wascap 0.4.2

Extracting, embedding, and validating WebAssembly Standard Capabilities tokens

WASCAP

In the waSCC runtime, each actor securely declares the set of capabilities it requires. This library and its associated binary are used to embed, extract, and validate JSON Web Tokens (JWT) containing these capability attestations, as well as the hash of the wasm file and a provable issuer for verifying module provenance.

If you just want the CLI that signs and examines capability claims, you can install it with cargo:

$ cargo install wascap --features "cli"

While there are some standard, well-known claims already defined in the library (such as wascc:messaging and wascc:keyvalue), you can add custom claims in your own namespaces.

The following example illustrates embedding a new set of claims into a WebAssembly module, then extracting, validating, and examining those claims:

use wascap::prelude::*;

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let unsigned = read_unsigned_wasm(); // Read a Wasm file into a byte vector
    let issuer = KeyPair::new_account(); // Create an Ed25519 key pair to sign the module
    let module = KeyPair::new_module(); // Create a key pair for the module itself

    // Grant the module some basic capabilities, with no date limits
    let claims = ClaimsBuilder::new()
        .with_capability(caps::MESSAGING)
        .with_capability(caps::KEY_VALUE)
        .issuer(&issuer.public_key())
        .subject(&module.public_key())
        .build();

    // Sign the JWT and embed it into the WebAssembly module, returning the signed bytes
    let embedded = wasm::embed_claims(&unsigned, &claims, &issuer)?;

    // Extract the signed JWT from the WebAssembly module's bytes (this also checks
    // that the module hash recorded in the token matches the module)
    let extracted = wasm::extract_claims(&embedded)?.unwrap();

    // Validate dates, signature, JWT structure, etc.
    let v = validate_token(&extracted.jwt)?;

    assert_eq!(v.expired, false);
    assert_eq!(v.cannot_use_yet, false);
    assert_eq!(v.expires_human, "never");
    assert_eq!(v.not_before_human, "immediately");
    assert_eq!(extracted.claims.issuer, issuer.public_key());
    Ok(())
}
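The four date-related fields asserted on above (`expired`, `cannot_use_yet`, `expires_human`, `not_before_human`) come from the token's `exp` and `nbf` claims, where an absent claim means no limit. The following is an added, dependency-free illustration of that window check written for this page; it is not wascap's implementation, and the `ClaimsWindow` / `Validation` types, the `validate_window_at` function and its wording of the human-readable strings are assumptions for the example. It takes the clock as a parameter so the boundary cases (a token checked exactly at its `exp`, a token whose `nbf` is still in the future) can be exercised deterministically:

```rust
// Added example: a std-only model of the validity-window part of token
// validation. Not wascap's code; type and function names are assumptions.
use std::time::{SystemTime, UNIX_EPOCH};

/// Subset of the registered JWT claims that govern the validity window.
/// `exp`/`nbf` are Unix timestamps in seconds; `None` means "no limit".
#[derive(Debug, Clone)]
pub struct ClaimsWindow {
    pub exp: Option<u64>,
    pub nbf: Option<u64>,
}

/// Result of the window check, mirroring the fields the README asserts on.
#[derive(Debug, PartialEq)]
pub struct Validation {
    pub expired: bool,
    pub cannot_use_yet: bool,
    pub expires_human: String,
    pub not_before_human: String,
}

fn now_secs() -> u64 {
    SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| d.as_secs())
        .unwrap_or(0)
}

/// Render a number of seconds as a coarse human-readable duration.
fn humanize(secs: u64) -> String {
    const UNITS: [(u64, &str); 4] =
        [(86_400, "day"), (3_600, "hour"), (60, "minute"), (1, "second")];
    for (size, name) in UNITS.iter() {
        if secs >= *size {
            let n = secs / size;
            return format!("{} {}{}", n, name, if n == 1 { "" } else { "s" });
        }
    }
    "0 seconds".to_string()
}

/// Evaluate the window against an explicit clock (`now`, Unix seconds).
/// Per RFC 7519, a token is expired once `now >= exp` and not yet usable
/// while `now < nbf`; a missing claim imposes no restriction.
pub fn validate_window_at(claims: &ClaimsWindow, now: u64) -> Validation {
    let expired = claims.exp.map_or(false, |exp| now >= exp);
    let cannot_use_yet = claims.nbf.map_or(false, |nbf| now < nbf);
    let expires_human = match claims.exp {
        None => "never".to_string(),
        Some(exp) if now >= exp => format!("{} ago", humanize(now - exp)),
        Some(exp) => format!("in {}", humanize(exp - now)),
    };
    let not_before_human = match claims.nbf {
        None => "immediately".to_string(),
        Some(nbf) if now < nbf => format!("in {}", humanize(nbf - now)),
        Some(nbf) => format!("{} ago", humanize(now - nbf)),
    };
    Validation { expired, cannot_use_yet, expires_human, not_before_human }
}

/// Same check against the system clock.
pub fn validate_window(claims: &ClaimsWindow) -> Validation {
    validate_window_at(claims, now_secs())
}

fn main() {
    // Constructed sample claims: one open-ended token, one bounded token
    // that becomes usable in a minute and expires in an hour.
    let open_ended = ClaimsWindow { exp: None, nbf: None };
    println!("{:?}", validate_window(&open_ended));
    let now = now_secs();
    let bounded = ClaimsWindow { exp: Some(now + 3_600), nbf: Some(now + 60) };
    println!("{:?}", validate_window(&bounded));
}
```

Note that the window check is only one layer: a token that passes it still has to carry a signature that verifies under the issuer's Ed25519 public key and a module hash that matches the bytes it is embedded in, which is what `extract_claims` and `validate_token` do in the snippet above.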

The Ed25519 key functionality is provided by the nkeys crate.

The wascap CLI allows you to examine and sign WebAssembly files from a terminal prompt:

$ wascap caps examples/signed_loop.wasm
╔════════════════════════════════════════════════════════════════════════════╗
║                          Secure Actor Module                               ║
╠═══════════════╦════════════════════════════════════════════════════════════╣
║ Account       ║   ACP6T7SH5R6JL3WV3LMNRS5V2SLB4LAMZR7CQPS6IAPYDW3OSBCTYM2J ║
╠═══════════════╬════════════════════════════════════════════════════════════╣
║ Module        ║   MABXCIBU2N2FORNPKRUINQEGES2V2NE4EVD6ZRE7DFIOIX6JE7SLR3U4 ║
╠═══════════════╬════════════════════════════════════════════════════════════╣
║ Expires       ║                                                      Never ║
╠═══════════════╬════════════════════════════════════════════════════════════╣
║ Can Be Used   ║                                                Immediately ║
╠═══════════════╬════════════════════════════════════════════════════════════╣
║ Version       ║                                                v1.0.0 (1)  ║
╠═══════════════╩════════════════════════════════════════════════════════════╣
║                                Capabilities                                ║
╠════════════════════════════════════════════════════════════════════════════╣
║ K/V Store                                                                  ║
║ Messaging                                                                  ║
║ HTTP Client                                                                ║
║ HTTP Server                                                                ║
╠════════════════════════════════════════════════════════════════════════════╣
║                                    Tags                                    ║
╠════════════════════════════════════════════════════════════════════════════╣
║ None                                                                       ║
╚════════════════════════════════════════════════════════════════════════════╝