feat: bbs createKey, sign and verify (#684)

Signed-off-by: Berend Sliedrecht <berend@animo.id>

packages/core/package.json

@@ -23,6 +23,7 @@
     "prepublishOnly": "yarn run build"
   },
   "dependencies": {
+    "@mattrglobal/bbs-signatures": "^1.0.0",
     "@multiformats/base-x": "^4.0.1",
     "@stablelib/ed25519": "^1.0.2",
     "@stablelib/sha256": "^1.0.1",

packages/core/src/agent/EnvelopeService.ts

@@ -5,8 +5,7 @@ import type { AgentMessage } from './AgentMessage'
 import { inject, scoped, Lifecycle } from 'tsyringe'
 
 import { InjectionSymbols } from '../constants'
-import { KeyType } from '../crypto'
-import { Key } from '../modules/dids'
+import { Key, KeyType } from '../crypto'
 import { ForwardMessage } from '../modules/routing/messages'
 import { Wallet } from '../wallet/Wallet'
 

packages/core/src/agent/MessageSender.ts

@@ -1,5 +1,6 @@
+import type { Key } from '../crypto'
 import type { ConnectionRecord } from '../modules/connections'
-import type { DidDocument, Key } from '../modules/dids'
+import type { DidDocument } from '../modules/dids'
 import type { OutOfBandRecord } from '../modules/oob/repository'
 import type { OutboundTransport } from '../transport/OutboundTransport'
 import type { OutboundMessage, OutboundPackage, EncryptedMessage } from '../types'

packages/core/src/agent/__tests__/MessageSender.test.ts

@@ -8,9 +8,9 @@ import type { ResolvedDidCommService } from '../MessageSender'
 import { TestMessage } from '../../../tests/TestMessage'
 import { getAgentConfig, getMockConnection, mockFunction } from '../../../tests/helpers'
 import testLogger from '../../../tests/logger'
-import { KeyType } from '../../crypto'
+import { Key, KeyType } from '../../crypto'
 import { ReturnRouteTypes } from '../../decorators/transport/TransportDecorator'
-import { Key, DidDocument, VerificationMethod } from '../../modules/dids'
+import { DidDocument, VerificationMethod } from '../../modules/dids'
 import { DidCommV1Service } from '../../modules/dids/domain/service/DidCommV1Service'
 import { DidResolverService } from '../../modules/dids/services/DidResolverService'
 import { InMemoryMessageRepository } from '../../storage/InMemoryMessageRepository'

packages/core/src/agent/helpers.ts

@@ -1,5 +1,5 @@
+import type { Key } from '../crypto'
 import type { ConnectionRecord } from '../modules/connections'
-import type { Key } from '../modules/dids/domain/Key'
 import type { OutOfBandRecord } from '../modules/oob/repository'
 import type { OutboundMessage, OutboundServiceMessage } from '../types'
 import type { AgentMessage } from './AgentMessage'

packages/core/src/agent/models/InboundMessageContext.ts

@@ -1,5 +1,5 @@
+import type { Key } from '../../crypto'
 import type { ConnectionRecord } from '../../modules/connections'
-import type { Key } from '../../modules/dids'
 import type { AgentMessage } from '../AgentMessage'
 
 import { AriesFrameworkError } from '../../error'

