Implemented manifest signatures (#27)

* Implemented manifest signatures

* Vendor tweetnacl

* Various changes

* New verifySignature command
* Tests for validating signatures
* keygen command now outputs to two files
* manifest command now uses public key files instead of strings

* Update CI deno version

* Optional external key for verification, flow control using exit instead of throw

* Verify that hashes match

.github/workflows/ci.yml

@@ -14,5 +14,5 @@ jobs:
     - uses: actions/checkout@v3
     - uses: denoland/setup-deno@v1
       with:
-        deno-version: v1.38.2
+        deno-version: v1.40.4
     - run: deno task test --no-check

deno.json

@@ -24,5 +24,6 @@
     "files": {
       "exclude": ["node_modules/", "test/", "vendor/", "dist/", "build/"]
     }
-  }
+  },
+  "importMap": "./vendor/import_map.json"
 }

src/commands.ts

@@ -5,7 +5,9 @@ export { eventsAfter } from './eventsAfter.ts'
 export { get } from './get.ts'
 export { hash } from './hash.ts'
 export { help } from './help.ts'
+export { keygen } from './keygen.ts'
 export { manifest } from './manifest.ts'
 export { migrate } from './migrate.ts'
 export { upload } from './upload.ts'
+export { verifySignature } from './verifySignature.ts'
 export { version } from './version.ts'

src/deps.ts

@@ -5,6 +5,7 @@ export * as colors from "https://deno.land/std@0.141.0/fmt/colors.ts"
 export * as fs from 'https://deno.land/std@0.141.0/fs/mod.ts'
 export * as path from 'https://deno.land/std@0.141.0/path/mod.ts'
 export * as streams from "https://deno.land/std@0.141.0/streams/mod.ts"
+export { default as tweetnacl } from 'https://esm.sh/tweetnacl@1.0.3?pin=v120'
 export { base58btc } from 'https://esm.sh/multiformats@11.0.2/bases/base58?pin=v120'
 export { type Multibase } from 'https://esm.sh/multiformats@11.0.2?pin=v120'
 export { default as blake } from 'https://esm.sh/@multiformats/blake2@1.0.13?pin=v120'

src/help.ts

@@ -6,8 +6,9 @@ export function help (args?: string[]) {
       chel
       chel help [command]
       chel version
-      chel keygen [--out <key.json>]
-      chel manifest [-k|--key <pubkey1> [-k|--key <pubkey2> ...]] [--out=<manifest.json>] [-s|--slim <contract-slim.js>] [-v|--version <version>] <key.json> <contract-bundle.js>
+      chel keygen [--out <key.json>] [--pubout <key.pub.json>]
+      chel verifySignature [-k <pubkey.json>] <manifest.json>
+      chel manifest [-k|--key <pubkey1.json> [-k|--key <pubkey2.json> ...]] [--out=<manifest.json>] [-s|--slim <contract-slim.js>] [-v|--version <version>] <key.json> <contract-bundle.js>
       chel deploy <url-or-dir-or-sqlitedb> <contract-manifest.json> [<manifest2.json> [<manifest3.json> ...]]
       chel upload <url-or-dir-or-sqlitedb> <file1> [<file2> [<file3> ...]]
       chel latestState <url> <contractID>

src/keygen.ts

@@ -0,0 +1,29 @@
+import { colors, flags } from './deps.ts'
+import { revokeNet } from './utils.ts'
+import { EDWARDS25519SHA512BATCH, keygen as cryptoKeygen, keyId, serializeKey } from './lib/crypto.ts'
+
+export const keygen = async (args: string[]) => {
+  await revokeNet()
+  const parsedArgs = flags.parse(args)
+  const key = cryptoKeygen(EDWARDS25519SHA512BATCH)
+  const pubKeyData = {
+    version: '1.0.0',
+    pubkey: serializeKey(key, false)
+  }
+  const keyData = {
+    ...pubKeyData,
+    privkey: serializeKey(key, true)
+  }
+  const result = JSON.stringify(keyData)
+  const pubResult = JSON.stringify(pubKeyData)
+
+  const idx = keyId(key).slice(-12)
+  const outFile = parsedArgs['out'] || `${EDWARDS25519SHA512BATCH}-${idx}.json`
+  const pubOutFile = parsedArgs['pubout'] || `${EDWARDS25519SHA512BATCH}-${idx}.pub.json`
+
+  await Deno.writeTextFile(outFile, result)
+  console.log(colors.green('wrote:'), outFile, colors.blue('(secret)'))
+
+  await Deno.writeTextFile(pubOutFile, pubResult)
+  console.log(colors.green('wrote:'), pubOutFile, colors.blue('(public)'))
+}