oydid 0.6.1 → 0.6.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 53df9e3939e5a1e5a6f1ccede456130a6160b08c3e89cb0dd4a05efbb8210ebc
-  data.tar.gz: bce7ea71e480908e1565f2783a709a3a67e3f2b5e43492bc4a535f9750cb738d
+  metadata.gz: e048d33455d4b2b305d1905b1acea54c0f87f7a871998fa5a294b0669a245112
+  data.tar.gz: 0ff2fabe31fe7352062e93ef8bce6c74dfa6afd7004db0f53ccfb13912b7e9d5
 SHA512:
-  metadata.gz: b9483301abb9a88db165a3ad72024449c6731f042fee0b6480b23981999d658af14a87b76aa3170084a9de06e31b6f33ab10e1dc42c788e7a2b07b94b7641d69
-  data.tar.gz: b14e69f7e18fa55169fedb57d5b5197f3332a4ccb0270dabee0ed5b7b0f9db005d4f81a8ab9e75e8dd4a44c1371e9e7c52be40032c342ae35c91c6e9eb3c4e4e
+  metadata.gz: be4ef04a7f885cf2cbd870126a45fc97ec84444426dca4341102256dddbe17eddd3975e63ccd02687527fb43099cda7b1eba70e655cf5ecee4c64b21499237ca
+  data.tar.gz: f4c305a56ce2952dc72632d9a3fdc13ee9282eefd40dc8fda65f5233bd8e82409a3ba90a64a4964503cb6ba3825cf89c24143311b6051630148fd21d51ef1a60

data/VERSION

@@ -1 +1 @@
-0.6.1
+0.6.4

data/lib/oydid/basic.rb

@@ -193,18 +193,31 @@ class Oydid
             end
             raw_key = raw_key.to_bytes
         when 'p256-priv'
-            key = OpenSSL::PKey::EC.new('prime256v1')
             if input == ""
+                # no seed provided => generate a random key
                 key = OpenSSL::PKey::EC.generate('prime256v1')
+                raw_key = key.private_key.to_s(2)
             else
-                # input for p256-priv requires valid base64 encoded private key
+                # try to interpret input as a base64-encoded existing private key first;
+                # otherwise derive the key deterministically from input (seed/password),
+                # mirroring the ed25519-priv behaviour above
+                key = nil
                 begin
-                    key = OpenSSL::PKey.read Base64.decode64(input)
+                    candidate = OpenSSL::PKey.read(Base64.decode64(input))
+                    key = candidate if candidate.is_a?(OpenSSL::PKey::EC)
                 rescue
-                    return [nil, "invalid input"]
+                    key = nil
+                end
+                if key.nil?
+                    # deterministic derivation: hash seed to a scalar in [1, n-1]
+                    order = OpenSSL::PKey::EC::Group.new('prime256v1').order
+                    scalar = (OpenSSL::BN.new(RbNaCl::Hash.sha256(input), 2) % (order - OpenSSL::BN.new(1))) + OpenSSL::BN.new(1)
+                    raw_key = scalar.to_s(2)
+                    raw_key = ("\x00".b * (32 - raw_key.bytesize)) + raw_key if raw_key.bytesize < 32
+                else
+                    raw_key = key.private_key.to_s(2)
                 end
             end
-            raw_key = key.private_key.to_s(2)
         else
             return [nil, "unsupported key codec"]
         end
@@ -284,7 +297,9 @@ class Oydid
                     privateKey, msg = read_private_key(dsk.to_s, options)
                 end
             else
-                privateKey, msg = generate_private_key(pwd, 'ed25519-priv', options)
+                kt = options[:key_type].to_s
+                kt = 'ed25519' if kt == ''
+                privateKey, msg = generate_private_key(pwd, kt + '-priv', options)
             end
         else
             privateKey, msg = decode_private_key(enc.to_s, options)
@@ -971,6 +986,94 @@ class Oydid
         Base64.urlsafe_decode64(str + '=' * (4 - str.length % 4))
     end
 
