@optimystic/quereus-plugin-crypto 0.2.0

package/dist/plugin.js

@@ -0,0 +1,212 @@
+import { sha512, sha256 } from '@noble/hashes/sha2';
+import { blake3 } from '@noble/hashes/blake3';
+import { utf8ToBytes } from '@noble/hashes/utils';
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { p256 } from '@noble/curves/nist';
+import { ed25519 } from '@noble/curves/ed25519';
+import { hexToBytes, bytesToHex } from '@noble/curves/abstract/utils';
+import { fromString, toString } from 'uint8arrays';
+
+// src/crypto.ts
+function toBytes(input, encoding = "base64url") {
+  if (input === null || input === void 0) {
+    return new Uint8Array(0);
+  }
+  if (input instanceof Uint8Array) {
+    return input;
+  }
+  if (typeof input === "string") {
+    switch (encoding) {
+      case "base64url":
+        return fromString(input, "base64url");
+      case "base64":
+        return fromString(input, "base64");
+      case "hex":
+        return hexToBytes(input);
+      case "utf8":
+        return utf8ToBytes(input);
+      default:
+        return fromString(input, "base64url");
+    }
+  }
+  throw new Error("Invalid input type");
+}
+function fromBytes(bytes, encoding = "base64url") {
+  switch (encoding) {
+    case "base64url":
+      return toString(bytes, "base64url");
+    case "base64":
+      return toString(bytes, "base64");
+    case "hex":
+      return bytesToHex(bytes);
+    case "utf8":
+      return toString(bytes, "utf8");
+    case "bytes":
+      return bytes;
+    default:
+      return toString(bytes, "base64url");
+  }
+}
+function digest(data, algorithm = "sha256", inputEncoding = "base64url", outputEncoding = "base64url") {
+  const bytes = toBytes(data, inputEncoding);
+  let hashBytes;
+  switch (algorithm) {
+    case "sha256":
+      hashBytes = sha256(bytes);
+      break;
+    case "sha512":
+      hashBytes = sha512(bytes);
+      break;
+    case "blake3":
+      hashBytes = blake3(bytes);
+      break;
+    default:
+      throw new Error(`Unsupported hash algorithm: ${algorithm}`);
+  }
+  return fromBytes(hashBytes, outputEncoding);
+}
+function hashMod(data, bits, algorithm = "sha256", inputEncoding = "base64url") {
+  if (bits <= 0 || bits > 53) {
+    throw new Error("Bits must be between 1 and 53 (JavaScript safe integer limit)");
+  }
+  const hashBytes = toBytes(digest(data, algorithm, inputEncoding, "base64url"), "base64url");
+  const view = new DataView(hashBytes.buffer, hashBytes.byteOffset, Math.min(8, hashBytes.length));
+  const fullHash = view.getBigUint64(0, false);
+  const modulus = BigInt(2) ** BigInt(bits);
+  const result = fullHash % modulus;
+  return Number(result);
+}
+function sign(data, privateKey, curve = "secp256k1", inputEncoding = "base64url", keyEncoding = "base64url", outputEncoding = "base64url") {
+  const dataBytes = toBytes(data, inputEncoding);
+  const keyBytes = toBytes(privateKey, keyEncoding);
+  let sigBytes;
+  switch (curve) {
+    case "secp256k1": {
+      const sig = secp256k1.sign(dataBytes, keyBytes, { lowS: true });
+      sigBytes = sig.toCompactRawBytes();
+      break;
+    }
+    case "p256": {
+      const sig = p256.sign(dataBytes, keyBytes, { lowS: true });
+      sigBytes = sig.toCompactRawBytes();
+      break;
+    }
+    case "ed25519": {
+      sigBytes = ed25519.sign(dataBytes, keyBytes);
+      break;
+    }
+    default:
+      throw new Error(`Unsupported curve: ${curve}`);
+  }
+  return fromBytes(sigBytes, outputEncoding);
+}
+function verify(data, signature, publicKey, curve = "secp256k1", inputEncoding = "base64url", sigEncoding = "base64url", keyEncoding = "base64url") {
+  try {
+    const dataBytes = toBytes(data, inputEncoding);
+    const sigBytes = toBytes(signature, sigEncoding);
+    const keyBytes = toBytes(publicKey, keyEncoding);
+    switch (curve) {
+      case "secp256k1": {
+        return secp256k1.verify(sigBytes, dataBytes, keyBytes);
+      }
+      case "p256": {
+        return p256.verify(sigBytes, dataBytes, keyBytes);
+      }
+      case "ed25519": {
+        return ed25519.verify(sigBytes, dataBytes, keyBytes);
+      }
+      default:
+        throw new Error(`Unsupported curve: ${curve}`);
+    }
+  } catch {
+    return false;
+  }
+}
+function randomBytes(bits = 256, encoding = "base64url") {
+  const bytes = Math.ceil(bits / 8);
+  const randomBytesArray = new Uint8Array(bytes);
+  crypto.getRandomValues(randomBytesArray);
+  return fromBytes(randomBytesArray, encoding);
+}
+
+// src/plugin.ts
+function register(_db, _config = {}) {
+  const functions = [
+    {
+      schema: {
+        name: "digest",
+        numArgs: -1,
+        // Variable arguments: data, algorithm?, inputEncoding?, outputEncoding?
