# project

## project 的三个需求

1. 表示数字艺术品
2. 存储数字艺术品
3. 交换数字艺术品 transection

## 安全需求分析

1. 需要记录用户和用户拥有的艺术品
    - 需要将用户和用户的独特签名对应起来
    - 需要在艺术品的存储中添加用户的独特签名
    - 将签名添加到艺术品的算法需要加密，防止攻击者修改艺术品数据内的独特签名
2. 数据交换

    - 交换艺术品时，需要将交换的请求加密，防止被中途修改
    - ACID 原则
        - 原子性（A）：一个事务的所有系列操作步骤被看成一个动作，所有的步骤要么全部完成，要么一个也不会完成。如果在事务过程中发生错误，则会回滚到事务开始前的状态，将要被改变的数据库记录不会被改变。
        - 一致性（C）：一致性是指在事务开始之前和事务结束以后，数据库的完整性约束没有被破坏，即数据库事务不能破坏关系数据的完整性及业务逻辑上的一致性。
        - 隔离性（I）：主要用于实现并发控制，隔离能够确保并发执行的事务按顺序一个接一个地执行。通过隔离，一个未完成事务不会影响另外一个未完成事务。
        - 持久性（D）：一旦一个事务被提交，它应该持久保存，不会因为与其他操作冲突而取消这个事务。

3. 数据存储的安全性

    - NFT 的不可篡改性依靠区块链的安全特性来实现。这里，我们将区块链替换为了一般的数据库，这将使平台失去去中心化的优势。为了仍然保障安全性，需要做出以下假设：
        - 部署数据库的设备不会被攻破
        - 数据库管理员的密码不会被泄露
        - 数据库管理员不会恶意修改数据库

4. 需要保护所有用户的独特签名

## 重要 reference

-   [中泰证券 NFT 技术分析](https://dfscdn.dfcfw.com/download/A2_cms_f_20220216123508144922&direct=1&abc3847.pdf)
-   [我的总结（祥见参考列表） - csdn](https://blog.csdn.net/weixin_39591031/article/details/124138855)


In [3]:
import sqlite3
import typing
from Crypto.PublicKey import ECC
from Crypto.Hash import SHA256

import json
import base64
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes


### 数据库

处理一切和数据库的交互

reference:

-   [https://developer.51cto.com/article/624601.html](https://developer.51cto.com/article/624601.html)
-   [https://www.runoob.com/sqlite/sqlite-data-types.html](https://www.runoob.com/sqlite/sqlite-data-types.html)


In [2]:
class DBmanager:
    DATABASE_PATH = "./demo.db"
    COLLECTIONS_TABLE_NAME = "collections"
    USER_TABLE_NAME = "users"
    TRANSECTIONS_TABLE_NAME = "transections"

    def __init__(self):
        # init connection
        # db will be created if doesnt exist
        self.conn = sqlite3.connect(self.DATABASE_PATH)
        self.cur = self.conn.cursor()
        self.init_collections_table()
        self.init_user_table()

    def init_collections_table(self):
        if (
            len(
                self.cur.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' AND name='{}';".format(
                        self.COLLECTIONS_TABLE_NAME
                    )
                ).fetchall()
            )
            > 0
        ):
            print("Find {} table in db.".format(self.COLLECTIONS_TABLE_NAME))
            return
        # id | owner_id | price | encrypted_content | preview | statue
        self.execute_and_commit(
            'CREATE TABLE {} (ID TEXT, OWNER_ID TEXT, PRICE REAL, ENCRYPTED_CONTENT BOLB, PREVIEW BOLB, STATUE TEXT);'.format(
                self.COLLECTIONS_TABLE_NAME
            )
        )
        print("Images table initialized.")

    def init_user_table(self):
        if (
            len(
                self.cur.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' AND name='{}';".format(
                        self.USER_TABLE_NAME
                    )
                ).fetchall()
            )
            > 0
        ):
            print("Find {} table in db.".format(self.USER_TABLE_NAME))
            return
        # id | validation_file | pub_key | balance
        self.cur.execute_and_commit(
            'CREATE TABLE {} (ID TEXT, VALIDATION_FILE TEXT, PUB_KEY TEXT, BALANCE REAL);'.format(
                self.USER_TABLE_NAME
            )
        )
        print("Users table initialized.")

    def init_transections_table(self):
        if (
            len(
                self.cur.execute(
                    "SELECT name FROM sqlite_master WHERE type='table' AND name='{}';".format(
                        self.TRANSECTIONS_TABLE_NAME
                    )
                ).fetchall()
            )
            > 0
        ):
            print("Find {} table in db.".format(self.TRANSECTIONS_TABLE_NAME))
            return
        # timestamp | type | content | collection_id | src_user_id | dest_user_id | status
        self.cur.execute_and_commit(
            'CREATE TABLE {} (TIMESTAMP REAL, TYPE TEXT, CONTENT TEXT, COLLECTION_ID TEXT, SRC_USER_ID TEXT, DEST_USER_ID TEXT, STATUS TEXT);'.format(
                self.TRANSECTIONS_TABLE_NAME
            )
        )
        print("Users table initialized.")

