feature: allow provision of signing secret key instead of seed. Generate and store in config a new keypair if one is not provided. Every item create/update is signed.

grempe · grempe · commit 8f1a085cc94b · 2022-12-29T12:17:38.000-05:00
diff --git a/src/cli.ts b/src/cli.ts
@@ -74,16 +74,16 @@ const cmd = new Command()
     },
   )
   .globalEnv(
-    "TRUESTAMP_SIGNING_KEY_SEED=<signingKeySeed:string>",
-    "A Base64 encoded 32 byte random seed used to create an ed25519 signing keypair.",
+    "TRUESTAMP_SIGNING_SECRET_KEY=<signingSecretKey:string>",
+    "A Base64 encoded ed25519 secret key.",
     {
       required: false,
       prefix: "TRUESTAMP_",
     },
   )
   .globalOption(
-    "-S, --signing-key-seed <signingKeySeed:string>",
-    "A Base64 encoded 32 byte random seed used to create an ed25519 signing keypair. Overrides 'TRUESTAMP_SIGNING_KEY_SEED' env var.",
+    "-S, --signing-secret-key <signingSecretKey:string>",
+    "A Base64 encoded ed25519 secret key. Overrides 'TRUESTAMP_SIGNING_SECRET_KEY' env var.",
   )
   .action(() => {
     cmd.showHelp();
diff --git a/src/commands/items.ts b/src/commands/items.ts
@@ -10,6 +10,7 @@ import {
 } from "../deps.ts";
 
 import {
+  getSigningSecretKeyForEnv,
   logSelectedOutputFormat,
   signItemData,
   throwApiError,
@@ -34,7 +35,7 @@ const itemsCreate = new Command<{
   env: typeof environmentType;
   apiKey?: string;
   output: typeof outputType;
-  signingKeySeed?: string;
+  signingSecretKey?: string;
 }>()
   .description(
     `Create a new Item.
@@ -293,15 +294,18 @@ Pipe JSON content to the 'items create' command using '--input json' plus the '-
         skipOE: !options.observableEntropy,
       };
 
+      const signingSecretKeyFromConfig = getSigningSecretKeyForEnv(options.env);
+
       if (jsonItem) {
         const itemRequest: ItemRequest = ItemRequestSchema.parse(jsonItem);
 
-        itemRequest.itemDataSignatures = options.signingKeySeed
-          ? signItemData(itemRequest, options.signingKeySeed)
+        // Signing Secret Key provided as an option or env var overrides a key stored in the config file.
+        itemRequest.itemDataSignatures = options.signingSecretKey
+          ? signItemData(itemRequest, options.signingSecretKey)
+          : signingSecretKeyFromConfig
+          ? signItemData(itemRequest, signingSecretKeyFromConfig)
           : undefined;
 
-        console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
-
         itemResp = await truestamp.createItem(itemRequest, createItemArgs);
       } else if (options.hash && options.hashType) {
         const itemRequest: ItemRequest = {
@@ -313,12 +317,13 @@ Pipe JSON content to the 'items create' command using '--input json' plus the '-
           ],
         };
 
-        itemRequest.itemDataSignatures = options.signingKeySeed
-          ? signItemData(itemRequest, options.signingKeySeed)
+        // Signing Secret Key provided as an option or env var overrides a key stored in the config file.
+        itemRequest.itemDataSignatures = options.signingSecretKey
+          ? signItemData(itemRequest, options.signingSecretKey)
+          : signingSecretKeyFromConfig
+          ? signItemData(itemRequest, signingSecretKeyFromConfig)
           : undefined;
 
-        // console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
-
         itemResp = await truestamp.createItem(
           itemRequest,
           createItemArgs,
@@ -333,12 +338,13 @@ Pipe JSON content to the 'items create' command using '--input json' plus the '-
           ],
         };
 
-        itemRequest.itemDataSignatures = options.signingKeySeed
-          ? signItemData(itemRequest, options.signingKeySeed)
+        // Signing Secret Key provided as an option or env var overrides a key stored in the config file.
+        itemRequest.itemDataSignatures = options.signingSecretKey
+          ? signItemData(itemRequest, options.signingSecretKey)
+          : signingSecretKeyFromConfig
+          ? signItemData(itemRequest, signingSecretKeyFromConfig)
           : undefined;
 
