@gjsify/crypto 0.1.0

package/src/scrypt.ts

@@ -0,0 +1,191 @@
+// Implements scrypt per RFC 7914 (The scrypt Password-Based Key Derivation Function)
+// Reference: refs/node/lib/internal/crypto/scrypt.js
+// Copyright (c) Node.js contributors. MIT license.
+// Modifications: Pure-JS implementation for GJS using internal PBKDF2/Hmac
+
+import { Buffer } from 'node:buffer';
+import { pbkdf2Sync } from './pbkdf2.js';
+
+export interface ScryptOptions {
+  N?: number;    // CPU/memory cost parameter (default: 16384)
+  r?: number;    // Block size parameter (default: 8)
+  p?: number;    // Parallelization parameter (default: 1)
+  maxmem?: number;
+}
+
+type ScryptCallback = (err: Error | null, derivedKey: Buffer) => void;
+
+// ---- Salsa20/8 core ----
+
+function R(a: number, b: number): number {
+  return ((a << b) | (a >>> (32 - b))) >>> 0;
+}
+
+function salsa20_8(B: Uint32Array): void {
+  const x = new Uint32Array(16);
+  for (let i = 0; i < 16; i++) x[i] = B[i];
+
+  for (let i = 0; i < 4; i++) {
+    // Column round
+    x[ 4] ^= R(x[ 0]+x[12], 7);  x[ 8] ^= R(x[ 4]+x[ 0], 9);
+    x[12] ^= R(x[ 8]+x[ 4],13);  x[ 0] ^= R(x[12]+x[ 8],18);
+    x[ 9] ^= R(x[ 5]+x[ 1], 7);  x[13] ^= R(x[ 9]+x[ 5], 9);
+    x[ 1] ^= R(x[13]+x[ 9],13);  x[ 5] ^= R(x[ 1]+x[13],18);
+    x[14] ^= R(x[10]+x[ 6], 7);  x[ 2] ^= R(x[14]+x[10], 9);
+    x[ 6] ^= R(x[ 2]+x[14],13);  x[10] ^= R(x[ 6]+x[ 2],18);
+    x[ 3] ^= R(x[15]+x[11], 7);  x[ 7] ^= R(x[ 3]+x[15], 9);
+    x[11] ^= R(x[ 7]+x[ 3],13);  x[15] ^= R(x[11]+x[ 7],18);
+    // Row round
+    x[ 1] ^= R(x[ 0]+x[ 3], 7);  x[ 2] ^= R(x[ 1]+x[ 0], 9);
+    x[ 3] ^= R(x[ 2]+x[ 1],13);  x[ 0] ^= R(x[ 3]+x[ 2],18);
+    x[ 6] ^= R(x[ 5]+x[ 4], 7);  x[ 7] ^= R(x[ 6]+x[ 5], 9);
+    x[ 4] ^= R(x[ 7]+x[ 6],13);  x[ 5] ^= R(x[ 4]+x[ 7],18);
+    x[11] ^= R(x[10]+x[ 9], 7);  x[ 8] ^= R(x[11]+x[10], 9);
+    x[ 9] ^= R(x[ 8]+x[11],13);  x[10] ^= R(x[ 9]+x[ 8],18);
+    x[12] ^= R(x[15]+x[14], 7);  x[13] ^= R(x[12]+x[15], 9);
+    x[14] ^= R(x[13]+x[12],13);  x[15] ^= R(x[14]+x[13],18);
+  }
+
+  for (let i = 0; i < 16; i++) B[i] = (B[i] + x[i]) >>> 0;
+}
+
+// ---- BlockMix (Salsa20/8) ----
+
+function blockMix(B: Uint32Array, r: number): void {
+  const blockWords = 2 * r * 16;
+  const X = new Uint32Array(16);
+  // X = B[2r-1]
+  for (let i = 0; i < 16; i++) X[i] = B[blockWords - 16 + i];
+
+  const Y = new Uint32Array(blockWords);
+
+  for (let i = 0; i < 2 * r; i++) {
+    // X = X ⊕ B[i]
+    for (let j = 0; j < 16; j++) X[j] ^= B[i * 16 + j];
+    salsa20_8(X);
+    // Y[i] = X
+    for (let j = 0; j < 16; j++) Y[i * 16 + j] = X[j];
+  }
+
+  // B = [Y[0], Y[2], ..., Y[2r-2], Y[1], Y[3], ..., Y[2r-1]]
+  for (let i = 0; i < r; i++) {
