packages/shade-key-transparency/tests/sth.test.ts

import { describe, expect, test } from 'bun:test';
import { SubtleCryptoProvider } from '@shade/crypto-web';
import {
  canonicalSthBytes,
  computeLogId,
  signSth,
  sthFromWire,
  sthToWire,
  verifySthSignature,
} from '../src/index.js';
import { fromBase64, toBase64 } from '../src/util.js';

const crypto = new SubtleCryptoProvider();

describe('STH signing & verification', () => {
  test('signSth + verifySthSignature roundtrip', async () => {
    const kp = await crypto.generateEd25519KeyPair();
    const sth = await signSth(crypto, kp.privateKey, {
      treeSize: 42,
      timestampMs: 1700000000000,
      rootHash: new Uint8Array(32).fill(0xaa),
      indexRoot: new Uint8Array(32).fill(0xbb),
      logId: computeLogId(kp.publicKey),
    });
    expect(await verifySthSignature(crypto, sth, kp.publicKey)).toBe(true);
  });

  test('verify fails with wrong public key', async () => {
    const kp = await crypto.generateEd25519KeyPair();
    const other = await crypto.generateEd25519KeyPair();
    const sth = await signSth(crypto, kp.privateKey, {
      treeSize: 1,
      timestampMs: 1700000000000,
      rootHash: new Uint8Array(32),
      indexRoot: new Uint8Array(32),
      logId: computeLogId(kp.publicKey),
    });
    expect(await verifySthSignature(crypto, sth, other.publicKey)).toBe(false);
  });

  test('verify fails when log_id is forged', async () => {
    const kp = await crypto.generateEd25519KeyPair();
    const other = await crypto.generateEd25519KeyPair();
    const sth = await signSth(crypto, kp.privateKey, {
      treeSize: 1,
      timestampMs: 1700000000000,
      rootHash: new Uint8Array(32),
      indexRoot: new Uint8Array(32),
      logId: computeLogId(other.publicKey), // mismatched
    });
    // The signature was made over a log_id that doesn't match the supplied
    // public key — verifySthSignature should refuse.
    expect(await verifySthSignature(crypto, sth, kp.publicKey)).toBe(false);
  });

  test('canonical bytes layout is stable', () => {
    const bytes = canonicalSthBytes({
      treeSize: 0x0102030405,
      timestampMs: 0x06070809,
      rootHash: new Uint8Array(32).fill(0x11),
      indexRoot: new Uint8Array(32).fill(0x22),
      logId: new Uint8Array(32).fill(0x33),
    });
    // 1 prefix + 8 treeSize + 8 timestamp + 32 + 32 + 32
    expect(bytes.length).toBe(113);
    expect(bytes[0]).toBe(0x02);
  });

  test('wire roundtrip', async () => {
    const kp = await crypto.generateEd25519KeyPair();
    const sth = await signSth(crypto, kp.privateKey, {
      treeSize: 7,
      timestampMs: 1700000000000,
      rootHash: new Uint8Array(32).fill(0x77),
      indexRoot: new Uint8Array(32).fill(0x88),
      logId: computeLogId(kp.publicKey),
    });
    const wire = sthToWire(sth, toBase64);
    const back = sthFromWire(wire, fromBase64);
    expect(back).toEqual(sth);
    expect(await verifySthSignature(crypto, back, kp.publicKey)).toBe(true);
  });
});
release(v4.0.0): Shade GA — V3.x consolidation + audit prep V3.1 → V3.12 consolidated and tagged for the first GA release. Wire format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers byte-for-byte. The version bump is semantic: audit-cycle complete, opt-in surface fully exposed, threat model refreshed for every new surface. Highlights: - All 24 @shade/* packages bumped to 4.0.0 in lockstep. - CHANGELOG 4.0.0 section is the canonical manifest of what landed. - THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12 Web-Worker boundary) + residual-risks table refreshed. - OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox, bridge, observer, /metrics, /healthz, /ready. - MIGRATION 0.3.x → 4.0 documented + smoke-tested against shade migrate-storage on a real SQLite DB. - docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer. - scripts/soak.ts harness for the GA-stable 2-week soak window. - All V*.md plans archived under docs/archive/ with Status: Done. - Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen non-realtime stack. Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green. Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports version 4.0.0 on /health. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-03 18:35:35 +02:00			`import { describe, expect, test } from 'bun:test';`
			`import { SubtleCryptoProvider } from '@shade/crypto-web';`
			`import {`
			`canonicalSthBytes,`
			`computeLogId,`
			`signSth,`
			`sthFromWire,`
			`sthToWire,`
			`verifySthSignature,`
			`} from '../src/index.js';`
			`import { fromBase64, toBase64 } from '../src/util.js';`

