@nuggetslife/vc 0.0.23 → 0.0.25

package/demo_bbs_2023.mjs

@@ -0,0 +1,203 @@
+/**
+ * BBS-2023 Data Integrity Demo — W3C Verifiable Credentials with Selective Disclosure
+ *
+ * This demo walks through the full BBS-2023 cryptosuite lifecycle:
+ *   1. Issuer signs a JSON-LD Verifiable Credential with a DataIntegrityProof
+ *   2. Holder derives a selective disclosure proof (reveals only chosen fields)
+ *   3. Verifier checks the derived proof
+ *   4. Bonus: Blind signing with holder commitment (holder binding)
+ *
+ * BBS-2023 replaces BbsBlsSignature2020 for W3C Data Integrity proofs.
+ *
+ * Key differences from BbsBlsSignature2020:
+ *   OLD: JSON-LD framing with @explicit reveal documents, base58 key pairs,
+ *        BbsBlsSignature2020/BbsBlsSignatureProof2020 proof types,
+ *        class-based API (new BbsBlsSignature2020({key})), async operations
+ *   NEW: JSON Pointers for field selection, hex-encoded BBS keys,
+ *        single "DataIntegrityProof" type with cryptosuite "bbs-2023",
+ *        function-based API, mandatory vs selective pointer split
+ */
+
+import {
+    bbsIetfKeygen,
+    bbs2023Sign,
+    bbs2023Derive,
+    bbs2023Verify,
+    bbs2023HolderCommit,
+    bbs2023BlindSign,
+} from './index.js';
+
+function separator(title) {
+    console.log('\n' + '='.repeat(70));
+    console.log(`  ${title}`);
+    console.log('='.repeat(70) + '\n');
+}
+
+function printProof(doc) {
+    const { proof, ...rest } = doc;
+    console.log('Document (without proof):', JSON.stringify(rest, null, 2));
+    console.log('Proof:');
+    console.log('  type:', proof.type);
+    console.log('  cryptosuite:', proof.cryptosuite);
+    console.log('  proofValue:', proof.proofValue.substring(0, 60) + '...');
+    if (proof.verificationMethod) console.log('  verificationMethod:', proof.verificationMethod);
+}
+
+// ── Key Setup ────────────────────────────────────────────────────────
+
+separator('Step 0: Generate BBS Key Pair');
+
+const kp = bbsIetfKeygen();
+console.log('BBS key pair (IETF draft-irtf-cfrg-bbs-signatures):');
+console.log('  Secret key (hex, 32 bytes):', kp.secretKey.substring(0, 20) + '...');
+console.log('  Public key (hex, 96 bytes):', kp.publicKey.substring(0, 20) + '...');
+
+// ── Sample Credential ────────────────────────────────────────────────
+
+const credential = {
+    '@context': [
+        'https://www.w3.org/2018/credentials/v1',
+        {
+            // Inline context defining terms (in production, use published contexts)
+            givenName: 'http://schema.org/givenName',
+            familyName: 'http://schema.org/familyName',
+            email: 'http://schema.org/email',
+            birthDate: 'http://schema.org/birthDate',
+            alumniOf: 'http://schema.org/alumniOf',
+        },
+    ],
+    type: ['VerifiableCredential'],
+    issuer: 'did:example:issuer',
+    issuanceDate: '2025-01-01T00:00:00Z',
+    credentialSubject: {
+        id: 'did:example:alice',
+        givenName: 'Alice',
+        familyName: 'Smith',
+        email: 'alice@example.com',
+        birthDate: '1990-01-15',
+        alumniOf: 'Example University',
+    },
+};
+
+// ── 1. Sign ──────────────────────────────────────────────────────────
+
+separator('Step 1: Issuer signs the credential (base proof)');
+
+console.log('Mandatory pointers (always revealed): /issuer, /issuanceDate');
+console.log('Everything else can be selectively disclosed by the holder.\n');
+
+const signed = bbs2023Sign({
