@fedify/vocab-runtime 2.0.0-dev.100

package/src/docloader.ts

@@ -0,0 +1,367 @@
+import { getLogger } from "@logtape/logtape";
+import { SpanKind, SpanStatusCode, trace } from "@opentelemetry/api";
+import metadata from "../deno.json" with { type: "json" };
+import preloadedContexts from "./contexts.ts";
+import { HttpHeaderLink } from "./link.ts";
+import {
+  createActivityPubRequest,
+  FetchError,
+  type GetUserAgentOptions,
+  logRequest,
+} from "./request.ts";
+import { UrlError, validatePublicUrl } from "./url.ts";
+
+const logger = getLogger(["fedify", "runtime", "docloader"]);
+
+/**
+ * A remote JSON-LD document and its context fetched by
+ * a {@link DocumentLoader}.
+ */
+export interface RemoteDocument {
+  /**
+   * The URL of the context document.
+   */
+  contextUrl: string | null;
+
+  /**
+   * The fetched JSON-LD document.
+   */
+  document: unknown;
+
+  /**
+   * The URL of the fetched document.
+   */
+  documentUrl: string;
+}
+
+/**
+ * Options for {@link DocumentLoader}.
+ * @since 1.8.0
+ */
+export interface DocumentLoaderOptions {
+  /**
+   * An `AbortSignal` for cancellation.
+   * @since 1.8.0
+   */
+  signal?: AbortSignal;
+}
+
+/**
+ * A JSON-LD document loader that fetches documents from the Web.
+ * @param url The URL of the document to load.
+ * @param options The options for the document loader.
+ * @returns The loaded remote document.
+ */
+export type DocumentLoader = (
+  url: string,
+  options?: DocumentLoaderOptions,
+) => Promise<RemoteDocument>;
+
+/**
+ * A factory function that creates a {@link DocumentLoader} with options.
+ * @param options The options for the document loader.
+ * @returns The document loader.
+ * @since 1.4.0
+ */
+export type DocumentLoaderFactory = (
+  options?: DocumentLoaderFactoryOptions,
+) => DocumentLoader;
+
+/**
+ * Options for {@link DocumentLoaderFactory}.
+ * @see {@link DocumentLoaderFactory}
+ * @see {@link AuthenticatedDocumentLoaderFactory}
+ * @since 1.4.0
+ */
+export interface DocumentLoaderFactoryOptions {
+  /**
+   * Whether to allow fetching private network addresses.
+   * Turned off by default.
+   * @default `false``
+   */
+  allowPrivateAddress?: boolean;
+
+  /**
+   * Options for making `User-Agent` string.
+   * If a string is given, it is used as the `User-Agent` header value.
+   * If an object is given, it is passed to {@link getUserAgent} function.
+   */
+  userAgent?: GetUserAgentOptions | string;
+}
+
+/**
+ * A factory function that creates an authenticated {@link DocumentLoader} for
+ * a given identity.  This is used for fetching documents that require
+ * authentication.
+ * @param identity The identity to create the document loader for.
+ *                 The actor's key pair.
+ * @param options The options for the document loader.
+ * @returns The authenticated document loader.
+ * @since 0.4.0
+ */
+export type AuthenticatedDocumentLoaderFactory = (
+  identity: { keyId: URL; privateKey: CryptoKey },
+  options?: DocumentLoaderFactoryOptions,
+) => DocumentLoader;
+
+/**
+ * Gets a {@link RemoteDocument} from the given response.
+ * @param url The URL of the document to load.
+ * @param response The response to get the document from.
+ * @param fetch The function to fetch the document.
+ * @returns The loaded remote document.
+ * @throws {FetchError} If the response is not OK.
