feat(*): contract signing and verification

[sanketshevkar]

Enables the parties involved in execution of a contract to digitally sign the signatures.

Changes

• The party can sign the contract instance using their private key stored in a pkcs#12 keystore.
• The signatures are stored in an folder inside the slc archive or the contract directory

Author Checklist

• Ensure you provide a DCO sign-off for your commits using the --signoff option of git commit.
• Vital features and changes captured in unit and/or integration tests
• Commits messages follow AP format
• Extend the documentation, if necessary
• Merging to master from fork:branchname

[mttrbrts]

Under what circumstances would we ever need to access entries that are not in the first position of safeContents or safeBags array?

[sanketshevkar]

I don't think we'll ever have to, it's mostly metadata of the keystore stored in it.

[jeromesimeon]

How safe is this path really? What happens if there is no safeContents or no safeBags. Could you clarify what the forge API supports there?

[sanketshevkar]

@mttrbrts safeContents contains all the things present inside the keystore. In this case at the first position it is the certificate and in the second position it is the private key. So safeContents[0].safeBags[0] contains the x509 cert, and only has one object inside the safeBags array. Similary safeContents[1].safeBags[0] has the private key and also has only object inside the safeBags array. @jeromesimeon there is another method getBags() using which the the material inside safe bags can be accessed but either one of the following property is to be known:

• friendlyName
• localKeyIdHex
• bagType

[sanketshevkar]

• I was not able to find a friendly name
• { localKeyId: [ '\u0010÷&Þ\u001e°ÑÆ\u0015Ã?\u0011Aw\u0010¥' ] }, this was the localKeyId
• 1.2.840.113549.1.12.10.1.3, this was the bag type for a x509 cert & 1.2.840.113549.1.12.10.1.2 this for a private key.

Since these were a bit hard to understand I decided to take the route of selecting the certificate and the private key from safeContents and safeBags directly

[sanketshevkar]

You can refer to this replit: https://replit.com/@sanketshevkar/forgeBags#index.js

[jeromesimeon]

1. this branch includes many commits from the source branch which will make for a very messy commit history and unnecessary code duplication. A clean version can be found here: New slc signing #692
2. somehow the tests didn't run. Running locally I see two tests failing:

  1) ContractInstance
       #verify
         should throw error for failed signature verification:
     Error: Contract signature is invalid!
      at ContractInstance.verify (lib/contractinstance.js:1656:13)
      at Context.<anonymous> (test/contractinstance.js:121:29)

  2) ContractInstance
       #verifySignatures
         should throw error while verifying the contract signatures:
     Error: Contract signature is invalid!
      at ContractInstance.verify (lib/contractinstance.js:1656:13)
      at /Users/jerome.simeon/git/accordproject/cicero-signing/packages/cicero-core/lib/contractinstance.js:1617:14
      at Array.forEach (<anonymous>)
      at ContractInstance.verifySignatures (lib/contractinstance.js:1609:31)
      at Context.<anonymous> (test/contractinstance.js:139:29)

A proposed fix is included in this commit: 609b42c

[jeromesimeon]

Closing this, replaced by #692