+    document: credential,
+    secretKey: kp.secretKey,
+    publicKey: kp.publicKey,
+    mandatoryPointers: ['/issuer', '/issuanceDate'],
+    verificationMethod: 'did:example:issuer#bbs-key-1',
+    proofPurpose: 'assertionMethod',
+});
+
+printProof(signed);
+
+console.log('\nCompare with old BbsBlsSignature2020:');
+console.log('  OLD: proof.type = "BbsBlsSignature2020"');
+console.log('  NEW: proof.type = "DataIntegrityProof", proof.cryptosuite = "bbs-2023"');
+
+// Verify the base proof
+const baseResult = bbs2023Verify(signed, kp.publicKey);
+console.log('\nBase proof verified:', baseResult.verified);
+
+// ── 2. Derive ────────────────────────────────────────────────────────
+
+separator('Step 2: Holder derives selective disclosure proof');
+
+console.log('Selective pointers (holder chooses to reveal): /credentialSubject/givenName');
+console.log('Hidden: familyName, email, birthDate, alumniOf\n');
+
+console.log('Compare with old BbsBlsSignature2020:');
+console.log('  OLD: revealDocument = { credentialSubject: { "@explicit": true, givenName: {} } }');
+console.log('  NEW: selectivePointers = ["/credentialSubject/givenName"]\n');
+
+const derived = bbs2023Derive({
+    document: signed,
+    selectivePointers: ['/credentialSubject/givenName'],
+});
+
+printProof(derived);
+
+console.log('\nNote: the derived proof only covers mandatory + selected fields.');
+console.log('The proof will not verify claims outside those sets.');
+console.log('In practice, the holder strips undisclosed fields before sharing.');
+
+// ── 3. Verify ────────────────────────────────────────────────────────
+
+separator('Step 3: Verifier checks the derived proof');
+
+const derivedResult = bbs2023Verify(derived, kp.publicKey);
+console.log('Derived proof verified:', derivedResult.verified);
+console.log('Error:', derivedResult.error ?? 'none');
+
+// Show what's cryptographically attested
+console.log('\nCryptographically attested fields (mandatory + selective pointers):');
+console.log('  issuer:', derived.issuer, '(mandatory)');
+console.log('  issuanceDate:', derived.issuanceDate, '(mandatory)');
+console.log('  credentialSubject.givenName:', derived.credentialSubject?.givenName, '(selective)');
+console.log('  credentialSubject.familyName: present but NOT attested by derived proof');
+console.log('  credentialSubject.email: present but NOT attested by derived proof');
+
+// Wrong key should fail
+const wrongKp = bbsIetfKeygen();
+const wrongResult = bbs2023Verify(derived, wrongKp.publicKey);
+console.log('\nVerify with wrong key:', wrongResult.verified, '(expected false)');
+
+// ── 4. Blind Signing (Holder Commitment) ─────────────────────────────
+
+separator('Step 4: Blind Signing — Holder Binding');
+
+console.log('Blind signing lets the holder commit to secret fields before the issuer signs.');
+console.log('The issuer signs without seeing the committed values.');
+console.log('This has no equivalent in BbsBlsSignature2020.\n');
+
+// 4a. Holder creates a commitment
+const commitment = bbs2023HolderCommit({
+    document: credential,
+    publicKey: kp.publicKey,
+    mandatoryPointers: ['/issuer', '/issuanceDate'],
+    committedPointers: ['/credentialSubject/email'],
+});
+
+console.log('Holder commitment:');
+console.log('  commitment (hex):', commitment.commitment.substring(0, 40) + '...');
+console.log('  blindFactor (hex):', commitment.blindFactor.substring(0, 40) + '...');
+console.log('  committedIndices:', commitment.committedIndices);
