@bcts/xid 1.0.0-alpha.12 → 1.0.0-alpha.14

package/dist/index.iife.js

@@ -1,4 +1,4 @@
-var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_components, _bcts_provenance_mark, _bcts_dcbor) {
+var bctsXid = (function(exports, _bcts_components, _bcts_known_values, _bcts_envelope, _bcts_provenance_mark, _bcts_dcbor) {
 
 
 //#region src/error.ts
@@ -574,14 +574,14 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 	* Represents a key in an XID document.
 	*/
 	var Key = class Key {
-		_publicKeyBase;
-		_privateKeys;
+		_publicKeys;
+		_privateKeyData;
 		_nickname;
 		_endpoints;
 		_permissions;
-		constructor(publicKeyBase, privateKeys, nickname = "", endpoints = /* @__PURE__ */ new Set(), permissions = Permissions.new()) {
-			this._publicKeyBase = publicKeyBase;
-			this._privateKeys = privateKeys;
+		constructor(publicKeys, privateKeyData, nickname = "", endpoints = /* @__PURE__ */ new Set(), permissions = Permissions.new()) {
+			this._publicKeys = publicKeys;
+			this._privateKeyData = privateKeyData;
 			this._nickname = nickname;
 			this._endpoints = endpoints;
 			this._permissions = permissions;
@@ -589,64 +589,78 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		/**
 		* Create a new Key with only public keys.
 		*/
-		static new(publicKeyBase) {
-			return new Key(publicKeyBase);
+		static new(publicKeys) {
+			return new Key(publicKeys);
 		}
 		/**
 		* Create a new Key with public keys and allow-all permissions.
 		*/
-		static newAllowAll(publicKeyBase) {
-			return new Key(publicKeyBase, void 0, "", /* @__PURE__ */ new Set(), Permissions.newAllowAll());
+		static newAllowAll(publicKeys) {
+			return new Key(publicKeys, void 0, "", /* @__PURE__ */ new Set(), Permissions.newAllowAll());
 		}
 		/**
-		* Create a new Key with private key base.
+		* Create a new Key with private keys.
 		*/
-		static newWithPrivateKeyBase(privateKeyBase) {
+		static newWithPrivateKeys(privateKeys, publicKeys) {
 			const salt = _bcts_components.Salt.random(32);
-			return new Key(privateKeyBase.publicKeys(), {
+			return new Key(publicKeys, {
 				data: {
 					type: "decrypted",
-					privateKeyBase
+					privateKeys
 				},
 				salt
 			}, "", /* @__PURE__ */ new Set(), Permissions.newAllowAll());
 		}
 		/**
-		* Get the public key base.
+		* Create a new Key with private key base (derives keys from it).
 		*/
-		publicKeyBase() {
-			return this._publicKeyBase;
+		static newWithPrivateKeyBase(privateKeyBase) {
+			const privateKeys = privateKeyBase.ed25519PrivateKeys();
+			const publicKeys = privateKeyBase.ed25519PublicKeys();
+			return Key.newWithPrivateKeys(privateKeys, publicKeys);
 		}
 		/**
-		* Get the private key base, if available and decrypted.
+		* Get the public keys.
 		*/
-		privateKeyBase() {
-			if (this._privateKeys === void 0) return void 0;
-			if (this._privateKeys.data.type === "decrypted") return this._privateKeys.data.privateKeyBase;
+		publicKeys() {
+			return this._publicKeys;
+		}
+		/**
+		* Get the private keys, if available and decrypted.
+		*/
+		privateKeys() {
+			if (this._privateKeyData === void 0) return void 0;
+			if (this._privateKeyData.data.type === "decrypted") return this._privateKeyData.data.privateKeys;
 		}
 		/**
 		* Check if this key has decrypted private keys.
 		*/
 		hasPrivateKeys() {
-			return this._privateKeys?.data.type === "decrypted";
+			return this._privateKeyData?.data.type === "decrypted";
 		}
 		/**
 		* Check if this key has encrypted private keys.
 		*/
 		hasEncryptedPrivateKeys() {
-			return this._privateKeys?.data.type === "encrypted";
+			return this._privateKeyData?.data.type === "encrypted";
 		}
 		/**
 		* Get the salt used for private key decorrelation.
 		*/
 		privateKeySalt() {
-			return this._privateKeys?.salt;
+			return this._privateKeyData?.salt;
 		}
 		/**
-		* Get the reference for this key (based on public key).
+		* Get the reference for this key (based on public keys tagged CBOR).
