go/varsig
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: go:v1.0.0-pre3
Branches Tags
go:main go:add-ci go:deps go:constants-alloc
go:v1.0.0 go:v1.0.0-pre6 go:v1.0.0-pre5 go:v1.0.0-pre4 go:v1.0.0-pre3 go:v1.0.0-pre2 go:v1.0.0-pre1
...
compare: go:v1.0.0-pre6
Branches Tags
go:main go:add-ci go:deps go:constants-alloc
go:v1.0.0 go:v1.0.0-pre6 go:v1.0.0-pre5 go:v1.0.0-pre4 go:v1.0.0-pre3 go:v1.0.0-pre2 go:v1.0.0-pre1

23 Commits
v1.0.0-pre ... v1.0.0-pre

Author SHA1 Message Date
Michael Muré
8c8da51656 Expose the hash on all varsig 2025-07-29 15:22:15 +02:00
Michael Muré
af0845c832 Remove support for varsig v0 2025-07-28 20:41:02 +02:00
Michael Muré
35ef54f79f feat: turns out, PayloadEncoding can be multiple values for EIP191 2025-07-24 16:52:58 +02:00
Michael Muré
2f22cb9b15 feat(test): add more tests for the presets, and compat with iso-ucan 2025-07-24 16:52:58 +02:00
Michael Muré
a43c3af4c8 feat(ecdsa): implement varsig for EdDSA 2025-07-22 14:24:39 +02:00
Michael Muré
eab24207bc fix(eddsa): ed25519 or ed448 should be curves, not discriminator 2025-07-22 13:57:22 +02:00
Michael Muré
be01529d44 perf: pre-allocate the buffer when encoding a varsig 2025-07-22 13:10:12 +02:00
Michael Muré
182036b055 fix(eddsa): fix the size of the signature check for ed448 2025-07-22 12:04:31 +02:00
Michael Muré
0763d6f8b6 feat(hashes): shorten HashAlgorithm to Hash, add more of them 2025-07-22 12:03:56 +02:00
Michael Muré
c7a870e9db readme: add authorship and license 2025-07-11 07:28:42 +02:00
Steve Moyer
2238f3a26c build: run GitHub checks only once 2025-07-10 10:47:33 -04:00
Steve Moyer
f2cd448a11 build: support Go v1.23.10 downstream 2025-07-10 10:10:35 -04:00
Steve Moyer
25d4579b29 test(ucan): add test for updated UCAN example varsig 2025-07-10 06:46:07 -04:00
Michael Muré
5fb3516d15 feat(deps): remove the multicodec dependency, as varsig constants are not multicodec 2025-07-10 12:39:27 +02:00
Michael Muré
eb70826a70 varsig: handle unknown version with an error 2025-07-09 13:39:09 +02:00
Michael Muré
6308c66ab7 update varsig documentation 2025-07-09 13:39:09 +02:00
Steve Moyer
f6b72f1907 fix(v0): restores validateSig behavior 2025-07-09 13:39:09 +02:00
Michael Muré
03770e0d38 use value receiver, remove unneeded generic 2025-07-09 13:39:09 +02:00
Steve Moyer
1ea8b00efd Merge pull request #1 from ucan-wg/constants-alloc 
perf(constants): avoid allocating a map for each Decode*() call
 2025-07-08 11:53:19 -04:00
Steve Moyer
21a78a9d2d fix(eddsa): use DecodeHashAlgorithm and create decodeEdDSACurve 2025-07-08 11:27:18 -04:00
Michael Muré
5cea53af26 perf(constants): avoid allocating a map for each Decode*() call 
```
goos: linux
goarch: amd64
pkg: github.com/ucan-wg/go-varsig
cpu: 13th Gen Intel(R) Core(TM) i7-1360P
                         │    old.txt    │               new.txt                │
                         │    sec/op     │    sec/op     vs base                │
DecodeHashAlgorithm-16     145.65n ± 10%   59.62n ± 30%  -59.07% (p=0.000 n=10)
DecodePayloadEncoding-16   136.65n ± 46%   50.02n ±  5%  -63.40% (p=0.000 n=10)
geomean                     141.1n         54.60n        -61.29%

                         │  old.txt   │               new.txt               │
                         │    B/op    │    B/op     vs base                 │
DecodeHashAlgorithm-16     48.00 ± 0%   48.00 ± 0%       ~ (p=1.000 n=10) ¹
DecodePayloadEncoding-16   48.00 ± 0%   48.00 ± 0%       ~ (p=1.000 n=10) ¹
geomean                    48.00        48.00       +0.00%
¹ all samples are equal

                         │  old.txt   │               new.txt               │
                         │ allocs/op  │ allocs/op   vs base                 │
DecodeHashAlgorithm-16     1.000 ± 0%   1.000 ± 0%       ~ (p=1.000 n=10) ¹
DecodePayloadEncoding-16   1.000 ± 0%   1.000 ± 0%       ~ (p=1.000 n=10) ¹
geomean                    1.000        1.000       +0.00%
¹ all samples are equal
```
 2025-07-08 16:53:40 +02:00
Steve Moyer
8dcaefbf3a feat: switch to dual Apache/MIT licenses 2025-07-08 10:51:45 -04:00
Steve Moyer
caaa0204b8 fix(hash): HashAlgorithmUnspecified should not be ok 2025-07-08 09:42:09 -04:00
22 changed files with 885 additions and 874 deletions
Expand all files Collapse all files

2
.github/workflows/pre-commit.yaml vendored
View File

@@ -1,9 +1,7 @@
name: pre-commit
on:
pull_request:
push:
# branches: [main]
jobs:
pre-commit:

212
LICENSE
View File

@@ -1,201 +1,25 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
The contents of this repository are Copyright (c) corresponding authors and
contributors, licensed under the `Permissive License Stack` meaning either of:
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
- Apache-2.0 Software License: https://www.apache.org/licenses/LICENSE-2.0
([...4tr2kfsq](https://dweb.link/ipfs/bafkreiankqxazcae4onkp436wag2lj3ccso4nawxqkkfckd6cg4tr2kfsq))
1. Definitions.
- MIT Software License: https://opensource.org/licenses/MIT
([...vljevcba](https://dweb.link/ipfs/bafkreiepofszg4gfe2gzuhojmksgemsub2h4uy2gewdnr35kswvljevcba))
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
You may not use the contents of this repository except in compliance
with one of the listed Licenses. For an extended clarification of the
intent behind the choice of Licensing please refer to
https://protocol.ai/blog/announcing-the-permissive-license-stack/
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
Unless required by applicable law or agreed to in writing, software
distributed under the terms listed in this notice is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
either express or implied. See each License for the specific language
governing permissions and limitations under that License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
<!--- SPDX-License-Identifier: Apache-2.0 OR MIT -->
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
`SPDX-License-Identifier: Apache-2.0 OR MIT`
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Verbatim copies of both licenses are included in the LICENSE-APACHE-2.0 and LICENSE-MIT files.

201
LICENSE-APACHE-2.0 Normal file
View File

@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2025 UCAN Working Group - All right reserved
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

21
LICENSE-MIT Normal file
View File

@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2025 UCAN Working Group - All rights reserved
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

20
README.md
View File

@@ -1,13 +1,12 @@
# go-varsig
`go-varsig` implements the upcoming v1.0.0 release of the [`varsig` specification](https://github.com/ChainAgnostic/varsig/pull/18)
with limited (and soon to be deprecated) support for the `varsig` < v1.0
specification. This is predominatly included to support the UCAN v1.0
use-case.
`go-varsig` is a go implementation of the [`varsig` specification](https://github.com/ChainAgnostic/varsig).
Built with ❤️ by [Consensys](https://consensys.io/).
## Usage
Include the `go-varsig` library by running the following command:
Include the `go-varsig` library by running the following command:
```bash
go get github.com/ucan-wg/go-varsig@latest
@@ -29,7 +28,7 @@ asdf install
### Checks
This repository contains an set of pre-commit hooks that are run prior to
This repository contains a set of pre-commit hooks that are run prior to
each `git commit`. You can also run these checks manually using the
following command:
@@ -49,8 +48,15 @@ simulate the `docker` daemon:
export DOCKER_HOST=unix:///var/run/podman/podman.sock
```
Since there's only one workflow, the simplest command to test it is:
The simplest command to test it is:
```bash
act
```
## License
This project is dual-licensed under Apache 2.0 and MIT terms:
- Apache License, Version 2.0, ([LICENSE-APACHE](https://github.com/ucan-wg/go-varsig/blob/master/LICENSE-APACHE-2.0) or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license ([LICENSE-MIT](https://github.com/ucan-wg/go-varsig/blob/master/LICENSE-MIT) or http://opensource.org/licenses/MIT)