+
+// 4b. Issuer blind-signs with the commitment
+const blindSigned = bbs2023BlindSign({
+    document: credential,
+    secretKey: kp.secretKey,
+    publicKey: kp.publicKey,
+    commitment: commitment.commitment,
+    hmacKey: commitment.hmacKey,
+    committedIndices: commitment.committedIndices,
+    mandatoryPointers: ['/issuer', '/issuanceDate'],
+    verificationMethod: 'did:example:issuer#bbs-key-1',
+});
+
+console.log('\nBlind-signed proof created:', blindSigned.proof.type, blindSigned.proof.cryptosuite);
+
+// 4c. Holder derives (must include blindFactor)
+const blindDerived = bbs2023Derive({
+    document: blindSigned,
+    selectivePointers: ['/credentialSubject/givenName', '/credentialSubject/email'],
+    blindFactor: commitment.blindFactor,
+});
+
+// 4d. Verify
+const blindResult = bbs2023Verify(blindDerived, kp.publicKey);
+console.log('Blind-signed derived proof verified:', blindResult.verified);
+
+separator('Demo Complete');
+console.log('BBS-2023 provides W3C-standard selective disclosure with:');
+console.log('  - JSON Pointers instead of JSON-LD framing');
+console.log('  - DataIntegrityProof type (not BbsBlsSignature2020)');
+console.log('  - Mandatory vs selective pointer split');
+console.log('  - Blind signing for holder binding (new capability)');
+console.log('');

package/demo_bbs_ietf.mjs

@@ -0,0 +1,193 @@
+/**
+ * BBS IETF Demo — Low-Level BBS Signatures (draft-irtf-cfrg-bbs-signatures)
+ *
+ * This demo shows the raw BBS cryptographic primitives:
+ *   1. Key generation
+ *   2. Sign a set of messages
+ *   3. Verify the signature
+ *   4. Generate a selective disclosure proof (reveal only some messages)
+ *   5. Verify the proof
+ *
+ * This is the low-level layer that BBS-2023 is built on top of.
+ * Most developers will use BBS-2023 (for VCs) or SD-JWT (for plain claims)
+ * instead of calling these directly. But understanding the primitives helps.
+ *
+ * Key concepts:
+ *   - BBS signs a list of messages as a single signature
+ *   - A holder can create a zero-knowledge proof revealing only some messages
+ *   - The verifier learns nothing about hidden messages
+ *   - Two ciphersuites: SHA-256 (default) and SHAKE-256
+ */
+
+import {
+    bbsIetfKeygen,
+    bbsIetfSign,
+    bbsIetfVerify,
+    bbsIetfProofGen,
+    bbsIetfProofVerify,
+} from './index.js';
+
+function separator(title) {
+    console.log('\n' + '='.repeat(70));
+    console.log(`  ${title}`);
+    console.log('='.repeat(70) + '\n');
+}
+
+// ── 1. Key Generation ────────────────────────────────────────────────
+
+separator('Step 1: Key Generation');
+
+// Generate a random BBS key pair
+const kp = bbsIetfKeygen();
+console.log('Random BBS key pair:');
+console.log('  Secret key (32 bytes hex):', kp.secretKey);
+console.log('  Public key (96 bytes hex):', kp.publicKey.substring(0, 40) + '...');
+
+// Deterministic keygen with IKM (Input Key Material)
+const ikm = Buffer.alloc(32);
+for (let i = 0; i < 32; i++) ikm[i] = i + 1;
+const kpDet = bbsIetfKeygen(ikm);
+const kpDet2 = bbsIetfKeygen(ikm);
+console.log('\nDeterministic keygen (same IKM = same keys):');
+console.log('  Keys match:', kpDet.secretKey === kpDet2.secretKey);
+
+// ── 2. Sign Messages ────────────────────────────────────────────────
+
+separator('Step 2: Sign a Set of Messages');
+
+// BBS signs an ordered list of messages in a single operation.
+// Each message is a string; the library handles hashing to curve scalars.
