feat: varsig initial impl

Author: hugomrdias

packages/ucan/package.json

@@ -58,9 +58,10 @@
     "test:browser": "playwright-test 'test/**/!(*.node).test.js'"
   },
   "dependencies": {
+    "@ipld/dag-cbor": "^9.2.0",
     "@noble/ed25519": "^2.0.0",
     "@scure/bip39": "^1.2.2",
-    "iso-base": "^3.0.0",
+    "iso-base": "^4.0.0",
     "iso-did": "^1.6.0",
     "iso-kv": "^3.0.1",
     "iso-signatures": "^0.3.2",

packages/ucan/src/types.ts

@@ -6,6 +6,7 @@ import type { code as RAW_CODE } from 'multiformats/codecs/raw'
 import type { sha256 } from 'multiformats/hashes/sha2'
 import type { Block } from 'multiformats'
 import type { Driver, IKV } from 'iso-kv'
+import type { ENCODING } from './varsig'
 
 export { CID } from 'multiformats/cid'
 
@@ -203,3 +204,12 @@ export interface AgentCreateOptions {
     exported: string | CryptoKeyPair | undefined
   ) => Promise<ISigner<string | CryptoKeyPair>>
 }
+
+/**
+ * Varsig types
+ */
+
+export interface VarsigOptions {
+  encoding: keyof typeof ENCODING
+  alg: SignatureAlgorithm
+}

packages/ucan/src/varsig.js

@@ -0,0 +1,180 @@
+import { varint } from 'iso-base/varint'
+import { equals } from 'iso-base/utils'
+import { hex } from 'iso-base/rfc4648'
+
+export const VARSIG = 0x34
+
+export const ENCODING = /** @types  {const} */ {
+  RAW: 0x5f,
+  'DAG-PB': 0x70,
+  'DAG-CBOR': 0x71,
+  'DAG-JSON': 0x1_29,
+  JWT: 0x6a_77,
+}
+
+/**
+ * @type {Record<number, string>}
+ */
+export const CODE_ENCODING = /** @types  {const} */ {
+  0x5f: 'RAW',
+  0x70: 'DAG-PB',
+  0x71: 'DAG-CBOR',
+  0x1_29: 'DAG-JSON',
+  0x6a_77: 'JWT',
+}
+
+export const ALG = /** @type {const} */ ({
+  EdDSA: 0xed,
+  RS256: 0x12_05,
+  ES256: 0x12_00,
+  ES384: 0x12_01,
+  ES512: 0x12_02,
+  ES256K: 0xe7,
+})
+
+/**
+ * @type {Record<number, string>}
+ */
+export const CODE_ALG = /** @type {const} */ ({
+  0xed: 'EdDSA',
+  0x12_05: 'RS256',
+  0x12_00: 'ES256',
+  0x12_01: 'ES384',
+  0x12_02: 'ES512',
+  0xe7: 'ES256K',
+})
+
+/**
+ * @param {keyof typeof ENCODING} type
+ */
+export function encCode(type) {
+  const encCode = ENCODING[type]
+  if (!encCode) {
+    throw new TypeError(`Unsupported encoding ${type}`)
+  }
+  return encCode
+}
+
+/**
+ * Varint encoding for signature algorithms and encodings.
+ *
+ * @type {Record<keyof typeof ENCODING | 'VARSIG' | import('iso-did/types').SignatureAlgorithm, number[]  >}
+ */
+const VARINT = {
+  VARSIG: [52],
+
+  RAW: [95],
+  'DAG-CBOR': [113],
+  'DAG-JSON': [169, 2],
+  'DAG-PB': [112],
+  JWT: [247, 212, 1],
+
+  EdDSA: [237, 1],
+  //      rsa   + SHA2-256 + 256
+  RS256: [133, 36, 18, 128, 2],
+  // secp256k1  + SHA2-256
+  ES256K: [231, 1, 18],
+  //     p256   + SHA2-256
+  ES256: [128, 36, 18],
+  //     p384   + SHA2-384
+  ES384: [129, 36, 32],
+  //     p512   + SHA2-512
+  ES512: [130, 36, 19],
+}
+
+/**
+ * @param {import('./types.js').VarsigOptions} options
+ */
+export function encode(options) {
+  const enc = VARINT[options.encoding]
+  if (!enc) {
+    throw new TypeError(`Unsupported encoding ${options.encoding}`)
+  }
+
+  const alg = VARINT[options.alg]
+  if (!alg) {
+    throw new TypeError(`Unsupported algorithm ${options.alg}`)
+  }
+
+  return Uint8Array.from([...VARINT.VARSIG, ...alg, ...enc])
+}
+
+/**
+ * Match the algorithm and encoding.
+ *
+ * @param {keyof typeof ALG} alg
+ * @param {Uint8Array} buf
+ */
+function matchAlg(alg, buf) {
+  const expected = Uint8Array.from([...VARINT.VARSIG, ...VARINT[alg]])
+  const actual = buf.slice(0, VARINT[alg].length + 1)
+  const match = equals(actual, expected)
+  if (!match)
+    throw new TypeError(
+      `Header 0x${hex.encode(actual)} does not match expected 0x${hex.encode(expected)} for ${alg}`
+    )
+  const enc = varint.decode(buf, expected.length)
+  const encoding = CODE_ENCODING[enc[0]]
+  if (!encoding) {
+    throw new TypeError(`Unsupported encoding 0x${enc[0]}`)
+  }
+
+  return encoding
+}
+
+/**
+ * Decode varsig header
+ *
+ * @param {Uint8Array} buf
+ */
+export function decode(buf) {
+  const alg = varint.decode(buf, varint.encodingLength(VARSIG))
+
+  switch (CODE_ALG[alg[0]]) {
+    case 'RS256': {
+      return {
+        alg: 'RS256',
+        encoding: matchAlg('RS256', buf),
+      }
+    }
+
+    case 'ES256': {
+      return {
+        alg: 'ES256',
+        encoding: matchAlg('ES256', buf),
+      }
+    }
+
+    case 'ES384': {
+      return {
+        alg: 'ES384',
+        encoding: matchAlg('ES384', buf),
+      }
+    }
+
+    case 'ES512': {
+      return {
+        alg: 'ES512',
+        encoding: matchAlg('ES512', buf),
+      }
+    }
+
+    case 'ES256K': {
+      return {
+        alg: 'ES256K',
+        encoding: matchAlg('ES256K', buf),
+      }
+    }
+
+    case 'EdDSA': {
+      return {
+        alg: 'EdDSA',
+        encoding: matchAlg('EdDSA', buf),
+      }
+    }
+
+    default: {
+      throw new TypeError(`Unsupported algorithm with code ${alg[0]}`)
+    }
+  }
+}

