@le-space/orbitdb-identity-provider-webauthn-did 0.0.1 → 0.2.1

package/src/varsig/assertion.js

@@ -0,0 +1,205 @@
+/**
+ * Build and verify WebAuthn varsig assertions for payloads.
+ */
+import { unwrapEC2Signature } from 'iso-passkeys';
+import {
+  bytesToBase64url,
+  decodeWebAuthnVarsigV1,
+  encodeWebAuthnVarsigV1,
+  parseClientDataJSON,
+  reconstructSignedData,
+  verifyEd25519Signature,
+  verifyP256Signature,
+  verifyWebAuthnAssertion
+} from 'iso-webauthn-varsig';
+import { buildChallengeBytes, toArrayBuffer, toBytes } from './utils.js';
+
+const isTestMode = () =>
+  typeof window !== 'undefined' && window.__PLAYWRIGHT__ === true;
+
+/**
+ * Run a WebAuthn assertion for a payload.
+ * @param {Object} credential - WebAuthn credential info.
+ * @param {Uint8Array} payloadBytes - Payload to sign.
+ * @param {string} domainLabel - Challenge domain label.
+ * @returns {Promise<Object>} Assertion metadata and bytes.
+ */
+async function runWebAuthnAssertionForPayload(credential, payloadBytes, domainLabel) {
+  const rpId = window.location.hostname;
+  const origin = window.location.origin;
+  const challengeBytes = await buildChallengeBytes(domainLabel, payloadBytes);
+
+  if (isTestMode()) {
+    return {
+      rpId,
+      origin,
+      challengeBytes,
+      algorithm: credential.algorithm,
+      publicKey: credential.publicKey,
+      assertion: {
+        authenticatorData: new Uint8Array(37),
+        clientDataJSON: new TextEncoder().encode(JSON.stringify({
+          type: 'webauthn.get',
+          challenge: 'test',
+          origin
+        })),
+        signature: new Uint8Array(64)
+      }
+    };
+  }
+
+  const assertion = await navigator.credentials.get({
+    publicKey: {
+      rpId,
+      challenge: challengeBytes,
+      allowCredentials: [
+        {
+          type: 'public-key',
+          id: toArrayBuffer(credential.credentialId)
+        }
+      ],
+      userVerification: 'preferred'
+    }
+  });
+
+  if (!assertion) {
+    throw new Error('Passkey authentication failed.');
+  }
+
+  const response = assertion.response;
+
+  return {
+    rpId,
+    origin,
+    challengeBytes,
+    algorithm: credential.algorithm,
+    publicKey: credential.publicKey,
+    assertion: {
+      authenticatorData: new Uint8Array(response.authenticatorData),
+      clientDataJSON: new Uint8Array(response.clientDataJSON),
+      signature: new Uint8Array(response.signature)
+    }
+  };
+}
+
+/**
+ * Build varsig envelope and validate the assertion.
+ * @param {Object} assertionData - Assertion metadata from WebAuthn.
+ * @returns {Promise<{varsig: Uint8Array, clientData: Object, verification: Object, signatureValid: boolean}>}
+ */
+async function buildVarsigOutput(assertionData) {
+  if (isTestMode()) {
+    return {
+      varsig: new Uint8Array([1, 2, 3]),
+      clientData: {},
+      verification: { valid: true },
+      signatureValid: true
+    };
+  }
+
+  const { assertion, algorithm, origin, rpId, challengeBytes, publicKey } =
+    assertionData;
+
+  const varsig = encodeWebAuthnVarsigV1(assertion, algorithm);
+  const decoded = decodeWebAuthnVarsigV1(varsig);
