@nuggetslife/vc 0.0.21 → 0.0.24

package/test_bbs_2023.mjs

@@ -0,0 +1,195 @@
+import test from 'node:test';
+import assert from 'node:assert';
+import {
+    bbsIetfKeygen,
+    bbs2023Sign,
+    bbs2023Derive,
+    bbs2023Verify,
+} from './index.js';
+
+// =====================================================================
+// Helpers
+// =====================================================================
+
+function makeKeyPair() {
+    const kp = bbsIetfKeygen();
+    return { secretKey: kp.secretKey, publicKey: kp.publicKey };
+}
+
+function sampleCredential() {
+    return {
+        '@context': [
+            'https://www.w3.org/2018/credentials/v1',
+            {
+                name: 'http://schema.org/name',
+                age: 'http://schema.org/age',
+                email: 'http://schema.org/email',
+                alumniOf: 'http://schema.org/alumniOf',
+            },
+        ],
+        type: ['VerifiableCredential'],
+        issuer: 'did:example:issuer',
+        issuanceDate: '2024-01-01T00:00:00Z',
+        credentialSubject: {
+            id: 'did:example:user123',
+            name: 'Alice',
+            age: 30,
+            email: 'alice@example.com',
+            alumniOf: 'Example University',
+        },
+    };
+}
+
+// =====================================================================
+// BBS-2023 Round-Trip: Sign → Verify Base Proof
+// =====================================================================
+
+test('bbs-2023: sign and verify base proof', () => {
+    const kp = makeKeyPair();
+    const doc = sampleCredential();
+
+    const signed = bbs2023Sign({
+        document: doc,
+        secretKey: kp.secretKey,
+        publicKey: kp.publicKey,
+        mandatoryPointers: ['/issuer', '/issuanceDate'],
+        verificationMethod: 'did:example:issuer#bbs-key-1',
+        proofPurpose: 'assertionMethod',
+    });
+
+    assert.ok(signed.proof, 'signed document has proof');
+    assert.equal(signed.proof.type, 'DataIntegrityProof');
+    assert.equal(signed.proof.cryptosuite, 'bbs-2023');
+    assert.ok(signed.proof.proofValue.startsWith('u'), 'proofValue starts with multibase u');
+
+    // Verify
+    const result = bbs2023Verify(signed, kp.publicKey);
+    assert.ok(result.verified, 'base proof verified');
+    assert.equal(result.error, null);
+});
+
+// =====================================================================
+// BBS-2023 Full Round-Trip: Sign → Derive → Verify
+// =====================================================================
+
+test('bbs-2023: sign → derive → verify round-trip', () => {
+    const kp = makeKeyPair();
+    const doc = sampleCredential();
+
+    // Issuer signs
+    const signed = bbs2023Sign({
+        document: doc,
+        secretKey: kp.secretKey,
+        publicKey: kp.publicKey,
+        mandatoryPointers: ['/issuer', '/issuanceDate'],
+    });
+
+    // Holder derives selective disclosure
+    const derived = bbs2023Derive({
+        document: signed,
+        selectivePointers: ['/credentialSubject/name'],
+    });
+
+    assert.ok(derived.proof, 'derived document has proof');
+    assert.equal(derived.proof.cryptosuite, 'bbs-2023');
+
+    // Verifier verifies
+    const result = bbs2023Verify(derived, kp.publicKey);
+    assert.ok(result.verified, 'derived proof verified');
+    assert.equal(result.error, null);
+});
+
+// =====================================================================
+// Wrong Key Rejection
+// =====================================================================
+
+test('bbs-2023: verification fails with wrong key', () => {
+    const kp = makeKeyPair();
+    const wrongKp = makeKeyPair();
+    const doc = sampleCredential();
+
+    const signed = bbs2023Sign({
+        document: doc,
+        secretKey: kp.secretKey,
