@nuggetslife/vc 0.0.21 → 0.0.24

package/generate_golden_files.mjs

@@ -0,0 +1,181 @@
+/**
+ * generate_golden_files.mjs
+ *
+ * Generates golden-file signed VCs using the @mattrglobal library.
+ * These fixtures are saved as static JSON for backward compatibility testing
+ * against the new NAPI-based implementation.
+ *
+ * Outputs:
+ *   test-data/golden/mattrglobal-signed-prc.json   (BbsBlsSignature2020 signed VC)
+ *   test-data/golden/mattrglobal-derived-prc.json   (BbsBlsSignatureProof2020 derived proof)
+ *
+ * Usage:
+ *   node generate_golden_files.mjs
+ */
+
+import { readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { createRequire } from 'node:module';
+
+// @mattrglobal libraries (CJS, loaded via createRequire)
+const require = createRequire(import.meta.url);
+const { Bls12381G2KeyPair } = require('@mattrglobal/bls12381-key-pair');
+const {
+  BbsBlsSignature2020,
+  BbsBlsSignatureProof2020,
+  deriveProof,
+} = require('@mattrglobal/jsonld-signatures-bbs');
+const { sign, purposes, extendContextLoader } = require('jsonld-signatures');
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const dataDir = resolve(__dirname, 'test-data');
+const goldenDir = resolve(dataDir, 'golden');
+const loadJson = (name) => JSON.parse(readFileSync(resolve(dataDir, name), 'utf8'));
+
+// Load test data
+const inputDocument = loadJson('inputDocument.json');
+const keyPairJson = loadJson('keyPair.json');
+const controllerDocument = loadJson('controllerDocument.json');
+const citizenVocab = loadJson('citizenVocab.json');
+const bbsContext = loadJson('bbs.json');
+const credentialsContext = loadJson('credentialsContext.json');
+const suiteContext = loadJson('suiteContext.json');
+const revealDocument = loadJson('deriveProofFrame.json');
+
+// Build document loader (same pattern as test_jsonld_crossverify.mjs)
+const documents = {
+  "did:example:489398593#test": keyPairJson,
+  "did:example:489398593": controllerDocument,
+  "https://w3id.org/citizenship/v1": citizenVocab,
+  "https://w3id.org/security/bbs/v1": bbsContext,
+  "https://www.w3.org/2018/credentials/v1": credentialsContext,
+  "https://w3id.org/security/suites/jws-2020/v1": suiteContext,
+};
+
+const customDocLoader = (url) => {
+  const context = documents[url];
+  if (context) {
+    return { contextUrl: null, document: context, documentUrl: url };
+  }
+  throw new Error(`Attempted to remote load context: '${url}', please cache instead`);
+};
+const documentLoader = extendContextLoader(customDocLoader);
+
+async function main() {
+  // Ensure golden directory exists
+  mkdirSync(goldenDir, { recursive: true });
+
+  // ---------- Step 1: Sign the PRC document ----------
+  console.log('Creating key pair from test data...');
+  const keyPair = await Bls12381G2KeyPair.from({
+    id: keyPairJson.id,
+    controller: keyPairJson.controller,
+    publicKeyBase58: keyPairJson.publicKeyBase58,
+    privateKeyBase58: keyPairJson.privateKeyBase58,
+  });
+
+  const suite = new BbsBlsSignature2020({ key: keyPair });
+
+  console.log('Signing inputDocument with @mattrglobal BbsBlsSignature2020...');
+  const signedDocument = await sign(inputDocument, {
+    suite,
+    purpose: new purposes.AssertionProofPurpose(),
+    documentLoader,
+  });
+
+  const signedPath = resolve(goldenDir, 'mattrglobal-signed-prc.json');
+  writeFileSync(signedPath, JSON.stringify(signedDocument, null, 2) + '\n');
+  console.log(`  Saved signed document to: ${signedPath}`);
+  console.log(`  Proof type: ${signedDocument.proof.type}`);
+  console.log(`  Verification method: ${signedDocument.proof.verificationMethod}`);