+  const clientData = parseClientDataJSON(decoded.clientDataJSON);
+
+  const verification = await verifyWebAuthnAssertion(decoded, {
+    expectedOrigin: origin,
+    expectedRpId: rpId,
+    expectedChallenge: challengeBytes
+  });
+
+  const signedData = await reconstructSignedData(decoded);
+  const signatureBytes = Uint8Array.from(decoded.signature);
+  let p256Signature = signatureBytes;
+  if (signatureBytes.length !== 64) {
+    try {
+      p256Signature = Uint8Array.from(unwrapEC2Signature(signatureBytes));
+    } catch {
+      p256Signature = signatureBytes;
+    }
+  }
+
+  const signatureValid =
+    algorithm === 'Ed25519'
+      ? await verifyEd25519Signature(signedData, decoded.signature, publicKey)
+      : await verifyP256Signature(signedData, p256Signature, publicKey);
+
+  if (!verification.valid || !signatureValid) {
+    throw new Error('WebAuthn varsig verification failed.');
+  }
+
+  return { varsig, clientData, verification, signatureValid };
+}
+
+/**
+ * Resolve algorithm name from a public key.
+ * @param {Uint8Array} publicKey - Raw public key bytes.
+ * @returns {string} Algorithm name.
+ */
+function algorithmFromPublicKey(publicKey) {
+  if (publicKey.length === 32) {
+    return 'Ed25519';
+  }
+  if (publicKey.length === 65 && publicKey[0] === 0x04) {
+    return 'P-256';
+  }
+  throw new Error('Unsupported public key format');
+}
+
+/**
+ * Verify varsig signature for a payload and domain.
+ * @param {Uint8Array} signature - Varsig signature.
+ * @param {Uint8Array} publicKey - Public key bytes.
+ * @param {Uint8Array} payloadBytes - Signed payload bytes.
+ * @param {string} domainLabel - Challenge domain label.
+ * @returns {Promise<boolean>} True if valid.
+ */
+async function verifyVarsigForPayload(signature, publicKey, payloadBytes, domainLabel) {
+  if (isTestMode()) {
+    return true;
+  }
+
+  const decoded = decodeWebAuthnVarsigV1(signature);
+  const clientData = parseClientDataJSON(decoded.clientDataJSON);
+  const expectedChallenge = await buildChallengeBytes(domainLabel, payloadBytes);
+  const expectedChallengeEncoded = bytesToBase64url(expectedChallenge);
+
+  if (clientData.challenge !== expectedChallengeEncoded) {
+    return false;
+  }
+
+  const verification = await verifyWebAuthnAssertion(decoded, {
+    expectedOrigin: window.location.origin,
+    expectedRpId: window.location.hostname,
+    expectedChallenge
+  });
+
+  if (!verification.valid) {
+    return false;
+  }
+
+  const signedData = await reconstructSignedData(decoded);
+  const signatureBytes = Uint8Array.from(decoded.signature);
+  let p256Signature = signatureBytes;
+  if (signatureBytes.length !== 64) {
+    try {
+      p256Signature = Uint8Array.from(unwrapEC2Signature(signatureBytes));
+    } catch {
+      p256Signature = signatureBytes;
+    }
+  }
+
+  const algorithm = algorithmFromPublicKey(publicKey);
+  return algorithm === 'Ed25519'
+    ? verifyEd25519Signature(signedData, decoded.signature, publicKey)
+    : verifyP256Signature(signedData, p256Signature, publicKey);
+}
+
+export {
+  buildVarsigOutput,
+  runWebAuthnAssertionForPayload,
+  verifyVarsigForPayload,
+  toBytes
+};

