@nuggetslife/vc 0.0.10 → 0.0.15

package/src/bls_signatures/bls_12381_g2_keypair/mod.rs

@@ -0,0 +1,470 @@
+use base64::{
+  engine::general_purpose::URL_SAFE, engine::general_purpose::URL_SAFE_NO_PAD, Engine as _,
+};
+use napi::bindgen_prelude::*;
+use types::{
+  BlsCurveName, FingerPrintFromPublicKeyOptions, GenerateKeyPairOptions, JsonWebKey,
+  JwkKeyPairOptions, JwkKty, KeyPairFromFingerPrintOptions, KeyPairOptions,
+};
+use validators::{assert_bls_12381_g2_private_jwk, assert_bls_12381_g2_public_jwk};
+use vc::bbs_signatures::bls12381::{
+  bls_generate_g2_key, bls_sign, bls_verify, BlsBbsSignRequest, BlsBbsVerifyRequest, BlsKeyPair,
+  BLS12381G2_MULTICODEC_IDENTIFIER, DEFAULT_BLS12381_G2_PUBLIC_KEY_LENGTH,
+  MULTIBASE_ENCODED_BASE58_IDENTIFIER, VARIABLE_INTEGER_TRAILING_BYTE,
+};
+
+pub mod types;
+pub mod validators;
+
+#[derive(Clone)]
+#[napi]
+pub struct Bls12381G2KeyPair {
+  pub id: Option<String>,
+  pub controller: Option<String>,
+  pub private_key_inner: Option<Vec<u8>>,
+  pub public_key_inner: Option<Vec<u8>>,
+  #[napi(js_name = "type")]
+  pub type_: String,
+}
+
+#[napi]
+impl Bls12381G2KeyPair {
+  #[napi(constructor)]
+  pub fn new(options: Option<KeyPairOptions>) -> Self {
+    match options {
+      Some(o) => {
+        // The provided publicKey needs to be 384 bits / 5.85 = 65.6
+        // which means the base58 encoded publicKey can be either 65 or 66 chars
+        // 5.85 = log base 2 (58) which is equivalent to the number of bits
+        // encoded per character of a base58 encoded string.
+        // if let Some(ref pubkey_bs58) = o.public_key_base58 {
+        //   if pubkey_bs58.len() != 131 && pubkey_bs58.len() != 132 {
+        //     panic!(
+        //       "public_key_base58 invalid length. expected 131 or 132. got {}",
+        //       pubkey_bs58.len()
+        //     )
+        //   }
+        // };
+
+        // Validates the size of the private key if one is included
+        // This is done by 256 bits / 5.85 = 43.7 which means
+        // the base58 encoded privateKey can be either 43 or 44 chars
+        // if let Some(ref privkey_bs58) = o.private_key_base58 {
+        //   if privkey_bs58.len() != 43 && privkey_bs58.len() != 44 {
+        //     panic!(
+        //       "private_key_base58 invalid length. expected 43 or 44. got {}",
+        //       privkey_bs58.len()
+        //     )
+        //   }
+        // };
+
+        let private_key_inner = o
+          .private_key_base58
+          .map(|v| bs58::decode(v).into_vec().unwrap());
+        let public_key_inner = o
+          .public_key_base58
+          .map(|v| bs58::decode(v).into_vec().unwrap());
+
+        Self {
+          id: o.id,
+          controller: o.controller,
+          private_key_inner,
+          public_key_inner,
+          type_: String::from("Bls12381G2Key2020"),
+        }
+      }
+      None => Self {
+        id: None,
+        controller: None,
+        private_key_inner: None,
+        public_key_inner: None,
+        type_: String::from("Bls12381G2Key2020"),
+      },
+    }
+  }
+
+  #[napi(factory)]
+  pub async fn generate(options: Option<GenerateKeyPairOptions>) -> Self {
+    match options {
+      Some(o) => {
+        let seed: Option<Vec<u8>> = o.seed.map(|s| s.into());
+        let kp = bls_generate_g2_key(seed).await;
+        let public_key_base58 = kp.public_key.map(|v| bs58::encode(v).into_string());
+        let private_key_base58 = kp.secret_key.map(|v| bs58::encode(v).into_string());
+
+        Self::new(Some(KeyPairOptions {
+          id: o.id,
+          controller: o.controller,
+          private_key_base58,
