UNPKG

blockstack

Version:

The Blockstack Javascript library for authentication, identity, and storage.

blockstack.org

blockstack/blockstack.js

169 lines (142 loc) 5.67 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
'use strict'; Object.defineProperty(exports, "__esModule", { value: true }); exports.signProfileToken = signProfileToken; exports.wrapProfileToken = wrapProfileToken; exports.verifyProfileToken = verifyProfileToken; exports.extractProfile = extractProfile; var _bitcoinjsLib = require('bitcoinjs-lib'); var _jsontokens = require('jsontokens'); var _utils = require('../utils'); /** * Signs a profile token * @param {Object} profile - the JSON of the profile to be signed * @param {String} privateKey - the signing private key * @param {Object} subject - the entity that the information is about * @param {Object} issuer - the entity that is issuing the token * @param {String} signingAlgorithm - the signing algorithm to use * @param {Date} issuedAt - the time of issuance of the token * @param {Date} expiresAt - the time of expiration of the token * @returns {Object} - the signed profile token */ function signProfileToken(profile, privateKey) { var subject = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : null; var issuer = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : null; var signingAlgorithm = arguments.length > 4 && arguments[4] !== undefined ? arguments[4] : 'ES256K'; var issuedAt = arguments.length > 5 && arguments[5] !== undefined ? arguments[5] : new Date(); var expiresAt = arguments.length > 6 && arguments[6] !== undefined ? arguments[6] : (0, _utils.nextYear)(); if (signingAlgorithm !== 'ES256K') { throw new Error('Signing algorithm not supported'); } var publicKey = _jsontokens.SECP256K1Client.derivePublicKey(privateKey); if (subject === null) { subject = { publicKey: publicKey }; } if (issuer === null) { issuer = { publicKey: publicKey }; } var tokenSigner = new _jsontokens.TokenSigner(signingAlgorithm, privateKey); var payload = { jti: (0, _utils.makeUUID4)(), iat: issuedAt.toISOString(), exp: expiresAt.toISOString(), subject: subject, issuer: issuer, claim: profile }; return tokenSigner.sign(payload); } /** * Wraps a token for a profile token file * @param {String} token - the token to be wrapped * @returns {Object} - including `token` and `decodedToken` */ function wrapProfileToken(token) { return { token: token, decodedToken: (0, _jsontokens.decodeToken)(token) }; } /** * Verifies a profile token * @param {String} token - the token to be verified * @param {String} publicKeyOrAddress - the public key or address of the * keypair that is thought to have signed the token * @returns {Object} - the verified, decoded profile token * @throws {Error} - throws an error if token verification fails */ function verifyProfileToken(token, publicKeyOrAddress) { var decodedToken = (0, _jsontokens.decodeToken)(token); var payload = decodedToken.payload; // Inspect and verify the subject if (payload.hasOwnProperty('subject')) { if (!payload.subject.hasOwnProperty('publicKey')) { throw new Error('Token doesn\'t have a subject public key'); } } else { throw new Error('Token doesn\'t have a subject'); } // Inspect and verify the issuer if (payload.hasOwnProperty('issuer')) { if (!payload.issuer.hasOwnProperty('publicKey')) { throw new Error('Token doesn\'t have an issuer public key'); } } else { throw new Error('Token doesn\'t have an issuer'); } // Inspect and verify the claim if (!payload.hasOwnProperty('claim')) { throw new Error('Token doesn\'t have a claim'); } var issuerPublicKey = payload.issuer.publicKey; var publicKeyBuffer = new Buffer(issuerPublicKey, 'hex'); var compressedKeyPair = _bitcoinjsLib.ECPair.fromPublicKey(publicKeyBuffer, { compressed: true }); var compressedAddress = (0, _utils.ecPairToAddress)(compressedKeyPair); var uncompressedKeyPair = _bitcoinjsLib.ECPair.fromPublicKey(publicKeyBuffer, { compressed: false }); var uncompressedAddress = (0, _utils.ecPairToAddress)(uncompressedKeyPair); if (publicKeyOrAddress === issuerPublicKey) { // pass } else if (publicKeyOrAddress === compressedAddress) { // pass } else if (publicKeyOrAddress === uncompressedAddress) { // pass } else { throw new Error('Token issuer public key does not match the verifying value'); } var tokenVerifier = new _jsontokens.TokenVerifier(decodedToken.header.alg, issuerPublicKey); if (!tokenVerifier) { throw new Error('Invalid token verifier'); } var tokenVerified = tokenVerifier.verify(token); if (!tokenVerified) { throw new Error('Token verification failed'); } return decodedToken; } /** * Extracts a profile from an encoded token and optionally verifies it, * if `publicKeyOrAddress` is provided. * @param {String} token - the token to be extracted * @param {String} publicKeyOrAddress - the public key or address of the * keypair that is thought to have signed the token * @returns {Object} - the profile extracted from the encoded token * @throws {Error} - if the token isn't signed by the provided `publicKeyOrAddress` */ function extractProfile(token) { var publicKeyOrAddress = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : null; var decodedToken = void 0; if (publicKeyOrAddress) { decodedToken = verifyProfileToken(token, publicKeyOrAddress); } else { decodedToken = (0, _jsontokens.decodeToken)(token); } var profile = {}; if (decodedToken.hasOwnProperty('payload')) { var payload = decodedToken.payload; if (payload.hasOwnProperty('claim')) { profile = decodedToken.payload.claim; } } return profile; }