+
+  // ---------- Step 2: Derive a proof ----------
+  console.log('Deriving proof with @mattrglobal BbsBlsSignatureProof2020...');
+  const derivedDocument = await deriveProof(signedDocument, revealDocument, {
+    suite: new BbsBlsSignatureProof2020(),
+    documentLoader,
+  });
+
+  const derivedPath = resolve(goldenDir, 'mattrglobal-derived-prc.json');
+  writeFileSync(derivedPath, JSON.stringify(derivedDocument, null, 2) + '\n');
+  console.log(`  Saved derived document to: ${derivedPath}`);
+  console.log(`  Proof type: ${derivedDocument.proof.type}`);
+  console.log(`  Nonce present: ${!!derivedDocument.proof.nonce}`);
+
+  // ---------- Step 3: Verify both documents ----------
+  console.log('Verifying signed document...');
+  const { verify } = require('jsonld-signatures');
+  const verifySignedResult = await verify(signedDocument, {
+    suite: new BbsBlsSignature2020(),
+    purpose: new purposes.AssertionProofPurpose(),
+    documentLoader,
+  });
+  console.log(`  Signed document verified: ${verifySignedResult.verified}`);
+  if (!verifySignedResult.verified) {
+    console.error('  ERROR:', verifySignedResult.error);
+    process.exit(1);
+  }
+
+  console.log('Verifying derived document...');
+  const verifyDerivedResult = await verify(derivedDocument, {
+    suite: new BbsBlsSignatureProof2020(),
+    purpose: new purposes.AssertionProofPurpose(),
+    documentLoader,
+  });
+  console.log(`  Derived document verified: ${verifyDerivedResult.verified}`);
+  if (!verifyDerivedResult.verified) {
+    console.error('  ERROR:', verifyDerivedResult.error);
+    process.exit(1);
+  }
+
+  // ---------- Step 4: Sign additional VC variants ----------
+  // These test different field counts (BBS+ signatures depend on statement count)
+
+  const loadGolden = (name) => JSON.parse(readFileSync(resolve(goldenDir, name), 'utf8'));
+
+  // Minimal VC (few fields)
+  const minimalDoc = loadGolden('inputDocument-minimal.json');
+  console.log('Signing minimal VC (few fields)...');
+  const signedMinimal = await sign(minimalDoc, {
+    suite: new BbsBlsSignature2020({ key: keyPair }),
+    purpose: new purposes.AssertionProofPurpose(),
+    documentLoader,
+  });
+  const minimalPath = resolve(goldenDir, 'mattrglobal-signed-minimal.json');
+  writeFileSync(minimalPath, JSON.stringify(signedMinimal, null, 2) + '\n');
+  console.log(`  Saved: ${minimalPath}`);
+
+  // Rich VC (many fields, similar to Nuggets identity credentials)
+  const richDoc = loadGolden('inputDocument-rich.json');
+  console.log('Signing rich VC (many fields)...');
+  const signedRich = await sign(richDoc, {
+    suite: new BbsBlsSignature2020({ key: keyPair }),
+    purpose: new purposes.AssertionProofPurpose(),
+    documentLoader,
+  });
+  const richPath = resolve(goldenDir, 'mattrglobal-signed-rich.json');
+  writeFileSync(richPath, JSON.stringify(signedRich, null, 2) + '\n');
+  console.log(`  Saved: ${richPath}`);
+
+  // Verify additional variants
+  for (const [name, doc] of [['minimal', signedMinimal], ['rich', signedRich]]) {
+    const result = await verify(doc, {
+      suite: new BbsBlsSignature2020(),
+      purpose: new purposes.AssertionProofPurpose(),
+      documentLoader,
+    });
+    console.log(`  ${name} VC verified: ${result.verified}`);
+    if (!result.verified) {
+      console.error('  ERROR:', result.error);
+      process.exit(1);
+    }
+  }
+
+  console.log('\nAll golden files generated and verified successfully.');
+}
+
+main().catch((err) => {
+  console.error('Fatal error:', err);
+  process.exit(1);
+});

