@dwn-protocol/id-sdk 0.2.5 → 0.2.6

package/src/crypto/crypto-primitives/bbs.ts

@@ -1,183 +0,0 @@
-import {
-  generateBls12381G2KeyPair,
-  blsSign,
-  blsVerify,
-  blsCreateProof,
-  blsVerifyProof,
-} from '@mattrglobal/bbs-signatures';
-
-export interface BbsKeyPair {
-  publicKey: Uint8Array;
-  secretKey: Uint8Array;
-}
-
-/**
- * The `Bbs` class provides an interface for BBS+ signature operations
- * using the BLS12-381 pairing-friendly curve.
- *
- * BBS+ signatures enable multi-message signing where each attribute of
- * a credential is signed as a separate message. This allows a holder
- * to derive a zero-knowledge proof that selectively discloses only
- * chosen attributes without revealing the full signed message set.
- *
- * Example usage:
- *
- * ```ts
- * const keyPair = await Bbs.generateKeyPair();
- * const messages = [
- *   new TextEncoder().encode('age=25'),
- *   new TextEncoder().encode('country=US'),
- * ];
- * const signature = await Bbs.sign({ keyPair, messages });
- *
- * const proof = await Bbs.createProof({
- *   publicKey: keyPair.publicKey,
- *   signature,
- *   messages,
- *   revealed: [1],
- *   nonce: new TextEncoder().encode('unique-nonce'),
- * });
- *
- * const isValid = await Bbs.verifyProof({
- *   publicKey: keyPair.publicKey,
- *   proof,
- *   messages: [messages[1]],
- *   nonce: new TextEncoder().encode('unique-nonce'),
- * });
- * ```
- */
-export class Bbs {
-
-  /**
-   * Generates a BLS12-381 G2 key pair suitable for BBS+ signatures.
-   *
-   * @returns A Promise resolving to a `BbsKeyPair` with 96-byte public key and 32-byte secret key.
-   */
-  public static async generateKeyPair(): Promise<BbsKeyPair> {
-    const keyPair = await generateBls12381G2KeyPair();
-    return {
-      publicKey: keyPair.publicKey,
-      secretKey: keyPair.secretKey,
-    };
-  }
-
-  /**
-   * Signs a set of messages using BBS+ producing a single 112-byte signature.
-   * Each message is treated as a distinct attribute that can later be
-   * individually disclosed or hidden via `createProof`.
-   *
-   * @param options.keyPair - The BLS12-381 key pair (publicKey + secretKey).
-   * @param options.messages - Array of messages (Uint8Array) to sign.
-   * @returns A Promise resolving to the BBS+ signature as a Uint8Array.
-   */
-  public static async sign(options: {
-    keyPair: BbsKeyPair;
-    messages: Uint8Array[];
-  }): Promise<Uint8Array> {
-    const { keyPair, messages } = options;
-
-    if (!messages || messages.length === 0) {
-      throw new Error('At least one message is required for BBS+ signing');
-    }
-
-    const signature = await blsSign({
-      keyPair: {
-        publicKey: keyPair.publicKey,
-        secretKey: keyPair.secretKey,
-      },
-      messages,
-    });
-
-    return signature;
-  }
-
-  /**
-   * Verifies a BBS+ signature against the full set of original messages.
-   *
-   * @param options.publicKey - The 96-byte BLS12-381 G2 public key.
-   * @param options.signature - The 112-byte BBS+ signature.
-   * @param options.messages - The complete set of messages that were signed.
-   * @returns A Promise resolving to `true` if the signature is valid.
-   */
-  public static async verify(options: {
-    publicKey: Uint8Array;
-    signature: Uint8Array;
-    messages: Uint8Array[];
-  }): Promise<boolean> {
-    const { publicKey, signature, messages } = options;
-
-    const result = await blsVerify({
-      publicKey,
-      signature,
-      messages,
-    });
-
-    return result.verified;
-  }
-
-  /**
-   * Derives a zero-knowledge proof from a BBS+ signature that selectively
-   * discloses only the messages at the specified indices. The prover
-   * demonstrates knowledge of the full signature without revealing
-   * hidden messages.
-   *
-   * @param options.publicKey - The issuer's 96-byte BLS12-381 G2 public key.
