From 5f5562f5e3dc8e3faf42c9a367a16d34d372ff4c Mon Sep 17 00:00:00 2001 From: Trent Larson Date: Fri, 17 Nov 2023 17:47:41 -0700 Subject: [PATCH 1/2] doc: update tasks --- project.task.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/project.task.yaml b/project.task.yaml index af1c65bfc..fd5970c01 100644 --- a/project.task.yaml +++ b/project.task.yaml @@ -5,11 +5,6 @@ tasks: - 40 notifications : - push, where we trigger a ServiceWorker(?) in the app to reach out and check for new data assignee:matthew -- 01 Replace Gifted/Give in ContactsView with GiftedDialog assignee:matthew - -- 01 fix the Discovery map display to not show on top of bottom icons (and any other UI tweaks on the map flow) assignee-group:ui -- .1 add instructions for map location selection - - 01 Show pop-up or some message confirming that settings & contacts download has been initiated/finished - 01 Ensure each action sent to the server has a confirmation - eg registration (ie a toast something that dismisses after 5-10s) @@ -21,8 +16,8 @@ tasks: - 24 Move to Vite assignee:matthew +- .3 fix the Project-location-selection map display to not show on top of bottom icons (and any other UI tweaks on the map flow) assignee-group:ui - .5 switch so DiscoverView shows anywhere by default, and no number unless search is done (and maybe a better filter UI, including "mine" to consolidate with ProjectsView) -- .2 fit as many icons as possible on home & project view screens but only going halfway down the page assignee-group:ui - .5 Add infinite scroll to gifts on the home page - .5 bug - search for "Safari" does not find the project, but if already on the "Anywhere" tab it shows all - .2 figure out why endorser-mobile search doesn't find recently created PlanAction 
@@ -66,6 +61,7 @@ tasks: - Release Minimum Viable Product : - 08 thorough testing for errors & edge cases + - 01 ensure ability to recover server remotely, and add redundant access - Turn off stats-world or ensure it's usable (eg. cannot zoom out too far and lose world, cannot screenshot). - Add disclaimers. - Switch default server to the public server. @@ -85,6 +81,10 @@ tasks: - for subtasks: fulfills (is it really the same?), feeds, contributes to, supplies, boosts, advances - for blocking: blocks, precedes, comes before, is sought by -- vs follows, seeks, builds on ("contributes to" isn't specific enough, "succeeds" has different, possibly confusing meaning) +- .5 add "back" button to all screens that aren't part of the bottom tray +- .5 fit as many icons as possible on home & project view screens but only going halfway down the page assignee-group:ui +- .5 Replace Gifted/Give in ContactsView with GiftedDialog + - Stats : - 01 point out user's location on the world - 01 present a credential selected from the stats From 92fcffdfc5734145c1f43e01730614535df134c5 Mon Sep 17 00:00:00 2001 From: Trent Larson Date: Fri, 17 Nov 2023 20:33:57 -0700 Subject: [PATCH 2/2] update the script commands for JWT signature generation & validation --- README.md | 6 +++--- openssl_signing_console.rst | 25 +++++++++++++++---------- openssl_signing_console.sh | 34 ++++++++++++++++++++++++++-------- project.task.yaml | 2 -- 4 files changed, 44 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 76c09f323..57ac895f4 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ npm run lint ## Tests -### +### Web-push For your own web-push tests, change the 'vapid' URL in App.vue, and install apps on the same domain. 
@@ -54,8 +54,8 @@ by an existing user: On the test server, User #0 has rights to register others, so you can start playing one of two ways: -- Import the keys for the test User `did:ethr:0x000Ee5654b9742f6Fe18ea970e32b97ee2247B51` by importing this seed phrase: - `seminar accuse mystery assist delay law thing deal image undo guard initial shallow wrestle list fragile borrow velvet tomorrow awake explain test offer control` +- Import the keys for the test User `did:ethr:0x0000694B58C2cC69658993A90D3840C560f2F51F` by importing this seed phrase: + `rigid shrug mobile smart veteran half all pond toilet brave review universe ship congress found yard skate elite apology jar uniform subway slender luggage` (Other test users are found [here](https://github.com/trentlarson/endorser-ch/blob/master/test/util.js).) - Alternatively, register someone else under User #0 automatically: diff --git a/openssl_signing_console.rst b/openssl_signing_console.rst index 28a272ab8..8b7befdf6 100644 --- a/openssl_signing_console.rst +++ b/openssl_signing_console.rst @@ -1,8 +1,11 @@ -Prerequisites: +JWT Creation & Verification -jq +To run this in a script, see ./openssl_signing_console.sh -You can create a JWT using a library or by encoding the header and payload base64Url and signing it with a secret using a ES256K algorithm. Here is an example of how you can create a JWT using the jq and openssl command line utilities: +Prerequisites: openssl, jq + +You can create a JWT using a library or by encoding the header and payload base64Url and signing it with a secret using +a ES256K algorithm. Here is an example of how you can create a JWT using the jq and openssl command line utilities: Here is an example of how you can use openssl to sign a JWT with the ES256K algorithm: 
@@ -15,20 +18,22 @@ openssl ec -in private.pem -pubout -out public.pem header='{"alg":"ES256K", "issuer": "", "typ":"JWT"}' - Next, create a payload object as a JSON object containing the claims you want to include in the JWT. For example schema.org : + Next, create a payload object as a JSON object containing the claims you want to include in the JWT. + For example schema.org : payload='{"@context": "http://schema.org", "@type": "PlanAction", "identifier": "did:ethr:0xb86913f83A867b5Ef04902419614A6FF67466c12", "name": "Test", "description": "Me"}' Encode the header and payload objects as base64Url strings. You can use the jq command line utility to do this: -header_b64=$(echo -n "$header" | jq -c -M . | tr -d '\n') -payload_b64=$(echo -n "$payload" | jq -c -M . | tr -d '\n') +header_b64=$(echo -n "$header" | jq -c -M . | tr -d '\n' | base64 | tr -d '=' | tr '+' '-' | tr '/' '_') +payload_b64=$(echo -n "$payload" | jq -c -M . | tr -d '\n' | base64 | tr -d '=' | tr '+' '-' | tr '/' '_') Concatenate the encoded header, payload, and a secret to create the signing input: signing_input="$header_b64.$payload_b64" - Create the signature by signing the signing input with a ES256K algorithm and your secret. You can use the openssl command line utility to do this: + Create the signature by signing the signing input with a ES256K algorithm and your secret. + You can use the openssl command line utility to do this: signature=$(echo -n "$signing_input" | openssl dgst -sha256 -sign private.pem) 
@@ -43,7 +48,7 @@ Authorization: Bearer $jwt To verify the JWT, you can use the openssl utility with the public key: -openssl dgst -sha256 -verify public.pem -signature <(echo -n "$signature") "$signing_input" - - This will verify the signature and output Verified OK if the signature is valid. If the signature is not valid, it will output an error. +echo -n "$signing_input" | openssl dgst -sha256 -verify public.pem -signature <(echo -n "$signature") + This will verify the signature and output "Verified OK" if the signature is valid. + If the signature is not valid, it will give an error response and output "Verification failure". diff --git a/openssl_signing_console.sh b/openssl_signing_console.sh index acdda6893..599b3a1d3 100755 --- a/openssl_signing_console.sh +++ b/openssl_signing_console.sh @@ -1,5 +1,17 @@ #!/bin/bash +# Generate a JWT, with signature verified using OpenSSL +# +# Prerequisites: openssl, jq +# +# Usage: source ./openssl_signing_console.sh +# +# For a more complete explanation, see ./openssl_signing_console.rst +# +# It's crazy that raw execution only works about 20% of the time! +# See https://stackoverflow.com/questions/77505582/why-would-openssl-verify-succeed-every-time-with-source-but-fail-80-of-the + + openssl ecparam -name secp256k1 -genkey -noout -out private.pem openssl ec -in private.pem -pubout -out public.pem 
@@ -7,19 +19,25 @@ header='{"alg":"ES256K", "issuer": "", "typ":"JWT"}' payload='{"@context": "http://schema.org", "@type": "PlanAction", "identifier": "did:ethr:0xb86913f83A867b5Ef04902419614A6FF67466c12", "name": "Test", "description": "Me"}' -header_b64=$(echo -n "$header" | jq -c -M . | tr -d '\n') -payload_b64=$(echo -n "$payload" | jq -c -M . | tr -d '\n') +header_b64=$(echo -n "$header" | jq -c -M . | tr -d '\n' | base64 | tr -d '=' | tr '+' '-' | tr '/' '_') +payload_b64=$(echo -n "$payload" | jq -c -M . | tr -d '\n' | base64 | tr -d '=' | tr '+' '-' | tr '/' '_') signing_input="$header_b64.$payload_b64" -echo -n "$signing_input" | openssl dgst -sha256 -sign private.pem -out signature.bin +signature=$(echo -n "$signing_input" | openssl dgst -sha256 -sign private.pem) -# Read binary signature from file and encode it to Base64 URL-Safe format -signature_b64=$(base64 -w 0 < signature.bin | tr -d '=' | tr '+' '-' | tr '/' '_') +echo -n "$signing_input" | openssl dgst -sha256 -verify public.pem -signature <(echo -n "$signature") -# Construct the JWT -jwt="$signing_input.$signature_b64" +# Also tested this, to no avail. +#echo -n "$signature" > sig.out +#echo -n "$signing_input" | openssl dgst -sha256 -verify public.pem -signature sig.out -openssl dgst -sha256 -verify public.pem -signature signature.bin -out verified.txt <(echo -n "$signing_input") +# Read binary signature and encode it to Base64 URL-Safe format +signature_b64=$(echo -n "$signature" | base64 | tr -d '=' | tr '+' '-' | tr '/' '_') + +# Construct the JWT +jwt="$signing_input.$signature_b64" + +echo Resulting JWT: $jwt diff --git a/project.task.yaml b/project.task.yaml index fd5970c01..271c5e945 100644 --- a/project.task.yaml +++ b/project.task.yaml 
@@ -5,8 +5,6 @@ tasks: - 40 notifications : - push, where we trigger a ServiceWorker(?) in the app to reach out and check for new data assignee:matthew -- 01 Show pop-up or some message confirming that settings & contacts download has been initiated/finished - - 01 Ensure each action sent to the server has a confirmation - eg registration (ie a toast something that dismisses after 5-10s) - Home Feed & Quick Give screen :
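Review bot: in the project.task.yaml hunk `@@ -66,6 +61,7 @@` of the first patch, the added task "01 ensure ability to recover server remotely, and add redundant access" names the goal but not the control: a second remote-access path is a second way in, so the task should state how that path is authenticated (its own credentials, not a copy of the primary ones) and that it is covered by the "08 thorough testing for errors & edge cases" item above it before the "Switch default server to the public server" step.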
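Review bot: the README.md hunk `@@ -54,8 +54,8 @@` swaps the test user's DID and seed phrase, which is unrelated to the commit subject "update the script commands for JWT signature generation & validation" and should either be its own commit or be named in the message. Since the replaced phrase `seminar accuse mystery ...` for `did:ethr:0x000Ee5654b9742f6Fe18ea970e32b97ee2247B51` stays in git history, that identity has to be treated as permanently shared, and the new line should say explicitly that `rigid shrug mobile ...` controls a throwaway test-server identity that must never be imported into a real account.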
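Review bot: the openssl_signing_console.rst hunk `@@ -1,8 +1,11 @@` still describes the token as "signing it with a secret using a ES256K algorithm"; ES256K is ECDSA over secp256k1, so the signer uses the private key in private.pem and the verifier uses the public key, and "secret" suggests an HMAC-style shared key, which is the wrong model for a DID-based token. The sentences "Here is an example of how you can create a JWT using the jq and openssl command line utilities:" and "Here is an example of how you can use openssl to sign a JWT with the ES256K algorithm:" now sit back to back and say the same thing; keep one.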
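Review bot: in the openssl_signing_console.rst hunk `@@ -15,20 +18,22 @@`, the new pipeline `... | tr -d '\n' | base64 | tr -d '=' | tr '+' '-' | tr '/' '_'` strips newlines before base64 but not after it; GNU coreutils base64 wraps its output at 76 columns by default, and the sample payload encodes to well over 76 characters, so on Linux payload_b64 contains embedded newlines and the signing input is corrupted. The removed .sh line used `base64 -w 0`; the portable fix is a second strip after encoding, e.g. `base64 | tr -d '\n=' | tr '+/' '-_'`. In the same hunk the step "Concatenate the encoded header, payload, and a secret to create the signing input" does not match `signing_input="$header_b64.$payload_b64"`: nothing secret is concatenated, the signing input is header.payload only. The context line `header='{"alg":"ES256K", "issuer": "", "typ":"JWT"}'` also puts `issuer` in the JOSE header, where it is not a registered parameter; the issuer belongs in the payload as `iss`.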
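Review bot: the openssl_signing_console.rst hunk `@@ -43,7 +48,7 @@` replaces the verify command with `echo -n "$signing_input" | openssl dgst -sha256 -verify public.pem -signature <(echo -n "$signature")`, which is the right shape but relies on `$signature` holding the raw DER signature produced by `openssl dgst -sign`; bash command substitution discards NUL bytes, so the variable is corrupted whenever the signature contains one, and the "Verification failure" the new text documents is the result, not an openssl error. The doc should keep the signature in a file (`-out signature.bin` / `-signature signature.bin`) and should also say that this command checks the openssl signature over the signing input, not the finished token, because a JWS verifier has to base64url-decode the third segment first.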
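Review bot: the openssl_signing_console.sh hunk `@@ -1,5 +1,17 @@` records the symptom ("raw execution only works about 20% of the time") without the cause, and the "Usage: source ./openssl_signing_console.sh" line turns a workaround into the documented way to run the script, leaving header, payload, signature and jwt variables in the caller's shell. The cause is that `signature=$(... openssl dgst -sha256 -sign private.pem)` stores a binary DER signature in a shell variable, and bash drops NUL bytes from command substitution (bash 4.4 and later print "ignored null byte in input"); a DER-encoded secp256k1 ECDSA signature contains a 0x00 byte about 80% of the time (a leading 0x00 pad on r or s whenever its top bit is set, plus any zero byte among the 64 value bytes), which matches the observed success rate, and the difference between `source` and direct execution is consistent with the interactive shell not being bash. Replace the comment with that explanation and drop the `source` instruction once the script is fixed. The hunk also keeps `openssl ecparam ... -out private.pem` unconditional, so every run silently overwrites private.pem and public.pem in the working directory; guard it with `[ -e private.pem ] || openssl ecparam ...` or write the keys to a temporary directory.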
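Review bot: the openssl_signing_console.sh hunk `@@ -7,19 +19,25 @@` removes the working file-based flow (`-out signature.bin`, `base64 -w 0 < signature.bin`) and introduces `signature=$(echo -n "$signing_input" | openssl dgst -sha256 -sign private.pem)`, which is where the intermittent failure comes from: bash command substitution strips NUL bytes, and a DER ECDSA signature contains one most of the time, so both the verify line and the later `signature_b64=$(echo -n "$signature" | base64 ...)` operate on a damaged signature; the commented-out `echo -n "$signature" > sig.out` fails for the same reason. Either restore the signature file or never hold raw bytes in a variable, e.g. `signature_b64=$(echo -n "$signing_input" | openssl dgst -sha256 -sign private.pem | base64 | tr -d '\n=' | tr '+/' '-_')`, where the `tr -d '\n'` after base64 also removes the 76-column wrapping GNU base64 inserts. Separately, even with intact bytes `jwt="$signing_input.$signature_b64"` is not a valid ES256K JWS: `openssl dgst -sign` emits a DER SEQUENCE of the two INTEGERs r and s, while RFC 7518 and RFC 8812 require the raw 64-byte R||S concatenation in the third segment, so any conforming JWS verifier will reject the token and the script's own openssl verify cannot detect that. Convert DER to R||S (for example by extracting the two INTEGER values with `openssl asn1parse -inform DER` and left-padding each to 32 bytes) before base64url-encoding, or state in the comment that the printed token only illustrates the signing input. `echo Resulting JWT: $jwt` should also quote `"$jwt"`.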
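Review bot: the project.task.yaml hunk `@@ -5,8 +5,6 @@` in the second patch deletes the task "01 Show pop-up or some message confirming that settings & contacts download has been initiated/finished" without re-adding it anywhere (the diffstat shows `project.task.yaml | 2 --`), so unlike the moves in the first patch this is a drop, and neither the commit subject "update the script commands for JWT signature generation & validation" nor the body mentions it; either leave project.task.yaml out of this commit or say the task was removed and why.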