bind v1 sigs to manifest (#479)

* bind v1 sigs to manifest

* verifier sign API checks for correct signer

* update some of the manifest tests, more to do still

* update scheme and fix tests

* fix arg pos

* pass down manifest hash

* never a need to pass compat option

* revert batch test upgrade

* raw adds no benefit here

---------

Co-authored-by: Christophe Diederichs <[email protected]>

Author: mafintosh

lib/caps.js

@@ -25,11 +25,11 @@ exports.replicate = function (isInitiator, key, handshakeHash) {
   return out
 }
 
-exports.treeSignable = function (namespace, hash, length, fork) {
+exports.treeSignable = function (manifestHash, treeHash, length, fork) {
   const state = { start: 0, end: 112, buffer: b4a.allocUnsafe(112) }
-  c.raw.encode(state, TREE)
-  c.raw.encode(state, namespace)
-  c.raw.encode(state, hash)
+  c.fixed32.encode(state, TREE)
+  c.fixed32.encode(state, manifestHash)
+  c.fixed32.encode(state, treeHash)
   c.uint64.encode(state, length)
   c.uint64.encode(state, fork)
   return state.buffer
@@ -38,8 +38,8 @@ exports.treeSignable = function (namespace, hash, length, fork) {
 exports.treeSignableCompat = function (hash, length, fork, noHeader) {
   const end = noHeader ? 48 : 80
   const state = { start: 0, end, buffer: b4a.allocUnsafe(end) }
-  if (!noHeader) c.raw.encode(state, TREE) // ultra legacy mode, kill in future major
-  c.raw.encode(state, hash)
+  if (!noHeader) c.fixed32.encode(state, TREE) // ultra legacy mode, kill in future major
+  c.fixed32.encode(state, hash)
   c.uint64.encode(state, length)
   c.uint64.encode(state, fork)
   return state.buffer

lib/core.js

@@ -158,7 +158,7 @@ module.exports = class Core {
       while (bitfield.get(header.hints.contiguousLength)) header.hints.contiguousLength++
     }
 
-    const verifier = header.manifest ? new Verifier(header.manifest, { compat: Verifier.isCompat(header.key, header.manifest), crypto, legacy }) : null
+    const verifier = header.manifest ? new Verifier(header.key, header.manifest, { crypto, legacy }) : null
 
     for (const e of entries) {
       if (e.userData) {
@@ -197,13 +197,12 @@ module.exports = class Core {
     if (!manifest && b4a.equals(keyPair.publicKey, this.header.key)) manifest = Verifier.defaultSignerManifest(this.header.key)
     if (!manifest) return
 
-    const compat = Verifier.isCompat(this.header.key, manifest)
-    const verifier = new Verifier(manifest, { compat, crypto: this.crypto, legacy: this._legacy })
+    const verifier = new Verifier(this.header.key, manifest, { crypto: this.crypto, legacy: this._legacy })
 
     if (verifier.prologue) this.tree.setPrologue(verifier.prologue)
 
-    this.compat = compat
     this.header.manifest = manifest
+    this.compat = verifier.compat
     this.verifier = verifier
     this._manifestFlushed = false
 
@@ -681,15 +680,15 @@ module.exports = class Core {
       }
     }
 
-    const verifier = this.verifier || new Verifier(manifest, { compat: Verifier.isCompat(this.header.key, manifest), crypto: this.crypto, legacy: this._legacy })
+    const verifier = this.verifier || new Verifier(this.header.key, manifest, { crypto: this.crypto, legacy: this._legacy })
 
     if (!verifier.verify(batch, batch.signature)) {
       throw INVALID_SIGNATURE('Proof contains an invalid signature')
     }
 
     if (!this.header.manifest) {
-      this.compat = Verifier.isCompat(this.header.key, manifest)
       this.header.manifest = manifest
+      this.compat = verifier.compat
       this.verifier = verifier
       this.onupdate(0b10000, null, null, null)
     }

lib/merkle-tree.js

@@ -79,8 +79,8 @@ class MerkleTreeBatch {
     return this.hashCached
   }
 
-  signable (namespace) {
-    return caps.treeSignable(namespace, this.hash(), this.length, this.fork)
+  signable (manifestHash) {
+    return caps.treeSignable(manifestHash, this.hash(), this.length, this.fork)
   }
 
   signableCompat (noHeader) {

lib/verifier.js

@@ -9,29 +9,35 @@ const multisig = require('./multisig')
 const caps = require('./caps')
 
 class Signer {
-  constructor (crypto, index, { signature = 'ed25519', publicKey, namespace = caps.DEFAULT_NAMESPACE } = {}) {
+  constructor (crypto, manifestHash, version, index, { signature = 'ed25519', publicKey, namespace = caps.DEFAULT_NAMESPACE } = {}) {
     if (!publicKey) throw BAD_ARGUMENT('public key is required for a signer')
     if (signature !== 'ed25519') throw BAD_ARGUMENT('Only Ed25519 signatures are supported')
 
     this.crypto = crypto
+    this.manifestHash = manifestHash
+    this.version = version
     this.signer = index
     this.signature = signature
     this.publicKey = publicKey
     this.namespace = namespace
   }
 