-   * @param options.signature - The original 112-byte BBS+ signature.
-   * @param options.messages - The complete set of messages that were signed.
-   * @param options.revealed - Array of zero-based indices indicating which messages to disclose.
-   * @param options.nonce - A unique nonce to bind the proof to a specific verification session.
-   * @returns A Promise resolving to the derived proof as a Uint8Array.
-   */
-  public static async createProof(options: {
-    publicKey: Uint8Array;
-    signature: Uint8Array;
-    messages: Uint8Array[];
-    revealed: number[];
-    nonce: Uint8Array;
-  }): Promise<Uint8Array> {
-    const { publicKey, signature, messages, revealed, nonce } = options;
-
-    if (!nonce || nonce.length === 0) {
-      throw new Error('A nonce is required for proof creation to prevent replay attacks');
-    }
-
-    const proof = await blsCreateProof({
-      signature,
-      publicKey,
-      messages,
-      nonce,
-      revealed,
-    });
-
-    return proof;
-  }
-
-  /**
-   * Verifies a BBS+ zero-knowledge selective disclosure proof.
-   * Only the disclosed messages (those at the `revealed` indices during
-   * proof creation) should be provided.
-   *
-   * @param options.publicKey - The issuer's 96-byte BLS12-381 G2 public key.
-   * @param options.proof - The derived proof from `createProof`.
-   * @param options.messages - Only the disclosed messages, in order of their original indices.
-   * @param options.nonce - The same nonce used during proof creation.
-   * @returns A Promise resolving to `true` if the proof is valid.
-   */
-  public static async verifyProof(options: {
-    publicKey: Uint8Array;
-    proof: Uint8Array;
-    messages: Uint8Array[];
-    nonce: Uint8Array;
-  }): Promise<boolean> {
-    const { publicKey, proof, messages, nonce } = options;
-
-    const result = await blsVerifyProof({
-      proof,
-      publicKey,
-      messages,
-      nonce,
-    });
-
-    return result.verified;
-  }
-}

package/src/crypto/crypto-primitives/concat-kdf.ts

@@ -1,207 +0,0 @@
-import { sha256 } from '@noble/hashes/sha256';
-import { Convert, universalTypeOf } from '../../common/index.js';
-import { TypedArray, concatBytes } from '@noble/hashes/utils';
-
-import { NotSupportedError } from '../algorithms-api/errors.js';
-
-export type ConcatKdfOtherInfo = {
-  /**
-   * The algorithm the derived secret keying material will be used with.
-   */
-  algorithmId: string;
-
-  /**
-   * Information related to party U (initiator) involved in the key agreement
-   * transaction. It could be a public key, identifier, or any other data.
-   */
-  partyUInfo: string | TypedArray;
-
-  /**
-   * Information related to party V (receiver) involved in the key
-   * agreement transaction. Similar to partyUInfo, it could be a
-   * public key, identifier, etc.
-   */
-  partyVInfo: string | TypedArray;
-
-  /**
-   * Optional field. It is usually used to ensure the uniqueness of the
-   * derived keying material when the input keying material is used in
-   * multiple key-derivation key-agreement transactions. It is usually
-   * a public value such as the keyDataLen.
-   */
-  suppPubInfo?: number;
-
-  /**
-   * Optional field. It is used when it is desired to secretively
-   * bind additional information into the derived keying material.
-   * It is a secret value agreed upon by the entities who are party
-   * to the key agreement.
-   */
-  suppPrivInfo?: string | TypedArray;
-}
-
-/**
- * An implementation of the Concatenation Key Derivation Function (ConcatKDF)
- * as specified in NIST.800-56A, a single-step key-derivation function (SSKDF).
- * ConcatKDF produces a derived key from a secret key (like a shared secret
- * from ECDH), and other optional public information. This implementation
- * specifically uses SHA-256 as the pseudorandom function (PRF).
- *
- * @see {@link https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf | NIST.800-56A}
- * @see {@link https://datatracker.ietf.org/doc/html/rfc7518#section-4.6.2 | RFC 7518 Section 4.6.2}
- *
- * Note: This implementation allows for only a single round / repetition
- * using the function K(1) = H(counter || Z || OtherInfo), where:
- *   K(1) is the derived key material after one round
- *   H is the SHA-256 hashing function
- *   counter is a 32-bit, big-endian bit string counter set to 0x00000001
- *   Z is the shared secret value obtained from a key agreement protocol
- *   OtherInfo is a bit string used to ensure that the derived keying
- *     material is adequately "bound" to the key-agreement transaction.