			`const crypto = new SubtleCryptoProvider();`

			`describe('STH signing & verification', () => {`
			`test('signSth + verifySthSignature roundtrip', async () => {`
			`const kp = await crypto.generateEd25519KeyPair();`
			`const sth = await signSth(crypto, kp.privateKey, {`
			`treeSize: 42,`
			`timestampMs: 1700000000000,`
			`rootHash: new Uint8Array(32).fill(0xaa),`
			`indexRoot: new Uint8Array(32).fill(0xbb),`
			`logId: computeLogId(kp.publicKey),`
			`});`
			`expect(await verifySthSignature(crypto, sth, kp.publicKey)).toBe(true);`
			`});`

			`test('verify fails with wrong public key', async () => {`
			`const kp = await crypto.generateEd25519KeyPair();`
			`const other = await crypto.generateEd25519KeyPair();`
			`const sth = await signSth(crypto, kp.privateKey, {`
			`treeSize: 1,`
			`timestampMs: 1700000000000,`
			`rootHash: new Uint8Array(32),`
			`indexRoot: new Uint8Array(32),`
			`logId: computeLogId(kp.publicKey),`
			`});`
			`expect(await verifySthSignature(crypto, sth, other.publicKey)).toBe(false);`
			`});`

			`test('verify fails when log_id is forged', async () => {`
			`const kp = await crypto.generateEd25519KeyPair();`
			`const other = await crypto.generateEd25519KeyPair();`
			`const sth = await signSth(crypto, kp.privateKey, {`
			`treeSize: 1,`
			`timestampMs: 1700000000000,`
			`rootHash: new Uint8Array(32),`
			`indexRoot: new Uint8Array(32),`
			`logId: computeLogId(other.publicKey), // mismatched`
			`});`
			`// The signature was made over a log_id that doesn't match the supplied`
			`// public key — verifySthSignature should refuse.`
			`expect(await verifySthSignature(crypto, sth, kp.publicKey)).toBe(false);`
			`});`

			`test('canonical bytes layout is stable', () => {`
			`const bytes = canonicalSthBytes({`
			`treeSize: 0x0102030405,`
			`timestampMs: 0x06070809,`
			`rootHash: new Uint8Array(32).fill(0x11),`
			`indexRoot: new Uint8Array(32).fill(0x22),`
			`logId: new Uint8Array(32).fill(0x33),`
			`});`
			`// 1 prefix + 8 treeSize + 8 timestamp + 32 + 32 + 32`
			`expect(bytes.length).toBe(113);`
			`expect(bytes[0]).toBe(0x02);`
			`});`

			`test('wire roundtrip', async () => {`
			`const kp = await crypto.generateEd25519KeyPair();`
			`const sth = await signSth(crypto, kp.privateKey, {`
			`treeSize: 7,`
			`timestampMs: 1700000000000,`
			`rootHash: new Uint8Array(32).fill(0x77),`
			`indexRoot: new Uint8Array(32).fill(0x88),`
			`logId: computeLogId(kp.publicKey),`
			`});`
			`const wire = sthToWire(sth, toBase64);`
			`const back = sthFromWire(wire, fromBase64);`
			`expect(back).toEqual(sth);`
			`expect(await verifySthSignature(crypto, back, kp.publicKey)).toBe(true);`
			`});`
			`});`