90
common.go
View File

@@ -1,41 +1,73 @@
package varsig
// Ed25519 produces a varsig that describes the associated algorithm defined
// by the [IANA JOSE specification].
//
import "fmt"
// [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
func Ed25519(payloadEncoding PayloadEncoding, opts ...Option) (*EdDSAVarsig, error) {
return NewEdDSAVarsig(CurveEd25519, HashAlgorithmSHA512, payloadEncoding, opts...)
// Ed25519 produces a varsig for EdDSA using the Ed25519 curve.
// This algorithm is defined in [IANA JOSE specification].
func Ed25519(payloadEncoding PayloadEncoding) EdDSAVarsig {
return NewEdDSAVarsig(CurveEd25519, HashSha2_512, payloadEncoding)
}
// Ed448 produces a varsig that describes the associated algorithm defined
// by the [IANA JOSE specification].
//
// [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
func Ed448(payloadEncoding PayloadEncoding, opts ...Option) (*EdDSAVarsig, error) {
return NewEdDSAVarsig(CurveEd448, HashAlgorithmShake256, payloadEncoding, opts...)
// Ed448 produces a varsig for EdDSA using the Ed448 curve.
// This algorithm is defined in [IANA JOSE specification].
func Ed448(payloadEncoding PayloadEncoding) EdDSAVarsig {
return NewEdDSAVarsig(CurveEd448, HashShake_256, payloadEncoding)
}
// RS256 produces a varsig that describes the associated algorithm defined
// by the [IANA JOSE specification].
//
// [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
func RS256(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*RSAVarsig, error) {
return NewRSAVarsig(HashAlgorithmSHA256, keyLength, payloadEncoding, opts...)
// RS256 produces a varsig for RSASSA-PKCS1-v1_5 using SHA-256.
// This algorithm is defined in [IANA JOSE specification].
func RS256(keyLength uint64, payloadEncoding PayloadEncoding) RSAVarsig {
return NewRSAVarsig(HashSha2_256, keyLength, payloadEncoding)
}
// RS384 produces a varsig that describes the associated algorithm defined
// by the [IANA JOSE specification].
//
// [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
func RS384(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*RSAVarsig, error) {
return NewRSAVarsig(HashAlgorithmSHA384, keyLength, payloadEncoding, opts...)
// RS384 produces a varsig for RSASSA-PKCS1-v1_5 using SHA-384.
// This algorithm is defined in [IANA JOSE specification].
func RS384(keyLength uint64, payloadEncoding PayloadEncoding) RSAVarsig {
return NewRSAVarsig(HashSha2_384, keyLength, payloadEncoding)
}
// RS512 produces a varsig that describes the associated algorithm defined
// by the [IANA JOSE specification].
//
// [IANA JOSE specification]: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
func RS512(keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*RSAVarsig, error) {
return NewRSAVarsig(HashAlgorithmSHA512, keyLength, payloadEncoding, opts...)
// RS512 produces a varsig for RSASSA-PKCS1-v1_5 using SHA-512.
// This algorithm is defined in [IANA JOSE specification].
func RS512(keyLength uint64, payloadEncoding PayloadEncoding) RSAVarsig {
return NewRSAVarsig(HashSha2_512, keyLength, payloadEncoding)
}
// ES256 produces a varsig for ECDSA using P-256 and SHA-256.
// This algorithm is defined in [IANA JOSE specification].
func ES256(payloadEncoding PayloadEncoding) ECDSAVarsig {
return NewECDSAVarsig(CurveP256, HashSha2_256, payloadEncoding)
}
// ES256K produces a varsig for ECDSA using secp256k1 curve and SHA-256.
// This algorithm is defined in [IANA JOSE specification].
func ES256K(payloadEncoding PayloadEncoding) ECDSAVarsig {
return NewECDSAVarsig(CurveSecp256k1, HashSha2_256, payloadEncoding)
}
// ES384 produces a varsig for ECDSA using P-384 and SHA-384.
// This algorithm is defined in [IANA JOSE specification].
func ES384(payloadEncoding PayloadEncoding) ECDSAVarsig {
return NewECDSAVarsig(CurveP384, HashSha2_384, payloadEncoding)
}
// ES512 produces a varsig for ECDSA using P-521 and SHA-512.
// This algorithm is defined in [IANA JOSE specification].
func ES512(payloadEncoding PayloadEncoding) ECDSAVarsig {
return NewECDSAVarsig(CurveP521, HashSha2_512, payloadEncoding)
}
// EIP191 produces a varsig for ECDSA using the Secp256k1 curve, Keccak256 and encoded
// with the "personal_sign" format defined by [EIP191].
// payloadEncoding must be either PayloadEncodingEIP191Raw or PayloadEncodingEIP191Cbor.
// [EIP191]: https://eips.ethereum.org/EIPS/eip-191
func EIP191(payloadEncoding PayloadEncoding) (ECDSAVarsig, error) {
switch payloadEncoding {
case PayloadEncodingEIP191Raw, PayloadEncodingEIP191Cbor:
default:
return ECDSAVarsig{}, fmt.Errorf("%w for EIP191: %v", ErrUnsupportedPayloadEncoding, payloadEncoding)
}
return NewECDSAVarsig(CurveSecp256k1, HashKeccak_256, payloadEncoding), nil
}

183
common_test.go
View File

@@ -1,63 +1,146 @@
package varsig_test
import (
"encoding/hex"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/ucan-wg/go-varsig"
)
func TestEd25519(t *testing.T) {
t.Parallel()
func TestRoundTrip(t *testing.T) {
for _, tc := range []struct {
name string
varsig varsig.Varsig
dataHex string
dataBytes []byte
}{
// Arbitrary use of presets
{
name: "Ed25519",
varsig: varsig.Ed25519(varsig.PayloadEncodingDAGCBOR),
dataHex: "3401ed01ed011371",
},
{
name: "Ed448",
varsig: varsig.Ed448(varsig.PayloadEncodingDAGCBOR),
dataHex: "3401ed0183241971",
},
{
name: "RS256",
varsig: varsig.RS256(0x100, varsig.PayloadEncodingDAGCBOR),
dataHex: "3401852412800271",
},
{
name: "RS384",
varsig: varsig.RS384(0x100, varsig.PayloadEncodingDAGCBOR),
dataHex: "3401852420800271",
},
{
name: "RS512",
varsig: varsig.RS512(0x100, varsig.PayloadEncodingDAGCBOR),
dataHex: "3401852413800271",
},
{
name: "ES256",
varsig: varsig.ES256(varsig.PayloadEncodingDAGCBOR),
dataHex: "3401ec0180241271",
},
{
name: "ES256K",
varsig: varsig.ES256K(varsig.PayloadEncodingDAGCBOR),
dataHex: "3401ec01e7011271",
},
{
name: "ES384",
varsig: varsig.ES384(varsig.PayloadEncodingDAGCBOR),
dataHex: "3401ec0181242071",
},
{
name: "ES512",
varsig: varsig.ES512(varsig.PayloadEncodingDAGCBOR),
dataHex: "3401ec0182241371",
},
{
name: "EIP191",
varsig: must(varsig.EIP191(varsig.PayloadEncodingEIP191Raw)),
dataHex: "3401ec01e7011b91c3035f",
},
in := mustVarsig[varsig.EdDSAVarsig](t)(varsig.Ed25519(varsig.PayloadEncodingDAGCBOR))
out := roundTrip(t, in, "3401ed01ed011371")
assertEdDSAEqual(t, in, out)
// from https://github.com/hugomrdias/iso-repo/blob/main/packages/iso-ucan/test/varsig.test.js
{
name: "RS256+RAW",
varsig: varsig.RS256(256, varsig.PayloadEncodingVerbatim),
dataBytes: []byte{52, 1, 133, 36, 18, 128, 2, 95},
},
{
name: "ES256+RAW",
varsig: varsig.ES256(varsig.PayloadEncodingVerbatim),
dataBytes: []byte{52, 1, 236, 1, 128, 36, 18, 95},
},
{
name: "ES512+RAW",
varsig: varsig.ES512(varsig.PayloadEncodingVerbatim),
dataBytes: []byte{52, 1, 236, 1, 130, 36, 19, 95},
},
{
name: "ES256K+RAW",
varsig: varsig.ES256K(varsig.PayloadEncodingVerbatim),
dataBytes: []byte{52, 1, 236, 1, 231, 1, 18, 95},
},
{
name: "EIP191+RAW",
varsig: must(varsig.EIP191(varsig.PayloadEncodingEIP191Raw)),
dataBytes: []byte{52, 1, 236, 1, 231, 1, 27, 145, 195, 3, 95},
},
{
name: "EIP191+DAG-CBOR",
varsig: must(varsig.EIP191(varsig.PayloadEncodingEIP191Cbor)),
dataBytes: []byte{52, 1, 236, 1, 231, 1, 27, 145, 195, 3, 113},
},
} {
t.Run(tc.name, func(t *testing.T) {
// round-trip encode and back
data := tc.varsig.Encode()
if tc.dataBytes != nil {
require.Equal(t, tc.dataBytes, data)
}
if tc.dataHex != "" {
require.Equal(t, tc.dataHex, hex.EncodeToString(data))
}
rt, err := varsig.Decode(data)
require.NoError(t, err)
require.Equal(t, tc.varsig.Version(), rt.Version())
require.Equal(t, tc.varsig.Discriminator(), rt.Discriminator())
require.Equal(t, tc.varsig.PayloadEncoding(), rt.PayloadEncoding())
switch vs := tc.varsig.(type) {
case varsig.EdDSAVarsig:
rt := rt.(varsig.EdDSAVarsig)
require.Equal(t, vs.Curve(), rt.Curve())
require.Equal(t, vs.Hash(), rt.Hash())
case varsig.ECDSAVarsig:
rt := rt.(varsig.ECDSAVarsig)
require.Equal(t, vs.Curve(), rt.Curve())
require.Equal(t, vs.Hash(), rt.Hash())
case varsig.RSAVarsig:
rt := rt.(varsig.RSAVarsig)
require.Equal(t, vs.Hash(), rt.Hash())
require.Equal(t, vs.KeyLength(), rt.KeyLength())
default:
t.Fatalf("unexpected varsig type: %T", vs)
}
})
}
}
func TestEd448(t *testing.T) {
t.Parallel()
in := mustVarsig[varsig.EdDSAVarsig](t)(varsig.Ed448(varsig.PayloadEncodingDAGCBOR))
out := roundTrip(t, in, "3401ed0183241971")
assertEdDSAEqual(t, in, out)
}
func TestRS256(t *testing.T) {
t.Parallel()
in := mustVarsig[varsig.RSAVarsig](t)(varsig.RS256(0x100, varsig.PayloadEncodingDAGCBOR))
out := roundTrip(t, in, "3401852412800271")
assertRSAEqual(t, in, out)
}
func TestRS384(t *testing.T) {
t.Parallel()
in := mustVarsig[varsig.RSAVarsig](t)(varsig.RS384(0x100, varsig.PayloadEncodingDAGCBOR))
out := roundTrip(t, in, "3401852420800271")
assertRSAEqual(t, in, out)
}
func TestRS512(t *testing.T) {
t.Parallel()
in := mustVarsig[varsig.RSAVarsig](t)(varsig.RS512(0x100, varsig.PayloadEncodingDAGCBOR))
out := roundTrip(t, in, "3401852413800271")
assertRSAEqual(t, in, out)
}
func assertEdDSAEqual(t *testing.T, in, out *varsig.EdDSAVarsig) {
t.Helper()
assert.Equal(t, in.Curve(), out.Curve())
assert.Equal(t, in.HashAlgorithm(), out.HashAlgorithm())
}
func assertRSAEqual(t *testing.T, in, out *varsig.RSAVarsig) {
t.Helper()
assert.Equal(t, in.HashAlgorithm(), out.HashAlgorithm())
assert.Equal(t, in.KeyLength(), out.KeyLength())
func must[T any](v T, err error) T {
if err != nil {
panic(err)
}
return v
}

