@libp2p/crypto 4.1.9-dd7b329c4 → 4.1.9-e1ca9cced

package/src/keys/index.ts

@@ -10,141 +10,159 @@
  * For encryption / decryption support, RSA keys should be used.
  */
 
-import { CodeError } from '@libp2p/interface'
-import * as Ed25519 from './ed25519-class.js'
-import generateEphemeralKeyPair from './ephemeral-keys.js'
-import { importer } from './importer.js'
-import { keyStretcher } from './key-stretcher.js'
-import * as keysPBM from './keys.js'
-import * as RSA from './rsa-class.js'
-import { importFromPem } from './rsa-utils.js'
-import * as Secp256k1 from './secp256k1-class.js'
-import type { PrivateKey, PublicKey, KeyType as KeyTypes } from '@libp2p/interface'
-
-export { keyStretcher }
-export { generateEphemeralKeyPair }
-export { keysPBM }
-
-export type { KeyTypes }
-
-export { RsaPrivateKey, RsaPublicKey, MAX_RSA_KEY_SIZE } from './rsa-class.js'
-export { Ed25519PrivateKey, Ed25519PublicKey } from './ed25519-class.js'
-export { Secp256k1PrivateKey, Secp256k1PublicKey } from './secp256k1-class.js'
-export type { JWKKeyPair } from './interface.js'
-
-export const supportedKeys = {
-  rsa: RSA,
-  ed25519: Ed25519,
-  secp256k1: Secp256k1
-}
+import { UnsupportedKeyTypeError } from '@libp2p/interface'
+import { generateEd25519KeyPair, generateEd25519KeyPairFromSeed, unmarshalEd25519PrivateKey, unmarshalEd25519PublicKey } from './ed25519/utils.js'
+import * as pb from './keys.js'
+import { pkcs1ToRSAPrivateKey, pkixToRSAPublicKey, generateRSAKeyPair } from './rsa/utils.js'
+import { generateSecp256k1KeyPair, unmarshalSecp256k1PrivateKey, unmarshalSecp256k1PublicKey } from './secp256k1/utils.js'
+import type { PrivateKey, PublicKey, KeyType, RSAPrivateKey, Secp256k1PrivateKey, Ed25519PrivateKey, Secp256k1PublicKey, Ed25519PublicKey } from '@libp2p/interface'
+import type { MultihashDigest } from 'multiformats'
 
-function unsupportedKey (type: string): CodeError<Record<string, never>> {
-  const supported = Object.keys(supportedKeys).join(' / ')
-  return new CodeError(`invalid or unsupported key type ${type}. Must be ${supported}`, 'ERR_UNSUPPORTED_KEY_TYPE')
-}
+export { generateEphemeralKeyPair } from './ecdh/index.js'
+export { keyStretcher } from './key-stretcher.js'
 
-function typeToKey (type: string): typeof RSA | typeof Ed25519 | typeof Secp256k1 {
-  type = type.toLowerCase()
+/**
+ * Generates a keypair of the given type and bitsize
+ */
+export async function generateKeyPair (type: 'Ed25519'): Promise<Ed25519PrivateKey>
+export async function generateKeyPair (type: 'secp256k1'): Promise<Secp256k1PrivateKey>
+export async function generateKeyPair (type: 'RSA', bits?: number): Promise<RSAPrivateKey>
+export async function generateKeyPair (type: KeyType, bits?: number): Promise<PrivateKey>
+export async function generateKeyPair (type: KeyType, bits?: number): Promise<unknown> {
+  if (type === 'Ed25519') {
+    return generateEd25519KeyPair()
+  }
 
-  if (type === 'rsa' || type === 'ed25519' || type === 'secp256k1') {
-    return supportedKeys[type]
+  if (type === 'secp256k1') {
+    return generateSecp256k1KeyPair()
   }
 
-  throw unsupportedKey(type)
-}
+  if (type === 'RSA') {
+    return generateRSAKeyPair(bits ?? 2048)
+  }
 