package/index.d.ts

@@ -3,6 +3,24 @@
 
 /* auto-generated by NAPI-RS */
 
+export interface Bbs2023VerifyOutput {
+  verified: boolean
+  error?: string
+}
+export declare function bbs2023Sign(options: any): any
+export declare function bbs2023Derive(options: any): any
+export declare function bbs2023Verify(document: any, publicKey?: string | undefined | null): Bbs2023VerifyOutput
+export interface BbsIetfKeyPair {
+  /** Hex-encoded secret key (32 bytes) */
+  secretKey: string
+  /** Hex-encoded public key (96 bytes, compressed G2) */
+  publicKey: string
+}
+export declare function bbsIetfKeygen(ikm?: Buffer | undefined | null, keyInfo?: Buffer | undefined | null, ciphersuite?: string | undefined | null): BbsIetfKeyPair
+export declare function bbsIetfSign(secretKey: Buffer, publicKey: Buffer, header: Buffer | undefined | null, messages: Array<string>, ciphersuite?: string | undefined | null): Buffer
+export declare function bbsIetfVerify(publicKey: Buffer, signature: Buffer, header: Buffer | undefined | null, messages: Array<string>, ciphersuite?: string | undefined | null): boolean
+export declare function bbsIetfProofGen(publicKey: Buffer, signature: Buffer, header: Buffer | undefined | null, presentationHeader: Buffer | undefined | null, messages: Array<string>, disclosedIndices: Array<number>, ciphersuite?: string | undefined | null): Buffer
+export declare function bbsIetfProofVerify(publicKey: Buffer, proof: Buffer, header: Buffer | undefined | null, presentationHeader: Buffer | undefined | null, disclosedMessages: any, totalMessageCount: number, ciphersuite?: string | undefined | null): boolean
 export interface BoundSignatureSuiteOptions {
   key?: KeyPairOptions
   verificationMethod?: string
@@ -164,6 +182,120 @@ export interface BoundKeyPairOptions {
   commitment: Uint8Array
   blinded: Array<number>
 }
+export const enum JoseNamedCurve {
+  P256 = 0,
+  P384 = 1,
+  P521 = 2,
+  Secp256k1 = 3,
+  Ed25519 = 4,
+  Ed448 = 5,
+  X25519 = 6,
+  X448 = 7
+}
+export const enum JoseContentEncryption {
+  A128gcm = 0,
+  A192gcm = 1,
+  A256gcm = 2,
+  A128cbcHs256 = 3,
+  A192cbcHs384 = 4,
+  A256cbcHs512 = 5
+}
+export const enum JoseKeyEncryption {
+  Dir = 0,
+  EcdhEs = 1,
+  EcdhEsA128kw = 2,
+  EcdhEsA192kw = 3,
+  EcdhEsA256kw = 4,
+  Rsa1_5 = 5,
+  RsaOaep = 6,
+  RsaOaep256 = 7,
+  RsaOaep384 = 8,
+  RsaOaep512 = 9,
+  Pbes2Hs256A128kw = 10,
+  Pbes2Hs384A192kw = 11,
+  Pbes2Hs512A256kw = 12,
+  A128kw = 13,
+  A192kw = 14,
+  A256kw = 15,
+  A128gcmkw = 16,
+  A192gcmkw = 17,
+  A256gcmkw = 18
+}
+export const enum JoseSigningAlgorithm {
+  Es256 = 0,
+  Es384 = 1,
+  Es512 = 2,
+  Es256k = 3,
+  Eddsa = 4,
+  Hs256 = 5,
+  Hs384 = 6,
+  Hs512 = 7,
+  Rs256 = 8,
+  Rs384 = 9,
+  Rs512 = 10,
+  Ps256 = 11,
+  Ps384 = 12,
+  Ps512 = 13
+}
+export interface JoseEncryptResult {
+  ciphertext: string
+  tag?: string
+}
+/**
+ * Generate a JWK key pair and return the JWK (public + private) as a JSON object.
+ * Matches ffi-jose `generateJWK({ namedCurve })`.
+ */
+export declare function generateJwk(namedCurve: JoseNamedCurve): any
+/**
+ * Generate a full key pair (JWK, PEM, DER formats) and return as a JSON object.
+ * Matches ffi-jose `generateKeyPair(type, { namedCurve })`.
+ */
+export declare function generateKeyPair(namedCurve: JoseNamedCurve): any
+/**
+ * Low-level symmetric encryption. Key and IV as hex strings, plaintext as base64.
+ * Matches ffi-jose `encrypt(enc, plaintext, cek, iv, aad, didcomm)`.
+ */
+export declare function joseEncrypt(enc: JoseContentEncryption, key: string, iv: string, message: string, aad?: string | undefined | null): JoseEncryptResult
