0.3.0 ⢠Published 10 months ago
@transmute/cose v0.3.0
cose
Usage
š„ This package is not stable or suitable for production use š§
npm install '@transmute/cose'
const cose = require("@transmute/cose");
import * as cose from "@transmute/cose";
Examples
COSE Receipts & Signature Transparency
import crypto from "crypto";
import sqlite from "better-sqlite3";
import * as cose from "@transmute/cose";
const create_software_producer = async ({
website,
product,
}: {
website: string;
product: string;
}) => {
const privateKeyJwk = await cose.crypto.key.generate<
"ES256",
"application/jwk+json"
>({
type: "application/jwk+json",
algorithm: "ES256",
});
const publicKeyJwk = cose.public_from_private({
key: privateKeyJwk,
type: "application/jwk+json",
});
const signer = cose.hash.signer({
remote: cose.crypto.signer({
privateKeyJwk,
}),
});
const verifier = cose.detached.verifier({
resolver: {
resolve: async () => {
return publicKeyJwk;
},
},
});
return { website, product, signer, verifier, public_key: publicKeyJwk };
};
const create_sqlite_log = (database: string) => {
const db = new sqlite(database);
db.prepare(
`
CREATE TABLE IF NOT EXISTS tiles
(id TEXT PRIMARY KEY, data BLOB);
`
).run();
db.prepare(
`
CREATE TABLE IF NOT EXISTS kv
(key text unique, value text);
`
).run();
const hash_size = 32;
const tile_height = 2;
const log = new cose.TileLog({
tile_height,
hash_size,
read_tree_size: () => {
const rows = db
.prepare(
`
SELECT * FROM kv
WHERE key = 'tree_size'
`
)
.all();
const [row] = rows as { key: string; value: string }[];
try {
return parseInt(row.value, 10);
} catch (e) {
// console.error(e)
return 0;
}
},
update_tree_size: (new_tree_size: number) => {
try {
db.prepare(
`
INSERT OR REPLACE INTO kv (key, value)
VALUES( 'tree_size', '${new_tree_size}');
`
).run();
} catch (e) {
// console.error(e)
// ignore errors
}
},
read_tree_root: function () {
const rows = db
.prepare(
`
SELECT * FROM kv
WHERE key = 'tree_root'
`
)
.all();
const [row] = rows as { key: string; value: string }[];
try {
return new Uint8Array(Buffer.from(row.value, "hex"));
} catch (e) {
return null;
}
},
update_tree_root: (new_tree_root: Uint8Array): void => {
try {
db.prepare(
`
INSERT OR REPLACE INTO kv (key, value)
VALUES( 'tree_root', '${Buffer.from(new_tree_root).toString("hex")}');
`
).run();
} catch (e) {
// ignore errors
}
},
read_tile: (tile: string): Uint8Array => {
const [base_tile] = tile.split(".");
// look for completed tiles first
for (let i = 4; i > 0; i--) {
const tile_path = base_tile + "." + i;
const rows = db
.prepare(
`
SELECT * FROM tiles
WHERE id = '${tile_path}'
`
)
.all();
if (rows.length) {
const [row] = rows as { id: string; data: Uint8Array }[];
return row.data;
}
}
return new Uint8Array(32);
},
update_tiles: function (
tile_path: string,
start: number,
end: number,
stored_hash: Uint8Array
) {
if (end - start !== 32) {
// this hash was an intermediate of the tile
// so it will never be persisted
return null;
}
let tile_data = this.read_tile(tile_path);
if (tile_data.length < end) {
const expanded_tile_data = new Uint8Array(tile_data.length + 32);
expanded_tile_data.set(tile_data);
tile_data = expanded_tile_data;
}
tile_data.set(stored_hash, start);
try {
db.prepare(
`
INSERT INTO tiles (id, data)
VALUES( '${tile_path}', x'${Buffer.from(tile_data).toString("hex")}');
`
).run();
} catch (e) {
// ignore errors
}
return tile_data;
},
hash_function: (data: Uint8Array) => {
return new Uint8Array(crypto.createHash("sha256").update(data).digest());
},
});
return { db, log };
};
const create_transparency_service = async ({
website,
database,
}: {
website: string;
database: string;
}) => {
const privateKeyJwk = await cose.crypto.key.generate<
"ES256",
"application/jwk+json"
>({
type: "application/jwk+json",
algorithm: "ES256",
});
const publicKeyJwk = cose.public_from_private({
key: privateKeyJwk,
type: "application/jwk+json",
});
const signer = cose.detached.signer({
remote: cose.crypto.signer({
privateKeyJwk,
}),
});
const verifier = cose.detached.verifier({
resolver: {
resolve: async () => {
return publicKeyJwk;
},
},
});
const { log, db } = create_sqlite_log(database);
const register_signed_statement = async (signed_statement: Uint8Array) => {
// registration policy goes here...