packages/core/src/crypto/BbsService.ts

@@ -0,0 +1,151 @@
+import type { CreateKeyOptions } from '../wallet'
+import type { BlsKeyPair as _BlsKeyPair } from '@mattrglobal/bbs-signatures'
+
+import {
+  bls12381toBbs,
+  generateBls12381G2KeyPair,
+  generateBls12381G1KeyPair,
+  sign,
+  verify,
+} from '@mattrglobal/bbs-signatures'
+
+import { TypedArrayEncoder } from '../utils/TypedArrayEncoder'
+import { Buffer } from '../utils/buffer'
+import { WalletError } from '../wallet/error'
+
+import { KeyType } from './KeyType'
+
+export interface BlsKeyPair {
+  publicKeyBase58: string
+  privateKeyBase58: string
+  keyType: Extract<KeyType, KeyType.Bls12381g1 | KeyType.Bls12381g2 | KeyType.Bls12381g1g2>
+}
+
+interface BbsCreateKeyOptions extends CreateKeyOptions {
+  keyType: Extract<KeyType, KeyType.Bls12381g1 | KeyType.Bls12381g2>
+}
+
+interface BbsSignOptions {
+  messages: Buffer | Buffer[]
+  publicKey: Buffer
+  privateKey: Buffer
+}
+
+interface BbsVerifyOptions {
+  publicKey: Buffer
+  signature: Buffer
+  messages: Buffer | Buffer[]
+}
+
+export class BbsService {
+  /**
+   * Create an instance of a Key class for the following key types:
+   *  - Bls12381g1
+   *  - Bls12381g2
+   *
+   * @param keyType KeyType The type of key to be created (see above for the accepted types)
+   *
+   * @returns A Key class with the public key and key type
+   *
+   * @throws {WalletError} When a key could not be created
+   * @throws {WalletError} When the method is called with an invalid keytype
+   */
+  public static async createKey({ keyType, seed }: BbsCreateKeyOptions): Promise<BlsKeyPair> {
+    // Generate bytes from the seed as required by the bbs-signatures libraries
+    const seedBytes = seed ? TypedArrayEncoder.fromString(seed) : undefined
+
+    // Temporary keypair holder
+    let blsKeyPair: Required<_BlsKeyPair>
+
+    switch (keyType) {
+      case KeyType.Bls12381g1:
+        // Generate a bls12-381G1 keypair
+        blsKeyPair = await generateBls12381G1KeyPair(seedBytes)
+        break
+      case KeyType.Bls12381g2:
+        // Generate a bls12-381G2 keypair
+        blsKeyPair = await generateBls12381G2KeyPair(seedBytes)
+        break
+      default:
+        // additional check. Should never be hit as this function will only be called from a place where
+        // a key type check already happened.
+        throw new WalletError(`Cannot create key with the BbsService for key type: ${keyType}`)
+    }
+
+    return {
+      keyType,
+      publicKeyBase58: TypedArrayEncoder.toBase58(blsKeyPair.publicKey),
+      privateKeyBase58: TypedArrayEncoder.toBase58(blsKeyPair.secretKey),
+    }
+  }
+
+  /**
+   * Sign an arbitrary amount of messages, in byte form, with a keypair
+   *
+   * @param messages Buffer[] List of messages in Buffer form
+   * @param publicKey Buffer Publickey required for the signing process
+   * @param privateKey Buffer PrivateKey required for the signing process
+   *
+   * @returns A Buffer containing the signature of the messages
+   *
+   * @throws {WalletError} When there are no supplied messages
+   */
+  public static async sign({ messages, publicKey, privateKey }: BbsSignOptions): Promise<Buffer> {
+    if (messages.length === 0) throw new WalletError('Unable to create a signature without any messages')
+    // Check if it is a single message or list and if it is a single message convert it to a list
+    const normalizedMessages = (TypedArrayEncoder.isTypedArray(messages) ? [messages as Buffer] : messages) as Buffer[]
+
+    // Get the Uint8Array variant of all the messages
+    const messageBuffers = normalizedMessages.map((m) => Uint8Array.from(m))
+
+    const bbsKeyPair = await bls12381toBbs({
+      keyPair: { publicKey: Uint8Array.from(publicKey), secretKey: Uint8Array.from(privateKey) },
+      messageCount: normalizedMessages.length,
+    })
+
+    // Sign the messages via the keyPair
+    const signature = await sign({
+      keyPair: bbsKeyPair,
+      messages: messageBuffers,
+    })
+
+    // Convert the Uint8Array signature to a Buffer type
+    return Buffer.from(signature)
+  }
+
+  /**
+   * Verify an arbitrary amount of messages with their signature created with their key pair
+   *
+   * @param publicKey Buffer The public key used to sign the messages
+   * @param messages Buffer[] The messages that have to be verified if they are signed
+   * @param signature Buffer The signature that has to be verified if it was created with the messages and public key
+   *
+   * @returns A boolean whether the signature is create with the public key over the messages
+   *
+   * @throws {WalletError} When the message list is empty
+   * @throws {WalletError} When the verification process failed
+   */
+  public static async verify({ signature, messages, publicKey }: BbsVerifyOptions): Promise<boolean> {
+    if (messages.length === 0) throw new WalletError('Unable to create a signature without any messages')
+    // Check if it is a single message or list and if it is a single message convert it to a list
+    const normalizedMessages = (TypedArrayEncoder.isTypedArray(messages) ? [messages as Buffer] : messages) as Buffer[]
+
+    // Get the Uint8Array variant of all the messages
+    const messageBuffers = normalizedMessages.map((m) => Uint8Array.from(m))
+
+    const bbsKeyPair = await bls12381toBbs({
+      keyPair: { publicKey: Uint8Array.from(publicKey) },
+      messageCount: normalizedMessages.length,
+    })
+
+    // Verify the signature against the messages with their public key
+    const { verified, error } = await verify({ signature, messages: messageBuffers, publicKey: bbsKeyPair.publicKey })
+
+    // If the messages could not be verified and an error occured
+    if (!verified && error) {
+      throw new WalletError(`Could not verify the signature against the messages: ${error}`)
+    }
+
+    return verified
+  }
+}