+    for (let j = 0; j < 16; j++) B[i * 16 + j] = Y[2 * i * 16 + j];
+  }
+  for (let i = 0; i < r; i++) {
+    for (let j = 0; j < 16; j++) B[(r + i) * 16 + j] = Y[(2 * i + 1) * 16 + j];
+  }
+}
+
+// ---- ROMix ----
+
+function roMix(B: Uint32Array, N: number, r: number): void {
+  const blockWords = 2 * r * 16;
+  const V = new Array<Uint32Array>(N);
+
+  for (let i = 0; i < N; i++) {
+    V[i] = new Uint32Array(B);
+    blockMix(B, r);
+  }
+
+  for (let i = 0; i < N; i++) {
+    // j = Integerify(B) mod N
+    const j = B[blockWords - 16] & (N - 1);
+    for (let k = 0; k < blockWords; k++) B[k] ^= V[j][k];
+    blockMix(B, r);
+  }
+}
+
+// ---- Bytes to Uint32Array (little-endian) ----
+
+function bytesToWords(bytes: Uint8Array): Uint32Array {
+  const words = new Uint32Array(bytes.length / 4);
+  for (let i = 0; i < words.length; i++) {
+    words[i] = bytes[i*4] | (bytes[i*4+1] << 8) | (bytes[i*4+2] << 16) | (bytes[i*4+3] << 24);
+  }
+  return words;
+}
+
+function wordsToBytes(words: Uint32Array): Uint8Array {
+  const bytes = new Uint8Array(words.length * 4);
+  for (let i = 0; i < words.length; i++) {
+    bytes[i*4] = words[i] & 0xff;
+    bytes[i*4+1] = (words[i] >> 8) & 0xff;
+    bytes[i*4+2] = (words[i] >> 16) & 0xff;
+    bytes[i*4+3] = (words[i] >> 24) & 0xff;
+  }
+  return bytes;
+}
+
+// ---- scrypt core ----
+
+function scryptCore(
+  password: Buffer | Uint8Array,
+  salt: Buffer | Uint8Array,
+  N: number,
+  r: number,
+  p: number,
+  keyLen: number,
+): Buffer {
+  // Step 1: Generate initial blocks with PBKDF2-SHA256
+  const blockSize = 128 * r;
+  const B = pbkdf2Sync(password, salt, 1, p * blockSize, 'sha256');
+
+  // Step 2: Apply ROMix to each block
+  for (let i = 0; i < p; i++) {
+    const blockBytes = new Uint8Array(B.buffer, B.byteOffset + i * blockSize, blockSize);
+    const blockWords = bytesToWords(blockBytes);
+    roMix(blockWords, N, r);
+    const result = wordsToBytes(blockWords);
+    blockBytes.set(result);
+  }
+
+  // Step 3: Derive final key with PBKDF2-SHA256
+  return pbkdf2Sync(password, B, 1, keyLen, 'sha256');
+}
+
+// ---- Public API ----
+
+export function scryptSync(
+  password: string | Buffer | Uint8Array,
+  salt: string | Buffer | Uint8Array,
+  keylen: number,
+  options?: ScryptOptions,
+): Buffer {
+  const pwd = typeof password === 'string' ? Buffer.from(password) : Buffer.from(password);
+  const slt = typeof salt === 'string' ? Buffer.from(salt) : Buffer.from(salt);
+  const N = options?.N ?? 16384;
+  const r = options?.r ?? 8;
+  const p = options?.p ?? 1;
+
+  if (N <= 0 || (N & (N - 1)) !== 0) {
+    throw new Error('N must be a positive power of 2');
+  }
+
+  return scryptCore(pwd, slt, N, r, p, keylen);
+}
+
+export function scrypt(
