feat(http-signature-utils): move http signature related code to this package

.github/workflows/lint_test_build.yml

@@ -80,9 +80,18 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - uses: ./.github/workflows/rafiki/env-setup
-      - run: pnpm --filter openapi build
+      - run: pnpm --filter open-payments build:deps
       - run: pnpm --filter open-payments test
 
+  http-signature-utils:
+    runs-on: ubuntu-latest
+    needs: checkout
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ./.github/workflows/rafiki/env-setup
+      - run: pnpm --filter http-signature-utils test
+
   build:
     runs-on: ubuntu-latest
     timeout-minutes: 5
@@ -93,6 +102,7 @@ jobs:
       - openapi
       - mock-account-provider
       - open-payments
+      - http-signature-utils
     steps:
       - uses: actions/checkout@v2
       - uses: ./.github/workflows/rafiki/env-setup

packages/auth/package.json

@@ -7,7 +7,7 @@
   ],
   "scripts": {
     "knex": "knex",
-    "build:deps": "pnpm --filter open-payments build",
+    "build:deps": "pnpm --filter open-payments build && pnpm --filter http-signature-utils build",
     "build": "pnpm build:deps && tsc --build tsconfig.json && pnpm copy-files",
     "clean": "rm -fr dist/",
     "fetch-schemas": "./scripts/get-op-schema.sh",

packages/backend/package.json

@@ -4,7 +4,7 @@
     "test": "jest --passWithNoTests --maxWorkers=50%",
     "knex": "knex",
     "generate": "graphql-codegen --config codegen.yml",
-    "build:deps": "pnpm --filter auth build",
+    "build:deps": "pnpm --filter auth build && pnpm --filter http-signature-utils build",
     "build": "pnpm build:deps && tsc --build tsconfig.json && pnpm copy-files",
     "clean": "rm -fr dist/",
     "copy-files": "cp src/graphql/schema.graphql dist/graphql/",
@@ -66,6 +66,7 @@
     "graphql": "^16.6.0",
     "graphql-scalars": "^1.18.0",
     "graphql-tools": "^8.3.3",
+    "http-signature-utils": "workspace:../http-signature-utils",
     "ilp-packet": "3.1.4-alpha.1",
     "ilp-protocol-ccp": "^1.2.2",
     "ilp-protocol-ildcp": "^2.2.3",

packages/backend/src/config/app.ts

@@ -1,6 +1,7 @@
 import * as crypto from 'crypto'
 import * as fs from 'fs'
 import { ConnectionOptions } from 'tls'
+import { parseOrProvisionKey } from 'http-signature-utils'
 
 function envString(name: string, value: string): string {
   const envValue = process.env[name]
@@ -24,9 +25,6 @@ function envBool(name: string, value: boolean): boolean {
 
 export type IAppConfig = typeof Config
 
-const TMP_DIR = './tmp'
-const PRIVATE_KEY_FILE = `${TMP_DIR}/private-key-${new Date().getTime()}.pem`
-
 export const Config = {
   logLevel: envString('LOG_LEVEL', 'info'),
   // publicHost is for open payments URLs.
@@ -147,32 +145,3 @@ function parseRedisTlsConfig(
 
   return Object.keys(options).length > 0 ? options : undefined
 }
-
-// exported for testing
-export function parseOrProvisionKey(
-  keyFile: string | undefined
-): crypto.KeyObject {
-  if (keyFile) {
-    try {
-      const key = crypto.createPrivateKey(fs.readFileSync(keyFile))
-      const jwk = key.export({ format: 'jwk' })
-      if (jwk.crv === 'Ed25519') {
-        return key
-      } else {
-        console.log('Private key is not EdDSA-Ed25519 key. Generating new key.')
-      }
-    } catch (err) {
-      console.log('Private key could not be loaded.')
-      throw err
-    }
-  }
-  const keypair = crypto.generateKeyPairSync('ed25519')
-  if (!fs.existsSync(TMP_DIR)) {
-    fs.mkdirSync(TMP_DIR)
-  }
-  fs.writeFileSync(
-    PRIVATE_KEY_FILE,
-    keypair.privateKey.export({ format: 'pem', type: 'pkcs8' })
-  )
-  return keypair.privateKey
-}

packages/http-signature-utils/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "http-signature-utils",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist/**/*"
+  ],
+  "scripts": {
+    "build": "tsc --build tsconfig.json"
+  },
+  "dependencies": {
+    "http-message-signatures": "^0.1.2",
+    "koa": "^2.13.4",
+    "koa-bodyparser": "^4.3.0",
+    "koa-json": "^2.0.2",
+    "koa-logger": "^3.2.1",
+    "koa-router": "^12.0.0",
+    "uuid": "^8.3.2"
+  },
+  "devDependencies": {
+    "@types/koa": "2.13.5",
+    "@types/koa-bodyparser": "^4.3.7",
+    "@types/koa-json": "^2.0.20",
+    "@types/koa-logger": "^3.1.2",
+    "@types/koa-router": "^7.4.4",
+    "@types/node": "^18.7.12",
+    "@types/uuid": "^8.3.4",
+    "typescript": "^4.9.3"
+  }
+}

