Signed keys and wallet signature (#159)

fix: signed keys & wallet signature

Author: mkobetic

package-lock.json

@@ -61,7 +61,7 @@
   "dependencies": {
     "@noble/secp256k1": "^1.5.2",
     "@stardazed/streams-polyfill": "^2.4.0",
-    "@xmtp/proto": "~3.0.0",
+    "@xmtp/proto": "^3.1.0",
     "ethers": "^5.5.3",
     "long": "^5.2.0",
     "node-localstorage": "^2.2.1"

package.json

@@ -1,6 +1,6 @@
 import { contact, publicKey } from '@xmtp/proto'
 import { PublicKeyBundle } from './crypto'
-import PublicKey from './crypto/PublicKey'
+import { PublicKey } from './crypto/PublicKey'
 
 // ContactBundle packages all the infromation which a client uses to advertise on the network.
 export default class ContactBundle implements contact.ContactBundleV1 {

src/ContactBundle.ts

@@ -1,26 +1,177 @@
 import { privateKey } from '@xmtp/proto'
 import * as secp from '@noble/secp256k1'
 import Long from 'long'
-import Signature from './Signature'
-import PublicKey from './PublicKey'
+import Signature, {
+  ECDSACompactWithRecovery,
+  ecdsaSignerKey,
+  KeySigner,
+} from './Signature'
+import { PublicKey, SignedPublicKey, UnsignedPublicKey } from './PublicKey'
 import Ciphertext from './Ciphertext'
 import { decrypt, encrypt, sha256 } from './encryption'
+import { equalBytes } from './utils'
 
-// PrivateKey represents a secp256k1 private key.
-export default class PrivateKey implements privateKey.PrivateKey {
+// SECP256k1 private key
+type secp256k1 = {
+  bytes: Uint8Array // D big-endian, 32 bytes
+}
+
+// Validate SECP256k1 private key
+function secp256k1Check(key: secp256k1): void {
+  if (key.bytes.length !== 32) {
+    throw new Error(`invalid private key length: ${key.bytes.length}`)
+  }
+}
+
+// A private key signed with another key pair or a wallet.
+export class SignedPrivateKey
+  implements privateKey.SignedPrivateKey, KeySigner
+{
+  createdNs: Long // time the key was generated, ns since epoch
+  secp256k1: secp256k1 // eslint-disable-line camelcase
+  publicKey: SignedPublicKey // caches corresponding PublicKey
+
+  constructor(obj: privateKey.SignedPrivateKey) {
+    if (!obj.secp256k1) {
+      throw new Error('invalid private key')
+    }
+    secp256k1Check(obj.secp256k1)
+    this.secp256k1 = obj.secp256k1
+    this.createdNs = obj.createdNs
+    if (!obj.publicKey) {
+      throw new Error('missing public key')
+    }
+    this.publicKey = new SignedPublicKey(obj.publicKey)
+  }
+
+  // Create a random key pair signed by the signer.
+  static async generate(signer: KeySigner): Promise<SignedPrivateKey> {
+    const secp256k1 = {
+      bytes: secp.utils.randomPrivateKey(),
+    }
+    const createdNs = Long.fromNumber(new Date().getTime()).mul(1000000)
+    const unsigned = new UnsignedPublicKey({
+      secp256k1Uncompressed: {
+        bytes: secp.getPublicKey(secp256k1.bytes),
+      },
+      createdNs: createdNs,
+    })
+    const signed = await signer.signKey(unsigned)
+    return new SignedPrivateKey({
+      secp256k1,
+      createdNs,
+      publicKey: signed,
+    })
+  }
+
+  // Time the key was generated.
+  generated(): Date | undefined {
+    return new Date(this.createdNs.div(1000000).toNumber())
+  }
+