+        flags: 1,
+        // UTF8
+        returnType: { typeClass: "scalar", sqlType: "TEXT" },
+        implementation: (...args) => {
+          const [data, algorithm = "sha256", inputEncoding = "base64url", outputEncoding = "base64url"] = args;
+          return digest(data, algorithm, inputEncoding, outputEncoding);
+        }
+      }
+    },
+    {
+      schema: {
+        name: "sign",
+        numArgs: -1,
+        // Variable arguments: data, privateKey, curve?, inputEncoding?, keyEncoding?, outputEncoding?
+        flags: 1,
+        returnType: { typeClass: "scalar", sqlType: "TEXT" },
+        implementation: (...args) => {
+          const [data, privateKey, curve = "secp256k1", inputEncoding = "base64url", keyEncoding = "base64url", outputEncoding = "base64url"] = args;
+          return sign(data, privateKey, curve, inputEncoding, keyEncoding, outputEncoding);
+        }
+      }
+    },
+    {
+      schema: {
+        name: "verify",
+        numArgs: -1,
+        // Variable arguments: data, signature, publicKey, curve?, inputEncoding?, sigEncoding?, keyEncoding?
+        flags: 1,
+        returnType: { typeClass: "scalar", sqlType: "INTEGER" },
+        implementation: (...args) => {
+          const [data, signature, publicKey, curve = "secp256k1", inputEncoding = "base64url", sigEncoding = "base64url", keyEncoding = "base64url"] = args;
+          const result = verify(data, signature, publicKey, curve, inputEncoding, sigEncoding, keyEncoding);
+          return result ? 1 : 0;
+        }
+      }
+    },
+    {
+      schema: {
+        name: "hash_mod",
+        numArgs: -1,
+        // Variable arguments: data, bits, algorithm?, inputEncoding?
+        flags: 1,
+        returnType: { typeClass: "scalar", sqlType: "INTEGER" },
+        implementation: (...args) => {
+          const [data, bits, algorithm = "sha256", inputEncoding = "base64url"] = args;
+          return hashMod(data, bits, algorithm, inputEncoding);
+        }
+      }
+    },
+    {
+      schema: {
+        name: "random_bytes",
+        numArgs: -1,
+        // Variable arguments: bits?, encoding?
