crowd-funder-for-time-pwa/test-scripts/dids_seen.sh

#!/bin/bash
# DID Visibility Check Script
# @author Matthew Raymer
#
# This script checks visibility permissions for DIDs within the endorser.ch system.
# It creates a signed JWT using admin credentials and queries the visibility API.
#
# Features:
# - JWT creation and signing using ES256K-R
# - DID visibility checking
# - Environment variable support
# - Debug logging
# - Command line argument parsing
#
# Usage:
#   ./dids_seen.sh [-d did_to_check]
#   DEBUG=1 ./dids_seen.sh  # For debug output
#
# Environment Variables:
#   ADMIN_DID          - Admin DID for authorization
#   ADMIN_PRIVATE_KEY  - Private key for signing
#   ENDORSER_API_URL   - API endpoint (defaults to test)
#   DEBUG              - Enable debug logging when set to 1

# Enhanced debug logging
debug_log() {
    if [ "${DEBUG:-0}" = "1" ]; then
        echo "DEBUG: $*" >&2
    fi
}

# Parse command line arguments
# -d: Specific DID to check visibility for
CHECK_DID=""
while getopts "d:" opt; do
    case $opt in
        d) CHECK_DID="$OPTARG" ;;
        \?) echo "Usage: $0 [-d did_to_check]" >&2; exit 1 ;;
    esac
done

# Load environment variables from .env file if present
# Supports:
# - ADMIN_DID
# - ADMIN_PRIVATE_KEY
# - ENDORSER_API_URL
if [ -f .env ]; then
    export $(cat .env | grep -v '^#' | xargs)
fi

# Default values for required parameters
ADMIN_DID=${ADMIN_DID:-"did:ethr:0x0000694B58C2cC69658993A90D3840C560f2F51F"}
ADMIN_PRIVATE_KEY=${ADMIN_PRIVATE_KEY:-"2b6472c026ec2aa2c4235c994a63868fc9212d18b58f6cbfe861b52e71330f5b"}
API_URL=${ENDORSER_API_URL:-"https://test-api.endorser.ch/api/report/whichDidsICanSee"}

# Create JWT payload with:
# - Issuer (iss)
# - Subject (sub)
# - Issued At (iat)
# - Expiration (exp)
now=$(date +%s)
exp=$((now + 86400))  # 24 hours from now

payload=$(jq -n \
    --arg iss "$ADMIN_DID" \
    --arg sub "$ADMIN_DID" \
    --arg iat "$now" \
    --arg exp "$exp" \
    '{
        iss: $iss,
        sub: $sub,
        iat: ($iat | tonumber),
        exp: ($exp | tonumber)
           }')

# Base64url encode header and payload
# Header specifies ES256K-R algorithm for Ethereum compatibility
header='{"alg":"ES256K-R","typ":"JWT"}'
header_b64=$(echo -n "$header" | base64 -w 0 | tr '/+' '_-' | tr -d '=')
payload_b64=$(echo -n "$payload" | base64 -w 0 | tr '/+' '_-' | tr -d '=')

# Create message to sign (header.payload)
message="$header_b64.$payload_b64"

# Add debug points
debug_log "Creating JWT with:"
debug_log "ADMIN_DID: $ADMIN_DID"
debug_log "API_URL: $API_URL"
debug_log "Payload: $payload"
debug_log "Header base64: $header_b64"
debug_log "Payload base64: $payload_b64"
debug_log "Message to sign: $message"

# Create temporary directory for key operations
# Uses trap to ensure cleanup on exit
TMPDIR=$(mktemp -d)
trap 'rm -rf "$TMPDIR"' EXIT

# Create private key PEM file
# Converts raw private key to PEM format for OpenSSL
echo "-----BEGIN EC PRIVATE KEY-----" > "$TMPDIR/private.pem"
(
    echo "302e0201010420"  # Private key header
    echo -n "$ADMIN_PRIVATE_KEY"  # Private key bytes
    echo "a00706052b8104000a"  # secp256k1 OID
) | xxd -r -p | base64 >> "$TMPDIR/private.pem"
echo "-----END EC PRIVATE KEY-----" >> "$TMPDIR/private.pem"

# Write message to file for signing
echo -n "$message" > "$TMPDIR/message.txt"

# Sign message and get DER format signature
openssl dgst -sha256 -sign "$TMPDIR/private.pem" "$TMPDIR/message.txt" > "$TMPDIR/signature.der"

# Convert DER signature to hex
der_sig=$(xxd -p -c 256 "$TMPDIR/signature.der")

# Parse DER structure
# Extracts R and S values from signature
if [[ $der_sig =~ ^30([0-9a-f]{2})02([0-9a-f]{2})([0-9a-f]*)02([0-9a-f]{2})([0-9a-f]*)$ ]]; then
    r_len="${BASH_REMATCH[2]}"
    r_val="${BASH_REMATCH[3]}"
    s_len="${BASH_REMATCH[4]}"
    s_val="${BASH_REMATCH[5]}"
    
    debug_log "Raw signature values:"
    debug_log "  R (${#r_val} chars): $r_val"
    debug_log "  S (${#s_val} chars): $s_val"
    
    # Convert lengths to decimal
    r_len_dec=$((16#$r_len))
    s_len_dec=$((16#$s_len))
    
    # Handle R value padding
    if [ $r_len_dec -gt 32 ]; then
        r_val=${r_val: -64}  # Take last 32 bytes
    elif [ $r_len_dec -lt 32 ]; then
        r_val=$(printf "%064s" "$r_val" | tr ' ' '0')  # Left pad
    fi
    
