JS/TS IC Signature Verification Library

Developers
1

Hi everyone

I just wanted to quickly show the following JS / TS library that I made to wrap the ic-standalone-sig-verifier crate: @dfinity/standalone-sig-verifier-web - npm

It allows to verify all signature schemes supported by the IC, including canister signatures. It also takes over all the DER-key parsing to figure out the signature scheme used. The library should be compatible with all major browsers and node.

Usage example here.

However, the following caveats apply:

  1. Verifying signatures in the front-end is generally unsafe! Malicious users could modify the front-end code and bypass the signature verification. This library is intended for use in demos, prototypes, backends and other situations where the code either cannot be tampered with or the tampering does not pose a security risk.
  2. This library is built from the master branch of the ic repo rather than a proper release of the underlying library. This means that the API may change at any time.
  3. The resulting wasm module is heavy, around 400 kb gzipped. Do not use this library if you are concerned about the size of your bundle.

Still, maybe it is useful for some. :wink:
It is also open for external contributions, so feel free to open PRs if you want to improve it.

8 Likes
2

could be a good fit for GitHub - dfinity/awesome-internet-computer: A curated list of awesome projects and resources relating to the Internet Computer Protocol :slight_smile:

2 Likes
3

Hi @frederikrothenberger :wave:, I want to test this IC JavaScript verification and so I would like to ask you the following:

  • Could you provide a more practical example with more context as it is in the documentation ?
  • When should we use this verification ?

Thanks for helping me to understand the practical use case for this a bit more.

1 Like
4

@rbole

This is a tool to implement higher-level use-cases. So far, we have used it internally for R&D purposes, i.e. to be able to quickly try out new protocols. For example in the process of validating the challenges as per ICRC-32 draft standard.

We will also release an example project showcasing how to integrate Internet Identity sign-in into a Web 2.0 application, where the underlying library is based on that project.

So it really depends what problem you would like to solve. It might not be applicable in all cases, but if your problem entails checking signatures produced by the IC, then this is definitely a useful tool.

I hope this helps. :slight_smile:

1 Like
5

Thanks for the infos.

But why is it necessary to check the login process on a Web2 application and how is it different from a Web3 application?

6

But why is it necessary to check the login process on a Web2 application and how is it different from a Web3 application?

This is just a different use-case. It is aimed at existing Web2 projects that want to start offering their service to Web3 users by allowing sign-in with II.

It is different from a Web3 application (specifically one built on the IC) because in Web3 the platform will validate the caller / signature whereas in Web2 it is the responsibility of the application.

You don’t need to use this library if you do not have any use for it. :wink:

7

ok, thank you for making this clear.

1 Like