-/**
- * Generates a keypair of the given type and bitsize
- */
-export async function generateKeyPair <T extends KeyTypes> (type: T, bits?: number): Promise<PrivateKey<T>> {
-  return typeToKey(type).generateKeyPair(bits ?? 2048)
+  throw new UnsupportedKeyTypeError()
 }
 
 /**
- * Generates a keypair of the given type and bitsize.
+ * Generates a keypair of the given type from the passed seed.  Currently only
+ * supports Ed25519 keys.
  *
  * Seed is a 32 byte uint8array
  */
-export async function generateKeyPairFromSeed <T extends KeyTypes> (type: T, seed: Uint8Array, bits?: number): Promise<PrivateKey<T>> {
-  if (type.toLowerCase() !== 'ed25519') {
-    throw new CodeError('Seed key derivation is unimplemented for RSA or secp256k1', 'ERR_UNSUPPORTED_KEY_DERIVATION_TYPE')
+export async function generateKeyPairFromSeed (type: 'Ed25519', seed: Uint8Array): Promise<Ed25519PrivateKey>
+export async function generateKeyPairFromSeed <T extends KeyType> (type: T, seed: Uint8Array, bits?: number): Promise<never>
+export async function generateKeyPairFromSeed (type: string, seed: Uint8Array): Promise<unknown> {
+  if (type !== 'Ed25519') {
+    throw new UnsupportedKeyTypeError('Seed key derivation only supported for Ed25519 keys')
   }
 
-  return Ed25519.generateKeyPairFromSeed(seed)
+  return generateEd25519KeyPairFromSeed(seed)
 }
 
 /**
  * Converts a protobuf serialized public key into its representative object
  */
-export function unmarshalPublicKey <T extends KeyTypes> (buf: Uint8Array): PublicKey<T> {
-  const decoded = keysPBM.PublicKey.decode(buf)
-  const data = decoded.Data ?? new Uint8Array()
+export function publicKeyFromProtobuf (buf: Uint8Array): PublicKey {
+  const { Type, Data } = pb.PublicKey.decode(buf)
+  const data = Data ?? new Uint8Array()
+
+  switch (Type) {
+    case pb.KeyType.RSA:
+      return pkixToRSAPublicKey(data)
+    case pb.KeyType.Ed25519:
+      return unmarshalEd25519PublicKey(data)
+    case pb.KeyType.secp256k1:
+      return unmarshalSecp256k1PublicKey(data)
+    default:
+      throw new UnsupportedKeyTypeError()
+  }
+}
 
-  switch (decoded.Type) {
-    case keysPBM.KeyType.RSA:
-      return supportedKeys.rsa.unmarshalRsaPublicKey(data)
-    case keysPBM.KeyType.Ed25519:
-      return supportedKeys.ed25519.unmarshalEd25519PublicKey(data)
-    case keysPBM.KeyType.Secp256k1:
-      return supportedKeys.secp256k1.unmarshalSecp256k1PublicKey(data)
+/**
+ * Creates a public key from the raw key bytes
+ */
+export function publicKeyFromRaw (buf: Uint8Array): PublicKey {
+  if (buf.byteLength === 32) {
+    return unmarshalEd25519PublicKey(buf)
+  } else if (buf.byteLength === 34) {
+    return unmarshalSecp256k1PublicKey(buf)
+  } else {
+    return pkixToRSAPublicKey(buf)
+  }
+}
+
+/**
+ * Creates a public key from an identity multihash which contains a protobuf
+ * encoded Ed25519 or secp256k1 public key.
+ *
+ * RSA keys are not supported as in practice we they are not stored in identity
+ * multihashes since the hash would be very large.
+ */
+export function publicKeyFromMultihash (digest: MultihashDigest<0x0>): Ed25519PublicKey | Secp256k1PublicKey {
+  const { Type, Data } = pb.PublicKey.decode(digest.digest)
+  const data = Data ?? new Uint8Array()
+
+  switch (Type) {
+    case pb.KeyType.Ed25519:
+      return unmarshalEd25519PublicKey(data)
+    case pb.KeyType.secp256k1:
+      return unmarshalSecp256k1PublicKey(data)
     default:
-      throw unsupportedKey(decoded.Type ?? 'unknown')
+      throw new UnsupportedKeyTypeError()
   }
 }
 