+        flags: 1,
+        returnType: { typeClass: "scalar", sqlType: "TEXT" },
+        implementation: (...args) => {
+          const [bits = 256, encoding = "base64url"] = args;
+          return randomBytes(bits, encoding);
+        }
+      }
+    }
+  ];
+  return {
+    functions,
+    vtables: [],
+    collations: []
+  };
+}
+
+export { register as default };
+//# sourceMappingURL=plugin.js.map
+//# sourceMappingURL=plugin.js.map

package/dist/plugin.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/crypto.ts","../src/plugin.ts"],"names":["uint8ArrayFromString","uint8ArrayToString"],"mappings":";;;;;;;;;;AAwBA,SAAS,OAAA,CAAQ,KAAA,EAA+C,QAAA,GAAqB,WAAA,EAAyB;AAC7G,EAAA,IAAI,KAAA,KAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,EAAW;AAC1C,IAAA,OAAO,IAAI,WAAW,CAAC,CAAA;AAAA,EACxB;AAEA,EAAA,IAAI,iBAAiB,UAAA,EAAY;AAChC,IAAA,OAAO,KAAA;AAAA,EACR;AAEA,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAC9B,IAAA,QAAQ,QAAA;AAAU,MACjB,KAAK,WAAA;AACJ,QAAA,OAAOA,UAAA,CAAqB,OAAO,WAAW,CAAA;AAAA,MAC/C,KAAK,QAAA;AACJ,QAAA,OAAOA,UAAA,CAAqB,OAAO,QAAQ,CAAA;AAAA,MAC5C,KAAK,KAAA;AACJ,QAAA,OAAO,WAAW,KAAK,CAAA;AAAA,MACxB,KAAK,MAAA;AACJ,QAAA,OAAO,YAAY,KAAK,CAAA;AAAA,MACzB;AACC,QAAA,OAAOA,UAAA,CAAqB,OAAO,WAAW,CAAA;AAAA;AAChD,EACD;AAEA,EAAA,MAAM,IAAI,MAAM,oBAAoB,CAAA;AACrC;AAKA,SAAS,SAAA,CAAU,KAAA,EAAmB,QAAA,GAAqB,WAAA,EAAkC;AAC5F,EAAA,QAAQ,QAAA;AAAU,IACjB,KAAK,WAAA;AACJ,MAAA,OAAOC,QAAA,CAAmB,OAAO,WAAW,CAAA;AAAA,IAC7C,KAAK,QAAA;AACJ,MAAA,OAAOA,QAAA,CAAmB,OAAO,QAAQ,CAAA;AAAA,IAC1C,KAAK,KAAA;AACJ,MAAA,OAAO,WAAW,KAAK,CAAA;AAAA,IACxB,KAAK,MAAA;AACJ,MAAA,OAAOA,QAAA,CAAmB,OAAO,MAAM,CAAA;AAAA,IACxC,KAAK,OAAA;AACJ,MAAA,OAAO,KAAA;AAAA,IACR;AACC,MAAA,OAAOA,QAAA,CAAmB,OAAO,WAAW,CAAA;AAAA;AAE/C;AAuBO,SAAS,OACf,IAAA,EACA,SAAA,GAA2B,UAC3B,aAAA,GAA0B,WAAA,EAC1B,iBAA2B,WAAA,EACL;AACtB,EAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,IAAA,EAAM,aAAa,CAAA;AAEzC,EAAA,IAAI,SAAA;AACJ,EAAA,QAAQ,SAAA;AAAW,IAClB,KAAK,QAAA;AACJ,MAAA,SAAA,GAAY,OAAO,KAAK,CAAA;AACxB,MAAA;AAAA,IACD,KAAK,QAAA;AACJ,MAAA,SAAA,GAAY,OAAO,KAAK,CAAA;AACxB,MAAA;AAAA,IACD,KAAK,QAAA;AACJ,MAAA,SAAA,GAAY,OAAO,KAAK,CAAA;AACxB,MAAA;AAAA,IACD;AACC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,4BAAA,EAA+B,SAAS,CAAA,CAAE,CAAA;AAAA;AAG5D,EAAA,OAAO,SAAA,CAAU,WAAW,cAAc,CAAA;AAC3C;AAqBO,SAAS,QACf,IAAA,EACA,IAAA,EACA,SAAA,GAA2B,QAAA,EAC3B,gBAA0B,WAAA,EACjB;AACT,EAAA,IAAI,IAAA,IAAQ,CAAA,IAAK,IAAA,GAAO,EAAA,EAAI;AAC3B,IAAA,MAAM,IAAI,MAAM,+DAA+D,CAAA;AAAA,EAChF;AAEA,EAAA,MAAM,SAAA,GAAY,QAAQ,MAAA,CAAO,IAAA,EAAM,WAAW,aAAA,EAAe,WAAW,GAAa,WAAW,CAAA;AAGpG,EAAA,MAAM,IAAA,GAAO,IAAI,QAAA,CAAS,SAAA,CAAU,MAAA,EAAQ,SAAA,CAAU,UAAA,EAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,SAAA,CAAU,MAAM,CAAC,CAAA;AAC/F,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,YAAA,CAAa,CAAA,EAAG,KAAK,CAAA;AAG3C,EAAA,MAAM,OAAA,GAAU,MAAA,CAAO,CAAC,CAAA,IAAK,OAAO,IAAI,CAAA;AACxC,EAAA,MAAM,SAAS,QAAA,GAAW,OAAA;AAE1B,EAAA,OAAO,OAAO,MAAM,CAAA;AACrB;AAsBO,SAAS,IAAA,CACf,IAAA,EACA,UAAA,EACA,KAAA,GAAmB,WAAA,EACnB,gBAA0B,WAAA,EAC1B