+  password: string | Buffer | Uint8Array,
+  salt: string | Buffer | Uint8Array,
+  keylen: number,
+  optionsOrCallback: ScryptOptions | ScryptCallback,
+  callback?: ScryptCallback,
+): void {
+  let options: ScryptOptions = {};
+  let cb: ScryptCallback;
+
+  if (typeof optionsOrCallback === 'function') {
+    cb = optionsOrCallback;
+  } else {
+    options = optionsOrCallback;
+    cb = callback!;
+  }
+
+  try {
+    const result = scryptSync(password, salt, keylen, options);
+    // Use setTimeout to make it async
+    setTimeout(() => cb(null, result), 0);
+  } catch (err) {
+    setTimeout(() => cb(err instanceof Error ? err : new Error(String(err)), Buffer.alloc(0)), 0);
+  }
+}

package/src/sign.spec.ts

@@ -0,0 +1,160 @@
+// Ported from refs/node-test/parallel/test-crypto-sign-verify.js
+// Original: MIT license, Copyright (c) Node.js contributors
+
+import { describe, it, expect } from '@gjsify/unit';
+import { createSign, createVerify, publicEncrypt, privateDecrypt } from 'node:crypto';
+import { Buffer } from 'node:buffer';
+
+// 2048-bit RSA key pair in PKCS#8/SPKI format for cross-platform compatibility
+const RSA_PRIVATE_KEY = `-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDVJethEusbgt7c
+sPDaTGP+gKEdQhCSVM3Lyc4RSD1gfxLjU14zONlAeR1szp5PEWUQ2SCBykAcDa4t
+wy/pYCx1TXoHozLb9XKPqMKEBgWWiXh0d1Lwl2RYZViw+veBlTc3yc60Bmv5vb75
+S203jBAu5NbBlPbiMtiCffYXsppTVqyaDYuPUTZCga/mJUgPFupi/e5yyqqpYo44
+JyCSskGJ/0c7+cvsQaaF5zlbB4SJY5oFqaDAQIpY/I26mU8+fUY8CiDA3WFc+EzD
+2d7mFyhp9J83hVFBRP+LGx+MQ+ZHQanWECNHfe3+K08tlU88cnCGzZuX1gPPFDdH
+G6ugIelxAgMBAAECggEAYx8QOAOBPDj/BOhwCUSPF9KfmiiX5kTzszp0zwqmKFLP
+6NFjNDTSqy3npirr6d8v/cbLXDA+4gzmnDdx93iXFDHkdtrJEwswrGgRlS3ruVbS
+om6/Lk1pB8aRmTQMl8FZfWMm8gcufWRlBC+0aamD+RrIWBu7N/PnRb/oCpsvM2N4
++ZYxT3OJ21egUEF5WecVf5IyXJM8MWhfugtDnh24XtJAktXMNW4oQoBXyjgopTv6
+Gcx+vkbpDkPSWWGpI8ztt4CB2U17eWAGx6S72DECkJurmBpJW59cerAKYMpcsrwY
+eZ0NSNb1MGBe/Q3EFIg71ll7kjlKRQf1qbWEdhEA5QKBgQDrvxiqgB3Rfrn/1ma4
+F0iY4CiguUVdEK9OiDmfkWlIzvhpxiQJOBOoPzb+3taUmnAdaB2UYyHk5d4yBm46
+zGAQjVYagWN2jDy0E2QmQWDioT7gLXCQvHVDYXVt9u+L9orimOGoKF3ph6lxKtT4
+C/elC9sulWEwITIjwvwuK6lR8wKBgQDndc4W/1Frk/bluonw6kDhLOOmp7D+B0Uk
+tCCx7BB6oOpCsZRZ47X/JOhnWh0bQ7mPIWKMgRcox1pCoPU5efvvD9hCEqCGRW9i
+S4yMOdwS2doXI12KZlkLmVWvbQ4EcYzpeprOKaXgQ/YMxMvwhlkTNZ71OQw0GPp0
+eBfPrOwMCwKBgDLVvkfl4IgwP4N/hB7mRm1QyPH/gYmT83mHvoU+IenlV4PXiiXC
+xdpd50oGW1coBk0RCm/ZAJIPT16SLGrZb02ibJLCm+QQUXazR8FID9BO3PQSWFed
+i9u/xEa2HOmdfE1okiBks/uLmWohxlLGodwhNl5RL+flAJ7diOub1qMpAoGBAMn8
+3GTlWsBu17+TEl3Tj9rxuZjuLl8BKS3mo8GhKKBbXRPmtHfdaC3In6fR1CS+7Wgi
+0kWbQgKsNfB/VoFaGql9QlQmvT9vyMwW8ghNVeh9hP08N51Xw82Demsk2F64WShH
+fmD7p24W4Nozw2WbWJCS8q09o5CzW53YT69EUJoRAoGAQ8IoK50pzLpWD5HBHpqU
+/El/jaozqwctQAv5nREqG9BBHaRcCpKfPAfINF31Xy1CssYe8W8xPNkZyrNPYVC/