214
constant.go
View File

@@ -1,126 +1,182 @@
package varsig
import (
"bytes"
"encoding/binary"
"fmt"
"github.com/multiformats/go-multicodec"
)
// Prefix is the multicodec.Code for the varsig's varuint prefix byte.
const Prefix = uint64(multicodec.Varsig)
// Prefix is the value for the varsig's varuint prefix byte.
const Prefix = uint64(0x34)
// HashAlgorithm is the multicodec.Code that specifies the hash algorithm
// that's used to reduced the signed content
type HashAlgorithm uint64
// Hash is the value that specifies the hash algorithm
// that's used to reduce the signed content
type Hash uint64
// Constant multicodec.Code values that allow Varsig implementations to
// specify how the payload content is hashed before the signature is
// generated.
// Constant values that allow Varsig implementations to specify how
// the payload content is hashed before the signature is generated.
const (
HashAlgorithmUnspecified HashAlgorithm = 0x00
HashAlgorithmSHA256 = HashAlgorithm(multicodec.Sha2_256)
HashAlgorithmSHA384 = HashAlgorithm(multicodec.Sha2_384)
HashAlgorithmSHA512 = HashAlgorithm(multicodec.Sha2_512)
HashAlgorithmShake256 = HashAlgorithm(multicodec.Shake256)
HashUnspecified Hash = 0x00
HashSha2_224 = Hash(0x1013)
HashSha2_256 = Hash(0x12)
HashSha2_384 = Hash(0x20)
HashSha2_512 = Hash(0x13)
HashSha3_224 = Hash(0x17)
HashSha3_256 = Hash(0x16)
HashSha3_384 = Hash(0x15)
HashSha3_512 = Hash(0x14)
HashSha512_224 = Hash(0x1014)
HashSha512_256 = Hash(0x1015)
HashBlake2s_256 = Hash(0xb260)
HashBlake2b_256 = Hash(0xb220)
HashBlake2b_384 = Hash(0xb230)
HashBlake2b_512 = Hash(0xb240)
HashShake_256 = Hash(0x19)
HashKeccak_256 = Hash(0x1b)
HashKeccak_512 = Hash(0x1d)
// You should likely not use those:
HashRipemd_160 = Hash(0x1053)
HashMd4 = Hash(0xd4)
HashMd5 = Hash(0xd5)
HashSha1 = Hash(0x11)
)
// DecodeHashAlgorithm reads and validates the expected hash algorithm
// (for varsig types include a variable hash algorithm.)
func DecodeHashAlgorithm(r *bytes.Reader) (HashAlgorithm, error) {
func DecodeHashAlgorithm(r BytesReader) (Hash, error) {
u, err := binary.ReadUvarint(r)
if err != nil {
return HashAlgorithmUnspecified, fmt.Errorf("%w: %w", ErrUnknownHashAlgorithm, err)
return HashUnspecified, fmt.Errorf("%w: %w", ErrUnknownHash, err)
}
h := HashAlgorithm(u)
h := Hash(u)
if _, ok := map[HashAlgorithm]struct{}{
HashAlgorithmUnspecified: {},
HashAlgorithmSHA256: {},
HashAlgorithmSHA384: {},
HashAlgorithmSHA512: {},
HashAlgorithmShake256: {},
}[h]; !ok {
return HashAlgorithmUnspecified, fmt.Errorf("%w: %x", ErrUnknownHashAlgorithm, h)
switch h {
case HashSha2_224,
HashSha2_256,
HashSha2_384,
HashSha2_512,
HashSha3_224,
HashSha3_256,
HashSha3_384,
HashSha3_512,
HashSha512_224,
HashSha512_256,
HashBlake2s_256,
HashBlake2b_256,
HashBlake2b_384,
HashBlake2b_512,
HashShake_256,
HashKeccak_256,
HashKeccak_512,
HashRipemd_160,
HashMd4,
HashMd5,
HashSha1:
return h, nil
default:
return HashUnspecified, fmt.Errorf("%w: %x", ErrUnknownHash, h)
}
return h, nil
}
// PayloadEncoding specifies the encoding of the data being (hashed and)
// signed. A canonical representation of the data is required to produce
// consistent hashes and signatures.
type PayloadEncoding uint64
type PayloadEncoding int
// Constant multicodec.Code values that allow Varsig implementations to
// specify how the payload content is encoded before being hashed. In
// varsig >= v1, only canonical encoding is allowed.
// Constant values that allow Varsig implementations to specify how the
// payload content is encoded before being hashed.
const (
PayloadEncodingUnspecified PayloadEncoding = 0x00
PayloadEncodingVerbatim PayloadEncoding = 0x5f
PayloadEncodingDAGPB = PayloadEncoding(multicodec.DagPb)
PayloadEncodingDAGCBOR = PayloadEncoding(multicodec.DagCbor)
PayloadEncodingDAGJSON = PayloadEncoding(multicodec.DagJson)
PayloadEncodingEIP191 = PayloadEncoding(multicodec.Eip191)
PayloadEncodingJWT PayloadEncoding = 0x6a77
PayloadEncodingUnspecified = PayloadEncoding(iota)
PayloadEncodingVerbatim
PayloadEncodingDAGPB
PayloadEncodingDAGCBOR
PayloadEncodingDAGJSON
PayloadEncodingEIP191Raw
PayloadEncodingEIP191Cbor
PayloadEncodingJWT
)
const (
encodingSegmentVerbatim = uint64(0x5f)
encodingSegmentDAGPB = uint64(0x70)
encodingSegmentDAGCBOR = uint64(0x71)
encodingSegmentDAGJSON = uint64(0x0129)
encodingSegmentEIP191 = uint64(0xe191)
encodingSegmentJWT = uint64(0x6a77)
)
// DecodePayloadEncoding reads and validates the expected canonical payload
// encoding of the data to be signed.
func DecodePayloadEncoding(r *bytes.Reader, vers Version) (PayloadEncoding, error) {
u, err := binary.ReadUvarint(r)
func DecodePayloadEncoding(r BytesReader) (PayloadEncoding, error) {
seg1, err := binary.ReadUvarint(r)
if err != nil {
return PayloadEncodingUnspecified, fmt.Errorf("%w: %w", ErrUnsupportedPayloadEncoding, err)
}
payEnc := PayloadEncoding(u)
switch vers {
case Version0:
return decodeEncodingInfoV0(payEnc)
case Version1:
return decodeEncodingInfoV1(payEnc)
switch seg1 {
case encodingSegmentVerbatim:
return PayloadEncodingVerbatim, nil
case encodingSegmentDAGCBOR:
return PayloadEncodingDAGCBOR, nil
case encodingSegmentDAGJSON:
return PayloadEncodingDAGJSON, nil
case encodingSegmentEIP191:
seg2, err := binary.ReadUvarint(r)
if err != nil {
return PayloadEncodingUnspecified, fmt.Errorf("%w: incomplete EIP191 encoding: %w", ErrUnsupportedPayloadEncoding, err)
}
switch seg2 {
case encodingSegmentVerbatim:
return PayloadEncodingEIP191Raw, nil
case encodingSegmentDAGCBOR:
return PayloadEncodingEIP191Cbor, nil
default:
return PayloadEncodingUnspecified, fmt.Errorf("%w: encoding=%x+%x", ErrUnsupportedPayloadEncoding, seg1, seg2)
}
default:
return 0, ErrUnsupportedVersion
return PayloadEncodingUnspecified, fmt.Errorf("%w: encoding=%x", ErrUnsupportedPayloadEncoding, seg1)
}
}
// https://github.com/ChainAgnostic/varsig#4-payload-encoding
func decodeEncodingInfoV0(payEnc PayloadEncoding) (PayloadEncoding, error) {
if _, ok := map[PayloadEncoding]struct{}{
PayloadEncodingVerbatim: {},
PayloadEncodingDAGPB: {},
PayloadEncodingDAGCBOR: {},
PayloadEncodingDAGJSON: {},
PayloadEncodingJWT: {},
PayloadEncodingEIP191: {},
}[payEnc]; !ok {
return PayloadEncodingUnspecified, fmt.Errorf("%w: version=%d, encoding=%x", ErrUnsupportedPayloadEncoding, Version0, payEnc)
// EncodePayloadEncoding returns the PayloadEncoding as serialized bytes.
// If enc is not a valid PayloadEncoding, this function will panic.
func EncodePayloadEncoding(enc PayloadEncoding) []byte {
res := make([]byte, 0, 8)
switch enc {
case PayloadEncodingVerbatim:
res = binary.AppendUvarint(res, encodingSegmentVerbatim)
case PayloadEncodingDAGPB:
res = binary.AppendUvarint(res, encodingSegmentDAGPB)
case PayloadEncodingDAGCBOR:
res = binary.AppendUvarint(res, encodingSegmentDAGCBOR)
case PayloadEncodingDAGJSON:
res = binary.AppendUvarint(res, encodingSegmentDAGJSON)
case PayloadEncodingEIP191Raw:
res = binary.AppendUvarint(res, encodingSegmentEIP191)
res = binary.AppendUvarint(res, encodingSegmentVerbatim)
case PayloadEncodingEIP191Cbor:
res = binary.AppendUvarint(res, encodingSegmentEIP191)
res = binary.AppendUvarint(res, encodingSegmentDAGCBOR)
case PayloadEncodingJWT:
res = binary.AppendUvarint(res, encodingSegmentJWT)
default:
panic(fmt.Sprintf("invalid encoding: %v", enc))
}
return payEnc, nil
return res
}
// https://github.com/expede/varsig/blob/main/README.md#payload-encoding
func decodeEncodingInfoV1(payEnc PayloadEncoding) (PayloadEncoding, error) {
if _, ok := map[PayloadEncoding]struct{}{
PayloadEncodingVerbatim: {},
PayloadEncodingDAGCBOR: {},
PayloadEncodingDAGJSON: {},
PayloadEncodingEIP191: {},
}[payEnc]; !ok {
return PayloadEncodingUnspecified, fmt.Errorf("%w: version=%d, encoding=%x", ErrUnsupportedPayloadEncoding, Version1, payEnc)
}
return payEnc, nil
}
// Discriminator is (usually) the multicodec.Code representing the public
// key type of the algorithm used to create the signature.
// Discriminator is (usually) the value representing the public key type of
// the algorithm used to create the signature.
//
// There is not set list of constants here, nor is there a decode function
// There is no set list of constants here, nor is there a decode function
// as the author of an implementation should include the constant with the
// implementation, and the decoding is handled by the Handler, which uses
// the Discriminator to choose the correct implementation. Also note that

