UNPKG

shogun-core

Version:

SHOGUN CORE - Core library for Shogun Ecosystem

315 lines (314 loc) 12.7 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
"use strict"; var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", { value: true }); exports.WebAuthnSigner = void 0; const webauthn_1 = require("./webauthn"); const p256_1 = require("@noble/curves/p256"); const sha256_1 = require("@noble/hashes/sha256"); const derive_1 = __importDefault(require("../../gundb/derive")); const ethers_1 = require("ethers"); /** * Base64URL encoding utilities */ const base64url = { encode: function (buffer) { const bytes = new Uint8Array(buffer); return btoa(String.fromCharCode(...bytes)) .replace(/\+/g, "-") .replace(/\//g, "_") .replace(/=/g, ""); }, decode: function (str) { str = str.replace(/-/g, "+").replace(/_/g, "/"); while (str.length % 4) str += "="; const binary = atob(str); return new Uint8Array(binary.split("").map((c) => c.charCodeAt(0))); }, }; /** * WebAuthn Signer - Provides oneshot signing functionality * Similar to webauthn.js but integrated with our architecture * CONSISTENT with normal WebAuthn approach */ class WebAuthnSigner { webauthn; credentials = new Map(); constructor(webauthn) { this.webauthn = webauthn || new webauthn_1.Webauthn(); } /** * Creates a new WebAuthn credential for signing * Similar to webauthn.js create functionality but CONSISTENT with normal approach */ async createSigningCredential(username) { try { const credential = (await navigator.credentials.create({ publicKey: { challenge: crypto.getRandomValues(new Uint8Array(32)), rp: { id: window.location.hostname === "localhost" ? "localhost" : window.location.hostname, name: "Shogun Wallet", }, user: { id: new TextEncoder().encode(username), name: username, displayName: username, }, // Use the same algorithms as webauthn.js for SEA compatibility pubKeyCredParams: [ { type: "public-key", alg: -7 }, // ECDSA, P-256 curve, for signing { type: "public-key", alg: -25 }, // ECDH, P-256 curve, for creating shared secrets { type: "public-key", alg: -257 }, ], authenticatorSelection: { userVerification: "preferred", }, timeout: 60000, attestation: "none", }, })); if (!credential) { throw new Error("Failed to create WebAuthn credential"); } // Extract public key in the same way as webauthn.js const response = credential.response; const publicKey = response.getPublicKey(); if (!publicKey) { throw new Error("Failed to get public key from credential"); } const rawKey = new Uint8Array(publicKey); // Extract coordinates like webauthn.js (slice positions may need adjustment) const xCoord = rawKey.slice(27, 59); const yCoord = rawKey.slice(59, 91); const x = base64url.encode(xCoord); const y = base64url.encode(yCoord); const pub = `${x}.${y}`; // CONSISTENCY: Use the same hashing approach as normal WebAuthn const hashedCredentialId = ethers_1.ethers.keccak256(ethers_1.ethers.toUtf8Bytes(credential.id)); const signingCredential = { id: credential.id, rawId: credential.rawId, publicKey: { x, y }, pub, hashedCredentialId, // This ensures consistency }; // Store credential for later use this.credentials.set(credential.id, signingCredential); return signingCredential; } catch (error) { console.error("Error creating signing credential:", error); throw new Error(`Failed to create signing credential: ${error.message}`); } } /** * Creates an authenticator function compatible with SEA.sign * This is the key function that makes it work like webauthn.js */ createAuthenticator(credentialId) { const credential = this.credentials.get(credentialId); if (!credential) { throw new Error(`Credential ${credentialId} not found`); } return async (data) => { try { const challenge = new TextEncoder().encode(JSON.stringify(data)); const options = { challenge, rpId: window.location.hostname === "localhost" ? "localhost" : window.location.hostname, userVerification: "preferred", allowCredentials: [ { type: "public-key", id: credential.rawId, }, ], timeout: 60000, }; const assertion = (await navigator.credentials.get({ publicKey: options, })); if (!assertion) { throw new Error("WebAuthn assertion failed"); } return assertion.response; } catch (error) { console.error("WebAuthn assertion error:", error); throw error; } }; } /** * Creates a derived key pair from WebAuthn credential * CONSISTENT with normal approach: uses hashedCredentialId as password */ async createDerivedKeyPair(credentialId, username, extra) { const credential = this.credentials.get(credentialId); if (!credential) { throw new Error(`Credential ${credentialId} not found`); } try { // CONSISTENCY: Use the same approach as normal WebAuthn // Use hashedCredentialId as password (same as normal approach) const derivedKeys = await (0, derive_1.default)(credential.hashedCredentialId, // This is the key change! extra, { includeP256: true }); return { pub: derivedKeys.pub, priv: derivedKeys.priv, epub: derivedKeys.epub, epriv: derivedKeys.epriv, }; } catch (error) { console.error("Error deriving keys from WebAuthn credential:", error); throw error; } } /** * Creates a Gun user from WebAuthn credential * This ensures the SAME user is created as with normal approach */ async createGunUser(credentialId, username, gunInstance) { const credential = this.credentials.get(credentialId); if (!credential) { throw new Error(`Credential ${credentialId} not found`); } try { // Use the SAME approach as normal WebAuthn return new Promise((resolve) => { gunInstance .user() .create(username, credential.hashedCredentialId, (ack) => { if (ack.err) { // Try to login if user already exists gunInstance .user() .auth(username, credential.hashedCredentialId, (authAck) => { if (authAck.err) { resolve({ success: false, error: authAck.err }); } else { const userPub = authAck.pub; // Update credential with Gun user pub credential.gunUserPub = userPub; this.credentials.set(credentialId, credential); resolve({ success: true, userPub }); } }); } else { // User created, now login gunInstance .user() .auth(username, credential.hashedCredentialId, (authAck) => { if (authAck.err) { resolve({ success: false, error: authAck.err }); } else { const userPub = authAck.pub; // Update credential with Gun user pub credential.gunUserPub = userPub; this.credentials.set(credentialId, credential); resolve({ success: true, userPub }); } }); } }); }); } catch (error) { console.error("Error creating Gun user:", error); return { success: false, error: error.message }; } } /** * Signs data using WebAuthn + derived keys * This provides a hybrid approach: WebAuthn for user verification + derived keys for actual signing * CONSISTENT with normal approach */ async signWithDerivedKeys(data, credentialId, username, extra) { try { // First, verify user with WebAuthn const authenticator = this.createAuthenticator(credentialId); await authenticator(data); // This verifies the user // Then use derived keys for actual signing (CONSISTENT approach) const keyPair = await this.createDerivedKeyPair(credentialId, username, extra); // Create signature using P-256 (same as SEA) const message = JSON.stringify(data); const messageHash = (0, sha256_1.sha256)(new TextEncoder().encode(message)); // Convert base64url private key to bytes const privKeyBytes = base64url.decode(keyPair.priv); // Sign with P-256 const signature = p256_1.p256.sign(messageHash, privKeyBytes); // Format like SEA signature const seaSignature = { m: message, s: base64url.encode(signature.toCompactRawBytes()), }; return "SEA" + JSON.stringify(seaSignature); } catch (error) { console.error("Error signing with derived keys:", error); throw error; } } /** * Get the Gun user public key for a credential * This allows checking if the same user would be created */ getGunUserPub(credentialId) { const credential = this.credentials.get(credentialId); return credential?.gunUserPub; } /** * Get the hashed credential ID (for consistency checking) */ getHashedCredentialId(credentialId) { const credential = this.credentials.get(credentialId); return credential?.hashedCredentialId; } /** * Check if this credential would create the same Gun user as normal approach */ async verifyConsistency(credentialId, username, expectedUserPub) { const credential = this.credentials.get(credentialId); if (!credential) { return { consistent: false }; } // The derived keys should be the same as normal approach const derivedKeys = await this.createDerivedKeyPair(credentialId, username); return { consistent: expectedUserPub ? derivedKeys.pub === expectedUserPub : true, actualUserPub: derivedKeys.pub, expectedUserPub, }; } /** * Get credential by ID */ getCredential(credentialId) { return this.credentials.get(credentialId); } /** * List all stored credentials */ listCredentials() { return Array.from(this.credentials.values()); } /** * Remove a credential */ removeCredential(credentialId) { return this.credentials.delete(credentialId); } } exports.WebAuthnSigner = WebAuthnSigner; exports.default = WebAuthnSigner;