+    def self.private_key_from_jwk(jwk, options = {})
+        begin
+            if jwk.is_a?(String)
+                jwk = JSON.parse(jwk)
+            end
+        rescue
+            return [nil, "invalid input"]
+        end
+        jwk = jwk.transform_keys(&:to_s)
+        if jwk["kty"] == "EC" && jwk["crv"] == "P-256"
+            digest = base64_url_decode(jwk["d"])
+            group = OpenSSL::PKey::EC::Group.new("prime256v1")
+            public_key = group.generator.mul(OpenSSL::BN.new(digest, 2))
+            point = public_key.to_bn.to_s(2)
+            x_calc = Base64.urlsafe_encode64(point[1, 32], padding: false)
+            y_calc = Base64.urlsafe_encode64(point[33, 32], padding: false)
+            return [nil, "x/y do not match d"] unless x_calc == jwk["x"] && y_calc == jwk["y"]
+
+            code = Multicodecs["p256-priv"].code
+            length = digest.bytesize
+            return multi_encode([code, length, digest].pack("SCa#{length}"), options)
+        else
+            return [nil, "unsupported key codec"]
+        end
+    end
+
+    # build an OYDID multibase-encoded private key from a raw hex-encoded key
+    # (e.g. an externally generated P-256 or Ed25519 key). The key type is taken
+    # from options[:key_type] (default 'ed25519').
+    def self.private_key_from_hex(hex, options = {})
+        hex = hex.to_s.strip.delete_prefix("0x").delete_prefix("0X")
+        unless hex =~ /\A[0-9a-fA-F]+\z/ && hex.length.even?
+            return [nil, "invalid hex input"]
+        end
+        raw = [hex].pack("H*")
+        key_type = options[:key_type].to_s
+        key_type = "ed25519" if key_type == ""
+        case key_type
+        when "p256"
+            unless raw.bytesize == 32
+                return [nil, "p256 private key must be 32 bytes (64 hex characters)"]
+            end
+            # scalar must be a valid private key in [1, n-1]
+            order = OpenSSL::PKey::EC::Group.new("prime256v1").order
+            scalar = OpenSSL::BN.new(raw, 2)
+            if scalar < OpenSSL::BN.new(1) || scalar >= order
+                return [nil, "p256 private key out of range"]
+            end
+            code = Multicodecs["p256-priv"].code
+        when "ed25519"
+            unless raw.bytesize == 32
+                return [nil, "ed25519 private key must be 32 bytes (64 hex characters)"]
+            end
+            code = Multicodecs["ed25519-priv"].code
+        else
+            return [nil, "unsupported key type"]
+        end
+        length = raw.bytesize
+        return multi_encode([code, length, raw].pack("SCa#{length}"), options)
+    end
+
+    # reverse of private_key_from_hex / public_key encoding:
+    # decode an OYDID Multibase-encoded key (private or public) back to raw hex.
+    def self.key_to_hex(key_encoded, options = {})
+        key_encoded = key_encoded.to_s.strip
+        key_type = get_keytype(key_encoded) rescue nil
+        if key_type.nil?
+            return [nil, "unsupported or invalid key"]
+        end
+        begin
+            raw = multi_decode(key_encoded).first
+            case key_type
+            when 'ed25519-priv', 'p256-priv'
+                # custom layout: [uint16 codec][uint8 length][raw key bytes]
+                _code, _length, digest = raw.unpack('SCa*')
+                hex = digest.unpack1('H*')
+            when 'ed25519-pub', 'p256-pub'
+                # multicodec varint prefix (2 bytes) followed by raw key material
+                hex = raw[2..].unpack1('H*')
+            else
+                return [nil, "unsupported key codec"]
+            end
+        rescue
+            return [nil, "invalid key"]
+        end
+        return [hex, ""]
+    end
+
     def self.public_key_from_jwk(jwk, options = {})
         begin
             if jwk.is_a?(String)
@@ -1043,6 +1146,11 @@ class Oydid
     end
 
     def self.retrieve_document(doc_identifier, doc_file, doc_location, options)
+        # in-process callers can supply the DID document directly (e.g. read from
+        # a local database) to avoid any HTTP/file lookup
+        if options[:local_doc].is_a?(Hash) && !options[:local_doc].empty?
+            return [options[:local_doc], ""]
+        end
         if doc_location == ""
             doc_location = DEFAULT_LOCATION
         end

data/lib/oydid/log.rb

@@ -24,6 +24,11 @@ class Oydid
     end
 
     def self.retrieve_log(did_hash, log_file, log_location, options)
+        # in-process callers can supply the raw log array directly (e.g. read from
+        # a local database) to avoid any HTTP/file lookup
+        if options[:local_log].is_a?(Array)
+            return [options[:local_log], ""]
+        end
         if log_location == ""
             log_location = DEFAULT_LOCATION
         end

data/lib/oydid.rb

@@ -541,6 +541,12 @@ class Oydid
     end
 
     def self.publish(did, didDocument, logs, options)
+        # in-process callers (e.g. a repository storing DIDs in its own database)
+        # can skip remote/file publishing and persist the returned logs themselves
+        if options[:skip_publish]
+            return [true, ""]
+        end
+
         did_hash = did.delete_prefix("did:oyd:")
         did10 = did_hash[0,10]
 