    # Handle S value padding
    if [ $s_len_dec -gt 32 ]; then
        s_val=${s_val: -64}  # Take last 32 bytes
    elif [ $s_len_dec -lt 32 ]; then
        s_val=$(printf "%064s" "$s_val" | tr ' ' '0')  # Left pad
    fi
    
    # Ensure both values are exactly 64 characters
    r_val=$(printf "%064s" "$r_val" | tr ' ' '0')
    s_val=$(printf "%064s" "$s_val" | tr ' ' '0')
    
    debug_log "Normalized values:"
    debug_log "  R (${#r_val} chars): $r_val"
    debug_log "  S (${#s_val} chars): $s_val"
    
    # Create final signature
    concat_sig="${r_val}${s_val}"
    
    # Debug the DER parsing
    debug_log "DER Signature Analysis:"
    debug_log "  Full DER: $der_sig"
    debug_log "  Sequence length: ${BASH_REMATCH[1]}"
    debug_log "  R length: $r_len ($r_len_dec bytes)"
    debug_log "  S length: $s_len ($s_len_dec bytes)"
    
    # Debug signature components
    debug_log "Signature components:"
    debug_log "  R value: $r_val (length: ${#r_val})"
    debug_log "  S value: $s_val (length: ${#s_val})"
    debug_log "  Concatenated: $concat_sig (length: ${#concat_sig})"
    
    # Try both normal and high-S value signatures
    s_val_alt=""
    if [ $s_len_dec -gt 32 ]; then
        # Store alternative S value
        s_val_alt="$s_val"
        # Calculate N - s for high-S values
        n="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141"
        # Use Python for hex math to avoid bc issues
        normalized_s=$(python3 -c "
            n = int('$n', 16)
            s = int('${s_val}', 16)
            result = hex(n - s)[2:].zfill(64)
            print(result.lower())
        " 2>/dev/null || echo "ERROR")
        if [ "$normalized_s" = "ERROR" ]; then
            debug_log "  Failed to normalize S value"
            # Keep original s_val if normalization fails
            s_val_alt=""
        else
            s_val=$(printf "%064s" "$normalized_s" | tr ' ' '0' | tr '[:upper:]' '[:lower:]')
            debug_log "  Normalized S value: $s_val"
        fi
    fi
    
    # Calculate recovery bit (v)
    # Try each possible recovery value (0-3) until we find one that works
    for v in {0..3}; do
        # Try both S values if we have an alternative
        s_values=("$s_val")
        if [ -n "$s_val_alt" ]; then
            s_values+=("$s_val_alt")
        fi
        
        for current_s in "${s_values[@]}"; do
            concat_sig="${r_val}${current_s}"
            debug_log "Trying with S value: $current_s"
            
            recovery_sig=$(printf "%s%02x" "$concat_sig" "$v")
            debug_log "Recovery attempt $v:"
            debug_log "  Concatenated signature: $concat_sig"
            debug_log "  Recovery signature: $recovery_sig"
            debug_log "  Recovery signature length: ${#recovery_sig}"
            
            # Ensure signature is exactly 65 bytes (130 hex chars)
            if [ ${#recovery_sig} -ne 130 ]; then
                debug_log "  Invalid signature length: ${#recovery_sig}, expected 130"
                continue
            fi
            
            # Convert hex to binary, then to base64url
            signature=$(echo -n "$recovery_sig" | xxd -r -p 2>/dev/null | base64 -w 0 | tr '/+' '_-' | tr -d '=')
            debug_log "  Base64URL signature: $signature"
            
            # Create JWT with this signature
            JWT="$message.$signature"
            debug_log "  Testing JWT: $JWT"
            
            # Test the JWT against the API
            response=$(curl -s -X GET "$API_URL" \
                 -H "Content-Type: application/json" \
                 -H "Authorization: Bearer $JWT")
            debug_log "  API Response: $response"
            
            # Check if the JWT worked
            if ! echo "$response" | grep -q "JWT.*failed"; then
                echo "JWT Token:"
                echo "$JWT"
                debug_log "Success with v=$v and S=${current_s:0:8}..."
                echo
                echo "Export command:"
                echo "export TOKEN='$JWT'"
                echo
                if [ -n "$CHECK_DID" ]; then
                    # Check if specific DID is in the list
                    if echo "$response" | jq -e --arg did "$CHECK_DID" 'contains([$did])' > /dev/null; then
                        echo "✅ DID $CHECK_DID is in the list"
                        exit 0
                    else
                        echo "❌ DID $CHECK_DID is not in the list"
                        echo "Attempting to add visibility..."
                        
                        # Request visibility
                        visibility_response=$(curl -s -X POST \
                            'http://test-api.endorser.ch/api/report/canSeeMe' \
                            -H "Authorization: Bearer $JWT" \
                            -H "Content-Type: application/json" \
                            -d "{\"did\": \"$CHECK_DID\"}")
                        
                        if echo "$visibility_response" | grep -q "error"; then
                            echo "❌ Failed to add visibility:"
                            echo "$visibility_response" | jq '.' --indent 2
                            exit 1
                        else
                            echo "✅ Successfully requested visibility. Please try checking again."
                            exit 0
                        fi
                    fi
                else
                    # Show full list of visible DIDs
                    echo "$response" | jq '.' --indent 2
                fi
                exit 0
            fi
        done
    done
    
    echo "Error: Could not find valid recovery bit"
    exit 1
else
    echo "Error: Invalid DER signature format"
    echo "DER: $der_sig"
    exit 1
fi