+const messages = [
+    'given_name: Alice',
+    'family_name: Smith',
+    'date_of_birth: 1990-01-15',
+    'email: alice@example.com',
+    'employee_id: EMP-42',
+];
+
+console.log('Messages to sign:');
+messages.forEach((m, i) => console.log(`  [${i}] ${m}`));
+
+const sk = Buffer.from(kp.secretKey, 'hex');
+const pk = Buffer.from(kp.publicKey, 'hex');
+const header = Buffer.from('credential-context-v1');
+
+const signature = bbsIetfSign(sk, pk, header, messages, 'SHA-256');
+console.log('\nSignature (80 bytes):', signature.toString('hex').substring(0, 40) + '...');
+
+// ── 3. Verify Signature ─────────────────────────────────────────────
+
+separator('Step 3: Verify the Signature');
+
+const isValid = bbsIetfVerify(pk, signature, header, messages, 'SHA-256');
+console.log('Signature valid:', isValid);
+
+// Wrong key
+const wrongKp = bbsIetfKeygen();
+const wrongPk = Buffer.from(wrongKp.publicKey, 'hex');
+const isValidWrong = bbsIetfVerify(wrongPk, signature, header, messages, 'SHA-256');
+console.log('Wrong key valid:', isValidWrong, '(expected false)');
+
+// Tampered message
+const tampered = [...messages];
+tampered[2] = 'date_of_birth: 2000-01-01';
+const isValidTampered = bbsIetfVerify(pk, signature, header, tampered, 'SHA-256');
+console.log('Tampered message valid:', isValidTampered, '(expected false)');
+
+// ── 4. Selective Disclosure Proof ────────────────────────────────────
+
+separator('Step 4: Generate Selective Disclosure Proof');
+
+// The holder wants to prove they have a valid credential but only
+// reveal their name and employee ID (indices 0, 1, 4).
+// date_of_birth (2) and email (3) stay hidden.
+
+const disclosedIndices = [0, 1, 4];
+const presentationHeader = Buffer.from('verifier-challenge-xyz');
+
+console.log('Disclosed messages (what the verifier will see):');
+for (const idx of disclosedIndices) {
+    console.log(`  [${idx}] ${messages[idx]}`);
+}
+console.log('Hidden messages (verifier learns nothing about these):');
+for (let i = 0; i < messages.length; i++) {
+    if (!disclosedIndices.includes(i)) {
+        console.log(`  [${i}] ${messages[i]}`);
+    }
+}
+
+const proof = bbsIetfProofGen(
+    pk,
+    signature,
+    header,
+    presentationHeader,
+    messages,
+    disclosedIndices,
+    'SHA-256',
+);
+
+console.log(`\nProof generated (${proof.length} bytes)`);
+
+// ── 5. Verify Proof ─────────────────────────────────────────────────
+
+separator('Step 5: Verify the Selective Disclosure Proof');
+
+// The verifier only has: public key, proof, disclosed messages, total count
+// They do NOT have the original signature or hidden messages.