+/**
+ * Low-level symmetric decryption. Returns base64-encoded plaintext.
+ * Matches ffi-jose `decrypt(enc, cek, ciphertext, iv, tag, aad)`.
+ */
+export declare function joseDecrypt(enc: JoseContentEncryption, key: string, iv: string, ciphertext: string, aad?: string | undefined | null, tag?: string | undefined | null): string
+/**
+ * Encrypt a JSON payload for one or more recipients using JWE General JSON serialization.
+ * Matches ffi-jose `generalEncryptJson(alg, enc, payload, recipients, didcomm)`.
+ */
+export declare function generalEncryptJson(alg: JoseKeyEncryption, enc: JoseContentEncryption, payload: any, recipients: Array<any>, didcomm?: boolean | undefined | null): any
+/**
+ * Decrypt a JWE JSON object using a JWK private key.
+ * Matches ffi-jose `decryptJson(jwe, jwk)`.
+ */
+export declare function decryptJson(jwe: any, jwk: any): any
+/**
+ * Sign a JSON payload using JWS Compact serialization.
+ * Matches ffi-jose `compactSignJson(alg, payload, jwk, didcomm)`.
+ */
+export declare function compactSignJson(alg: JoseSigningAlgorithm, payload: any, jwk: any, didcomm?: boolean | undefined | null): string
+/**
+ * Verify a JWS Compact serialization and return the payload.
+ * Matches ffi-jose `compactJsonVerify(jws, jwk)`.
+ */
+export declare function compactJsonVerify(jws: string, jwk: any): any
+/**
+ * Sign a JSON payload using JWS Flattened JSON serialization.
+ * Matches ffi-jose `flattenedSignJson(alg, payload, jwk, didcomm)`.
+ */
+export declare function flattenedSignJson(alg: JoseSigningAlgorithm, payload: any, jwk: any, didcomm?: boolean | undefined | null): any
+/**
+ * Verify a JWS Flattened or General JSON serialization and return the payload.
+ * Matches ffi-jose `jsonVerify(jws, jwk)`.
+ */
+export declare function jsonVerify(jws: any, jwk: any): any
+/**
+ * Sign a JSON payload using JWS General JSON serialization with multiple signers.
+ * Matches ffi-jose `generalSignJson(payload, jwks, didcomm)`.
+ */
+export declare function generalSignJson(payload: any, jwks: Array<any>, didcomm?: boolean | undefined | null): any
 /**
  * Sign a document with BbsBlsSignature2020 and embed the proof.
  *
@@ -222,6 +354,28 @@ export declare function unblindSignature(blindSignature: Uint8Array, blindingFac
  * Output: derived document JSON with embedded proof
  */
 export declare function deriveProofHolderBound(proofDocument: any, revealDocument: any, options: any): Promise<any>
+export interface SdJwtDisclosure {
+  salt: string
+  claimName: string
+  claimValue: any
+  encoded: string
+  digest: string
+}
+export interface SdJwtIssueOutput {
+  sdJwt: string
+  disclosures: Array<SdJwtDisclosure>
+}
+export interface SdJwtPresentOutput {
+  presentation: string
+}
+export interface SdJwtVerifyOutput {
+  verified: boolean
+  claims: any
+  error?: string
+}
+export declare function sdJwtIssue(claims: any, disclosable: Array<string>, jwk: any, alg: string, holderJwk?: any | undefined | null, decoyCount?: number | undefined | null): SdJwtIssueOutput
+export declare function sdJwtPresent(sdJwt: string, disclosuresToReveal: Array<string>, kbJwk?: any | undefined | null, kbAlg?: string | undefined | null, audience?: string | undefined | null, nonce?: string | undefined | null): SdJwtPresentOutput
+export declare function sdJwtVerify(presentation: string, issuerJwk: any, holderJwk?: any | undefined | null, audience?: string | undefined | null, nonce?: string | undefined | null): SdJwtVerifyOutput
 export declare class BbsBlsHolderBoundSignature2022 {
   type: string
   constructor(options?: BoundSignatureSuiteOptions | undefined | null)