+        publicKey: kp.publicKey,
+        mandatoryPointers: ['/issuer'],
+    });
+
+    const result = bbs2023Verify(signed, wrongKp.publicKey);
+    assert.equal(result.verified, false, 'should not verify with wrong key');
+});
+
+// =====================================================================
+// Mandatory-Only (No Selective Disclosure)
+// =====================================================================
+
+test('bbs-2023: derive with no selective pointers', () => {
+    const kp = makeKeyPair();
+    const doc = sampleCredential();
+
+    const signed = bbs2023Sign({
+        document: doc,
+        secretKey: kp.secretKey,
+        publicKey: kp.publicKey,
+        mandatoryPointers: ['/issuer', '/issuanceDate'],
+    });
+
+    // Derive with no selective pointers — only mandatory fields disclosed
+    const derived = bbs2023Derive({
+        document: signed,
+        selectivePointers: [],
+    });
+
+    const result = bbs2023Verify(derived, kp.publicKey);
+    assert.ok(result.verified, 'mandatory-only derived proof verified');
+});
+
+// =====================================================================
+// All Fields Selective
+// =====================================================================
+
+test('bbs-2023: derive revealing all fields', () => {
+    const kp = makeKeyPair();
+    const doc = sampleCredential();
+
+    const signed = bbs2023Sign({
+        document: doc,
+        secretKey: kp.secretKey,
+        publicKey: kp.publicKey,
+        mandatoryPointers: ['/issuer'],
+    });
+
+    // Reveal everything that's non-mandatory
+    const derived = bbs2023Derive({
+        document: signed,
+        selectivePointers: [
+            '/credentialSubject/name',
+            '/credentialSubject/age',
+            '/credentialSubject/email',
+            '/credentialSubject/alumniOf',
+            '/issuanceDate',
+        ],
+    });
+
+    const result = bbs2023Verify(derived, kp.publicKey);
+    assert.ok(result.verified, 'all-selective derived proof verified');
+});
+
+// =====================================================================
+// No Mandatory Pointers
+// =====================================================================
+
+test('bbs-2023: sign with no mandatory pointers', () => {
+    const kp = makeKeyPair();
+    const doc = sampleCredential();
+
+    const signed = bbs2023Sign({
+        document: doc,
+        secretKey: kp.secretKey,
+        publicKey: kp.publicKey,
+        mandatoryPointers: [],
+    });
+
+    const result = bbs2023Verify(signed, kp.publicKey);
+    assert.ok(result.verified, 'base proof with no mandatory pointers verified');
+});

package/test_bbs_ietf.mjs

@@ -0,0 +1,168 @@
+import test from 'node:test';
+import assert from 'node:assert';
+import {
+    bbsIetfKeygen,
+    bbsIetfSign,
+    bbsIetfVerify,
+    bbsIetfProofGen,
+    bbsIetfProofVerify,
+} from './index.js';
+
+// =====================================================================
+// Helper
+// =====================================================================
+
+function makeKeyPair(ciphersuite) {
+    // Generate a 32-byte IKM
+    const ikm = Buffer.alloc(32);
+    for (let i = 0; i < 32; i++) ikm[i] = i + 1;
+
+    const kp = bbsIetfKeygen(ikm, null, ciphersuite);
+    return {
+        secretKey: Buffer.from(kp.secretKey, 'hex'),
+        publicKey: Buffer.from(kp.publicKey, 'hex'),
+    };
+}
+
+// =====================================================================
+// KeyGen Tests
+// =====================================================================
+
+test('BBS IETF keygen produces deterministic keys', () => {
+    const ikm = Buffer.alloc(32, 42);
+    const kp1 = bbsIetfKeygen(ikm);
+    const kp2 = bbsIetfKeygen(ikm);
+    assert.equal(kp1.secretKey, kp2.secretKey, 'same IKM -> same SK');
