signature CI #180

Merged
merged 3 commits into from
Mar 25, 2024
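--- a/.github/workflows/signature.yml
+++ b/.github/workflows/signature.yml
@@ -0,0 +1,64 @@
+name: '@narval/signature CI'
+
+on:
+push:
+paths:
+- packages/signature/**
+- .github/workflows/signature.yml
+- jest.config.ts
+- jest.preset.js
+- .eslintrc.json
+- .prettierrc
+- package.json
+- package-lock.json
+
+jobs:
+build-and-test:
+name: Build and test
+
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout
+uses: actions/checkout@master
+
+- name: Install Node.js
+uses: actions/setup-node@v3
+with:
+node-version: '20.4.0'
+
+- name: Install dependencies
+run: |
+make install/ci
+
+- name: Code format
+shell: bash
+run: |
+make signature/format/check
+make signature/lint/check
+
+- name: Test types
+shell: bash
+run: |
+make signature/test/type
+
+- name: Test upstream application types
+shell: bash
+run: |
+make policy-engine/test/type
+
+- name: Test unit
+shell: bash
+run: |
+make signature/test/unit
+
+- name: Send Slack notification on failure
+if: failure() && github.ref == 'refs/heads/main'
+uses: 8398a7/action-slack@v3
+with:
+username: GitHub
+author_name: '@narval/signature CI failed'
+status: ${{ job.status }}
+fields: message,commit,author
+env:
+SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }}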
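Review bot: `uses: actions/checkout@master` and `uses: 8398a7/action-slack@v3` point at mutable refs, so the code this job runs can change without any change to this repository, and the Slack step runs with `secrets.SLACK_WEBHOOK` in its environment. Pin each action to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # <release tag>`; `actions/setup-node@v3` is the same case. The workflow also declares no `permissions:` block, so the job's `GITHUB_TOKEN` gets the repository default; adding a top-level `permissions:` with `contents: read` limits it to what a build-and-test job needs.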
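--- a/packages/signature/src/lib/__test__/unit/sign.spec.ts
+++ b/packages/signature/src/lib/__test__/unit/sign.spec.ts
@@ -38,7 +38,14 @@ describe('sign', () => {
 it('should sign build & sign es256 JWT correctly with a PEM', async () => {
 const key = await importPKCS8(PRIVATE_KEY_PEM, Alg.ES256)
 const jwk = await exportJWK(key)
-const jwt = await signJwt(payload, { ...jwk, alg: Alg.ES256, crv: 'P-256', kty: 'EC', kid: 'somekid' })
+const jwt = await signJwt(payload, {
+...jwk,
+alg: Alg.ES256,
+crv: 'P-256',
+kty: 'EC',
+kid: 'somekid',
+use: undefined
+})
 
 const verified = await jwtVerify(jwt, key)
 expect(verified.payload).toEqual(payload)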
2 changes: 1 addition & 1 deletion packages/signature/src/lib/sign.ts
Expand Up @@ -3,9 +3,9 @@ import { sha256 as sha256Hash } from '@noble/hashes/sha256'
import { keccak_256 as keccak256 } from '@noble/hashes/sha3'
import { SignJWT, base64url, importJWK } from 'jose'
import { isHex, signatureToHex, toBytes, toHex } from 'viem'
import { hash } from './hash-request'
import { privateKeySchema } from './schemas'
import { EcdsaSignature, Header, Hex, Jwk, JwsdHeader, Payload, PrivateKey, SigningAlg } from './types'
import { hash } from './hash-request'
import { hexToBase64Url } from './utils'
import { validate } from './validate'

12 changes: 6 additions & 6 deletions packages/signature/src/lib/utils.ts
Expand Up @@ -155,8 +155,8 @@ const rsaKeyToKid = (jwk: Jwk) => {
const generateRsaKeyPair = async (
opts: {
keyId?: string
modulusLength?: number,
use?: Use,
modulusLength?: number
use?: Use
} = {
modulusLength: 2048
}
Expand All @@ -175,9 +175,9 @@ const generateRsaKeyPair = async (
alg: Alg.RS256,
kty: KeyTypes.RSA,
crv: undefined,
use: opts.use || undefined,
use: opts.use || undefined
}
jwk.kid = opts.keyId || rsaKeyToKid(jwk);
jwk.kid = opts.keyId || rsaKeyToKid(jwk)

const pk = validate<RsaPrivateKey>(rsaPrivateKeySchema, jwk, 'Invalid RSA Private Key JWK')
return pk
Expand All @@ -187,8 +187,8 @@ export const generateJwk = async (
alg: Alg,
opts?: {
keyId?: string
modulusLength?: number,
use?: Use,
modulusLength?: number
use?: Use
}
): Promise<Jwk> => {
switch (alg) {
26 changes: 13 additions & 13 deletions packages/signature/src/lib/verify.ts
Expand Up @@ -101,19 +101,19 @@ export async function verifyJwt(jwt: string, jwk: Jwk): Promise<Jwt> {
}

export async function verifyJwsd(jws: string, jwk: PublicKey): Promise<Jwsd> {
const { header, payload, signature } = decodeJwsd(jws)
const { header, payload, signature } = decodeJwsd(jws)

if (header.alg === SigningAlg.EIP191) {
await verifyEip191(jws, jwk)
} else {
// TODO: Implement other algs individually without jose
const joseJwk = await importJWK(jwk)
await jwtVerify(jws, joseJwk)
}
if (header.alg === SigningAlg.EIP191) {
await verifyEip191(jws, jwk)
} else {
// TODO: Implement other algs individually without jose
const joseJwk = await importJWK(jwk)
await jwtVerify(jws, joseJwk)
}

return {
header,
payload,
signature
}
return {
header,
payload,
signature
}
}
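Review bot: `verifyJwsd` picks its verification branch from `header.alg`, a value `decodeJwsd` takes from the token before anything has been verified, and the jose branch calls `jwtVerify(jws, joseJwk)` with no restriction on accepted algorithms. The algorithm should come from the key, not the token: reject when `header.alg` differs from the key's `alg` before dispatching, and pass an allow-list to jose, e.g. `await jwtVerify(jws, joseJwk, { algorithms: [jwk.alg] })`. Whether `alg` is always set on `PublicKey` is not visible on this page, so confirm that first.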