@nuggetslife/vc 0.0.6 → 0.0.8

package/Cargo.toml

@@ -10,6 +10,7 @@ crate-type = ["cdylib"]
 # Default enable napi4 feature, see https://nodejs.org/api/n-api.html#node-api-version-matrix
 base64 = "0.22.1"
 bs58 = "0.5.1"
+hex = "0.4.3"
 # Default enable napi4 feature, see https://nodejs.org/api/n-api.html#node-api-version-matrix
 napi = { version = "2.12.2", default-features = false, features = ["napi4", "tokio_rt"] }
 napi-derive = "2.12.2"

package/index.d.ts

@@ -9,11 +9,91 @@ export interface KeyPairOptions {
   privateKeyBase58?: string
   publicKeyBase58?: string
 }
+export interface JwkKeyPairOptions {
+  id?: string
+  controller?: string
+  privateKeyJwk?: JsonWebKey
+  publicKeyJwk?: JsonWebKey
+}
+export interface FingerPrintFromPublicKeyOptions {
+  publicKeyBase58: string
+}
+export interface KeyPairFromFingerPrintOptions {
+  id?: string
+  controller?: string
+  fingerprint: string
+}
+export interface JsonWebKey {
+  /**
+   * Indicates the key type used
+   * For BLS12381_G1 and BLS12381_G2 the string "EC" MUST be used
+   * @see https://tools.ietf.org/html/rfc7517#section-4.1
+   *
+   */
+  kty: string
+  /**
+   * Indicates the curve this key is associated with
+   * In the case of BLS12-381, the curve will also indicate if it's a G1 or G2 point
+   * For a G1 point, use the string "BLS12381_G1"
+   * For a G2 point, use the string "BLS12381_G2"
+   */
+  crv: string
+  /**
+   * This is a compression of the public key point
+   * For a G1 public key, X is a 384bit base64url encoding of the octet string representation of the coordinate
+   * For a G2 public key, X is a 768bit made up of the concatenation of two 384 bit x coordinates known as
+   * x_a and x_b in the following form (x_a || x_b) as a base64url encoding of the octet string representation of the two coordinates
+   *
+   */
+  x: string
+  /** @see https://tools.ietf.org/html/rfc7517#section-4.2 */
+  use?: string
+  /**
+   * @see https://tools.ietf.org/html/rfc7517#section-4.3
+   *
+   */
+  keyOps?: Array<string>
+  /**
+   * @see https://tools.ietf.org/html/rfc7517#section-4.4
+   *
+   */
+  alg?: string
+  /**
+   * @see https://tools.ietf.org/html/rfc7517#section-4.5
+   * TODO: Add note about referencing did-jose-extensions when ready
+   *
+   */
+  kid?: string
+  /**
+   * IMPORTANT NOTE: d represents the private key value and should not be shared
+   * IT IS HIGHLY SENSITIVE DATA AND IF NOT SECURED PROPERLY CONSIDER THE KEY COMPROMISED
+   * @see https://tools.ietf.org/html/rfc7517#section-9.2
+   *
+   */
+  d?: string
+  /**
+   * This coordinate is not used for BLS Keys, but is kept here to make the interface more standard
+   *
+   */
+  y?: string
+  /**
+   * @see https://www.w3.org/TR/WebCryptoAPI/#cryptokey-interface-members
+   *
+   */
+  ext?: boolean
+}
 export interface GenerateKeyPairOptions {
   id?: string
   controller?: string
   seed?: Buffer
 }
+export interface KeyPairSignerOptions {
+  data: Array<Uint8Array>
+}
+export interface KeyPairVerifierOptions {
+  data: Array<Uint8Array>
+  signature: Uint8Array
+}
 export class Bls12381G2KeyPair {
   id?: string
   controller?: string
@@ -23,6 +103,21 @@ export class Bls12381G2KeyPair {
   constructor(options?: KeyPairOptions | undefined | null)
   static generate(options?: GenerateKeyPairOptions | undefined | null): Promise<Bls12381G2KeyPair>
   static from(options: KeyPairOptions): Promise<Bls12381G2KeyPair>
+  static fromJwk(options: JwkKeyPairOptions): Promise<Bls12381G2KeyPair>
+  static fromFingerprint(options: KeyPairFromFingerPrintOptions): Promise<Bls12381G2KeyPair>
   get publicKey(): string | null
+  publicKeyJwk(): JsonWebKey
   get privateKey(): string | null
+  privateKeyJwk(): JsonWebKey
+  signer(): KeyPairSigner
+  verifier(): KeyPairVerifier
+  fingerprint(): string
+  static fingerprintFromPublicKey(options: FingerPrintFromPublicKeyOptions): string
+  verifyFingerprint(fingerprint: string): void
+}
+export class KeyPairSigner {
+  sign(options: KeyPairSignerOptions): Promise<Uint8Array>
+}
+export class KeyPairVerifier {
+  verify(options: KeyPairVerifierOptions): Promise<boolean>
 }