+Yi7MeKZhG0BYTXq8CW0O1x8P2fA2KfxmvCPIEKn1QudJw4gAbDpnsKJD14hQtGYb
+CJbXIFhqfWsYSVJJwIK9uL4=
+-----END PRIVATE KEY-----`;
+
+const RSA_PUBLIC_KEY = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1SXrYRLrG4Le3LDw2kxj
+/oChHUIQklTNy8nOEUg9YH8S41NeMzjZQHkdbM6eTxFlENkggcpAHA2uLcMv6WAs
+dU16B6My2/Vyj6jChAYFlol4dHdS8JdkWGVYsPr3gZU3N8nOtAZr+b2++UttN4wQ
+LuTWwZT24jLYgn32F7KaU1asmg2Lj1E2QoGv5iVIDxbqYv3ucsqqqWKOOCcgkrJB
+if9HO/nL7EGmhec5WweEiWOaBamgwECKWPyNuplPPn1GPAogwN1hXPhMw9ne5hco
+afSfN4VRQUT/ixsfjEPmR0Gp1hAjR33t/itPLZVPPHJwhs2bl9YDzxQ3RxuroCHp
+cQIDAQAB
+-----END PUBLIC KEY-----`;
+
+export default async () => {
+
+  await describe('crypto.createSign', async () => {
+    await it('should be a function', async () => {
+      expect(typeof createSign).toBe('function');
+    });
+
+    await it('should create a Sign instance', async () => {
+      const sign = createSign('SHA256');
+      expect(sign).toBeDefined();
+      expect(typeof sign.update).toBe('function');
+      expect(typeof sign.sign).toBe('function');
+    });
+
+    await it('should sign data with RSA-SHA256', async () => {
+      const sign = createSign('SHA256');
+      sign.update('Hello, World!');
+      const signature = sign.sign(RSA_PRIVATE_KEY);
+      expect(Buffer.isBuffer(signature)).toBe(true);
+      expect(signature.length).toBeGreaterThan(0);
+    });
+
+    await it('should produce different signatures for different data', async () => {
+      const sign1 = createSign('SHA256');
+      sign1.update('data1');
+      const sig1 = sign1.sign(RSA_PRIVATE_KEY);
+
+      const sign2 = createSign('SHA256');
+      sign2.update('data2');
+      const sig2 = sign2.sign(RSA_PRIVATE_KEY);
+
+      expect(sig1.toString('hex')).not.toBe(sig2.toString('hex'));
+    });
+  });
+
+  await describe('crypto.createVerify', async () => {
+    await it('should be a function', async () => {
+      expect(typeof createVerify).toBe('function');
+    });
+
+    await it('should verify a valid signature', async () => {
+      const data = 'test data for signing';
+
+      const sign = createSign('SHA256');
+      sign.update(data);
+      const signature = sign.sign(RSA_PRIVATE_KEY);
+
+      const verify = createVerify('SHA256');
+      verify.update(data);
+      const isValid = verify.verify(RSA_PUBLIC_KEY, signature);
+      expect(isValid).toBe(true);
+    });
+
+    await it('should reject invalid signature', async () => {
+      const sign = createSign('SHA256');
+      sign.update('original data');
+      const signature = sign.sign(RSA_PRIVATE_KEY);
+
+      const verify = createVerify('SHA256');
+      verify.update('tampered data');
+      const isValid = verify.verify(RSA_PUBLIC_KEY, signature);
+      expect(isValid).toBe(false);
