ARC-60 Algorand Wallet Structured Data Signing API

[deanstef]

An API for signing structured bytes with Algorand wallets. It unlocks many use cases ranging from self-custodial digital identities, authentication, document signing etc.

The API provides a standard interface for a signData() function that takes as an argument a structured data object and metadata and returns the requested digital signature. It is compatible with rekeyed accounts, multi-signature and HD wallets.

This API is inspired and based on ARC-1. It has been conceived to be secure by design with semantics and security controls. It does not allow the signing of canonical Algorand transactions or Groups.

[ehanoc]

Made a few comments.

I think we need a schema for 32 bytes signing auth challenge requests

[ehanoc]

We could add a matching wallet.spec.ts file with a small test suite so that we can test the functions of the reference implementation

[ehanoc]

@joe-p can you validate this schema?

[deanstef]

Made a few comments.

I think we need a schema for 32 bytes signing auth challenge requests

@ehanoc Thank you for your comments. The JSON schema for authentication challenge will be provided by ARC-31 as an extension of ARC-60.

[deanstef]

With 7447a0d and 8d8cef3 I updated ARC-60 with a simpler signBytes interface. It now takes three arguments: data, metadata, and signer. I removed the msig, authaddr and hdWallet functionalities to keep it simple.

@ehanoc @pbennett @yigitguler @k13n @joe-p PTAL

[ehanoc]

PLAIN is the same as ARBITRARY, doesn't specify WHY we are signing

[deanstef]

Agreed. I would like to keep a generic Scope for a generic message signing. What about SIGMSG?

[ehanoc]

But generic is problematic because we don't know what we are signing. SIGMSG still doesn't state what we are signing.

[deanstef]

I removed generic scopes. We only have AUTH and LSIG now.

[k13n]

Thanks @deanstef for putting together ARC-60!

[k13n]

In which cases can signData return null? Further below, it is defined that if signData fails, it should throw an error, not return null. So shouldn't the function either return SigendDataStr or throw an error?

[deanstef]

Yes you are right. This is a leftover from a previous design with bulk signatures.

[deanstef]

Actually - in the reference implemnetation, I am returning null if the user does not confimr the signature: https://github.com/deanstef/ARCs/blob/a8de5d08f3c558bedeb8c1addbacc25362eda7b5/assets/arc-0060/wallet.ts#L79C4-L79C5

[k13n]

The naming is a little confusing to me. Why does SignedDataStr include the term Str when it is defined as an Uint8Array. Conversely, StdData is also defined as a string but does not contain the term Str.

[deanstef]

Yeah the naming got a bit messy when we changed stuff from String to Uint8Array. I will align the naming such that only string objects names will end with the Str term

[deanstef]

045de9e

[k13n]

According to this definition, SigendDataStr is purely the signature (64 bytes long). In the reference implementation, nacl.sign is used which returns the signature and the original message.

If SignedDataStr represents purely the signature, wouldn't something like Signature be a more appropriate name for this type?

[deanstef]

Good catch. Here b244ed6 I updated both the naming and the reference implementation. I am using nacl.sign.detached now.

[k13n]

Why is the schema (which is a JSON object) represented as a canonicalized JSON string?

[deanstef]

In a very first version of ARC60 I was using canonicalized versions of JSON objects to produce signatures of the entire objects. In the new version this is not needed anymore. We can get rid of the canonicalized stuff indeed.

[deanstef]

045de9e

[k13n]

What are possible encodings that should be supported?

[jasonpaulos]

+1 to clarifying this

[k13n]

In which case could failingSignData be null?

[deanstef]

If the error was caused by a missing StdData object.

[k13n]

According to the definition of SignDataFunction above, it seems a null return value is also possible (which I don't think is required as I mentioned earlier).

[k13n]

According to the table above an invalid schema is a 4601 error code, or is this a different schema?

[deanstef]

Error code 4601 means that the JSON schema does not comply with ARC-60 (the required fields ARC60Domain and bytes are missing).

In this case, we are failing because data is not a valid object according to the schema metadata.schema.

[k13n]

Is this validation here independent of the ARC60Domain validation? Because if ARC60Domain is set to arc60 (or anything other than "", "TX", or "TG"), wouldn't it be fine if bytes started with TX or TG? Because the wallet would have to concatenate the value of ARC60Domain and bytes and hence no malicious payload could be signed?

[deanstef]

Setting ARC60Domain to "" would make the concatenation not effective. I suggest to always validate bytes against malicious payloads (prepended with TX or TG) to avoid problems.

[ehanoc]

I don't think we should have generic scopes. They should be VERY Specific.

A generic scope doesn't tell you what schema to enforce and could potentially be used to trick the user or even the wallet.

[FrankSzendzielarz]

The spec doesn't make it generic. It says that the bytes must not be certain things, such as transactions. The spec says "most generic", i.e., that narrower scopes might be defined. I think the problem then becomes how to specify what things should not be. For example, specifying a scope that allows 32 arbitrary bytes to be signed for auth purposes does not preclude a 32 byte arbitrary document from being signed.

[deanstef]

We only have AUTH and LSIG scopes now.

[ehanoc]

@deanstef requiring the public key (a.k.a signer) would be somewhat cumbersome for HDWallets to find the correct address to use. Would have to do a recursive search.