packages/core/src/crypto/JwsService.ts

@@ -9,6 +9,9 @@ import { JsonEncoder, TypedArrayEncoder } from '../utils'
 import { Wallet } from '../wallet'
 import { WalletError } from '../wallet/error'
 
+import { Key } from './Key'
+import { KeyType } from './KeyType'
+
 // TODO: support more key types, more generic jws format
 const JWS_KEY_TYPE = 'OKP'
 const JWS_CURVE = 'Ed25519'
@@ -25,9 +28,10 @@ export class JwsService {
   public async createJws({ payload, verkey, header }: CreateJwsOptions): Promise<JwsGeneralFormat> {
     const base64Payload = TypedArrayEncoder.toBase64URL(payload)
     const base64Protected = JsonEncoder.toBase64URL(this.buildProtected(verkey))
+    const key = Key.fromPublicKeyBase58(verkey, KeyType.Ed25519)
 
     const signature = TypedArrayEncoder.toBase64URL(
-      await this.wallet.sign(TypedArrayEncoder.fromString(`${base64Protected}.${base64Payload}`), verkey)
+      await this.wallet.sign({ data: TypedArrayEncoder.fromString(`${base64Protected}.${base64Payload}`), key })
     )
 
     return {
@@ -38,7 +42,7 @@ export class JwsService {
   }
 
   /**
-   * Verify a a JWS
+   * Verify a JWS
    */
   public async verifyJws({ jws, payload }: VerifyJwsOptions): Promise<VerifyJwsResult> {
     const base64Payload = TypedArrayEncoder.toBase64URL(payload)
@@ -64,10 +68,11 @@ export class JwsService {
       const signature = TypedArrayEncoder.fromBase64(jws.signature)
 
       const verkey = TypedArrayEncoder.toBase58(TypedArrayEncoder.fromBase64(protectedJson?.jwk?.x))
+      const key = Key.fromPublicKeyBase58(verkey, KeyType.Ed25519)
       signerVerkeys.push(verkey)
 
       try {
-        const isValid = await this.wallet.verify(verkey, data, signature)
+        const isValid = await this.wallet.verify({ key, data, signature })
 
         if (!isValid) {
           return {

packages/core/src/modules/dids/domain/Key.ts → packages/core/src/crypto/Key.ts

@@ -1,8 +1,8 @@
-import type { KeyType } from '../../../crypto'
+import type { KeyType } from './KeyType'
 
-import { Buffer, TypedArrayEncoder, MultiBaseEncoder, VarintEncoder } from '../../../utils'
+import { Buffer, MultiBaseEncoder, TypedArrayEncoder, VarintEncoder } from '../utils'
 
