feat: replace wasm bls verification with @noble/curves

README.md

@@ -4,6 +4,8 @@ Use an Agent to interact with the Internet Computer from your JavaScript program
 
 This source code repository contains multiple npm packages, each under `./packages/`.
 
+Note: the `@noble/curves` `verifyShortSignature` function has been audited and merged, but has not yet been released. Once the release is available, we will update the `@dfinity/agent` dependency to use it instead of this manually compiled version
+
 ## Development
 
 ### Getting Started

packages/agent/package.json

@@ -51,8 +51,8 @@
     "@dfinity/principal": "^0.20.2"
   },
   "dependencies": {
-    "@noble/curves": "^1.2.0",
-    "@noble/hashes": "^1.3.1",
+    "@noble/curves": "^1.3.0",
+    "@noble/hashes": "^1.3.3",
     "base64-arraybuffer": "^0.2.0",
     "borc": "^2.1.1",
     "buffer": "^6.0.3",

packages/agent/src/actor.ts

@@ -14,7 +14,6 @@ import { pollForResponse, PollStrategyFactory, strategy } from './polling';
 import { Principal } from '@dfinity/principal';
 import { RequestId } from './request_id';
 import { toHex } from './utils/buffer';
-import { CreateCertificateOptions } from './certificate';
 import managementCanisterIdl from './canisters/management_idl';
 import _SERVICE from './canisters/management_service';
 
@@ -130,11 +129,6 @@ export interface ActorConfig extends CallConfig {
     args: unknown[],
     callConfig: CallConfig,
   ): Partial<CallConfig> | void;
-
-  /**
-   * Polyfill for BLS Certificate verification in case wasm is not supported
-   */
-  blsVerify?: CreateCertificateOptions['blsVerify'];
 }
 
 // TODO: move this to proper typing when Candid support TypeScript.
@@ -308,7 +302,7 @@ export class Actor {
             func.annotations.push(ACTOR_METHOD_WITH_HTTP_DETAILS);
           }
 
-          this[methodName] = _createActorMethod(this, methodName, func, config.blsVerify);
+          this[methodName] = _createActorMethod(this, methodName, func);
         }
       }
     }
@@ -369,12 +363,7 @@ export type ActorConstructor = new (config: ActorConfig) => ActorSubclass;
 
 export const ACTOR_METHOD_WITH_HTTP_DETAILS = 'http-details';
 
-function _createActorMethod(
-  actor: Actor,
-  methodName: string,
-  func: IDL.FuncClass,
-  blsVerify?: CreateCertificateOptions['blsVerify'],
-): ActorMethod {
+function _createActorMethod(actor: Actor, methodName: string, func: IDL.FuncClass): ActorMethod {
   let caller: (options: CallConfig, ...args: unknown[]) => Promise<unknown>;
   if (func.annotations.includes('query') || func.annotations.includes('composite_query')) {
     caller = async (options, ...args) => {
@@ -437,7 +426,7 @@ function _createActorMethod(
       }
 
       const pollStrategy = pollingStrategyFactory();
-      const responseBytes = await pollForResponse(agent, ecid, requestId, pollStrategy, blsVerify);
+      const responseBytes = await pollForResponse(agent, ecid, requestId, pollStrategy);
       const shouldIncludeHttpDetails = func.annotations.includes(ACTOR_METHOD_WITH_HTTP_DETAILS);
 
       if (responseBytes !== undefined) {

packages/agent/src/canisterStatus/index.ts

@@ -90,7 +90,6 @@ export type CanisterStatusOptions = {
   canisterId: Principal;
   agent: HttpAgent;
   paths?: Path[] | Set<Path>;
-  blsVerify?: CreateCertificateOptions['blsVerify'];
 };
 
 /**

packages/agent/src/certificate.ts

@@ -3,9 +3,20 @@ import { AgentError } from './errors';
 import { hash } from './request_id';
 import { concat, fromHex, toHex } from './utils/buffer';
 import { Principal } from '@dfinity/principal';
-import * as bls from './utils/bls';
+import { bls12_381 } from '@noble/curves/bls12-381';
 import { decodeTime } from './utils/leb';
 
+const verifyFunc = async (
+  primaryKey: Uint8Array | string,
+  signature: Uint8Array | string,
+  message: Uint8Array | string,
+): Promise<boolean> => {
+  const pk = typeof primaryKey === 'string' ? primaryKey : toHex(primaryKey);
+  const sig = typeof signature === 'string' ? signature : toHex(signature);
+  const msg = typeof message === 'string' ? message : toHex(message);
+  return bls12_381.verifyShortSignature(sig, msg, pk);
+};
+
 /**
  * A certificate may fail verification with respect to the provided public key
  */
@@ -29,7 +40,7 @@ const NodeId = {
   Pruned: 4,
 };
 
-export type NodeIdType = typeof NodeId[keyof typeof NodeId];
+export type NodeIdType = (typeof NodeId)[keyof typeof NodeId];
 
 export { NodeId };
 
