Draft: full id service

.gitignore

@@ -4,3 +4,4 @@ node_modules/
 packages/*/example/*.js*
 *.map
 .nx/
+packages/matrix-identity-server/matrix-server/synapse-data

package.json

@@ -38,8 +38,10 @@
     "test": "lerna run test"
   },
   "dependencies": {
+    "@remix-run/express": "^1.16.0",
     "express": "^4.18.2",
-    "@remix-run/express": "^1.16.0"
+    "tweetnacl": "^1.0.3",
+    "tweetnacl-util": "^0.15.1"
   },
   "devDependencies": {
     "@crowdsec/express-bouncer": "^0.1.0",
@@ -91,4 +93,4 @@
     "ts-jest": "^29.1.0",
     "typescript": "^4.9.5"
   }
-}
+}

packages/crypto/src/index.test.ts

@@ -1,4 +1,10 @@
-import { Hash, randomString } from './index'
+import {
+  Hash,
+  randomString,
+  generateKeyPair,
+  canonicalJson,
+  signJson
+} from './index'
 
 const sha256Results: Record<string, string> = {
   '[email protected] email matrixrocks':
@@ -39,3 +45,177 @@ test('randomString', () => {
   const res = randomString(64)
   expect(res).toMatch(/^[a-zA-Z0-9]{64}$/)
 })
+
+describe('generateKeyPair', () => {
+  it('should generate a valid Ed25519 key pair and key ID', () => {
+    const { publicKey, privateKey, keyId } = generateKeyPair('ed25519')
+    expect(publicKey).toMatch(/^[A-Za-z0-9_-]+$/) // Unpadded Base64 URL encoded string
+    expect(privateKey).toMatch(/^[A-Za-z0-9_-]+$/) // Unpadded Base64 URL encoded string
+    expect(keyId).toMatch(/^ed25519:[A-Za-z0-9_-]+$/) // Key ID format
+  })
+
+  it('should generate a valid Curve25519 key pair and key ID', () => {
+    const { publicKey, privateKey, keyId } = generateKeyPair('curve25519')
+    expect(publicKey).toMatch(/^[A-Za-z0-9_-]+$/) // Unpadded Base64 URL encoded string
+    expect(privateKey).toMatch(/^[A-Za-z0-9_-]+$/) // Unpadded Base64 URL encoded string
+    expect(keyId).toMatch(/^curve25519:[A-Za-z0-9_-]+$/) // Key ID format
+  })
+})
+
+describe('canonicalJson', () => {
+  test('should handle empty object', () => {
+    const input = {}
+    const expectedOutput = '{}'
+    expect(canonicalJson(input)).toEqual(expectedOutput)
+  })
+
+  test('should handle simple object with different key types', () => {
+    const input = { one: 1, two: 'Two' }
+    const expectedOutput = '{"one":1,"two":"Two"}'
+    expect(canonicalJson(input)).toEqual(expectedOutput)
+  })
+
+  test('should handle object with keys in reverse order', () => {
+    const input = { b: '2', a: '1' }
+    const expectedOutput = '{"a":"1","b":"2"}'
+    expect(canonicalJson(input)).toEqual(expectedOutput)
+  })
+
+  test('should handle nested objects with arrays', () => {
+    const input = {
+      auth: {
+        success: true,
+        mxid: '@john.doe:example.com',
+        profile: {
+          display_name: 'John Doe',
+          three_pids: [
+            {
+              medium: 'email',
+              address: '[email protected]'
+            },
+            {
+              medium: 'msisdn',
+              address: '123456789'
+            }
+          ]
+        }
+      }
+    }
+    const expectedOutput =
+      '{"auth":{"mxid":"@john.doe:example.com","profile":{"display_name":"John Doe","three_pids":[{"address":"[email protected]","medium":"email"},{"address":"123456789","medium":"msisdn"}]},"success":true}}'
+    expect(canonicalJson(input)).toEqual(expectedOutput)
+  })
+
+  test('should handle object with non-ASCII characters', () => {
+    const input = { a: '日本語' }
+    const expectedOutput = '{"a":"日本語"}'
+    expect(canonicalJson(input)).toEqual(expectedOutput)
+  })
+
+  test('should handle object with non-ASCII keys', () => {
+    const input = { 本: 2, 日: 1 }