package/index.js

@@ -310,6 +310,8 @@ if (!nativeBinding) {
   throw new Error(`Failed to load native binding`)
 }
 
-const { Bls12381G2KeyPair } = nativeBinding
+const { Bls12381G2KeyPair, KeyPairSigner, KeyPairVerifier } = nativeBinding
 
 module.exports.Bls12381G2KeyPair = Bls12381G2KeyPair
+module.exports.KeyPairSigner = KeyPairSigner
+module.exports.KeyPairVerifier = KeyPairVerifier

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nuggetslife/vc",
-  "version": "0.0.6",
+  "version": "0.0.8",
   "main": "index.js",
   "types": "index.d.ts",
   "napi": {
@@ -38,6 +38,6 @@
   },
   "packageManager": "yarn@4.3.1",
   "optionalDependencies": {
-    "@nuggetslife/vc-darwin-arm64": "0.0.6"
+    "@nuggetslife/vc-darwin-arm64": "0.0.8"
   }
 }

package/src/lib.rs

@@ -3,34 +3,23 @@
 #[macro_use]
 extern crate napi_derive;
 
-// use base64::{engine::general_purpose::STANDARD, Engine as _};
+use base64::{
+  engine::general_purpose::URL_SAFE, engine::general_purpose::URL_SAFE_NO_PAD, Engine as _,
+};
 use napi::bindgen_prelude::*;
-use vc::bbs_signatures::bls12381::bls_generate_g2_key;
+use types::{
+  Bls12381G2KeyPair, BlsCurveName, FingerPrintFromPublicKeyOptions, GenerateKeyPairOptions,
+  JsonWebKey, JwkKeyPairOptions, JwkKty, KeyPairFromFingerPrintOptions, KeyPairOptions,
+};
+use validators::{assert_bls_12381_g2_private_jwk, assert_bls_12381_g2_public_jwk};
+use vc::bbs_signatures::bls12381::{
+  bls_generate_g2_key, bls_sign, bls_verify, BlsBbsSignRequest, BlsBbsVerifyRequest, BlsKeyPair,
+  BLS12381G2_MULTICODEC_IDENTIFIER, DEFAULT_BLS12381_G2_PUBLIC_KEY_LENGTH,
+  MULTIBASE_ENCODED_BASE58_IDENTIFIER, VARIABLE_INTEGER_TRAILING_BYTE,
+};
 
-#[napi]
-pub struct Bls12381G2KeyPair {
-  pub id: Option<String>,
-  pub controller: Option<String>,
-  pub private_key_buffer: Option<Vec<u8>>,
-  pub public_key_buffer: Option<Vec<u8>>,
-  #[napi(js_name = "type")]
-  pub type_: String,
-}
-
-#[napi(object)]
-pub struct KeyPairOptions {
-  pub id: Option<String>,
-  pub controller: Option<String>,
-  pub private_key_base58: Option<String>,
-  pub public_key_base58: Option<String>,
-}
-
-#[napi(object)]
-pub struct GenerateKeyPairOptions {
-  pub id: Option<String>,
-  pub controller: Option<String>,
-  pub seed: Option<Buffer>,
-}
+pub mod types;
+pub mod validators;
 