56
constant_test.go
View File

@@ -18,45 +18,45 @@ func TestDecodeHashAlgorithm(t *testing.T) {
hashAlg, err := varsig.DecodeHashAlgorithm(bytes.NewReader([]byte{0x12}))
require.NoError(t, err)
require.Equal(t, varsig.HashAlgorithmSHA256, hashAlg)
require.Equal(t, varsig.HashSha2_256, hashAlg)
})
t.Run("fails - truncated varsig (no bytes)", func(t *testing.T) {
t.Parallel()
hashAlg, err := varsig.DecodeHashAlgorithm(bytes.NewReader([]byte{}))
require.ErrorIs(t, err, varsig.ErrUnknownHashAlgorithm)
require.ErrorIs(t, err, varsig.ErrUnknownHash)
require.ErrorIs(t, err, io.EOF)
require.Equal(t, varsig.HashAlgorithmUnspecified, hashAlg)
require.Equal(t, varsig.HashUnspecified, hashAlg)
})
t.Run("fails - unknown hash algorithm", func(t *testing.T) {
t.Parallel()
hashAlg, err := varsig.DecodeHashAlgorithm(bytes.NewReader([]byte{0x42}))
require.ErrorIs(t, err, varsig.ErrUnknownHashAlgorithm)
require.Equal(t, varsig.HashAlgorithmUnspecified, hashAlg)
require.ErrorIs(t, err, varsig.ErrUnknownHash)
require.Equal(t, varsig.HashUnspecified, hashAlg)
})
}
func BenchmarkDecodeHashAlgorithm(b *testing.B) {
b.ReportAllocs()
data := []byte{0x12}
for i := 0; i < b.N; i++ {
_, _ = varsig.DecodeHashAlgorithm(bytes.NewReader(data))
}
}
func TestDecodePayloadEncoding(t *testing.T) {
t.Parallel()
t.Run("passes", func(t *testing.T) {
t.Parallel()
t.Run("v0", func(t *testing.T) {
t.Parallel()
payEnc, err := varsig.DecodePayloadEncoding(bytes.NewReader([]byte{0x5f}), varsig.Version1)
require.NoError(t, err)
require.Equal(t, varsig.PayloadEncodingVerbatim, payEnc)
})
t.Run("v1", func(t *testing.T) {
t.Parallel()
payEnc, err := varsig.DecodePayloadEncoding(bytes.NewReader([]byte{0x5f}), varsig.Version1)
payEnc, err := varsig.DecodePayloadEncoding(bytes.NewReader([]byte{0x5f}))
require.NoError(t, err)
require.Equal(t, varsig.PayloadEncodingVerbatim, payEnc)
})
@@ -68,27 +68,13 @@ func TestDecodePayloadEncoding(t *testing.T) {
tests := []struct {
name string
data []byte
vers varsig.Version
err error
}{
{
name: "unsupported encoding - v0",
data: []byte{0x42}, // random
vers: varsig.Version0,
err: varsig.ErrUnsupportedPayloadEncoding,
},
{
name: "unsupported encoding - v1",
name: "unsupported encoding",
data: []byte{0x6a, 0x77}, // JWT
vers: varsig.Version1,
err: varsig.ErrUnsupportedPayloadEncoding,
},
{
name: "unsupported version",
data: []byte{0x5f}, // Verbatim
vers: 99, // random
err: varsig.ErrUnsupportedVersion,
},
}
for _, tt := range tests {
@@ -97,11 +83,17 @@ func TestDecodePayloadEncoding(t *testing.T) {
t.Parallel()
r := bytes.NewReader(tt.data)
_, err := varsig.DecodePayloadEncoding(r, tt.vers)
_, err := varsig.DecodePayloadEncoding(r)
require.ErrorIs(t, err, tt.err)
// t.Log(err)
// t.Fail()
})
}
})
}
func BenchmarkDecodePayloadEncoding(b *testing.B) {
b.ReportAllocs()
data := []byte{0x5f}
for i := 0; i < b.N; i++ {
_, _ = varsig.DecodePayloadEncoding(bytes.NewReader(data))
}
}

