@nuggetslife/vc 0.0.21 → 0.0.24

package/src/bbs_ietf.rs

@@ -0,0 +1,255 @@
+use napi::bindgen_prelude::Buffer;
+use serde_json::Value;
+
+// ---------------------------------------------------------------------------
+// Result types
+// ---------------------------------------------------------------------------
+
+#[napi(object)]
+pub struct BbsIetfKeyPair {
+    /// Hex-encoded secret key (32 bytes)
+    pub secret_key: String,
+    /// Hex-encoded public key (96 bytes, compressed G2)
+    pub public_key: String,
+}
+
+// ---------------------------------------------------------------------------
+// Key Generation
+// ---------------------------------------------------------------------------
+
+#[napi(js_name = "bbsIetfKeygen")]
+pub fn bbs_ietf_keygen(
+    ikm: Option<Buffer>,
+    key_info: Option<Buffer>,
+    ciphersuite: Option<String>,
+) -> napi::Result<BbsIetfKeyPair> {
+    let ikm_bytes = ikm.as_deref();
+    let key_info_bytes = key_info.as_deref().unwrap_or(&[]);
+    let cs = ciphersuite.as_deref().unwrap_or("SHA-256");
+
+    let kp = match cs {
+        "SHAKE-256" => vc::bbs_ietf::keygen::<vc::bbs_ietf::Bls12381Shake256>(
+            ikm_bytes,
+            key_info_bytes,
+        ),
+        _ => vc::bbs_ietf::keygen::<vc::bbs_ietf::Bls12381Sha256>(
+            ikm_bytes,
+            key_info_bytes,
+        ),
+    }
+    .map_err(|e| napi::Error::from_reason(format!("bbsIetfKeygen: {e}")))?;
+
+    Ok(BbsIetfKeyPair {
+        secret_key: hex::encode(vc::bbs_ietf::serialize::scalar_to_bytes(&kp.secret_key.0)),
+        public_key: hex::encode(vc::bbs_ietf::serialize::point_to_octets_g2(&kp.public_key.0)),
+    })
+}
+
+// ---------------------------------------------------------------------------
+// Sign
+// ---------------------------------------------------------------------------
+
+#[napi(js_name = "bbsIetfSign")]
+pub fn bbs_ietf_sign(
+    secret_key: Buffer,
+    public_key: Buffer,
+    header: Option<Buffer>,
+    messages: Vec<String>,
+    ciphersuite: Option<String>,
+) -> napi::Result<Buffer> {
+    let sk = vc::bbs_ietf::serialize::bytes_to_scalar(&secret_key)
+        .map_err(|e| napi::Error::from_reason(format!("bbsIetfSign invalid SK: {e}")))?;
+    let pk_point = vc::bbs_ietf::serialize::octets_to_point_g2(&public_key)
+        .map_err(|e| napi::Error::from_reason(format!("bbsIetfSign invalid PK: {e}")))?;
+
+    let header = header.as_deref().unwrap_or(&[]);
+    let cs = ciphersuite.as_deref().unwrap_or("SHA-256");
+
+    let sk = vc::bbs_ietf::SecretKey(sk);
+    let pk = vc::bbs_ietf::PublicKey(pk_point);
+
+    let sig = match cs {
+        "SHAKE-256" => {
+            let scalars: Vec<_> = messages
+                .iter()
+                .map(|m| vc::bbs_ietf::map_message_to_scalar::<vc::bbs_ietf::Bls12381Shake256>(m.as_bytes()))
+                .collect();
+            vc::bbs_ietf::sign::<vc::bbs_ietf::Bls12381Shake256>(&sk, &pk, header, &scalars)
+        }
+        _ => {
+            let scalars: Vec<_> = messages
+                .iter()
+                .map(|m| vc::bbs_ietf::map_message_to_scalar::<vc::bbs_ietf::Bls12381Sha256>(m.as_bytes()))
+                .collect();
+            vc::bbs_ietf::sign::<vc::bbs_ietf::Bls12381Sha256>(&sk, &pk, header, &scalars)
+        }
+    }
+    .map_err(|e| napi::Error::from_reason(format!("bbsIetfSign: {e}")))?;
+