+          public_key_base58,
+        }))
+      }
+      None => {
+        let kp = bls_generate_g2_key(None).await;
+        let public_key_base58 = kp.public_key.map(|v| bs58::encode(v).into_string());
+        let private_key_base58 = kp.secret_key.map(|v| bs58::encode(v).into_string());
+
+        Self::new(Some(KeyPairOptions {
+          id: None,
+          controller: None,
+          private_key_base58,
+          public_key_base58,
+        }))
+      }
+    }
+  }
+
+  #[napi(factory)]
+  pub async fn from(options: KeyPairOptions) -> Self {
+    Bls12381G2KeyPair::new(Some(options))
+  }
+
+  #[napi(factory)]
+  pub async fn from_jwk(options: JwkKeyPairOptions) -> Result<Bls12381G2KeyPair> {
+    let JwkKeyPairOptions {
+      id,
+      controller,
+      private_key_jwk,
+      public_key_jwk,
+    } = options;
+
+    if let Some(jwk) = private_key_jwk {
+      assert_bls_12381_g2_private_jwk(&jwk)?;
+      let public_key_base58 = Some(convert_base64_url_to_base58(jwk.x)?);
+      let d = jwk
+        .d
+        .ok_or(napi::Error::from_reason("jwk.d value is none"))?;
+      let private_key_base58 = Some(convert_base64_url_to_base58(d)?);
+
+      let kp = Bls12381G2KeyPair::new(Some(KeyPairOptions {
+        id,
+        controller,
+        public_key_base58,
+        private_key_base58,
+      }));
+
+      Ok(kp)
+    } else if let Some(jwk) = public_key_jwk {
+      assert_bls_12381_g2_public_jwk(&jwk)?;
+      let public_key_base58 = Some(convert_base64_url_to_base58(jwk.x)?);
+      let kp = Bls12381G2KeyPair::new(Some(KeyPairOptions {
+        id,
+        controller,
+        public_key_base58,
+        private_key_base58: None,
+      }));
+
+      Ok(kp)
+    } else {
+      Err(napi::Error::from_reason("The JWK provided is not a valid"))
+    }
+  }
+
+  #[napi(factory)]
+  pub async fn from_fingerprint(
+    options: KeyPairFromFingerPrintOptions,
+  ) -> Result<Bls12381G2KeyPair> {
+    let KeyPairFromFingerPrintOptions {
+      id,
+      controller,
+      fingerprint,
+    } = options;
+    let mut chars = fingerprint.chars();
+    let head = chars
+      .next()
+      .ok_or(napi::Error::from_reason("fingerprint string is empty"))?
+      .to_string();
+
+    if head != MULTIBASE_ENCODED_BASE58_IDENTIFIER {
+      return Err(napi::Error::from_reason(
+      format!("Unsupported fingerprint type: expected first character to be `z` indicating base58 encoding, received {head}")
+    ));
+    };
+
+    let rest = chars.collect::<String>();
+    let buffer = bs58::decode(rest).into_vec().map_err(|err| {
+      napi::Error::from_reason(format!(
+        "failed to decode bs58 fingerprint to bytes. error: {err}"
+      ))
+    })?;
+
+    if buffer.len() != BLS12381G2_MULTICODEC_IDENTIFIER as usize {
+      return Err(napi::Error::from_reason(
+      format!("Unsupported public key length: expected `${DEFAULT_BLS12381_G2_PUBLIC_KEY_LENGTH}` received {}", buffer.len())
+    ));
+    }
+
+    if buffer[0] != DEFAULT_BLS12381_G2_PUBLIC_KEY_LENGTH {
+      return Err(napi::Error::from_reason(
+      format!("Unsupported public key identifier: expected second character to be {BLS12381G2_MULTICODEC_IDENTIFIER} indicating BLS12381G2 key pair, received  {}", buffer[0])
+    ));
+    }
+
+    if buffer[1] != VARIABLE_INTEGER_TRAILING_BYTE {
+      return Err(napi::Error::from_reason(
+      format!("Missing variable integer trailing byte: expected third character to be {BLS12381G2_MULTICODEC_IDENTIFIER} indicating BLS12381G2 key pair, received  {}", buffer[1])
+    ));
+    }
+
+    let pubkey_base58 = bs58::encode(buffer).into_string();