 #[napi]
 impl Bls12381G2KeyPair {
@@ -126,6 +115,127 @@ impl Bls12381G2KeyPair {
     Bls12381G2KeyPair::new(Some(options)).await
   }
 
+  #[napi(factory)]
+  pub async fn from_jwk(options: JwkKeyPairOptions) -> Result<Bls12381G2KeyPair> {
+    let JwkKeyPairOptions {
+      id,
+      controller,
+      private_key_jwk,
+      public_key_jwk,
+    } = options;
+
+    if let Some(jwk) = private_key_jwk {
+      assert_bls_12381_g2_private_jwk(&jwk)?;
+      let public_key_base58 = Some(convert_base64_url_to_base58(jwk.x)?);
+      let d = jwk
+        .d
+        .ok_or(napi::Error::from_reason("jwk.d value is none"))?;
+      let private_key_base58 = Some(convert_base64_url_to_base58(d)?);
+
+      let kp = Bls12381G2KeyPair::new(Some(KeyPairOptions {
+        id,
+        controller,
+        public_key_base58,
+        private_key_base58,
+      }))
+      .await;
+
+      Ok(kp)
+    } else if let Some(jwk) = public_key_jwk {
+      assert_bls_12381_g2_public_jwk(&jwk)?;
+      let public_key_base58 = Some(convert_base64_url_to_base58(jwk.x)?);
+      let kp = Bls12381G2KeyPair::new(Some(KeyPairOptions {
+        id,
+        controller,
+        public_key_base58,
+        private_key_base58: None,
+      }))
+      .await;
+
+      Ok(kp)
+    } else {
+      Err(napi::Error::from_reason("The JWK provided is not a valid"))
+    }
+  }
+
+  #[napi(factory)]
+  pub async fn from_fingerprint(
+    options: KeyPairFromFingerPrintOptions,
+  ) -> Result<Bls12381G2KeyPair> {
+    let KeyPairFromFingerPrintOptions {
+      id,
+      controller,
+      fingerprint,
+    } = options;
+    let mut chars = fingerprint.chars();
+    let head = chars
+      .next()
+      .ok_or(napi::Error::from_reason("fingerprint string is empty"))?
+      .to_string();
+
+    if head != MULTIBASE_ENCODED_BASE58_IDENTIFIER {
+      return Err(napi::Error::from_reason(
+      format!("Unsupported fingerprint type: expected first character to be `z` indicating base58 encoding, received {head}")
+    ));
+    };
+
+    let rest = chars.collect::<String>();
+    let buffer = bs58::decode(rest).into_vec().map_err(|err| {
+      napi::Error::from_reason(format!(
+        "failed to decode bs58 fingerprint to bytes. error: {err}"
+      ))
+    })?;
+
+    if buffer.len() != BLS12381G2_MULTICODEC_IDENTIFIER as usize {
+      return Err(napi::Error::from_reason(
+      format!("Unsupported public key length: expected `${DEFAULT_BLS12381_G2_PUBLIC_KEY_LENGTH}` received {}", buffer.len())
+    ));
+    }
+
+    if buffer[0] != DEFAULT_BLS12381_G2_PUBLIC_KEY_LENGTH {
+      return Err(napi::Error::from_reason(
+      format!("Unsupported public key identifier: expected second character to be {BLS12381G2_MULTICODEC_IDENTIFIER} indicating BLS12381G2 key pair, received  {}", buffer[0])
+    ));
+    }
+
+    if buffer[1] != VARIABLE_INTEGER_TRAILING_BYTE {
+      return Err(napi::Error::from_reason(
+      format!("Missing variable integer trailing byte: expected third character to be {BLS12381G2_MULTICODEC_IDENTIFIER} indicating BLS12381G2 key pair, received  {}", buffer[1])
+    ));
+    }
+
+    let pubkey_base58 = bs58::encode(buffer).into_string();
+    let opts = FingerPrintFromPublicKeyOptions {
+      public_key_base58: pubkey_base58.clone(),
+    };
+    let fingerprint = Bls12381G2KeyPair::fingerprint_from_public_key(opts).map_err(|err| {
+      napi::Error::from_reason(format!("fingerprint_from_public_key failed. error: {err}"))
+    })?;
+    let mapped_controller = match controller {
+      Some(v) => v,
+      None => {
+        format!("did:key:{fingerprint}",)
+      }
+    };
+
+    let mapped_id = match id {
+      Some(v) => v,
+      None => {
+        format!("#{fingerprint}",)
+      }
+    };
+
+    let kp = Bls12381G2KeyPair::new(Some(KeyPairOptions {
+      id: Some(mapped_id),
+      controller: Some(mapped_controller),
+      public_key_base58: Some(pubkey_base58),
+      private_key_base58: None,
+    }))
+    .await;
+
+    Ok(kp)
+  }
+
   #[napi(getter)]
   pub fn public_key(&self) -> Option<String> {
     self
@@ -134,6 +244,26 @@ impl Bls12381G2KeyPair {
       .map(|b| bs58::encode(b).into_string())
   }
 