Legacy algorand wallets are single address, with HDWallets they will support BIP44 and providing the path as optional would suit best.

Thoughts?

[ehanoc]

I think signData(data, metadata, keyInfo

Where keyInfo can contain information of where to find the key, what keyType, hashing function to use would be extendable and offer future proof with HDWallets

[deanstef]

In the first version of ARC-60 there was the possibility of passing a HDWallet derivation path as signer parameter (see https://github.com/deanstef/ARCs/blob/67754a89ff9e211cfee6f29ebd7aa4f016b19243/ARCs/arc-0060.md?plain=1#L122)

Then we decided to keep it simple and just opt for passing the public key of the signer. I'd be happy to re-introduce HDWallets support though

[ehanoc]

I understand. Although just the public key is ambiguous when you have N possible key pairs in a BIP32 / BIP44 path scheme.

[mxmauro]

Hi, I cannot figure out if, on the latest revision, data to sign is Uint8Array or a string. (I prefer the former because data & platform-independant)

[jasonpaulos]

+1 to clarifying this

[jasonpaulos]

I don't understand how this can contain an logicsig program if it's a string

[mxmauro]

Yes, I prefer a Buffer or Uint8Array.

[FrankSzendzielarz]

The way I read the spec is that the StdDataStr is a stringified JSON object that must comply with the metadata supplied as an argument to the sign function, of type StdSignMetadata. The metadata specifies which field contains data to be signed, and not the whole json object. Part of the problem is this line in the first paragraphs:

data is a string representing the structured data being signed.

This is not true according to the rest of the spec. The data being signed is whichever field of the StdDataStr json object is specified to be signed.

Another problem is that there is not defined here the standard encoding for JSON bytes data. Typically in web applications it is Base64 encoded strings, and OpenAPI spec clients/servers will work with that, but it's only by common convention, and I don't know the base specs like JSON Schema say anything about it (off the top of my head)

In general I find the spec confusing because of a) the use of both TypeScript types and JSON types, and I don't like the use of things like UInt8Array at all, as they are TS domain specific concepts and don't belong in language agnostic specs. b) slightly misleading terminology, like "Scope" instead of "Schema"...

[deanstef]

Thank you @FrankSzendzielarz

This commit c08b995 should fix the issue you raised.

[deanstef]

Also, @jasonpaulos @mxmauro please refer to the Backwards Compatibility section of the ARC.

[FrankSzendzielarz]

Hi, I cannot figure out if, on the latest revision, data to sign is Uint8Array or a string. (I prefer the former because data & platform-independant)

The data to sign is an encoded field of the input JSON text. It will always be a string, of course, as the input is JSON. What encoding depends on the metadata (and I am informed that the spec will be updated to clarify this). What does seem to be clear though, given the comments like this one, is that either the spec is not being read, or not being understood, so I'd suggest specs like these get plain English TLDRs at the top.

[k13n]

I made another pass through the ARC, please see my comments below. The ARC is making good progress!

[k13n]

Should the bytes here really be a string or rather a proper array like so:
"bytes" : [99, 50, 97, 57, 51, 99, ..., 57, 49, 53]

[k13n]

Is it intentional that the letter "n" is missing in StdSigData / present in StdSignMetadata? Should it be StdSignData and StdSignMetadata?

[k13n]

Can we give those objects a name? For example:

signingData = {
  "data": "{...}",
  "signer": "xxxx"
};

metadata = {
  "scope": "...",
  "schema": "{...}",
  "encoding": "..."
};

Also, should it be "data": "{...}" rather than "data": "/{.../}"? (same for schema)

[k13n]

same as above:

signingData = {
  "data": "{...}",
  "signer": "xxxx",
  "hdPath": {
    "purpose": 44,
    "coinType": 0,
    "account": 0,
    "change": 0,
    "addrIdx": 0
  }
};

metadata = {
  "scope": "...",
  "schema": "{...}",
  "encoding": "..."
};

[k13n]

I have two questions here:

• Does this encoding apply to (metadata.)schema.bytes or (signingData.)data.bytes? Could it be that when you write schema.bytes you implicitly mean data.bytes?
• Since encoding is an optional parameter, this means if no encoding is provided it should be considered base64? In your wallet.ts example no encoding is specified, but the bytes array is represented as a JSON array of integers, not a base64-string

[k13n]

Same as above: are there any other forbidden tags like "Program"?

[k13n]

Just marking this for completeness -- same as above

[k13n]

I'm wondering if we should even mention ARC-47 in this ARC here. I'm inclined to remove it for the sake of simplicity and to keep this ARC as short and concise as possible. If there's demand for signing lsigs with ARC-60, somebody can propose a new ARC, specify the scope, and define the schema, etc.

[k13n]

I agree that wallets need to hard-code the ScopeTypes and schemas that they support. But this raises the question for me if we even need to include the schema in the metadata field?

Given the ScopeType, the wallet could look up its hard-coded schema and match the signingData against this schema.

Perhaps it's nice to have the schema also in the metadata to make the request self-descriptive. But in an implementation I'd likely ignore metadata.schema and match signingData.bytes against my hard-coded schema. Would that be a problem?

[k13n]

Once the ARC is stable and about to be finalized, it'd be nice to add some test cases. We could specify a keypair, a message (according to the AUTH schema) and show the resulting signature as a test case.

In another test case we could have a keypair derived from a hd-wallet.