+    let bytes = vc::bbs_ietf::serialize_signature(&sig);
+    Ok(Buffer::from(bytes.to_vec()))
+}
+
+// ---------------------------------------------------------------------------
+// Verify
+// ---------------------------------------------------------------------------
+
+#[napi(js_name = "bbsIetfVerify")]
+pub fn bbs_ietf_verify(
+    public_key: Buffer,
+    signature: Buffer,
+    header: Option<Buffer>,
+    messages: Vec<String>,
+    ciphersuite: Option<String>,
+) -> napi::Result<bool> {
+    let pk_point = vc::bbs_ietf::serialize::octets_to_point_g2(&public_key)
+        .map_err(|e| napi::Error::from_reason(format!("bbsIetfVerify invalid PK: {e}")))?;
+    let sig = vc::bbs_ietf::deserialize_signature(&signature)
+        .map_err(|e| napi::Error::from_reason(format!("bbsIetfVerify invalid sig: {e}")))?;
+
+    let header = header.as_deref().unwrap_or(&[]);
+    let cs = ciphersuite.as_deref().unwrap_or("SHA-256");
+    let pk = vc::bbs_ietf::PublicKey(pk_point);
+
+    match cs {
+        "SHAKE-256" => {
+            let scalars: Vec<_> = messages
+                .iter()
+                .map(|m| vc::bbs_ietf::map_message_to_scalar::<vc::bbs_ietf::Bls12381Shake256>(m.as_bytes()))
+                .collect();
+            vc::bbs_ietf::verify::<vc::bbs_ietf::Bls12381Shake256>(&pk, &sig, header, &scalars)
+        }
+        _ => {
+            let scalars: Vec<_> = messages
+                .iter()
+                .map(|m| vc::bbs_ietf::map_message_to_scalar::<vc::bbs_ietf::Bls12381Sha256>(m.as_bytes()))
+                .collect();
+            vc::bbs_ietf::verify::<vc::bbs_ietf::Bls12381Sha256>(&pk, &sig, header, &scalars)
+        }
+    }
+    .map_err(|e| napi::Error::from_reason(format!("bbsIetfVerify: {e}")))
+}
+
+// ---------------------------------------------------------------------------
+// ProofGen
+// ---------------------------------------------------------------------------
+
+#[napi(js_name = "bbsIetfProofGen")]
+pub fn bbs_ietf_proof_gen(
+    public_key: Buffer,
+    signature: Buffer,
+    header: Option<Buffer>,
+    presentation_header: Option<Buffer>,
+    messages: Vec<String>,
+    disclosed_indices: Vec<u32>,
+    ciphersuite: Option<String>,
+) -> napi::Result<Buffer> {
+    let pk_point = vc::bbs_ietf::serialize::octets_to_point_g2(&public_key)
+        .map_err(|e| napi::Error::from_reason(format!("bbsIetfProofGen invalid PK: {e}")))?;
+    let sig = vc::bbs_ietf::deserialize_signature(&signature)
+        .map_err(|e| napi::Error::from_reason(format!("bbsIetfProofGen invalid sig: {e}")))?;
+
+    let header = header.as_deref().unwrap_or(&[]);
+    let ph = presentation_header.as_deref().unwrap_or(&[]);
+    let cs = ciphersuite.as_deref().unwrap_or("SHA-256");
+    let indices: Vec<usize> = disclosed_indices.iter().map(|&i| i as usize).collect();
+    let pk = vc::bbs_ietf::PublicKey(pk_point);
+
+    let proof = match cs {
+        "SHAKE-256" => {
+            let scalars: Vec<_> = messages
+                .iter()
+                .map(|m| vc::bbs_ietf::map_message_to_scalar::<vc::bbs_ietf::Bls12381Shake256>(m.as_bytes()))
+                .collect();
+            vc::bbs_ietf::proof_gen::<vc::bbs_ietf::Bls12381Shake256>(
+                &pk, &sig, header, ph, &scalars, &indices,
+            )
+        }
+        _ => {
+            let scalars: Vec<_> = messages
+                .iter()