packages/ucan/test/agent.test.js

@@ -5,7 +5,7 @@ import { MemoryDriver } from 'iso-kv/drivers/memory.js'
 import { RSASigner } from 'iso-signatures/signers/rsa.js'
 import { Agent } from '../src/agent.js'
 
-const test = suite('agent').only
+const test = suite('agent')
 
 const resolverEdOrEC = (
   /** @type {string | CryptoKeyPair | undefined} */ exported

packages/ucan/test/bip39.test.js

@@ -0,0 +1,54 @@
+import { assert, suite } from 'playwright-test/taps'
+import { varint } from 'iso-base/varint'
+import { ALG, ENCODING, VARSIG, decode, encode } from '../src/varsig.js'
+
+const { test } = suite('varsig')
+
+test('should encode es384 cbor', async function () {
+  const out = encode({
+    encoding: 'DAG-CBOR',
+    alg: 'ES384',
+  })
+
+  const varsig = varint.decode(out)
+  const alg = varint.decode(out, varsig[1])
+  const hash = varint.decode(out, varsig[1] + alg[1])
+  const enc = varint.decode(out, varsig[1] + alg[1] + hash[1])
+
+  assert.equal(varsig[0], VARSIG)
+  assert.equal(alg[0], 0x12_01)
+  assert.equal(hash[0], 0x20)
+  assert.equal(enc[0], ENCODING['DAG-CBOR'])
+})
+
+test('should encode rs256 cbor', async function () {
+  const out = encode({
+    encoding: 'DAG-CBOR',
+    alg: 'RS256',
+  })
+
+  const varsig = varint.decode(out)
+  const alg = varint.decode(out, varsig[1])
+  const hash = varint.decode(out, varsig[1] + alg[1])
+  const size = varint.decode(out, varsig[1] + alg[1] + hash[1])
+  const enc = varint.decode(out, varsig[1] + alg[1] + hash[1] + size[1])
+
+  assert.equal(varsig[0], VARSIG)
+  assert.equal(alg[0], ALG.RS256)
+  assert.equal(hash[0], 0x12)
+  assert.equal(size[0], 0x01_00)
+  assert.equal(enc[0], ENCODING['DAG-CBOR'])
+
+  assert.equal(out.length, varsig[1] + alg[1] + hash[1] + size[1] + enc[1])
+})
+
+test('should decode', async function () {
+  const header = {
+    encoding: 'JWT',
+    alg: 'RS256',
+  }
+  // @ts-ignore
+  const out = encode(header)
+
+  assert.deepEqual(decode(out), header)
+})