package/src/varsig/credential.js

@@ -0,0 +1,144 @@
+/**
+ * WebAuthn varsig credential creation and parsing utilities.
+ */
+import { DIDKey } from 'iso-did';
+import { parseAttestationObject } from 'iso-passkeys';
+import { toArrayBuffer } from './utils.js';
+
+const isTestMode = () =>
+  typeof window !== 'undefined' && window.__PLAYWRIGHT__ === true;
+
+/**
+ * Extract public key info from a WebAuthn attestation object.
+ * @param {Uint8Array} attestationObject - Raw attestation object bytes.
+ * @returns {{algorithm: string|null, publicKey: Uint8Array|null, kty: number, alg: number, crv: number}}
+ */
+function extractCredentialInfo(attestationObject) {
+  const parsed = parseAttestationObject(toArrayBuffer(attestationObject));
+  const coseKey = parsed.authData.credentialPublicKey;
+
+  if (!coseKey) {
+    throw new Error('Credential public key missing from attestation');
+  }
+
+  const getValue = (key) =>
+    coseKey instanceof Map ? coseKey.get(key) : coseKey[key];
+
+  const kty = getValue(1);
+  const alg = getValue(3);
+  const crv = getValue(-1);
+
+  if (kty === 1 && (alg === -50 || alg === -8) && crv === 6) {
+    const publicKeyBytes = new Uint8Array(getValue(-2));
+    if (publicKeyBytes.length !== 32) {
+      throw new Error(`Invalid Ed25519 public key length: ${publicKeyBytes.length}`);
+    }
+    return { algorithm: 'Ed25519', publicKey: publicKeyBytes, kty, alg, crv };
+  }
+
+  if (kty === 2 && alg === -7 && crv === 1) {
+    const x = new Uint8Array(getValue(-2));
+    const y = new Uint8Array(getValue(-3));
+    if (x.length !== 32 || y.length !== 32) {
+      throw new Error(`Invalid P-256 coordinate length: x=${x.length} y=${y.length}`);
+    }
+    const publicKeyBytes = new Uint8Array(65);
+    publicKeyBytes[0] = 0x04;
+    publicKeyBytes.set(x, 1);
+    publicKeyBytes.set(y, 33);
+    return { algorithm: 'P-256', publicKey: publicKeyBytes, kty, alg, crv };
+  }
+
+  return { algorithm: null, publicKey: null, kty, alg, crv };
+}
+
+/**
+ * Create a WebAuthn credential for varsig usage.
+ * @param {Object} [options] - WebAuthn creation options.
+ * @param {string} [options.userId] - User identifier.
+ * @param {string} [options.displayName] - Display name.
+ * @param {string} [options.domain] - RP ID / domain.
+ * @returns {Promise<Object>} Credential info including public key and DID.
+ */
+async function createWebAuthnVarsigCredential(options = {}) {
+  const {
+    userId,
+    displayName,
+    domain
+  } = {
+    userId: `orbitdb-user-${Date.now()}`,
+    displayName: 'OrbitDB Varsig User',
+    domain: window.location.hostname,
+    ...options
+  };
+
+  if (isTestMode()) {
+    const credentialId = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8]);
+    const publicKey = new Uint8Array(32);
+    for (let i = 0; i < publicKey.length; i++) {
+      publicKey[i] = i + 1;
+    }
+    const algorithm = 'Ed25519';
+    const did = DIDKey.fromPublicKey(algorithm, publicKey).did;
+    return {
+      credentialId,
+      publicKey,
+      did,
+      algorithm,
+      cose: { kty: 1, alg: -8, crv: 6 }
+    };
+  }
+
+  const publicKey = {
+    rp: { name: 'OrbitDB Varsig Identity', id: domain },
+    user: {
+      id: crypto.getRandomValues(new Uint8Array(16)),
+      name: userId,
+      displayName
+    },
+    challenge: crypto.getRandomValues(new Uint8Array(32)),
+    pubKeyCredParams: [
+      { type: 'public-key', alg: -50 },
+      { type: 'public-key', alg: -8 },
+      { type: 'public-key', alg: -7 }
+    ],
+    attestation: 'none',
+    authenticatorSelection: {
+      residentKey: 'preferred',
+      userVerification: 'preferred'
+    }
+  };
+
+  const credential = await navigator.credentials.create({ publicKey });
+  if (!credential) {
+    throw new Error('Passkey registration failed.');
+  }
+
+  const response = credential.response;
+  const {
+    algorithm,
+    publicKey: publicKeyBytes,
+    kty,
+    alg,
+    crv
+  } = extractCredentialInfo(new Uint8Array(response.attestationObject));
+
+  if (!publicKeyBytes || !algorithm) {
+    throw new Error('No supported credential returned (expected Ed25519 or P-256).');
+  }
+
+  const credentialId = new Uint8Array(credential.rawId);
+  const did = DIDKey.fromPublicKey(algorithm, publicKeyBytes).did;
+
+  return {
+    credentialId,
+    publicKey: publicKeyBytes,
+    did,
+    algorithm,
+    cose: { kty, alg, crv }
+  };
+}
+
+export {
+  createWebAuthnVarsigCredential
+};

package/src/varsig/domain.js

@@ -0,0 +1,11 @@
+/**
+ * Default domain labels for varsig challenge separation.
+ * @type {{id: string, publicKey: string, entry: string}}
+ */
+const DEFAULT_DOMAIN_LABELS = {
+  id: 'orbitdb-id:',
+  publicKey: 'orbitdb-pubkey:',
+  entry: 'orbitdb-entry:'
+};
+
+export { DEFAULT_DOMAIN_LABELS };