+    assert.equal(kp1.publicKey, kp2.publicKey, 'same IKM -> same PK');
+});
+
+test('BBS IETF keygen with random IKM', () => {
+    const kp = bbsIetfKeygen();
+    assert.ok(kp.secretKey, 'SK is present');
+    assert.ok(kp.publicKey, 'PK is present');
+    assert.equal(kp.secretKey.length, 64, 'SK is 32 bytes hex');
+    assert.equal(kp.publicKey.length, 192, 'PK is 96 bytes hex');
+});
+
+// =====================================================================
+// Sign / Verify Round-Trip (SHA-256)
+// =====================================================================
+
+test('BBS IETF sign/verify round-trip (SHA-256)', () => {
+    const kp = makeKeyPair('SHA-256');
+    const messages = ['message1', 'message2', 'message3'];
+    const header = Buffer.from('test-header');
+
+    const signature = bbsIetfSign(kp.secretKey, kp.publicKey, header, messages, 'SHA-256');
+    assert.equal(signature.length, 80, 'signature is 80 bytes');
+
+    const verified = bbsIetfVerify(kp.publicKey, signature, header, messages, 'SHA-256');
+    assert.ok(verified, 'valid signature verifies');
+});
+
+// =====================================================================
+// Sign / Verify Round-Trip (SHAKE-256)
+// =====================================================================
+
+test('BBS IETF sign/verify round-trip (SHAKE-256)', () => {
+    const ikm = Buffer.alloc(32, 99);
+    const kp = bbsIetfKeygen(ikm, null, 'SHAKE-256');
+    const sk = Buffer.from(kp.secretKey, 'hex');
+    const pk = Buffer.from(kp.publicKey, 'hex');
+
+    const messages = ['hello', 'world'];
+    const signature = bbsIetfSign(sk, pk, null, messages, 'SHAKE-256');
+    assert.equal(signature.length, 80);
+
+    const verified = bbsIetfVerify(pk, signature, null, messages, 'SHAKE-256');
+    assert.ok(verified, 'SHAKE-256 signature verifies');
+});
+
+// =====================================================================
+// Wrong Key Rejection
+// =====================================================================
+
+test('BBS IETF wrong key rejected', () => {
+    const kp1 = makeKeyPair('SHA-256');
+    const kp2Raw = bbsIetfKeygen(); // different key (random IKM)
+    const kp2 = {
+        secretKey: Buffer.from(kp2Raw.secretKey, 'hex'),
+        publicKey: Buffer.from(kp2Raw.publicKey, 'hex'),
+    };
+
+    const messages = ['msg1', 'msg2'];
+    const signature = bbsIetfSign(kp1.secretKey, kp1.publicKey, null, messages, 'SHA-256');
+
+    const verified = bbsIetfVerify(kp2.publicKey, signature, null, messages, 'SHA-256');
+    assert.ok(!verified, 'wrong key should not verify');
+});
+
+// =====================================================================
+// Selective Disclosure (ProofGen -> ProofVerify)
+// =====================================================================
+
+test('BBS IETF selective disclosure proof', () => {
+    const kp = makeKeyPair('SHA-256');
+    const messages = ['claim-a', 'claim-b', 'claim-c', 'claim-d'];
+    const header = Buffer.from('proof-header');
+    const ph = Buffer.from('presentation-header');
+
+    // Sign all messages
+    const signature = bbsIetfSign(kp.secretKey, kp.publicKey, header, messages, 'SHA-256');
+
+    // Generate proof disclosing messages at indices 0 and 2
+    const disclosedIndices = [0, 2];
+    const proof = bbsIetfProofGen(
+        kp.publicKey, signature, header, ph, messages, disclosedIndices, 'SHA-256'
+    );
+    assert.ok(proof.length > 0, 'proof generated');
+
+    // Build disclosed messages map
+    const disclosedMessages = {};
+    for (const idx of disclosedIndices) {
+        disclosedMessages[idx] = messages[idx];
+    }
+
+    // Verify proof
+    const verified = bbsIetfProofVerify(
+        kp.publicKey, proof, header, ph, disclosedMessages, messages.length, 'SHA-256'
