Make auth use JWTs.

git-svn-id: https://www.unprompted.com/svn/projects/tildefriends/trunk@3991 ed5197a5-7fde-0310-b194-c3ffbd925b24

src/ssb.js.c

@@ -7,6 +7,7 @@
 #include "task.h"
 #include "util.js.h"
 
+#include <base64c.h>
 #include <sodium/crypto_hash_sha256.h>
 #include <sodium/crypto_sign.h>
 #include <string.h>
@@ -815,6 +816,78 @@ static JSValue _tf_ssb_remove_event_listener(JSContext* context, JSValueConst th
 	return result;
 }
 
+static JSValue _tf_ssb_hmacsha256_sign(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
+{
+	JSValue result = JS_UNDEFINED;
+	tf_ssb_t* ssb = JS_GetOpaque(this_val, _tf_ssb_classId);
+
+	size_t payload_length = 0;
+	const char* payload = JS_ToCStringLen(context, &payload_length, argv[0]);
+	const char* user = JS_ToCString(context, argv[1]);
+	const char* public_key = JS_ToCString(context, argv[2]);
+
+	uint8_t private_key[crypto_sign_SECRETKEYBYTES];
+	if (tf_ssb_db_identity_get_private_key(ssb, user, public_key, private_key, sizeof(private_key)))
+	{
+		uint8_t signature[crypto_sign_BYTES];
+		unsigned long long siglen;
+		if (crypto_sign_detached(signature, &siglen, (const uint8_t*)payload, payload_length, private_key) == 0)
+		{
+			char signature_base64[crypto_sign_BYTES * 2];
+			base64c_encode(signature, sizeof(signature), (uint8_t*)signature_base64, sizeof(signature_base64));
+			result = JS_NewString(context, signature_base64);
+		}
+	}
+	else
+	{
+		result = JS_ThrowInternalError(context, "Private key not found.");
+	}
+
+	JS_FreeCString(context, public_key);
+	JS_FreeCString(context, user);
+	JS_FreeCString(context, payload);
+
+	return result;
+}
+
+static JSValue _tf_ssb_hmacsha256_verify(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
+{
+	JSValue result = JS_UNDEFINED;
+
+	size_t public_key_length = 0;
+	const char* public_key = JS_ToCStringLen(context, &public_key_length, argv[0]);
+	size_t payload_length = 0;
+	const char* payload = JS_ToCStringLen(context, &payload_length, argv[1]);
+	size_t signature_length = 0;
+	const char* signature = JS_ToCStringLen(context, &signature_length, argv[2]);
+
+	const char* public_key_start = public_key && *public_key == '@' ? public_key + 1 : public_key;
+	const char* public_key_end = strstr(public_key_start, ".ed25519");
+	if (!public_key_end)
+	{
+		public_key_end = public_key_start + strlen(public_key_start);
+	}
+
+	uint8_t bin_public_key[crypto_sign_PUBLICKEYBYTES] = { 0 };
+	if (base64c_decode((const uint8_t*)public_key_start, public_key_end - public_key_start, bin_public_key, sizeof(bin_public_key)) > 0)
+	{
+		uint8_t bin_signature[crypto_sign_BYTES] = { 0 };
+		if (base64c_decode((const uint8_t*)signature, signature_length, bin_signature, sizeof(bin_signature)) > 0)
+		{
+			if (crypto_sign_verify_detached(bin_signature, (const uint8_t*)payload, payload_length, bin_public_key) == 0)
+			{
+				result = JS_TRUE;
+			}
+		}
+	}
+
+	JS_FreeCString(context, signature);
+	JS_FreeCString(context, payload);
+	JS_FreeCString(context, public_key);
+
+	return result;
+}
+
 void tf_ssb_register(JSContext* context, tf_ssb_t* ssb)
 {
 	JS_NewClassID(&_tf_ssb_classId);
@@ -836,6 +909,8 @@ void tf_ssb_register(JSContext* context, tf_ssb_t* ssb)
 	JS_SetPropertyStr(context, object, "createIdentity", JS_NewCFunction(context, _tf_ssb_createIdentity, "createIdentity", 1));
 	JS_SetPropertyStr(context, object, "getIdentities", JS_NewCFunction(context, _tf_ssb_getIdentities, "getIdentities", 1));
 	JS_SetPropertyStr(context, object, "appendMessageWithIdentity", JS_NewCFunction(context, _tf_ssb_appendMessageWithIdentity, "appendMessageWithIdentity", 3));
+	JS_SetPropertyStr(context, object, "hmacsha256sign", JS_NewCFunction(context, _tf_ssb_hmacsha256_sign, "hmacsha256sign", 3));
+	JS_SetPropertyStr(context, object, "hmacsha256verify", JS_NewCFunction(context, _tf_ssb_hmacsha256_verify, "hmacsha256verify", 3));
 
 	/* Does not require an identity. */
 	JS_SetPropertyStr(context, object, "getAllIdentities", JS_NewCFunction(context, _tf_ssb_getAllIdentities, "getAllIdentities", 0));