fullchain cert being used, the content will contain the end certificate followed by 1
+  // or more intermediate CA certs. The end certificate (index 0) is the one to be manifested as the public key
+  // in the JWS headers. The full chain of certificates will be included in the x5c section.
+  const certs = splitCerts(content)
+  const primary = JWK.asKey(certs[0]).toJWK(false)
+  const x5c = getX5cChain(certs.map((part) => JWK.asKey(part).toJWK(false)))
+  if (isX5C(primary)) {
+    return { ...primary, x5c }
+  }
+  return primary
+}
+
+/**
+ * Extracts the JWK property from the base64 json in the protected section of a JWK recipient.
+ *
+ * @param recipient - The recipient to process.
+ * @returns The JWK if found, otherwise undefined.
+ */
+export function getJwkFromRecipient(
+  recipient: JWSRecipient,
+): JWKRSAKey | JWKECKey | JWKOKPKey | JWKOctKey | undefined {
+  if (recipient.protected) {
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- because JSON
+    const headers = JSON.parse(
+      Buffer.from(recipient.protected, 'base64').toString('utf-8'),
+    )
+    // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access -- because JSON
+    if (headers.jwk) {
+      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access -- because JSON
+      return JWK.asKey(headers.jwk).toJWK(false)
+    }
+  }
+  return undefined
+}
+
+/**
+ * Split of full chain certificate (which contains multiple certificate blocks) into an array
+ * of strings.
+ *
+ * @param text - Text content of the certificate chain.
+ * @returns The list of certificates.
+ */
+export function splitCerts(text: string): string[] {
+  let parts: string[] = []
+  let startIndex = text.indexOf(CERT_HEADER)
+  let endIndex = text.indexOf(CERT_TRAILER, startIndex)
+  while (startIndex >= 0) {
+    parts = parts.concat(
+      text.substring(startIndex, endIndex + CERT_TRAILER.length),
+    )
+    startIndex = text.indexOf(CERT_HEADER, endIndex + 1)
+    endIndex = text.indexOf(CERT_TRAILER, startIndex + 1)
+  }
+  return parts
+}
+
+/**
+ * Extracts the x5c values from a JWK.
+ *
+ * @param keys - The JWK to process.
+ * @returns Array of values from the x5c fields. Empty if it doesn't exist or is empty.
+ */
+function getX5cChain(
+  keys: Array<JWKRSAKey | JWKECKey | JWKOKPKey | JWKOctKey>,
+): string[] {
+  return keys.flatMap((jwk) => {
+    if (isX5C(jwk) && jwk.x5c) {
+      return jwk.x5c
+    }
+    return []
+  })
+}
+
+/**
+ * Checks if the params contains is a KeyParameters with an x5c property.
+ *
+ * @param params - The value to be checked.
+ * @returns True if x5c found.
+ */
+export function isX5C(params: BasicParameters): params is KeyParameters {
+  return 'x5c' in params
+}

src/verifiable/keys.ts

@@ -1,4 +1,4 @@
-import { JWK } from 'jose'
+import { JWK, JWKECKey, JWKOctKey, JWKOKPKey, JWKRSAKey } from 'jose'
 
 import { SigningParams } from './verifiable-payid'
 
@@ -14,22 +14,22 @@ export default class ServerKeySigningParams implements SigningParams {
   public readonly keyType = 'serverKey'
   public readonly key: ECKey | RSAKey | OctKey | OKPKey
   public readonly alg: string
-  public readonly x5c: ECKey | RSAKey | OctKey | OKPKey
+  public readonly jwk: JWKRSAKey | JWKECKey | JWKOKPKey | JWKOctKey
 
   /**
    * Default constructor.
    *
    * @param key - The private key to sign with.
    * @param alg - The signing algorithm.
-   * @param x5c - The public x509 certificate.
+   * @param jwk - The public jwk to include in the jws.
    */
   public constructor(
     key: ECKey | RSAKey | OctKey | OKPKey,
     alg: string,
-    x5c: ECKey | RSAKey | OctKey | OKPKey,
+    jwk: JWKRSAKey | JWKECKey | JWKOKPKey | JWKOctKey,
   ) {
     this.key = key
     this.alg = alg
-    this.x5c = x5c
+    this.jwk = jwk
   }
 }

src/verifiable/server-key-signing-params.ts

@@ -2,7 +2,7 @@ import { JWS, JWK } from 'jose'
 
 import IdentityKeySigningParams from './identity-key-signing-params'
 import ServerKeySigningParams from './server-key-signing-params'
-import { Address } from './verifiable-payid'
+import { Address, PaymentInformation } from './verifiable-payid'
 
 import GeneralJWS = JWS.GeneralJWS
 
@@ -44,15 +44,15 @@ function signWithIdentityKey(
   }
 
   const signer = new JWS.Sign(unsigned)
-  const publicKey = signingParams.key.toJWK(false)
+  const jwk = signingParams.key.toJWK(false)
 
   const protectedHeaders = {
     name: 'identityKey',
     alg: signingParams.alg,
     typ: 'JOSE+JSON',
     b64: false,
-    crit: ['b64'],
-    jwk: publicKey,
+    crit: ['b64', 'name'],
+    jwk,
   }
 
   signer.recipient(signingParams.key, protectedHeaders)
@@ -84,8 +84,8 @@ export function signWithServerKey(
     alg: signingParams.alg,
     typ: 'JOSE+JSON',
     b64: false,
-    crit: ['b64'],
-    jwk: signingParams.x5c,
+    crit: ['b64', 'name'],
+    jwk: signingParams.jwk,
   }
 
   signer.recipient(signingParams.key, protectedHeaders)
@@ -118,6 +118,32 @@ export function signWithKeys(
     })
 }
 
+/**
+ * Verifies a PayID using the verified addresses within the PayID.
+ *
+ * @param toVerify - The PayID (as a json or as a parsed PaymentInformation).
+ *
+ * @returns True if verified.
+ */
+export function verifyPayId(toVerify: string | PaymentInformation): boolean {
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- because JSON
+  const paymentInformation: PaymentInformation =
+    typeof toVerify === 'string' ? JSON.parse(toVerify) : toVerify
+
+  const payId = paymentInformation.payId
+  if (payId) {
+    return paymentInformation.verifiedAddresses
+      .map((address) =>
+        verifySignedAddress(payId, {
+          payload: address.payload,
+          signatures: address.signatures.slice(),
+        }),
+      )
+      .every((value) => value)
+  }
+  return false
+}
+
 /**
  * Verify an address is properly signed.
  *
@@ -127,19 +153,25 @@ export function signWithKeys(
  */
 export function verifySignedAddress(
   expectedPayId: string,
-  verifiedAddress: GeneralJWS,
+  verifiedAddress: GeneralJWS | string,
 ): boolean {
   // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- because JSON
-  const address: UnsignedVerifiedAddress = JSON.parse(verifiedAddress.payload)
+  const jws: GeneralJWS =
+    typeof verifiedAddress === 'string'
+      ? JSON.parse(verifiedAddress)
+      : verifiedAddress
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- because JSON
+  const address: UnsignedVerifiedAddress = JSON.parse(jws.payload)
 
   if (expectedPayId !== address.payId) {
     // payId does not match what was inside the signed payload
     return false
   }
 
   try {
-    JWS.verify(verifiedAddress, JWK.EmbeddedJWK, {
-      crit: ['b64'],
+    // verifies signatures
+    JWS.verify(jws, JWK.EmbeddedJWK, {
+      crit: ['b64', 'name'],
       complete: true,
     })
     return true