+    let opts = FingerPrintFromPublicKeyOptions {
+      public_key_base58: pubkey_base58.clone(),
+    };
+    let fingerprint = Bls12381G2KeyPair::fingerprint_from_public_key(opts).map_err(|err| {
+      napi::Error::from_reason(format!("fingerprint_from_public_key failed. error: {err}"))
+    })?;
+    let mapped_controller = match controller {
+      Some(v) => v,
+      None => {
+        format!("did:key:{fingerprint}",)
+      }
+    };
+
+    let mapped_id = match id {
+      Some(v) => v,
+      None => {
+        format!("#{fingerprint}",)
+      }
+    };
+
+    let kp = Bls12381G2KeyPair::new(Some(KeyPairOptions {
+      id: Some(mapped_id),
+      controller: Some(mapped_controller),
+      public_key_base58: Some(pubkey_base58),
+      private_key_base58: None,
+    }));
+
+    Ok(kp)
+  }
+
+  #[napi(getter)]
+  pub fn public_key(&self) -> Option<String> {
+    self
+      .public_key_inner
+      .clone()
+      .map(|b| bs58::encode(b).into_string())
+  }
+
+  #[napi(getter)]
+  pub fn public_key_buffer(&self) -> Buffer {
+    self.public_key_inner.clone().unwrap().into()
+  }
+
+  #[napi(getter)]
+  pub fn private_key_buffer(&self) -> Buffer {
+    self.private_key_inner.clone().unwrap().into()
+  }
+
+  #[napi]
+  pub fn public_key_jwk(&self) -> Result<JsonWebKey> {
+    let Some(ref public_key_inner) = self.public_key_inner else {
+      return Err(napi::Error::from_reason("no public_key_inner"));
+    };
+
+    Ok(JsonWebKey {
+      kid: self.id.to_owned(),
+      kty: JwkKty::EC.into(),
+      crv: BlsCurveName::G2.into(),
+      x: URL_SAFE_NO_PAD.encode(public_key_inner),
+      use_: None,
+      key_ops: None,
+      alg: None,
+      d: None,
+      y: None,
+      ext: None,
+    })
+  }
+
+  #[napi(getter)]
+  pub fn private_key(&self) -> Option<String> {
+    self
+      .private_key_inner
+      .clone()
+      .map(|b| bs58::encode(b).into_string())
+  }
+
+  #[napi]
+  pub fn private_key_jwk(&self) -> Result<JsonWebKey> {
+    let Some(ref public_key_inner) = self.public_key_inner else {
+      return Err(napi::Error::from_reason("no public_key_inner"));
+    };
+
+    let Some(ref private_key_inner) = self.private_key_inner else {
+      return Err(napi::Error::from_reason("no private_key_inner"));
+    };
+
+    Ok(JsonWebKey {
+      kid: self.id.to_owned(),
+      kty: JwkKty::EC.into(),
+      crv: BlsCurveName::G2.into(),
+      x: URL_SAFE_NO_PAD.encode(public_key_inner),
+      d: Some(URL_SAFE_NO_PAD.encode(private_key_inner)),
+      use_: None,
+      key_ops: None,
+      alg: None,
+      y: None,
+      ext: None,
+    })
+  }
+
+  #[napi]
+  pub fn signer(&self) -> KeyPairSigner {
+    KeyPairSigner { key: self.clone() }
+  }
+
+  #[napi]
+  pub fn verifier(&self) -> KeyPairVerifier {
+    KeyPairVerifier { key: self.clone() }
+  }
+
+  #[napi]
+  pub fn fingerprint(&self) -> Result<String> {
+    let Some(public_key_base58) = self.public_key() else {
+      return Err(napi::Error::from_reason("no public key"));
+    };
+    Bls12381G2KeyPair::fingerprint_from_public_key(FingerPrintFromPublicKeyOptions {
+      public_key_base58,
+    })
+  }
+
+  #[napi]
+  pub fn fingerprint_from_public_key(options: FingerPrintFromPublicKeyOptions) -> Result<String> {
+    let FingerPrintFromPublicKeyOptions { public_key_base58 } = options;
+    let mut key_bytes = bs58::decode(public_key_base58).into_vec().map_err(|err| {
+      napi::Error::from_reason(format!(
+        "failed to decode public_key_base58 value. error: {err}"
+      ))
+    })?;
+
+    let mut buffer = vec![
+      BLS12381G2_MULTICODEC_IDENTIFIER,