 		*/
 		reference() {
-			return _bcts_components.Reference.hash(this._publicKeyBase.data());
+			return this._publicKeys.reference();
+		}
+		/**
+		* Verify a signature against a message.
+		*/
+		verify(signature, message) {
+			return this._publicKeys.verify(signature, message);
 		}
 		/**
 		* Get the endpoints set.
@@ -688,26 +702,26 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		* Convert to envelope with specified options.
 		*/
 		intoEnvelopeOpt(privateKeyOptions = XIDPrivateKeyOptions.Omit) {
-			let envelope = _bcts_envelope.Envelope.new(this._publicKeyBase.data());
-			if (this._privateKeys !== void 0) {
-				const { data, salt } = this._privateKeys;
+			let envelope = _bcts_envelope.Envelope.new(this._publicKeys.taggedCborData());
+			if (this._privateKeyData !== void 0) {
+				const { data, salt } = this._privateKeyData;
 				if (data.type === "encrypted") {
 					envelope = envelope.addAssertion(kv$3(_bcts_known_values.PRIVATE_KEY), data.envelope);
 					envelope = envelope.addAssertion(kv$3(_bcts_known_values.SALT), salt.toData());
 				} else if (data.type === "decrypted") switch (typeof privateKeyOptions === "object" ? privateKeyOptions.type : privateKeyOptions) {
 					case XIDPrivateKeyOptions.Include:
-						envelope = envelope.addAssertion(kv$3(_bcts_known_values.PRIVATE_KEY), data.privateKeyBase.data());
+						envelope = envelope.addAssertion(kv$3(_bcts_known_values.PRIVATE_KEY), data.privateKeys.taggedCborData());
 						envelope = envelope.addAssertion(kv$3(_bcts_known_values.SALT), salt.toData());
 						break;
 					case XIDPrivateKeyOptions.Elide: {
-						const elidedAssertion = _bcts_envelope.Envelope.newAssertion(kv$3(_bcts_known_values.PRIVATE_KEY), data.privateKeyBase.data()).elide();
+						const elidedAssertion = _bcts_envelope.Envelope.newAssertion(kv$3(_bcts_known_values.PRIVATE_KEY), data.privateKeys.taggedCborData()).elide();
 						envelope = envelope.addAssertionEnvelope(elidedAssertion);
 						envelope = envelope.addAssertion(kv$3(_bcts_known_values.SALT), salt.toData());
 						break;
 					}
 					case XIDPrivateKeyOptions.Encrypt:
 						if (typeof privateKeyOptions === "object") {
-							const encrypted = _bcts_envelope.Envelope.new(data.privateKeyBase.data()).encryptSubject(privateKeyOptions.password);
+							const encrypted = _bcts_envelope.Envelope.new(data.privateKeys.taggedCborData()).encryptSubject(privateKeyOptions.password);
 							envelope = envelope.addAssertion(kv$3(_bcts_known_values.PRIVATE_KEY), encrypted);
 							envelope = envelope.addAssertion(kv$3(_bcts_known_values.SALT), salt.toData());
 						}
@@ -729,10 +743,10 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		*/
 		static tryFromEnvelope(envelope, password) {
 			const env = envelope;
-			const publicKeyData = (env.case().type === "node" ? env.subject() : env).asByteString();
-			if (publicKeyData === void 0) throw XIDError.component(/* @__PURE__ */ new Error("Could not extract public key from envelope"));
-			const publicKeyBase = new _bcts_envelope.PublicKeyBase(publicKeyData);
-			let privateKeys;
+			const publicKeysData = (env.case().type === "node" ? env.subject() : env).asByteString();
+			if (publicKeysData === void 0) throw XIDError.component(/* @__PURE__ */ new Error("Could not extract public keys from envelope"));
+			const publicKeys = _bcts_components.PublicKeys.fromTaggedCborData(publicKeysData);
+			let privateKeyData;
 			let salt = _bcts_components.Salt.random(32);
 			const saltAssertions = env.assertionsWithPredicate(_bcts_known_values.SALT);
 			if (saltAssertions.length > 0) {
@@ -749,15 +763,15 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 					const privateKeyObject = assertionCase.assertion.object();
 					if (privateKeyObject.case().type === "encrypted") if (password !== void 0) try {
 						const decryptedData = privateKeyObject.decryptSubject(password).asByteString();
-						if (decryptedData !== void 0) privateKeys = {
+						if (decryptedData !== void 0) privateKeyData = {
 							data: {
 								type: "decrypted",
-								privateKeyBase: _bcts_envelope.PrivateKeyBase.fromBytes(decryptedData, publicKeyData)
+								privateKeys: _bcts_components.PrivateKeys.fromTaggedCborData(decryptedData)
 							},
 							salt
 						};
 					} catch {
-						privateKeys = {
+						privateKeyData = {
 							data: {
 								type: "encrypted",
 								envelope: privateKeyObject
@@ -765,7 +779,7 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 							salt
 						};
 					}
-					else privateKeys = {