// for this test, we accept everything
const record = await cose.prepare_for_inclusion(signed_statement);
log.write_record(record);
const root = log.root();
const index = log.size();
const decoded = cose.cbor.decode(signed_statement);
const signed_statement_header = cose.cbor.decode(decoded.value[0]);
const signed_statement_claims = signed_statement_header.get(
cose.header.cwt_claims
);
const inclusion_proof = log.inclusion_proof(index, index - 1);
return signer.sign({
protectedHeader: cose.ProtectedHeader([
[cose.header.kid, publicKeyJwk.kid],
[cose.header.alg, cose.algorithm.es256],
[
cose.draft_headers.verifiable_data_structure,
cose.verifiable_data_structures.rfc9162_sha256,
],
[
cose.header.cwt_claims,
cose.CWTClaims([
[cose.cwt_claims.iss, website], // issuer notary
// receipt subject is statement subject.
// ... could be receipts have different subject id
[
cose.cwt_claims.sub,
signed_statement_claims.get(cose.cwt_claims.sub),
],
]),
],
]),
unprotectedHeader: cose.UnprotectedHeader([
[
cose.draft_headers.verifiable_data_proofs,
cose.VerifiableDataStructureProofs([
[cose.rfc9162_sha256_proof_types.inclusion, [inclusion_proof]],
]),
],
]),
payload: root,
});
};
return {
website,
db,
signer,
verifier,
log,
register_signed_statement,
public_key: publicKeyJwk,
};
};
const software_producer = await create_software_producer({
website: "https://green.example",
product: "https://green.example/cli@v1.2.3",
});
const blue_notary = await create_transparency_service({
website: "https://blue.example",
database: "./tests/draft-ietf-scitt-architecture/blue.transparency.db",
});
const orange_notary = await create_transparency_service({
website: "https://orange.example",
database: "./tests/draft-ietf-scitt-architecture/orange.transparency.db",
});
const statement = Buffer.from("large file that never moves over a network");
const signed_statement = await software_producer.signer.sign({
protectedHeader: cose.ProtectedHeader([
[cose.header.kid, software_producer.public_key.kid],
[cose.header.alg, cose.algorithm.es256],
[cose.draft_headers.payload_hash_algorithm, cose.algorithm.sha_256],
[cose.draft_headers.payload_preimage_content_type, "application/spdx+json"],
[cose.draft_headers.payload_location, "https://cloud.example/sbom/42"],
[
cose.header.cwt_claims,
cose.CWTClaims([
[cose.cwt_claims.iss, software_producer.website],
[cose.cwt_claims.sub, software_producer.product],
]),
],
]),
payload: statement,
});
const blue_receipt = await blue_notary.register_signed_statement(
signed_statement
);
const transparent_statement = await cose.add_receipt(
signed_statement,
blue_receipt
);
const orange_receipt = await orange_notary.register_signed_statement(
transparent_statement
);
const signed_statement_with_multiple_receipts = await cose.add_receipt(
transparent_statement,
orange_receipt
);
const statement_hash = new Uint8Array(
await (await cose.crypto.subtle()).digest("SHA-256", statement)
);
const verification = await verify_transparent_statement(
statement_hash,
signed_statement_with_multiple_receipts,
{
tree_hasher: blue_notary.log.tree_hasher, // both logs use same tree algorithm
