From be74338645fa91740495e5f2350da4ca3660fede Mon Sep 17 00:00:00 2001
From: Andrew Min <andrew@turnkey.io>
Date: Sun, 8 Dec 2024 15:52:36 -0500
Subject: [PATCH] add batch stamping logic

---
 auth/index.html | 61 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/auth/index.html b/auth/index.html
index 9b2c343..b827f66 100644
--- a/auth/index.html
+++ b/auth/index.html
@@ -1045,6 +1045,16 @@ <h2>Message log</h2>
                   TKHQ.sendMessageUp("ERROR", e.toString());
                 }
               }
+              if (event.data && event.data["type"] == "BATCH_STAMP_REQUEST") {
+                TKHQ.logMessage(
+                  `⬇️ Received message ${event.data["type"]}: ${event.data["value"]}`
+                );
+                try {
+                  await onBatchStampRequest(event.data["value"]);
+                } catch (e) {
+                  TKHQ.sendMessageUp("ERROR", e.toString());
+                }
+              }
               if (event.data && event.data["type"] == "RESET_EMBEDDED_KEY") {
                 TKHQ.logMessage(`⬇️ Received message ${event.data["type"]}`);
                 try {
@@ -1198,6 +1208,57 @@ <h2>Message log</h2>
         );
         TKHQ.sendMessageUp("STAMP", stampHeaderValue);
       };
+      /**
+       * Function triggered when BATCH_STAMP_REQUEST event is received.
+       * @param {string} payloads to sign
+       */
+      var onBatchStampRequest = async function (payloads) {
+        if (CREDENTIAL_BYTES === null) {
+          throw new Error(
+            "cannot sign payload without credential. Credential bytes are null"
+          );
+        }
+        var key = await TKHQ.importCredential(CREDENTIAL_BYTES);
+
+        // This is a bit of a pain, but we need to go through this:
+        // - Key needs to be exported to JWK first
+        // - Then imported without the private "d" component, and exported to get the public key
+        //   ^^ (that's what `p256JWKPrivateToPublic` does)
+        // - Finally, compress the public key.
+        var jwkKey = await crypto.subtle.exportKey("jwk", key);
+        var publicKey = await TKHQ.p256JWKPrivateToPublic(jwkKey);
+        var compressedPublicKey = TKHQ.compressRawPublicKey(publicKey);
+
+        var stamps = payloads.map(async (p) => {
+          var signatureIeee1363 = await window.crypto.subtle.sign(
+            {
+              name: "ECDSA",
+              hash: { name: "SHA-256" },
+            },
+            key,
+            new TextEncoder().encode(p)
+          );
+
+          var derSignature = TKHQ.convertEcdsaIeee1363ToDer(
+            new Uint8Array(signatureIeee1363)
+          );
+          var derSignatureHexString = TKHQ.uint8arrayToHexString(derSignature);
+
+          var stamp = {
+            publicKey: TKHQ.uint8arrayToHexString(compressedPublicKey),
+            scheme: "SIGNATURE_SCHEME_TK_API_P256",
+            signature: derSignatureHexString,
+          };
+
+          var stampHeaderValue = TKHQ.stringToBase64urlString(
+            JSON.stringify(stamp)
+          );
+
+          return stampHeaderValue;
+        });
+
+        TKHQ.sendMessageUp("BATCH_STAMP", stamps);
+      };
 
       /**
        * Decrypt the ciphertext (ArrayBuffer) given an encapsulation key (ArrayBuffer)