-import { getKeyTypeByMultiCodecPrefix, getMultiCodecPrefixByKeytype } from './key-type/multiCodecKey'
+import { getKeyTypeByMultiCodecPrefix, getMultiCodecPrefixByKeytype } from './multiCodecKey'
 
 export class Key {
   public readonly publicKey: Buffer

packages/core/src/crypto/__tests__/JwsService.test.ts

@@ -1,10 +1,11 @@
 import type { Wallet } from '@aries-framework/core'
 
 import { getAgentConfig } from '../../../tests/helpers'
-import { DidKey, Key } from '../../modules/dids'
+import { DidKey } from '../../modules/dids'
 import { Buffer, JsonEncoder } from '../../utils'
 import { IndyWallet } from '../../wallet/IndyWallet'
 import { JwsService } from '../JwsService'
+import { Key } from '../Key'
 import { KeyType } from '../KeyType'
 
 import * as didJwsz6Mkf from './__fixtures__/didJwsz6Mkf'

packages/core/src/crypto/index.ts

@@ -1 +1,2 @@
 export { KeyType } from './KeyType'
+export { Key } from './Key'

packages/core/src/modules/dids/domain/key-type/multiCodecKey.ts → packages/core/src/crypto/multiCodecKey.ts

@@ -1,4 +1,4 @@
-import { KeyType } from '../../../../crypto'
+import { KeyType } from './KeyType'
 
 // based on https://github.com/multiformats/multicodec/blob/master/table.csv
 const multiCodecPrefixMap: Record<string, KeyType> = {

packages/core/src/decorators/signature/SignatureDecoratorUtils.ts

@@ -1,5 +1,6 @@
 import type { Wallet } from '../../wallet/Wallet'
 
+import { Key, KeyType } from '../../crypto'
 import { AriesFrameworkError } from '../../error'
 import { JsonEncoder } from '../../utils/JsonEncoder'
 import { TypedArrayEncoder } from '../../utils/TypedArrayEncoder'
@@ -21,12 +22,14 @@ export async function unpackAndVerifySignatureDecorator(
   wallet: Wallet
 ): Promise<Record<string, unknown>> {
   const signerVerkey = decorator.signer
+  const key = Key.fromPublicKeyBase58(signerVerkey, KeyType.Ed25519)
 
   // first 8 bytes are for 64 bit integer from unix epoch
   const signedData = TypedArrayEncoder.fromBase64(decorator.signatureData)
   const signature = TypedArrayEncoder.fromBase64(decorator.signature)
 
-  const isValid = await wallet.verify(signerVerkey, signedData, signature)
+  // const isValid = await wallet.verify(signerVerkey, signedData, signature)
+  const isValid = await wallet.verify({ signature, data: signedData, key })
 
   if (!isValid) {
     throw new AriesFrameworkError('Signature is not valid')
@@ -47,8 +50,9 @@ export async function unpackAndVerifySignatureDecorator(
  */
 export async function signData(data: unknown, wallet: Wallet, signerKey: string): Promise<SignatureDecorator> {
   const dataBuffer = Buffer.concat([timestamp(), JsonEncoder.toBuffer(data)])
+  const key = Key.fromPublicKeyBase58(signerKey, KeyType.Ed25519)
 
-  const signatureBuffer = await wallet.sign(dataBuffer, signerKey)
+  const signatureBuffer = await wallet.sign({ key, data: dataBuffer })
 
   const signatureDecorator = new SignatureDecorator({
     signatureType: 'https://didcomm.org/signature/1.0/ed25519Sha512_single',

packages/core/src/modules/connections/ConnectionsModule.ts

@@ -1,4 +1,4 @@
-import type { Key } from '../dids'
+import type { Key } from '../../crypto'
 import type { OutOfBandRecord } from '../oob/repository'
 import type { ConnectionRecord } from './repository/ConnectionRecord'
 import type { Routing } from './services'

packages/core/src/modules/connections/DidExchangeProtocol.ts

@@ -10,13 +10,13 @@ import type { Routing } from './services/ConnectionService'
 import { Lifecycle, scoped } from 'tsyringe'
 
