[proposal] jwt validation using cosmosAddress


[proposal] Add cosmosAddress Property in verificationMethod like a ethereumAddress #103

Since Cosmos uses prefixes for addresses, it is an advantageous address system to use as a DID. So, after decomposing the address into prefix and remainder, we want to use it as a DID. And, like Ethereum, Cosmos would like to add the address of Cosmos to the property so that it can be verified by extracting the public key from the signature.

dsrv1zp78zmtj4a7qvs4p2s08ngjn9rcwpaf5k9d0la (cosmos address)
did:dsrv:1zp78zmtj4a7qvs4p2s08ngjn9rcwpaf5k9d0la (did)

// VerifierAlgorithm.ts
export function verifyES256K(
  data: string,
  signature: string,
  authenticators: VerificationMethod[]
): VerificationMethod {
  const hash: Uint8Array = sha256(data)
  const sigObj: EcdsaSignature = toSignatureObject(signature)
  const fullPublicKeys = authenticators.filter(({ ethereumAddress, blockchainAccountId, cosmosAddress }) => {
    return typeof ethereumAddress === 'undefined' && typeof blockchainAccountId === 'undefined' &&  typeof cosmosAddress === 'undefined'
  })
  const addressKeys = authenticators.filter(({ ethereumAddress, blockchainAccountId, cosmosAddress }) => {
    return typeof ethereumAddress !== 'undefined' || typeof blockchainAccountId !== 'undefined' || typeof cosmosAddress !== 'undefined'
  })

  let signer: VerificationMethod | undefined = fullPublicKeys.find((pk: VerificationMethod) => {
    try {
      const pubBytes = extractPublicKeyBytes(pk)
      return secp256k1.keyFromPublic(pubBytes).verify(hash, <SignatureInput>sigObj)
    } catch (err) {
      return false
    }
  })

  if (!signer && addressKeys.length > 0) {
    signer = verifyRecoverableES256K(data, signature, addressKeys)
  }

  if (!signer) throw new Error('invalid_signature: Signature invalid for JWT')
  return signer
}

// VerifierAlgorithm.ts
  const checkSignatureAgainstSigner = (sigObj: EcdsaSignature): VerificationMethod | undefined => {
    const hash: Uint8Array = sha256(data)
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
    const recoveredKey: any = secp256k1.recoverPubKey(hash, <SignatureInput>sigObj, <number>sigObj.recoveryParam)
    const recoveredPublicKeyHex: string = recoveredKey.encode('hex')
    const recoveredCompressedPublicKeyHex: string = recoveredKey.encode('hex', true)

    const signer: VerificationMethod | undefined = authenticators.find((pk: VerificationMethod) => {
      const keyHex = bytesToHex(extractPublicKeyBytes(pk))
      // pk is only in scope inside this callback, so the address is derived per verification method.
      // pk.id is for extracting the prefix.
      const recoveredAddress: string = pk.ethereumAddress ? toEthereumAddress(recoveredPublicKeyHex) : toCosmosAddress(pk.id, recoveredPublicKeyHex)
      return (
        keyHex === recoveredPublicKeyHex ||
        keyHex === recoveredCompressedPublicKeyHex ||
        pk.ethereumAddress?.toLowerCase() === recoveredAddress ||
        pk.blockchainAccountId?.split('@eip155')?.[0].toLowerCase() === recoveredAddress ||
        pk.cosmosAddress === recoveredAddress
      )
    })

    return signer
  }

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 8 (7 by maintainers)
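
An added example, not code from did-jwt or from the issue: the prefix/remainder split and the `pk.cosmosAddress === recoveredAddress` comparison from the proposal, done with bech32 checksum validation (BIP-173) so that malformed or mixed-case strings never match. All helper names are hypothetical, and the sample address is the BIP-173 test vector rather than a real Cosmos address.

```typescript
// Added example: bech32 checksum check per BIP-173; all helper names are hypothetical.
const CHARSET = 'qpzry9x8gf2tvdw0s3jn54khce6mua7l'
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
function polymod(values: number[]): number {
  let chk = 1
  values.forEach((v) => {
    const top = chk >>> 25
    chk = ((chk & 0x1ffffff) << 5) ^ v
    GEN.forEach((g, i) => { if ((top >>> i) & 1) chk ^= g })
  })
  return chk
}
// Returns the prefix (HRP) and remainder only if the checksum verifies.
function decodeBech32(addr: string): { hrp: string; data: string } | undefined {
  if (addr !== addr.toLowerCase() && addr !== addr.toUpperCase()) return undefined // mixed case is invalid
  const s = addr.toLowerCase()
  const sep = s.lastIndexOf('1') // the data part can never contain '1'
  if (sep < 1 || sep + 7 > s.length || s.length > 90) return undefined
  const hrp = s.slice(0, sep), data = s.slice(sep + 1)
  const values: number[] = []
  for (let i = 0; i < hrp.length; i++) values.push(hrp.charCodeAt(i) >> 5)
  values.push(0)
  for (let i = 0; i < hrp.length; i++) values.push(hrp.charCodeAt(i) & 31)
  for (let i = 0; i < data.length; i++) {
    const v = CHARSET.indexOf(data.charAt(i))
    if (v < 0) return undefined
    values.push(v)
  }
  return polymod(values) === 1 ? { hrp, data } : undefined
}
// Address -> DID, following the page's mapping: did:<prefix>:1<remainder>
function cosmosAddressToDid(addr: string): string | undefined {
  const d = decodeBech32(addr)
  return d ? `did:${d.hrp}:1${d.data}` : undefined
}
// DID (or a verification method id with a #fragment) -> address
function didToCosmosAddress(did: string): string | undefined {
  const m = /^did:([a-z0-9]+):(1[a-z0-9]+)(?:[#?\/].*)?$/.exec(did)
  if (!m) return undefined
  const d = decodeBech32(m[1] + m[2])
  // Reject ids whose remainder smuggles in a second '1' and so shifts the prefix.
  return d && d.hrp === m[1] ? `${d.hrp}1${d.data}` : undefined
}
// Checksum-validated, case-insensitive stand-in for `pk.cosmosAddress === recoveredAddress`
function sameCosmosAddress(claimed: string, recovered: string): boolean {
  const a = decodeBech32(claimed), b = decodeBech32(recovered)
  return !!a && !!b && a.hrp === b.hrp && a.data === b.data
}
// Constructed sample: the BIP-173 test vector, not a real Cosmos address
const SAMPLE = 'abcdef1qpzry9x8gf2tvdw0s3jn54khce6mua7lmqqqxw'
```
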

Top GitHub Comments

mirceanis commented, Oct 28, 2021 (1 reaction)

Yes, that sounds like a good idea

daoauth commented, Oct 28, 2021 (1 reaction)

@mirceanis Thanks. I’ll update soon.

I want to create and use the “verifyBlockchainAccountId” function by separating the folder for the future like this PR. What do you think?

blockchains - index (verifyBlockchainAccountId)
            - eip155
            - cosmos
            - bip122
            - etc

  const checkSignatureAgainstSigner = (sigObj: EcdsaSignature): VerificationMethod | undefined => {
    const hash: Uint8Array = sha256(data)
    // eslint-disable-next-line @typescript-eslint/no-explicit-any
    const recoveredKey: any = secp256k1.recoverPubKey(hash, <SignatureInput>sigObj, <number>sigObj.recoveryParam)
    const recoveredPublicKeyHex: string = recoveredKey.encode('hex')
    const recoveredCompressedPublicKeyHex: string = recoveredKey.encode('hex', true)
    const recoveredAddress: string = toEthereumAddress(recoveredPublicKeyHex)

    const signer: VerificationMethod | undefined = authenticators.find((pk: VerificationMethod) => {
      const keyHex = bytesToHex(extractPublicKeyBytes(pk))
      return (
        keyHex === recoveredPublicKeyHex ||
        keyHex === recoveredCompressedPublicKeyHex ||
        pk.ethereumAddress?.toLowerCase() === recoveredAddress ||
        pk.blockchainAccountId?.split('@eip155')?.[0].toLowerCase() === recoveredAddress || // CAIP-2
        verifyBlockchainAccountId(recoveredKey, pk.blockchainAccountId || '') // CAIP-10
      )
    })

    return signer
  }