diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fcc3f189..8247684a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -136,14 +136,16 @@ jobs:
 azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
 azure-kid: ${{ secrets.AZURE_KEY_ID }}
 transmute: |
- scitt issue-statement ./tests/fixtures/message.json \
- --azure-keyvault \
+ scitt issue-statement \
+ ./tests/fixtures/message.json \
 --alg ES256 \
 --iss https://software.vendor.example \
 --sub https://software.vendor.example/product/123 \
 --content-type application/spdx+json \
 --location https://software.vendor.example/storage/456 \
 --output ./tests/fixtures/message.json.akv.cbor \
+ --azure-keyvault
+
 - name: Export Public Key
 id: akv_export
 uses: ./
@@ -154,8 +156,9 @@ jobs:
 azure-kid: ${{ secrets.AZURE_KEY_ID }}
 transmute: |
 scitt export-remote-public-key \
- --azure-keyvault \
- --output ./tests/fixtures/public.akv.key.cbor
+ --output ./tests/fixtures/public.akv.key.cbor \
+ --azure-keyvault
+
 - name: Issue Receipt
 id: akv_receipt
 uses: ./
@@ -167,18 +170,14 @@ jobs:
 transmute: |
 scitt issue-receipt \
 ./tests/fixtures/message.json.akv.cbor \
- --azure-keyvault \
 --log ./tests/fixtures/trans.json \
- --output ./tests/fixtures/message.akv.receipt.cbor
+ --output ./tests/fixtures/message.akv.receipt.cbor \
+ --azure-keyvault
 - name: Verify Receipt
 id: akv_receipt_verify
 uses: ./
 with:
- azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
- azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
- azure-kid: ${{ secrets.AZURE_KEY_ID }}
 transmute: |
 scitt verify-receipt-hash \
 ./tests/fixtures/public.akv.key.cbor \
diff --git a/scripts/graph.diagnostic.sh b/scripts/graph.diagnostic.sh
index 5b125bea..aa61ec3f 100755
--- a/scripts/graph.diagnostic.sh
+++ b/scripts/graph.diagnostic.sh
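Review bot: The Verify Receipt step now runs without the four Azure secrets, which is the right least-privilege shape because `scitt verify-receipt-hash` takes the exported public key `./tests/fixtures/public.akv.key.cbor` as a positional argument and needs no Key Vault access, but nothing in the workflow records that this was deliberate. A comment above the step, e.g. `# Verification only needs the exported public key; no Key Vault credentials are passed here`, would keep a later edit from re-adding them by copy-paste from the issue steps. The `with:` block of this step continues past the end of the hunk.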
@@ -1,4 +1,8 @@
 # Graph
-npm run -s transmute -- graph assist ./tests/fixtures/issuer-claims.json --credential-type application/vc --output ./tests/fixtures/issuer-claims.graph.json --env ./.env --push
\ No newline at end of file
+npm run -s transmute -- graph assist ./tests/fixtures/issuer-claims.json \
+--credential-type application/vc \
+--output ./tests/fixtures/issuer-claims.graph.json \
+--env ./.env \
+--push
\ No newline at end of file
diff --git a/scripts/scitt.diagnostic.sh b/scripts/scitt.diagnostic.sh
index c5e8b3e8..3c03d593 100755
--- a/scripts/scitt.diagnostic.sh
+++ b/scripts/scitt.diagnostic.sh
@@ -1,13 +1,73 @@
 # notary keys
-npm run -s transmute -- cose keygen --alg ES256 --output ./tests/fixtures/private.notary.key.cbor > ./tests/fixtures/private.notary.key.diag
-npm run -s transmute -- cose keypub ./tests/fixtures/private.notary.key.cbor --output ./tests/fixtures/public.notary.key.cbor > ./tests/fixtures/public.notary.key.diag
+npm run -s transmute -- cose keygen \
+--alg ES256 \
+--output ./tests/fixtures/private.notary.key.cbor > ./tests/fixtures/private.notary.key.diag
+npm run -s transmute -- cose keypub \
+./tests/fixtures/private.notary.key.cbor \
+--output ./tests/fixtures/public.notary.key.cbor > ./tests/fixtures/public.notary.key.diag
-# sign hash envelope
-npm run -s transmute -- scitt issue-statement ./tests/fixtures/private.notary.key.cbor ./tests/fixtures/message.json --output ./tests/fixtures/message.hash-envelope.cbor > ./tests/fixtures/message.hash-envelope.diag
-npm run -s transmute -- scitt verify-statement-hash ./tests/fixtures/public.notary.key.cbor ./tests/fixtures/message.hash-envelope.cbor 3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22 --output ./tests/fixtures/message.hash-envelope.verified.data > ./tests/fixtures/message.hash-envelope.diag
+
+# sign statement
+npm run -s transmute -- scitt issue-statement \
+./tests/fixtures/private.notary.key.cbor \
+./tests/fixtures/message.json \
+--output ./tests/fixtures/message.hash-envelope.cbor > ./tests/fixtures/message.hash-envelope.diag
+
+# verify statement
+npm run -s transmute -- scitt verify-statement-hash \
+./tests/fixtures/public.notary.key.cbor \
+./tests/fixtures/message.hash-envelope.cbor \
+3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22 \
+--output ./tests/fixtures/message.hash-envelope.verified.data > ./tests/fixtures/message.hash-envelope.diag
 # sign receipt
-npm run -s transmute -- scitt issue-receipt ./tests/fixtures/private.notary.key.cbor ./tests/fixtures/message.hash-envelope.cbor --log ./tests/fixtures/trans.json --output ./tests/fixtures/message.hash-envelope-with-receipt.cbor > ./tests/fixtures/message.hash-envelope-with-receipt.diag
-npm run -s transmute -- scitt verify-receipt-hash ./tests/fixtures/public.notary.key.cbor ./tests/fixtures/message.hash-envelope-with-receipt.cbor 3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22 > ./tests/fixtures/message.hash-envelope-with-receipt.diag
\ No newline at end of file
+npm run -s transmute -- scitt issue-receipt \
+./tests/fixtures/private.notary.key.cbor \
+./tests/fixtures/message.hash-envelope.cbor \
+--log ./tests/fixtures/trans.json \
+--output ./tests/fixtures/message.hash-envelope-with-receipt.cbor > ./tests/fixtures/message.hash-envelope-with-receipt.diag
+
+# verify receipt
+npm run -s transmute -- scitt verify-receipt-hash \
+./tests/fixtures/public.notary.key.cbor \
+./tests/fixtures/message.hash-envelope-with-receipt.cbor \
+3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22 > ./tests/fixtures/message.hash-envelope-with-receipt.diag
+
+# azure key vault
+
+npm run -s transmute -- scitt issue-statement \
+./tests/fixtures/message.json \
+--env ./.env \
+--alg ES256 \
+--iss https://software.vendor.example \
+--sub https://software.vendor.example/product/123 \
+--content-type application/spdx+json \
+--location https://software.vendor.example/storage/456 \
+--output ./tests/fixtures/message.json.akv.cbor \
+--azure-keyvault
+
+npm run -s transmute -- scitt issue-receipt \
+./tests/fixtures/message.json.akv.cbor \
+--env ./.env \
+--log ./tests/fixtures/trans.json \
+--output ./tests/fixtures/message.akv.receipt.cbor \
+--azure-keyvault
+
+npm run -s transmute -- scitt export-remote-public-key \
+--env ./.env \
+--output ./tests/fixtures/public.akv.key.cbor \
+--azure-keyvault
+
+npm run -s transmute -- scitt verify-statement-hash \
+./tests/fixtures/public.akv.key.cbor \
+./tests/fixtures/message.json.akv.cbor \
+3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22
+
+echo
+
+npm run -s transmute -- scitt verify-receipt-hash \
+./tests/fixtures/public.akv.key.cbor \
+./tests/fixtures/message.akv.receipt.cbor \
+3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22
\ No newline at end of file
diff --git a/src/scitt/handler.ts b/src/scitt/handler.ts
index 71df2046..4fe38f13 100644
--- a/src/scitt/handler.ts
+++ b/src/scitt/handler.ts
@@ -205,8 +205,14 @@ export const handler = async function ({ positionals, values }: Arguments) {
 setOutput('cbor', Buffer.from(result).toString('hex'))
 } else {
 if (!output) {
- const text = await cose.cbor.diagnose(Buffer.from(coseSign1))
- console.log(text)
+ const statement = await cose.cbor.decodeFirst(coseSign1)
+ const statementHeader = cose.cbor.decode(statement.value[0])
+ const statementClaims = statementHeader.get(cose.Protected.CWTClaims)
+ console.log('✅ Statement Verified')
+ console.log(`File: ${Buffer.from(result).toString('hex')}`)
+ if (statementClaims.get(1)) {
+ console.log(`Producer: ${statementClaims.get(1)} `)
+ }
 }
 }
 break
@@ -220,7 +226,7 @@ export const handler = async function ({ positionals, values }: Arguments) {
 dotenv.config({ path: envFile })
 }
 if (!log) {
- const message = `❌ --log is required (only JSON is supported)`
+ const message = `❌ --log is required(only JSON is supported)`
 console.error(message)
 throw new Error(message)
 }
@@ -351,7 +357,7 @@ export const handler = async function ({ positionals, values }: Arguments) {
 });
 const root = Buffer.from(verified.receipts[0]).toString('hex')
 if (Buffer.from(verified.payload).toString('hex') !== Buffer.from(hash, 'hex').toString('hex')) {
- throw new Error(`Signature verification failed for hash: ${Buffer.from(verified.payload).toString('hex')}`)
+ throw new Error(`Signature verification failed for hash: ${Buffer.from(verified.payload).toString('hex')} `)
 }
 if (output) {
 fs.writeFileSync(output, Buffer.from(verified.payload))
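Review bot: The new `# azure key vault` section runs four commands whose exit status is silently ignored, because the script has no shebang and no `set -e` (line 1 is `# notary keys`), so a failing `verify-statement-hash` or `verify-receipt-hash` does not stop the script and the remaining output can read as a pass. Adding `set -euo pipefail` directly after `# notary keys` would make every command in the file fail fast. The digest `3073d614f853aaec9a1146872c7bab75495ee678c8864ed3562f8787555c1e22` is now repeated four times and appears to be the expected hash of `./tests/fixtures/message.json`; computing it once into a variable at the top of the script would keep the checks from going stale when the fixture changes. The bare `echo` between the last two commands looks like a debugging leftover.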
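Review bot: `statementClaims` is dereferenced without a null check: `statementHeader.get(cose.Protected.CWTClaims)` yields undefined when the protected header carries no CWT claims, so `statementClaims.get(1)` throws a TypeError after `✅ Statement Verified` has already been printed, and a validly signed statement without claims ends in a non-zero exit. Use optional chaining, `if (statementClaims?.get(1)) {`. The previous code decoded `Buffer.from(coseSign1)` whereas the new code passes `coseSign1` straight to `decodeFirst`; if `coseSign1` is already a Uint8Array that is probably equivalent, but it is worth confirming against the decoder's parameter type. The literal `Producer: ${statementClaims.get(1)} ` gains a trailing space, as do the messages in the @@ -351, @@ -361 and @@ -371 hunks; these look accidental and break exact-match comparisons of the CLI output. `handler` begins and ends outside this hunk.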
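Review bot: The only change to this line drops the space before the parenthesis, leaving `--log is required(only JSON is supported)`, which reads as a typo rather than an intended rewording; the original spacing `--log is required (only JSON is supported)` should be kept. `handler` continues outside the hunk.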
@@ -361,8 +367,8 @@ export const handler = async function ({ positionals, values }: Arguments) {
 } else {
 if (!output) {
 console.log('✅ Receipt Verified')
- console.log(`Log: ${root}`)
- console.log(`File: ${hash}`)
+ console.log(`Log: ${root} `)
+ console.log(`File: ${hash} `)
 const statement = await cose.cbor.decodeFirst(transparentStatement)
 const statementHeader = cose.cbor.decode(statement.value[0])
 const [encodedReceipt] = statement.value[1].get(cose.Unprotected.Receipts)
@@ -371,13 +377,13 @@ export const handler = async function ({ positionals, values }: Arguments) {
 const receiptClaims = receiptHeader.get(cose.Protected.CWTClaims)
 const statementClaims = statementHeader.get(cose.Protected.CWTClaims)
 if (receiptClaims.get(1)) {
- console.log(`Notary: ${receiptClaims.get(1)}`)
+ console.log(`Notary: ${receiptClaims.get(1)} `)
 }
 if (statementClaims.get(1)) {
- console.log(`Producer: ${statementClaims.get(1)}`)
+ console.log(`Producer: ${statementClaims.get(1)} `)
 }
 if (receiptClaims.get(2)) {
- console.log(`Product: ${receiptClaims.get(2)}`)
+ console.log(`Product: ${receiptClaims.get(2)} `)
 }
 }
 }