Fix signing (#26)

Author: mistermoe

lib/src/protocol/crypto.dart

@@ -1,20 +1,22 @@
-import 'dart:convert';
 import 'dart:math';
 import 'dart:typed_data';
 
 import 'package:crypto/crypto.dart';
+import 'package:tbdex/src/protocol/jcs.dart';
 import 'package:web5/web5.dart';
 
 class CryptoUtils {
   static Uint8List digest(Object value) {
-    final payload = json.encode(value);
-    final bytes = utf8.encode(payload);
-    return Uint8List.fromList(sha256.convert(bytes).bytes);
+    final canonicalized = JsonCanonicalizer.canonicalize(value);
+    final digest = sha256.convert(canonicalized);
+
+    return Uint8List.fromList(digest.bytes);
   }
 
   static String generateSalt() {
     var random = Random.secure();
-    var bytes = Uint8List.fromList(List.generate(16, (_) => random.nextInt(256)));
+    var bytes =
+        Uint8List.fromList(List.generate(16, (_) => random.nextInt(256)));
     return Base64Url.encode(bytes);
   }
-}
+}

lib/src/protocol/jcs.dart

@@ -0,0 +1,78 @@
+import 'dart:convert';
+import 'dart:typed_data';
+
+// TODO: turn into standalone lib
+
+/// Implements the JSON Canonicalization Scheme specified in
+/// [RFC8785](https://www.rfc-editor.org/rfc/rfc8785)
+class JsonCanonicalizer {
+  /// canonicalizes the provided input per
+  /// [RFC8785](https://www.rfc-editor.org/rfc/rfc8785)
+  static Uint8List canonicalize(Object? input, {StringBuffer? buffer}) {
+    //! this weird line is here to catch any non json encodable types (e.g. fn)
+    //! and error out if any are present. this could also be checked per term
+    //! (key and value) during canonicalization. refactor to per term if/when
+    //! we make this a standalone lib
+    final o = jsonDecode(jsonEncode(input));
+
+    final sb = buffer ?? StringBuffer();
+    _canonicalize(o, sb);
+
+    return utf8.encode(sb.toString());
+  }
+
+  static void _canonicalize(Object? o, StringBuffer sb) {
+    if (o == null || o is num || o is bool || o is String) {
+      _writePrimitive(o, sb);
+    } else if (o is List) {
+      _writeList(o, sb);
+    } else if (o is Map) {
+      _writeMap(o, sb);
+    }
+  }
+
+  /// Writes a primitive value to the `StringBuffer`.
+  static void _writePrimitive(Object? value, StringBuffer sb) {
+    sb.write(json.encode(value));
+  }
+
+  /// Writes a list to the `StringBuffer` using recursive serialization for elements.
+  static void _writeList(List<dynamic> list, StringBuffer sb) {
+    sb.write('[');
+    var isFirst = true;
+
+    for (final item in list) {
+      if (!isFirst) {
+        sb.write(',');
+      }
+
+      _canonicalize(item, sb);
+      isFirst = false;
+    }
+    sb.write(']');
+  }
+
+  /// Writes a map to the `StringBuffer` after sorting its keys.
+  static void _writeMap(Map<dynamic, dynamic> map, StringBuffer sb) {
+    sb.write('{');
+    final keys = List<dynamic>.from(map.keys)..sort();
+
+    var isFirst = true;
+    for (final key in keys) {
+      if (!isFirst) {
+        sb.write(',');
+      }
+
+      var keyStr = key;
+      if (key is! String) {
+        keyStr = key.toString();
+      }
+
+      sb.write('${json.encode(keyStr)}:');
+      _canonicalize(map[key], sb);
+      isFirst = false;
+    }
+
+    sb.write('}');
+  }
+}

lib/src/protocol/models/message.dart

@@ -42,7 +42,10 @@ class MessageMetadata extends Metadata {
     return MessageMetadata(
       kind: MessageKind.values.firstWhere(
         (kind) => kind.name == json['kind'],
-        orElse: () => throw TbdexParseException(TbdexExceptionCode.messageUnknownKind, 'unknown message kind: ${json['kind']}'),
+        orElse: () => throw TbdexParseException(
+          TbdexExceptionCode.messageUnknownKind,
+          'unknown message kind: ${json['kind']}',
+        ),
       ),
       to: json['to'],
       from: json['from'],
@@ -105,7 +108,7 @@ abstract class Message {
 
     if (signingDid != metadata.from) {
       throw TbdexSignatureVerificationException(
-      TbdexExceptionCode.messageSignatureMismatch,
+        TbdexExceptionCode.messageSignatureMismatch,
         'signature verification failed: was not signed by the expected DID',
       );
     }
@@ -114,7 +117,10 @@ abstract class Message {
   }
 
   Uint8List _digest() {
-    return CryptoUtils.digest({'metadata': metadata, 'data': data});
+    return CryptoUtils.digest({
+      'metadata': metadata.toJson(),
+      'data': data.toJson(),
+    });
   }
 