+					else privateKeyData = {
 						data: {
 							type: "encrypted",
 							envelope: privateKeyObject
@@ -773,11 +787,11 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 						salt
 					};
 					else {
-						const privateKeyData = privateKeyObject.asByteString();
-						if (privateKeyData !== void 0) privateKeys = {
+						const privateKeysBytes = privateKeyObject.asByteString();
+						if (privateKeysBytes !== void 0) privateKeyData = {
 							data: {
 								type: "decrypted",
-								privateKeyBase: _bcts_envelope.PrivateKeyBase.fromBytes(privateKeyData, publicKeyData)
+								privateKeys: _bcts_components.PrivateKeys.fromTaggedCborData(privateKeysBytes)
 							},
 							salt
 						};
@@ -796,27 +810,27 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 				if (text !== void 0) endpoints.add(text);
 			}
 			const permissions = Permissions.tryFromEnvelope(envelope);
-			return new Key(publicKeyBase, privateKeys, nickname, endpoints, permissions);
+			return new Key(publicKeys, privateKeyData, nickname, endpoints, permissions);
 		}
 		/**
 		* Check equality with another Key.
 		*/
 		equals(other) {
-			return this._publicKeyBase.hex() === other._publicKeyBase.hex();
+			return this._publicKeys.equals(other._publicKeys);
 		}
 		/**
 		* Get a hash key for use in Sets/Maps.
 		*/
 		hashKey() {
-			return this._publicKeyBase.hex();
+			return this._publicKeys.reference().toHex();
 		}
 		/**
 		* Clone this Key.
 		*/
 		clone() {
-			return new Key(this._publicKeyBase, this._privateKeys !== void 0 ? {
-				data: this._privateKeys.data,
-				salt: this._privateKeys.salt
+			return new Key(this._publicKeys, this._privateKeyData !== void 0 ? {
+				data: this._privateKeyData.data,
+				salt: this._privateKeyData.salt
 			} : void 0, this._nickname, new Set(this._endpoints), this._permissions.clone());
 		}
 	};
@@ -963,11 +977,11 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		intoEnvelope() {
 			let envelope = _bcts_envelope.Envelope.new(this._uri);
 			for (const keyRef of this._keyReferences) {
-				const refBytes = hexToBytes$1(keyRef);
+				const refBytes = hexToBytes(keyRef);
 				envelope = envelope.addAssertion(kv$2(_bcts_known_values.KEY), refBytes);
 			}
 			for (const delegateRef of this._delegateReferences) {
-				const refBytes = hexToBytes$1(delegateRef);
+				const refBytes = hexToBytes(delegateRef);
 				envelope = envelope.addAssertion(kv$2(_bcts_known_values.DELEGATE), refBytes);
 			}
 			if (this._capability !== "") envelope = envelope.addAssertion(kv$2(_bcts_known_values.CAPABILITY), this._capability);
@@ -1048,7 +1062,7 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 			return clone;
 		}
 	};
-	function hexToBytes$1(hex) {
+	function hexToBytes(hex) {
 		const bytes = new Uint8Array(hex.length / 2);
 		for (let i = 0; i < hex.length; i += 2) bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
 		return bytes;
@@ -1459,18 +1473,19 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		static new(keyOptions = { type: "default" }, markOptions = { type: "none" }) {
 			const inceptionKey = XIDDocument.inceptionKeyForOptions(keyOptions);
 			const provenance = XIDDocument.genesisMarkWithOptions(markOptions);
-			const doc = new XIDDocument(_bcts_components.XID.from(hashPublicKey(inceptionKey.publicKeyBase())), /* @__PURE__ */ new Set(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), provenance);
+			const doc = new XIDDocument(_bcts_components.XID.from(inceptionKey.publicKeys().reference().getDigest().toData()), /* @__PURE__ */ new Set(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), /* @__PURE__ */ new Map(), provenance);
 			doc.addKey(inceptionKey);
 			return doc;
 		}
 		static inceptionKeyForOptions(options) {
 			switch (options.type) {
 				case "default": {
-					const privateKeyBase = _bcts_envelope.PrivateKeyBase.generate();
+					const privateKeyBase = _bcts_components.PrivateKeyBase.new();
 					return Key.newWithPrivateKeyBase(privateKeyBase);
 				}
-				case "publicKeyBase": return Key.newAllowAll(options.publicKeyBase);
+				case "publicKeys": return Key.newAllowAll(options.publicKeys);
 				case "privateKeyBase": return Key.newWithPrivateKeyBase(options.privateKeyBase);
+				case "privateKeys": return Key.newWithPrivateKeys(options.privateKeys, options.publicKeys);
 			}
 		}
 		static genesisMarkWithOptions(options) {
@@ -1537,10 +1552,10 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 			this._keys.set(hashKey, key);
 		}
 		/**
-		* Find a key by its public key base.