-        // console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
-
         itemResp = await truestamp.createItem(
           itemRequest,
           createItemArgs,
@@ -396,7 +402,7 @@ const itemsUpdate = new Command<{
   env: typeof environmentType;
   apiKey?: string;
   output: typeof outputType;
-  signingKeySeed?: string;
+  signingSecretKey?: string;
 }>()
   .description(
     `Update an existing Item by replacing it with a new one.
@@ -602,15 +608,18 @@ Pipe JSON content to the 'items update' command using '--input json' plus the '-
         skipOE: !options.observableEntropy,
       };
 
+      const signingSecretKeyFromConfig = getSigningSecretKeyForEnv(options.env);
+
       if (jsonItem) {
         const itemRequest: ItemRequest = ItemRequestSchema.parse(jsonItem);
 
-        itemRequest.itemDataSignatures = options.signingKeySeed
-          ? signItemData(itemRequest, options.signingKeySeed)
+        // Signing Secret Key provided as an option or env var overrides a key stored in the config file.
+        itemRequest.itemDataSignatures = options.signingSecretKey
+          ? signItemData(itemRequest, options.signingSecretKey)
+          : signingSecretKeyFromConfig
+          ? signItemData(itemRequest, signingSecretKeyFromConfig)
           : undefined;
 
-        console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
-
         itemResp = await truestamp.updateItem(
           options.id,
           itemRequest,
@@ -626,12 +635,13 @@ Pipe JSON content to the 'items update' command using '--input json' plus the '-
           ],
         };
 
-        itemRequest.itemDataSignatures = options.signingKeySeed
-          ? signItemData(itemRequest, options.signingKeySeed)
+        // Signing Secret Key provided as an option or env var overrides a key stored in the config file.
+        itemRequest.itemDataSignatures = options.signingSecretKey
+          ? signItemData(itemRequest, options.signingSecretKey)
+          : signingSecretKeyFromConfig
+          ? signItemData(itemRequest, signingSecretKeyFromConfig)
           : undefined;
 
-        // console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
-
         itemResp = await truestamp.updateItem(
           options.id,
           itemRequest,
@@ -647,12 +657,13 @@ Pipe JSON content to the 'items update' command using '--input json' plus the '-
           ],
         };
 
-        itemRequest.itemDataSignatures = options.signingKeySeed
-          ? signItemData(itemRequest, options.signingKeySeed)
+        // Signing Secret Key provided as an option or env var overrides a key stored in the config file.
+        itemRequest.itemDataSignatures = options.signingSecretKey
+          ? signItemData(itemRequest, options.signingSecretKey)
+          : signingSecretKeyFromConfig
+          ? signItemData(itemRequest, signingSecretKeyFromConfig)
           : undefined;
 
-        // console.log("itemRequest", JSON.stringify(itemRequest, null, 2));
-
         itemResp = await truestamp.updateItem(
           options.id,
           itemRequest,
@@ -680,7 +691,7 @@ export const items = new Command<{
   env: typeof environmentType;
   apiKey?: string;
   output: typeof outputType;
-  signingKeySeed?: string;
+  signingSecretKey?: string;
 }>()
   .description("Create or update Items.")
   .action(() => {
diff --git a/src/config.ts b/src/config.ts
@@ -2,6 +2,8 @@
 
 import { Conf, Json } from "./deps.ts";
 
+// e.g.  cat "/Users/glenn/Library/Preferences/com.truestamp.cli.development/config.json"
+
 function getConfigProjectNameForEnv(env: string): string {
   return `com.truestamp.cli.${env}`;
 }
diff --git a/src/utils.ts b/src/utils.ts
@@ -1,6 +1,10 @@
 // Copyright © 2020-2022 Truestamp Inc. All rights reserved.
 