- *
- * Additional Information:
- *
- * Z, or "shared secret":
- *   The shared secret value obtained from a key agreement protocol, such as
- *   Diffie-Hellman, ECDH (Elliptic Curve Diffie-Hellman). Importantly, this
- *   shared secret is not directly used as the encryption or authentication
- *   key, but as an input to a key derivation function (KDF), such as Concat
- *   KDF, to generate the actual key. This adds an extra layer of security, as
- *   even if the shared secret gets compromised, the actual  encryption or
- *   authentication key stays safe. This shared secret 'Z' value is kept
- *   confidential between the two parties in the key agreement protocol.
- */
-export class ConcatKdf {
-  /**
-   * Derives a key of a specified length from the input parameters.
-   *
-   * @param options - Input parameters for key derivation.
-   * @param options.keyDataLen - The desired length of the derived key in bits.
-   * @param options.sharedSecret - The shared secret key to derive from.
-   * @param options.otherInfo - Additional public information to use in key derivation.
-   * @returns The derived key as a Uint8Array.
-   *
-   * @throws {NotSupportedError} If the keyDataLen would require multiple rounds.
-   */
-  public static async deriveKey(options: {
-    keyDataLen: number;
-    otherInfo: ConcatKdfOtherInfo,
-    sharedSecret: Uint8Array,
-  }): Promise<Uint8Array> {
-    const { keyDataLen, sharedSecret } = options;
-
-    // RFC 7518 Section 4.6.2 specifies using SHA-256 for ECDH key agreement:
-    // "Key derivation is performed using the Concat KDF, as defined in
-    // Section 5.8.1 of [NIST.800-56A], where the Digest Method is SHA-256."
-    // Reference: https://tools.ietf.org/html/rfc7518#section-4.6.2
-    const hashLen = 256;
-
-    // This implementation only supports single round Concat KDF.
-    const roundCount = Math.ceil(keyDataLen / hashLen);
-    if (roundCount !== 1) {
-      throw new NotSupportedError(`Concat KDF with ${roundCount} rounds not supported.`);
-    }
-
-    // Initialize a 32-bit, big-endian bit string counter as 0x00000001.
-    const counter = new Uint8Array(4);
-    new DataView(counter.buffer).setUint32(0, roundCount);
-
-    // Compute the OtherInfo bit-string.
-    const otherInfo = ConcatKdf.computeOtherInfo(options.otherInfo);
-
-    // Compute K(i) = H(counter || Z || OtherInfo)
-    // return concatBytes(counter, sharedSecretZ, otherInfo);
-    const derivedKeyingMaterial = sha256(concatBytes(counter, sharedSecret, otherInfo));
-
-    // Return the bit string of derived keying material of length keyDataLen bits.
-    return derivedKeyingMaterial.slice(0, keyDataLen / 8);
-  }
-
-  /**
-   * Computes the OtherInfo parameter as specified in NIST.800-56A.
-   * OtherInfo binds the derived key material to the context of the
-   * key agreement transaction.
-   *
-   * This implementation follows the recommended format for OtherInfo
-   * specified in section 5.8.1.2.1 of the NIST.800-56A publication.
-   *
-   * OtherInfo is a bit string equal to the following concatenation:
-   * AlgorithmID || PartyUInfo || PartyVInfo {|| SuppPubInfo }{|| SuppPrivInfo }
-   *
-   * SuppPubInfo is the key length in bits, big endian encoded as a
-   * 32-bit number. For example, 128 would be [0, 0, 0, 128] and
-   * 256 would be [0, 0, 1, 0].
-   *
-   * @param options - Input data to construct OtherInfo.
-
-  * @returns OtherInfo as a Uint8Array.
-   */
-  private static computeOtherInfo(options:
-    ConcatKdfOtherInfo
-  ): Uint8Array {
-    // Required sub-fields.