+    });
+
+    await it('should support multiple update calls', async () => {
+      const sign = createSign('SHA256');
+      sign.update('part1');
+      sign.update('part2');
+      const signature = sign.sign(RSA_PRIVATE_KEY);
+
+      const verify = createVerify('SHA256');
+      verify.update('part1');
+      verify.update('part2');
+      expect(verify.verify(RSA_PUBLIC_KEY, signature)).toBe(true);
+    });
+
+    await it('should support hex encoding for signature', async () => {
+      const sign = createSign('SHA256');
+      sign.update('test');
+      const sigHex = sign.sign(RSA_PRIVATE_KEY, 'hex');
+      expect(typeof sigHex).toBe('string');
+
+      const verify = createVerify('SHA256');
+      verify.update('test');
+      expect(verify.verify(RSA_PUBLIC_KEY, sigHex, 'hex')).toBe(true);
+    });
+  });
+
+  await describe('crypto.publicEncrypt / privateDecrypt', async () => {
+    await it('should be functions', async () => {
+      expect(typeof publicEncrypt).toBe('function');
+      expect(typeof privateDecrypt).toBe('function');
+    });
+
+    await it('should encrypt and decrypt round-trip', async () => {
+      const plaintext = Buffer.from('secret message');
+      const encrypted = publicEncrypt(RSA_PUBLIC_KEY, plaintext);
+      expect(Buffer.isBuffer(encrypted)).toBe(true);
+      expect(encrypted.length).toBeGreaterThan(0);
+
+      const decrypted = privateDecrypt(RSA_PRIVATE_KEY, encrypted);
+      expect(decrypted.toString()).toBe('secret message');
+    });
+
+    await it('should produce different ciphertext each time (PKCS#1 random padding)', async () => {
+      const plaintext = Buffer.from('test');
+      const enc1 = publicEncrypt(RSA_PUBLIC_KEY, plaintext);
+      const enc2 = publicEncrypt(RSA_PUBLIC_KEY, plaintext);
+      // Due to random padding, ciphertexts should differ
+      expect(enc1.toString('hex')).not.toBe(enc2.toString('hex'));
+    });
+  });
+};

package/src/sign.ts

@@ -0,0 +1,319 @@
+// Sign/Verify — RSA PKCS#1 v1.5 signature scheme for GJS
+// Reference: refs/browserify-sign/browser/sign.js, refs/browserify-sign/browser/verify.js
+// Reimplemented for GJS using native BigInt (ES2024)
+
+import { Buffer } from 'node:buffer';
+import { Hash } from './hash.js';
+import { parsePemKey, rsaKeySize } from './asn1.js';
+import type { RsaPrivateComponents, RsaPublicComponents } from './asn1.js';
+import { modPow, bigIntToBytes, bytesToBigInt } from './bigint-math.js';
+
+// ============================================================================
+// PKCS#1 v1.5 DigestInfo structures
+// ============================================================================
+
+/**
+ * DigestInfo DER prefix bytes for each supported hash algorithm.