+      VARIABLE_INTEGER_TRAILING_BYTE,
+    ];
+    buffer.append(&mut key_bytes);
+
+    Ok(format!(
+      "{}{}",
+      MULTIBASE_ENCODED_BASE58_IDENTIFIER,
+      bs58::encode(buffer).into_string()
+    ))
+  }
+
+  #[napi]
+  pub fn verify_fingerprint(&self, fingerprint: String) -> Result<()> {
+    // fingerprint should have `z` prefix indicating
+    // that it's multi-base encoded
+    let mut chars = fingerprint.chars();
+    let head = chars
+      .next()
+      .ok_or(napi::Error::from_reason("fingerprint string is empty"))?
+      .to_string();
+
+    let rest = chars.collect::<String>();
+
+    if head != MULTIBASE_ENCODED_BASE58_IDENTIFIER {
+      return Err(napi::Error::from_reason(
+        "`fingerprint` must be a multibase encoded string.",
+      ));
+    };
+
+    let fingerprint_buffer = bs58::decode(rest).into_vec().map_err(|err| {
+      napi::Error::from_reason(format!("failed to decode bs58 value: error: {err}"))
+    })?;
+
+    let public_key_inner = self
+      .public_key_inner
+      .clone()
+      .ok_or(napi::Error::from_reason("public key buffer is missing"))?;
+
+    let leader = hex::encode(&fingerprint_buffer[..2]);
+    let leader_match = if leader == "eb01" { true } else { false };
+    let bytes_match = if &public_key_inner == &fingerprint_buffer[2..] {
+      true
+    } else {
+      false
+    };
+
+    if leader_match && bytes_match {
+      Ok(())
+    } else {
+      Err(napi::Error::from_reason(
+        "The fingerprint does not match the public key",
+      ))
+    }
+  }
+}
+
+pub fn convert_base64_url_to_base58(value: String) -> Result<String> {
+  let decoded = URL_SAFE.decode(value).map_err(|err| {
+    napi::Error::from_reason(format!("failed to decode base64 url_safe. error {err}"))
+  })?;
+  Ok(bs58::encode(decoded).into_string())
+}
+
+#[derive(Clone)]
+#[napi]
+pub struct KeyPairSigner {
+  key: Bls12381G2KeyPair,
+}
+
+#[napi(object)]
+pub struct KeyPairSignerOptions {
+  pub data: Vec<Uint8Array>,
+}
+
+#[napi]
+impl KeyPairSigner {
+  #[napi]
+  pub async fn sign(&self, options: KeyPairSignerOptions) -> Result<Uint8Array> {
+    if self.key.private_key_inner.is_none() {
+      return Err(napi::Error::from_reason("No private key to sign with."));
+    }
+
+    let messages: Vec<Vec<u8>> = options.data.into_iter().map(|x| x.to_vec()).collect();
+    let key_pair = BlsKeyPair {
+      public_key: self.key.public_key_inner.clone(),
+      secret_key: self.key.private_key_inner.clone(),
+    };
+    let sig = bls_sign(BlsBbsSignRequest { messages, key_pair })
+      .await
+      .map_err(|err| napi::Error::from_reason(format!("bls_signed failed: {err}")))?;
+
+    Ok(Uint8Array::from(sig))
+  }
+}
+
+#[napi]
+pub struct KeyPairVerifier {
+  key: Bls12381G2KeyPair,
+}
+
+#[napi(object)]
+pub struct KeyPairVerifierOptions {
+  pub data: Vec<Uint8Array>,
+  pub signature: Uint8Array,
+}
+
+#[napi]
+impl KeyPairVerifier {
+  #[napi]
+  pub async fn verify(&self, options: KeyPairVerifierOptions) -> Result<bool> {
+    let KeyPairVerifierOptions { data, signature } = options;
+    let Some(public_key) = self.key.public_key_inner.clone() else {
+      return Err(napi::Error::from_reason(
+        "key.public_key is required for verify",
+      ));
+    };
+    let signature = signature.to_vec();
+    let messages = data.into_iter().map(|a| a.to_vec()).collect::<Vec<_>>();
+
+    let verified = bls_verify(BlsBbsVerifyRequest {
+      public_key,
+      signature,
+      messages,
+    })
+    .await
+    .map_err(|err| napi::Error::from_reason(format!("bls_verify failed: {err}")))?;
+
+    Ok(verified)
+  }
+}