+  // Sign provided digest.
+  async sign(digest: Uint8Array): Promise<Signature> {
+    const [signature, recovery] = await secp.sign(
+      digest,
+      this.secp256k1.bytes,
+      {
+        recovered: true,
+        der: false,
+      }
+    )
+    return new Signature({
+      ecdsaCompact: { bytes: signature, recovery },
+    })
+  }
+
+  // Sign provided public key.
+  async signKey(pub: UnsignedPublicKey): Promise<SignedPublicKey> {
+    const keyBytes = pub.toBytes()
+    const digest = await sha256(keyBytes)
+    const signature = await this.sign(digest)
+    return new SignedPublicKey({
+      keyBytes,
+      signature,
+    })
+  }
+
+  // Return public key of the signer of the provided signed key.
+  static async signerKey(
+    key: SignedPublicKey,
+    signature: ECDSACompactWithRecovery
+  ): Promise<UnsignedPublicKey | undefined> {
+    const digest = await sha256(key.bytesToSign())
+    return ecdsaSignerKey(digest, signature)
+  }
+
+  // Derive shared secret from peer's PublicKey;
+  // the peer can derive the same secret using their private key and our public key.
+  sharedSecret(peer: SignedPublicKey | UnsignedPublicKey): Uint8Array {
+    return secp.getSharedSecret(
+      this.secp256k1.bytes,
+      peer.secp256k1Uncompressed.bytes,
+      false
+    )
+  }
+
+  // encrypt plain bytes using a shared secret derived from peer's PublicKey;
+  // additionalData allows including unencrypted parts of a Message in the authentication
+  // protection provided by the encrypted part (to make the whole Message tamper evident)
+  encrypt(
+    plain: Uint8Array,
+    peer: UnsignedPublicKey,
+    additionalData?: Uint8Array
+  ): Promise<Ciphertext> {
+    const secret = this.sharedSecret(peer)
+    return encrypt(plain, secret, additionalData)
+  }
+
+  // decrypt Ciphertext using a shared secret derived from peer's PublicKey;
+  // throws if any part of Ciphertext or additionalData was tampered with
+  decrypt(
+    encrypted: Ciphertext,
+    peer: UnsignedPublicKey,
+    additionalData?: Uint8Array
+  ): Promise<Uint8Array> {
+    const secret = this.sharedSecret(peer)
+    return decrypt(encrypted, secret, additionalData)
+  }
+
+  // Does the provided PublicKey correspond to this PrivateKey?
+  matches(key: SignedPublicKey): boolean {
+    return this.publicKey.equals(key)
+  }
+
+  // Is other the same/equivalent key?
+  equals(other: this): boolean {
+    return (
+      equalBytes(this.secp256k1.bytes, other.secp256k1.bytes) &&
+      this.publicKey.equals(other.publicKey)
+    )
+  }
+
+  // Encode this key into bytes.
+  toBytes(): Uint8Array {
+    return privateKey.SignedPrivateKey.encode(this).finish()
+  }
+
+  // Decode key from bytes.
+  static fromBytes(bytes: Uint8Array): SignedPrivateKey {
+    return new SignedPrivateKey(privateKey.SignedPrivateKey.decode(bytes))
+  }
+}
+
+// LEGACY: PrivateKey represents a secp256k1 private key.
+export class PrivateKey implements privateKey.PrivateKey {
   timestamp: Long
-  secp256k1: privateKey.PrivateKey_Secp256k1 | undefined // eslint-disable-line camelcase
+  secp256k1: secp256k1 // eslint-disable-line camelcase
   publicKey: PublicKey // caches corresponding PublicKey
 