+  #[napi]
+  pub fn public_key_jwk(&self) -> Result<JsonWebKey> {
+    let Some(ref public_key_buffer) = self.public_key_buffer else {
+      return Err(napi::Error::from_reason("no public_key_buffer"));
+    };
+
+    Ok(JsonWebKey {
+      kid: self.id.to_owned(),
+      kty: JwkKty::EC.into(),
+      crv: BlsCurveName::G2.into(),
+      x: URL_SAFE_NO_PAD.encode(public_key_buffer),
+      use_: None,
+      key_ops: None,
+      alg: None,
+      d: None,
+      y: None,
+      ext: None,
+    })
+  }
+
   #[napi(getter)]
   pub fn private_key(&self) -> Option<String> {
     self
@@ -141,6 +271,188 @@ impl Bls12381G2KeyPair {
       .clone()
       .map(|b| bs58::encode(b).into_string())
   }
+
+  #[napi]
+  pub fn private_key_jwk(&self) -> Result<JsonWebKey> {
+    let Some(ref public_key_buffer) = self.public_key_buffer else {
+      return Err(napi::Error::from_reason("no public_key_buffer"));
+    };
+
+    let Some(ref private_key_buffer) = self.private_key_buffer else {
+      return Err(napi::Error::from_reason("no private_key_buffer"));
+    };
+
+    Ok(JsonWebKey {
+      kid: self.id.to_owned(),
+      kty: JwkKty::EC.into(),
+      crv: BlsCurveName::G2.into(),
+      x: URL_SAFE_NO_PAD.encode(public_key_buffer),
+      d: Some(URL_SAFE_NO_PAD.encode(private_key_buffer)),
+      use_: None,
+      key_ops: None,
+      alg: None,
+      y: None,
+      ext: None,
+    })
+  }
+
+  #[napi]
+  pub fn signer(&self) -> KeyPairSigner {
+    KeyPairSigner { key: self.clone() }
+  }
+
+  #[napi]
+  pub fn verifier(&self) -> KeyPairVerifier {
+    KeyPairVerifier { key: self.clone() }
+  }
+
+  #[napi]
+  pub fn fingerprint(&self) -> Result<String> {
+    let Some(public_key_base58) = self.public_key() else {
+      return Err(napi::Error::from_reason("no public key"));
+    };
+    Bls12381G2KeyPair::fingerprint_from_public_key(FingerPrintFromPublicKeyOptions {
+      public_key_base58,
+    })
+  }
+
+  #[napi]
+  pub fn fingerprint_from_public_key(options: FingerPrintFromPublicKeyOptions) -> Result<String> {
+    let FingerPrintFromPublicKeyOptions { public_key_base58 } = options;
+    let mut key_bytes = bs58::decode(public_key_base58).into_vec().map_err(|err| {
+      napi::Error::from_reason(format!(
+        "failed to decode public_key_base58 value. error: {err}"
+      ))
+    })?;
+
+    let mut buffer = vec![
+      BLS12381G2_MULTICODEC_IDENTIFIER,
+      VARIABLE_INTEGER_TRAILING_BYTE,
+    ];
+    buffer.append(&mut key_bytes);
+
+    Ok(format!(
+      "{}{}",
+      MULTIBASE_ENCODED_BASE58_IDENTIFIER,
+      bs58::encode(buffer).into_string()
+    ))
+  }
+
+  #[napi]
+  pub fn verify_fingerprint(&self, fingerprint: String) -> Result<()> {
+    // fingerprint should have `z` prefix indicating
+    // that it's multi-base encoded
+    let mut chars = fingerprint.chars();
+    let head = chars
+      .next()
+      .ok_or(napi::Error::from_reason("fingerprint string is empty"))?
+      .to_string();
+
+    let rest = chars.collect::<String>();
+
+    if head != MULTIBASE_ENCODED_BASE58_IDENTIFIER {
+      return Err(napi::Error::from_reason(
+        "`fingerprint` must be a multibase encoded string.",
+      ));
+    };
+
+    let fingerprint_buffer = bs58::decode(rest).into_vec().map_err(|err| {
+      napi::Error::from_reason(format!("failed to decode bs58 value: error: {err}"))
+    })?;
+
+    let public_key_buffer = self
+      .public_key_buffer
+      .clone()
+      .ok_or(napi::Error::from_reason("public key buffer is missing"))?;
+
+    let leader = hex::encode(&fingerprint_buffer[..2]);
+    let leader_match = if leader == "eb01" { true } else { false };
+    let bytes_match = if &public_key_buffer == &fingerprint_buffer[2..] {
+      true
+    } else {
+      false
+    };
+
+    if leader_match && bytes_match {
+      Ok(())
+    } else {
+      Err(napi::Error::from_reason(
+        "The fingerprint does not match the public key",
+      ))
+    }
+  }
+}
+
+pub fn convert_base64_url_to_base58(value: String) -> Result<String> {
+  let decoded = URL_SAFE.decode(value).map_err(|err| {
+    napi::Error::from_reason(format!("failed to decode base64 url_safe. error {err}"))
+  })?;
+  Ok(bs58::encode(decoded).into_string())
+}
+
+#[napi]
+pub struct KeyPairSigner {
+  key: Bls12381G2KeyPair,
+}
+
+#[napi(object)]
+pub struct KeyPairSignerOptions {
+  pub data: Vec<Uint8Array>,
+}
+
+#[napi]
+impl KeyPairSigner {
+  #[napi]
+  pub async fn sign(&self, options: KeyPairSignerOptions) -> Result<Uint8Array> {
+    if self.key.private_key_buffer.is_none() {
+      return Err(napi::Error::from_reason("No private key to sign with."));
+    }
+
+    let messages: Vec<Vec<u8>> = options.data.into_iter().map(|x| x.to_vec()).collect();
+    let key_pair = BlsKeyPair {
+      public_key: self.key.public_key_buffer.clone(),
+      secret_key: self.key.private_key_buffer.clone(),
+    };
+    let sig = bls_sign(BlsBbsSignRequest { messages, key_pair })
+      .await
+      .map_err(|err| napi::Error::from_reason(format!("bls_signed failed: {err}")))?;
+
+    Ok(Uint8Array::from(sig))
+  }
 }
 