    def execute_and_commit(self, sql_cmd: str):
        self.cur.execute(sql_cmd)
        self.conn.commit()

    def add_collection(self, id, price, owner_id, encrypted_content, preview, status):
        self.execute_and_commit(
            "INSERT INTO collections VALUES('{}', '{}', '{}', '{}', '{}', '{}')".format(
                id, price, owner_id, encrypted_content, preview, status,
            )
        )

    def update_collection_owner(self, collection_id:str, new_owner_id:str):
        '''Update the owner_id of the collection in database.'''
        self.execute_and_commit(
            ""
        )

    def get_all_collections(self):
        self.cur.execute("SELECT * FROM collections")
        return self.cur.fetchall()

    def destroy(self):
        self.cur.close()
        self.conn.close()
        print("Db connection closed.")


In [4]:
# init database
db = DBmanager()


In [None]:
db.destroy()


### 用户

属性
- `ID`: user name, must be unique, thus can be view as ID
- `validation_file`: json serilized file (2 fields: user_id & AES key) being encrypted using user's RSA private key
- `pub_key`: user's RSA public key
- `balance`: user's balance of XAV coin
- `transections`: user's all transections


In [24]:
class User:
    DEFAULT_BALANCE = 3 # user default balance

    def __init__(
        self,
        id: str,
        # can be left empty during registration:
        pub_key: str = None,
        validation_file: bytes = None,
        balance: float = None,
        collections: list = None,
        transections: list = None,
        # must be provided in instantiation:
        db: DBmanager = None,
    ):
        """
        id: user name, must be unique, thus can be view as ID
        pub_key: user's RSA public key
        validation_file: json serilized file (2 fields: user_id & AES key) being encrypted using user's RSA private key
        balance: user's balance of XAV coin
        collections: user's all collections
        transections: user's all transections
        db: DBmanager
        """
        self.id = id
        self.pub_key = pub_key
        self.validation_file = validation_file
        self.balance = balance
        self.collections = collections
        self.transections = transections

        # db must be provided in instantiation
        if not (db or self.db):  # if both are None
            raise AttributeError("Haven't connect to database, please connect first.")
        else:
            self.db = db

        # necessary fields
        self.id = id

        # if any of following fields is None -> register mode
        if not (pub_key and validation_file and balance and collections and transections):
            # if any of following fields isn't none -> raise exception
            if pub_key and validation_file and balance and collections and transections:
                raise AttributeError(
                    "In non-register mode all fields must be provided."
                )
            # register user
            priv_key, self.pub_key, aes_key = self._gen_keys()
            self.validation_file = self._gen_validation_file(aes_key)
            self.balance = self.DEFAULT_BALANCE
            self.collections = []
            self.transections = []
            self._add_to_db()
        else: # normal mode
            self.pub_key = pub_key
            self.validation_file = validation_file
            self.balance = balance
            self.collections = collections
            self.transections = transections

    def _gen_keys(self):
        """
        Generate:
            1. a pair of keys using EEC algorithm
            2. a key using AES algorithm
        """
        key = ECC.generate(curve="P-256")

        # PEM is human readable string
        # when import, read as text (e.g., open(path, 'rt'))
        priv_key = key.export_key(format="PEM")
        pub_key = key.public_key().export_key(format="PEM")

        aes_key = get_random_bytes(32)  # 32-bytes is safer than 16-bytes

        print("Generate user keys:")
        print(priv_key)
        print(pub_key)
        print("AES key:", aes_key)

        return priv_key, pub_key, aes_key

    def _gen_validation_file(self, aes_key):
        return json.dumps({'user_id': self.id, 'aes_key': aes_key})

    def _add_to_db(self):
        """
        - id: user name, must be unique, thus can be view as ID
        - pub_key: user's RSA public key
        - validation_file: json serilized file (2 fields: user_id & AES key) being encrypted using user's RSA private key
        - balance: user's balance of XAV coin
        - transections: user's all transections
        """
        self.db.add_user(
            self.id,
            self.pub_key,
            self.validation_file,
            self.balance,
            self.transections,
        )
        

    def get_image_list(self):
        # retrieve user's images from database
        img_list = self.db.execute(
            "SELECT * FROM images WHERE privkey={}".format(self.privkey)
        )
        print("Get image list:")
        [print("\t", item) for item in img_list]
        return img_list


In [25]:
xav = User('xav', db=db)


RSA key generated:
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgazy/RhHLF+J1RYgX
ZY7NWPXL3qofu10E8PZmzGMVBDGhRANCAAQRpORpcaRw1IHU3d/cQvyGvwI7qVE2
e5z9eiDrL8TjhtrciFIIwXMolGGDQkrbgXwUED46d/eV4W/M4bc3MIly
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEaTkaXGkcNSB1N3f3EL8hr8CO6lR
Nnuc/Xog6y/E44ba3IhSCMFzKJRhg0JK24F8FBA+Onf3leFvzOG3NzCJcg==
-----END PUBLIC KEY-----