,WAAA,GAAwB,WAAA,EACxB,cAAA,GAA2B,WAAA,EACL;AACtB,EAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,IAAA,EAAM,aAAa,CAAA;AAC7C,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,UAAA,EAAY,WAAW,CAAA;AAEhD,EAAA,IAAI,QAAA;AAEJ,EAAA,QAAQ,KAAA;AAAO,IACd,KAAK,WAAA,EAAa;AACjB,MAAA,MAAM,GAAA,GAAM,UAAU,IAAA,CAAK,SAAA,EAAW,UAAU,EAAE,IAAA,EAAM,MAAM,CAAA;AAC9D,MAAA,QAAA,GAAW,IAAI,iBAAA,EAAkB;AACjC,MAAA;AAAA,IACD;AAAA,IACA,KAAK,MAAA,EAAQ;AACZ,MAAA,MAAM,GAAA,GAAM,KAAK,IAAA,CAAK,SAAA,EAAW,UAAU,EAAE,IAAA,EAAM,MAAM,CAAA;AACzD,MAAA,QAAA,GAAW,IAAI,iBAAA,EAAkB;AACjC,MAAA;AAAA,IACD;AAAA,IACA,KAAK,SAAA,EAAW;AACf,MAAA,QAAA,GAAW,OAAA,CAAQ,IAAA,CAAK,SAAA,EAAW,QAAQ,CAAA;AAC3C,MAAA;AAAA,IACD;AAAA,IACA;AACC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,KAAK,CAAA,CAAE,CAAA;AAAA;AAG/C,EAAA,OAAO,SAAA,CAAU,UAAU,cAAc,CAAA;AAC1C;AAuBO,SAAS,MAAA,CACf,IAAA,EACA,SAAA,EACA,SAAA,EACA,KAAA,GAAmB,WAAA,EACnB,aAAA,GAA0B,WAAA,EAC1B,WAAA,GAAwB,WAAA,EACxB,WAAA,GAAwB,WAAA,EACd;AACV,EAAA,IAAI;AACH,IAAA,MAAM,SAAA,GAAY,OAAA,CAAQ,IAAA,EAAM,aAAa,CAAA;AAC7C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,SAAA,EAAW,WAAW,CAAA;AAC/C,IAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,SAAA,EAAW,WAAW,CAAA;AAE/C,IAAA,QAAQ,KAAA;AAAO,MACd,KAAK,WAAA,EAAa;AACjB,QAAA,OAAO,SAAA,CAAU,MAAA,CAAO,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA;AAAA,MACtD;AAAA,MACA,KAAK,MAAA,EAAQ;AACZ,QAAA,OAAO,IAAA,CAAK,MAAA,CAAO,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA;AAAA,MACjD;AAAA,MACA,KAAK,SAAA,EAAW;AACf,QAAA,OAAO,OAAA,CAAQ,MAAA,CAAO,QAAA,EAAU,SAAA,EAAW,QAAQ,CAAA;AAAA,MACpD;AAAA,MACA;AACC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,KAAK,CAAA,CAAE,CAAA;AAAA;AAC/C,EACD,CAAA,CAAA,MAAQ;AACP,IAAA,OAAO,KAAA;AAAA,EACR;AACD;AASO,SAAS,WAAA,CAAY,IAAA,GAAe,GAAA,EAAK,QAAA,GAAqB,WAAA,EAAkC;AACtG,EAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,IAAA,CAAK,IAAA,GAAO,CAAC,CAAA;AAChC,EAAA,MAAM,gBAAA,GAAmB,IAAI,UAAA,CAAW,KAAK,CAAA;AAC7C,EAAA,MAAA,CAAO,gBAAgB,gBAAgB,CAAA;AACvC,EAAA,OAAO,SAAA,CAAU,kBAAkB,QAAQ,CAAA;AAC5C;;;AC1Qe,SAAR,QAAA,CAA0B,GAAA,EAAe,OAAA,GAAoC,EAAC,EAAG;AAEvF,EAAA,MAAM,SAAA,GAAY;AAAA,IACjB;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,QAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,MAAA,EAAO;AAAA,QAC5D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,MAAM,SAAA,GAAY,QAAA,EAAU,gBAAgB,WAAA,EAAa,cAAA,GAAiB,WAAW,CAAA,GAAI,IAAA;AAChG,UAAA,OAAO,MAAA,CAAO,IAAA,EAAgB,SAAA,EAAkB,aAAA,EAAsB,cAAqB,CAAA;AAAA,QAC5F;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,MAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,MAAA,EAAO;AAAA,QAC5D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,EAAM,UAAA,EAAY,KAAA,GAAQ,WAAA,EAAa,aAAA,GAAgB,WAAA,EAAa,WAAA,GAAc,WAAA,EAAa,cAAA,GAAiB,WAAW,CAAA,GAAI,IAAA;AACtI,UAAA,OAAO,KAAK,IAAA,EAAgB,UAAA,EAAsB,KAAA,EAAc,aAAA,EAAsB,aAAoB,cAAqB,CAAA;AAAA,QAChI;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,QAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,SAAA,EAAU;AAAA,QAC/D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