+		* Find a key by its public keys.
 		*/
-		findKeyByPublicKeyBase(publicKeyBase) {
-			const hashKey = publicKeyBase.hex();
+		findKeyByPublicKeys(publicKeys) {
+			const hashKey = publicKeys.reference().toHex();
 			return this._keys.get(hashKey);
 		}
 		/**
@@ -1552,8 +1567,8 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		/**
 		* Take and remove a key.
 		*/
-		takeKey(publicKeyBase) {
-			const hashKey = publicKeyBase.hex();
+		takeKey(publicKeys) {
+			const hashKey = publicKeys.reference().toHex();
 			const key = this._keys.get(hashKey);
 			if (key !== void 0) this._keys.delete(hashKey);
 			return key;
@@ -1561,28 +1576,40 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		/**
 		* Remove a key.
 		*/
-		removeKey(publicKeyBase) {
-			if (this.servicesReferenceKey(publicKeyBase)) throw XIDError.stillReferenced("key");
-			const hashKey = publicKeyBase.hex();
+		removeKey(publicKeys) {
+			if (this.servicesReferenceKey(publicKeys)) throw XIDError.stillReferenced("key");
+			const hashKey = publicKeys.reference().toHex();
 			if (!this._keys.delete(hashKey)) throw XIDError.notFound("key");
 		}
 		/**
-		* Check if the given public key is the inception signing key.
+		* Check if the given public keys is the inception signing key.
 		*/
-		isInceptionKey(publicKeyBase) {
-			return bytesEqual(hashPublicKey(publicKeyBase), this._xid.toData());
+		isInceptionKey(publicKeys) {
+			return bytesEqual(publicKeys.reference().getDigest().toData(), this._xid.toData());
 		}
 		/**
 		* Get the inception key, if it exists in the document.
 		*/
 		inceptionKey() {
-			for (const key of this._keys.values()) if (this.isInceptionKey(key.publicKeyBase())) return key;
+			for (const key of this._keys.values()) if (this.isInceptionKey(key.publicKeys())) return key;
 		}
 		/**
-		* Get the inception private key base, if available.
+		* Get the inception private keys, if available.
 		*/
-		inceptionPrivateKeyBase() {
-			return this.inceptionKey()?.privateKeyBase();
+		inceptionPrivateKeys() {
+			return this.inceptionKey()?.privateKeys();
+		}
+		/**
+		* Get the encryption key (encapsulation public key) for this document.
+		*
+		* Prefers the inception key for encryption. If no inception key is available,
+		* falls back to the first key in the document.
+		*/
+		encryptionKey() {
+			const inceptionKey = this.inceptionKey();
+			if (inceptionKey !== void 0) return inceptionKey.publicKeys().encapsulationPublicKey();
+			const firstKey = this._keys.values().next().value;
+			if (firstKey !== void 0) return firstKey.publicKeys().encapsulationPublicKey();
 		}
 		/**
 		* Remove the inception key from the document.
@@ -1687,13 +1714,11 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		checkServiceConsistency(service) {
 			if (service.keyReferences().size === 0 && service.delegateReferences().size === 0) throw XIDError.noReferences(service.uri());
 			for (const keyRef of service.keyReferences()) {
-				const refBytes = hexToBytes(keyRef);
-				const ref = _bcts_components.Reference.hash(refBytes);
+				const ref = _bcts_components.Reference.fromHex(keyRef);
 				if (this.findKeyByReference(ref) === void 0) throw XIDError.unknownKeyReference(keyRef, service.uri());
 			}
 			for (const delegateRef of service.delegateReferences()) {
-				const refBytes = hexToBytes(delegateRef);
-				const ref = _bcts_components.Reference.hash(refBytes);
+				const ref = _bcts_components.Reference.fromHex(delegateRef);
 				if (this.findDelegateByReference(ref) === void 0) throw XIDError.unknownDelegateReference(delegateRef, service.uri());
 			}
 			if (service.permissions().allow.size === 0) throw XIDError.noPermissions(service.uri());
@@ -1701,8 +1726,8 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		/**
 		* Check if any service references the given key.