+    const expectedOutput = '{"日":1,"本":2}'
+    expect(canonicalJson(input)).toEqual(expectedOutput)
+  })
+
+  test('should handle object with unicode escape sequences', () => {
+    const input = { a: '\u65E5' }
+    const expectedOutput = '{"a":"日"}'
+    expect(canonicalJson(input)).toEqual(expectedOutput)
+  })
+
+  test('should handle object with null values', () => {
+    const input = { a: null }
+    const expectedOutput = '{"a":null}'
+    expect(canonicalJson(input)).toEqual(expectedOutput)
+  })
+
+  test('should handle object with special numeric values', () => {
+    const input = { a: -0, b: 1e10 }
+    const expectedOutput = '{"a":0,"b":10000000000}'
+    expect(canonicalJson(input)).toEqual(expectedOutput)
+  })
+})
+
+describe('signJson', () => {
+  const testKey = generateKeyPair('ed25519')
+  const signingKey = testKey.privateKey
+  const signingName = 'testSigningName'
+  const keyId = testKey.keyId
+
+  it('should add signature to a simple object', () => {
+    const jsonObj = { a: 1, b: 'string' }
+    const result = signJson(jsonObj, signingKey, signingName, keyId)
+
+    expect(result).toHaveProperty('signatures')
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+    expect(result.signatures).toHaveProperty(signingName)
+    expect(result.signatures?.[signingName]).toHaveProperty(keyId)
+    expect(result).toMatchObject({
+      a: 1,
+      b: 'string',
+      signatures: expect.any(Object)
+    })
+  })
+
+  it('should preserve existing signatures', () => {
+    const jsonObj = {
+      a: 1,
+      b: 'string',
+      signatures: {
+        existingSignature: {
+          existingKeyId: 'existingSignatureValue'
+        }
+      }
+    }
+    const result = signJson(jsonObj, signingKey, signingName, keyId)
+
+    expect(result.signatures).toHaveProperty('existingSignature')
+    expect(result.signatures?.existingSignature).toHaveProperty('existingKeyId')
+    expect(result.signatures).toHaveProperty(signingName)
+    expect(result.signatures?.[signingName]).toHaveProperty(keyId)
+  })
+
+  it('should handle unsigned field correctly', () => {
+    const jsonObj = { a: 1, b: 'string', unsigned: { c: 2 } }
+    const result = signJson(jsonObj, signingKey, signingName, keyId)
+
+    expect(result).toHaveProperty('unsigned')
+    expect(result.unsigned).toEqual({ c: 2 })
+  })
+
+  it('should not include `unsigned` field if not present', () => {
+    const jsonObj = { a: 1, b: 'string' }
+    const result = signJson(jsonObj, signingKey, signingName, keyId)
+
+    expect(result).not.toHaveProperty('unsigned')
+  })
+
+  it('should handle complex nested objects', () => {
+    const jsonObj = { a: { b: { c: 1 } }, d: ['e', 'f', { g: 'h' }] }
+    const result = signJson(jsonObj, signingKey, signingName, keyId)
+
+    expect(result).toHaveProperty('signatures')
+    expect(result.signatures).toHaveProperty(signingName)
+    expect(result.signatures?.[signingName]).toHaveProperty(keyId)
+    expect(result).toMatchObject({
+      a: { b: { c: 1 } },
+      d: ['e', 'f', { g: 'h' }],
+      signatures: expect.any(Object)
+    })
+  })
+
+  it('should handle objects with null values', () => {
+    const jsonObj = { a: null, b: 'string' }
+    const result = signJson(jsonObj, signingKey, signingName, keyId)
+
+    expect(result).toHaveProperty('signatures')
+    expect(result.signatures).toHaveProperty(signingName)
+    expect(result.signatures?.[signingName]).toHaveProperty(keyId)
+    expect(result).toMatchObject({
+      a: null,
+      b: 'string',
+      signatures: expect.any(Object)
+    })
+  })
+})