 /**
  * Converts a public key object into a protobuf serialized public key
  */
-export function marshalPublicKey (key: { bytes: Uint8Array }, type?: string): Uint8Array {
-  type = (type ?? 'rsa').toLowerCase()
-  typeToKey(type) // check type
-  return key.bytes
+export function publicKeyToProtobuf (key: PublicKey): Uint8Array {
+  return pb.PublicKey.encode({
+    Type: pb.KeyType[key.type],
+    Data: key.raw
+  })
 }
 
 /**
  * Converts a protobuf serialized private key into its representative object
  */
-export async function unmarshalPrivateKey <T extends KeyTypes> (buf: Uint8Array): Promise<PrivateKey<T>> {
-  const decoded = keysPBM.PrivateKey.decode(buf)
+export function privateKeyFromProtobuf (buf: Uint8Array): Ed25519PrivateKey | Secp256k1PrivateKey | RSAPrivateKey {
+  const decoded = pb.PrivateKey.decode(buf)
   const data = decoded.Data ?? new Uint8Array()
 
   switch (decoded.Type) {
-    case keysPBM.KeyType.RSA:
-      return supportedKeys.rsa.unmarshalRsaPrivateKey(data)
-    case keysPBM.KeyType.Ed25519:
-      return supportedKeys.ed25519.unmarshalEd25519PrivateKey(data)
-    case keysPBM.KeyType.Secp256k1:
-      return supportedKeys.secp256k1.unmarshalSecp256k1PrivateKey(data)
+    case pb.KeyType.RSA:
+      return pkcs1ToRSAPrivateKey(data)
+    case pb.KeyType.Ed25519:
+      return unmarshalEd25519PrivateKey(data)
+    case pb.KeyType.secp256k1:
+      return unmarshalSecp256k1PrivateKey(data)
     default:
-      throw unsupportedKey(decoded.Type ?? 'RSA')
+      throw new UnsupportedKeyTypeError()
   }
 }
 
 /**
- * Converts a private key object into a protobuf serialized private key
+ * Creates a private key from the raw key bytes. For Ed25519 keys this requires
+ * the public key to be appended to the private key otherwise we can't
+ * differentiate between Ed25519 and secp256k1 keys as they are the same length.
  */
-export function marshalPrivateKey (key: { bytes: Uint8Array }, type?: string): Uint8Array {
-  type = (type ?? 'rsa').toLowerCase()
-  typeToKey(type) // check type
-  return key.bytes
+export function privateKeyFromRaw (buf: Uint8Array): PrivateKey {
+  if (buf.byteLength === 64) {
+    return unmarshalEd25519PrivateKey(buf)
+  } else if (buf.byteLength === 32) {
+    return unmarshalSecp256k1PrivateKey(buf)
+  } else {
+    return pkcs1ToRSAPrivateKey(buf)
+  }
 }
 
 /**
- * Converts an exported private key into its representative object.
- *
- * Supported formats are 'pem' (RSA only) and 'libp2p-key'.
+ * Converts a private key object into a protobuf serialized private key
  */
-export async function importKey <T extends KeyTypes> (encryptedKey: string, password: string): Promise<PrivateKey<T>> {
-  try {
-    const key = await importer(encryptedKey, password)
-    return await unmarshalPrivateKey(key)
-  } catch (_) {
-    // Ignore and try the old pem decrypt
-  }
-
-  if (!encryptedKey.includes('BEGIN')) {
-    throw new CodeError('Encrypted key was not a libp2p-key or a PEM file', 'ERR_INVALID_IMPORT_FORMAT')
-  }
-
-  return importFromPem(encryptedKey, password)
+export function privateKeyToProtobuf (key: PrivateKey): Uint8Array {
+  return pb.PrivateKey.encode({
+    Type: pb.KeyType[key.type],
+    Data: key.raw
+  })
 }

package/src/keys/key-stretcher.ts

@@ -1,10 +1,15 @@
-import { CodeError } from '@libp2p/interface'
+import { InvalidParametersError } from '@libp2p/interface'
 import { concat as uint8ArrayConcat } from 'uint8arrays/concat'
 import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
 import * as hmac from '../hmac/index.js'
 import type { EnhancedKey, EnhancedKeyPair } from './interface.js'
 
-const cipherMap = {
+interface Cipher {
+  ivSize: number
+  keySize: number
+}
+
+const cipherMap: Record<string, Cipher> = {
   'AES-128': {
     ivSize: 16,
     keySize: 16
@@ -24,17 +29,19 @@ const cipherMap = {
  * (myIV, theirIV, myCipherKey, theirCipherKey, myMACKey, theirMACKey)
  */
 export async function keyStretcher (cipherType: 'AES-128' | 'AES-256' | 'Blowfish', hash: 'SHA1' | 'SHA256' | 'SHA512', secret: Uint8Array): Promise<EnhancedKeyPair> {
-  const cipher = cipherMap[cipherType]
+  if (cipherType !== 'AES-128' && cipherType !== 'AES-256' && cipherType !== 'Blowfish') {
+    throw new InvalidParametersError('Cipher type was missing or unsupported')
+  }
 
-  if (cipher == null) {
-    const allowed = Object.keys(cipherMap).join(' / ')
-    throw new CodeError(`unknown cipher type '${cipherType}'. Must be ${allowed}`, 'ERR_INVALID_CIPHER_TYPE')
+  if (hash !== 'SHA1' && hash !== 'SHA256' && hash !== 'SHA512') {
+    throw new InvalidParametersError('Hash type was missing or unsupported')
   }
 
-  if (hash == null) {
-    throw new CodeError('missing hash type', 'ERR_MISSING_HASH_TYPE')
+  if (secret == null || !(secret instanceof Uint8Array)) {
+    throw new InvalidParametersError('Secret was missing or an incorrect type')
   }
 
+  const cipher = cipherMap[cipherType]
   const cipherKeySize = cipher.keySize
   const ivSize = cipher.ivSize
   const hmacKeySize = 20

package/src/keys/keys.proto

@@ -3,7 +3,7 @@ syntax = "proto3";
 enum KeyType {
   RSA = 0;
   Ed25519 = 1;
-  Secp256k1 = 2;
+  secp256k1 = 2;
 }
 message PublicKey {
   // the proto2 version of this field is "required" which means it will have

package/src/keys/keys.ts

@@ -4,20 +4,19 @@
 /* eslint-disable @typescript-eslint/no-unnecessary-boolean-literal-compare */
 /* eslint-disable @typescript-eslint/no-empty-interface */
 
-import { enumeration, encodeMessage, decodeMessage, message } from 'protons-runtime'
-import type { Codec } from 'protons-runtime'
+import { type Codec, decodeMessage, type DecodeOptions, encodeMessage, enumeration, message } from 'protons-runtime'
 import type { Uint8ArrayList } from 'uint8arraylist'
 
 export enum KeyType {
   RSA = 'RSA',
   Ed25519 = 'Ed25519',
-  Secp256k1 = 'Secp256k1'
+  secp256k1 = 'secp256k1'
 }
 
 enum __KeyTypeValues {
   RSA = 0,
   Ed25519 = 1,
-  Secp256k1 = 2
+  secp256k1 = 2
 }
 
 export namespace KeyType {
@@ -53,7 +52,7 @@ export namespace PublicKey {
         if (opts.lengthDelimited !== false) {
           w.ldelim()
         }
-      }, (reader, length) => {
+      }, (reader, length, opts = {}) => {
         const obj: any = {}
 
         const end = length == null ? reader.len : reader.pos + length
@@ -62,15 +61,18 @@ export namespace PublicKey {
           const tag = reader.uint32()
 
           switch (tag >>> 3) {
-            case 1:
+            case 1: {
               obj.Type = KeyType.codec().decode(reader)
               break
-            case 2:
+            }
+            case 2: {
               obj.Data = reader.bytes()
               break
-            default:
+            }
+            default: {
               reader.skipType(tag & 7)
               break
+            }
           }
         }
 
@@ -85,8 +87,8 @@ export namespace PublicKey {
     return encodeMessage(obj, PublicKey.codec())
   }
 
-  export const decode = (buf: Uint8Array | Uint8ArrayList): PublicKey => {
-    return decodeMessage(buf, PublicKey.codec())
+  export const decode = (buf: Uint8Array | Uint8ArrayList, opts?: DecodeOptions<PublicKey>): PublicKey => {
+    return decodeMessage(buf, PublicKey.codec(), opts)
   }
 }
 
@@ -118,7 +120,7 @@ export namespace PrivateKey {
         if (opts.lengthDelimited !== false) {
           w.ldelim()
         }
-      }, (reader, length) => {
+      }, (reader, length, opts = {}) => {
         const obj: any = {}
 
         const end = length == null ? reader.len : reader.pos + length
@@ -127,15 +129,18 @@ export namespace PrivateKey {
           const tag = reader.uint32()
 
           switch (tag >>> 3) {
-            case 1:
+            case 1: {
               obj.Type = KeyType.codec().decode(reader)
               break
-            case 2:
+            }
+            case 2: {
               obj.Data = reader.bytes()
               break
-            default:
+            }
+            default: {
               reader.skipType(tag & 7)
               break
+            }
           }
         }
 
@@ -150,7 +155,7 @@ export namespace PrivateKey {
     return encodeMessage(obj, PrivateKey.codec())
   }
 
-  export const decode = (buf: Uint8Array | Uint8ArrayList): PrivateKey => {
-    return decodeMessage(buf, PrivateKey.codec())
+  export const decode = (buf: Uint8Array | Uint8ArrayList, opts?: DecodeOptions<PrivateKey>): PrivateKey => {
+    return decodeMessage(buf, PrivateKey.codec(), opts)
   }
 }

package/src/keys/{rsa-browser.ts → rsa/index.browser.ts}

@@ -1,14 +1,14 @@
-import { CodeError } from '@libp2p/interface'
+import { InvalidParametersError } from '@libp2p/interface'
 import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
-import randomBytes from '../random-bytes.js'
-import webcrypto from '../webcrypto.js'
-import * as utils from './rsa-utils.js'
-import type { JWKKeyPair } from './interface.js'
+import randomBytes from '../../random-bytes.js'
+import webcrypto from '../../webcrypto/index.js'
+import * as utils from './utils.js'
+import type { JWKKeyPair } from '../interface.js'
 import type { Uint8ArrayList } from 'uint8arraylist'
 
 export { utils }
 
-export async function generateKey (bits: number): Promise<JWKKeyPair> {
+export async function generateRSAKey (bits: number): Promise<JWKKeyPair> {
   const pair = await webcrypto.get().subtle.generateKey(
     {
       name: 'RSASSA-PKCS1-v1_5',
@@ -28,35 +28,6 @@ export async function generateKey (bits: number): Promise<JWKKeyPair> {
   }
 }
 
-// Takes a jwk key
-export async function unmarshalPrivateKey (key: JsonWebKey): Promise<JWKKeyPair> {
-  const privateKey = await webcrypto.get().subtle.importKey(
-    'jwk',
-    key,
-    {
-      name: 'RSASSA-PKCS1-v1_5',
-      hash: { name: 'SHA-256' }
-    },
-    true,
-    ['sign']
-  )
-
-  const pair = [
-    privateKey,
-    await derivePublicFromPrivate(key)
-  ]
-
-  const keys = await exportKey({
-    privateKey: pair[0],
-    publicKey: pair[1]
-  })
-
-  return {
-    privateKey: keys[0],
-    publicKey: keys[1]
-  }
-}
-
 export { randomBytes as getRandomValues }
 
 export async function hashAndSign (key: JsonWebKey, msg: Uint8Array | Uint8ArrayList): Promise<Uint8Array> {
@@ -102,7 +73,7 @@ export async function hashAndVerify (key: JsonWebKey, sig: Uint8Array, msg: Uint
 
 async function exportKey (pair: CryptoKeyPair): Promise<[JsonWebKey, JsonWebKey]> {
   if (pair.privateKey == null || pair.publicKey == null) {
-    throw new CodeError('Private and public key are required', 'ERR_INVALID_PARAMETERS')
+    throw new InvalidParametersError('Private and public key are required')
   }
 
   return Promise.all([
@@ -111,28 +82,11 @@ async function exportKey (pair: CryptoKeyPair): Promise<[JsonWebKey, JsonWebKey]
   ])
 }
 
-async function derivePublicFromPrivate (jwKey: JsonWebKey): Promise<CryptoKey> {
-  return webcrypto.get().subtle.importKey(
-    'jwk',
-    {
-      kty: jwKey.kty,
-      n: jwKey.n,
-      e: jwKey.e
-    },
-    {
-      name: 'RSASSA-PKCS1-v1_5',
-      hash: { name: 'SHA-256' }
-    },
-    true,
-    ['verify']
-  )
-}
-
-export function keySize (jwk: JsonWebKey): number {
+export function rsaKeySize (jwk: JsonWebKey): number {
   if (jwk.kty !== 'RSA') {
-    throw new CodeError('invalid key type', 'ERR_INVALID_KEY_TYPE')
+    throw new InvalidParametersError('invalid key type')
   } else if (jwk.n == null) {
-    throw new CodeError('invalid key modulus', 'ERR_INVALID_KEY_MODULUS')
+    throw new InvalidParametersError('invalid key modulus')
   }
   const bytes = uint8ArrayFromString(jwk.n, 'base64url')
   return bytes.length * 8

package/src/keys/{rsa.ts → rsa/index.ts}

@@ -1,17 +1,17 @@
 import crypto from 'crypto'
 import { promisify } from 'util'
-import { CodeError } from '@libp2p/interface'
+import { InvalidParametersError } from '@libp2p/interface'
 import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
-import randomBytes from '../random-bytes.js'
-import * as utils from './rsa-utils.js'
-import type { JWKKeyPair } from './interface.js'
+import randomBytes from '../../random-bytes.js'
+import * as utils from './utils.js'
+import type { JWKKeyPair } from '../interface.js'
 import type { Uint8ArrayList } from 'uint8arraylist'
 
 const keypair = promisify(crypto.generateKeyPair)
 
 export { utils }
 
-export async function generateKey (bits: number): Promise<JWKKeyPair> {
+export async function generateRSAKey (bits: number): Promise<JWKKeyPair> {
   // @ts-expect-error node types are missing jwk as a format
   const key = await keypair('rsa', {
     modulusLength: bits,
@@ -27,21 +27,6 @@ export async function generateKey (bits: number): Promise<JWKKeyPair> {
   }
 }
 
-// Takes a jwk key
-export async function unmarshalPrivateKey (key: JsonWebKey): Promise<JWKKeyPair> {
-  if (key == null) {
-    throw new CodeError('Missing key parameter', 'ERR_MISSING_KEY')
-  }
-  return {
-    privateKey: key,
-    publicKey: {
-      kty: key.kty,
-      n: key.n,
-      e: key.e
-    }
-  }
-}
-
 export { randomBytes as getRandomValues }
 
 export async function hashAndSign (key: JsonWebKey, msg: Uint8Array | Uint8ArrayList): Promise<Uint8Array> {
@@ -74,11 +59,11 @@ export async function hashAndVerify (key: JsonWebKey, sig: Uint8Array, msg: Uint
   return hash.verify({ format: 'jwk', key }, sig)
 }
 
-export function keySize (jwk: JsonWebKey): number {
+export function rsaKeySize (jwk: JsonWebKey): number {
   if (jwk.kty !== 'RSA') {
-    throw new CodeError('invalid key type', 'ERR_INVALID_KEY_TYPE')
+    throw new InvalidParametersError('Invalid key type')
   } else if (jwk.n == null) {
-    throw new CodeError('invalid key modulus', 'ERR_INVALID_KEY_MODULUS')
+    throw new InvalidParametersError('Invalid key modulus')
   }
   const modulus = uint8ArrayFromString(jwk.n, 'base64url')
   return modulus.length * 8

package/src/keys/rsa/rsa.ts

@@ -0,0 +1,83 @@
+import { base58btc } from 'multiformats/bases/base58'
+import { CID } from 'multiformats/cid'
+import { type Digest } from 'multiformats/hashes/digest'
+import { equals as uint8ArrayEquals } from 'uint8arrays/equals'
+import { hashAndSign, utils, hashAndVerify } from './index.js'
+import type { RSAPublicKey as RSAPublicKeyInterface, RSAPrivateKey as RSAPrivateKeyInterface } from '@libp2p/interface'
+import type { Uint8ArrayList } from 'uint8arraylist'
+
+export class RSAPublicKey implements RSAPublicKeyInterface {
+  public readonly type = 'RSA'
+  private readonly _key: JsonWebKey
+  private _raw?: Uint8Array
+  private readonly _multihash: Digest<18, number>
+
+  constructor (key: JsonWebKey, digest: Digest<18, number>) {
+    this._key = key
+    this._multihash = digest
+  }
+
+  get raw (): Uint8Array {
+    if (this._raw == null) {
+      this._raw = utils.jwkToPkix(this._key)
+    }
+
+    return this._raw
+  }
+
+  toMultihash (): Digest<18, number> {
+    return this._multihash
+  }
+
+  toCID (): CID<unknown, 114, 18, 1> {
+    return CID.createV1(114, this._multihash)
+  }
+
+  toString (): string {
+    return base58btc.encode(this.toMultihash().bytes).substring(1)
+  }
+
+  equals (key?: any): boolean {
+    if (key == null || !(key.raw instanceof Uint8Array)) {
+      return false
+    }
+
+    return uint8ArrayEquals(this.raw, key.raw)
+  }
+
+  verify (data: Uint8Array | Uint8ArrayList, sig: Uint8Array): boolean | Promise<boolean> {
+    return hashAndVerify(this._key, sig, data)
+  }
+}
+
+export class RSAPrivateKey implements RSAPrivateKeyInterface {
+  public readonly type = 'RSA'
+  private readonly _key: JsonWebKey
+  private _raw?: Uint8Array
+  public readonly publicKey: RSAPublicKey
+
+  constructor (key: JsonWebKey, publicKey: RSAPublicKey) {
+    this._key = key
+    this.publicKey = publicKey
+  }
+
+  get raw (): Uint8Array {
+    if (this._raw == null) {
+      this._raw = utils.jwkToPkcs1(this._key)
+    }
+
+    return this._raw
+  }
+
+  equals (key: any): boolean {
+    if (key == null || !(key.raw instanceof Uint8Array)) {
+      return false
+    }
+
+    return uint8ArrayEquals(this.raw, key.raw)
+  }
+
+  sign (message: Uint8Array | Uint8ArrayList): Uint8Array | Promise<Uint8Array> {
+    return hashAndSign(this._key, message)
+  }
+}