+ * These encode: SEQUENCE { SEQUENCE { OID hashAlg, NULL }, OCTET STRING hashValue }
+ * excluding the actual hash value at the end.
+ */
+const DIGEST_INFO_PREFIX: Record<string, Uint8Array> = {
+  sha1: new Uint8Array([
+    0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
+    0x2b, 0x0e, 0x03, 0x02, 0x1a,
+    0x05, 0x00, 0x04, 0x14,
+  ]),
+  sha256: new Uint8Array([
+    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
+    0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
+    0x05, 0x00, 0x04, 0x20,
+  ]),
+  sha512: new Uint8Array([
+    0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
+    0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
+    0x05, 0x00, 0x04, 0x40,
+  ]),
+};
+
+// ============================================================================
+// Algorithm normalization
+// ============================================================================
+
+/**
+ * Normalize algorithm strings like "RSA-SHA256", "SHA256", "sha256" to
+ * the canonical hash name used internally (e.g. "sha256").
+ */
+function normalizeSignAlgorithm(algorithm: string): string {
+  let alg = algorithm.toLowerCase().replace(/-/g, '');
+  // Strip leading "rsa" prefix (e.g., "rsasha256" -> "sha256")
+  if (alg.startsWith('rsa')) {
+    alg = alg.slice(3);
+  }
+  if (!DIGEST_INFO_PREFIX[alg]) {
+    throw new Error(`Unsupported algorithm: ${algorithm}. Supported: RSA-SHA1, RSA-SHA256, RSA-SHA512`);
+  }
+  return alg;
+}
+
+// ============================================================================
+// Key extraction helpers
+// ============================================================================
+
+interface KeyInput {
+  key: string;
+  passphrase?: string;
+  padding?: number;
+}
+
+function extractPem(key: string | Buffer | KeyInput): string {
+  if (typeof key === 'string') {
+    return key;
+  }
+  if (Buffer.isBuffer(key) || key instanceof Uint8Array) {
+    return Buffer.from(key).toString('utf8');
+  }
+  if (key && typeof key === 'object' && 'key' in key) {
+    const k = key.key;
+    if (typeof k === 'string') return k;
+    if (Buffer.isBuffer(k) || (k as unknown) instanceof Uint8Array) return Buffer.from(k as Uint8Array).toString('utf8');
+  }
+  throw new TypeError('Invalid key argument');
+}
+
+// ============================================================================
+// Sign class
+// ============================================================================
+
+/**
+ * The Sign class generates RSA PKCS#1 v1.5 signatures.
+ *
+ * Usage:
+ *   const sign = createSign('RSA-SHA256');
+ *   sign.update('data');
+ *   const signature = sign.sign(privateKey);
+ */
+export class Sign {
+  private _algorithm: string;
+  private _hash: Hash;
+  private _finalized = false;
+
+  constructor(algorithm: string) {
+    this._algorithm = normalizeSignAlgorithm(algorithm);
+    this._hash = new Hash(this._algorithm);
+  }
+
+  /**
+   * Update the Sign object with the given data.
+   */
+  update(data: string | Buffer | Uint8Array, inputEncoding?: BufferEncoding): this {
+    if (this._finalized) {
+      throw new Error('Sign was already finalized');
+    }
+    this._hash.update(data, inputEncoding);
+    return this;
+  }
+
+  /**
+   * Compute the signature using the private key.
+   * Returns the signature as a Buffer (or string if outputEncoding is given).