104
ecdsa.go
View File

@@ -1,9 +1,101 @@
package varsig
// Stub
const (
DiscriminatorECDSASecp256k1 Discriminator = 0xe7
DiscriminatorECDSAP256 Discriminator = 0x1200
DiscriminatorECDSAP384 Discriminator = 0x1201
DiscriminatorECDSAP521 Discriminator = 0x1202
import (
"encoding/binary"
"fmt"
)
// DiscriminatorECDSA is the value specifying an ECDSA signature.
const DiscriminatorECDSA = Discriminator(0xec)
// ECDSACurve are values that specify which ECDSA curve is used when
// generating the signature.
type ECDSACurve uint64
// Constants describing the values for each specific ECDSA curve that can
// be encoded into a Varsig.
const (
CurveSecp256k1 = ECDSACurve(0xe7)
CurveP256 = ECDSACurve(0x1200)
CurveP384 = ECDSACurve(0x1201)
CurveP521 = ECDSACurve(0x1202)
)
func decodeECDSACurve(r BytesReader) (ECDSACurve, error) {
u, err := binary.ReadUvarint(r)
if err != nil {
return 0, err
}
switch curve := ECDSACurve(u); curve {
case CurveSecp256k1, CurveP256, CurveP384, CurveP521:
return curve, nil
default:
return 0, fmt.Errorf("%w: %x", ErrUnknownECDSACurve, u)
}
}
var _ Varsig = ECDSAVarsig{}
// ECDSAVarsig is a varsig that encodes the parameters required to describe
// an ECDSA signature.
type ECDSAVarsig struct {
varsig
curve ECDSACurve
hashAlg Hash
}
// NewECDSAVarsig creates and validates an ECDSA varsig with the provided
// curve, hash algorithm and payload encoding.
func NewECDSAVarsig(curve ECDSACurve, hashAlgorithm Hash, payloadEncoding PayloadEncoding) ECDSAVarsig {
return ECDSAVarsig{
varsig: varsig{
disc: DiscriminatorECDSA,
payEnc: payloadEncoding,
},
curve: curve,
hashAlg: hashAlgorithm,
}
}
// Curve returns the elliptic curve used to generate the ECDSA signature.
func (v ECDSAVarsig) Curve() ECDSACurve {
return v.curve
}
// Hash returns the value describing the hash algorithm used to hash
// the payload content before the signature is generated.
func (v ECDSAVarsig) Hash() Hash {
return v.hashAlg
}
// Encode returns the encoded byte format of the ECDSAVarsig.
func (v ECDSAVarsig) Encode() []byte {
buf := v.encode()
buf = binary.AppendUvarint(buf, uint64(v.curve))
buf = binary.AppendUvarint(buf, uint64(v.hashAlg))
buf = append(buf, EncodePayloadEncoding(v.payEnc)...)
return buf
}
func decodeECDSA(r BytesReader) (Varsig, error) {
curve, err := decodeECDSACurve(r)
if err != nil {
return nil, err
}
hashAlg, err := DecodeHashAlgorithm(r)
if err != nil {
return nil, err
}
payEnc, err := DecodePayloadEncoding(r)
if err != nil {
return nil, err
}
return NewECDSAVarsig(curve, hashAlg, payEnc), nil
}

121
eddsa.go
View File

@@ -1,81 +1,70 @@
package varsig
import (
"bytes"
"crypto/ed25519"
"encoding/binary"
"github.com/multiformats/go-multicodec"
"fmt"
)
// Constants containing multicodec.Code values that specify EdDSA signatures.
const (
DiscriminatorEdDSA = Discriminator(multicodec.Ed25519Pub)
DiscriminatorEd25519 = Discriminator(multicodec.Ed25519Pub)
DiscriminatorEd448 = Discriminator(multicodec.Ed448Pub)
)
// DiscriminatorEdDSA is the value specifying an EdDSA signature.
const DiscriminatorEdDSA = Discriminator(0xed)
// EdDSACurve are multicodec.Code values that specify which Edwards curve
// is used when generating the signature.
// EdDSACurve are values that specify which Edwards curve is used when
// generating the signature.
type EdDSACurve uint64
// Constants describing the multicodec.Code for each specific Edwards
// curve that can be encoded into a Varsig.
// Constants describing the values for each specific Edwards curve that can
// be encoded into a Varsig.
const (
CurveEd25519 = EdDSACurve(multicodec.Ed25519Pub)
CurveEd448 = EdDSACurve(multicodec.Ed448Pub)
CurveEd25519 = EdDSACurve(0xed)
CurveEd448 = EdDSACurve(0x1203)
)
var _ Varsig = (*EdDSAVarsig)(nil)
func decodeEdDSACurve(r BytesReader) (EdDSACurve, error) {
u, err := binary.ReadUvarint(r)
if err != nil {
return 0, err
}
switch curve := EdDSACurve(u); curve {
case CurveEd25519, CurveEd448:
return curve, nil
default:
return 0, fmt.Errorf("%w: %x", ErrUnknownEdDSACurve, u)
}
}
var _ Varsig = EdDSAVarsig{}
// EdDSAVarsig is a varsig that encodes the parameters required to describe
// an EdDSA signature.
type EdDSAVarsig struct {
varsig[EdDSAVarsig]
varsig
curve EdDSACurve
hashAlg HashAlgorithm
hashAlg Hash
}
// NewEdDSAVarsig creates and validates an EdDSA varsig with the provided
// curve, hash algorithm and payload encoding.
func NewEdDSAVarsig(curve EdDSACurve, hashAlgorithm HashAlgorithm, payloadEncoding PayloadEncoding, opts ...Option) (*EdDSAVarsig, error) {
options := newOptions(opts...)
var (
vers = Version1
disc = DiscriminatorEdDSA
sig = []byte{}
)
if options.ForceVersion0() {
vers = Version0
disc = Discriminator(curve)
sig = options.Signature()
}
v := &EdDSAVarsig{
varsig: varsig[EdDSAVarsig]{
vers: vers,
disc: disc,
func NewEdDSAVarsig(curve EdDSACurve, hashAlgorithm Hash, payloadEncoding PayloadEncoding) EdDSAVarsig {
return EdDSAVarsig{
varsig: varsig{
disc: DiscriminatorEdDSA,
payEnc: payloadEncoding,
sig: sig,
},
curve: curve,
hashAlg: hashAlgorithm,
}
return v.validateSig(v, ed25519.PrivateKeySize)
}
// Curve returns the Edwards curve used to generate the EdDSA signature.
func (v *EdDSAVarsig) Curve() EdDSACurve {
func (v EdDSAVarsig) Curve() EdDSACurve {
return v.curve
}
// HashAlgorithm returns the multicodec.Code describing the hash algorithm
// used to hash the payload content before the signature is generated.
func (v *EdDSAVarsig) HashAlgorithm() HashAlgorithm {
// Hash returns the value describing the hash algorithm used to hash
// the payload content before the signature is generated.
func (v EdDSAVarsig) Hash() Hash {
return v.hashAlg
}
@@ -83,42 +72,28 @@ func (v *EdDSAVarsig) HashAlgorithm() HashAlgorithm {
func (v EdDSAVarsig) Encode() []byte {
buf := v.encode()
if v.vers != Version0 {
buf = binary.AppendUvarint(buf, uint64(v.curve))
}
buf = binary.AppendUvarint(buf, uint64(v.curve))
buf = binary.AppendUvarint(buf, uint64(v.hashAlg))
buf = binary.AppendUvarint(buf, uint64(v.payEnc))
buf = append(buf, v.Signature()...)
buf = append(buf, EncodePayloadEncoding(v.payEnc)...)
return buf
}
func decodeEd25519(r *bytes.Reader, vers Version, disc Discriminator) (Varsig, error) {
curve := uint64(disc)
if vers != Version0 {
u, err := binary.ReadUvarint(r)
if err != nil {
return nil, err // TODO: wrap error?
}
curve = u
}
hashAlg, err := binary.ReadUvarint(r)
func decodeEdDSA(r BytesReader) (Varsig, error) {
curve, err := decodeEdDSACurve(r)
if err != nil {
return nil, err // TODO: wrap error?
return nil, err
}
v := &EdDSAVarsig{
varsig: varsig[EdDSAVarsig]{
vers: vers,
disc: disc,
},
curve: EdDSACurve(curve),
hashAlg: HashAlgorithm(hashAlg),
hashAlg, err := DecodeHashAlgorithm(r)
if err != nil {
return nil, err
}
return v.decodePayEncAndSig(r, v, ed25519.PrivateKeySize)
payEnc, err := DecodePayloadEncoding(r)
if err != nil {
return nil, err
}
return NewEdDSAVarsig(curve, hashAlg, payEnc), nil
}