+const disclosedMessages = {};
+for (const idx of disclosedIndices) {
+    disclosedMessages[idx] = messages[idx];
+}
+
+console.log('Verifier inputs:');
+console.log('  Public key: (96 bytes)');
+console.log('  Proof: (' + proof.length + ' bytes)');
+console.log('  Disclosed messages:', JSON.stringify(disclosedMessages, null, 4));
+console.log('  Total message count:', messages.length);
+
+const proofValid = bbsIetfProofVerify(
+    pk,
+    proof,
+    header,
+    presentationHeader,
+    disclosedMessages,
+    messages.length,
+    'SHA-256',
+);
+
+console.log('\nProof valid:', proofValid);
+
+// Try with wrong disclosed message
+const wrongDisclosed = { ...disclosedMessages, 0: 'given_name: Bob' };
+const proofValidWrong = bbsIetfProofVerify(
+    pk, proof, header, presentationHeader,
+    wrongDisclosed, messages.length, 'SHA-256',
+);
+console.log('Wrong disclosed message valid:', proofValidWrong, '(expected false)');
+
+// ── 6. Ciphersuites ─────────────────────────────────────────────────
+
+separator('Step 6: Ciphersuite Comparison');
+
+console.log('Two ciphersuites available:');
+console.log('  SHA-256  — default, widely compatible');
+console.log('  SHAKE-256 — alternative hash, same security level\n');
+
+const shakekp = bbsIetfKeygen(ikm, null, 'SHAKE-256');
+const shakeSk = Buffer.from(shakekp.secretKey, 'hex');
+const shakePk = Buffer.from(shakekp.publicKey, 'hex');
+
+const shakeSig = bbsIetfSign(shakeSk, shakePk, null, ['test'], 'SHAKE-256');
+const shakeValid = bbsIetfVerify(shakePk, shakeSig, null, ['test'], 'SHAKE-256');
+console.log('SHAKE-256 sign + verify:', shakeValid);
+
+// Cross-ciphersuite: should NOT work
+const crossValid = bbsIetfVerify(shakePk, shakeSig, null, ['test'], 'SHA-256');
+console.log('SHA-256 verify of SHAKE-256 sig:', crossValid, '(expected false)');
+
+separator('Demo Complete');
+console.log('BBS IETF provides the cryptographic foundation for:');
+console.log('  - BBS-2023 Data Integrity proofs (high-level VC API)');
+console.log('  - Any application needing multi-message signatures with selective disclosure');
+console.log('  - Zero-knowledge proofs: verifier learns nothing about hidden messages');
+console.log('');

package/demo_sd_jwt.mjs

@@ -0,0 +1,148 @@
+/**
+ * SD-JWT Demo — Selective Disclosure using JSON Web Tokens
+ *
+ * This demo walks through the full SD-JWT lifecycle:
+ *   1. Issuer creates a credential with selectively-disclosable claims
+ *   2. Holder creates a presentation revealing only chosen claims
+ *   3. Verifier checks the presentation
+ *
+ * SD-JWT (RFC 9901) is a simpler alternative to BBS+ for selective disclosure.
+ * It works with standard JWTs (ES256, EdDSA, etc.) — no pairing-based crypto needed.
+ *
+ * Compare with BbsBlsSignature2020:
+ *   OLD: Requires JSON-LD framing, BLS key pairs, reveal documents, linked data suites
+ *   NEW: Plain JSON claims, standard JWK keys, just list which fields are disclosable
+ */
+
+import {
+    JoseNamedCurve,
+    generateJwk,
+    sdJwtIssue,
+    sdJwtPresent,
+    sdJwtVerify,
+} from './index.js';
+
+function separator(title) {
+    console.log('\n' + '='.repeat(70));
+    console.log(`  ${title}`);
+    console.log('='.repeat(70) + '\n');
+}
+
+// ── Key Setup ────────────────────────────────────────────────────────
+
+separator('Step 0: Generate Keys');
+
+const issuerJwk = generateJwk(JoseNamedCurve.P256);
+const { d: _issD, ...issuerPublicJwk } = issuerJwk;
+console.log('Issuer key (ES256/P-256):');
+console.log('  Public:', JSON.stringify(issuerPublicJwk));
+
+const holderJwk = generateJwk(JoseNamedCurve.P256);
+const { d: _holD, ...holderPublicJwk } = holderJwk;
+console.log('Holder key (ES256/P-256):');
+console.log('  Public:', JSON.stringify(holderPublicJwk));
+
+// ── 1. Issue ─────────────────────────────────────────────────────────
+
+separator('Step 1: Issuer creates SD-JWT credential');
+
+const claims = {
+    iss: 'https://issuer.example.com',
+    sub: 'did:example:user123',
+    given_name: 'Alice',
+    family_name: 'Smith',
+    email: 'alice@example.com',
+    birthdate: '1990-01-15',
+    nationalities: ['US', 'DE'],
+};
+
+// Mark which claims the holder can choose to reveal or hide.