-pub fn test() {}
+#[napi]
+pub struct KeyPairVerifier {
+  key: Bls12381G2KeyPair,
+}
+
+#[napi(object)]
+pub struct KeyPairVerifierOptions {
+  pub data: Vec<Uint8Array>,
+  pub signature: Uint8Array,
+}
+
+#[napi]
+impl KeyPairVerifier {
+  #[napi]
+  pub async fn verify(&self, options: KeyPairVerifierOptions) -> Result<bool> {
+    let KeyPairVerifierOptions { data, signature } = options;
+    let Some(public_key) = self.key.public_key_buffer.clone() else {
+      return Err(napi::Error::from_reason(
+        "key.public_key is required for verify",
+      ));
+    };
+    let signature = signature.to_vec();
+    let messages = data.into_iter().map(|a| a.to_vec()).collect::<Vec<_>>();
+
+    let verified = bls_verify(BlsBbsVerifyRequest {
+      public_key,
+      signature,
+      messages,
+    })
+    .await
+    .map_err(|err| napi::Error::from_reason(format!("bls_verify failed: {err}")))?;
+
+    Ok(verified)
+  }
+}

package/src/types.rs

@@ -0,0 +1,187 @@
+use napi::bindgen_prelude::*;
+
+#[derive(Clone)]
+#[napi]
+pub struct Bls12381G2KeyPair {
+  pub id: Option<String>,
+  pub controller: Option<String>,
+  pub private_key_buffer: Option<Vec<u8>>,
+  pub public_key_buffer: Option<Vec<u8>>,
+  #[napi(js_name = "type")]
+  pub type_: String,
+}
+
+#[napi(object)]
+pub struct KeyPairOptions {
+  pub id: Option<String>,
+  pub controller: Option<String>,
+  pub private_key_base58: Option<String>,
+  pub public_key_base58: Option<String>,
+}
+
+#[napi(object)]
+pub struct JwkKeyPairOptions {
+  pub id: Option<String>,
+  pub controller: Option<String>,
+  pub private_key_jwk: Option<JsonWebKey>,
+  pub public_key_jwk: Option<JsonWebKey>,
+}
+
+#[napi(object)]
+pub struct FingerPrintFromPublicKeyOptions {
+  pub public_key_base58: String,
+}
+
+#[napi(object)]
+pub struct KeyPairFromFingerPrintOptions {
+  pub id: Option<String>,
+  pub controller: Option<String>,
+  pub fingerprint: String,
+}
+
+#[napi(object)]
+pub struct JsonWebKey {
+  /////
+  /// Indicates the key type used
+  /// For BLS12381_G1 and BLS12381_G2 the string "EC" MUST be used
+  //
+  /// @see https://tools.ietf.org/html/rfc7517#section-4.1
+  ///
+  pub kty: String,
+
+  /////
+  /// Indicates the curve this key is associated with
+  /// In the case of BLS12-381, the curve will also indicate if it's a G1 or G2 point
+  //
+  /// For a G1 point, use the string "BLS12381_G1"
+  /// For a G2 point, use the string "BLS12381_G2"
+  //
+  pub crv: String,
+
+  /////
+  /// This is a compression of the public key point
+  //
+  /// For a G1 public key, X is a 384bit base64url encoding of the octet string representation of the coordinate
+  /// For a G2 public key, X is a 768bit made up of the concatenation of two 384 bit x coordinates known as
+  /// x_a and x_b in the following form (x_a || x_b) as a base64url encoding of the octet string representation of the two coordinates
+  ///
+  pub x: String,
