feature: added capability to ed25519 sign payload when creating or updating an Item

Author: grempe

src/cli.ts

@@ -73,6 +73,18 @@ const cmd = new Command()
       default: "text",
     },
   )
+  .globalEnv(
+    "TRUESTAMP_SIGNING_KEY_SEED=<signingKeySeed:string>",
+    "A Base64 encoded 32 byte random seed used to create an ed25519 signing keypair.",
+    {
+      required: false,
+      prefix: "TRUESTAMP_",
+    },
+  )
+  .globalOption(
+    "-S, --signing-key-seed <signingKeySeed:string>",
+    "A Base64 encoded 32 byte random seed used to create an ed25519 signing keypair. Overrides 'TRUESTAMP_SIGNING_KEY_SEED' env var.",
+  )
   .action(() => {
     cmd.showHelp();
   })

src/commands/items.ts

@@ -9,12 +9,18 @@ import {
   ValidationError,
 } from "../deps.ts";
 
-import { logSelectedOutputFormat, throwApiError } from "../utils.ts";
+import {
+  logSelectedOutputFormat,
+  signItemData,
+  throwApiError,
+} from "../utils.ts";
 
 import { createDataDir, writeItemToDb } from "../db.ts";
 
 import { environmentType, outputType } from "../cli.ts";
 
+import { ItemRequest, ItemRequestSchema } from "../types.ts";
+
 export const inputType = new EnumType(["binary", "json"]);
 
 // Limit the available hash types for now to those that are supported by the browser
@@ -28,6 +34,7 @@ const itemsCreate = new Command<{
   env: typeof environmentType;
   apiKey?: string;
   output: typeof outputType;
+  signingKeySeed?: string;
 }>()
   .description(
     `Create a new Item.
@@ -281,40 +288,60 @@ Pipe JSON content to the 'items create' command using '--input json' plus the '-
     try {
       let itemResp;
 
+      const createItemArgs = {
+        skipCF: !options.netMetadata,
+        skipOE: !options.observableEntropy,
+      };
+
       if (jsonItem) {
-        itemResp = await truestamp.createItem(jsonItem, {
-          skipCF: !options.netMetadata,
-          skipOE: !options.observableEntropy,
-        });
+        const itemRequest: ItemRequest = ItemRequestSchema.parse(jsonItem);
+
+        itemRequest.itemDataSignatures = options.signingKeySeed
+          ? signItemData(itemRequest, options.signingKeySeed)
+          : undefined;
+
+        console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
+
+        itemResp = await truestamp.createItem(itemRequest, createItemArgs);
       } else if (options.hash && options.hashType) {
+        const itemRequest: ItemRequest = {
+          itemData: [
+            {
+              hash: options.hash,
+              hashType: <HashTypes> options.hashType,
+            },
+          ],
+        };
+
+        itemRequest.itemDataSignatures = options.signingKeySeed
+          ? signItemData(itemRequest, options.signingKeySeed)
+          : undefined;
+
+        // console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
+
         itemResp = await truestamp.createItem(
-          {
-            itemData: [
-              {
-                hash: options.hash,
-                hashType: <HashTypes> options.hashType,
-              },
-            ],
-          },
-          {
-            skipCF: !options.netMetadata,
-            skipOE: !options.observableEntropy,
-          },
+          itemRequest,
+          createItemArgs,
         );
       } else if (altHash && altHashType) {
+        const itemRequest: ItemRequest = {
+          itemData: [
+            {
+              hash: altHash,
+              hashType: <HashTypes> altHashType,
+            },
+          ],
+        };
+
+        itemRequest.itemDataSignatures = options.signingKeySeed
+          ? signItemData(itemRequest, options.signingKeySeed)
+          : undefined;
+
+        // console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
+
         itemResp = await truestamp.createItem(
-          {
-            itemData: [
-              {
-                hash: altHash,
-                hashType: <HashTypes> altHashType,
-              },
-            ],
-          },
-          {
-            skipCF: !options.netMetadata,
-            skipOE: !options.observableEntropy,
-          },
+          itemRequest,
+          createItemArgs,
         );
       } else {
         throw new Error("No hash or hash-type provided");
@@ -369,6 +396,7 @@ const itemsUpdate = new Command<{
   env: typeof environmentType;
   apiKey?: string;
   output: typeof outputType;
+  signingKeySeed?: string;
 }>()
   .description(
     `Update an existing Item by replacing it with a new one.
@@ -569,45 +597,69 @@ Pipe JSON content to the 'items update' command using '--input json' plus the '-
     try {
       let itemResp;
 