+// Non-listed claims (iss, sub) are always visible.
+const disclosable = [
+    'given_name',
+    'family_name',
+    'email',
+    'birthdate',
+    'nationalities[0]',   // Individual array elements can be disclosable too
+    'nationalities[1]',
+];
+
+console.log('Claims:', JSON.stringify(claims, null, 2));
+console.log('Disclosable fields:', disclosable);
+
+const issued = sdJwtIssue(
+    claims,
+    disclosable,
+    issuerJwk,          // Issuer's private key (signs the JWT)
+    'ES256',            // Standard JWT algorithm
+    holderPublicJwk,    // Optional: bind to holder's key (Key Binding)
+    2,                  // Optional: add 2 decoy digests (privacy)
+);
+
+console.log('\nSD-JWT token (truncated):');
+console.log('  ' + issued.sdJwt.substring(0, 80) + '...');
+console.log(`\n${issued.disclosures.length} disclosures created:`);
+for (const d of issued.disclosures) {
+    const label = d.claimName || '(array element)';
+    console.log(`  - ${label}: ${JSON.stringify(d.claimValue)}`);
+}
+
+// ── 2. Present (selective disclosure) ────────────────────────────────
+
+separator('Step 2: Holder creates presentation (selective disclosure)');
+
+// The holder chooses which disclosures to reveal.
+// Here: reveal name but hide email, birthdate, and one nationality.
+const nameDisclosures = issued.disclosures.filter(
+    d => d.claimName === 'given_name' || d.claimName === 'family_name'
+);
+const usDisclosure = issued.disclosures.find(
+    d => !d.claimName && d.claimValue === 'US'
+);
+const toReveal = [...nameDisclosures, usDisclosure].filter(Boolean).map(d => d.encoded);
+
+console.log('Revealing:', nameDisclosures.map(d => d.claimName).join(', '), '+ US nationality');
+console.log('Hiding: email, birthdate, DE nationality');
+
+const presentation = sdJwtPresent(
+    issued.sdJwt,
+    toReveal,
+    holderJwk,                          // Holder's private key (for Key Binding JWT)
+    'ES256',
+    'https://verifier.example.com',     // Audience
+    'nonce-abc-123',                    // Nonce from verifier
+);
+
+console.log('\nPresentation token (truncated):');
+console.log('  ' + presentation.presentation.substring(0, 80) + '...');
+
+// ── 3. Verify ────────────────────────────────────────────────────────
+
+separator('Step 3: Verifier checks the presentation');
+
+const result = sdJwtVerify(
+    presentation.presentation,
+    issuerPublicJwk,                    // Issuer's public key
+    holderPublicJwk,                    // Holder's public key (verify Key Binding)
+    'https://verifier.example.com',     // Expected audience
+    'nonce-abc-123',                    // Expected nonce
+);
+
+console.log('Verified:', result.verified);
+console.log('Disclosed claims:', JSON.stringify(result.claims, null, 2));
+console.log('');
+
+// Show what the verifier can and cannot see
+console.log('What the verifier sees:');
+console.log('  iss:', result.claims.iss, '(always visible)');
+console.log('  sub:', result.claims.sub, '(always visible)');
+console.log('  given_name:', result.claims.given_name ?? '(hidden)');
+console.log('  family_name:', result.claims.family_name ?? '(hidden)');
+console.log('  email:', result.claims.email ?? '(hidden)');
+console.log('  birthdate:', result.claims.birthdate ?? '(hidden)');
+console.log('  nationalities:', JSON.stringify(result.claims.nationalities));
+
+separator('Demo Complete');
+console.log('SD-JWT provides selective disclosure with standard JWT infrastructure.');
+console.log('No JSON-LD, no BLS keys, no linked data suites required.');
+console.log('');