,EAAM,SAAA,EAAW,SAAA,EAAW,KAAA,GAAQ,WAAA,EAAa,aAAA,GAAgB,WAAA,EAAa,WAAA,GAAc,WAAA,EAAa,WAAA,GAAc,WAAW,CAAA,GAAI,IAAA;AAC7I,UAAA,MAAM,MAAA,GAAS,OAAO,IAAA,EAAgB,SAAA,EAAqB,WAAqB,KAAA,EAAc,aAAA,EAAsB,aAAoB,WAAkB,CAAA;AAC1J,UAAA,OAAO,SAAS,CAAA,GAAI,CAAA;AAAA,QACrB;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,UAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,SAAA,EAAU;AAAA,QAC/D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,EAAM,IAAA,EAAM,YAAY,QAAA,EAAU,aAAA,GAAgB,WAAW,CAAA,GAAI,IAAA;AACxE,UAAA,OAAO,OAAA,CAAQ,IAAA,EAAgB,IAAA,EAAgB,SAAA,EAAkB,aAAoB,CAAA;AAAA,QACtF;AAAA;AACD,KACD;AAAA,IACA;AAAA,MACC,MAAA,EAAQ;AAAA,QACP,IAAA,EAAM,cAAA;AAAA,QACN,OAAA,EAAS,EAAA;AAAA;AAAA,QACT,KAAA,EAAO,CAAA;AAAA,QACP,UAAA,EAAY,EAAE,SAAA,EAAW,QAAA,EAAmB,SAAS,MAAA,EAAO;AAAA,QAC5D,cAAA,EAAgB,IAAI,IAAA,KAAqB;AACxC,UAAA,MAAM,CAAC,IAAA,GAAO,GAAA,EAAK,QAAA,GAAW,WAAW,CAAA,GAAI,IAAA;AAC7C,UAAA,OAAO,WAAA,CAAY,MAAgB,QAAe,CAAA;AAAA,QACnD;AAAA;AACD;AACD,GACD;AAEA,EAAA,OAAO;AAAA,IACN,SAAA;AAAA,IACA,SAAS,EAAC;AAAA,IACV,YAAY;AAAC,GACd;AACD","file":"plugin.js","sourcesContent":["/**\n * Cryptographic Functions for Quereus\n *\n * Idiomatic ES module exports with base64url as default encoding.\n * All functions accept and return base64url strings by default for SQL compatibility.\n */\n\nimport { sha256, sha512 } from '@noble/hashes/sha2';\nimport { blake3 } from '@noble/hashes/blake3';\nimport { concatBytes, utf8ToBytes } from '@noble/hashes/utils';\nimport { secp256k1 } from '@noble/curves/secp256k1';\nimport { p256 } from '@noble/curves/nist';\nimport { ed25519 } from '@noble/curves/ed25519';\nimport { hexToBytes, bytesToHex } from '@noble/curves/abstract/utils';\nimport { toString as uint8ArrayToString, fromString as uint8ArrayFromString } from 'uint8arrays';\n\n// Type definitions\nexport type HashAlgorithm = 'sha256' | 'sha512' | 'blake3';\nexport type CurveType = 'secp256k1' | 'p256' | 'ed25519';\nexport type Encoding = 'base64url' | 'base64' | 'hex' | 'utf8' | 'bytes';\n\n/**\n * Convert input to Uint8Array, handling various encodings\n */\nfunction toBytes(input: string | Uint8Array | null | undefined, encoding: Encoding = 'base64url'): Uint8Array {\n\tif (input === null || input === undefined) {\n\t\treturn new Uint8Array(0);\n\t}\n\n\tif (input instanceof Uint8Array) {\n\t\treturn input;\n\t}\n\n\tif (typeof input === 'string') {\n\t\tswitch (encoding) {\n\t\t\tcase 'base64url':\n\t\t\t\treturn uint8ArrayFromString(input, 'base64url');\n\t\t\tcase 'base64':\n\t\t\t\treturn uint8ArrayFromString(input, 'base64');\n\t\t\tcase 'hex':\n\t\t\t\treturn hexToBytes(input);\n\t\t\tcase 'utf8':\n\t\t\t\treturn utf8ToBytes(input);\n\t\t\tdefault:\n\t\t\t\treturn uint8ArrayFromString(input, 'base64url');\n\t\t}\n\t}\n\n\tthrow new Error('Invalid input type');\n}\n\n/**\n * Convert Uint8Array to string in specified encoding\n */\nfunction fromBytes(bytes: Uint8Array, encoding: Encoding = 'base64url'): string | Uint8Array {\n\tswitch (encoding) {\n\t\tcase 