resolver: {
resolve: async (token: Buffer) => {
const decoded = cose.cbor.decode(token);
const header = cose.cbor.decode(decoded.value[0]);
const kid = header.get(cose.header.kid);
switch (kid) {
case software_producer.public_key.kid: {
return software_producer.public_key;
}
case blue_notary.public_key.kid: {
return blue_notary.public_key;
}
case orange_notary.public_key.kid: {
return orange_notary.public_key;
}
default: {
throw new Error("Unknown key: " + kid);
}
}
},
},
}
);
Example of a transparent signed statement with multiple receipts in extended diagnostic notation:
Transparent Statement
/ cose-sign1 / 18([
/ protected / <<{
/ key / 4 : "vCl7UcS0ZZY99VpRthDc-0iUjLdfLtnmFqLJ2-Tt8N4",
/ algorithm / 1 : -7, # ES256
/ hash / -6800 : -16, # SHA-256
/ content / -6802 : "application/spdx+json",
/ location / -6801 : "https://cloud.example/sbom/42",
/ claims / 15 : {
/ issuer / 1 : "https://green.example",
/ subject / 2 : "https://green.example/cli@v1.2.3",
},
}>>,
/ unprotected / {
/ receipts / 394 : {
<</ cose-sign1 / 18([
/ protected / <<{
/ key / 4 : "mxA4KiOkQFZ-dkLebSo3mLOEPR7rN8XtxkJe45xuyJk",
/ algorithm / 1 : -7, # ES256
/ notary / 395 : 1, # RFC9162 SHA-256
/ claims / 15 : {
/ issuer / 1 : "https://blue.example",
/ subject / 2 : "https://green.example/cli@v1.2.3",
},
}>>,
/ unprotected / {
/ proofs / 396 : {
/ inclusion / -1 : [
<<[
/ size / 9, / leaf / 8,
/ inclusion path /
h'7558a95f...e02e35d6'
]>>
],
},
},
/ payload / null,
/ signature / h'02d227ed...ccd3774f'
])>>,
<</ cose-sign1 / 18([
/ protected / <<{
/ key / 4 : "ajOkeBTJou_wPrlExLMw7L9OTCD5ZIOBYc-O6LESe9c",
/ algorithm / 1 : -7, # ES256
/ notary / 395 : 1, # RFC9162 SHA-256
/ claims / 15 : {
/ issuer / 1 : "https://orange.example",
/ subject / 2 : "https://green.example/cli@v1.2.3",
},
}>>,
/ unprotected / {
/ proofs / 396 : {
/ inclusion / -1 : [
<<[
/ size / 6, / leaf / 5,
/ inclusion path /
h'9352f974...4ffa7ce0',
h'54806f32...f007ea06'
]>>
],
},
},
/ payload / null,
/ signature / h'36581f38...a5581960'
])>>
},
},
/ payload / h'0167c57c...deeed6d4',
/ signature / h'2544f2ed...5840893b'
])
COSE RFCs
- RFC9360 - Header Parameters for Carrying and Referencing X.509 Certificates
- RFC9052 - Structures and Process
- RFC9053 - Initial Algorithms
COSE Drafts
SCITT Drafts
Develop
npm i
npm t
npm run lint
npm run build
Questions? Contact Transmute
0.3.0
10 months ago
0.2.12
11 months ago
0.2.11
11 months ago
0.2.10
11 months ago
0.2.1
11 months ago
0.2.7
11 months ago
0.2.6
11 months ago
0.2.9
11 months ago
0.2.8
11 months ago
0.2.2
11 months ago
0.2.5
11 months ago
0.2.4
11 months ago
0.2.0
1 year ago
0.1.1
1 year ago
0.1.0
1 year ago
0.0.20
2 years ago
0.0.21
2 years ago
0.0.22
2 years ago
0.0.23
2 years ago
0.0.24
2 years ago
0.0.25
2 years ago
0.0.15
2 years ago
0.0.16
2 years ago
0.0.17
2 years ago
0.0.18
2 years ago
0.0.19
2 years ago
0.0.10
2 years ago
0.0.11
2 years ago
0.0.12
2 years ago
0.0.13
2 years ago
0.0.14
2 years ago
0.0.9
2 years ago
0.0.8
2 years ago
0.0.7
2 years ago
0.0.6
2 years ago
0.0.5
2 years ago
0.0.4
2 years ago
0.0.3
2 years ago
0.0.2
2 years ago
0.0.1
2 years ago
0.0.0
2 years ago