-    const algorithmId = ConcatKdf.toDataLenData({ data: options.algorithmId });
-    const partyUInfo = ConcatKdf.toDataLenData({ data: options.partyUInfo });
-    const partyVInfo = ConcatKdf.toDataLenData({ data: options.partyVInfo });
-    // Optional sub-fields.
-    const suppPubInfo = ConcatKdf.toDataLenData({ data: options.suppPubInfo, variableLength: false });
-    const suppPrivInfo = ConcatKdf.toDataLenData({ data: options.suppPrivInfo });
-
-    // Concatenate AlgorithmID || PartyUInfo || PartyVInfo || SuppPubInfo || SuppPrivInfo.
-    const otherInfo = concatBytes(algorithmId, partyUInfo, partyVInfo, suppPubInfo, suppPrivInfo);
-
-    return otherInfo;
-  }
-
-  /**
-   * Encodes input data as a length-prefixed byte string, or
-   * as a fixed-length bit string if specified.
-   *
-   * If variableLength = true, return the data in the form Datalen || Data,
-   * where Data is a variable-length string of zero or more (eight-bit)
-   * bytes, and Datalen is a fixed-length, big-endian counter that
-   * indicates the length (in bytes) of Data.
-   *
-   * If variableLength = false, return the data formatted as a
-   * fixed-length bit string.
-   *
-   * @param options - Input data and options for the conversion.
-   * @param options.data - The input data to encode. Must be a type convertible to Uint8Array by the Convert class.
-   * @param options.variableLength - Whether to output the data as variable length. Default is true.
-   * @returns The input data encoded as a Uint8Array.
-   *
-   * @throws {TypeError} If fixed-length data is not a number.
-   */
-  private static toDataLenData(options: {
-    data: unknown,
-    variableLength?: boolean
-  }): Uint8Array {
-    const { data, variableLength = true } = options;
-    let encodedData: Uint8Array;
-    const dataType = universalTypeOf(data);
-
-    // Return an emtpy octet sequence if data is not specified.
-    if (dataType === 'Undefined') {
-      return new Uint8Array(0);
-    }
-
-    if (variableLength) {
-      const dataU8A = (dataType === 'Uint8Array')
-        ? data as Uint8Array
-        : new Convert(data, dataType).toUint8Array();
-      const bufferLength = dataU8A.length;
-      encodedData = new Uint8Array(4 + bufferLength);
-      new DataView(encodedData.buffer).setUint32(0, bufferLength);
-      encodedData.set(dataU8A, 4);
-
-    } else {
-      if (typeof data !== 'number') {
-        throw TypeError('Fixed length input must be a number.');
-      }
-      encodedData = new Uint8Array(4);
-      new DataView(encodedData.buffer).setUint32(0, data);
-    }
-
-    return encodedData;
-  }
-}

package/src/crypto/crypto-primitives/ed25519.ts

@@ -1,201 +0,0 @@
-import type { BytesKeyPair } from '../types/crypto-key.js';
-
-import { ed25519, edwardsToMontgomeryPub, edwardsToMontgomeryPriv } from '@noble/curves/ed25519';
-
-/**
- * The `Ed25519` class provides an interface for generating Ed25519 key pairs,
- * computing public keys from private keys, and signing and verifying messages.
- *
- * The class uses the '@noble/curves' package for the cryptographic operations.
- *
- * The methods of this class are all asynchronous and return Promises. They all use
- * the Uint8Array type for keys, signatures, and data, providing a consistent
- * interface for working with binary data.
- *
- * Example usage:
- *
- * ```ts
- * const keyPair = await Ed25519.generateKeyPair();
- * const message = new TextEncoder().encode('Hello, world!');
- * const signature = await Ed25519.sign({
- *   key: keyPair.privateKey,
- *   data: message
- * });
- * const isValid = await Ed25519.verify({
- *   key: keyPair.publicKey,
- *   signature,
- *   data: message
- * });
- * console.log(isValid); // true
- * ```
- */
-export class Ed25519 {
-
-  /**
-   * Converts an Ed25519 private key to its X25519 counterpart.
-   *
-   * Similar to the public key conversion, this method aids in transitioning
-   * from signing to encryption operations. By converting an Ed25519 private
-   * key to X25519 format, one can use the same key pair for both digital
-   * signatures and key exchange operations.