+
+  /////
+  /// @see https://tools.ietf.org/html/rfc7517#section-4.2
+  //
+  #[napi(js_name = "use")]
+  pub use_: Option<String>,
+
+  /////
+  /// @see https://tools.ietf.org/html/rfc7517#section-4.3
+  ///
+  pub key_ops: Option<Vec<String>>,
+
+  /////
+  /// @see https://tools.ietf.org/html/rfc7517#section-4.4
+  ///
+  pub alg: Option<String>,
+
+  /////
+  /// @see https://tools.ietf.org/html/rfc7517#section-4.5
+  //
+  /// TODO: Add note about referencing did-jose-extensions when ready
+  ///
+  pub kid: Option<String>,
+
+  /////
+  //
+  /// IMPORTANT NOTE: d represents the private key value and should not be shared
+  /// IT IS HIGHLY SENSITIVE DATA AND IF NOT SECURED PROPERLY CONSIDER THE KEY COMPROMISED
+  //
+  /// @see https://tools.ietf.org/html/rfc7517#section-9.2
+  ///
+  pub d: Option<String>,
+
+  /////
+  /// This coordinate is not used for BLS Keys, but is kept here to make the interface more standard
+  ///
+  pub y: Option<String>,
+
+  /////
+  /// @see https://www.w3.org/TR/WebCryptoAPI/#cryptokey-interface-members
+  ///
+  pub ext: Option<bool>,
+}
+
+#[napi(object)]
+pub struct GenerateKeyPairOptions {
+  pub id: Option<String>,
+  pub controller: Option<String>,
+  pub seed: Option<Buffer>,
+}
+
+#[derive(PartialEq)]
+pub enum BlsCurveName {
+  DeprecatedG1,
+  DeprecatedG2,
+  G1,
+  G2,
+}
+
+impl TryFrom<&str> for BlsCurveName {
+  type Error = napi::Error;
+
+  fn try_from(value: &str) -> std::result::Result<Self, Self::Error> {
+    match value {
+      "BLS12381_G1" => Ok(BlsCurveName::DeprecatedG1),
+      "BLS12381_G2" => Ok(BlsCurveName::DeprecatedG2),
+      "Bls12381G1" => Ok(BlsCurveName::G1),
+      "Bls12381G2" => Ok(BlsCurveName::G2),
+      _ => Err(napi::Error::from_reason(format!(
+        "no matching BlsNamedCurve for value: {}",
+        value
+      ))),
+    }
+  }
+}
+
+impl Into<String> for BlsCurveName {
+  fn into(self) -> String {
+    match self {
+      BlsCurveName::DeprecatedG1 => String::from("BLS12381_G1"),
+      BlsCurveName::DeprecatedG2 => String::from("BLS12381_G2"),
+      BlsCurveName::G1 => String::from("Bls12381G1"),
+      BlsCurveName::G2 => String::from("Bls12381G2"),
+    }
+  }
+}
+
+#[derive(PartialEq)]
+pub enum JwkKty {
+  OctetKeyPair,
+  EC,
+  RSA,
+}
+
+impl TryFrom<&str> for JwkKty {
+  type Error = napi::Error;
+
+  fn try_from(value: &str) -> std::result::Result<Self, Self::Error> {
+    match value {
+      "OKP" => Ok(JwkKty::OctetKeyPair),
+      "EC" => Ok(JwkKty::EC),
+      "RSA" => Ok(JwkKty::RSA),
+      _ => Err(napi::Error::from_reason(format!(
+        "no matching JwkKty for value: {}",
+        value
+      ))),
+    }
+  }
+}
+
+impl Into<String> for JwkKty {
+  fn into(self) -> String {
+    match self {
+      JwkKty::OctetKeyPair => String::from("OKP"),
+      JwkKty::EC => String::from("EC"),
+      JwkKty::RSA => String::from("RSA"),
+    }
+  }
+}