packages/crypto/src/index.ts

@@ -1,4 +1,6 @@
 import _nacl, { type Nacl } from 'js-nacl'
+import nacl from 'tweetnacl'
+import * as naclUtil from 'tweetnacl-util'
 
 // export const supportedHashes = ['sha256', 'sha512']
 export const supportedHashes = ['sha256']
@@ -50,3 +52,136 @@
   }
   return res
 }
+
+// Function to generate KeyId
+function generateKeyId(algorithm: string, identifier: string): string {
+  return `${algorithm}:${identifier}`
+}
+
+// Function to convert a Base64 string to unpadded Base64 URL encoded string
+function toBase64Url(base64: string): string {
+  return base64.replace(/=+$/, '').replace(/\//g, '_').replace(/\+/g, '-')
+}
+
+// Function to convert an unpadded Base64 URL encoded string to Base64 string
+function fromBase64Url(base64Url: string): string {
+  let base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/')
+  while (base64.length % 4 !== 0) {
+    base64 += '='
+  }
+  return base64
+}
+
+// Function to generate Ed25519 key pair and KeyId
+function generateEdKeyPair(): {
+  publicKey: string
+  privateKey: string
+  keyId: string
+} {
+  // Generate an Ed25519 key pair
+  const keyPair = nacl.sign.keyPair()
+
+  // Generate a unique identifier for the KeyId
+  const identifier = nacl.randomBytes(8) // Generate 8 random bytes
+  let identifierHex = naclUtil.encodeBase64(identifier)
+  // Convert to unpadded Base64 URL encoded form
+  identifierHex = toBase64Url(identifierHex)
+
+  const algorithm = 'ed25519'
+  const _keyId = generateKeyId(algorithm, identifierHex)
+
+  return {
+    publicKey: toBase64Url(naclUtil.encodeBase64(keyPair.publicKey)),
+    privateKey: toBase64Url(naclUtil.encodeBase64(keyPair.secretKey)),
+    keyId: _keyId
+  }
+}
+
+// Function to generate Curve25519 key pair and KeyId
+function generateCurveKeyPair(): {
+  publicKey: string
+  privateKey: string
+  keyId: string
+} {
+  // Generate a Curve25519 key pair
+  const keyPair = nacl.box.keyPair()
+
+  // Generate a unique identifier for the KeyId
+  const identifier = nacl.randomBytes(8) // Generate 8 random bytes
+  let identifierHex = naclUtil.encodeBase64(identifier)
+  // Convert to unpadded Base64 URL encoded form
+  identifierHex = toBase64Url(identifierHex)
+
+  const algorithm = 'curve25519'
+  const _keyId = generateKeyId(algorithm, identifierHex)
+
+  return {
+    publicKey: toBase64Url(naclUtil.encodeBase64(keyPair.publicKey)),
+    privateKey: toBase64Url(naclUtil.encodeBase64(keyPair.secretKey)),
+    keyId: _keyId
+  }
+}
+
+export const generateKeyPair = (
+  algorithm: 'ed25519' | 'curve25519'
+): { publicKey: string; privateKey: string; keyId: string } => {
+  if (algorithm === 'ed25519') {
+    return generateEdKeyPair()
+  } else if (algorithm === 'curve25519') {
+    return generateCurveKeyPair()
+  } else {
+    throw new Error('Unsupported algorithm')
+  }
+}
+
+export const canonicalJson = (value: any): string => {
+  return JSON.stringify(value, (key, val) =>
+    typeof val === 'object' && val !== null && !Array.isArray(val)
+      ? Object.keys(val)
+          .sort()
+          .reduce<any>((sorted, key) => {
+            sorted[key] = val[key]
+            return sorted
+          }, {})
+      : val
+  ).replace(/[\u007f-\uffff]/g, function (c) {
+    return c
+  })
+}
+
+interface JsonObject {
+  [key: string]: any
+  signatures?: Record<string, Record<string, string>>
+  unsigned?: any
+}
+
+export const signJson = (
+  jsonObj: JsonObject,
+  signingKey: string,
+  signingName: string,
+  keyId: string
+): JsonObject => {
+  // eslint-disable-next-line @typescript-eslint/strict-boolean-expressions
+  const signatures = jsonObj.signatures ?? {}
+  const unsigned = jsonObj.unsigned
+  delete jsonObj.signatures
+  delete jsonObj.unsigned
+  const signed = nacl.sign(
+    naclUtil.decodeUTF8(canonicalJson(jsonObj)),
+    naclUtil.decodeBase64(fromBase64Url(signingKey))
+  )
+  const signatureBase64 = Buffer.from(signed).toString('base64')
+
+  signatures[signingName] = {
+    ...signatures[signingName],
+    [keyId]: signatureBase64
+  }
+
+  jsonObj.signatures = signatures
+  // eslint-disable-next-line @typescript-eslint/strict-boolean-expressions
+  if (unsigned) {
+    jsonObj.unsigned = unsigned
+  }
+
+  return jsonObj
+}

packages/matrix-client-server/README.md

@@ -0,0 +1,23 @@
+# @twake/matrix-client-server
+
+Node.js library that implements
+[Matrix Client Server API](https://spec.matrix.org/v1.10/client-server-api/).
+
+## Synopsis
+
+Example using [express](https://www.npmjs.com/package/express):
+
+``js
+ // Add example which will be similar to the one inside packages/matrix-identity-server/README.md
+```
+
+## Configuration file
+
+Configuration file is a JSON file. The default values are
+in [src/config.json](./src/config.json).
+
+## Copyright and license
+
+Copyright (c) 2023-present Linagora <https://linagora.com>
+
+License: [GNU AFFERO GENERAL PUBLIC LICENSE](https://ci.linagora.com/publicgroup/oss/twake/tom-server/-/blob/master/LICENSE)