@@ -103,7 +114,7 @@ export function hashTreeToString(tree: HashTree): string {
   }
 }
 
-interface Delegation extends Record<string, any> {
+interface Delegation extends Record<string, unknown> {
   subnet_id: ArrayBuffer;
   certificate: ArrayBuffer;
 }
@@ -153,8 +164,6 @@ export interface CreateCertificateOptions {
   maxAgeInMinutes?: number;
 }
 
-type MetricsResult = number | bigint | Map<number, number | bigint> | undefined;
-
 export class Certificate {
   private readonly cert: Cert;
 
@@ -179,13 +188,12 @@ export class Certificate {
   private static createUnverified(options: CreateCertificateOptions): Certificate {
     let blsVerify = options.blsVerify;
     if (!blsVerify) {
-      blsVerify = bls.blsVerify;
+      blsVerify = verifyFunc;
     }
     return new Certificate(
       options.certificate,
       options.rootKey,
       options.canisterId,
-      blsVerify,
       options.maxAgeInMinutes,
     );
   }
@@ -194,8 +202,6 @@ export class Certificate {
     certificate: ArrayBuffer,
     private _rootKey: ArrayBuffer,
     private _canisterId: Principal,
-    private _blsVerify: VerifyFunc,
-    // Default to 5 minutes
     private _maxAgeInMinutes: number = 5,
   ) {
     this.cert = cbor.decode(new Uint8Array(certificate));
@@ -249,7 +255,7 @@ export class Certificate {
     }
 
     try {
-      sigVer = await this._blsVerify(new Uint8Array(key), new Uint8Array(sig), new Uint8Array(msg));
+      sigVer = await verifyFunc(new Uint8Array(key), new Uint8Array(sig), new Uint8Array(msg));
     } catch (err) {
       sigVer = false;
     }
@@ -267,7 +273,6 @@ export class Certificate {
       certificate: d.certificate,
       rootKey: this._rootKey,
       canisterId: this._canisterId,
-      blsVerify: this._blsVerify,
       // Do not check max age for delegation certificates
       maxAgeInMinutes: Infinity,
     });

packages/agent/src/index.ts

@@ -11,7 +11,6 @@ export * from './der';
 export * from './fetch_candid';
 export * from './public_key';
 export * from './request_id';
-export * from './utils/bls';
 export * from './utils/buffer';
 export * from './utils/random';
 export * as polling from './polling';

packages/agent/src/polling/index.ts

@@ -29,7 +29,6 @@ export async function pollForResponse(
   strategy: PollStrategy,
   // eslint-disable-next-line
   request?: any,
-  blsVerify?: CreateCertificateOptions['blsVerify'],
 ): Promise<ArrayBuffer> {
   const path = [new TextEncoder().encode('request_status'), requestId];
   const currentRequest = request ?? (await agent.createReadStateRequest?.({ paths: [path] }));
@@ -39,7 +38,6 @@ export async function pollForResponse(
     certificate: state.certificate,
     rootKey: agent.rootKey,
     canisterId: canisterId,
-    blsVerify,
   });
   const maybeBuf = cert.lookup([...path, new TextEncoder().encode('status')]);
   let status;

packages/bls-verify/README.md

@@ -20,11 +20,4 @@ npm i --save @dfinity/bls-verify
 
 ```ts
 import { blsVerify } from '@dfinity/bls-verify';
-import { createActor, canisterId } from '../declarations/example';
-
-const exampleActor = createActor(canisterId, {
-  actorOptions: {
-    blsVerify,
-  },
-});
 ```

packages/bls-verify/package.json

@@ -13,7 +13,6 @@
   "bugs": {
     "url": "https://github.com/dfinity/agent-js/issues"
   },
-  "type": "module",
   "keywords": [
     "internet computer",
     "ic",
@@ -39,22 +38,23 @@
     "build": "tsc -b && tsc -p tsconfig-cjs.json",
     "bundle": "esbuild --bundle src/index.ts --outfile=dist/index.js --platform=node",
     "size-limit": "size-limit",
+    "test": "vitest",
     "ci": "npm run prettier && npm run lint && npm run test",
     "lint": "eslint 'src' --ext '.js,.jsx,.ts,.tsx'",
     "lint:fix": "npm run lint -- --fix",
     "make:docs/reference": "typedoc src/index.ts --out ../../docs/generated/bls-verify --excludeInternal",
-    "test": "jest",
     "prettier": "prettier --check \"src/**/*.ts\"",
     "prettier:write": "npm run prettier -- --write"
   },
   "dependencies": {
-    "amcl-js": "file:src/vendor/amcl-js"
+    "@noble/curves": "^1.3.0",
+    "@noble/hashes": "^1.3.3"
   },
   "devDependencies": {
     "@types/jest": "^29.5.5",
     "esbuild": "^0.15.16",
-    "jest": "^29.7.0",
-    "size-limit": "^8.1.0"
+    "size-limit": "^8.1.0",
+    "vitest": "^0.34.6"
   },
   "size-limit": [
     {