+   */
+  sign(privateKey: string | Buffer | KeyInput, outputEncoding?: BufferEncoding): Buffer | string {
+    if (this._finalized) {
+      throw new Error('Sign was already finalized');
+    }
+    this._finalized = true;
+
+    // Hash the accumulated data
+    const digest = this._hash.digest() as Buffer;
+
+    // Parse the private key
+    const pem = extractPem(privateKey);
+    const parsed = parsePemKey(pem);
+    if (parsed.type !== 'rsa-private') {
+      throw new Error('privateKey must be an RSA private key');
+    }
+    const { n, e, d } = parsed.components;
+    const keyLen = rsaKeySize(n);
+
+    // Build DigestInfo = prefix || hash
+    const prefix = DIGEST_INFO_PREFIX[this._algorithm];
+    const digestInfo = new Uint8Array(prefix.length + digest.length);
+    digestInfo.set(prefix, 0);
+    digestInfo.set(digest, prefix.length);
+
+    // Apply PKCS#1 v1.5 Type 1 padding
+    // 0x00 0x01 [0xFF padding] 0x00 [DigestInfo]
+    const padLen = keyLen - digestInfo.length - 3;
+    if (padLen < 8) {
+      throw new Error('Key is too short for the specified hash algorithm');
+    }
+
+    const em = new Uint8Array(keyLen);
+    em[0] = 0x00;
+    em[1] = 0x01;
+    for (let i = 2; i < 2 + padLen; i++) {
+      em[i] = 0xff;
+    }
+    em[2 + padLen] = 0x00;
+    em.set(digestInfo, 3 + padLen);
+
+    // RSA private key operation: signature = em^d mod n
+    const m = bytesToBigInt(em);
+    const s = modPow(m, d, n);
+    const sigBytes = bigIntToBytes(s, keyLen);
+    const sigBuf = Buffer.from(sigBytes);
+
+    if (outputEncoding) {
+      return sigBuf.toString(outputEncoding);
+    }
+    return sigBuf;
+  }
+}
+
+// ============================================================================
+// Verify class
+// ============================================================================
+
+/**
+ * The Verify class verifies RSA PKCS#1 v1.5 signatures.
+ *
+ * Usage:
+ *   const verify = createVerify('RSA-SHA256');
+ *   verify.update('data');
+ *   const ok = verify.verify(publicKey, signature);
+ */
+export class Verify {
+  private _algorithm: string;
+  private _hash: Hash;
+  private _finalized = false;
+
+  constructor(algorithm: string) {
+    this._algorithm = normalizeSignAlgorithm(algorithm);
+    this._hash = new Hash(this._algorithm);
+  }
+
+  /**
+   * Update the Verify object with the given data.
+   */
+  update(data: string | Buffer | Uint8Array, inputEncoding?: BufferEncoding): this {
+    if (this._finalized) {
+      throw new Error('Verify was already finalized');
+    }
+    this._hash.update(data, inputEncoding);
+    return this;
+  }
+
+  /**
+   * Verify the signature against the public key.
+   * Returns true if the signature is valid, false otherwise.
