# project

## project 的三个需求

1. 表示数字艺术品
2. 存储数字艺术品
3. 交换数字艺术品 transection

## 安全需求分析

1. 需要记录用户和用户拥有的艺术品
    - 需要将用户和用户的独特签名对应起来
    - 需要在艺术品的存储中添加用户的独特签名
    - 将签名添加到艺术品的算法需要加密，防止攻击者修改艺术品数据内的独特签名
2. 数据交换

    - 交换艺术品时，需要将交换的请求加密，防止被中途修改
    - ACID 原则
        - 原子性（A）：一个事务的所有系列操作步骤被看成一个动作，所有的步骤要么全部完成，要么一个也不会完成。如果在事务过程中发生错误，则会回滚到事务开始前的状态，将要被改变的数据库记录不会被改变。
        - 一致性（C）：一致性是指在事务开始之前和事务结束以后，数据库的完整性约束没有被破坏，即数据库事务不能破坏关系数据的完整性及业务逻辑上的一致性。
        - 隔离性（I）：主要用于实现并发控制，隔离能够确保并发执行的事务按顺序一个接一个地执行。通过隔离，一个未完成事务不会影响另外一个未完成事务。
        - 持久性（D）：一旦一个事务被提交，它应该持久保存，不会因为与其他操作冲突而取消这个事务。

3. 数据存储的安全性

    - NFT 的不可篡改性依靠区块链的安全特性来实现。这里，我们将区块链替换为了一般的数据库，这将使平台失去去中心化的优势。为了仍然保障安全性，需要做出以下假设：
        - 部署数据库的设备不会被攻破
        - 数据库管理员的密码不会被泄露
        - 数据库管理员不会恶意修改数据库

4. 需要保护所有用户的独特签名

## 重要 reference

-   [中泰证券 NFT 技术分析](https://dfscdn.dfcfw.com/download/A2_cms_f_20220216123508144922&direct=1&abc3847.pdf)
-   [我的总结（祥见参考列表） - csdn](https://blog.csdn.net/weixin_39591031/article/details/124138855)


In [27]:
import sqlite3
import typing
from Crypto.PublicKey import ECC
from Crypto.Hash import SHA256


### 数据库

处理一切和数据库的交互

reference:

-   [https://developer.51cto.com/article/624601.html](https://developer.51cto.com/article/624601.html)
-   [https://www.runoob.com/sqlite/sqlite-data-types.html](https://www.runoob.com/sqlite/sqlite-data-types.html)


In [3]:
class Database:
    DATABASE_PATH = './demo.db'
    IMAGE_TABLE_NAME = 'images'
    USER_TABLE_NAME = 'users'

    def __init__(self):
        # init connection
        # db will be created if doesnt exist
        self.conn = sqlite3.connect(self.DATABASE_PATH)
        self.cur = self.conn.cursor()
        self.verify_img_table()
        self.verify_user_table()

    def verify_img_table(self):
        if len(self.cur.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name='{}';".format(
                self.IMAGE_TABLE_NAME)).fetchall()) > 0:
            print("Find IMAGES table in db.")
            return

        self.cur.execute("""CREATE TABLE images (
            NAME TEXT, 
            ID BOLB, 
            PRICE REAL, 
            OWNER BOLB, 
            RAWDATA BOLB
            );""")
        self.conn.commit()
        print("Images table initialized.")

    def verify_user_table(self):
        if len(self.cur.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name='{}';".format(
                self.USER_TABLE_NAME)).fetchall()) > 0:
            print("Find USERS table in db.")
            return

        # name | timestamp | privkey | pubkey
        self.cur.execute("""CREATE TABLE users (
            NAME TEXT, 
            PRIVKEY BOLB,
            PUBKEY BOLB
            );""")
        self.conn.commit()
        print("Users table initialized.")

    def execute(self, sql_cmd: str):
        self.cur.execute(sql_cmd)
        self.conn.commit()

    def insert_img(self, name, id, price, owner, rawdata, timestamp):
        '''
        name, id, price, owner, rawdata
        '''
        sql_cmd = "INSERT INTO images VALUES('{}', '{}', '{}', '{}', '{}')".format(
            name, id, price, owner, rawdata)
        self.cur.execute(sql_cmd)
        self.conn.commit()

    def fetch(self):
        sql_cmd = "SELECT * FROM images"
        self.cur.execute(sql_cmd)
        return self.cur.fetchall()

    def destroy(self):
        self.cur.close()
        self.conn.close()
        print("Db connection closed.")