@@ -584,6 +590,13 @@ class Oydid
     end
 
     def self.persist_cmsm(pubkey, payload, options)
+        # in-process callers can supply a store object (responding to
+        # #set(pubkey, payload)) to persist CMSM data in a local database
+        if options[:cmsm_store]
+            options[:cmsm_store].set(pubkey, payload)
+            return [true, ""]
+        end
+
         doc_location = options[:doc_location]
         if doc_location.to_s == ""
             doc_location = DEFAULT_LOCATION
@@ -612,6 +625,17 @@ class Oydid
     end
 
     def self.check_cmsm(pubkey, options)
+        # in-process callers can supply a store object (responding to
+        # #get(pubkey)) to read CMSM data from a local database
+        if options[:cmsm_store]
+            payload = options[:cmsm_store].get(pubkey)
+            if payload.nil?
+                return [nil, "no persisted CMSM data for key"]
+            end
+            payload = payload.transform_keys(&:to_s) if payload.is_a?(Hash)
+            return [payload, ""]
+        end
+
         doc_location = options[:doc_location]
         if doc_location.to_s == ""
             doc_location = DEFAULT_LOCATION
@@ -937,7 +961,12 @@ class Oydid
         end
 
         # check if REVOCATION hash matches hash in TERMINATION
-        if did_info["log"][did_info["termination_log_id"]]["doc"] != multi_hash(canonical(revocationLog), LOG_HASH_OPTIONS).first
+        # the "doc" field of the TERMINATE log entry may carry a location suffix
+        # (e.g. "<hash>@http://localhost:3000") when the DID was created with -l,
+        # so strip the location prefix before comparing with the bare revocation hash
+        termination_doc = did_info["log"][did_info["termination_log_id"]]["doc"]
+        termination_doc = termination_doc.split(LOCATION_PREFIX).first.split(CGI.escape LOCATION_PREFIX).first
+        if termination_doc != multi_hash(canonical(revocationLog), LOG_HASH_OPTIONS).first
             return [nil, "invalid revocation information"]
         end
         revoc_log = JSON.parse(revocationLog)
@@ -957,9 +986,17 @@ class Oydid
             did_hash = hash_split[0]
             doc_location = hash_split[1]
         end
+        if did_hash.include?(CGI.escape LOCATION_PREFIX)
+            hash_split = did_hash.split(CGI.escape LOCATION_PREFIX)
+            did_hash = hash_split[0]
+            doc_location = hash_split[1]
+        end
         if doc_location.to_s == ""
             doc_location = DEFAULT_LOCATION
         end
+        # the location extracted from the DID may be percent-encoded
+        # (e.g. "http%3A%2F%2Flocalhost%3A3000"); decode before using as URL
+        doc_location = doc_location.to_s.gsub("%3A", ":").gsub("%2F", "/")
 
         # publish revocation log based on location
         case doc_location.to_s
@@ -986,6 +1023,11 @@ class Oydid
         if revoc_log.nil?
             return [nil, msg]
         end
+        # in-process callers persist the revocation log themselves; return it
+        # instead of publishing to a remote location / file
+        if options[:skip_publish]
+            return [revoc_log, ""]
+        end
         success, msg = revoke_publish(did, revoc_log, options)
     end
 