+ * @internal
+ */
+export async function getRemoteDocument(
+  url: string,
+  response: Response,
+  fetch: (
+    url: string,
+    options?: DocumentLoaderOptions,
+  ) => Promise<RemoteDocument>,
+): Promise<RemoteDocument> {
+  const documentUrl = response.url === "" ? url : response.url;
+  const docUrl = new URL(documentUrl);
+  if (!response.ok) {
+    logger.error(
+      "Failed to fetch document: {status} {url} {headers}",
+      {
+        status: response.status,
+        url: documentUrl,
+        headers: Object.fromEntries(response.headers.entries()),
+      },
+    );
+    throw new FetchError(
+      documentUrl,
+      `HTTP ${response.status}: ${documentUrl}`,
+    );
+  }
+  const contentType = response.headers.get("Content-Type");
+  const jsonLd = contentType == null ||
+    contentType === "application/activity+json" ||
+    contentType.startsWith("application/activity+json;") ||
+    contentType === "application/ld+json" ||
+    contentType.startsWith("application/ld+json;");
+  const linkHeader = response.headers.get("Link");
+  let contextUrl: string | null = null;
+  if (linkHeader != null) {
+    let link: HttpHeaderLink;
+    try {
+      link = new HttpHeaderLink(linkHeader);
+    } catch (e) {
+      if (e instanceof SyntaxError) {
+        link = new HttpHeaderLink();
+      } else {
+        throw e;
+      }
+    }
+    if (jsonLd) {
+      const entries = link.getByRel("http://www.w3.org/ns/json-ld#context");
+      for (const [uri, params] of entries) {
+        if ("type" in params && params.type === "application/ld+json") {
+          contextUrl = uri;
+          break;
+        }
+      }
+    } else {
+      const entries = link.getByRel("alternate");
+      for (const [uri, params] of entries) {
+        const altUri = new URL(uri, docUrl);
+        if (
+          "type" in params &&
+          (params.type === "application/activity+json" ||
+            params.type === "application/ld+json" ||
+            params.type.startsWith("application/ld+json;")) &&
+          altUri.href !== docUrl.href
+        ) {
+          logger.debug(
+            "Found alternate document: {alternateUrl} from {url}",
+            { alternateUrl: altUri.href, url: documentUrl },
+          );
+          return await fetch(altUri.href);
+        }
+      }
+    }
+  }
+  let document: unknown;
+  if (
+    !jsonLd &&
+    (contentType === "text/html" || contentType?.startsWith("text/html;") ||
+      contentType === "application/xhtml+xml" ||
+      contentType?.startsWith("application/xhtml+xml;"))
+  ) {
+    // Security: Limit HTML response size to mitigate ReDoS attacks
+    const MAX_HTML_SIZE = 1024 * 1024; // 1MB
+    const html = await response.text();
+    if (html.length > MAX_HTML_SIZE) {
+      logger.warn(
+        "HTML response too large, skipping alternate link discovery: {url}",
+        { url: documentUrl, size: html.length },
+      );
+      document = JSON.parse(html);
+    } else {
+      // Safe regex patterns without nested quantifiers to prevent ReDoS
+      // (CVE-2025-68475)
+      // Step 1: Extract <a ...> or <link ...> tags
+      const tagPattern = /<(a|link)\s+([^>]*?)\s*\/?>/gi;
+      // Step 2: Parse attributes
+      const attrPattern =
+        /([a-z][a-z:_-]*)=(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
+
+      let tagMatch: RegExpExecArray | null;
+      while ((tagMatch = tagPattern.exec(html)) !== null) {
+        const tagContent = tagMatch[2];
+        let attrMatch: RegExpExecArray | null;
+        const attribs: Record<string, string> = {};
+
+        // Reset regex state for attribute parsing
+        attrPattern.lastIndex = 0;
+        while ((attrMatch = attrPattern.exec(tagContent)) !== null) {
+          const key = attrMatch[1].toLowerCase();
+          const value = attrMatch[2] ?? attrMatch[3] ?? attrMatch[4] ?? "";
+          attribs[key] = value;
+        }
+
+        if (
+          attribs.rel === "alternate" && "type" in attribs && (
+            attribs.type === "application/activity+json" ||
+            attribs.type === "application/ld+json" ||
+            attribs.type.startsWith("application/ld+json;")
+          ) && "href" in attribs &&
+          new URL(attribs.href, docUrl).href !== docUrl.href
+        ) {
+          logger.debug(
+            "Found alternate document: {alternateUrl} from {url}",
+            { alternateUrl: attribs.href, url: documentUrl },
+          );
+          return await fetch(new URL(attribs.href, docUrl).href);
+        }
+      }
+      document = JSON.parse(html);
+    }
+  } else {
+    document = await response.json();
+  }
+  logger.debug(
+    "Fetched document: {status} {url} {headers}",
+    {
+      status: response.status,
+      url: documentUrl,
+      headers: Object.fromEntries(response.headers.entries()),
+    },
+  );
+  return { contextUrl, document, documentUrl };
+}
+
+/**
+ * Options for {@link getDocumentLoader}.
+ * @since 1.3.0
+ */
+export interface GetDocumentLoaderOptions extends DocumentLoaderFactoryOptions {
+  /**
+   * Whether to preload the frequently used contexts.
+   */
+  skipPreloadedContexts?: boolean;
+}
+
+/**
+ * Creates a JSON-LD document loader that utilizes the browser's `fetch` API.
+ *
+ * The created loader preloads the below frequently used contexts by default
+ * (unless `options.ignorePreloadedContexts` is set to `true`):
+ *
+ * - <https://www.w3.org/ns/activitystreams>
+ * - <https://w3id.org/security/v1>
+ * - <https://w3id.org/security/data-integrity/v1>
+ * - <https://www.w3.org/ns/did/v1>
+ * - <https://w3id.org/security/multikey/v1>
+ * - <https://purl.archive.org/socialweb/webfinger>
+ * - <http://schema.org/>
+ * @param options Options for the document loader.
+ * @returns The document loader.
+ * @since 1.3.0
+ */
+export function getDocumentLoader(
+  { allowPrivateAddress, skipPreloadedContexts, userAgent }:
+    GetDocumentLoaderOptions = {},
+): DocumentLoader {
+  const tracerProvider = trace.getTracerProvider();
+  const tracer = tracerProvider.getTracer(metadata.name, metadata.version);
+
+  async function load(
+    url: string,
+    options?: DocumentLoaderOptions,
+  ): Promise<RemoteDocument> {
+    options?.signal?.throwIfAborted();
+    if (!skipPreloadedContexts && url in preloadedContexts) {
+      logger.debug("Using preloaded context: {url}.", { url });
+      return {
+        contextUrl: null,
+        document: preloadedContexts[url],
+        documentUrl: url,
+      };
+    }
+    if (!allowPrivateAddress) {
+      try {
+        await validatePublicUrl(url);
+      } catch (error) {
+        if (error instanceof UrlError) {
+          logger.error("Disallowed private URL: {url}", { url, error });
+        }
+        throw error;
+      }
+    }
+
+    return await tracer.startActiveSpan(
+      "activitypub.fetch_document",
+      {
+        kind: SpanKind.CLIENT,
+        attributes: {
+          "url.full": url,
+        },
+      },
+      async (span) => {
+        try {
+          const request = createActivityPubRequest(url, { userAgent });
+          logRequest(logger, request);
+          const response = await fetch(request, {
+            // Since Bun has a bug that ignores the `Request.redirect` option,
+            // to work around it we specify `redirect: "manual"` here too:
+            // https://github.com/oven-sh/bun/issues/10754
+            redirect: "manual",
+            signal: options?.signal,
+          });
+          span.setAttribute("http.response.status_code", response.status);
+
+          // Follow redirects manually to get the final URL:
+          if (
+            response.status >= 300 && response.status < 400 &&
+            response.headers.has("Location")
+          ) {
+            const redirectUrl = response.headers.get("Location")!;
+            span.setAttribute("http.redirect.url", redirectUrl);
+            return await load(redirectUrl, options);
+          }
+
+          const result = await getRemoteDocument(url, response, load);
+          span.setAttribute("docloader.document_url", result.documentUrl);
+          if (result.contextUrl != null) {
+            span.setAttribute("docloader.context_url", result.contextUrl);
+          }
+          return result;
+        } catch (error) {
+          span.recordException(error as Error);
+          span.setStatus({
+            code: SpanStatusCode.ERROR,
+            message: String(error),
+          });
+          throw error;
+        } finally {
+          span.end();
+        }
+      },
+    );
+  }
+  return load;
+}

package/src/jwk.ts

@@ -0,0 +1,70 @@
+export function validateCryptoKey(
+  key: CryptoKey,
+  type?: "public" | "private",
+): void {
+  if (type != null && key.type !== type) {
+    throw new TypeError(`The key is not a ${type} key.`);
+  }
+  if (!key.extractable) {
+    throw new TypeError("The key is not extractable.");
+  }
+  if (
+    key.algorithm.name !== "RSASSA-PKCS1-v1_5" &&
+    key.algorithm.name !== "Ed25519"
+  ) {
+    throw new TypeError(
+      "Currently only RSASSA-PKCS1-v1_5 and Ed25519 keys are supported.  " +
+        "More algorithms will be added in the future!",
+    );
+  }
+  if (key.algorithm.name === "RSASSA-PKCS1-v1_5") {
+    // @ts-ignore TS2304
+    const algorithm = key.algorithm as unknown as RsaHashedKeyAlgorithm;
+    if (algorithm.hash.name !== "SHA-256") {
+      throw new TypeError(
+        "For compatibility with the existing Fediverse software " +
+          "(e.g., Mastodon), hash algorithm for RSASSA-PKCS1-v1_5 keys " +
+          "must be SHA-256.",
+      );
+    }
+  }
+}
+
+export async function exportJwk(key: CryptoKey): Promise<JsonWebKey> {
+  validateCryptoKey(key);
+  const jwk = await crypto.subtle.exportKey("jwk", key);
+  if (jwk.crv === "Ed25519") jwk.alg = "Ed25519";
+  return jwk;
+}
+
+export async function importJwk(
+  jwk: JsonWebKey,
+  type: "public" | "private",
+): Promise<CryptoKey> {
+  let key: CryptoKey;
+  if (jwk.kty === "RSA" && jwk.alg === "RS256") {
+    key = await crypto.subtle.importKey(
+      "jwk",
+      jwk,
+      { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+      true,
+      type === "public" ? ["verify"] : ["sign"],
+    );
+  } else if (jwk.kty === "OKP" && jwk.crv === "Ed25519") {
+    if (navigator?.userAgent === "Cloudflare-Workers") {
+      jwk = { ...jwk };
+      delete jwk.alg;
+    }
+    key = await crypto.subtle.importKey(
+      "jwk",
+      jwk,
+      "Ed25519",
+      true,
+      type === "public" ? ["verify"] : ["sign"],
+    );
+  } else {
+    throw new TypeError("Unsupported JWK format.");
+  }
+  validateCryptoKey(key, type);
+  return key;
+}

package/src/key.test.ts

@@ -0,0 +1,179 @@
+import { deepStrictEqual } from "node:assert";
+import { test } from "node:test";
+import { exportJwk, importJwk } from "./jwk.ts";
+import {
+  exportMultibaseKey,
+  exportSpki,
+  importMultibaseKey,
+  importPem,
+  importPkcs1,
+  importSpki,
+} from "./key.ts";
+
+// cSpell: disable
+const rsaSpki = "-----BEGIN PUBLIC KEY-----\n" +
+  "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxsRuvCkgJtflBTl4OVsm\n" +
