Closing in on signing support

Author: robmoffat

packages/fdc3-security/samples/signing-example.ts

@@ -1,13 +1,12 @@
 import { JosePublicFDC3Security, provisionJWKS } from '../src/impl/JosePublicFDC3Security';
 import { connectRemoteHandlers } from '../src/secure-boundary/ClientSideHandlersImpl';
-import { Channel, DesktopAgent } from '@finos/fdc3-standard';
+import { Channel, ContextMetadata, DesktopAgent } from '@finos/fdc3-standard';
 import { Context } from '@finos/fdc3-context';
 import { ExchangeDataMessage } from '../src/secure-boundary/MessageTypes';
 import { MockDesktopAgent } from '../test/mocks/MockDesktopAgent';
 import { startAppBackEnd } from '../test/mocks/AppBackEnd';
 import { JosePrivateFDC3Security } from '../src/impl/JosePrivateFDC3Security';
 import { SigningChannelDelegate } from '../src/signing/SigningChannelDelegate';
-import { ContextMetadataWithAuthenticity } from '../src/signing/SigningSupport';
 
 import { DefaultFDC3Handlers } from '../src/secure-boundary/FDC3Handlers';
 
@@ -26,7 +25,7 @@ class AppABackendHandlers extends DefaultFDC3Handlers {
   async handleRemoteChannel(purpose: string, channel: Channel): Promise<void> {
     console.log(`[App A Backend] Received remote channel for purpose: ${purpose}`);
     // Wrap with SigningChannelDelegate to handle signing automatically
-    this.channel = new SigningChannelDelegate(channel, this.security);
+    this.channel = new SigningChannelDelegate(channel, this.security, false);
     // Wait for listener to be ready
     setTimeout(() => this.broadcast(), 1000);
   }
@@ -74,7 +73,7 @@ async function runExample() {
   );
 
   // Wrap the channel with SigningChannelDelegate for automatic verification
-  const signedChanB = new SigningChannelDelegate(chanB, securityB_Public);
+  const signedChanB = new SigningChannelDelegate(chanB, securityB_Public, false);
 
   // 1. Listen to the raw channel to show what's "on the wire"
   await chanB.addContextListener('fdc3.instrument', async ctx => {
@@ -83,32 +82,29 @@ async function runExample() {
   });
 
   // 2. Listen via the Delegate to show the processed/verified version
-  await signedChanB.addContextListener(
-    'fdc3.instrument',
-    async (ctx: Context, meta: ContextMetadataWithAuthenticity | undefined) => {
-      console.log('[App B Front-end] <<< [VERIFIED] Context Received:');
-      console.log(JSON.stringify(ctx, null, 2));
-      console.log('[App B Front-end] <<< [VERIFIED] Metadata Received:');
-      console.log(JSON.stringify(meta, null, 2));
-
-      if (meta?.authenticity) {
-        const auth = meta.authenticity;
-        if (auth.signed) {
-          console.log('[App B Front-end] Verification Result: ✅ VALID');
-          console.log(`[App B Front-end] Trusted Provider: ${auth.jku}`);
-        } else {
-          console.log('[App B Front-end] Context was not signed.');
-          if (auth.errors) {
-            console.log('[App B Front-end] Errors:', auth.errors);
-          }
+  await signedChanB.addContextListener('fdc3.instrument', async (ctx: Context, meta: ContextMetadata | undefined) => {
+    console.log('[App B Front-end] <<< [VERIFIED] Context Received:');
+    console.log(JSON.stringify(ctx, null, 2));
+    console.log('[App B Front-end] <<< [VERIFIED] Metadata Received:');
+    console.log(JSON.stringify(meta, null, 2));
+
+    if (meta?.authenticity) {
+      const auth = meta.authenticity;
+      if (auth.signed) {
+        console.log('[App B Front-end] Verification Result: ✅ VALID');
+        console.log(`[App B Front-end] Trusted Provider: ${auth.jku}`);
+      } else {
+        console.log('[App B Front-end] Context was not signed.');
+        if (auth.errors) {
+          console.log('[App B Front-end] Errors:', auth.errors);
         }
       }
-
-      console.log('--- FDC3 Signing Example End ---');
-      httpServer.close();
-      process.exit(0);
     }
-  );
+
+    console.log('--- FDC3 Signing Example End ---');
+    httpServer.close();
+    process.exit(0);
+  });
 
   // 3. App A Front-end Execution
   console.log('[App A Front-end] Connecting to remote handlers...');

packages/fdc3-security/src/delegates/AbstractChannelDelegate.ts

@@ -4,25 +4,32 @@ import {
   EventHandler,
   Listener,
   PrivateChannel,
-  AppProvidableContextMetadata,
   ContextMetadata,
 } from '@finos/fdc3-standard';
 import { Context } from '@finos/fdc3-context';
 
+export const APP_METADATA_KEY = '__appMeta';
+
 /**
  * Wraps a standard FDC3 Channel or PrivateChannel so we can give it extra behaviour.
  */
 export abstract class AbstractChannelDelegate implements PrivateChannel {
   protected readonly delegate: PrivateChannel;
+  protected readonly metadataAvailable: boolean;
   id: string;
   type: 'user' | 'app' | 'private';
   displayMetadata?: DisplayMetadata | undefined;
 