+  _ctx () {
+    return this.version === 0 ? this.namespace : this.manifestHash
+  }
+
   verify (batch, signature) {
-    return this.crypto.verify(batch.signable(this.namespace), signature, this.publicKey)
+    return this.crypto.verify(batch.signable(this._ctx()), signature, this.publicKey)
   }
 
   sign (batch, keyPair) {
-    return this.crypto.sign(batch.signable(this.namespace), keyPair.secretKey)
+    return this.crypto.sign(batch.signable(this._ctx()), keyPair.secretKey)
   }
 }
 
 class CompatSigner extends Signer {
   constructor (crypto, index, signer, legacy) {
-    super(crypto, index, signer)
+    super(crypto, null, 0, index, signer)
     this.legacy = legacy
   }
 
@@ -45,16 +51,24 @@ class CompatSigner extends Signer {
 }
 
 module.exports = class Verifier {
-  constructor (manifest, { compat = false, crypto = defaultCrypto, legacy = false } = {}) {
+  constructor (manifestHash, manifest, { compat = isCompat(manifestHash, manifest), crypto = defaultCrypto, legacy = false } = {}) {
+    const self = this
+
+    this.manifestHash = manifestHash
     this.compat = compat || manifest === null
     this.version = this.compat ? 0 : typeof manifest.version === 'number' ? manifest.version : 1
     this.hash = manifest.hash || 'blake2b'
     this.allowPatch = !this.compat && !!manifest.allowPatch
     this.quorum = this.compat ? 1 : defaultQuorum(manifest)
-    this.signers = manifest.signers
-      ? manifest.signers.map((s, index) => this.compat ? new CompatSigner(crypto, index, s, legacy) : new Signer(crypto, index, s))
-      : []
+
+    this.signers = manifest.signers ? manifest.signers.map(createSigner) : []
     this.prologue = this.compat ? null : (manifest.prologue || null)
+
+    function createSigner (signer, index) {
+      return self.compat
+        ? new CompatSigner(crypto, index, signer, legacy)
+        : new Signer(crypto, manifestHash, self.version, index, signer)
+    }
   }
 
   _verifyCompat (batch, signature) {
@@ -129,21 +143,22 @@ module.exports = class Verifier {
   // TODO: better api for this that is more ... multisig-ey
   sign (batch, keyPair) {
     if (!keyPair || !keyPair.secretKey) throw BAD_ARGUMENT('No key pair was passed')
-    if (this.signers.length > 1 || this.allowPatch) throw BAD_ARGUMENT('Can only sign directly for single signers')
 
-    const signature = this.signers[0].sign(batch, keyPair)
-    if (this.version !== 1) return signature
-    return this.assemble([{ signer: 0, signature, patch: 0, nodes: null }])
+    for (const s of this.signers) {
+      if (b4a.equals(s.publicKey, keyPair.publicKey)) {
+        const signature = s.sign(batch, keyPair)
+        if (this.signers.length !== 1 || this.version === 0) return signature
+        return this.assemble([{ signer: 0, signature, patch: 0, nodes: null }])
+      }
+    }
+
+    throw new BAD_ARGUMENT('Public key is not a declared signer')
   }
 
   assemble (inputs) {
     return this.version === 0 ? multisig.assemblev0(inputs) : multisig.assemble(inputs)
   }
 
-  manifestHash () {
-    return manifestHash(this)
-  }
-
   static manifestHash (manifest) {
     return manifestHash(manifest)
   }
@@ -163,6 +178,11 @@ module.exports = class Verifier {
     }
   }
 
+  static fromManifest (manifest, opts) {
+    const m = this.createManifest(manifest)
+    return new this(manifestHash(m), m, opts)
+  }
+
   static createManifest (inp) {
     if (!inp) return null
 
@@ -192,12 +212,11 @@ module.exports = class Verifier {
   }
 
   static isCompat (key, manifest) {
-    return !!(manifest && manifest.signers.length === 1 && b4a.equals(key, manifest.signers[0].publicKey))
+    return isCompat(key, manifest)
   }
 
   static sign (manifest, batch, keyPair, opts) {
-    const v = new Verifier(manifest, opts)
-    return v.sign(batch, keyPair)
+    return Verifier.fromManifest(manifest, opts).sign(batch, keyPair)
   }
 }
 
@@ -207,6 +226,10 @@ function toMap (nodes) {
   return m
 }
 
+function isCompat (key, manifest) {
+  return !!(manifest && manifest.signers.length === 1 && b4a.equals(key, manifest.signers[0].publicKey))
+}
+
 function defaultQuorum (man) {
   if (typeof man.quorum === 'number') return man.quorum
   if (!man.signers || !man.signers.length) return 0