package/src/varsig/identity.js

@@ -0,0 +1,161 @@
+/**
+ * Identity creation helpers for WebAuthn varsig.
+ */
+import * as Block from 'multiformats/block';
+import * as dagCbor from '@ipld/dag-cbor';
+import { sha256 } from 'multiformats/hashes/sha2';
+import { base58btc } from 'multiformats/bases/base58';
+import { DIDKey } from 'iso-did';
+import { concat } from 'iso-webauthn-varsig';
+import { DEFAULT_DOMAIN_LABELS } from './domain.js';
+import { encoder, toBytes } from './utils.js';
+import { verifyVarsigForPayload } from './assertion.js';
+import { WebAuthnVarsigProvider } from './provider.js';
+
+const IDENTITY_CODEC = dagCbor;
+const IDENTITY_HASHER = sha256;
+const IDENTITY_HASH_ENCODING = base58btc;
+
+/**
+ * Encode an identity value as CBOR and compute its CID hash.
+ * @param {Object} value - Identity payload.
+ * @returns {Promise<{hash: string, bytes: Uint8Array}>}
+ */
+async function encodeIdentityValue(value) {
+  const { cid, bytes } = await Block.encode({
+    value,
+    codec: IDENTITY_CODEC,
+    hasher: IDENTITY_HASHER
+  });
+  return {
+    hash: cid.toString(IDENTITY_HASH_ENCODING),
+    bytes: Uint8Array.from(bytes)
+  };
+}
+
+/**
+ * Create a WebAuthn varsig identity.
+ * @param {Object} params - Identity inputs.
+ * @param {Object} params.credential - WebAuthn varsig credential info.
+ * @param {Object} [params.domainLabels] - Domain label overrides.
+ * @returns {Promise<Object>} OrbitDB identity object.
+ */
+export async function createWebAuthnVarsigIdentity({ credential, domainLabels = {} }) {
+  const labels = { ...DEFAULT_DOMAIN_LABELS, ...domainLabels };
+  const provider = new WebAuthnVarsigProvider(credential);
+  const id = credential.did || DIDKey.fromPublicKey(credential.algorithm, credential.publicKey).did;
+  const idBytes = encoder.encode(id);
+
+  const idSignature = await provider.signPayload(idBytes, labels.id);
+  const publicKeyPayload = concat([credential.publicKey, idSignature]);
+  const publicKeySignature = await provider.signPayload(publicKeyPayload, labels.publicKey);
+
+  const identity = {
+    id,
+    publicKey: credential.publicKey,
+    signatures: {
+      id: idSignature,
+      publicKey: publicKeySignature
+    },
+    type: 'webauthn-varsig',
+    sign: (identityInstance, data) => provider.sign(data, labels.entry),
+    verify: (signature, data) =>
+      provider.verify(signature, credential.publicKey, data, labels.entry)
+  };
+
+  const { hash, bytes } = await encodeIdentityValue({
+    id: identity.id,
+    publicKey: identity.publicKey,
+    signatures: identity.signatures,
+    type: identity.type
+  });
+  identity.hash = hash;
+  identity.bytes = bytes;
+
+  return identity;
+}
+
+/**
+ * Build an OrbitDB identities interface for varsig.
+ * @param {Object} identity - Local identity instance.
+ * @param {Object} [domainLabels] - Domain label overrides.
+ * @param {Object} [storage] - Optional storage adapter.
+ * @returns {Object} Identities-compatible API.
+ */
+export function createWebAuthnVarsigIdentities(identity, domainLabels = {}) {
+  const labels = { ...DEFAULT_DOMAIN_LABELS, ...domainLabels };
+  const identityByHash = new Map([[identity.hash, identity]]);
+  const storage = arguments.length > 2 ? arguments[2] : null;
+
+  const verify = (signature, publicKey, data) =>
+    verifyVarsigForPayload(signature, publicKey, toBytes(data), labels.entry);
+
+  const verifyIdentity = async (identityToVerify) => {
+    if (!identityToVerify) return false;
+
+    const idBytes = encoder.encode(identityToVerify.id);
+    const idValid = await verifyVarsigForPayload(
+      identityToVerify.signatures.id,
+      identityToVerify.publicKey,
+      idBytes,
+      labels.id
+    );
+    if (!idValid) return false;
+
+    const publicKeyPayload = concat([
+      identityToVerify.publicKey,
+      identityToVerify.signatures.id
+    ]);
+
+    return verifyVarsigForPayload(
+      identityToVerify.signatures.publicKey,
+      identityToVerify.publicKey,
+      publicKeyPayload,
+      labels.publicKey
+    );
+  };
+
+  const getIdentity = async (hash) => {
+    const cached = identityByHash.get(hash);
+    if (cached) return cached;
+    if (!storage || !storage.get) return null;
+    const bytes = await storage.get(hash);
+    if (!bytes) return null;
+    const { value } = await Block.decode({ bytes, codec: IDENTITY_CODEC, hasher: IDENTITY_HASHER });
+    const decoded = value;
+    const { hash: decodedHash } = await encodeIdentityValue({
+      id: decoded.id,
+      publicKey: decoded.publicKey,
+      signatures: decoded.signatures,
+      type: decoded.type
+    });
+    const storedIdentity = {
+      id: decoded.id,
+      publicKey: decoded.publicKey,
+      signatures: decoded.signatures,
+      type: decoded.type,
+      hash: decodedHash,
+      bytes,
+      sign: async () => {
+        throw new Error('Remote identity cannot sign');
+      },
+      verify: (signature, data) =>
+        verifyVarsigForPayload(signature, decoded.publicKey, toBytes(data), labels.entry)
+    };
+    identityByHash.set(decodedHash, storedIdentity);
+    return storedIdentity;
+  };
+
+  if (storage && storage.put) {
+    storage.put(identity.hash, identity.bytes);
+  }
+
+  return {
+    createIdentity: async () => identity,
+    verifyIdentity,
+    getIdentity,
+    sign: (identityInstance, data) => identityInstance.sign(identityInstance, data),
+    verify,
+    keystore: null
+  };
+}