-  constructor(c: Channel | PrivateChannel) {
+  /**
+   * @param c Channel to wrap
+   * @param metadataAvailable Pass in true if running in FDC3 3.0 where we can broadcast our own metadata, otherwise false.
+   */
+  constructor(c: Channel | PrivateChannel, metadataAvailable: boolean) {
     this.delegate = c as PrivateChannel;
     this.id = c.id;
     this.type = c.type;
     this.displayMetadata = c.displayMetadata;
+    this.metadataAvailable = metadataAvailable;
   }
 
   async clearContext(contextType?: string): Promise<void> {
@@ -56,7 +63,15 @@ export abstract class AbstractChannelDelegate implements PrivateChannel {
 
   async broadcast(context: Context, metadata?: ContextMetadata): Promise<void> {
     const wrapped = await this.wrapContext(context, metadata);
-    return this.delegate.broadcast(wrapped.ctx, wrapped.meta);
+    if (this.metadataAvailable) {
+      return this.delegate.broadcast(wrapped.ctx, wrapped.meta);
+    } else {
+      const contextWithMeta = {
+        ...context,
+        __appMeta: wrapped.meta,
+      };
+      return this.delegate.broadcast(contextWithMeta);
+    }
   }
 
   getCurrentContext(contextType?: string | undefined): Promise<Context | null> {

packages/fdc3-security/src/secure-boundary/ClientSideHandlersImpl.ts

@@ -1,4 +1,4 @@
-import { Channel, DesktopAgent, IntentHandler, Listener, PrivateChannel } from '@finos/fdc3-standard';
+import { Channel, DesktopAgent, IntentHandler, Listener, PrivateChannel, ContextMetadata } from '@finos/fdc3-standard';
 import { Context } from '@finos/fdc3-context';
 import {
   REMOTE_INTENT_HANDLER,
@@ -112,7 +112,7 @@ export class ClientSideHandlersImpl implements FDC3Handlers {
 
   private async handleBroadcast(br: BroadcastRequest): Promise<BroadcastResponse> {
     const channel = this.channels.get(br.payload.channelId)!!;
-    await channel.broadcast(br.payload.context);
+    await channel.broadcast(br.payload.context, br.payload.metadata as any);
     return {
       type: 'broadcastResponse',
       meta: {
@@ -128,18 +128,21 @@ export class ClientSideHandlersImpl implements FDC3Handlers {
     const channel = this.channels.get(acl.payload.channelId!);
     const id = this.messaging.createUUID();
     if (channel) {
-      const cl = await channel.addContextListener(acl.payload.contextType, async (ctx: Context) => {
-        const msg: BroadcastEvent = {
-          type: 'broadcastEvent',
-          meta: {
-            requestUuid: this.messaging.createUUID(),
-            timestamp: new Date(),
-            eventUuid: this.messaging.createUUID(),
-          } as any,
-          payload: { context: ctx, channelId: channel.id },
-        };
-        this.messaging.post(msg);
-      });
+      const cl = await channel.addContextListener(
+        acl.payload.contextType,
+        async (ctx: Context, meta?: ContextMetadata) => {
+          const msg: BroadcastEvent = {
+            type: 'broadcastEvent',
+            meta: {
+              requestUuid: this.messaging.createUUID(),
+              timestamp: new Date(),
+              eventUuid: this.messaging.createUUID(),
+            } as any,
+            payload: { context: ctx, channelId: channel.id, metadata: meta } as any,
+          };
+          this.messaging.post(msg);
+        }
+      );
       this.contextListeners.set(id, cl);
       return {
         type: 'addContextListenerResponse',

packages/fdc3-security/src/signing/SigningChannelDelegate.ts

@@ -1,6 +1,6 @@
 import { Channel, ContextHandler, ContextMetadata, Listener, PrivateChannel } from '@finos/fdc3-standard';
 import { Context } from '@finos/fdc3-context';
-import { signingContextHandler } from './SigningSupport';
+import { signatureCheckingContextHandler, signContext } from './SigningSupport';
 import { AbstractChannelDelegate } from '../delegates/AbstractChannelDelegate';
 import { PrivateFDC3Security } from '../impl/PrivateFDC3Security';
 import { PublicFDC3Security } from '../impl/PublicFDC3Security';
@@ -13,34 +13,29 @@ import { PublicFDC3Security } from '../impl/PublicFDC3Security';
 export class SigningChannelDelegate extends AbstractChannelDelegate {
   private readonly fdc3Security: PublicFDC3Security;
 
-  constructor(d: Channel | PrivateChannel, fdc3Security: PublicFDC3Security) {
-    super(d);
+  constructor(d: Channel | PrivateChannel, fdc3Security: PublicFDC3Security, metadataAvailable: boolean) {
+    super(d, metadataAvailable);
     this.fdc3Security = fdc3Security;
   }
 
   canSign(): boolean {
-    return typeof (this.fdc3Security as any).sign === 'function';
+    const hasSign = typeof (this.fdc3Security as any).sign === 'function';
+    if (!hasSign) {
+      console.log('SigningChannelDelegate: Security provider does not have sign method', this.fdc3Security);
+    }
+    return hasSign;
   }
 
   async wrapContext(ctx: Context, meta?: ContextMetadata): Promise<{ ctx: Context; meta?: ContextMetadata }> {
     if (this.canSign()) {
-      const { signature, antiReplay } = await (this.fdc3Security as any as PrivateFDC3Security).sign(ctx);
-      const metaOut = {
-        ...meta,
-        signature,
-        antiReplay,
-      } as ContextMetadata;
-      return { ctx, meta: metaOut };
+      return signContext(this.fdc3Security as PrivateFDC3Security, ctx, meta);
     }
     return { ctx, meta };
   }
 
   addContextListener(context: any, handler?: any): Promise<Listener> {
     const theHandler: ContextHandler = handler ? handler : (context as ContextHandler);
     const theContextType: string | null = context && handler ? (context as string) : null;
-    return super.addContextListener(
-      theContextType,
-      signingContextHandler(this.fdc3Security, theHandler, async () => this.delegate)
-    );
+    return super.addContextListener(theContextType, signatureCheckingContextHandler(this.fdc3Security, theHandler));
   }
 }