+   */
+  verify(
+    publicKey: string | Buffer | KeyInput,
+    signature: string | Buffer | Uint8Array,
+    signatureEncoding?: BufferEncoding,
+  ): boolean {
+    if (this._finalized) {
+      throw new Error('Verify was already finalized');
+    }
+    this._finalized = true;
+
+    // Hash the accumulated data
+    const digest = this._hash.digest() as Buffer;
+
+    // Parse the public key
+    const pem = extractPem(publicKey);
+    const parsed = parsePemKey(pem);
+
+    let n: bigint;
+    let e: bigint;
+    if (parsed.type === 'rsa-public') {
+      n = parsed.components.n;
+      e = parsed.components.e;
+    } else if (parsed.type === 'rsa-private') {
+      // Allow using a private key for verification (extract public components)
+      n = parsed.components.n;
+      e = parsed.components.e;
+    } else {
+      throw new Error('publicKey must be an RSA public or private key');
+    }
+
+    const keyLen = rsaKeySize(n);
+
+    // Decode the signature
+    let sigBytes: Uint8Array;
+    if (typeof signature === 'string') {
+      sigBytes = Buffer.from(signature, signatureEncoding || 'base64');
+    } else {
+      sigBytes = signature instanceof Uint8Array ? signature : Buffer.from(signature);
+    }
+
+    if (sigBytes.length !== keyLen) {
+      return false;
+    }
+
+    // RSA public key operation: em = signature^e mod n
+    const s = bytesToBigInt(sigBytes);
+    if (s >= n) {
+      return false;
+    }
+    const m = modPow(s, e, n);
+    const em = bigIntToBytes(m, keyLen);
+
+    // Verify PKCS#1 v1.5 Type 1 padding structure
+    // Expected: 0x00 0x01 [0xFF...] 0x00 [DigestInfo]
+    if (em[0] !== 0x00 || em[1] !== 0x01) {
+      return false;
+    }
+
+    // Find the 0x00 separator after the 0xFF padding
+    let sepIdx = 2;
+    while (sepIdx < em.length && em[sepIdx] === 0xff) {
+      sepIdx++;
+    }
+    if (sepIdx >= em.length || em[sepIdx] !== 0x00) {
+      return false;
+    }
+    // Must have at least 8 bytes of 0xFF padding
+    if (sepIdx - 2 < 8) {
+      return false;
+    }
+    sepIdx++; // skip the 0x00 separator
+
+    // Extract DigestInfo from the decrypted message
+    const recoveredDigestInfo = em.slice(sepIdx);
+
+    // Build expected DigestInfo
+    const prefix = DIGEST_INFO_PREFIX[this._algorithm];
+    const expectedDigestInfo = new Uint8Array(prefix.length + digest.length);
+    expectedDigestInfo.set(prefix, 0);
+    expectedDigestInfo.set(digest, prefix.length);
+
+    // Constant-time comparison
+    if (recoveredDigestInfo.length !== expectedDigestInfo.length) {
+      return false;
+    }
+    let diff = 0;
+    for (let i = 0; i < recoveredDigestInfo.length; i++) {
+      diff |= recoveredDigestInfo[i] ^ expectedDigestInfo[i];
+    }
+    return diff === 0;
+  }
+}
+
+// ============================================================================
+// Factory functions
+// ============================================================================
+
+/**
+ * Create and return a Sign object for the given algorithm.
+ */
+export function createSign(algorithm: string): Sign {
+  return new Sign(algorithm);
+}
+
+/**
+ * Create and return a Verify object for the given algorithm.
+ */
+export function createVerify(algorithm: string): Verify {
+  return new Verify(algorithm);
+}

package/src/test.mts

@@ -0,0 +1,19 @@
+
+import { run } from '@gjsify/unit';
+
+import testSuiteHash from './hash.spec.js';
+import testSuiteHmac from './hmac.spec.js';
+import testSuiteRandom from './random.spec.js';
+import testSuitePbkdf2 from './pbkdf2.spec.js';
+import testSuiteCipher from './cipher.spec.js';
+import testSuiteScrypt from './scrypt.spec.js';
+import testSuiteDh from './dh.spec.js';
+import testSuiteEcdh from './ecdh.spec.js';
+import testSuiteGcm from './gcm.spec.js';
+import testSuiteSign from './sign.spec.js';
+import testSuiteKeyObject from './key-object.spec.js';
+import testSuiteX509 from './x509.spec.js';
+
+import testSuiteExtended from './extended.spec.js';
+
+run({ testSuiteHash, testSuiteHmac, testSuiteRandom, testSuitePbkdf2, testSuiteCipher, testSuiteScrypt, testSuiteDh, testSuiteEcdh, testSuiteGcm, testSuiteSign, testSuiteKeyObject, testSuiteX509, testSuiteExtended });