+      const updateItemsArgs = {
+        skipCF: !options.netMetadata,
+        skipOE: !options.observableEntropy,
+      };
+
       if (jsonItem) {
-        itemResp = await truestamp.updateItem(options.id, jsonItem, {
-          skipCF: !options.netMetadata,
-          skipOE: !options.observableEntropy,
-        });
+        const itemRequest: ItemRequest = ItemRequestSchema.parse(jsonItem);
+
+        itemRequest.itemDataSignatures = options.signingKeySeed
+          ? signItemData(itemRequest, options.signingKeySeed)
+          : undefined;
+
+        console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
+
+        itemResp = await truestamp.updateItem(
+          options.id,
+          itemRequest,
+          updateItemsArgs,
+        );
       } else if (options.hash && options.hashType) {
+        const itemRequest: ItemRequest = {
+          itemData: [
+            {
+              hash: options.hash,
+              hashType: <HashTypes> options.hashType,
+            },
+          ],
+        };
+
+        itemRequest.itemDataSignatures = options.signingKeySeed
+          ? signItemData(itemRequest, options.signingKeySeed)
+          : undefined;
+
+        // console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
+
         itemResp = await truestamp.updateItem(
           options.id,
-          {
-            itemData: [
-              {
-                hash: options.hash,
-                hashType: <HashTypes> options.hashType,
-              },
-            ],
-          },
-          {
-            skipCF: !options.netMetadata,
-            skipOE: !options.observableEntropy,
-          },
+          itemRequest,
+          updateItemsArgs,
         );
       } else if (altHash && altHashType) {
+        const itemRequest: ItemRequest = {
+          itemData: [
+            {
+              hash: altHash,
+              hashType: <HashTypes> altHashType,
+            },
+          ],
+        };
+
+        itemRequest.itemDataSignatures = options.signingKeySeed
+          ? signItemData(itemRequest, options.signingKeySeed)
+          : undefined;
+
+        // console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
+
         itemResp = await truestamp.updateItem(
           options.id,
-          {
-            itemData: [
-              {
-                hash: altHash,
-                hashType: <HashTypes> altHashType,
-              },
-            ],
-          },
-          {
-            skipCF: !options.netMetadata,
-            skipOE: !options.observableEntropy,
-          },
+          itemRequest,
+          updateItemsArgs,
         );
       } else {
-        throw new Error("No hash or hashType provided");
+        throw new Error("No hash or hash-type provided");
       }
 
       const { id } = itemResp;
@@ -628,6 +680,7 @@ export const items = new Command<{
   env: typeof environmentType;
   apiKey?: string;
   output: typeof outputType;
+  signingKeySeed?: string;
 }>()
   .description("Create or update Items.")
   .action(() => {

src/utils.ts

@@ -1,12 +1,23 @@
 // Copyright © 2020-2022 Truestamp Inc. All rights reserved.
 
+import { generateKeyPairFromSeed, sign } from "@stablelib/ed25519";
+import { hash as sha256 } from "@stablelib/sha256";
 import { z } from "zod";
 
+import { canonify } from "@truestamp/canonify";
+
+import {
+  decode as base64Decode,
+  encode as base64Encode,
+} from "@stablelib/base64";
+
 const OutputWrapper = z.object({
   text: z.string(),
   json: z.record(z.string().min(1), z.any()),
 });
 
+import type { ItemRequest, Signature } from "./types.ts";
+
 export type OutputWrapper = z.infer<typeof OutputWrapper>;
 
 export function logSelectedOutputFormat(
@@ -149,3 +160,29 @@ export async function put<T, U>(
   };
   return await http<U>(path, init);
 }
+
+export function signItemData(
+  itemRequest: ItemRequest,
+  signingKeySeed: Uint8Array | string,
+): Signature[] {
+  if (typeof signingKeySeed === "string") {
+    signingKeySeed = base64Decode(signingKeySeed);
+  }
+
+  const signingKeyPair = generateKeyPairFromSeed(signingKeySeed);
+  const canonicalData = canonify(itemRequest.itemData);
+  const canonicalDataUint8Array = new TextEncoder().encode(canonicalData);
+  const canonicalDataHash = sha256(canonicalDataUint8Array);
+  const canonicalDataHashSignature = sign(
+    signingKeyPair.secretKey,
+    canonicalDataHash,
+  );
+
+  return [
+    {
+      publicKey: base64Encode(signingKeyPair.publicKey),
+      signature: base64Encode(canonicalDataHashSignature),
+      signatureType: "ed25519",
+    },
+  ];
+}