 		*/
-		servicesReferenceKey(publicKeyBase) {
-			const keyRef = _bcts_components.Reference.hash(publicKeyBase.data()).toHex();
+		servicesReferenceKey(publicKeys) {
+			const keyRef = publicKeys.reference().toHex();
 			for (const service of this._services.values()) if (service.keyReferences().has(keyRef)) return true;
 			return false;
 		}
@@ -1781,13 +1806,18 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 				case "inception": {
 					const inceptionKey = this.inceptionKey();
 					if (inceptionKey === void 0) throw XIDError.missingInceptionKey();
-					const privateKeyBase = inceptionKey.privateKeyBase();
-					if (privateKeyBase === void 0) throw XIDError.missingInceptionKey();
-					envelope = envelope.addSignature(privateKeyBase);
+					const privateKeys = inceptionKey.privateKeys();
+					if (privateKeys === void 0) throw XIDError.missingInceptionKey();
+					envelope = envelope.sign(privateKeys);
+					break;
+				}
+				case "privateKeyBase": {
+					const privateKeys = signingOptions.privateKeyBase.ed25519PrivateKeys();
+					envelope = envelope.sign(privateKeys);
 					break;
 				}
-				case "privateKeyBase":
-					envelope = envelope.addSignature(signingOptions.privateKeyBase);
+				case "privateKeys":
+					envelope = envelope.sign(signingOptions.privateKeys);
 					break;
 				case "none":
 				default: break;
@@ -1814,8 +1844,8 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 					const doc = XIDDocument.fromEnvelopeInner(unwrapped, password);
 					const inceptionKey = doc.inceptionKey();
 					if (inceptionKey === void 0) throw XIDError.missingInceptionKey();
-					if (!envelopeExt.hasSignatureFrom(inceptionKey.publicKeyBase())) throw XIDError.signatureVerificationFailed();
-					if (!doc.isInceptionKey(inceptionKey.publicKeyBase())) throw XIDError.invalidXid();
+					if (!envelopeExt.hasSignatureFrom(inceptionKey.publicKeys())) throw XIDError.signatureVerificationFailed();
+					if (!doc.isInceptionKey(inceptionKey.publicKeys())) throw XIDError.invalidXid();
 					return doc;
 				}
 			}
@@ -1869,7 +1899,7 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		* Create a signed envelope.
 		*/
 		toSignedEnvelope(signingKey) {
-			return this.toEnvelope(XIDPrivateKeyOptions.Omit, XIDGeneratorOptions.Omit, { type: "none" }).addSignature(signingKey);
+			return this.toEnvelope(XIDPrivateKeyOptions.Omit, XIDGeneratorOptions.Omit, { type: "none" }).sign(signingKey);
 		}
 		/**
 		* Get the reference for this document.
@@ -1897,19 +1927,11 @@ var bctsXid = (function(exports, _bcts_known_values, _bcts_envelope, _bcts_compo
 		}
 	};
 	registerXIDDocumentClass(XIDDocument);
-	function hexToBytes(hex) {
-		const bytes = new Uint8Array(hex.length / 2);
-		for (let i = 0; i < hex.length; i += 2) bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
-		return bytes;
-	}
 	function bytesEqual(a, b) {
 		if (a.length !== b.length) return false;
 		for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
 		return true;
 	}
-	function hashPublicKey(publicKeyBase) {
-		return _bcts_components.Reference.hash(publicKeyBase.data()).getDigest().toData();
-	}
 
 //#endregion
 //#region src/index.ts
@@ -1926,6 +1948,12 @@ exports.Provenance = Provenance;
 exports.Service = Service;
 exports.Shared = Shared;
 exports.VERSION = VERSION;
+Object.defineProperty(exports, 'XID', {
+  enumerable: true,
+  get: function () {
+    return _bcts_components.XID;
+  }
+});
 exports.XIDDocument = XIDDocument;
 exports.XIDError = XIDError;
 exports.XIDErrorCode = XIDErrorCode;
@@ -1938,5 +1966,5 @@ exports.privilegeToEnvelope = privilegeToEnvelope;
 exports.privilegeToKnownValue = privilegeToKnownValue;
 exports.registerXIDDocumentClass = registerXIDDocumentClass;
 return exports;
-})({}, bctsKnownValues, bctsEnvelope, bctsComponents, bctsProvenanceMark, bctsDcbor);
+})({}, bctsComponents, bctsKnownValues, bctsEnvelope, bctsProvenanceMark, bctsDcbor);
 //# sourceMappingURL=index.iife.js.map