data/spec/oydid_spec.rb

@@ -167,6 +167,77 @@ describe "OYDID handling" do
     end
   end
 
+  # P-256 predefined / deterministic key handling
+  it "derives a deterministic p256 private key from a seed/password" do
+    key1, _ = Oydid.generate_private_key("my-fixed-seed", "p256-priv", {key_type: "p256"})
+    key2, _ = Oydid.generate_private_key("my-fixed-seed", "p256-priv", {key_type: "p256"})
+    expect(key1).not_to be_nil
+    expect(key1).to eq key2
+    expect(Oydid.get_keytype(key1)).to eq "p256-priv"
+  end
+  it "derives different p256 keys for different seeds" do
+    key1, _ = Oydid.generate_private_key("seed-a", "p256-priv", {})
+    key2, _ = Oydid.generate_private_key("seed-b", "p256-priv", {})
+    expect(key1).not_to eq key2
+  end
+  it "produces a usable p256 keypair from a derived key (sign/verify roundtrip)" do
+    privkey, _ = Oydid.generate_private_key("roundtrip-seed", "p256-priv", {})
+    pubkey, _  = Oydid.public_key(privkey, {})
+    expect(pubkey).not_to be_nil
+    message = "hello oydid"
+    signature, _ = Oydid.sign(message, privkey, {})
+    expect(signature).not_to be_nil
+    expect(Oydid.verify(message, signature, pubkey).first).to eq true
+  end
+  it "preserves a predefined base64-encoded p256 private key" do
+    ec = OpenSSL::PKey::EC.generate('prime256v1')
+    b64 = Base64.encode64(ec.to_pem)
+    encoded, _ = Oydid.generate_private_key(b64, "p256-priv", {})
+    expect(encoded).not_to be_nil
+    decoded = Oydid.decode_private_key(encoded).first
+    expect(decoded.private_key.to_s(2)).to eq ec.private_key.to_s(2)
+  end
+  it "getPrivateKey honors key_type for password-derived keys" do
+    p256_key, _ = Oydid.getPrivateKey(nil, "shared-pwd", nil, nil, {key_type: "p256"})
+    ed_key, _   = Oydid.getPrivateKey(nil, "shared-pwd", nil, nil, {key_type: "ed25519"})
+    expect(Oydid.get_keytype(p256_key)).to eq "p256-priv"
+    expect(Oydid.get_keytype(ed_key)).to eq "ed25519-priv"
+  end
+  it "imports a hex-encoded p256 private key (matching the JWK conversion)" do
+    hex = "96fe0f41947d645c7a1858c48c7a0560e7e5bd3d45125b57a611a3a9a103626b"
+    jwk = {kty: "EC", crv: "P-256",
+           d: "lv4PQZR9ZFx6GFjEjHoFYOflvT1FEltXphGjqaEDYms",
+           x: "vK0MQ6yFnQVS2VtjkVYHP5wcT7GqlJDzY5qM8KKqrao",
+           y: "R3AQWDZ-AAdwQ3sys1UwhIA5MX2WNnmSerQRKDKxg48"}
+    from_hex, _ = Oydid.private_key_from_hex(hex, {key_type: "p256"})
+    from_jwk, _ = Oydid.private_key_from_jwk(jwk.to_json, {})
+    expect(from_hex).not_to be_nil
+    expect(Oydid.get_keytype(from_hex)).to eq "p256-priv"
+    expect(from_hex).to eq from_jwk
+  end
+  it "rejects malformed hex private keys" do
+    expect(Oydid.private_key_from_hex("xyz", {key_type: "p256"}).first).to be_nil
+    expect(Oydid.private_key_from_hex("96fe", {key_type: "p256"}).first).to be_nil
+    expect(Oydid.private_key_from_hex("00" * 32, {key_type: "p256"}).first).to be_nil
+  end
+  it "round-trips a p256 private key hex -> mb -> hex" do
+    hex = "96fe0f41947d645c7a1858c48c7a0560e7e5bd3d45125b57a611a3a9a103626b"
+    mb, _  = Oydid.private_key_from_hex(hex, {key_type: "p256"})
+    back, _ = Oydid.key_to_hex(mb, {})
+    expect(back).to eq hex
+  end
+  it "decodes a p256 public key from mb to uncompressed hex" do
+    privkey, _ = Oydid.private_key_from_hex(
+      "96fe0f41947d645c7a1858c48c7a0560e7e5bd3d45125b57a611a3a9a103626b",
+      {key_type: "p256"})
+    pub_mb, _ = Oydid.public_key(privkey, {})
+    pub_hex, _ = Oydid.key_to_hex(pub_mb, {})
+    expect(pub_hex).to eq "04bcad0c43ac859d0552d95b639156073f9c1c4fb1aa9490f3639a8cf0a2aaadaa47701058367e000770437b32b35530848039317d963679927ab4112832b1838f"
+  end
+  it "rejects an invalid multibase key in key_to_hex" do
+    expect(Oydid.key_to_hex("not-a-key", {}).first).to be_nil
+  end
+
   # storage functions
   it "should create 'filename' and put/read 'text'" do
     @buffer = StringIO.new()

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: oydid
 version: !ruby/object:Gem::Version
-  version: 0.6.1
+  version: 0.6.4
 platform: ruby
 authors:
 - Christoph Fabianek
 bindir: bin
 cert_chain: []
-date: 2026-03-23 00:00:00.000000000 Z
+date: 2026-06-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: simple_dag
@@ -422,7 +422,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.6
+rubygems_version: 4.0.15
 specification_version: 4
 summary: Own Your Decentralized Identifier for Ruby.
 test_files: