@mcp-i/core 0.1.0

package/src/utils/__tests__/crypto-service.test.ts

@@ -0,0 +1,530 @@
+/**
+ * Tests for CryptoService
+ *
+ * Comprehensive test coverage for cryptographic operations service.
+ * Tests verifyEd25519() and verifyJWS() with various scenarios.
+ *
+ * Test Coverage Requirements: 100% - All security-critical code paths
+ */
+
+import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { CryptoService } from '../crypto-service.js';
+import type { CryptoProvider } from '../../providers/base.js';
+import type { Ed25519JWK } from '../crypto-service.js';
+
+describe('CryptoService', () => {
+  let cryptoService: CryptoService;
+  let mockCryptoProvider: CryptoProvider;
+
+  beforeEach(() => {
+    mockCryptoProvider = {
+      sign: vi.fn(),
+      verify: vi.fn(),
+      generateKeyPair: vi.fn(),
+      hash: vi.fn(),
+      randomBytes: vi.fn(),
+    };
+    cryptoService = new CryptoService(mockCryptoProvider);
+  });
+
+  describe('verifyEd25519', () => {
+    it('should return true for valid signature', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+
+      const result = await cryptoService.verifyEd25519(
+        new Uint8Array([1, 2, 3]),
+        new Uint8Array([4, 5, 6]),
+        'base64PublicKey'
+      );
+
+      expect(result).toBe(true);
+      expect(mockCryptoProvider.verify).toHaveBeenCalledWith(
+        new Uint8Array([1, 2, 3]),
+        new Uint8Array([4, 5, 6]),
+        'base64PublicKey'
+      );
+    });
+
+    it('should return false for invalid signature', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(false);
+
+      const result = await cryptoService.verifyEd25519(
+        new Uint8Array([1, 2, 3]),
+        new Uint8Array([4, 5, 6]),
+        'base64PublicKey'
+      );
+
+      expect(result).toBe(false);
+    });
+
+    it('should return false on verification error', async () => {
+      mockCryptoProvider.verify = vi.fn().mockRejectedValue(
+        new Error('Verification failed')
+      );
+
+      const result = await cryptoService.verifyEd25519(
+        new Uint8Array([1, 2, 3]),
+        new Uint8Array([4, 5, 6]),
+        'base64PublicKey'
+      );
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle empty data', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+
+      const result = await cryptoService.verifyEd25519(
+        new Uint8Array(0),
+        new Uint8Array([4, 5, 6]),
+        'base64PublicKey'
+      );
+
+      expect(result).toBe(true);
+    });
+  });
+
+  describe('parseJWS', () => {
+    it('should parse valid full compact JWS', () => {
+      const header = { alg: 'EdDSA', typ: 'JWT' };
+      const payload = { sub: 'did:key:z123', iss: 'did:key:z123' };
+      // Properly encode as base64url
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
+
+      const parsed = cryptoService.parseJWS(jws);
+
+      expect(parsed.header).toEqual(header);
+      expect(parsed.payload).toEqual(payload);
+      expect(parsed.signingInput).toBe(`${headerB64}.${payloadB64}`);
+      expect(parsed.signatureBytes).toBeInstanceOf(Uint8Array);
+    });
+
+    it('should throw error for invalid JWS format', () => {
+      const invalidJws = 'not.a.jws';
+
+      // This will fail during JSON parsing, not format check
+      expect(() => cryptoService.parseJWS(invalidJws)).toThrow();
+    });
+
+    it('should throw error for JWS with wrong number of parts', () => {
+      const invalidJws = 'header.payload';
+
+      expect(() => cryptoService.parseJWS(invalidJws)).toThrow('Invalid JWS format');
+    });
+
+    it('should handle empty payload', () => {
+      const header = { alg: 'EdDSA' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const jws = `${headerB64}..${signatureB64}`;
+
+      const parsed = cryptoService.parseJWS(jws);
+
+      expect(parsed.header).toEqual(header);
+      expect(parsed.payload).toBeUndefined();
+    });
+  });
+
+  describe('verifyJWS', () => {
+    const validJwk: Ed25519JWK = {
+      kty: 'OKP',
+      crv: 'Ed25519',
+      x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ', // Example base64url public key (32 bytes when decoded)
+    };
+
+    // Create a valid JWS for testing
+    const createValidJWS = (): string => {
+      const header = { alg: 'EdDSA', typ: 'JWT' };
+      const payload = { sub: 'did:key:z123', iss: 'did:key:z123' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      return `${headerB64}.${payloadB64}.${signatureB64}`;
+    };
+
+    it('should verify valid full compact JWS', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, validJwk);
+
+      expect(result).toBe(true);
+      expect(mockCryptoProvider.verify).toHaveBeenCalled();
+    });
+
+    it('should reject invalid JWK format', async () => {
+      const invalidJwk = { kty: 'RSA' } as any;
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
+
+      expect(result).toBe(false);
+      expect(mockCryptoProvider.verify).not.toHaveBeenCalled();
+    });
+
+    it('should reject JWK with wrong kty', async () => {
+      const invalidJwk = {
+        kty: 'RSA',
+        crv: 'Ed25519',
+        x: 'test',
+      } as any;
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should reject JWK with wrong crv', async () => {
+      const invalidJwk = {
+        kty: 'OKP',
+        crv: 'P-256',
+        x: 'test',
+      } as any;
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should reject JWK with missing x field', async () => {
+      const invalidJwk = {
+        kty: 'OKP',
+        crv: 'Ed25519',
+      } as any;
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should reject JWK with empty x field', async () => {
+      const invalidJwk = {
+        kty: 'OKP',
+        crv: 'Ed25519',
+        x: '',
+      };
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, invalidJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should reject malformed JWS', async () => {
+      const malformedJws = 'not.a.jws';
+
+      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should reject non-EdDSA algorithms', async () => {
+      const header = { alg: 'RS256', typ: 'JWT' };
+      const payload = { sub: 'did:key:z123' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const rsaJws = `${headerB64}.${payloadB64}.${signatureB64}`;
+
+      const result = await cryptoService.verifyJWS(rsaJws, validJwk);
+
+      expect(result).toBe(false);
+      expect(mockCryptoProvider.verify).not.toHaveBeenCalled();
+    });
+
+    it('should reject HS256 algorithm', async () => {
+      const header = { alg: 'HS256', typ: 'JWT' };
+      const payload = { sub: 'did:key:z123' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const hs256Jws = `${headerB64}.${payloadB64}.${signatureB64}`;
+
+      const result = await cryptoService.verifyJWS(hs256Jws, validJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle empty JWS components', async () => {
+      const emptyJws = '..';
+
+      const result = await cryptoService.verifyJWS(emptyJws, validJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle malformed JWS - single part', async () => {
+      const malformedJws = 'singlepart';
+
+      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle malformed JWS - two parts', async () => {
+      const malformedJws = 'header.payload';
+
+      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle malformed JWS - four parts', async () => {
+      const header = { alg: 'EdDSA' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const payloadB64 = Buffer.from('payload').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const malformedJws = `${headerB64}.${payloadB64}.${signatureB64}.extra`;
+
+      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle malformed JWS - invalid JSON header', async () => {
+      const invalidHeaderB64 = Buffer.from('notjson').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const payloadB64 = Buffer.from('payload').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const malformedJws = `${invalidHeaderB64}.${payloadB64}.${signatureB64}`;
+
+      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle malformed JWS - invalid base64', async () => {
+      // Don't mock verify - the function should catch the error and return false
+      // before it gets to verification
+      const header = { alg: 'EdDSA' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const invalidBase64 = 'notbase64!!!';
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const malformedJws = `${headerB64}.${invalidBase64}.${signatureB64}`;
+
+      // parseJWS will throw when trying to decode invalid base64 payload
+      // This should be caught and return false
+      const result = await cryptoService.verifyJWS(malformedJws, validJwk);
+
+      expect(result).toBe(false);
+      // verify should not be called because parseJWS should throw
+      expect(mockCryptoProvider.verify).not.toHaveBeenCalled();
+    });
+
+    it('should validate expectedKid option', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+      const validJws = createValidJWS();
+      const jwkWithKid: Ed25519JWK = {
+        kty: 'OKP',
+        crv: 'Ed25519',
+        x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
+        kid: 'key-1',
+      };
+
+      // Should succeed with matching kid
+      const result1 = await cryptoService.verifyJWS(validJws, jwkWithKid, {
+        expectedKid: 'key-1',
+      });
+      expect(result1).toBe(true);
+
+      // Should fail with mismatched kid
+      const result2 = await cryptoService.verifyJWS(validJws, jwkWithKid, {
+        expectedKid: 'key-2',
+      });
+      expect(result2).toBe(false);
+    });
+
+    it('should validate alg option', async () => {
+      const header = { alg: 'EdDSA', typ: 'JWT' };
+      const payload = { sub: 'did:key:z123' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const validJws = `${headerB64}.${payloadB64}.${signatureB64}`;
+
+      // Should succeed with matching alg
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+      const result1 = await cryptoService.verifyJWS(validJws, validJwk, {
+        alg: 'EdDSA',
+      });
+      expect(result1).toBe(true);
+
+      // Should fail with mismatched alg (even if header says EdDSA)
+      const result2 = await cryptoService.verifyJWS(validJws, validJwk, {
+        alg: 'RS256' as any,
+      });
+      expect(result2).toBe(false);
+    });
+
+    it('should validate Ed25519 key length', async () => {
+      const invalidLengthJwk = {
+        kty: 'OKP' as const,
+        crv: 'Ed25519' as const,
+        x: 'c2hvcnQ', // "short" in base64 - too short for Ed25519 (only 5 bytes)
+      };
+
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, invalidLengthJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle detached payload', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+      const header = { alg: 'EdDSA' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const detachedJws = `${headerB64}..${signatureB64}`;
+      const detachedPayload = JSON.stringify({ sub: 'did:key:z123' });
+
+      const result = await cryptoService.verifyJWS(detachedJws, validJwk, {
+        detachedPayload,
+      });
+
+      expect(result).toBe(true);
+      expect(mockCryptoProvider.verify).toHaveBeenCalled();
+    });
+
+    it('should handle detached payload as Uint8Array', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+      const header = { alg: 'EdDSA' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const detachedJws = `${headerB64}..${signatureB64}`;
+      const detachedPayloadBytes = new TextEncoder().encode(JSON.stringify({ sub: 'did:key:z123' }));
+
+      const result = await cryptoService.verifyJWS(detachedJws, validJwk, {
+        detachedPayload: detachedPayloadBytes,
+      });
+
+      expect(result).toBe(true);
+      expect(mockCryptoProvider.verify).toHaveBeenCalled();
+    });
+
+    it('should handle signature verification failure', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(false);
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, validJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should handle signature verification error', async () => {
+      mockCryptoProvider.verify = vi.fn().mockRejectedValue(new Error('Crypto error'));
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, validJwk);
+
+      expect(result).toBe(false);
+    });
+
+    it('should accept JWK with optional kid field', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+      const jwkWithKid: Ed25519JWK = {
+        kty: 'OKP',
+        crv: 'Ed25519',
+        x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
+        kid: 'key-1',
+      };
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, jwkWithKid);
+
+      expect(result).toBe(true);
+    });
+
+    it('should accept JWK with optional use field', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+      const jwkWithUse: Ed25519JWK = {
+        kty: 'OKP',
+        crv: 'Ed25519',
+        x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
+        use: 'sig',
+      };
+      const validJws = createValidJWS();
+
+      const result = await cryptoService.verifyJWS(validJws, jwkWithUse);
+
+      expect(result).toBe(true);
+    });
+  });
+
+  describe('base64url edge cases', () => {
+    const validJwk: Ed25519JWK = {
+      kty: 'OKP',
+      crv: 'Ed25519',
+      x: 'VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ',
+    };
+
+    it('should handle base64url with no padding', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+      const header = { alg: 'EdDSA' };
+      const payload = { test: 'Hello' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+      const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
+
+      const result = await cryptoService.verifyJWS(jws, validJwk);
+
+      // Should not throw, even if padding is missing
+      expect(typeof result).toBe('boolean');
+    });
+
+    it('should handle base64url with padding', async () => {
+      mockCryptoProvider.verify = vi.fn().mockResolvedValue(true);
+      const header = { alg: 'EdDSA' };
+      const payload = { test: 'Hello World!' };
+      const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_');
+      const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_');
+      const signatureB64 = Buffer.from('signature').toString('base64')
+        .replace(/\+/g, '-').replace(/\//g, '_');
+      const jws = `${headerB64}.${payloadB64}.${signatureB64}`;
+
+      const result = await cryptoService.verifyJWS(jws, validJwk);
+
+      expect(typeof result).toBe('boolean');
+    });
+  });
+});

package/src/utils/__tests__/did-helpers.test.ts

@@ -0,0 +1,156 @@
+/**
+ * Tests for DID Helper Utilities
+ *
+ * @package @mcp-i/core/utils/__tests__
+ */
+
+import { describe, it, expect } from "vitest";
+import {
+  isValidDid,
+  getDidMethod,
+  normalizeDid,
+  compareDids,
+  getServerDid,
+  generateDidKeyFromBytes,
+  generateDidKeyFromBase64,
+} from "../did-helpers";
+
+describe("DID Helpers", () => {
+  describe("isValidDid", () => {
+    it("should return true for valid DIDs", () => {
+      expect(isValidDid("did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK")).toBe(true);
+      expect(isValidDid("did:web:example.com")).toBe(true);
+      expect(isValidDid("did:web:example.com:path")).toBe(true);
+    });
+
+    it("should return false for invalid DIDs", () => {
+      expect(isValidDid("not-a-did")).toBe(false);
+      expect(isValidDid("")).toBe(false);
+      expect(isValidDid("did")).toBe(false);
+      expect(isValidDid("key:z6Mk...")).toBe(false);
+    });
+  });
+
+  describe("getDidMethod", () => {
+    it("should extract DID method correctly", () => {
+      expect(getDidMethod("did:key:z6Mk...")).toBe("key");
+      expect(getDidMethod("did:web:example.com")).toBe("web");
+      expect(getDidMethod("did:ion:...")).toBe("ion");
+    });
+
+    it("should return null for invalid DIDs", () => {
+      expect(getDidMethod("not-a-did")).toBeNull();
+      expect(getDidMethod("")).toBeNull();
+      expect(getDidMethod("did")).toBeNull();
+    });
+  });
+
+  describe("normalizeDid", () => {
+    it("should trim whitespace", () => {
+      expect(normalizeDid("  did:key:z6Mk...  ")).toBe("did:key:z6Mk...");
+      expect(normalizeDid("did:key:z6Mk...")).toBe("did:key:z6Mk...");
+    });
+  });
+
+  describe("compareDids", () => {
+    it("should compare DIDs correctly", () => {
+      expect(compareDids("did:key:z6Mk...", "did:key:z6Mk...")).toBe(true);
+      expect(compareDids("did:key:z6Mk...", "did:web:example.com")).toBe(false);
+    });
+
+    it("should normalize before comparing", () => {
+      expect(compareDids("  did:key:z6Mk...  ", "did:key:z6Mk...")).toBe(true);
+    });
+  });
+
+  describe("getServerDid", () => {
+    it("should return serverDid when present", () => {
+      const config = {
+        identity: {
+          serverDid: "did:web:server.com",
+        },
+      };
+      expect(getServerDid(config)).toBe("did:web:server.com");
+    });
+
+    it("should return agentDid when serverDid not present (backward compatibility)", () => {
+      const config = {
+        identity: {
+          agentDid: "did:web:old-server.com",
+        },
+      };
+      expect(getServerDid(config)).toBe("did:web:old-server.com");
+    });
+
+    it("should prefer serverDid over agentDid", () => {
+      const config = {
+        identity: {
+          serverDid: "did:web:new-server.com",
+          agentDid: "did:web:old-server.com",
+        },
+      };
+      expect(getServerDid(config)).toBe("did:web:new-server.com");
+    });
+
+    it("should throw error when neither serverDid nor agentDid present", () => {
+      const config = {
+        identity: {},
+      };
+      expect(() => getServerDid(config)).toThrow("Server DID not configured");
+    });
+  });
+
+  describe("generateDidKeyFromBytes", () => {
+    it("should generate valid did:key from 32-byte Ed25519 public key", () => {
+      // Use a known test key (32 bytes)
+      const publicKeyBytes = new Uint8Array(32).fill(0xab);
+      const did = generateDidKeyFromBytes(publicKeyBytes);
+
+      expect(did).toMatch(/^did:key:z6Mk/);
+      expect(isValidDid(did)).toBe(true);
+      expect(getDidMethod(did)).toBe("key");
+    });
+
+    it("should generate consistent did:key for same input", () => {
+      const publicKeyBytes = new Uint8Array(32).fill(0x42);
+      const did1 = generateDidKeyFromBytes(publicKeyBytes);
+      const did2 = generateDidKeyFromBytes(publicKeyBytes);
+
+      expect(did1).toBe(did2);
+    });
+
+    it("should generate different did:key for different inputs", () => {
+      const key1 = new Uint8Array(32).fill(0x11);
+      const key2 = new Uint8Array(32).fill(0x22);
+
+      const did1 = generateDidKeyFromBytes(key1);
+      const did2 = generateDidKeyFromBytes(key2);
+
+      expect(did1).not.toBe(did2);
+    });
+  });
+
+  describe("generateDidKeyFromBase64", () => {
+    it("should generate valid did:key from base64-encoded public key", () => {
+      // Base64 encode a 32-byte key
+      const publicKeyBytes = new Uint8Array(32).fill(0xcd);
+      const publicKeyBase64 = btoa(String.fromCharCode(...publicKeyBytes));
+
+      const did = generateDidKeyFromBase64(publicKeyBase64);
+
+      expect(did).toMatch(/^did:key:z6Mk/);
+      expect(isValidDid(did)).toBe(true);
+    });
+
+    it("should produce same result as generateDidKeyFromBytes", () => {
+      const publicKeyBytes = new Uint8Array(32).fill(0xef);
+      const publicKeyBase64 = btoa(String.fromCharCode(...publicKeyBytes));
+
+      const didFromBytes = generateDidKeyFromBytes(publicKeyBytes);
+      const didFromBase64 = generateDidKeyFromBase64(publicKeyBase64);
+
+      expect(didFromBytes).toBe(didFromBase64);
+    });
+  });
+});
+