-import { generateKeyPairFromSeed, sign } from "@stablelib/ed25519";
+import {
+  extractPublicKeyFromSecretKey,
+  generateKeyPair,
+  sign,
+} from "@stablelib/ed25519";
 import { hash as sha256 } from "@stablelib/sha256";
 import { z } from "zod";
 
@@ -11,6 +15,8 @@ import {
   encode as base64Encode,
 } from "@stablelib/base64";
 
+import { getConfigKeyForEnv, setConfigKeyForEnv } from "./config.ts";
+
 const OutputWrapper = z.object({
   text: z.string(),
   json: z.record(z.string().min(1), z.any()),
@@ -163,26 +169,57 @@ export async function put<T, U>(
 
 export function signItemData(
   itemRequest: ItemRequest,
-  signingKeySeed: Uint8Array | string,
+  secretKey: Uint8Array | string,
 ): Signature[] {
-  if (typeof signingKeySeed === "string") {
-    signingKeySeed = base64Decode(signingKeySeed);
+  if (typeof secretKey === "string") {
+    secretKey = base64Decode(secretKey);
   }
 
-  const signingKeyPair = generateKeyPairFromSeed(signingKeySeed);
+  const publicKey = extractPublicKeyFromSecretKey(secretKey);
+
   const canonicalData = canonify(itemRequest.itemData);
   const canonicalDataUint8Array = new TextEncoder().encode(canonicalData);
   const canonicalDataHash = sha256(canonicalDataUint8Array);
+
   const canonicalDataHashSignature = sign(
-    signingKeyPair.secretKey,
+    secretKey,
     canonicalDataHash,
   );
 
   return [
     {
-      publicKey: base64Encode(signingKeyPair.publicKey),
+      publicKey: base64Encode(publicKey),
       signature: base64Encode(canonicalDataHashSignature),
       signatureType: "ed25519",
     },
   ];
 }
+
+export function getSigningSecretKeyForEnv(env: string): Uint8Array {
+  const configSecretKeyPropertyName = "signing_secret_key";
+  const configPublicKeyPropertyName = "signing_public_key";
+
+  const secretKey = getConfigKeyForEnv(
+    env,
+    configSecretKeyPropertyName,
+  );
+
+  if (secretKey) {
+    return base64Decode(secretKey as string);
+  } else {
+    // Initialize and save a new KeyPair to config
+    const keyPair = generateKeyPair();
+    setConfigKeyForEnv(
+      env,
+      configSecretKeyPropertyName,
+      base64Encode(keyPair.secretKey),
+    );
+    setConfigKeyForEnv(
+      env,
+      configPublicKeyPropertyName,
+      base64Encode(keyPair.publicKey),
+    );
+
+    return keyPair.secretKey;
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -74,16 +74,16 @@ const cmd = new Command()`
`74`	`74`	`},`
`75`	`75`	`)`
`76`	`76`	`.globalEnv(`
`77`		`- "TRUESTAMP_SIGNING_KEY_SEED=<signingKeySeed:string>",`
`78`		`- "A Base64 encoded 32 byte random seed used to create an ed25519 signing keypair.",`
	`77`	`+ "TRUESTAMP_SIGNING_SECRET_KEY=<signingSecretKey:string>",`
	`78`	`+ "A Base64 encoded ed25519 secret key.",`
`79`	`79`	`{`
`80`	`80`	`required: false,`
`81`	`81`	`prefix: "TRUESTAMP_",`
`82`	`82`	`},`
`83`	`83`	`)`
`84`	`84`	`.globalOption(`
`85`		`- "-S, --signing-key-seed <signingKeySeed:string>",`
`86`		`- "A Base64 encoded 32 byte random seed used to create an ed25519 signing keypair. Overrides 'TRUESTAMP_SIGNING_KEY_SEED' env var.",`
	`85`	`+ "-S, --signing-secret-key <signingSecretKey:string>",`
	`86`	`+ "A Base64 encoded ed25519 secret key. Overrides 'TRUESTAMP_SIGNING_SECRET_KEY' env var.",`
`87`	`87`	`)`
`88`	`88`	`.action(() => {`
`89`	`89`	`cmd.showHelp();`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,8 @@`
`2`	`2`
`3`	`3`	`import { Conf, Json } from "./deps.ts";`
`4`	`4`
	`5`	`+// e.g. cat "/Users/glenn/Library/Preferences/com.truestamp.cli.development/config.json"`
	`6`	`+`
`5`	`7`	`function getConfigProjectNameForEnv(env: string): string {`
`6`	`8`	return `com.truestamp.cli.${env}`;
`7`	`9`	`}`