package/src/varsig/index.js

@@ -0,0 +1,6 @@
+/**
+ * WebAuthn varsig public exports.
+ */
+export { WebAuthnVarsigProvider } from './provider.js';
+export { createWebAuthnVarsigIdentity, createWebAuthnVarsigIdentities } from './identity.js';
+export { storeWebAuthnVarsigCredential, loadWebAuthnVarsigCredential, clearWebAuthnVarsigCredential } from './storage.js';

package/src/varsig/provider.js

@@ -0,0 +1,78 @@
+/**
+ * WebAuthn varsig identity provider.
+ *
+ * Uses passkey assertions for each signature and encodes them into a varsig
+ * envelope for OrbitDB identity verification.
+ */
+import { DEFAULT_DOMAIN_LABELS } from './domain.js';
+import { buildVarsigOutput, runWebAuthnAssertionForPayload, verifyVarsigForPayload, toBytes } from './assertion.js';
+import { createWebAuthnVarsigCredential } from './credential.js';
+
+export class WebAuthnVarsigProvider {
+  /**
+   * @param {Object} credentialInfo - Varsig credential info (public key, algorithm, credentialId)
+   */
+  constructor(credentialInfo) {
+    this.credential = credentialInfo;
+    this.type = 'webauthn-varsig';
+  }
+
+  /**
+   * @returns {boolean} True if WebAuthn is available in this environment.
+   */
+  static isSupported() {
+    return Boolean(window.PublicKeyCredential);
+  }
+
+  /**
+   * Create a WebAuthn varsig credential.
+   * @param {Object} [options] - WebAuthn creation options.
+   * @returns {Promise<Object>} Credential info with public key and DID.
+   */
+  static async createCredential(options = {}) {
+    return createWebAuthnVarsigCredential(options);
+  }
+
+  /**
+   * Sign raw bytes using WebAuthn and return a varsig envelope.
+   * @param {Uint8Array} payloadBytes - Data to sign.
+   * @param {string} [domainLabel] - Domain label for the challenge.
+   * @returns {Promise<Uint8Array>} Varsig signature.
+   */
+  async signPayload(payloadBytes, domainLabel = DEFAULT_DOMAIN_LABELS.entry) {
+    const assertion = await runWebAuthnAssertionForPayload(
+      this.credential,
+      payloadBytes,
+      domainLabel
+    );
+    const output = await buildVarsigOutput(assertion);
+    return output.varsig;
+  }
+
+  /**
+   * Sign data (string or bytes) and return a varsig envelope.
+   * @param {string|Uint8Array} data - Data to sign.
+   * @param {string} [domainLabel] - Domain label for the challenge.
+   * @returns {Promise<Uint8Array>} Varsig signature.
+   */
+  async sign(data, domainLabel = DEFAULT_DOMAIN_LABELS.entry) {
+    return this.signPayload(toBytes(data), domainLabel);
+  }
+
+  /**
+   * Verify a varsig signature for a payload.
+   * @param {Uint8Array} signature - Varsig signature.
+   * @param {Uint8Array} publicKey - Public key for verification.
+   * @param {string|Uint8Array} data - Payload data.
+   * @param {string} [domainLabel] - Domain label for the challenge.
+   * @returns {Promise<boolean>} True if valid.
+   */
+  async verify(signature, publicKey, data, domainLabel = DEFAULT_DOMAIN_LABELS.entry) {
+    return verifyVarsigForPayload(
+      signature,
+      publicKey,
+      toBytes(data),
+      domainLabel
+    );
+  }
+}