+  "nt/J1mQfZasfJtN33dcZ3d1lJroxmgmMu69zjGEAwkNbMQaWNLqC4eogkJaeJ4RR\n" +
+  "5MHYXkL9nNilVoTkjX5BVit3puzs7XJ7WQnKQgQMI+ezn24GHsZ/v1JIo77lerX5\n" +
+  "k4HNwTNVt+yaZVQWaOMR3+6FwziQR6kd0VuG9/a9dgAnz2cEoORRC1i4W7IZaB1s\n" +
+  "Znh1WbHbevlGd72HSXll5rocPIHn8gq6xpBgpHwRphlRsgn4KHaJ6brXDIJjrnQh\n" +
+  "Ie/YUBOGj/ImSEXhRwlFerKsoAVnZ0Hwbfa46qk44TAt8CyoPMWmpK6pt0ng4pQ2\n" +
+  "uwIDAQAB\n" +
+  "-----END PUBLIC KEY-----\n";
+// cSpell: enable
+
+// cSpell: disable
+const rsaPkcs1 = "-----BEGIN RSA PUBLIC KEY-----\n" +
+  "MIIBCgKCAQEAxsRuvCkgJtflBTl4OVsmnt/J1mQfZasfJtN33dcZ3d1lJroxmgmM\n" +
+  "u69zjGEAwkNbMQaWNLqC4eogkJaeJ4RR5MHYXkL9nNilVoTkjX5BVit3puzs7XJ7\n" +
+  "WQnKQgQMI+ezn24GHsZ/v1JIo77lerX5k4HNwTNVt+yaZVQWaOMR3+6FwziQR6kd\n" +
+  "0VuG9/a9dgAnz2cEoORRC1i4W7IZaB1sZnh1WbHbevlGd72HSXll5rocPIHn8gq6\n" +
+  "xpBgpHwRphlRsgn4KHaJ6brXDIJjrnQhIe/YUBOGj/ImSEXhRwlFerKsoAVnZ0Hw\n" +
+  "bfa46qk44TAt8CyoPMWmpK6pt0ng4pQ2uwIDAQAB\n" +
+  "-----END RSA PUBLIC KEY-----\n";
+// cSpell: enable
+
+const rsaJwk: JsonWebKey = {
+  alg: "RS256",
+  // cSpell: disable
+  e: "AQAB",
+  // cSpell: enable
+  ext: true,
+  key_ops: ["verify"],
+  kty: "RSA",
+  // cSpell: disable
+  n: "xsRuvCkgJtflBTl4OVsmnt_J1mQfZasfJtN33dcZ3d1lJroxmgmMu69zjGEAwkNbMQaWN" +
+    "LqC4eogkJaeJ4RR5MHYXkL9nNilVoTkjX5BVit3puzs7XJ7WQnKQgQMI-ezn24GHsZ_v1J" +
+    "Io77lerX5k4HNwTNVt-yaZVQWaOMR3-6FwziQR6kd0VuG9_a9dgAnz2cEoORRC1i4W7IZa" +
+    "B1sZnh1WbHbevlGd72HSXll5rocPIHn8gq6xpBgpHwRphlRsgn4KHaJ6brXDIJjrnQhIe_" +
+    "YUBOGj_ImSEXhRwlFerKsoAVnZ0Hwbfa46qk44TAt8CyoPMWmpK6pt0ng4pQ2uw",
+  // cSpell: enable
+};
+
+const rsaMultibase =
+  // cSpell: disable
+  "z4MXj1wBzi9jUstyPqYMn6Gum79JtbKFiHTibtPRoPeufjdimA24Kg8Q5N7E2eMpgVUtD61kUv" +
+  "my4FaT5D5G8XU3ktxeduwEw5FHTtiLCzaruadf6rit1AUPL34UtcPuHh6GxBzTxgFKMMuzcHiU" +
+  "zG9wvbxn7toS4H2gbmUn1r91836ET2EVgmSdzju614Wu67ukyBGivcboncdfxPSR5JXwURBaL8" +
+  "K2P6yhKn3NyprFV8s6QpN4zgQMAD3Q6fjAsEvGNwXaQTZmEN2yd1NQ7uBE3RJ2XywZnehmfLQT" +
+  "EqD7Ad5XM3qfLLd9CtdzJGBkRfunHhkH1kz8dHL7hXwtk5EMXktY4QF5gZ1uisUV5mpPjEgqz7uDz";
+// cSpell: enable
+
+// cSpell: disable
+const ed25519Pem = "-----BEGIN PUBLIC KEY-----\n" +
+  "MCowBQYDK2VwAyEAvrabdlLgVI5jWl7GpF+fLFJVF4ccI8D7h+v5ulBCYwo=\n" +
+  "-----END PUBLIC KEY-----\n";
+// cSpell: enable
+
+const ed25519Jwk: JsonWebKey = {
+  alg: "Ed25519",
+  kty: "OKP",
+  crv: "Ed25519",
+  // cSpell: disable
+  x: "vrabdlLgVI5jWl7GpF-fLFJVF4ccI8D7h-v5ulBCYwo",
+  // cSpell: enable
+  key_ops: ["verify"],
+  ext: true,
+};
+
+// cSpell: disable
+const ed25519Multibase = "z6MksHj1MJnidCtDiyYW9ugNFftoX9fLK4bornTxmMZ6X7vq";
+// cSpell: enable
+
+test("importSpki()", async () => {
+  const rsaKey = await importSpki(rsaSpki);
+  deepStrictEqual(await exportJwk(rsaKey), rsaJwk);
+
+  const ed25519Key = await importSpki(ed25519Pem);
+  deepStrictEqual(await exportJwk(ed25519Key), ed25519Jwk);
+});
+
+test("exportSpki()", async () => {
+  const rsaKey = await importJwk(rsaJwk, "public");
+  const rsaSpki = await exportSpki(rsaKey);
+  deepStrictEqual(rsaSpki, rsaSpki);
+
+  const ed25519Key = await importJwk(ed25519Jwk, "public");
+  const ed25519Spki = await exportSpki(ed25519Key);
+  deepStrictEqual(ed25519Spki, ed25519Pem);
+});
+
+test("importPkcs1()", async () => {
+  const rsaKey = await importPkcs1(rsaPkcs1);
+  deepStrictEqual(await exportJwk(rsaKey), rsaJwk);
+});
+
+test("importPem()", async () => {
+  const rsaPkcs1Key = await importPem(rsaPkcs1);
+  deepStrictEqual(await exportJwk(rsaPkcs1Key), rsaJwk);
+
+  const rsaSpkiKey = await importPem(rsaSpki);
+  deepStrictEqual(await exportJwk(rsaSpkiKey), rsaJwk);
+
+  const ed25519Key = await importPem(ed25519Pem);
+  deepStrictEqual(await exportJwk(ed25519Key), ed25519Jwk);
+});
+
+test("importMultibase()", async () => {
+  const rsaKey = await importMultibaseKey(rsaMultibase);
+  deepStrictEqual(await exportJwk(rsaKey), rsaJwk);
+
+  const ed25519Key = await importMultibaseKey(ed25519Multibase);
+  deepStrictEqual(await exportJwk(ed25519Key), ed25519Jwk);
+});
+
+test("exportMultibaseKey()", async () => {
+  const rsaKey = await importJwk(rsaJwk, "public");
+  const rsaMb = await exportMultibaseKey(rsaKey);
+  deepStrictEqual(rsaMb, rsaMultibase);
+
+  const ed25519Key = await importJwk(ed25519Jwk, "public");
+  const ed25519Mb = await exportMultibaseKey(ed25519Key);
+  deepStrictEqual(ed25519Mb, ed25519Multibase);
+
+  // Test vectors from <https://codeberg.org/fediverse/fep/src/branch/main/fep/521a/fep-521a.feature>:
+  const rsaKey2 = await importJwk({
+    alg: "RS256",
+    ext: true,
+    key_ops: ["verify"],
+    // cSpell: disable
+    e: "AQAB",
+    kty: "RSA",
+    n: "sbX82NTV6IylxCh7MfV4hlyvaniCajuP97GyOqSvTmoEdBOflFvZ06kR_9D6ctt45Fk6h" +
+      "skfnag2GG69NALVH2o4RCR6tQiLRpKcMRtDYE_thEmfBvDzm_VVkOIYfxu-Ipuo9J_S5XD" +
+      "NDjczx2v-3oDh5-CIHkU46hvFeCvpUS-L8TJSbgX0kjVk_m4eIb9wh63rtmD6Uz_KBtCo5" +
+      "mmR4TEtcLZKYdqMp3wCjN-TlgHiz_4oVXWbHUefCEe8rFnX1iQnpDHU49_SaXQoud1jCae" +
+      "xFn25n-Aa8f8bc5Vm-5SeRwidHa6ErvEhTvf1dz6GoNPp2iRvm-wJ1gxwWJEYPQ",
+    // cSpell: enable
+  }, "public");
+  const rsaMb2 = await exportMultibaseKey(rsaKey2);
+  deepStrictEqual(
+    rsaMb2,
+    // cSpell: disable
+    "z4MXj1wBzi9jUstyPMS4jQqB6KdJaiatPkAtVtGc6bQEQEEsKTic4G7Rou3iBf9vPmT5dbkm" +
+      "9qsZsuVNjq8HCuW1w24nhBFGkRE4cd2Uf2tfrB3N7h4mnyPp1BF3ZttHTYv3DLUPi1zMdk" +
+      "ULiow3M1GfXkoC6DoxDUm1jmN6GBj22SjVsr6dxezRVQc7aj9TxE7JLbMH1wh5X3kA58H3" +
+      "DFW8rnYMakFGbca5CB2Jf6CnGQZmL7o5uJAdTwXfy2iiiyPxXEGerMhHwhjTA1mKYobyk2" +
+      "CpeEcmvynADfNZ5MBvcCS7m3XkFCMNUYBS9NQ3fze6vMSUPsNa6GVYmKx2x6JrdEjCk3qR" +
+      "MMmyjnjCMfR4pXbRMZa3i",
+    // cSpell: enable
+  );
+
+  const ed25519Key2 = await importJwk({
+    alg: "Ed25519",
+    crv: "Ed25519",
+    ext: true,
+    key_ops: ["verify"],
+    kty: "OKP",
+    // cSpell: disable
+    x: "Lm_M42cB3HkUiODQsXRcweM6TByfzEHGO9ND274JcOY",
+    // cSpell: enable
+  }, "public");
+  const ed25519Mb2 = await exportMultibaseKey(ed25519Key2);
+  deepStrictEqual(
+    ed25519Mb2,
+    // cSpell: disable
+    "z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK",
+    // cSpell: enable
+  );
+});