feat: node signature verification for queries (#784)

* feat: adds node signatures to query response types

* moves fetchNodeKeys to canisterStatus

* updating e2e tests

* replaces tweetnacl with @noble/curves

* more ed25519 tests and compatibility with previous stored JSON

* moves public key and DER utils into agent

* simplifies @dfinity/identity with agent exports

* subnetStatus mapping node id to public key

* lookup_path now returns tree by default

* fix: canister ranges checked for root subnet
fixes FOLLOW-1301

* fix: sets maxAge for delegation certificates to
Infinity, bypassing check
resolves FOLLOW-1302

Author: krpeacock

canister_ids.json

@@ -1,4 +1,7 @@
 {
+  "counter": {
+    "ic": "tnnnb-2yaaa-aaaab-qaiiq-cai"
+  },
   "docs": {
     "ic": "erxue-5aaaa-aaaab-qaagq-cai"
   }

docs/generated/changelog.html

@@ -12,6 +12,27 @@ <h1>Agent-JS Changelog</h1>
     <section>
       <h2>Version x.x.x</h2>
       <ul>
+        <ul>
+          <strong>feat!: node signature verification</strong
+          ><br />
+          This feature includes additional changes in support of testing and releasing the feature:
+          <br />
+          <li>Mainnet e2e tests for queries and calls</li>
+          <li>published counter canister</li>
+          <li>
+            New HttpAgent option - verifyQuerySignatures. Defaults to true, but allows you to opt
+            out of verification. Useful for testing against older replica versions
+          </li>
+          <li>Introducing ed25519 logic to agent for validating node signatures</li>
+          <li>Standardizing around @noble/curves instead of tweetnacl in @dfinity/identity</li>
+          <li>
+            new export - hashOfMap from agent, matching the naming used in the interface
+            specification
+          </li>
+          <li>new unit tests</li>
+          <li>new Verify export on ed25519 because why not</li>
+        </ul>
+        <li>Adds support for Uint8Arrays in Principal.from()</li>
         <li>
           chore: increases size limit for agent-js to allow for Ed25519 support for node key
           signature verification

e2e/node/basic/mitm.test.ts

@@ -19,3 +19,14 @@ mitmTest(
   },
   { timeout: 30000 },
 );
+
+mitmTest('mitm with query verification', async () => {
+  const counter = await createActor('tnnnb-2yaaa-aaaab-qaiiq-cai', {
+    agent: await makeAgent({
+      host: 'http://127.0.0.1:8888',
+      verifyQuerySignatures: true,
+    }),
+  });
+  await expect(counter.greet('counter')).rejects.toThrow(/Invalid certificate/);
+  await expect(counter.queryGreet('counter')).rejects.toThrow(/Invalid certificate/);
+});

e2e/node/utils/agent.ts

@@ -12,6 +12,8 @@ if (Number.isNaN(port)) {
 export const makeAgent = async (options?: HttpAgentOptions) => {
   const agent = new HttpAgent({
     host: `http://127.0.0.1:${process.env.REPLICA_PORT ?? 4943}`,
+    // TODO - remove this when the dfx replica supports it
+    verifyQuerySignatures: false,
     ...options,
   });
   try {