package/src/validators.rs

@@ -0,0 +1,68 @@
+use crate::types::{BlsCurveName, JsonWebKey, JwkKty};
+
+pub fn check_common_bls_jwk_values(jwk: &JsonWebKey) -> napi::Result<()> {
+  BlsCurveName::try_from(jwk.crv.as_str())?;
+  let kty = JwkKty::try_from(jwk.kty.as_str())?;
+  if kty == JwkKty::EC || kty == JwkKty::OctetKeyPair {
+    Ok(())
+  } else {
+    Err(napi::Error::from_reason(format!(
+      "kty value: {} not allowed",
+      jwk.kty
+    )))
+  }
+}
+
+pub fn assert_public_bls_jwk(jwk: &JsonWebKey) -> napi::Result<()> {
+  check_common_bls_jwk_values(jwk)?;
+  if jwk.d.is_none() {
+    Ok(())
+  } else {
+    Err(napi::Error::from_reason(
+      "expected jwk.d to be none, found some value",
+    ))
+  }
+}
+
+pub fn assert_private_bls_jwk(jwk: &JsonWebKey) -> napi::Result<()> {
+  check_common_bls_jwk_values(jwk)?;
+  Ok(())
+}
+
+pub fn assert_bls_12381_g2_public_jwk(jwk: &JsonWebKey) -> napi::Result<()> {
+  let curve = BlsCurveName::try_from(jwk.crv.as_str())?;
+  if curve != BlsCurveName::DeprecatedG2 || curve != BlsCurveName::G2 {
+    return Err(napi::Error::from_reason(format!(
+      "curve value: {} not allowed",
+      jwk.crv
+    )));
+  }
+  assert_public_bls_jwk(jwk)?;
+  if jwk.x.len() != 128 {
+    Err(napi::Error::from_reason(format!(
+      "jwk.x expected length 128, got {}",
+      jwk.x.len()
+    )))
+  } else {
+    Ok(())
+  }
+}
+
+pub fn assert_bls_12381_g2_private_jwk(jwk: &JsonWebKey) -> napi::Result<()> {
+  let curve = BlsCurveName::try_from(jwk.crv.as_str())?;
+  if curve != BlsCurveName::DeprecatedG2 || curve != BlsCurveName::G2 {
+    return Err(napi::Error::from_reason(format!(
+      "curve value: {} not allowed",
+      jwk.crv
+    )));
+  }
+  assert_private_bls_jwk(jwk)?;
+  if jwk.x.len() != 128 {
+    Err(napi::Error::from_reason(format!(
+      "jwk.x expected length 128, got {}",
+      jwk.x.len()
+    )))
+  } else {
+    Ok(())
+  }
+}