+                .map(|m| vc::bbs_ietf::map_message_to_scalar::<vc::bbs_ietf::Bls12381Sha256>(m.as_bytes()))
+                .collect();
+            vc::bbs_ietf::proof_gen::<vc::bbs_ietf::Bls12381Sha256>(
+                &pk, &sig, header, ph, &scalars, &indices,
+            )
+        }
+    }
+    .map_err(|e| napi::Error::from_reason(format!("bbsIetfProofGen: {e}")))?;
+
+    Ok(Buffer::from(proof))
+}
+
+// ---------------------------------------------------------------------------
+// ProofVerify
+// ---------------------------------------------------------------------------
+
+#[napi(js_name = "bbsIetfProofVerify")]
+pub fn bbs_ietf_proof_verify(
+    public_key: Buffer,
+    proof: Buffer,
+    header: Option<Buffer>,
+    presentation_header: Option<Buffer>,
+    disclosed_messages: Value, // { "0": "msg0", "2": "msg2", ... }
+    total_message_count: u32,
+    ciphersuite: Option<String>,
+) -> napi::Result<bool> {
+    let pk_point = vc::bbs_ietf::serialize::octets_to_point_g2(&public_key)
+        .map_err(|e| napi::Error::from_reason(format!("bbsIetfProofVerify invalid PK: {e}")))?;
+
+    let header = header.as_deref().unwrap_or(&[]);
+    let ph = presentation_header.as_deref().unwrap_or(&[]);
+    let cs = ciphersuite.as_deref().unwrap_or("SHA-256");
+    let pk = vc::bbs_ietf::PublicKey(pk_point);
+
+    let obj = disclosed_messages
+        .as_object()
+        .ok_or_else(|| napi::Error::from_reason("disclosedMessages must be an object"))?;
+
+    match cs {
+        "SHAKE-256" => {
+            let disclosed: Vec<(usize, vc::bbs_ietf::Scalar)> = obj
+                .iter()
+                .map(|(k, v)| {
+                    let idx: usize = k.parse().map_err(|_| {
+                        napi::Error::from_reason(format!("invalid index: {k}"))
+                    })?;
+                    let msg_str = v.as_str().unwrap_or("");
+                    let scalar = vc::bbs_ietf::map_message_to_scalar::<vc::bbs_ietf::Bls12381Shake256>(msg_str.as_bytes());
+                    Ok((idx, scalar))
+                })
+                .collect::<napi::Result<_>>()?;
+            vc::bbs_ietf::proof_verify::<vc::bbs_ietf::Bls12381Shake256>(
+                &pk,
+                &proof,
+                header,
+                ph,
+                &disclosed,
+                total_message_count as usize,
+            )
+            .map_err(|e| napi::Error::from_reason(format!("bbsIetfProofVerify: {e}")))
+        }
+        _ => {
+            let disclosed: Vec<(usize, vc::bbs_ietf::Scalar)> = obj
+                .iter()
+                .map(|(k, v)| {
+                    let idx: usize = k.parse().map_err(|_| {
+                        napi::Error::from_reason(format!("invalid index: {k}"))
+                    })?;
+                    let msg_str = v.as_str().unwrap_or("");
+                    let scalar = vc::bbs_ietf::map_message_to_scalar::<vc::bbs_ietf::Bls12381Sha256>(msg_str.as_bytes());
+                    Ok((idx, scalar))
+                })
+                .collect::<napi::Result<_>>()?;
+            vc::bbs_ietf::proof_verify::<vc::bbs_ietf::Bls12381Sha256>(
+                &pk,
+                &proof,
+                header,
+                ph,
+                &disclosed,
+                total_message_count as usize,
+            )
+            .map_err(|e| napi::Error::from_reason(format!("bbsIetfProofVerify: {e}")))
+        }
+    }
+}