-   *
-   * @param options - The options for the conversion.
-   * @param options.privateKey - The Ed25519 private key to convert, represented as a Uint8Array.
-   * @returns A Promise that resolves to the X25519 private key as a Uint8Array.
-   */
-  public static async convertPrivateKeyToX25519(options: {
-    privateKey: Uint8Array
-  }): Promise<Uint8Array> {
-    const { privateKey } = options;
-
-    // Converts Ed25519 private key to X25519 private key.
-    const montgomeryPrivateKey = edwardsToMontgomeryPriv(privateKey);
-
-    return montgomeryPrivateKey;
-  }
-
-  /**
- * Converts an Ed25519 public key to its X25519 counterpart.
- *
- * This method is useful when transitioning from signing to encryption
- * operations, as Ed25519 and X25519 keys share the same mathematical
- * foundation but serve different purposes. Ed25519 keys are used for
- * digital signatures, while X25519 keys are used for key exchange in
- * encryption protocols like Diffie-Hellman.
- *
- * @param options - The options for the conversion.
- * @param options.publicKey - The Ed25519 public key to convert, represented as a Uint8Array.
- * @returns A Promise that resolves to the X25519 public key as a Uint8Array.
- */
-  public static async convertPublicKeyToX25519(options: {
-    publicKey: Uint8Array
-  }): Promise<Uint8Array> {
-    const { publicKey } = options;
-
-    // Verify Edwards public key is valid.
-    const isValid = await Ed25519.validatePublicKey({ key: publicKey });
-    if (!isValid) {
-      throw new Error('Ed25519: Invalid public key.');
-    }
-
-    // Converts Ed25519 public key to X25519 public key.
-    const montgomeryPublicKey = edwardsToMontgomeryPub(publicKey);
-
-    return montgomeryPublicKey;
-  }
-
-  /**
-   * Generates an Ed25519 key pair.
-   *
-   * @returns A Promise that resolves to an object containing the private and public keys as Uint8Array.
-   */
-  public static async generateKeyPair(): Promise<BytesKeyPair> {
-    // Generate the private key and compute its public key.
-    const privateKey = ed25519.utils.randomPrivateKey();
-    const publicKey  = ed25519.getPublicKey(privateKey);
-
-    const keyPair = {
-      privateKey : privateKey,
-      publicKey  : publicKey
-    };
-
-    return keyPair;
-  }
-
-  /**
-   * Computes the public key from a given private key.
-   *
-   * @param options - The options for the public key computation.
-   * @param options.privateKey - The 32-byte private key from which to compute the public key.
-   * @returns A Promise that resolves to the computed 32-byte public key as a Uint8Array.
-   */
-  public static async getPublicKey(options: {
-    privateKey: Uint8Array
-  }): Promise<Uint8Array> {
-    let { privateKey } = options;
-
-    // Compute public key.
-    const publicKey  = ed25519.getPublicKey(privateKey);
-
-    return publicKey;
-  }
-
-  /**
-   * Generates a RFC8032 EdDSA signature of given data with a given private key.
-   *
-   * @param options - The options for the signing operation.
-   * @param options.key - The private key to use for signing.
-   * @param options.data - The data to sign.
-   * @returns A Promise that resolves to the signature as a Uint8Array.
-   */
-  public static async sign(options: {
-    data: Uint8Array,
-    key: Uint8Array
-  }): Promise<Uint8Array> {
-    const { key, data } = options;
-
-    // Signature operation.
-    const signature = ed25519.sign(data, key);
-
-    return signature;
-  }
-
-  /**
-   * Validates a given public key to ensure that it corresponds to a
-   * valid point on the Ed25519 elliptic curve.
-   *
-   * This method decodes the Edwards points from the key bytes and
-   * asserts their validity on the curve. If the points are not valid,
-   * the method returns false. If the points are valid, the method
-   * returns true.
-   *
-   * Note: This method does not check whether the key corresponds to a
-   * known or authorized entity, or whether it has been compromised.
-   * It only checks the mathematical validity of the key.
-   *
-   * @param options - The options for the key validation.
-   * @param options.key - The key to validate, represented as a Uint8Array.
-   * @returns A Promise that resolves to a boolean indicating whether the key
-   *          corresponds to a valid point on the Edwards curve.