package/test.mjs

@@ -0,0 +1,78 @@
+import test from 'node:test';
+import assert from 'node:assert';
+import { Bls12381G2KeyPair } from '@mattrglobal/bls12381-key-pair';
+import { Bls12381G2KeyPair as NewKeyPairClass } from './index.js'
+import bs58 from 'bs58'
+import bbs from '@nuggetslife/ffi-bbs-signatures'
+
+const seed = Buffer.alloc(32, 0)
+const address = '0x581510277Bc56802dE75BA021b66873437e0169f'
+const addressBase58 = bs58.encode(Buffer.from(address.slice(2), 'hex'))
+
+//Set of messages we wish to sign
+const messages = [
+    Uint8Array.from(Buffer.from("message1", "utf8")),
+    Uint8Array.from(Buffer.from("message2", "utf8")),
+];
+
+test('gen keypair for same seed', async () => {
+    const mattr = await Bls12381G2KeyPair.generate({ seed, });
+    const harry = await NewKeyPairClass.generate({ seed })
+    const ffi = await bbs.generateBls12381G2KeyPair(seed)
+    const ffi_sec_key = bs58.encode(Buffer.from(ffi.secretKey))
+    const ffi_pub_key = bs58.encode(Buffer.from(ffi.publicKey))
+
+    // private keys match
+    assert.equal(mattr.privateKey, harry.privateKey)
+    assert.equal(ffi_sec_key, harry.privateKey)
+
+    // public keys match
+    assert.equal(mattr.publicKey, harry.publicKey)
+    assert.equal(ffi_pub_key, harry.publicKey)
+})
+
+
+test('keypair from keypair', async () => {
+    const mattr = await Bls12381G2KeyPair.generate({ seed, });
+    const harry = await NewKeyPairClass.from({
+        id: mattr.id,
+        controller: mattr.controller,
+        publicKeyBase58: mattr.publicKey,
+        privateKeyBase58: mattr.privateKey
+    })
+
+    // private keys match
+    assert.equal(mattr.id, harry.id)
+    assert.equal(mattr.controller, harry.controller)
+    assert.equal(mattr.publicKey, harry.publicKey)
+    assert.equal(mattr.privateKey, harry.privateKey)
+})
+
+
+test('sign and verify', async () => {
+    const mattr = await Bls12381G2KeyPair.generate({ seed, });
+    const harry = await NewKeyPairClass.generate({ seed })
+
+    const ms = mattr.signer();
+    const hs = harry.signer();
+
+    const sign_opts = { data: messages }
+
+    let ms_sig = await ms.sign(sign_opts);
+    let hs_sig = await hs.sign(sign_opts);
+
+    assert.equal(ms_sig.length, hs_sig.length)
+
+    const hsv = harry.verifier();
+    const msv = mattr.verifier();
+
+    let hs_verify_hs_sig = await hsv.verify({ data: messages, signature: hs_sig })
+    let hs_verify_ms_sig = await hsv.verify({ data: messages, signature: ms_sig })
+    let ms_verify_ms_sig = await msv.verify({ data: messages, signature: ms_sig })
+    let ms_verify_hs_sig = await msv.verify({ data: messages, signature: hs_sig })
+
+    assert.equal(hs_verify_hs_sig, true)
+    assert.equal(hs_verify_ms_sig, true)
+    assert.equal(ms_verify_ms_sig, true)
+    assert.equal(ms_verify_hs_sig, true)
+})