64
eddsa_test.go
View File

@@ -1,7 +1,7 @@
package varsig_test
import (
"encoding/hex"
"encoding/base64"
"testing"
"github.com/stretchr/testify/assert"
@@ -10,49 +10,41 @@ import (
"github.com/ucan-wg/go-varsig"
)
func TestDecodeEd25519(t *testing.T) {
func TestUCANExampleV1(t *testing.T) {
t.Parallel()
t.Run("passes - section 3 example - v0", func(t *testing.T) {
// Original: 34ed01 1371ae3784f03f9ee1163382fa6efa73b0c31ecf58c899c836709303ba4621d1e6df20e09aaa568914290b7ea124f5b38e70b9b69c7de0d216880eac885edd41c302
// Corrected: 34ed011371ae3784f03f9ee1163382fa6efa73b0c31ecf58c899c836709303ba4621d1e6df20e09aaa568914290b7ea124f5b38e70b9b69c7de0d216880eac885edd41c302")
// This test is the value shown in the UCAN v1.0.0 example, which is
// an EdDSA varsig = v1 with the Ed25519 curve, SHA2_256 hashing and
// DAG-CBOR content encoding.
example, err := base64.RawStdEncoding.DecodeString("NAHtAe0BE3E")
require.NoError(t, err)
hdr, err := hex.DecodeString("34ed011371")
t.Run("Decode", func(t *testing.T) {
t.Parallel()
v, err := varsig.Decode(example)
require.NoError(t, err)
sig, err := hex.DecodeString("ae3784f03f9ee1163382fa6efa73b0c31ecf58c899c836709303ba4621d1e6df20e09aaa568914290b7ea124f5b38e70b9b69c7de0d216880eac885edd41c302")
require.NoError(t, err)
require.Len(t, sig, 64)
ed25519V, ok := v.(varsig.EdDSAVarsig)
require.True(t, ok)
t.Run("Decode", func(t *testing.T) {
t.Parallel()
assert.Equal(t, varsig.Version1, ed25519V.Version())
assert.Equal(t, varsig.DiscriminatorEdDSA, ed25519V.Discriminator())
assert.Equal(t, varsig.CurveEd25519, ed25519V.Curve())
assert.Equal(t, varsig.HashSha2_512, ed25519V.Hash())
assert.Equal(t, varsig.PayloadEncodingDAGCBOR, ed25519V.PayloadEncoding())
})
v, err := varsig.Decode(append(hdr, sig...))
require.NoError(t, err)
require.NotNil(t, v)
assert.Equal(t, varsig.Version0, v.Version())
assert.Equal(t, varsig.DiscriminatorEd25519, v.Discriminator())
assert.Equal(t, varsig.PayloadEncodingDAGCBOR, v.PayloadEncoding())
assert.Len(t, v.Signature(), 64)
t.Run("Encode", func(t *testing.T) {
t.Parallel()
impl, ok := v.(*varsig.EdDSAVarsig)
require.True(t, ok)
assert.Equal(t, varsig.CurveEd25519, impl.Curve())
assert.Equal(t, varsig.HashAlgorithmSHA512, impl.HashAlgorithm())
})
edDSAVarsig := varsig.NewEdDSAVarsig(
varsig.CurveEd25519,
varsig.HashSha2_512,
varsig.PayloadEncodingDAGCBOR,
)
t.Run("Encode", func(t *testing.T) {
t.Parallel()
v, err := varsig.NewEdDSAVarsig(
varsig.CurveEd25519,
varsig.HashAlgorithmSHA512,
varsig.PayloadEncodingDAGCBOR,
varsig.WithForceVersion0(sig),
)
require.NoError(t, err)
require.NotNil(t, v)
assert.Equal(t, append(hdr, sig...), v.Encode())
})
assert.Equal(t, example, edDSAVarsig.Encode())
t.Log(base64.RawStdEncoding.EncodeToString(edDSAVarsig.Encode()))
})
}

30
error.go
View File

@@ -2,42 +2,36 @@ package varsig
import "errors"
// ErrMissingSignature is returned when a varsig v0 is parsed and does
// not contain the expected signature bytes. This is expected in some
// intermediate cases, such as the UCAN v1 specification.
var ErrMissingSignature = errors.New("missing signature expected in varsig v0")
// ErrNotYetImplemented is returned when a function is currently under
// construction. For released versions of this library, this error should
// never occur.
var ErrNotYetImplemented = errors.New("not yet implemented")
// ErrUnexpectedSignaturePresent is returned when a signature is present
// in a varsig >= v1.
var ErrUnexpectedSignaturePresent = errors.New("unexpected signature present in varsig >= v1")
// ErrUnexpectedSignatureSize is returned when the length of the decoded
// signature doesn't match the expected signature length as defined by the
// signing algorithm or sent via a Varsig field.
var ErrUnexpectedSignatureSize = errors.New("unexpected signature size in varsig v0")
// ErrUnknownHashAlgoritm is returned when an unexpected value is provided
// ErrUnknownHash is returned when an unexpected value is provided
// while decoding the hashing algorithm.
var ErrUnknownHashAlgorithm = errors.New("unknown hash algorithm")
var ErrUnknownHash = errors.New("unknown hash algorithm")
// ErrUnsupportedPayloadEncoding is returned when an unexpected value is
// provided while decoding the payload encoding field. The allowed values
// for this field may vary based on the varsig version.
var ErrUnsupportedPayloadEncoding = errors.New("unsupported payload encoding")
// ErrUnknowndiscorith is returned when the Registry doesn't have a
// ErrUnknownDiscriminator is returned when the Registry doesn't have a
// parsing function for the decoded signing algorithm.
var ErrUnknownDiscriminator = errors.New("unknown signing algorithm")
// ErrUnknownEdDSACurve is returned when the decoded uvarint isn't either
// CurveEd25519 or CurveEd448.
var ErrUnknownEdDSACurve = errors.New("unknown Edwards curve")
// ErrUnknownECDSACurve is returned when the decoded uvarint isn't either
// CurveSecp256k1, CurveP256, CurveP384 or CurveP521.
var ErrUnknownECDSACurve = errors.New("unknown ECDSA curve")
// ErrUnsupportedVersion is returned when an unsupported varsig version
// field is present.
var ErrUnsupportedVersion = errors.New("unsupported version")
// ErrBadPrefix is returned when the prefix field contains a value other
// than 0x34 (encoded as a uvarint).
// than 0x34 (encoded as an uvarint).
var ErrBadPrefix = errors.New("varsig prefix not found")

9
go.mod
View File

@@ -1,11 +1,10 @@
module github.com/ucan-wg/go-varsig
go 1.24.4
go 1.23.10
require (
github.com/multiformats/go-multicodec v0.9.2
github.com/stretchr/testify v1.10.0
)
toolchain go1.24.4
require github.com/stretchr/testify v1.10.0
require (
github.com/davecgh/go-spew v1.1.1 // indirect

2
go.sum
View File

@@ -6,8 +6,6 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/renameio v0.1.0 h1:GOZbcHa3HfsPKPlmyPyN2KEohoMXOhdMbHrvbpl2QaA=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/multiformats/go-multicodec v0.9.2 h1:YrlXCuqxjqm3bXl+vBq5LKz5pz4mvAsugdqy78k0pXQ=
github.com/multiformats/go-multicodec v0.9.2/go.mod h1:LLWNMtyV5ithSBUo3vFIMaeDy+h3EbkMTek1m+Fybbo=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=

45
option.go
View File

@@ -1,45 +0,0 @@
package varsig
// Options define customization when creating a new Varsig.
type Options struct {
forceVersion0 bool
signature []byte
}
func newOptions(opts ...Option) *Options {
o := &Options{}
for _, opt := range opts {
opt(o)
}
return o
}
// ForceVersion0 returns a boolean indicating that a Varsig < v1 should
// be created (which means the encoded Varsig won't have a version field
// and might contain the signature bytes as the last field.)
func (o *Options) ForceVersion0() bool {
return o.forceVersion0
}
// Signature returns the optional signature bytes when creating a Varsig
// < v1.
func (o *Options) Signature() []byte {
return o.signature
}
// Option is a function that alters the default behavior of constructors
// that produce implementations of the Varsig type.
type Option func(*Options)
// WithForceVersion0 indicates that a Varsig < v1 should be produced. If
// the signature is a) not nil, b) not empty and c) the correct length
// based on the signing algorithm or signing key, the signature's bytes
// will be appended to the encoded Varsig.
func WithForceVersion0(signature []byte) Option {
return func(o *Options) {
o.forceVersion0 = true
o.signature = signature
}
}

31
registry.go
View File

@@ -6,11 +6,11 @@ import (
"fmt"
)
// Version represents which version of the vasig specification was used
// Version represents which version of the varsig specification was used
// to produce Varsig value.
type Version uint64
// Constancts for the existing varsig specifications
// Constants for the existing varsig specifications
const (
Version0 Version = 0
Version1 Version = 1
@@ -18,9 +18,9 @@ const (
// DecodeFunc is a function that parses the varsig representing a specific
// signing algorithm.
type DecodeFunc func(*bytes.Reader, Version, Discriminator) (Varsig, error)
type DecodeFunc func(BytesReader) (Varsig, error)
// Registry contains a mapping between known signing algorithms, and
// Registry contains a mapping between known signing algorithms and
// functions that can parse varsigs for that signing algorithm.
type Registry map[Discriminator]DecodeFunc
@@ -28,12 +28,9 @@ type Registry map[Discriminator]DecodeFunc
// signing algorithms which have an implementation within this library.
func DefaultRegistry() Registry {
return map[Discriminator]DecodeFunc{
DiscriminatorRSA: decodeRSA,
DiscriminatorEdDSA: decodeEd25519,
DiscriminatorEd448: decodeEd25519,
DiscriminatorECDSAP256: notYetImplementedVarsigDecoder,
DiscriminatorECDSASecp256k1: notYetImplementedVarsigDecoder,
DiscriminatorECDSAP521: notYetImplementedVarsigDecoder,
DiscriminatorRSA: decodeRSA,
DiscriminatorEdDSA: decodeEdDSA,
DiscriminatorECDSA: decodeECDSA,
}
}
@@ -56,7 +53,7 @@ func (rs Registry) Decode(data []byte) (Varsig, error) {
// DecodeStream converts data read from the provided io.Reader into one
// of the registered Varsig types.
func (rs Registry) DecodeStream(r *bytes.Reader) (Varsig, error) {
func (rs Registry) DecodeStream(r BytesReader) (Varsig, error) {
pre, err := binary.ReadUvarint(r)
if err != nil {
return nil, fmt.Errorf("%w: %w", ErrBadPrefix, err)
@@ -71,15 +68,19 @@ func (rs Registry) DecodeStream(r *bytes.Reader) (Varsig, error) {
return nil, err
}
if vers != Version1 {
return nil, fmt.Errorf("%w: %d", ErrUnsupportedVersion, vers)
}
decodeFunc, ok := rs[Discriminator(disc)]
if !ok {
return nil, fmt.Errorf("%w: %x", ErrUnknownDiscriminator, disc)
}
return decodeFunc(r, vers, disc)
return decodeFunc(r)
}
func (rs Registry) decodeVersAnddisc(r *bytes.Reader) (Version, Discriminator, error) {
func (rs Registry) decodeVersAnddisc(r BytesReader) (Version, Discriminator, error) {
vers, err := binary.ReadUvarint(r)
if err != nil {
return Version(vers), 0, err
@@ -97,7 +98,3 @@ func (rs Registry) decodeVersAnddisc(r *bytes.Reader) (Version, Discriminator, e
return Version(vers), Discriminator(disc), err
}
func notYetImplementedVarsigDecoder(_ *bytes.Reader, vers Version, disc Discriminator) (Varsig, error) {
return nil, fmt.Errorf("%w: Version: %d, Discriminator: %x", ErrNotYetImplemented, vers, disc)
}