 import { AgentConfig } from '../../agent/AgentConfig'
-import { KeyType } from '../../crypto'
+import { Key, KeyType } from '../../crypto'
 import { JwsService } from '../../crypto/JwsService'
 import { Attachment, AttachmentData } from '../../decorators/attachment/Attachment'
 import { AriesFrameworkError } from '../../error'
 import { JsonEncoder } from '../../utils/JsonEncoder'
 import { JsonTransformer } from '../../utils/JsonTransformer'
-import { DidDocument, Key } from '../dids'
+import { DidDocument } from '../dids'
 import { DidDocumentRole } from '../dids/domain/DidDocumentRole'
 import { createDidDocumentFromServices } from '../dids/domain/createPeerDidFromServices'
 import { getKeyDidMappingByVerificationMethod } from '../dids/domain/key-type'

packages/core/src/modules/connections/__tests__/ConnectionService.test.ts

@@ -5,13 +5,13 @@ import { getAgentConfig, getMockConnection, getMockOutOfBand, mockFunction } fro
 import { AgentMessage } from '../../../agent/AgentMessage'
 import { EventEmitter } from '../../../agent/EventEmitter'
 import { InboundMessageContext } from '../../../agent/models/InboundMessageContext'
-import { KeyType } from '../../../crypto'
+import { Key, KeyType } from '../../../crypto'
 import { signData, unpackAndVerifySignatureDecorator } from '../../../decorators/signature/SignatureDecoratorUtils'
 import { JsonTransformer } from '../../../utils/JsonTransformer'
 import { uuid } from '../../../utils/uuid'
 import { IndyWallet } from '../../../wallet/IndyWallet'
 import { AckMessage, AckStatus } from '../../common'
-import { DidKey, IndyAgentService, Key } from '../../dids'
+import { DidKey, IndyAgentService } from '../../dids'
 import { DidCommV1Service } from '../../dids/domain/service/DidCommV1Service'
 import { didDocumentJsonToNumAlgo1Did } from '../../dids/methods/peer/peerDidNumAlgo1'
 import { DidRepository } from '../../dids/repository'

packages/core/src/modules/connections/services/ConnectionService.ts

@@ -15,12 +15,13 @@ import { inject, scoped, Lifecycle } from 'tsyringe'
 import { AgentConfig } from '../../../agent/AgentConfig'
 import { EventEmitter } from '../../../agent/EventEmitter'
 import { InjectionSymbols } from '../../../constants'
+import { Key } from '../../../crypto'
 import { signData, unpackAndVerifySignatureDecorator } from '../../../decorators/signature/SignatureDecoratorUtils'
 import { AriesFrameworkError } from '../../../error'
 import { JsonTransformer } from '../../../utils/JsonTransformer'
 import { indyDidFromPublicKeyBase58 } from '../../../utils/did'
 import { Wallet } from '../../../wallet/Wallet'
-import { DidKey, Key, IndyAgentService } from '../../dids'
+import { DidKey, IndyAgentService } from '../../dids'
 import { DidDocumentRole } from '../../dids/domain/DidDocumentRole'
 import { didKeyToVerkey } from '../../dids/helpers'
 import { didDocumentJsonToNumAlgo1Did } from '../../dids/methods/peer/peerDidNumAlgo1'

packages/core/src/modules/connections/services/helpers.ts

@@ -1,9 +1,9 @@
 import type { DidDocument } from '../../dids'
 import type { DidDoc, PublicKey } from '../models'
 
-import { KeyType } from '../../../crypto'
+import { Key, KeyType } from '../../../crypto'
 import { AriesFrameworkError } from '../../../error'
-import { IndyAgentService, DidCommV1Service, Key, DidDocumentBuilder } from '../../dids'
+import { IndyAgentService, DidCommV1Service, DidDocumentBuilder } from '../../dids'
 import { getEd25519VerificationMethod } from '../../dids/domain/key-type/ed25519'
 import { didDocumentJsonToNumAlgo1Did } from '../../dids/methods/peer/peerDidNumAlgo1'
 import { EmbeddedAuthentication } from '../models'

packages/core/src/modules/dids/DidsModule.ts

@@ -1,4 +1,4 @@
-import type { Key } from './domain/Key'
+import type { Key } from '../../crypto'
 import type { DidResolutionOptions } from './types'
 
 import { Lifecycle, scoped } from 'tsyringe'