### Collection

属性：
-   标题（`Bored Ape Yacht Club`）+id（`#5552`）
-   数字签名（绑定：图片内容+拥有者）
-   价格（和标题唯一绑定）
-   拥有者
-   原作者（待实现）
-   数据：云端唯一链接 / 原始数据（`rawdata`）

数据库格式：
`(id, owner_id, price, encrypted_content, preview, status)`

待解决的问题：
-   作品存在云端还是本地?
-   有人盗版图片然后重新上传（审核人员的工作，暂时不考虑）


In [26]:
class Collection:
    # Format in database: (id, owner_id, price, encrypted_content, preview, status)

    _DEFAULT_PRICE = 0.1  # default price of a collection
    _STATUS_CONFIRMED = "confirmed"  # default status
    _STATUS_PENDING = "pending"
    db = None  # database

    def __init__(
        self,
        id: str,
        owner_id: str,
        # can be left empty during registration:
        price: float = None,
        encrypted_content: str = None,
        preview: str = None,
        status: str = None,
        # used only during registration:
        raw_data: bytes = None,
        aes_key: str = None,
        # must be provided in instantiation:
        db: DBmanager = None,
    ):
        """
        @params
        - id: collection unique name
        - owner_id: id of collection's owner
        - price: price of the collection, auto increase by 1 after each transection
        - encrypted_content: raw data of the collection after encrypted with owner's AES key
        - preview: low resolution version of the image
        - status: pending if in the middle of a transection, otherwise confirmed
        - raw_data: raw data of the collection in bytes
        - ase_key: a ase key used to decrypt `encrypted_content`
        - db: DBmanager instance.
        """

        # db must be provided in instantiation
        if not (db or self.db):  # if both are None
            raise AttributeError("Haven't connect to database, please connect first.")
        else:
            self.db = db

        # necessary fields
        self.id = id
        self.owner_id = owner_id

        # if any of following fields is None -> register mode
        if not (price and encrypted_content and status):
            # if any of following fields isn't none -> raise exception
            if price or encrypted_content or status:
                raise AttributeError(
                    "In non-register mode all fields must be provided."
                )
            # register collection
            self.status = self._STATUS_CONFIRMED
            self.price = self._DEFAULT_PRICE
            self.encrypted_content = self._encrypte_content(raw_data, aes_key)
            self.preview = self._gen_preview(raw_data)
            self._add_to_db()
        else: # normal mode
            self.status = status
            self.price = price
            self.encrypted_content = encrypted_content
            self.preview = preview

    def _add_to_db(self):
        """
        - id: collection unique name
        - price: price of the collection, auto increase by 1 after each transection
        - owner_id: id of collection's owner
        - encrypted_content: raw data of the collection after encrypted with owner's AES key
        - preview: low resolution version of the image
        - status: pending if in the middle of a transection, otherwise confirmed
        """
        self.db.add_collection(
            self.id,
            self.price,
            self.owner_id,
            self.encrypted_content,
            self.preview,
            self.status,
        )

    def _encrypte_content(data, aes_key) -> str:
        """
        Encrypt content using AES (CTR mode, allow arbitrary length of data).
        @param data: raw data of image in bytes
        @return serialized json string (e.g., {"nonce": '4Sa\we', "ciphertext": 'wgS2F=D3'})
        """
        cipher = AES.new(aes_key, AES.MODE_CTR)
        ct_bytes = cipher.encrypt(data)
        nonce = base64.b64encode(cipher.nonce).decode("utf-8")
        ct = base64.b64encode(ct_bytes).decode("utf-8")
        result = json.dumps({"nonce": nonce, "ciphertext": ct})
        print("Encrypt result:", result)
        return result

    def _decrypte_content(data, aes_key) -> bytes:
        """
        Encrypt content using AES (CTR mode, allow arbitrary length of data).
        @param data: json serialized string (e.g., {"nonce": '4Sa\we', "ciphertext": 'wgS2F=D3'})
        @return decrypted bytes data
        """
        b64 = json.loads(data)
        nonce = base64.b64decode(b64["nonce"])
        ct = base64.b64decode(b64["ciphertext"])
        cipher = AES.new(aes_key, AES.MODE_CTR, nonce=nonce)
        pt = cipher.decrypt(ct)
        print("Decrypt result:", pt)
        return pt

    def update_owner(self, new_owner_id:str):
        """Change owner of this artwork."""
        # update owner of this collection in database
        print("Image owner updated: {} ---> {}".format(self.owner_id, new_owner_id))
        self.db.update_collection_owner(new_owner_id)


问题总结：

1. 应该把 user 信息放进 image 还是反过来
    - image 更换拥有者时，需要根据主人 priv_key 重新生成 id
    - 需要给用户展示拥有的 images
2. 用户：昵称（可重复），ID（唯一），