'base64url':\n\t\t\treturn uint8ArrayToString(bytes, 'base64url');\n\t\tcase 'base64':\n\t\t\treturn uint8ArrayToString(bytes, 'base64');\n\t\tcase 'hex':\n\t\t\treturn bytesToHex(bytes);\n\t\tcase 'utf8':\n\t\t\treturn uint8ArrayToString(bytes, 'utf8');\n\t\tcase 'bytes':\n\t\t\treturn bytes;\n\t\tdefault:\n\t\t\treturn uint8ArrayToString(bytes, 'base64url');\n\t}\n}\n\n/**\n * Compute hash digest of input data\n *\n * @param data - Data to hash (base64url string or Uint8Array)\n * @param algorithm - Hash algorithm (default: 'sha256')\n * @param inputEncoding - Encoding of input string (default: 'base64url')\n * @param outputEncoding - Encoding of output (default: 'base64url')\n * @returns Hash digest in specified encoding\n *\n * @example\n * ```typescript\n * // Hash UTF-8 text, output as base64url\n * const hash = digest('hello world', 'sha256', 'utf8');\n *\n * // Hash base64url data with SHA-512\n * const hash2 = digest('SGVsbG8', 'sha512');\n *\n * // Get raw bytes\n * const bytes = digest('data', 'blake3', 'utf8', 'bytes');\n * ```\n */\nexport function digest(\n\tdata: string | Uint8Array,\n\talgorithm: HashAlgorithm = 'sha256',\n\tinputEncoding: Encoding = 'base64url',\n\toutputEncoding: Encoding = 'base64url'\n): string | Uint8Array {\n\tconst bytes = toBytes(data, inputEncoding);\n\n\tlet hashBytes: Uint8Array;\n\tswitch (algorithm) {\n\t\tcase 'sha256':\n\t\t\thashBytes = sha256(bytes);\n\t\t\tbreak;\n\t\tcase 'sha512':\n\t\t\thashBytes = sha512(bytes);\n\t\t\tbreak;\n\t\tcase 'blake3':\n\t\t\thashBytes = blake3(bytes);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported hash algorithm: ${algorithm}`);\n\t}\n\n\treturn fromBytes(hashBytes, outputEncoding);\n}\n\n/**\n * Hash data and return modulo of specified bit length\n * Useful for generating fixed-size hash values (e.g., 16-bit, 32-bit)\n *\n * @param data - Data to hash\n * @param bits - Number of bits for the result (e.g., 16 for 16-bit hash)\n * @param algorithm - Hash algorithm (default: 'sha256')\n * @param inputEncoding - Encoding of input string (default: 'base64url')\n * @returns Integer hash value modulo 2^bits\n *\n * @example\n * ```typescript\n * // Get 16-bit hash (0-65535)\n * const hash16 = hashMod('hello', 16, 'sha256', 'utf8');\n *\n * // Get 32-bit hash\n * const hash32 = hashMod('world', 32, 'sha256', 'utf8');\n * ```\n */\nexport function hashMod(\n\tdata: string | Uint8Array,\n\tbits: number,\n\talgorithm: HashAlgorithm = 'sha256',\n\tinputEncoding: Encoding = 'base64url'\n): number {\n\tif (bits <= 0 || bits > 53) {\n\t\tthrow new Error('Bits must be between 1 and 53 (JavaScript safe integer limit)');\n\t}\n\n\tconst hashBytes = toBytes(digest(data, algorithm, inputEncoding, 'base64url') as string, 'base64url');\n\n\t// Take first 8 bytes and convert to number\n\tconst view = new DataView(hashBytes.buffer, hashBytes.byteOffset, Math.min(8, hashBytes.length));\n\tconst fullHash = view.getBigUint64(0, false); // big-endian\n\n\t// Modulo by 