From cf8c69e73cb37e5197812487ac5dc773b0d570c4 Mon Sep 17 00:00:00 2001 From: Rob Woodgate Date: Fri, 21 Mar 2025 01:05:34 +0000 Subject: [PATCH 1/3] Added signString() method --- Readme.md | 1 + package-lock.json | 4 ++-- src/background/background.js | 10 ++++++++++ src/common/common.js | 1 + src/common/model/{Keypair.ts => KeyPair.ts} | 0 src/static/nostr-provider.js | 4 ++++ 6 files changed, 18 insertions(+), 2 deletions(-) rename src/common/model/{Keypair.ts => KeyPair.ts} (100%) diff --git a/Readme.md b/Readme.md index a5996fd..33833b0 100644 --- a/Readme.md +++ b/Readme.md @@ -56,6 +56,7 @@ This feature can be enable / disabled in Options. - getPublicKey() - signEvent(event) - getRelays() +- signString() [NIP-04](https://github.com/nostr-protocol/nips/blob/master/04.md) diff --git a/package-lock.json b/package-lock.json index e743d64..74d9fe6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "aka-extension", - "version": "1.0.7", + "version": "1.0.8", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "aka-extension", - "version": "1.0.7", + "version": "1.0.8", "license": "MIT", "dependencies": { "@noble/hashes": "1.3.1", diff --git a/src/background/background.js b/src/background/background.js index 1a394fb..e6a589d 100644 --- a/src/background/background.js +++ b/src/background/background.js @@ -7,6 +7,10 @@ import * as nip44 from "nostr-tools/nip44"; import { Mutex } from "async-mutex"; import { LRUCache } from "./utils"; +import {sha256} from "@noble/hashes/sha256"; +import {bytesToHex} from "@noble/hashes/utils"; +import {schnorr} from "@noble/curves/secp256k1"; + import { NO_PERMISSIONS_REQUIRED, updatePermission, 
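Review bot: The three imports added at the top of src/background/background.js bring in `@noble/curves/secp256k1`, yet this commit touches no package.json and the package-lock.json hunk only bumps the version, so nothing visible here declares `@noble/curves` as a direct dependency. If it is resolved only through another package's dependency tree (presumably nostr-tools), the curve code that signs with the private key can change version whenever that package is updated; declaring and pinning it in package.json next to `@noble/hashes` would close that gap. The new lines also drop the spacing used by the neighbouring imports; `import { sha256 } from "@noble/hashes/sha256";` would match `import { Mutex } from "async-mutex";`.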
@@ -296,6 +300,12 @@ async function handleContentScriptMessage({ type, params, host, protocol }) { ? event : { error: { message: "invalid event" } }; } + case "signString": { + const hash = bytesToHex(sha256(params.message)); + const sig = bytesToHex(schnorr.sign(hash, sk)); + const pubkey = bytesToHex(schnorr.getPublicKey(sk)); + return {hash: hash, sig: sig, pubkey: pubkey}; + } case "nip04.encrypt": { let { peer, plaintext } = params; lib = "nostr-tools/nip04"; diff --git a/src/common/common.js b/src/common/common.js index f248283..a3c2b9f 100644 --- a/src/common/common.js +++ b/src/common/common.js @@ -9,6 +9,7 @@ export const PERMISSION_NAMES = { getPublicKey: "read your public key", getRelays: "read your list of preferred relays", signEvent: "sign events using your private key", + signString: "sign messages using your private key", "nip04.encrypt": "encrypt messages to peers", "nip04.decrypt": "decrypt messages from peers", "nip44.encrypt": "encrypt messages to peers", diff --git a/src/common/model/Keypair.ts b/src/common/model/KeyPair.ts similarity index 100% rename from src/common/model/Keypair.ts rename to src/common/model/KeyPair.ts diff --git a/src/static/nostr-provider.js b/src/static/nostr-provider.js index 253a781..51c9696 100644 --- a/src/static/nostr-provider.js +++ b/src/static/nostr-provider.js @@ -10,6 +10,10 @@ window.nostr = { return this._call("signEvent", { event }); }, + async signString(message) { + return this._call("signString", { message }); + }, + async getRelays() { return this._call("getRelays", {}); }, From 8537752bd8ef7507ff734925139172ac588acc1a Mon Sep 17 00:00:00 2001 From: Rob Woodgate Date: Fri, 21 Mar 2025 19:18:30 +0000 Subject: [PATCH 2/3] Added security checks for signString() --- src/background/background.js | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/background/background.js b/src/background/background.js index e6a589d..b0f3e06 100644 --- a/src/background/background.js 
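Review bot: The `signString` case signs a bare SHA-256 of the caller-supplied string (`schnorr.sign(hash, sk)`), which is the same digest construction NIP-01 uses for an event id, so a signature from this path cannot be told apart from an event signature and the separate `signEvent` permission no longer bounds what the key signs. Filtering by input shape, as patch 2/3 later does with `JSON.parse` and `validateEvent`, looks only for a parsed event object, whereas the NIP-01 id preimage is a serialized array, which that check presumably does not match. Binding the digest to this method removes the overlap whatever the input, for example `const hash = bytesToHex(sha256("<domain-tag>:" + params.message));` with a fixed, documented tag (placeholder shown) that verifiers also prepend. The same signing line survives in the hunks of patches 2/3 and 3/3. The enclosing `handleContentScriptMessage` starts and ends outside this hunk, so where `sk` comes from is not visible here.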
+++ b/src/background/background.js @@ -301,6 +301,17 @@ async function handleContentScriptMessage({ type, params, host, protocol }) { : { error: { message: "invalid event" } }; } case "signString": { + if (typeof params.message !== 'string') { + return { error: { message: "message is not a string" } }; + } + try { + // Check this is not a stringified event + // trying to bypass permission checks + const obj = JSON.parse(params.message); + if (validateEvent(obj)){ + return { error: { message: "use signEvent() to sign events" } }; + } + } catch (e) {} // not a JSON string const hash = bytesToHex(sha256(params.message)); const sig = bytesToHex(schnorr.sign(hash, sk)); const pubkey = bytesToHex(schnorr.getPublicKey(sk)); From 0400c5aacf2e05aaa27e6272428bac9925459510 Mon Sep 17 00:00:00 2001 From: Rob Woodgate Date: Fri, 21 Mar 2025 21:16:10 +0000 Subject: [PATCH 3/3] Added utf8 encoding --- src/background/background.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/background/background.js b/src/background/background.js index b0f3e06..d33c1b4 100644 --- a/src/background/background.js +++ b/src/background/background.js @@ -312,7 +312,8 @@ async function handleContentScriptMessage({ type, params, host, protocol }) { return { error: { message: "use signEvent() to sign events" } }; } } catch (e) {} // not a JSON string - const hash = bytesToHex(sha256(params.message)); + const utf8Encoder = new TextEncoder(); + const hash = bytesToHex(sha256(utf8Encoder.encode(params.message))); const sig = bytesToHex(schnorr.sign(hash, sk)); const pubkey = bytesToHex(schnorr.getPublicKey(sk)); return {hash: hash, sig: sig, pubkey: pubkey};
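Review bot: The guard added in patch 2/3 fails open: the `try` wraps both `JSON.parse` and `validateEvent`, and the empty `catch (e) {}` treats any exception, not only a parse failure, as "not a JSON string" and falls through to signing. Keeping only the parse inside the `try` makes the intent explicit, e.g. `let obj; try { obj = JSON.parse(params.message); } catch { obj = undefined; }` followed by `if (obj !== undefined && validateEvent(obj)) return { error: { message: "use signEvent() to sign events" } };`. `typeof params.message` also assumes `params` is an object; whether the caller guarantees that is outside this hunk, as is the rest of `handleContentScriptMessage`.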
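Review bot: The lines added in patch 3/3 fix the byte encoding of the signed message but leave it undocumented, and a verifier has to reproduce it exactly. A comment above `const utf8Encoder = new TextEncoder();` would cover it, for example `// Digest = SHA-256 over the UTF-8 bytes of the exact string (no Unicode normalisation); sig is BIP-340 Schnorr over that digest.` It is also worth stating there that `TextEncoder` replaces unpaired surrogates with U+FFFD, so two different JavaScript strings can yield the same `hash` and `sig`; rejecting such input before hashing would avoid signing something other than what the page supplied.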