Browse Source
Adds dids_seen.sh script to check DID visibility permissions in endorser.ch system. Key features: - JWT creation and signing using ES256K-R - DID visibility checking via API - Environment variable and .env file support - Debug logging with DEBUG=1 flag - Command line argument parsing for specific DID checks - Secure key handling with temporary files - Pretty-printed JSON output Security: - Uses secure temporary files with cleanup - Validates DER signature format - Handles key material securely - Supports environment variable configuration
Matthew Raymer
8 months ago
1 changed files with 186 additions and 0 deletions
@ -0,0 +1,186 @@ |
|||||
|
#!/bin/bash |
||||
|
# DID Visibility Check Script |
||||
|
# @author Matthew Raymer |
||||
|
# |
||||
|
# This script checks visibility permissions for DIDs within the endorser.ch system. |
||||
|
# It creates a signed JWT using admin credentials and queries the visibility API. |
||||
|
# |
||||
|
# Features: |
||||
|
# - JWT creation and signing using ES256K-R |
||||
|
# - DID visibility checking |
||||
|
# - Environment variable support |
||||
|
# - Debug logging |
||||
|
# - Command line argument parsing |
||||
|
# |
||||
|
# Usage: |
||||
|
# ./dids_seen.sh [-d did_to_check] |
||||
|
# DEBUG=1 ./dids_seen.sh # For debug output |
||||
|
# |
||||
|
# Environment Variables: |
||||
|
# ADMIN_DID - Admin DID for authorization |
||||
|
# ADMIN_PRIVATE_KEY - Private key for signing |
||||
|
# ENDORSER_API_URL - API endpoint (defaults to test) |
||||
|
# DEBUG - Enable debug logging when set to 1 |
||||
|
|
||||
|
# Add debug logging function |
||||
|
debug_log() { |
||||
|
if [ "${DEBUG:-0}" = "1" ]; then |
||||
|
echo "DEBUG: $*" >&2 |
||||
|
fi |
||||
|
} |
||||
|
|
||||
|
# Parse command line arguments |
||||
|
# -d: Specific DID to check visibility for |
||||
|
CHECK_DID="" |
||||
|
while getopts "d:" opt; do |
||||
|
case $opt in |
||||
|
d) CHECK_DID="$OPTARG" ;; |
||||
|
\?) echo "Usage: $0 [-d did_to_check]" >&2; exit 1 ;; |
||||
|
esac |
||||
|
done |
||||
|
|
||||
|
# Load environment variables from .env file if present |
||||
|
# Supports: |
||||
|
# - ADMIN_DID |
||||
|
# - ADMIN_PRIVATE_KEY |
||||
|
# - ENDORSER_API_URL |
||||
|
if [ -f .env ]; then |
||||
|
export $(cat .env | grep -v '^#' | xargs) |
||||
|
fi |
||||
|
|
||||
|
# Default values for required parameters |
||||
|
ADMIN_DID=${ADMIN_DID:-"did:ethr:0x0000694B58C2cC69658993A90D3840C560f2F51F"} |
||||
|
ADMIN_PRIVATE_KEY=${ADMIN_PRIVATE_KEY:-"2b6472c026ec2aa2c4235c994a63868fc9212d18b58f6cbfe861b52e71330f5b"} |
||||
|
API_URL=${ENDORSER_API_URL:-"https://test-api.endorser.ch/api/report/whichDidsICanSee"} |
||||
|
|
||||
|
# Create JWT payload with: |
||||
|
# - Issuer (iss) |
||||
|
# - Subject (sub) |
||||
|
# - Issued At (iat) |
||||
|
# - Expiration (exp) |
||||
|
now=$(date +%s) |
||||
|
exp=$((now + 86400)) # 24 hours from now |
||||
|
|
||||
|
payload=$(jq -n \ |
||||
|
--arg iss "$ADMIN_DID" \ |
||||
|
--arg sub "$ADMIN_DID" \ |
||||
|
--arg iat "$now" \ |
||||
|
--arg exp "$exp" \ |
||||
|
'{ |
||||
|
iss: $iss, |
||||
|
sub: $sub, |
||||
|
iat: ($iat | tonumber), |
||||
|
exp: ($exp | tonumber) |
||||
|
}') |
||||
|
|
||||
|
# Base64url encode header and payload |
||||
|
# Header specifies ES256K-R algorithm for Ethereum compatibility |
||||
|
header='{"alg":"ES256K-R","typ":"JWT"}' |
||||
|
header_b64=$(echo -n "$header" | base64 -w 0 | tr '/+' '_-' | tr -d '=') |
||||
|
payload_b64=$(echo -n "$payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=') |
||||
|
|
||||
|
# Create message to sign (header.payload) |
||||
|
message="$header_b64.$payload_b64" |
||||
|
|
||||
|
# Create temporary directory for key operations |
||||