packages/http-signature-utils/src/app.ts

@@ -0,0 +1,45 @@
+import Koa from 'koa'
+import Router from 'koa-router'
+
+import logger from 'koa-logger'
+import json from 'koa-json'
+import bodyParser from 'koa-bodyparser'
+
+import { createSignatureHeaders } from './utils/signatures'
+import { parseOrProvisionKey } from './utils/key'
+import { v4 as uuid } from 'uuid'
+import { RequestLike } from 'http-message-signatures'
+
+const app = new Koa()
+const router = new Router()
+
+// Load key
+const privateKey = parseOrProvisionKey(process.env.KEY_FILE)
+const keyId = process.env.KEY_ID || uuid()
+
+// Router
+router.get('/', async (ctx): Promise<void> => {
+  ctx.body = { msg: "I don't exist." }
+})
+
+router.post('/', async (ctx): Promise<void> => {
+  const request = ctx.request.body as RequestLike
+  if (!request.headers || !request.method || !request.url) {
+    ctx.status = 400
+    return
+  }
+  const headers = await createSignatureHeaders({ request, privateKey, keyId })
+  ctx.body = headers
+})
+
+// Middlewares
+app.use(json())
+app.use(logger())
+app.use(bodyParser())
+
+// Routes
+app.use(router.routes()).use(router.allowedMethods())
+
+app.listen(3000, () => {
+  console.log('HTTP Signature Manager started.')
+})

packages/http-signature-utils/src/index.ts

@@ -0,0 +1,3 @@
+export { generateJwk } from './utils/jwk'
+export { parseOrProvisionKey } from './utils/key'
+export { createSignatureHeaders } from './utils/signatures'

packages/open-payments/src/jwk.ts → packages/http-signature-utils/src/utils/jwk.ts

@@ -1,5 +1,13 @@
 import { createPublicKey, generateKeyPairSync, KeyObject } from 'crypto'
-import { JWK } from './types'
+
+type JWK = {
+  kid: string
+  alg: 'EdDSA'
+  use?: 'sig'
+  kty: 'OKP'
+  crv: 'Ed25519'
+  x: string
+}
 
 export const generateJwk = ({
   privateKey: providedPrivateKey,

packages/backend/src/config/app.test.ts → packages/http-signature-utils/src/utils/key.test.ts

@@ -1,7 +1,7 @@
 import * as assert from 'assert'
 import * as crypto from 'crypto'
 import * as fs from 'fs'
-import { parseOrProvisionKey } from './app'
+import { parseOrProvisionKey } from './key'
 
 describe('Config', (): void => {
   describe('parseOrProvisionKey', (): void => {

packages/http-signature-utils/src/utils/key.ts

@@ -0,0 +1,33 @@
+import * as crypto from 'crypto'
+import * as fs from 'fs'
+
+const TMP_DIR = './tmp'
+const PRIVATE_KEY_FILE = `${TMP_DIR}/private-key-${new Date().getTime()}.pem`
+
+export function parseOrProvisionKey(
+  keyFile: string | undefined
+): crypto.KeyObject {
+  if (keyFile) {
+    try {
+      const key = crypto.createPrivateKey(fs.readFileSync(keyFile))
+      const jwk = key.export({ format: 'jwk' })
+      if (jwk.crv === 'Ed25519') {
+        return key
+      } else {
+        console.log('Private key is not EdDSA-Ed25519 key. Generating new key.')
+      }
+    } catch (err) {
+      console.log('Private key could not be loaded.')
+      throw err
+    }
+  }
+  const keypair = crypto.generateKeyPairSync('ed25519')
+  if (!fs.existsSync(TMP_DIR)) {
+    fs.mkdirSync(TMP_DIR)
+  }
+  fs.writeFileSync(
+    PRIVATE_KEY_FILE,
+    keypair.privateKey.export({ format: 'pem', type: 'pkcs8' })
+  )
+  return keypair.privateKey
+}

packages/http-signature-utils/tsconfig.json

@@ -0,0 +1,11 @@
+{
+  "extends": "../../tsconfig.build.json",
+  "compilerOptions": {
+    "lib": ["ES2020"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "declaration": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["**/*.test.ts", "src/test/*"]
+}

packages/open-payments/package.json

@@ -7,7 +7,7 @@
     "dist/**/*"
   ],
   "scripts": {
-    "build:deps": "pnpm --filter openapi build",
+    "build:deps": "pnpm --filter openapi build && pnpm --filter http-signature-utils build",
     "build": "pnpm build:deps && pnpm clean && tsc --build tsconfig.json",
     "clean": "rm -fr dist/",
     "generate:types": "npx ts-node scripts/generate-types.ts",
@@ -26,6 +26,7 @@
   "dependencies": {
     "axios": "^1.1.2",
     "http-message-signatures": "^0.1.2",
+    "http-signature-utils": "workspace:../http-signature-utils",
     "openapi": "workspace:../openapi",
     "pino": "^8.4.2"
   }

packages/open-payments/src/client/requests.ts

@@ -2,7 +2,7 @@ import axios, { AxiosInstance } from 'axios'
 import { KeyLike } from 'crypto'
 import { ResponseValidator } from 'openapi'
 import { BaseDeps } from '.'
-import { createSignatureHeaders } from './signatures'
+import { createSignatureHeaders } from 'http-signature-utils'
 
 interface GetArgs {
   url: string

packages/open-payments/src/index.ts

@@ -16,5 +16,3 @@ export {
   AuthenticatedClient,
   UnauthenticatedClient
 } from './client'
-
-export { generateJwk } from './jwk'