package/src/bls_signatures/bbs_bls_holder_bound_signature_2022/mod.rs

@@ -1,10 +1,10 @@
-#![allow(dead_code)]
 use napi::bindgen_prelude::*;
 use serde_json::json;
 use types::{BoundCreateProofOptions, BoundSignatureSuiteOptions, BoundVerifyProofOptions};
 
+use super::bbs_bls_signature_2020::napi_key_to_rust_key;
 use super::bls_12381_g2_keypair::Bls12381G2KeyPair;
-use crate::ld_signatures::{create_document_loader, parse_contexts};
+use crate::ld_signatures::loader_from_contexts;
 
 pub mod types;
 
@@ -80,22 +80,9 @@ impl BbsBlsHolderBoundSignature2022 {
     &self,
     options: BoundCreateProofOptions,
   ) -> Result<serde_json::Value> {
-    let additional_contexts = options
-      .contexts
-      .as_ref()
-      .map(|v| parse_contexts(&json!({ "contexts": v })))
-      .unwrap_or_default();
-    let (loader, cr) = create_document_loader(additional_contexts);
+    let (loader, cr) = loader_from_contexts(options.contexts.as_ref());
 
-    let rust_key =
-      vc::jsonld::signatures::bbs::bls_12381_g2_keypair::Bls12381G2KeyPair::new(Some(
-        vc::jsonld::signatures::bbs::bls_12381_g2_keypair::types::KeyPairOptions {
-          id: self.key.id.clone(),
-          controller: self.key.controller.clone(),
-          public_key_base58: self.key.public_key(),
-          private_key_base58: self.key.private_key(),
-        },
-      ));
+    let rust_key = napi_key_to_rust_key(&self.key);
 
     // Commitment/blinded not needed for counting messages — use empty placeholders.
     let bound_key = vc::jsonld::signatures::bbs::bound_keypair::BoundBls12381G2KeyPair::new(
@@ -128,12 +115,7 @@ impl BbsBlsHolderBoundSignature2022 {
     &self,
     options: BoundCreateProofOptions,
   ) -> Result<serde_json::Value> {
-    let additional_contexts = options
-      .contexts
-      .as_ref()
-      .map(|v| parse_contexts(&json!({ "contexts": v })))
-      .unwrap_or_default();
-    let (loader, cr) = create_document_loader(additional_contexts);
+    let (loader, cr) = loader_from_contexts(options.contexts.as_ref());
 
     let commitment = self
       .commitment
@@ -144,15 +126,7 @@ impl BbsBlsHolderBoundSignature2022 {
       .as_ref()
       .ok_or_else(|| napi::Error::from_reason("No blinded indices set on suite"))?;
 
-    let rust_key =
-      vc::jsonld::signatures::bbs::bls_12381_g2_keypair::Bls12381G2KeyPair::new(Some(
-        vc::jsonld::signatures::bbs::bls_12381_g2_keypair::types::KeyPairOptions {
-          id: self.key.id.clone(),
-          controller: self.key.controller.clone(),
-          public_key_base58: self.key.public_key(),
-          private_key_base58: self.key.private_key(),
-        },
-      ));
+    let rust_key = napi_key_to_rust_key(&self.key);
 
     let bound_key = vc::jsonld::signatures::bbs::bound_keypair::BoundBls12381G2KeyPair::new(
       rust_key,
@@ -189,12 +163,7 @@ impl BbsBlsHolderBoundSignature2022 {
     &self,
     options: BoundVerifyProofOptions,
   ) -> Result<serde_json::Value> {
-    let additional_contexts = options
-      .contexts
-      .as_ref()
-      .map(|v| parse_contexts(&json!({ "contexts": v })))
-      .unwrap_or_default();
-    let (loader, cr) = create_document_loader(additional_contexts);
+    let (loader, cr) = loader_from_contexts(options.contexts.as_ref());
 
     let blinding_factor = options.blinding_factor.to_vec();
     let blinded_messages: Vec<Vec<u8>> =

package/src/bls_signatures/bbs_bls_holder_bound_signature_proof_2022/mod.rs

@@ -2,7 +2,7 @@ use napi::bindgen_prelude::*;
 use serde_json::json;
 use types::{BoundDeriveProofOptions, BoundVerifyDerivedProofOptions};
 
-use crate::ld_signatures::{create_document_loader, parse_contexts};
+use crate::ld_signatures::loader_from_contexts;
 
 pub mod types;
 
@@ -27,12 +27,7 @@ impl BbsBlsHolderBoundSignatureProof2022 {
     &self,
     options: BoundDeriveProofOptions,
   ) -> Result<serde_json::Value> {
-    let additional_contexts = options
-      .contexts
-      .as_ref()
-      .map(|v| parse_contexts(&json!({ "contexts": v })))
-      .unwrap_or_default();
-    let (loader, cr) = create_document_loader(additional_contexts);
+    let (loader, cr) = loader_from_contexts(options.contexts.as_ref());
 
     let blinding_factor = options.blinding_factor.to_vec();
     let blinded_messages: Vec<Vec<u8>> =
@@ -60,12 +55,7 @@ impl BbsBlsHolderBoundSignatureProof2022 {
     &self,
     options: BoundVerifyDerivedProofOptions,
   ) -> Result<serde_json::Value> {
-    let additional_contexts = options
-      .contexts
-      .as_ref()
-      .map(|v| parse_contexts(&json!({ "contexts": v })))
-      .unwrap_or_default();
-    let (loader, cr) = create_document_loader(additional_contexts);
+    let (loader, cr) = loader_from_contexts(options.contexts.as_ref());
 