+    );
+    assert.ok(verified, 'proof verifies with correct disclosed messages');
+});
+
+// =====================================================================
+// Proof with wrong disclosed message
+// =====================================================================
+
+test('BBS IETF proof rejects wrong disclosed message', () => {
+    const kp = makeKeyPair('SHA-256');
+    const messages = ['msg0', 'msg1', 'msg2'];
+    const header = Buffer.from('h');
+
+    const signature = bbsIetfSign(kp.secretKey, kp.publicKey, header, messages, 'SHA-256');
+
+    const proof = bbsIetfProofGen(
+        kp.publicKey, signature, header, null, messages, [1], 'SHA-256'
+    );
+
+    // Provide wrong message for disclosed index
+    const verified = bbsIetfProofVerify(
+        kp.publicKey, proof, header, null, { 1: 'wrong-message' }, messages.length, 'SHA-256'
+    );
+    assert.ok(!verified, 'wrong disclosed message should not verify');
+});
+
+// =====================================================================
+// Cross-ciphersuite: SHA-256 vs SHAKE-256
+// =====================================================================
+
+test('BBS IETF cross-ciphersuite: SHA-256 sig not verifiable with SHAKE-256', () => {
+    const kp = makeKeyPair('SHA-256');
+    const messages = ['test'];
+
+    const signature = bbsIetfSign(kp.secretKey, kp.publicKey, null, messages, 'SHA-256');
+
+    // Try verifying with SHAKE-256 — should fail
+    const verified = bbsIetfVerify(kp.publicKey, signature, null, messages, 'SHAKE-256');
+    assert.ok(!verified, 'SHA-256 signature should not verify under SHAKE-256');
+});

package/test_fuzz.mjs

@@ -0,0 +1,202 @@
+import { strict as assert } from 'assert';
+
+// Import NAPI bindings - matching patterns from test.mjs and test_jose.mjs
+import {
+  JsonLd,
+  BbsBlsSignature2020,
+  BbsBlsSignatureProof2020,
+  Bls12381G2KeyPair,
+  generateJwk,
+  generateKeyPair,
+  generalEncryptJson,
+  decryptJson,
+  compactSignJson,
+  compactJsonVerify,
+  flattenedSignJson,
+  jsonVerify,
+  JoseNamedCurve,
+  JoseKeyEncryption,
+  JoseContentEncryption,
+  JoseSigningAlgorithm,
+} from './index.js';
+
+let passed = 0;
+let failed = 0;
+
+async function test(name, fn) {
+  try {
+    await fn();
+    passed++;
+    console.log(`  PASS: ${name}`);
+  } catch (e) {
+    failed++;
+    console.log(`  FAIL: ${name}`);
+    console.log(`    ${e.message}`);
+  }
+}
+
+function randomJson(depth = 0) {
+  if (depth > 3) return Math.random().toString(36);
+  const type = Math.floor(Math.random() * 5);
+  switch (type) {
+    case 0: return null;
+    case 1: return Math.random() * 1000 - 500;
+    case 2: return Math.random().toString(36).substring(2);
+    case 3: {
+      const arr = [];
+      for (let i = 0; i < Math.floor(Math.random() * 4); i++) arr.push(randomJson(depth + 1));
+      return arr;
+    }
+    case 4: {
+      const obj = {};
+      for (let i = 0; i < Math.floor(Math.random() * 4); i++) {
+        obj[Math.random().toString(36).substring(2, 7)] = randomJson(depth + 1);
+      }
+      return obj;
+    }
+  }
+}
+
+console.log('\n=== NAPI Fuzz Tests ===\n');
+
+// Category 1: Random JSON to JsonLd operations (should not crash)
+console.log('--- JSON-LD with random inputs ---');
+for (let i = 0; i < 20; i++) {
+  await test(`JsonLd.expand random input #${i}`, async () => {
+    const jsonld = new JsonLd();
+    try {
+      await jsonld.expand(randomJson());
+    } catch (e) {
+      // Errors are fine, crashes are not
+      assert.ok(e instanceof Error, 'should throw Error, not crash');
+    }
+  });
+}
+
+for (let i = 0; i < 10; i++) {
+  await test(`JsonLd.compact random input #${i}`, async () => {
+    const jsonld = new JsonLd();
+    try {
+      await jsonld.compact(randomJson(), randomJson());
