deps: [email protected] (#6372)

Signed-off-by: Brian DeHamer <[email protected]>

Author: bdehamer

DEPENDENCIES.md

@@ -772,6 +772,7 @@ graph LR;
   tuf-js-->make-fetch-happen;
   tuf-js-->tufjs-models["@tufjs/models"];
   tufjs-models-->minimatch;
+  tufjs-models-->tufjs-canonical-json["@tufjs/canonical-json"];
   unique-filename-->unique-slug;
   unique-slug-->imurmurhash;
   validate-npm-package-license-->spdx-correct;

node_modules/.gitignore

@@ -37,6 +37,7 @@
 !/@tootallnate/once
 !/@tufjs/
 /@tufjs/*
+!/@tufjs/canonical-json
 !/@tufjs/models
 !/abbrev
 !/abort-controller

node_modules/@tufjs/canonical-json/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 GitHub and the TUF Contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

node_modules/@tufjs/canonical-json/lib/index.js

@@ -0,0 +1,64 @@
+const COMMA = ',';
+const COLON = ':';
+const LEFT_SQUARE_BRACKET = '[';
+const RIGHT_SQUARE_BRACKET = ']';
+const LEFT_CURLY_BRACKET = '{';
+const RIGHT_CURLY_BRACKET = '}';
+
+// Recursively encodes the supplied object according to the canonical JSON form
+// as specified at http://wiki.laptop.org/go/Canonical_JSON. It's a restricted
+// dialect of JSON in which keys are lexically sorted, floats are not allowed,
+// and only double quotes and backslashes are escaped.
+function canonicalize(object) {
+  const buffer = [];
+  if (typeof object === 'string') {
+    buffer.push(canonicalizeString(object));
+  } else if (typeof object === 'boolean') {
+    buffer.push(JSON.stringify(object));
+  } else if (Number.isInteger(object)) {
+    buffer.push(JSON.stringify(object));
+  } else if (object === null) {
+    buffer.push(JSON.stringify(object));
+  } else if (Array.isArray(object)) {
+    buffer.push(LEFT_SQUARE_BRACKET);
+    let first = true;
+    object.forEach((element) => {
+      if (!first) {
+        buffer.push(COMMA);
+      }
+      first = false;
+      buffer.push(canonicalize(element));
+    });
+    buffer.push(RIGHT_SQUARE_BRACKET);
+  } else if (typeof object === 'object') {
+    buffer.push(LEFT_CURLY_BRACKET);
+    let first = true;
+    Object.keys(object)
+      .sort()
+      .forEach((property) => {
+        if (!first) {
+          buffer.push(COMMA);
+        }
+        first = false;
+        buffer.push(canonicalizeString(property));
+        buffer.push(COLON);
+        buffer.push(canonicalize(object[property]));
+      });
+    buffer.push(RIGHT_CURLY_BRACKET);
+  } else {
+    throw new TypeError('cannot encode ' + object.toString());
+  }
+
+  return buffer.join('');
+}
+
+// String canonicalization consists of escaping backslash (\) and double
+// quote (") characters and wrapping the resulting string in double quotes.
+function canonicalizeString(string) {
+  const escapedString = string.replace(/\\/g, '\\\\').replace(/"/g, '\\"');
+  return '"' + escapedString + '"';
+}
+
+module.exports = {
+  canonicalize,
+};

node_modules/@tufjs/canonical-json/package.json

@@ -0,0 +1,39 @@
+{
+  "name": "@tufjs/canonical-json",
+  "version": "1.0.0",
+  "description": "OLPC JSON canonicalization",
+  "main": "lib/index.js",
+  "typings": "lib/index.d.ts",
+  "license": "MIT",
+  "keywords": [
+    "json",
+    "canonical",
+    "canonicalize",
+    "canonicalization",
+    "crypto",
+    "signature",
+    "olpc"
+  ],
+  "author": "[email protected]",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/theupdateframework/tuf-js.git"
+  },
+  "homepage": "https://github.com/theupdateframework/tuf-js/packages/canonical-json#readme",
+  "bugs": {
+    "url": "https://github.com/theupdateframework/tuf-js/issues"
+  },
+  "files": [
+    "lib/"
+  ],
+  "scripts": {
+    "test": "jest"
+  },
+  "devDependencies": {
+    "@types/node": "^18.14.1",
+    "typescript": "^4.9.5"
+  },
+  "engines": {
+    "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+  }
+}

node_modules/@tufjs/models/dist/metadata.js

@@ -4,6 +4,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Metadata = void 0;
+const canonical_json_1 = require("@tufjs/canonical-json");
 const util_1 = __importDefault(require("util"));
 const base_1 = require("./base");
 const error_1 = require("./error");
@@ -13,7 +14,6 @@ const snapshot_1 = require("./snapshot");
 const targets_1 = require("./targets");
 const timestamp_1 = require("./timestamp");
 const utils_1 = require("./utils");
-const json_1 = require("./utils/json");
 /***
  * A container for signed TUF metadata.
  *
@@ -45,7 +45,7 @@ class Metadata {
         this.unrecognizedFields = unrecognizedFields || {};
     }
     sign(signer, append = true) {
-        const bytes = (0, json_1.canonicalize)(this.signed.toJSON());
+        const bytes = Buffer.from((0, canonical_json_1.canonicalize)(this.signed.toJSON()));
         const signature = signer(bytes);
         if (!append) {
             this.signatures = {};

node_modules/@tufjs/models/dist/utils/json.js

@@ -4,10 +4,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.verifySignature = void 0;
+const canonical_json_1 = require("@tufjs/canonical-json");
 const crypto_1 = __importDefault(require("crypto"));
-const json_1 = require("./json");
 const verifySignature = (metaDataSignedData, key, signature) => {
-    const canonicalData = (0, json_1.canonicalize)(metaDataSignedData) || '';
+    const canonicalData = Buffer.from((0, canonical_json_1.canonicalize)(metaDataSignedData));
     return crypto_1.default.verify(undefined, canonicalData, key, Buffer.from(signature, 'hex'));
 };
 exports.verifySignature = verifySignature;

node_modules/@tufjs/models/dist/utils/verify.js

@@ -1,6 +1,6 @@
 {
   "name": "@tufjs/models",
-  "version": "1.0.1",
+  "version": "1.0.3",
   "description": "TUF metadata models",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -29,11 +29,12 @@
   "homepage": "https://github.com/theupdateframework/tuf-js/tree/main/packages/models#readme",
   "devDependencies": {
     "@types/minimatch": "^5.1.2",
-    "@types/node": "^18.15.3",
-    "typescript": "^4.9.5"
+    "@types/node": "^18.15.11",
+    "typescript": "^5.0.4"
   },
   "dependencies": {
-    "minimatch": "^7.4.2"
+    "minimatch": "^7.4.6",
+    "@tufjs/canonical-json": "1.0.0"
   },
   "engines": {
     "node": "^14.17.0 || ^16.13.0 || >=18.0.0"

node_modules/@tufjs/models/package.json

@@ -1,12 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.CAClient = void 0;
-const client_1 = require("../client");
 const error_1 = require("../error");
+const external_1 = require("../external");
 const format_1 = require("./format");
 class CAClient {
     constructor(options) {
-        this.fulcio = new client_1.Fulcio({ baseURL: options.fulcioBaseURL });
+        this.fulcio = new external_1.Fulcio({ baseURL: options.fulcioBaseURL });
     }
     async createSigningCertificate(identityToken, publicKey, challenge) {
         const request = (0, format_1.toCertificateRequest)(identityToken, publicKey, challenge);