package/src/varsig/storage.js

@@ -0,0 +1,46 @@
+/**
+ * LocalStorage helpers for varsig credential persistence.
+ */
+import { base64urlToBytes, bytesToBase64url } from 'iso-webauthn-varsig';
+
+/**
+ * Persist varsig credential to localStorage.
+ * @param {Object} credential - Varsig credential info.
+ * @param {string} [key] - Storage key.
+ */
+export function storeWebAuthnVarsigCredential(credential, key = 'webauthn-varsig-credential') {
+  const payload = {
+    credentialId: bytesToBase64url(credential.credentialId),
+    publicKey: bytesToBase64url(credential.publicKey),
+    did: credential.did,
+    algorithm: credential.algorithm,
+    cose: credential.cose || null
+  };
+  localStorage.setItem(key, JSON.stringify(payload));
+}
+
+/**
+ * Load varsig credential from localStorage.
+ * @param {string} [key] - Storage key.
+ * @returns {Object|null} Credential info or null.
+ */
+export function loadWebAuthnVarsigCredential(key = 'webauthn-varsig-credential') {
+  const stored = localStorage.getItem(key);
+  if (!stored) return null;
+  const parsed = JSON.parse(stored);
+  return {
+    credentialId: base64urlToBytes(parsed.credentialId),
+    publicKey: base64urlToBytes(parsed.publicKey),
+    did: parsed.did,
+    algorithm: parsed.algorithm,
+    cose: parsed.cose || null
+  };
+}
+
+/**
+ * Remove varsig credential from localStorage.
+ * @param {string} [key] - Storage key.
+ */
+export function clearWebAuthnVarsigCredential(key = 'webauthn-varsig-credential') {
+  localStorage.removeItem(key);
+}

package/src/varsig/utils.js

@@ -0,0 +1,43 @@
+/**
+ * Byte and challenge helpers for varsig signing.
+ */
+import { concat } from 'iso-webauthn-varsig';
+
+const encoder = new TextEncoder();
+
+/**
+ * Convert a Uint8Array view to ArrayBuffer slice.
+ * @param {Uint8Array} bytes - Source bytes.
+ * @returns {ArrayBuffer} ArrayBuffer slice.
+ */
+function toArrayBuffer(bytes) {
+  return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
+}
+
+/**
+ * Convert string to bytes, or return bytes as-is.
+ * @param {string|Uint8Array} data - Input data.
+ * @returns {Uint8Array} Byte representation.
+ */
+function toBytes(data) {
+  return typeof data === 'string' ? encoder.encode(data) : data;
+}
+
+/**
+ * Build a WebAuthn challenge from a domain label and payload.
+ * @param {string} domainLabel - Domain label prefix.
+ * @param {Uint8Array} payloadBytes - Payload bytes.
+ * @returns {Promise<Uint8Array>} SHA-256 digest.
+ */
+async function buildChallengeBytes(domainLabel, payloadBytes) {
+  const domain = encoder.encode(domainLabel);
+  const hash = await crypto.subtle.digest('SHA-256', concat([domain, payloadBytes]));
+  return new Uint8Array(hash);
+}
+
+export {
+  encoder,
+  toArrayBuffer,
+  toBytes,
+  buildChallengeBytes
+};