|
# Uses trap to ensure cleanup on exit |
||||
|
TMPDIR=$(mktemp -d) |
||||
|
trap 'rm -rf "$TMPDIR"' EXIT |
||||
|
|
||||
|
# Create private key PEM file |
||||
|
# Converts raw private key to PEM format for OpenSSL |
||||
|
echo "-----BEGIN EC PRIVATE KEY-----" > "$TMPDIR/private.pem" |
||||
|
( |
||||
|
echo "302e0201010420" # Private key header |
||||
|
echo -n "$ADMIN_PRIVATE_KEY" # Private key bytes |
||||
|
echo "a00706052b8104000a" # secp256k1 OID |
||||
|
) | xxd -r -p | base64 >> "$TMPDIR/private.pem" |
||||
|
echo "-----END EC PRIVATE KEY-----" >> "$TMPDIR/private.pem" |
||||
|
|
||||
|
# Write message to file for signing |
||||
|
echo -n "$message" > "$TMPDIR/message.txt" |
||||
|
|
||||
|
# Sign message and get DER format signature |
||||
|
openssl dgst -sha256 -sign "$TMPDIR/private.pem" "$TMPDIR/message.txt" > "$TMPDIR/signature.der" |
||||
|
|
||||
|
# Convert DER signature to hex |
||||
|
der_sig=$(xxd -p -c 256 "$TMPDIR/signature.der") |
||||
|
|
||||
|
# Parse DER structure |
||||
|
# Extracts R and S values from signature |
||||
|
if [[ $der_sig =~ ^30([0-9a-f]{2})02([0-9a-f]{2})([0-9a-f]*)02([0-9a-f]{2})([0-9a-f]*)$ ]]; then |
||||
|
r_len="${BASH_REMATCH[2]}" |
||||
|
r_val="${BASH_REMATCH[3]}" |
||||
|
s_len="${BASH_REMATCH[4]}" |
||||
|
s_val="${BASH_REMATCH[5]}" |
||||
|
|
||||
|
# Convert lengths to decimal |
||||
|
r_len_dec=$((16#$r_len)) |
||||
|
s_len_dec=$((16#$s_len)) |
||||
|
|
||||
|
# Handle R value padding |
||||
|
if [ $r_len_dec -gt 32 ]; then |
||||
|
r_val=${r_val: -64} # Take last 32 bytes |
||||
|
elif [ $r_len_dec -lt 32 ]; then |
||||
|
r_val=$(printf "%064s" "$r_val" | tr ' ' '0') # Left pad |
||||
|
fi |
||||
|
|
||||
|
# Handle S value padding |
||||
|
if [ $s_len_dec -gt 32 ]; then |
||||
|
s_val=${s_val: -64} # Take last 32 bytes |
||||
|
elif [ $s_len_dec -lt 32 ]; then |
||||
|
s_val=$(printf "%064s" "$s_val" | tr ' ' '0') # Left pad |
||||
|
fi |
||||
|
|
||||
|
# Create final signature |
||||
|
concat_sig="${r_val}${s_val}" |
||||
|
|
||||
|
# Calculate recovery bit (v) |
||||
|
# Try each possible recovery value (0-3) until we find one that works |
||||
|
for v in {0..3}; do |
||||
|
recovery_sig=$(printf "%s%02x" "$concat_sig" "$v") |
||||
|
debug_log "Trying recovery bit $v: $recovery_sig" |
||||
|
|
||||
|
# Convert to base64url |
||||
|
signature=$(echo -n "$recovery_sig" | xxd -r -p | base64 -w 0 | tr '/+' '_-' | tr -d '=') |
||||
|
|
||||
|
# Create JWT with this signature |
||||
|
JWT="$message.$signature" |
||||
|
|
||||
|
# Test the JWT against the API |
||||
|
response=$(curl -s -X GET "$API_URL" \ |
||||
|
-H "Content-Type: application/json" \ |
||||
|
-H "Authorization: Bearer $JWT") |
||||
|
|
||||
|
# Check if the JWT worked |
||||
|
if ! echo "$response" | grep -q "JWT_VERIFY_FAILED"; then |
||||
|
echo "JWT Token:" |
||||
|
echo "$JWT" |
||||
|
echo |
||||
|
echo "Export command:" |
||||
|
echo "export TOKEN='$JWT'" |
||||
|
echo |
||||
|
if [ -n "$CHECK_DID" ]; then |
||||
|
# Check if specific DID is in the list |
||||
|
if echo "$response" | jq -e --arg did "$CHECK_DID" 'contains([$did])' > /dev/null; then |
||||
|
echo "✅ DID $CHECK_DID is in the list" |
||||
|
exit 0 |
||||
|
else |
||||
|
echo "❌ DID $CHECK_DID is not in the list" |
||||
|
exit 1 |
||||
|
fi |
||||
|
else |
||||
|
# Show full list of visible DIDs |
||||
|
echo "$response" | jq '.' --indent 2 |
||||
|
fi |
||||
|
exit 0 |
||||
|
fi |
||||
|
done |
||||
|
|
||||
|
echo "Error: Could not find valid recovery bit" |
||||
|
exit 1 |
||||
|
else |
||||
|
echo "Error: Invalid DER signature format" |
||||
|
echo "DER: $der_sig" |
||||
|
exit 1 |
||||
|
fi |
||||
Loading…
Reference in new issue