   @override

lib/src/protocol/models/message_data.dart

@@ -107,6 +107,7 @@ class RfqData extends MessageData {
     );
   }
 
+  @override
   Map<String, dynamic> toJson() {
     return {
       'offeringId': offeringId,
@@ -185,6 +186,7 @@ class QuoteData extends MessageData {
     );
   }
 
+  @override
   Map<String, dynamic> toJson() {
     return {
       'expiresAt': expiresAt,
@@ -269,6 +271,7 @@ class CloseData extends MessageData {
     );
   }
 
+  @override
   Map<String, dynamic> toJson() {
     return {
       if (success != null) 'success': success,
@@ -278,6 +281,7 @@ class CloseData extends MessageData {
 }
 
 class OrderData extends MessageData {
+  @override
   Map<String, dynamic> toJson() {
     return {};
   }
@@ -294,6 +298,7 @@ class OrderStatusData extends MessageData {
     );
   }
 
+  @override
   Map<String, dynamic> toJson() {
     return {
       'orderStatus': orderStatus,

lib/src/protocol/models/resource_data.dart

@@ -1,6 +1,10 @@
 import 'package:json_schema/json_schema.dart';
 
-abstract class Data {}
+abstract class Data {
+  Map<String, dynamic> toJson() {
+    throw UnimplementedError();
+  }
+}
 
 abstract class ResourceData extends Data {}
 
@@ -29,6 +33,7 @@ class OfferingData extends ResourceData {
     );
   }
 
+  @override
   Map<String, dynamic> toJson() {
     return {
       'description': description,

test/protocol/jcs_test.dart

@@ -0,0 +1,90 @@
+import 'dart:convert';
+import 'package:tbdex/src/protocol/jcs.dart';
+import 'package:test/test.dart';
+
+void main() {
+  group('JsonCanonicalizer', () {
+    test('empty array', () {
+      final result = JsonCanonicalizer.canonicalize([]);
+      expect(utf8.decode(result), equals('[]'));
+    });
+
+    test('one element array', () {
+      final result = JsonCanonicalizer.canonicalize([123]);
+      expect(utf8.decode(result), equals('[123]'));
+    });
+
+    test('multi element array', () {
+      final result = JsonCanonicalizer.canonicalize([123, 456, 'hello']);
+      expect(utf8.decode(result), equals('[123,456,"hello"]'));
+    });
+
+    test('null and undefined values in array', () {
+      final result = JsonCanonicalizer.canonicalize([null, null, 'hello']);
+      expect(utf8.decode(result), equals('[null,null,"hello"]'));
+    });
+
+    test('object in array', () {
+      final result = JsonCanonicalizer.canonicalize([
+        {'b': 123, 'a': 'string'}
+      ]);
+      expect(utf8.decode(result), equals('[{"a":"string","b":123}]'));
+    });
+
+    test('empty object', () {
+      final result = JsonCanonicalizer.canonicalize({});
+      expect(utf8.decode(result), equals('{}'));
+    });
+
+    test('object with one property', () {
+      final result = JsonCanonicalizer.canonicalize({'hello': 'world'});
+      expect(utf8.decode(result), equals('{"hello":"world"}'));
+    });
+
+    test('object with more than one property', () {
+      final result =
+          JsonCanonicalizer.canonicalize({'hello': 'world', 'number': 123});
+      expect(utf8.decode(result), equals('{"hello":"world","number":123}'));
+    });
+
+    test('null', () {
+      final result = JsonCanonicalizer.canonicalize(null);
+      expect(utf8.decode(result), equals('null'));
+    });
+
+    test('object with number key', () {
+      expect(
+        () => JsonCanonicalizer.canonicalize({42: 'foo'}),
+        throwsA(isA<JsonUnsupportedObjectError>()),
+      );
+    });
+
+    test('object with a function', () {
+      var customObject = {
+        'a': 123,
+        'b': 456,
+        'toJSON': () => {'b': 456, 'a': 123},
+      };
+
+      expect(
+        () => JsonCanonicalizer.canonicalize(customObject),
+        throwsA(isA<JsonUnsupportedObjectError>()),
+      );
+    });
+
+    // Handling error cases
+    test('NaN in array', () {
+      expect(
+        () => JsonCanonicalizer.canonicalize([double.nan]),
+        throwsA(isA<JsonUnsupportedObjectError>()),
+      );
+    });
+
+    test('Infinity in array', () {
+      expect(
+        () => JsonCanonicalizer.canonicalize([double.infinity]),
+        throwsA(isA<JsonUnsupportedObjectError>()),
+      );
+    });
+  });
+}

test/protocol/models/rfq_test.dart

@@ -14,10 +14,10 @@ void main() async {
   await TestData.initializeDids();
 
   group('Rfq', () {
-    test('can create a new rfq', () {
+    test('can create a new rfq', () async {
       final rfq = Rfq.create(
-        TestData.pfi,
-        TestData.alice,
+        TestData.pfiDid.uri,
+        TestData.aliceDid.uri,
         CreateRfqData(
           offeringId: TypeId.generate(ResourceKind.offering.name),
           payin: CreateSelectedPayinMethod(amount: '100', kind: 'BTC_ADDRESS'),