In [4]:
# init database
db = Database()


In [None]:
db.destroy()


### 用户

-   昵称
-   公钥+私钥
    -   私钥非常重要，有非常多的功能，如：当作 id，生成所拥有的作品的 id（这是一个非常重要的表示图片的方法）
-   资产（一一币数量）


In [24]:
class User:
    def __init__(
        self, 
        name: str, 
        keys: typing.Tuple[str, str] = None, 
        money: float = 0,
        artwork_list: list = None, 
        db: Database = None
    ):
        '''
        Register a new user or add a user.
        User attr in db: name | privkey | pubkey | money
        - When register: only name is needed.
        - When adding an existing user: all user attributes are needed
        TODO: shoule we put user info in images table or image info in users table?
        '''
        self.name = name
        self.privkey, self.pubkey = keys or self.gen_keys()
        self.money = money
        self.image_list = artwork_list or []

        if not (db or self.db):  # if both are None
            raise AttributeError(
                "Haven't connect to database, please connect first.")
        else:
            self.db = db

    def gen_keys(self):
        '''Generate a pair of keys for user future use.'''
        # key = RSA.generate(2048)
        key = ECC.generate(curve='P-256')

        # PEM is human readable string
        # when import, read as text (e.g., open(path, 'rt'))
        priv_key = key.export_key(format='PEM')
        pub_key = key.public_key().export_key(format='PEM')

        print("RSA key generated:")
        print(priv_key)
        print(pub_key)

        return priv_key, pub_key

    def get_image_list(self):
        # retrieve user's images from database
        img_list = self.db.execute(
            "SELECT * FROM images WHERE privkey={}".format(self.privkey))
        print("Get image list:")
        [print('\t', item) for item in img_list]
        return img_list


In [25]:
xav = User('xav', db=db)


RSA key generated:
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgazy/RhHLF+J1RYgX
ZY7NWPXL3qofu10E8PZmzGMVBDGhRANCAAQRpORpcaRw1IHU3d/cQvyGvwI7qVE2
e5z9eiDrL8TjhtrciFIIwXMolGGDQkrbgXwUED46d/eV4W/M4bc3MIly
-----END PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEEaTkaXGkcNSB1N3f3EL8hr8CO6lR
Nnuc/Xog6y/E44ba3IhSCMFzKJRhg0JK24F8FBA+Onf3leFvzOG3NzCJcg==
-----END PUBLIC KEY-----


### Artwork

属性：

-   标题（`Bored Ape Yacht Club`）+id（`#5552`）
-   数字签名（绑定：图片内容+拥有者）
-   价格（和标题唯一绑定）
-   拥有者
-   原作者（待实现）
-   数据：云端唯一链接 / 原始数据（`rawdata`）

待解决的问题：

-   作品存在云端还是本地?
-   有人盗版图片然后重新上传（审核人员的工作，暂时不考虑）


In [26]:
class Artwork:
    '''
    Format in database:
        - name: image name
        - id: image unique id
        - price: price of the artwork
        - owner: privite key of the artwork owner
        - rawdata: raw data of the image
    '''
    DEFAULT_PRICE = 0.1  # default price of an artwork
    db = None  # database

    def __init__(self, name, id, price, owner: User, rawdata, db: Database = None):
        '''        
        - name: image name
        - id: image unique id
        - price: price of the artwork
        - owner: privite key of the artwork owner
        - rawdata: raw data of the image
        '''
        self.name = name
        self.id = id
        self.price = price
        self.owner = owner
        self.rawdata = rawdata

        if not (db or self.db):  # if both are None
            raise AttributeError(
                "Haven't connect to database, please connect first.")
        else:
            self.db = db

    @classmethod  # second constructor, for new image
    def new(self, name, rawdata, owner: User, db: Database = None):
        '''Upload a new image.'''
        self.name = name
        self.rawdata = rawdata
        self.owner = owner
        self.price = self.DEFAULT_PRICE
        self.id = self.gen_id()

        if not (db or self.db):  # if both are None
            raise AttributeError(
                "Haven't connect to database, please connect first.")
        else:
            self.db = db

        self.add_to_db()

    def add_to_db(self):
        self.db.verify_img_table()  # create iamge table if doesn't exist
        sql_cmd = "INSERT INTO images VALUES('{}', '{}', '{}', '{}', '{}')".format(
            self.name, self.id, self.price, self.owner, self.rawdata)
        self.db.execute(sql_cmd)

    def gen_id(self) -> typing.Tuple[bytes, str]:
        '''
        Get artwork id: use Hash256 algorithm to get the digest of the image, then use the owner's pubkey to encrypt it.
        @return [the byte id of the image, the printable id of the image]
        '''
        h1 = SHA256.new()
        h1.update(self.rawdata)
        h2 = SHA256.new()
        h2.update(h1.digest())
        id = ECC.import_key(self.owner.privkey)

        return h2.digest(), h2.hexdigest()

    def update_owner(self, new_owner: User):
        '''Change owner of this artwork.'''
        # update database
        print("Image owner updated: {} ---> {}".format(self.owner, new_owner))
        cmd = "UPDATE images SET owner={} WHERE id={}".format(
            new_owner.signature, self.id
        )
        self.db.execute(cmd)

        print("Updated image table:")
        imgs = db.execute("SELECT * FROM images")
        [print('\t', img) for img in imgs]


问题总结：

1. 应该把 user 信息放进 image 还是反过来
    - image 更换拥有者时，需要根据主人 priv_key 重新生成 id
    - 需要给用户展示拥有的 images
2.