package/src/{types.rs → bls_signatures/bls_12381_g2_keypair/types.rs}

@@ -1,16 +1,5 @@
 use napi::bindgen_prelude::*;
 
-#[derive(Clone)]
-#[napi]
-pub struct Bls12381G2KeyPair {
-  pub id: Option<String>,
-  pub controller: Option<String>,
-  pub private_key_inner: Option<Vec<u8>>,
-  pub public_key_inner: Option<Vec<u8>>,
-  #[napi(js_name = "type")]
-  pub type_: String,
-}
-
 #[napi(object)]
 pub struct KeyPairOptions {
   pub id: Option<String>,

package/src/{validators.rs → bls_signatures/bls_12381_g2_keypair/validators.rs}

@@ -1,4 +1,4 @@
-use crate::types::{BlsCurveName, JsonWebKey, JwkKty};
+use super::types::{BlsCurveName, JsonWebKey, JwkKty};
 
 pub fn check_common_bls_jwk_values(jwk: &JsonWebKey) -> napi::Result<()> {
   BlsCurveName::try_from(jwk.crv.as_str())?;

package/src/bls_signatures/bound_bls_12381_g2_keypair/mod.rs

@@ -0,0 +1,70 @@
+#![allow(dead_code)]
+use napi::bindgen_prelude::*;
+
+use super::bls_12381_g2_keypair::Bls12381G2KeyPair;
+use types::BoundKeyPairOptions;
+
+pub mod types;
+
+#[napi]
+pub struct BoundBls12381G2KeyPair {
+  inner: Bls12381G2KeyPair,
+  commitment_bytes: Vec<u8>,
+  blinded_indices: Vec<usize>,
+}
+
+#[napi]
+impl BoundBls12381G2KeyPair {
+  #[napi(constructor)]
+  pub fn new(options: BoundKeyPairOptions) -> Self {
+    let inner = Bls12381G2KeyPair::new(Some(
+      super::bls_12381_g2_keypair::types::KeyPairOptions {
+        id: options.id,
+        controller: options.controller,
+        public_key_base58: options.public_key_base58,
+        private_key_base58: options.private_key_base58,
+      },
+    ));
+
+    Self {
+      inner,
+      commitment_bytes: options.commitment.to_vec(),
+      blinded_indices: options.blinded.iter().map(|&i| i as usize).collect(),
+    }
+  }
+
+  #[napi(factory)]
+  pub fn from(options: BoundKeyPairOptions) -> Self {
+    Self::new(options)
+  }
+
+  #[napi(getter)]
+  pub fn commitment(&self) -> Uint8Array {
+    Uint8Array::from(self.commitment_bytes.clone())
+  }
+
+  #[napi(getter)]
+  pub fn blinded(&self) -> Vec<u32> {
+    self.blinded_indices.iter().map(|&i| i as u32).collect()
+  }
+
+  /// Convert to a Rust core BoundBls12381G2KeyPair for use in signing.
+  pub(crate) fn to_rust_bound_key(
+    &self,
+  ) -> vc::jsonld::signatures::bbs::bound_keypair::BoundBls12381G2KeyPair {
+    let rust_key = vc::jsonld::signatures::bbs::bls_12381_g2_keypair::Bls12381G2KeyPair::new(
+      Some(vc::jsonld::signatures::bbs::bls_12381_g2_keypair::types::KeyPairOptions {
+        id: self.inner.id.clone(),
+        controller: self.inner.controller.clone(),
+        public_key_base58: self.inner.public_key(),
+        private_key_base58: self.inner.private_key(),
+      }),
+    );
+
+    vc::jsonld::signatures::bbs::bound_keypair::BoundBls12381G2KeyPair::new(
+      rust_key,
+      self.commitment_bytes.clone(),
+      self.blinded_indices.clone(),
+    )
+  }
+}

package/src/bls_signatures/bound_bls_12381_g2_keypair/types.rs

@@ -0,0 +1,11 @@
+use napi::bindgen_prelude::*;
+
+#[napi(object)]
+pub struct BoundKeyPairOptions {
+  pub id: Option<String>,
+  pub controller: Option<String>,
+  pub public_key_base58: Option<String>,
+  pub private_key_base58: Option<String>,
+  pub commitment: Uint8Array,
+  pub blinded: Vec<u32>,
+}

package/src/bls_signatures/mod.rs

@@ -0,0 +1,6 @@
+mod bbs_bls_holder_bound_signature_2022;
+mod bbs_bls_holder_bound_signature_proof_2022;
+mod bbs_bls_signature_2020;
+mod bbs_bls_signature_proof_2020;
+mod bls_12381_g2_keypair;
+mod bound_bls_12381_g2_keypair;