feat: sign v2

2025-10-19 23:57:49 +08:00
parent 84f66ae736
commit 5a80ff9870
2 changed files with 158 additions and 7 deletions
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -6,7 +6,8 @@ mod util;
 pub use crate::keymap::KeyMap;
 use crate::sign::{ecdsaverify, EcdsaAlgorithm};
 use crate::signature::{
-    CardEcSignResult, ScriptSignature, ScriptSignatureAlgorithm, SIGNATURE_PREFIX,
+    CardEcSignResult, ScriptSignature, ScriptSignatureAlgorithm, ScriptSignatureVersion,
+    SIGNATURE_PREFIX,
 };
 use crate::util::current_time;
 use digest::Digest;
@@ -135,7 +136,48 @@ impl Script {
            None => return simple_error!("Sign key id: {} not found", &signature.key_id),
            Some(key) => key,
        };
-        let key_bytes = hex::decode(&key.public_key_point_hex)?;
+
+        let mut verify_public_key = key.public_key_point_hex.clone();
+        if ScriptSignatureVersion::V2 == signature.ver {
+            match &signature.embed_signing_key {
+                Some(embed_signing_key) => {
+                    let mut hasher = Sha256::new();
+                    hasher.update(embed_signing_key.time.as_bytes());
+                    hasher.update(&embed_signing_key.public_key);
+                    let embed_digest_sha256 = hasher.finalize().to_vec();
+                    let key_bytes = hex::decode(&key.public_key_point_hex)?;
+                    match embed_signing_key.algorithm {
+                        ScriptSignatureAlgorithm::ES256 => {
+                            match ecdsaverify(
+                                EcdsaAlgorithm::P256,
+                                &key_bytes,
+                                &embed_digest_sha256,
+                                &embed_signing_key.signature,
+                            ) {
+                                Ok(_) => {
+                                    verify_public_key = hex::encode(&embed_signing_key.public_key);
+                                }
+                                Err(e) => {
+                                    debugging!("Verify embed ecdsa signature failed: {}", e);
+                                    return Ok(false);
+                                }
+                            }
+                        }
+                        _ => {
+                            return simple_error!(
+                                "Not supported algorithm: {:?}",
+                                signature.algorithm
+                            )
+                        }
+                    }
+                }
+                None => {
+                    return simple_error!("Embed signing key not found");
+                }
+            }
+        }
+
+        let key_bytes = hex::decode(&verify_public_key)?;
        let digest_sha256 = self.normalize_content_lines_and_sha256(&signature.time);
        match signature.algorithm {
            ScriptSignatureAlgorithm::ES256 => {
@@ -169,7 +211,9 @@ impl Script {
        );
        if ecsign_result.algorithm == "ecdsa_p256_with_sha256" {
            self.signature = Some(ScriptSignature {
+                ver: ScriptSignatureVersion::V1,
                key_id: "yk-r1".to_string(),
+                embed_signing_key: None,
                algorithm: ScriptSignatureAlgorithm::ES256,
                time,
                signature: hex::decode(&ecsign_result.signed_data_hex)?,
@@ -262,13 +306,16 @@ console.log("Hello world.");
 // @SCRIPT-SIGNATURE-V1: yk-r1.ES256.20250122T233410+08:00.MEQCIGogDudoVpCVfGiNPu8Wn6YPDtFX5OXC4bKtsN1nw414AiAq+5EVdvOuKAlXdVeeE1d91mKX9TaSTR25jliUx0km6A=="##)
            .unwrap();
    let script_str = script.as_string();
-    assert_eq!(r##"#!/usr/bin/env -S deno run --allow-env
+    assert_eq!(
+        r##"#!/usr/bin/env -S deno run --allow-env

 console.log("Hello world.");

 // @SCRIPT-SIGNATURE-V1: yk-r1.ES256.20250122T233410+08:00.MEQCIGogDudoVpCVfGiNPu8W
 // n6YPDtFX5OXC4bKtsN1nw414AiAq+5EVdvOuKAlXdVeeE1d91mKX9TaSTR25jliUx0km6A==
-"##, script_str);
+"##,
+        script_str
+    );
 }

 #[test]