package/index.js

@@ -310,8 +310,16 @@ if (!nativeBinding) {
   throw new Error(`Failed to load native binding`)
 }
 
-const { BbsBlsHolderBoundSignature2022, BbsBlsHolderBoundSignatureProof2022, BbsBlsSignature2020, BbsBlsSignatureProof2020, Bls12381G2KeyPair, KeyPairSigner, KeyPairVerifier, BoundBls12381G2KeyPair, JsonLd, ldSign, ldVerify, ldDeriveProof, deriveProof, createCommitment, verifyCommitment, unblindSignature, deriveProofHolderBound } = nativeBinding
+const { bbs2023Sign, bbs2023Derive, bbs2023Verify, bbsIetfKeygen, bbsIetfSign, bbsIetfVerify, bbsIetfProofGen, bbsIetfProofVerify, BbsBlsHolderBoundSignature2022, BbsBlsHolderBoundSignatureProof2022, BbsBlsSignature2020, BbsBlsSignatureProof2020, Bls12381G2KeyPair, KeyPairSigner, KeyPairVerifier, BoundBls12381G2KeyPair, JoseNamedCurve, JoseContentEncryption, JoseKeyEncryption, JoseSigningAlgorithm, generateJwk, generateKeyPair, joseEncrypt, joseDecrypt, generalEncryptJson, decryptJson, compactSignJson, compactJsonVerify, flattenedSignJson, jsonVerify, generalSignJson, JsonLd, ldSign, ldVerify, ldDeriveProof, deriveProof, createCommitment, verifyCommitment, unblindSignature, deriveProofHolderBound, sdJwtIssue, sdJwtPresent, sdJwtVerify } = nativeBinding
 
+module.exports.bbs2023Sign = bbs2023Sign
+module.exports.bbs2023Derive = bbs2023Derive
+module.exports.bbs2023Verify = bbs2023Verify
+module.exports.bbsIetfKeygen = bbsIetfKeygen
+module.exports.bbsIetfSign = bbsIetfSign
+module.exports.bbsIetfVerify = bbsIetfVerify
+module.exports.bbsIetfProofGen = bbsIetfProofGen
+module.exports.bbsIetfProofVerify = bbsIetfProofVerify
 module.exports.BbsBlsHolderBoundSignature2022 = BbsBlsHolderBoundSignature2022
 module.exports.BbsBlsHolderBoundSignatureProof2022 = BbsBlsHolderBoundSignatureProof2022
 module.exports.BbsBlsSignature2020 = BbsBlsSignature2020
@@ -320,6 +328,21 @@ module.exports.Bls12381G2KeyPair = Bls12381G2KeyPair
 module.exports.KeyPairSigner = KeyPairSigner
 module.exports.KeyPairVerifier = KeyPairVerifier
 module.exports.BoundBls12381G2KeyPair = BoundBls12381G2KeyPair
+module.exports.JoseNamedCurve = JoseNamedCurve
+module.exports.JoseContentEncryption = JoseContentEncryption
+module.exports.JoseKeyEncryption = JoseKeyEncryption
+module.exports.JoseSigningAlgorithm = JoseSigningAlgorithm
+module.exports.generateJwk = generateJwk
+module.exports.generateKeyPair = generateKeyPair
+module.exports.joseEncrypt = joseEncrypt
+module.exports.joseDecrypt = joseDecrypt
+module.exports.generalEncryptJson = generalEncryptJson
+module.exports.decryptJson = decryptJson
+module.exports.compactSignJson = compactSignJson
+module.exports.compactJsonVerify = compactJsonVerify
+module.exports.flattenedSignJson = flattenedSignJson
+module.exports.jsonVerify = jsonVerify
+module.exports.generalSignJson = generalSignJson
 module.exports.JsonLd = JsonLd
 module.exports.ldSign = ldSign
 module.exports.ldVerify = ldVerify
@@ -329,3 +352,6 @@ module.exports.createCommitment = createCommitment
 module.exports.verifyCommitment = verifyCommitment
 module.exports.unblindSignature = unblindSignature
 module.exports.deriveProofHolderBound = deriveProofHolderBound
+module.exports.sdJwtIssue = sdJwtIssue
+module.exports.sdJwtPresent = sdJwtPresent
+module.exports.sdJwtVerify = sdJwtVerify