-   */
-  public static async validatePublicKey(options: {
-    key: Uint8Array
-  }): Promise<boolean> {
-    const { key } = options;
-
-    try {
-      // Decode Edwards points from key bytes.
-      const point = ed25519.ExtendedPoint.fromHex(key);
-
-      // Check if points are on the Twisted Edwards curve.
-      point.assertValidity();
-
-    } catch(error: any) {
-      return false;
-    }
-
-    return true;
-  }
-
-  /**
-   * Verifies a RFC8032 EdDSA signature of given data with a given public key.
-   *
-   * @param options - The options for the verification operation.
-   * @param options.key - The public key to use for verification.
-   * @param options.signature - The signature to verify.
-   * @param options.data - The data that was signed.
-   * @returns A Promise that resolves to a boolean indicating whether the signature is valid.
-   */
-  public static async verify(options: {
-    data: Uint8Array,
-    key: Uint8Array,
-    signature: Uint8Array
-  }): Promise<boolean> {
-    const { key, signature, data } = options;
-
-    // Verify operation.
-    const isValid = ed25519.verify(signature, data, key);
-
-    return isValid;
-  }
-}

package/src/crypto/crypto-primitives/index.ts

@@ -1,10 +0,0 @@
-export * from './bbs.js';
-export * from './pbkdf2.js';
-export * from './x25519.js';
-export * from './aes-ctr.js';
-export * from './aes-gcm.js';
-export * from './ed25519.js';
-export * from './concat-kdf.js';
-export * from './secp256k1.js';
-export * from './xchacha20.js';
-export * from './xchacha20-poly1305.js';

package/src/crypto/crypto-primitives/pbkdf2.ts

@@ -1,78 +0,0 @@
-import { crypto } from '@noble/hashes/crypto';
-
-import { isWebCryptoSupported } from '../utils.js';
-
-type DeriveKeyOptions = {
-  hash: 'SHA-256' | 'SHA-384' | 'SHA-512',
-  password: Uint8Array,
-  salt: Uint8Array,
-  iterations: number,
-  length: number
-};
-
-export class Pbkdf2 {
-  public static async deriveKey(options: DeriveKeyOptions): Promise<Uint8Array> {
-    if (isWebCryptoSupported()) {
-      return Pbkdf2.deriveKeyWithWebCrypto(options);
-    } else {
-      return Pbkdf2.deriveKeyWithNodeCrypto(options);
-    }
-  }
-
-  private static async deriveKeyWithNodeCrypto(options: DeriveKeyOptions): Promise<Uint8Array> {
-    const { password, salt, iterations } = options;
-
-    // Map the hash string to the node:crypto equivalent.
-    const hashToNodeCryptoMap = {
-      'SHA-256' : 'sha256',
-      'SHA-384' : 'sha384',
-      'SHA-512' : 'sha512'
-    };
-    const hash = hashToNodeCryptoMap[options.hash];
-
-    // Convert length from bits to bytes.
-    const length = options.length / 8;
-
-    // Dynamically import the `crypto` package.
-    const { pbkdf2 } = await import('node:crypto');
-
-    return new Promise((resolve) => {
-      pbkdf2(
-        password,
-        salt,
-        iterations,
-        length,
-        hash,
-        (err, derivedKey) => {
-          if (!err) {
-            resolve(new Uint8Array(derivedKey));
-          }
-        }
-      );
-    });
-  }
-
-  private static async deriveKeyWithWebCrypto(options: DeriveKeyOptions): Promise<Uint8Array> {
-    const { hash, password, salt, iterations, length } = options;
-
-    // Import the password as a raw key for use with the Web Crypto API.
-    const webCryptoKey = await crypto.subtle.importKey(
-      'raw',
-      password,
-      { name: 'PBKDF2' },
-      false,
-      ['deriveBits']
-    );
-
-    const derivedKeyBuffer = await crypto.subtle.deriveBits(
-      { name: 'PBKDF2', hash, salt, iterations },
-      webCryptoKey,
-      length
-    );
-
-    // Convert from ArrayBuffer to Uint8Array.
-    const derivedKey = new Uint8Array(derivedKeyBuffer);
-
-    return derivedKey;
-  }
-}