57
registry_test.go
View File

@@ -12,25 +12,7 @@ import (
)
func TestRegistry_Decode(t *testing.T) {
t.Parallel()
t.Run("passes - v0", func(t *testing.T) {
t.Parallel()
data, err := hex.DecodeString("348120")
require.NoError(t, err)
reg := testRegistry(t)
vs, err := reg.DecodeStream(bytes.NewReader(data))
require.NoError(t, err)
assert.Equal(t, varsig.Version0, vs.Version())
assert.Equal(t, testDiscriminator1, vs.Discriminator())
})
t.Run("passes - v1", func(t *testing.T) {
t.Parallel()
data, err := hex.DecodeString("34018120")
require.NoError(t, err)
@@ -52,50 +34,41 @@ func testRegistry(t *testing.T) varsig.Registry {
t.Helper()
reg := varsig.NewRegistry()
reg.Register(testDiscriminator0, testDecodeFunc(t))
reg.Register(testDiscriminator1, testDecodeFunc(t))
reg.Register(testDiscriminator0, testDecodeFunc(testDiscriminator0))
reg.Register(testDiscriminator1, testDecodeFunc(testDiscriminator1))
return reg
}
func testDecodeFunc(t *testing.T) varsig.DecodeFunc {
t.Helper()
return func(r *bytes.Reader, vers varsig.Version, disc varsig.Discriminator) (varsig.Varsig, error) {
v := &testVarsig{
vers: vers,
disc: disc,
}
return v, nil
func testDecodeFunc(disc varsig.Discriminator) varsig.DecodeFunc {
return func(r varsig.BytesReader) (varsig.Varsig, error) {
return &testVarsig{disc: disc}, nil
}
}
var _ varsig.Varsig = (*testVarsig)(nil)
var _ varsig.Varsig = testVarsig{}
type testVarsig struct {
vers varsig.Version
disc varsig.Discriminator
payEnc varsig.PayloadEncoding
sig []byte
}
func (v *testVarsig) Version() varsig.Version {
return v.vers
func (v testVarsig) Version() varsig.Version {
return varsig.Version1
}
func (v *testVarsig) Discriminator() varsig.Discriminator {
func (v testVarsig) Discriminator() varsig.Discriminator {
return v.disc
}
func (v *testVarsig) PayloadEncoding() varsig.PayloadEncoding {
func (v testVarsig) Hash() varsig.Hash {
return varsig.HashUnspecified
}
func (v testVarsig) PayloadEncoding() varsig.PayloadEncoding {
return v.payEnc
}
func (v *testVarsig) Signature() []byte {
return v.sig
}
func (v *testVarsig) Encode() []byte {
func (v testVarsig) Encode() []byte {
return nil
}

70
rsa.go
View File

@@ -1,95 +1,73 @@
package varsig
import (
"bytes"
"encoding/binary"
"github.com/multiformats/go-multicodec"
)
// DiscriminatorRSA is the multicodec.Code specifying an RSA signature.
const DiscriminatorRSA = Discriminator(multicodec.RsaPub)
// DiscriminatorRSA is the value specifying an RSA signature.
const DiscriminatorRSA = Discriminator(0x1205)
var _ Varsig = (*RSAVarsig)(nil)
var _ Varsig = RSAVarsig{}
// RSAVarsig is a varsig that encodes the parameters required to describe
// an RSA signature.
type RSAVarsig struct {
varsig[RSAVarsig]
hashAlg HashAlgorithm
sigLen uint64
varsig
hashAlg Hash
keyLen uint64
}
// NewRSAVarsig creates and validates an RSA varsig with the provided
// hash algorithm, key length and payload encoding.
func NewRSAVarsig(hashAlgorithm HashAlgorithm, keyLength uint64, payloadEncoding PayloadEncoding, opts ...Option) (*RSAVarsig, error) {
options := newOptions(opts...)
var (
vers = Version1
sig = []byte{}
)
if options.ForceVersion0() {
vers = Version0
sig = options.Signature()
}
v := &RSAVarsig{
varsig: varsig[RSAVarsig]{
vers: vers,
func NewRSAVarsig(hashAlgorithm Hash, keyLen uint64, payloadEncoding PayloadEncoding) RSAVarsig {
return RSAVarsig{
varsig: varsig{
disc: DiscriminatorRSA,
payEnc: payloadEncoding,
sig: sig,
},
hashAlg: hashAlgorithm,
sigLen: keyLength,
keyLen: keyLen,
}
return v.validateSig(v, v.sigLen)
}
// Encode returns the encoded byte format of the RSAVarsig.
func (v RSAVarsig) Encode() []byte {
buf := v.encode()
buf = binary.AppendUvarint(buf, uint64(v.hashAlg))
buf = binary.AppendUvarint(buf, v.sigLen)
buf = binary.AppendUvarint(buf, uint64(v.payEnc))
buf = append(buf, v.Signature()...)
buf = binary.AppendUvarint(buf, v.keyLen)
buf = append(buf, EncodePayloadEncoding(v.payEnc)...)
return buf
}
// HashAlgorithm returns the hash algorithm used to has the payload content.
func (v *RSAVarsig) HashAlgorithm() HashAlgorithm {
// Hash returns the value describing the hash algorithm used to hash
// the payload content before the signature is generated.
func (v RSAVarsig) Hash() Hash {
return v.hashAlg
}
// KeyLength returns the length of the RSA key used to sign the payload
// content.
func (v *RSAVarsig) KeyLength() uint64 {
return v.sigLen
func (v RSAVarsig) KeyLength() uint64 {
return v.keyLen
}
func decodeRSA(r *bytes.Reader, vers Version, disc Discriminator) (Varsig, error) {
func decodeRSA(r BytesReader) (Varsig, error) {
hashAlg, err := DecodeHashAlgorithm(r)
if err != nil {
return nil, err
}
sigLen, err := binary.ReadUvarint(r)
keyLen, err := binary.ReadUvarint(r)
if err != nil {
return nil, err
}
vs := &RSAVarsig{
varsig: varsig[RSAVarsig]{
vers: vers,
disc: disc,
},
hashAlg: HashAlgorithm(hashAlg),
sigLen: sigLen,
payEnc, err := DecodePayloadEncoding(r)
if err != nil {
return nil, err
}
return vs.decodePayEncAndSig(r, vs, sigLen)
return NewRSAVarsig(hashAlg, keyLen, payEnc), nil
}