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nuggetslife/vc",
-  "version": "0.0.21",
+  "version": "0.0.24",
   "main": "index.js",
   "types": "index.d.ts",
   "napi": {
@@ -22,10 +22,7 @@
     "@mattrglobal/jsonld-signatures-bbs": "^1.2.0",
     "@napi-rs/cli": "^2.18.3",
     "@types/node": "^20.14.9",
-    "ava": "^6.0.1"
-  },
-  "ava": {
-    "timeout": "3m"
+    "jsonld": "^8.3.3"
   },
   "engines": {
     "node": ">= 10"
@@ -35,17 +32,17 @@
     "build": "napi build --platform --release",
     "build:debug": "napi build --platform",
     "prepublishOnly": "napi prepublish -t npm",
-    "test": "ava",
+    "test": "node test.mjs && node test_jose.mjs && node test_sd_jwt.mjs && node test_jsonld_crossverify.mjs && node test_backward_compat.mjs",
     "universal": "napi universal",
     "version": "napi version"
   },
   "packageManager": "yarn@4.3.1",
   "optionalDependencies": {
-    "@nuggetslife/vc-darwin-arm64": "0.0.21",
-    "@nuggetslife/vc-linux-arm64-gnu": "0.0.21",
-    "@nuggetslife/vc-linux-arm64-musl": "0.0.21",
-    "@nuggetslife/vc-linux-x64-gnu": "0.0.21",
-    "@nuggetslife/vc-linux-x64-musl": "0.0.21"
+    "@nuggetslife/vc-darwin-arm64": "0.0.24",
+    "@nuggetslife/vc-linux-arm64-gnu": "0.0.24",
+    "@nuggetslife/vc-linux-arm64-musl": "0.0.24",
+    "@nuggetslife/vc-linux-x64-gnu": "0.0.24",
+    "@nuggetslife/vc-linux-x64-musl": "0.0.24"
   },
   "dependencies": {}
 }

package/src/bbs_2023.rs

@@ -0,0 +1,71 @@
+use serde_json::Value;
+
+// ---------------------------------------------------------------------------
+// Result types
+// ---------------------------------------------------------------------------
+
+#[napi(object)]
+pub struct Bbs2023VerifyOutput {
+    pub verified: bool,
+    pub error: Option<String>,
+}
+
+// ---------------------------------------------------------------------------
+// bbs2023Sign — create a base proof (issuer)
+// ---------------------------------------------------------------------------
+
+#[napi(js_name = "bbs2023Sign")]
+pub fn bbs2023_sign(options: Value) -> napi::Result<Value> {
+    let sign_opts: vc::bbs_2023::SignOptions = serde_json::from_value(options)
+        .map_err(|e| napi::Error::from_reason(format!("bbs2023Sign parse options: {e}")))?;
+
+    let rt = tokio::runtime::Runtime::new()
+        .map_err(|e| napi::Error::from_reason(format!("bbs2023Sign runtime: {e}")))?;
+
+    let result = rt
+        .block_on(vc::bbs_2023::create_base_proof(sign_opts))
+        .map_err(|e| napi::Error::from_reason(format!("bbs2023Sign failed: {e}")))?;
+
+    Ok(result)
+}
+
+// ---------------------------------------------------------------------------
+// bbs2023Derive — create a derived proof (holder)
+// ---------------------------------------------------------------------------
+
+#[napi(js_name = "bbs2023Derive")]
+pub fn bbs2023_derive(options: Value) -> napi::Result<Value> {
+    let derive_opts: vc::bbs_2023::DeriveOptions = serde_json::from_value(options)
+        .map_err(|e| napi::Error::from_reason(format!("bbs2023Derive parse options: {e}")))?;
+
+    let rt = tokio::runtime::Runtime::new()
+        .map_err(|e| napi::Error::from_reason(format!("bbs2023Derive runtime: {e}")))?;
+
+    let result = rt
+        .block_on(vc::bbs_2023::create_derived_proof(derive_opts))
+        .map_err(|e| napi::Error::from_reason(format!("bbs2023Derive failed: {e}")))?;
+
+    Ok(result)
+}
+
+// ---------------------------------------------------------------------------
+// bbs2023Verify — verify a base or derived proof
+// ---------------------------------------------------------------------------
+
+#[napi(js_name = "bbs2023Verify")]
+pub fn bbs2023_verify(
+    document: Value,
+    public_key: Option<String>,
+) -> napi::Result<Bbs2023VerifyOutput> {
+    let rt = tokio::runtime::Runtime::new()
+        .map_err(|e| napi::Error::from_reason(format!("bbs2023Verify runtime: {e}")))?;
+
+    let result = rt
+        .block_on(vc::bbs_2023::verify_proof(document, public_key))
+        .map_err(|e| napi::Error::from_reason(format!("bbs2023Verify failed: {e}")))?;
+
+    Ok(Bbs2023VerifyOutput {
+        verified: result.verified,
+        error: result.error,
+    })
+}