     let purpose = vc::jsonld::signatures::AssertionProofPurpose::new();
     let result = vc::jsonld::signatures::verify(&options.document, &purpose, loader, cr)

package/src/bls_signatures/bbs_bls_signature_2020/mod.rs

@@ -1,4 +1,3 @@
-#![allow(dead_code)]
 use base64::{engine::general_purpose::STANDARD, Engine as _};
 use chrono::Utc;
 use napi::bindgen_prelude::*;
@@ -11,12 +10,12 @@ use types::{
 use super::bls_12381_g2_keypair::{
   Bls12381G2KeyPair, KeyPairSigner, KeyPairSignerOptions, KeyPairVerifier, KeyPairVerifierOptions,
 };
-use crate::ld_signatures::{create_document_loader, parse_contexts};
+use crate::ld_signatures::loader_from_contexts;
 
 pub mod types;
 
 /// Convert a NAPI Bls12381G2KeyPair to a Rust core Bls12381G2KeyPair.
-fn napi_key_to_rust_key(
+pub(crate) fn napi_key_to_rust_key(
   napi_key: &Bls12381G2KeyPair,
 ) -> vc::jsonld::signatures::bbs::bls_12381_g2_keypair::Bls12381G2KeyPair {
   vc::jsonld::signatures::bbs::bls_12381_g2_keypair::Bls12381G2KeyPair::new(Some(
@@ -166,12 +165,7 @@ impl BbsBlsSignature2020 {
   /// Returns just the proof object (matching JS reference behavior).
   #[napi]
   pub async fn create_proof(&self, options: CreateProofOptions) -> Result<serde_json::Value> {
-    let additional_contexts = options
-      .contexts
-      .as_ref()
-      .map(|v| parse_contexts(&json!({ "contexts": v })))
-      .unwrap_or_default();
-    let (loader, cr) = create_document_loader(additional_contexts);
+    let (loader, cr) = loader_from_contexts(options.contexts.as_ref());
 
     let rust_key = napi_key_to_rust_key(&self.key);
     let suite = vc::jsonld::signatures::bbs::BbsBlsSignature2020::new(
@@ -200,12 +194,7 @@ impl BbsBlsSignature2020 {
   /// Returns `{ verified: boolean, error?: string }`.
   #[napi]
   pub async fn verify_proof(&self, options: VerifyProofOptions) -> Result<serde_json::Value> {
-    let additional_contexts = options
-      .contexts
-      .as_ref()
-      .map(|v| parse_contexts(&json!({ "contexts": v })))
-      .unwrap_or_default();
-    let (loader, cr) = create_document_loader(additional_contexts);
+    let (loader, cr) = loader_from_contexts(options.contexts.as_ref());
 
     let purpose = vc::jsonld::signatures::AssertionProofPurpose::new();
     let result = vc::jsonld::signatures::verify(&options.document, &purpose, loader, cr)
@@ -308,22 +297,3 @@ impl BbsBlsSignature2020 {
     Ok(verified)
   }
 }
-
-#[cfg(test)]
-mod tests {
-
-  use super::*;
-  #[test]
-  pub fn it_works() {
-    let mut j = json!({});
-
-    let Some(obj) = j.as_object_mut() else {
-      return ();
-    };
-
-    obj.insert(String::from("hello"), "there".into());
-    let _x = STANDARD.decode("hello");
-
-    println!("{j}")
-  }
-}

package/src/bls_signatures/bbs_bls_signature_2020/types.rs

@@ -1,4 +1,3 @@
-#![allow(dead_code)]
 use napi::bindgen_prelude::Uint8Array;
 
 use crate::bls_signatures::bls_12381_g2_keypair::types::KeyPairOptions;

package/src/bls_signatures/bbs_bls_signature_proof_2020/mod.rs

@@ -2,7 +2,7 @@ use napi::bindgen_prelude::*;
 use serde_json::json;
 use types::{DeriveProofOptions, VerifyDerivedProofOptions};
 
-use crate::ld_signatures::{create_document_loader, parse_contexts};
+use crate::ld_signatures::loader_from_contexts;
 
 pub mod types;
 
@@ -24,12 +24,7 @@ impl BbsBlsSignatureProof2020 {
   /// Derive a selective disclosure proof from a signed document.
   #[napi]
   pub async fn derive_proof(&self, options: DeriveProofOptions) -> Result<serde_json::Value> {
-    let additional_contexts = options
-      .contexts
-      .as_ref()
-      .map(|v| parse_contexts(&json!({ "contexts": v })))
-      .unwrap_or_default();
-    let (loader, cr) = create_document_loader(additional_contexts);
+    let (loader, cr) = loader_from_contexts(options.contexts.as_ref());
 
     let nonce = options.nonce.map(|s| s.as_bytes().to_vec());
 