64
rsa_test.go
View File

@@ -4,7 +4,6 @@ import (
"encoding/base64"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/ucan-wg/go-varsig"
@@ -26,71 +25,26 @@ func TestRSAVarsig(t *testing.T) {
vs, err := varsig.Decode(example)
require.NoError(t, err)
rsaVs, ok := vs.(*varsig.RSAVarsig)
rsaVs, ok := vs.(varsig.RSAVarsig)
require.True(t, ok)
assert.Equal(t, varsig.Version1, rsaVs.Version())
assert.Equal(t, varsig.DiscriminatorRSA, rsaVs.Discriminator())
assert.Equal(t, varsig.HashAlgorithmSHA256, rsaVs.HashAlgorithm())
assert.Equal(t, varsig.PayloadEncodingDAGCBOR, rsaVs.PayloadEncoding())
assert.Equal(t, uint64(keyLen), rsaVs.KeyLength())
assert.Len(t, rsaVs.Signature(), 0)
require.Equal(t, varsig.Version1, rsaVs.Version())
require.Equal(t, varsig.DiscriminatorRSA, rsaVs.Discriminator())
require.Equal(t, varsig.HashSha2_256, rsaVs.Hash())
require.Equal(t, varsig.PayloadEncodingDAGCBOR, rsaVs.PayloadEncoding())
require.Equal(t, uint64(keyLen), rsaVs.KeyLength())
})
t.Run("Encode", func(t *testing.T) {
t.Parallel()
rsaVarsig, err := varsig.NewRSAVarsig(
varsig.HashAlgorithmSHA256,
rsaVarsig := varsig.NewRSAVarsig(
varsig.HashSha2_256,
keyLen,
varsig.PayloadEncodingDAGCBOR,
)
require.NoError(t, err)
assert.Equal(t, example, rsaVarsig.Encode())
require.Equal(t, example, rsaVarsig.Encode())
t.Log(base64.RawStdEncoding.EncodeToString(rsaVarsig.Encode()))
})
}
func TestUCANExample(t *testing.T) {
t.Parallel()
const keyLen = 0x100
// This test is the value shown in the UCAN v1.0.0 example, which is
// an RSA varsig < v1 encoded as RS256 with a key length of 0x100
// bytes and DAG-CBOR payload encoding.
example, err := base64.RawStdEncoding.DecodeString("NIUkEoACcQ")
require.NoError(t, err)
t.Run("Decode", func(t *testing.T) {
t.Parallel()
vs, err := varsig.Decode(example)
require.ErrorIs(t, err, varsig.ErrMissingSignature)
rsaVs, ok := vs.(*varsig.RSAVarsig)
require.True(t, ok)
assert.Equal(t, varsig.Version0, rsaVs.Version())
assert.Equal(t, varsig.DiscriminatorRSA, rsaVs.Discriminator())
assert.Equal(t, varsig.HashAlgorithmSHA256, rsaVs.HashAlgorithm())
assert.Equal(t, varsig.PayloadEncodingDAGCBOR, rsaVs.PayloadEncoding())
assert.Equal(t, uint64(keyLen), rsaVs.KeyLength())
assert.Len(t, rsaVs.Signature(), 0)
})
t.Run("Encode", func(t *testing.T) {
t.Parallel()
rsaVarsig, err := varsig.NewRSAVarsig(
varsig.HashAlgorithmSHA256,
keyLen,
varsig.PayloadEncodingDAGCBOR,
varsig.WithForceVersion0([]byte{}),
)
require.ErrorIs(t, err, varsig.ErrMissingSignature)
assert.Equal(t, example, rsaVarsig.Encode())
})
}

89
varsig.go
View File

@@ -19,7 +19,6 @@
package varsig
import (
"bytes"
"encoding/binary"
"io"
)
@@ -27,13 +26,19 @@ import (
// Varsig represents types that describe how a signature was generated
// and thus how to interpret the signature and verify the signed data.
type Varsig interface {
// accessors for fields that are common to all varsig
// Version returns the varsig's version field.
Version() Version
Discriminator() Discriminator
PayloadEncoding() PayloadEncoding
Signature() []byte
// Operations that are common to all varsig
// Discriminator returns the algorithm used to produce the corresponding signature.
Discriminator() Discriminator
// Hash returns the hash used on the data before signature.
Hash() Hash
// PayloadEncoding returns the codec that was used to encode the signed data.
PayloadEncoding() PayloadEncoding
// Encode returns the encoded byte format of the varsig.
Encode() []byte
}
@@ -45,86 +50,46 @@ func Decode(data []byte) (Varsig, error) {
// DecodeStream converts data read from the provided io.Reader into one
// of the Varsig types provided by the DefaultRegistry.
func DecodeStream(r *bytes.Reader) (Varsig, error) {
func DecodeStream(r BytesReader) (Varsig, error) {
return DefaultRegistry().DecodeStream(r)
}
type varsig[T Varsig] struct {
vers Version
type varsig struct {
disc Discriminator
payEnc PayloadEncoding
sig []byte
}
// Version returns the varsig's version field.
func (v varsig[_]) Version() Version {
return v.vers
func (v varsig) Version() Version {
return Version1
}
// Discriminator returns the algorithm used to produce corresponding
// Discriminator returns the algorithm used to produce the corresponding
// signature.
func (v varsig[_]) Discriminator() Discriminator {
func (v varsig) Discriminator() Discriminator {
return v.disc
}
// PayloadEncoding returns the codec that was used to encode the signed
// data.
func (v varsig[_]) PayloadEncoding() PayloadEncoding {
func (v varsig) PayloadEncoding() PayloadEncoding {
return v.payEnc
}
// Signature returns the cryptographic signature of the signed data. This
// value is never present in a varsig >= v1 and must either be a valid
// signature with the correct length or empty in varsig < v1.
func (v varsig[_]) Signature() []byte {
return v.sig
}
func (v *varsig[_]) encode() []byte {
var buf []byte
func (v varsig) encode() []byte {
// Pre-allocate to the maximum size to avoid re-allocating.
// I think the maximum is 10 bytes, but it's all the same for go to allocate 16 (due to the small
// size allocation class), so we might as well get some headroom for bigger varints.
buf := make([]byte, 0, 16)
buf = binary.AppendUvarint(buf, Prefix)
if v.Version() == Version1 {
buf = binary.AppendUvarint(buf, uint64(Version1))
}
buf = binary.AppendUvarint(buf, uint64(Version1))
buf = binary.AppendUvarint(buf, uint64(v.disc))
return buf
}
func (v *varsig[T]) decodePayEncAndSig(r *bytes.Reader, varsig *T, expectedLength uint64) (*T, error) {
payEnc, err := DecodePayloadEncoding(r, v.Version())
if err != nil {
return nil, err
}
v.payEnc = payEnc
signature, err := io.ReadAll(r)
if err != nil {
return nil, err
}
v.sig = signature
return v.validateSig(varsig, expectedLength)
}
func (v *varsig[T]) validateSig(varsig *T, expectedLength uint64) (*T, error) {
if v.Version() == Version0 && len(v.sig) == 0 {
return varsig, ErrMissingSignature
}
if v.Version() == Version0 && uint64(len(v.sig)) != expectedLength {
return nil, ErrUnexpectedSignatureSize
}
if v.Version() == Version1 && len(v.sig) != 0 {
return nil, ErrUnexpectedSignaturePresent
}
return varsig, nil
type BytesReader interface {
io.ByteReader
io.Reader
}

74
varsig_test.go
View File

@@ -2,7 +2,6 @@ package varsig_test
import (
"encoding/hex"
"errors"
"io"
"testing"
@@ -59,17 +58,6 @@ func TestDecode(t *testing.T) {
assert.Nil(t, vs)
})
t.Run("fails - unknown signature algorithm - v0", func(t *testing.T) {
t.Parallel()
data, err := hex.DecodeString("3464")
require.NoError(t, err)
vs, err := varsig.Decode(data)
require.ErrorIs(t, err, varsig.ErrUnknownDiscriminator)
assert.Nil(t, vs)
})
t.Run("fails - unknown signature algorithm - v1", func(t *testing.T) {
t.Parallel()
@@ -88,7 +76,6 @@ func TestDecode(t *testing.T) {
rsaHex = "8524"
sha256Hex = "12"
keyLen = "8002"
rsaBaseV0 = "34" + rsaHex + sha256Hex + keyLen
rsaBaseV1 = "3401" + rsaHex + sha256Hex + keyLen
)
@@ -124,65 +111,4 @@ func TestDecode(t *testing.T) {
require.ErrorIs(t, err, varsig.ErrUnsupportedPayloadEncoding)
assert.Nil(t, vs)
})
t.Run("fails - unexpected signature length - v0", func(t *testing.T) {
t.Parallel()
data, err := hex.DecodeString(rsaBaseV0 + "5f" + "42") // 0x42 is only a single byte - 256 bytes are expected
require.NoError(t, err)
vs, err := varsig.Decode(data)
require.ErrorIs(t, err, varsig.ErrUnexpectedSignatureSize)
assert.Nil(t, vs)
})
t.Run("fails - unexpected signature present - v1", func(t *testing.T) {
t.Parallel()
data, err := hex.DecodeString(rsaBaseV1 + "5f" + "42") // 0x42 is only a single byte - 256 bytes are expected
require.NoError(t, err)
vs, err := varsig.Decode(data)
require.ErrorIs(t, err, varsig.ErrUnexpectedSignaturePresent)
assert.Nil(t, vs)
})
t.Run("passes with error - v0", func(t *testing.T) {
t.Parallel()
data, err := hex.DecodeString(rsaBaseV0 + "5f")
require.NoError(t, err)
vs, err := varsig.Decode(data)
require.ErrorIs(t, err, varsig.ErrMissingSignature)
assert.NotNil(t, vs) // varsig is still returned with just "header"
})
}
func mustVarsig[T varsig.Varsig](t *testing.T) func(*T, error) *T {
t.Helper()
return func(v *T, err error) *T {
if err != nil && ((*v).Version() != varsig.Version0 || !errors.Is(err, varsig.ErrMissingSignature)) {
t.Error(err)
}
return v
}
}
func roundTrip[T varsig.Varsig](t *testing.T, in T, expEncHex string) T {
data := in.Encode()
assert.Equal(t, expEncHex, hex.EncodeToString(data))
out, err := varsig.Decode(in.Encode())
if err != nil && (out.Version() != varsig.Version0 || !errors.Is(err, varsig.ErrMissingSignature)) {
t.Fail()
}
assert.Equal(t, in.Version(), out.Version())
assert.Equal(t, in.Discriminator(), out.Discriminator())
assert.Equal(t, in.PayloadEncoding(), out.PayloadEncoding())
assert.Equal(t, in.Signature(), out.Signature())
return out.(T)
}