   constructor(obj: privateKey.PrivateKey) {
     if (!obj.secp256k1) {
       throw new Error('invalid private key')
     }
-    if (obj.secp256k1.bytes.length !== 32) {
-      throw new Error(
-        `invalid private key length: ${obj.secp256k1.bytes.length}`
-      )
-    }
+    secp256k1Check(obj.secp256k1)
     this.timestamp = obj.timestamp
     this.secp256k1 = obj.secp256k1
     if (!obj.publicKey) {
@@ -48,17 +199,11 @@ export default class PrivateKey implements privateKey.PrivateKey {
   }
 
   generated(): Date | undefined {
-    if (!this.timestamp) {
-      return undefined
-    }
     return new Date(this.timestamp.toNumber())
   }
 
   // sign provided digest
   async sign(digest: Uint8Array): Promise<Signature> {
-    if (!this.secp256k1) {
-      throw new Error('invalid private key')
-    }
     const [signature, recovery] = await secp.sign(
       digest,
       this.secp256k1.bytes,
@@ -74,9 +219,6 @@ export default class PrivateKey implements privateKey.PrivateKey {
 
   // sign provided public key
   async signKey(pub: PublicKey): Promise<PublicKey> {
-    if (!pub.secp256k1Uncompressed) {
-      throw new Error('invalid public key')
-    }
     const digest = await sha256(pub.bytesToSign())
     pub.signature = await this.sign(digest)
     return pub
@@ -85,12 +227,6 @@ export default class PrivateKey implements privateKey.PrivateKey {
   // derive shared secret from peer's PublicKey;
   // the peer can derive the same secret using their PrivateKey and our PublicKey
   sharedSecret(peer: PublicKey): Uint8Array {
-    if (!peer.secp256k1Uncompressed) {
-      throw new Error('invalid public key')
-    }
-    if (!this.secp256k1) {
-      throw new Error('invalid private key')
-    }
     return secp.getSharedSecret(
       this.secp256k1.bytes,
       peer.secp256k1Uncompressed.bytes,
@@ -121,15 +257,17 @@ export default class PrivateKey implements privateKey.PrivateKey {
     return decrypt(encrypted, secret, additionalData)
   }
 
-  // Does the provided PublicKey correspnd to this PrivateKey?
+  // Does the provided PublicKey correspond to this PrivateKey?
   matches(key: PublicKey): boolean {
     return this.publicKey.equals(key)
   }
 
+  // Encode this key into bytes.
   toBytes(): Uint8Array {
     return privateKey.PrivateKey.encode(this).finish()
   }
 
+  // Decode key from bytes.
   static fromBytes(bytes: Uint8Array): PrivateKey {
     return new PrivateKey(privateKey.PrivateKey.decode(bytes))
   }

src/crypto/PrivateKey.ts

@@ -1,9 +1,9 @@
 import { privateKey as proto } from '@xmtp/proto'
-import PrivateKey from './PrivateKey'
-import PublicKey from './PublicKey'
+import { PrivateKey } from './PrivateKey'
+import { PublicKey } from './PublicKey'
 import PublicKeyBundle from './PublicKeyBundle'
 import Ciphertext from './Ciphertext'
-import * as ethers from 'ethers'
+import { Signer } from 'ethers'
 import { bytesToHex, getRandomValues, hexToBytes } from './utils'
 import { decrypt, encrypt } from './encryption'
 import { NoMatchingPreKeyError } from './errors'
@@ -22,7 +22,7 @@ export default class PrivateKeyBundle implements proto.PrivateKeyBundleV1 {
 
   // Generate a new key bundle with the preKey signed byt the identityKey.
   // Optionally sign the identityKey with the provided wallet as well.
-  static async generate(wallet?: ethers.Signer): Promise<PrivateKeyBundle> {
+  static async generate(wallet?: Signer): Promise<PrivateKeyBundle> {
     const identityKey = PrivateKey.generate()
     if (wallet) {
       await identityKey.publicKey.signWithWallet(wallet)
@@ -100,7 +100,7 @@ export default class PrivateKeyBundle implements proto.PrivateKeyBundleV1 {
 
   static storageSigRequestText(preKey: Uint8Array): string {
     // Note that an update to this signature request text will require
-    // addition of backward compatability for existing encrypted bundles
+    // addition of backward compatibility for existing encrypted bundles
     // and/or a migration; otherwise clients will no longer be able to
     // decrypt those bundles.
     return (
@@ -112,7 +112,7 @@ export default class PrivateKeyBundle implements proto.PrivateKeyBundleV1 {
   }
 
   // encrypts/serializes the bundle for storage
-  async toEncryptedBytes(wallet: ethers.Signer): Promise<Uint8Array> {
+  async toEncryptedBytes(wallet: Signer): Promise<Uint8Array> {
     // serialize the contents
     if (this.preKeys.length === 0) {
       throw new Error('missing pre-keys')
@@ -125,6 +125,7 @@ export default class PrivateKeyBundle implements proto.PrivateKeyBundleV1 {
         identityKey: this.identityKey,
         preKeys: this.preKeys,
       },
+      v2: undefined,
     }).finish()
     const wPreKey = getRandomValues(new Uint8Array(32))
     const secret = hexToBytes(
@@ -140,7 +141,7 @@ export default class PrivateKeyBundle implements proto.PrivateKeyBundleV1 {
   }
 
   encode(): Uint8Array {
-    return proto.PrivateKeyBundle.encode({ v1: this }).finish()
+    return proto.PrivateKeyBundle.encode({ v1: this, v2: undefined }).finish()
   }
 
   static decode(bytes: Uint8Array): PrivateKeyBundle {
@@ -156,7 +157,7 @@ export default class PrivateKeyBundle implements proto.PrivateKeyBundleV1 {
 
   // decrypts/deserializes the bundle from storage bytes
   static async fromEncryptedBytes(
-    wallet: ethers.Signer,
+    wallet: Signer,
     bytes: Uint8Array
   ): Promise<PrivateKeyBundle> {
     const [eBundle, needsUpdateA] = getEncryptedV1Bundle(bytes)