feat: Implementation of AgentCardSignature feature

[guglielmo-san]

Description

This PR introduces the support for the AgentCardSignature feature.

Fixes #289 🦕

[gemini-code-assist]

Summary of Changes

Hello @guglielmo-san, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements the AgentCardSignature feature, which provides a robust mechanism for ensuring the authenticity and integrity of AgentCard data. By integrating cryptographic signing and verification processes, it allows both the server to sign agent cards and the client to verify these signatures, thereby preventing unauthorized modifications and ensuring trust in the received agent information. This foundational security enhancement leverages the jose library for cryptographic primitives and includes careful handling of JSON canonicalization to guarantee reliable signature validation.

Highlights

• New Feature: AgentCardSignature: This PR introduces the capability to cryptographically sign and verify AgentCard objects, enhancing the security and integrity of agent card data.
• Dependency Addition: The 'jose' library (Javascript Object Signing and Encryption) has been added to handle cryptographic operations for signing and verification.
• Client-Side Verification: The client's getAgentCard method now accepts an optional verifyAgentCardSignature function, allowing for verification of the agent card's authenticity upon retrieval.
• Server-Side Generation: The server's DefaultRequestHandler can now be configured with an agentCardSignatureGenerator to automatically sign agent cards before they are returned to clients.
• Canonicalization Logic: A new signature.ts file includes JCS (JSON Canonicalization Scheme) implementation to ensure consistent serialization of AgentCard objects before signing, which is crucial for signature validity.
• Comprehensive Testing: Extensive unit tests have been added for the signature generation, verification, and canonicalization logic, covering various scenarios including tampering and multi-signature support.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for AgentCardSignature, a feature for signing and verifying agent cards. The implementation adds a new jose dependency and a signature.ts module with canonicalization, signing, and verification logic. The client and server components are updated to integrate this new feature.

My review has identified a critical bug in the signature verification logic, a high-severity bug where signing is missed in one code path on the server, and a couple of medium-severity issues related to code style consistency and robustness. All original comments have been retained as they do not contradict the provided rules.

[guglielmo-san]

/gemini review

[gemini-code-assist]

Code Review

This pull request introduces support for AgentCard signatures, a valuable security feature. The implementation uses the jose library for JWS operations and includes logic for canonicalizing the agent card before signing, which is great. The changes are well-tested.

I've identified a couple of areas for improvement:

• In default_request_handler.ts, there's an inefficiency in how the agent card is signed, potentially leading to double-signing.
• In signature.ts, the error handling during verification could be improved to provide more debugging information to the consumer.
• The tests in signature.spec.ts have a minor inconsistency in the typ header used.

Overall, this is a solid implementation. Addressing these points will make it more robust and efficient.

[gemini-code-assist]

Instead of logging verification failures to the console with console.warn, it would be more helpful for the library consumer if you collect all verification errors. Then, if no valid signatures are found, you can throw an error that includes the details of why each signature verification failed. This provides better debugging information without polluting the console.

You would need to declare an array for errors before the loop, push errors in this catch block, and then use that array in the final throw statement after the loop.