Signing tool: Java or JavaScript

2 tools are needed

Issuer tool

There needs to be an issuer tool which issuers can use to check the TokenScript sanity and sign it, like:

Check:

  • On a basic level, the TokenScript satisfies the schema;
  • Whether or not the contracts in it exists;
  • Whether or not the attributes used in actions are defined somewhere;

Signing (read the docs on the keys)

  • generate an express-of-trust address for a signing key
  • checking the reputation key matches the certificate
  • checking the certificate is not a CDN certificate
  • signing with both keys (or only one, if only one is provided)
  • signing manifest (linked resources)
  • make sure all linked resources integrity is checked
  • make sure all cards are individually signed (so that the deployment can only deploy some cards related to the operations needed)

website builders tool

There needs to be a website builder's tool to:

  • Make sure the tokenscript is properly signed and integral
  • Obtain signing information (like whether or not all transactions are trusted)
  • Trim a tokenscript for the functions needed for the web builder
  • Generate customised per-deployment version of the bootstrap JS library
  • Check a specific webpage with TS deployed to find out if the TS is properly deployed
  • Check if there are newer versions of TS for redeployment

What language to use

The website builder's tool needs to be in JS because that's what web builders are familiar with. It also has the TokenScript checking library that should be ported to all of android/ios/bootstrap-js hence must be in JavaScript.

However, I'm not so sure of the issuer tool.

Reasons to prefer JavaScript for issuer tool

  • It makes it possible to merge these two tools (issuer tool + web builder tool) into one command-line utility or library. Otherwise, some functionalities will duplicate in 2 languages. e.g. integrity check and deriving express-of-trust address.

  • Even token issuers may have a slight preference of JavaScript thanks to Ethereum's web3.js. For example, the secp256k1 Trust Key is likely generated with web3.js for most token issuers.

Reasons to prefer Java for issuer tool

  • It's possible to extend the support from mere key files ending with .pem to keystores like p12. As well as supporting PKCS #11 and Hardware Security Module. I don't expect supporting those easy on JavaScript

  • Traditionally much cryptographic stuff is done in Java and @jot2re can develop this. Otherwise, we will have to delegate the tool development to some JS developers that I'm not entirely sure of.

Implications of the decision if we go with Java

  • If we go with Java, the reusable part of the codeā€  can go to a library in Maven repository to be sourced in Android
  • This would lead to different architect where Android ues this library and iOS uses a JavaScript library.
  • The reusable part for Android is mostly TokenScript checking and validation, but the Signing is reusable as IntelliJ plugin too, and replace part of the existing tool.

It is indeed a very good question what language to use to make the Issuer tool! To me, the amount of pros and cons between the two choices seem pretty even. I should also mention that it seems that there are libraries for JS to support both PKCS #11 and PKCS #12. Even though I have no experience developing JS, I have worked with several programming languages and I don't have an issue reading JS code. So if we have a JS developer making the issuer tool I will have no problem reviewing the cryptographic parts of the implementation. Thus, for the consistency of having the same code-base for the verification functionality for the Issuer and Website builder tool I think I would lean slightly towards the JS solution (assuming that the libraries for PKCS works sufficiently well).