@@ -52,12 +47,7 @@ impl BbsBlsSignatureProof2020 {
     &self,
     options: VerifyDerivedProofOptions,
   ) -> Result<serde_json::Value> {
-    let additional_contexts = options
-      .contexts
-      .as_ref()
-      .map(|v| parse_contexts(&json!({ "contexts": v })))
-      .unwrap_or_default();
-    let (loader, cr) = create_document_loader(additional_contexts);
+    let (loader, cr) = loader_from_contexts(options.contexts.as_ref());
 
     let purpose = vc::jsonld::signatures::AssertionProofPurpose::new();
     let result = vc::jsonld::signatures::verify(&options.document, &purpose, loader, cr)

package/src/bls_signatures/bls_12381_g2_keypair/mod.rs

@@ -58,12 +58,8 @@ impl Bls12381G2KeyPair {
         //   }
         // };
 
-        let private_key_inner = o
-          .private_key_base58
-          .map(|v| bs58::decode(v).into_vec().unwrap());
-        let public_key_inner = o
-          .public_key_base58
-          .map(|v| bs58::decode(v).into_vec().unwrap());
+        let private_key_inner = o.private_key_base58.and_then(|v| bs58::decode(v).into_vec().ok());
+        let public_key_inner = o.public_key_base58.and_then(|v| bs58::decode(v).into_vec().ok());
 
         Self {
           id: o.id,
@@ -246,13 +242,21 @@ impl Bls12381G2KeyPair {
   }
 
   #[napi(getter)]
-  pub fn public_key_buffer(&self) -> Buffer {
-    self.public_key_inner.clone().unwrap().into()
+  pub fn public_key_buffer(&self) -> Result<Buffer> {
+    self
+      .public_key_inner
+      .clone()
+      .map(|b| b.into())
+      .ok_or_else(|| napi::Error::from_reason("no public key set"))
   }
 
   #[napi(getter)]
-  pub fn private_key_buffer(&self) -> Buffer {
-    self.private_key_inner.clone().unwrap().into()
+  pub fn private_key_buffer(&self) -> Result<Buffer> {
+    self
+      .private_key_inner
+      .clone()
+      .map(|b| b.into())
+      .ok_or_else(|| napi::Error::from_reason("no private key set"))
   }
 
   #[napi]
@@ -377,12 +381,8 @@ impl Bls12381G2KeyPair {
       .ok_or(napi::Error::from_reason("public key buffer is missing"))?;
 
     let leader = hex::encode(&fingerprint_buffer[..2]);
-    let leader_match = if leader == "eb01" { true } else { false };
-    let bytes_match = if &public_key_inner == &fingerprint_buffer[2..] {
-      true
-    } else {
-      false
-    };
+    let leader_match = leader == "eb01";
+    let bytes_match = public_key_inner == fingerprint_buffer[2..];
 
     if leader_match && bytes_match {
       Ok(())

package/src/bls_signatures/bound_bls_12381_g2_keypair/mod.rs

@@ -1,4 +1,3 @@
-#![allow(dead_code)]
 use napi::bindgen_prelude::*;
 
 use super::bls_12381_g2_keypair::Bls12381G2KeyPair;
@@ -64,12 +63,12 @@ impl BoundBls12381G2KeyPair {
   }
 
   #[napi(getter)]
-  pub fn public_key_buffer(&self) -> Buffer {
+  pub fn public_key_buffer(&self) -> Result<Buffer> {
     self.inner.public_key_buffer()
   }
 
   #[napi(getter)]
-  pub fn private_key_buffer(&self) -> Buffer {
+  pub fn private_key_buffer(&self) -> Result<Buffer> {
     self.inner.private_key_buffer()
   }
 
@@ -84,6 +83,7 @@ impl BoundBls12381G2KeyPair {
   }
 
   /// Convert to a Rust core BoundBls12381G2KeyPair for use in signing.
+  #[allow(dead_code)] // Used by holder-bound suite after refactoring
   pub(crate) fn to_rust_bound_key(
     &self,
   ) -> vc::jsonld::signatures::bbs::bound_keypair::BoundBls12381G2KeyPair {