+    } catch (e) {
+      assert.ok(e instanceof Error);
+    }
+  });
+}
+
+for (let i = 0; i < 10; i++) {
+  await test(`JsonLd.frame random input #${i}`, async () => {
+    const jsonld = new JsonLd();
+    try {
+      await jsonld.frame(randomJson(), randomJson());
+    } catch (e) {
+      assert.ok(e instanceof Error);
+    }
+  });
+}
+
+// Category 2: Invalid key pairs to BBS operations
+console.log('\n--- BBS with invalid inputs ---');
+
+await test('BbsBlsSignature2020.createProof with no key (verifier-only)', async () => {
+  try {
+    const suite = new BbsBlsSignature2020();
+    await suite.createProof({ document: {}, contexts: {} });
+  } catch (e) {
+    assert.ok(e instanceof Error);
+  }
+});
+
+await test('BbsBlsSignature2020.verifyProof with random proof', async () => {
+  try {
+    const suite = new BbsBlsSignature2020();
+    await suite.verifyProof({ document: randomJson(), contexts: {} });
+  } catch (e) {
+    assert.ok(e instanceof Error);
+  }
+});
+
+// Category 3: Empty/null/undefined arguments
+console.log('\n--- Null/undefined arguments ---');
+
+await test('JsonLd.expand with null', async () => {
+  const jsonld = new JsonLd();
+  try { await jsonld.expand(null); } catch (e) { assert.ok(e instanceof Error); }
+});
+
+await test('JsonLd.expand with undefined', async () => {
+  const jsonld = new JsonLd();
+  try { await jsonld.expand(undefined); } catch (e) { assert.ok(e instanceof Error); }
+});
+
+await test('JsonLd.compact with null context', async () => {
+  const jsonld = new JsonLd();
+  try { await jsonld.compact({}, null); } catch (e) { assert.ok(e instanceof Error); }
+});
+
+await test('generateJwk with invalid enum value', async () => {
+  try { generateJwk(999); } catch (e) { assert.ok(e instanceof Error); }
+});
+
+// Category 4: JOSE with random inputs
+console.log('\n--- JOSE with random inputs ---');
+
+await test('compactSignJson with random payload', async () => {
+  try {
+    const key = generateJwk(JoseNamedCurve.P256);
+    compactSignJson(JoseSigningAlgorithm.Es256, randomJson(), key);
+  } catch (e) {
+    assert.ok(e instanceof Error);
+  }
+});
+
+await test('compactJsonVerify with random JWS string', async () => {
+  try {
+    const key = generateJwk(JoseNamedCurve.P256);
+    compactJsonVerify('not.a.jws', key);
+  } catch (e) {
+    assert.ok(e instanceof Error);
+  }
+});
+
+await test('decryptJson with random JWE', async () => {
+  try {
+    const key = generateJwk(JoseNamedCurve.X25519);
+    decryptJson(randomJson(), key);
+  } catch (e) {
+    assert.ok(e instanceof Error);
+  }
+});
+
+// Category 5: Concurrent calls
+console.log('\n--- Concurrent operations ---');
+
+await test('50 concurrent JsonLd.expand calls', async () => {
+  const jsonld = new JsonLd();
+  const doc = {"@context": {"name": "http://schema.org/name"}, "name": "test"};
+  const promises = Array.from({length: 50}, () => jsonld.expand(doc).catch(() => null));
+  const results = await Promise.all(promises);
+  // All should succeed or gracefully fail
+  assert.ok(results.length === 50);
+});
+
+await test('50 concurrent JOSE sign operations', async () => {
+  const key = generateJwk(JoseNamedCurve.P256);
+  const payload = {sub: "test", iat: Date.now()};
+  const results = [];
+  for (let i = 0; i < 50; i++) {
+    try {
+      results.push(compactSignJson(JoseSigningAlgorithm.Es256, payload, key));
+    } catch (e) {
+      results.push(null);
+    }
+  }
+  assert.ok(results.length === 50);
+  // All should have succeeded
+  const successes = results.filter(r => r !== null);
+  assert.ok(successes.length === 50, `Expected 50 successes, got ${successes.length}`);
+});
+
+// Summary
+console.log(`\n=== Results: ${passed} passed, ${failed} failed out of ${passed + failed} ===`);
+if (failed > 0) process.exit(1);