2^bits\n\tconst modulus = BigInt(2) ** BigInt(bits);\n\tconst result = fullHash % modulus;\n\n\treturn Number(result);\n}\n\n/**\n * Sign data with a private key\n *\n * @param data - Data to sign (typically a hash)\n * @param privateKey - Private key (base64url string or Uint8Array)\n * @param curve - Elliptic curve (default: 'secp256k1')\n * @param inputEncoding - Encoding of data input (default: 'base64url')\n * @param keyEncoding - Encoding of private key (default: 'base64url')\n * @param outputEncoding - Encoding of signature output (default: 'base64url')\n * @returns Signature in specified encoding\n *\n * @example\n * ```typescript\n * // Sign a hash with secp256k1\n * const sig = sign(hashData, privateKey);\n *\n * // Sign with Ed25519\n * const sig2 = sign(hashData, privateKey, 'ed25519');\n * ```\n */\nexport function sign(\n\tdata: string | Uint8Array,\n\tprivateKey: string | Uint8Array,\n\tcurve: CurveType = 'secp256k1',\n\tinputEncoding: Encoding = 'base64url',\n\tkeyEncoding: Encoding = 'base64url',\n\toutputEncoding: Encoding = 'base64url'\n): string | Uint8Array {\n\tconst dataBytes = toBytes(data, inputEncoding);\n\tconst keyBytes = toBytes(privateKey, keyEncoding);\n\n\tlet sigBytes: Uint8Array;\n\n\tswitch (curve) {\n\t\tcase 'secp256k1': {\n\t\t\tconst sig = secp256k1.sign(dataBytes, keyBytes, { lowS: true });\n\t\t\tsigBytes = sig.toCompactRawBytes();\n\t\t\tbreak;\n\t\t}\n\t\tcase 'p256': {\n\t\t\tconst sig = p256.sign(dataBytes, keyBytes, { lowS: true });\n\t\t\tsigBytes = sig.toCompactRawBytes();\n\t\t\tbreak;\n\t\t}\n\t\tcase 'ed25519': {\n\t\t\tsigBytes = ed25519.sign(dataBytes, keyBytes);\n\t\t\tbreak;\n\t\t}\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t}\n\n\treturn fromBytes(sigBytes, outputEncoding);\n}\n\n/**\n * Verify a signature\n *\n * @param data - Data that was signed\n * @param signature - Signature to verify\n * @param publicKey - Public key\n * @param curve - Elliptic curve (default: 'secp256k1')\n * @param inputEncoding - Encoding of data input (default: 'base64url')\n * @param sigEncoding - Encoding of signature (default: 'base64url')\n * @param keyEncoding - Encoding of public key (default: 'base64url')\n * @returns true if signature is valid, false otherwise\n *\n * @example\n * ```typescript\n * // Verify a signature\n * const isValid = verify(hashData, signature, publicKey);\n *\n * // Verify with Ed25519\n * const isValid2 = verify(hashData, signature, publicKey, 'ed25519');\n * ```\n */\nexport function verify(\n\tdata: string | Uint8Array,\n\tsignature: string | Uint8Array,\n\tpublicKey: string | Uint8Array,\n\tcurve: CurveType = 'secp256k1',\n\tinputEncoding: Encoding = 'base64url',\n\tsigEncoding: Encoding = 'base64url',\n\tkeyEncoding: Encoding = 'base64url'\n): boolean {\n\ttry {\n\t\tconst dataBytes = toBytes(data, inputEncoding);\n\t\tconst sigBytes = toBytes(signature, sigEncoding);\n\t\tconst keyBytes = toBytes(publicKey, keyEncoding);\n\n\t\tswitch (curve) {\n\t\t\tcase 'secp256k1': {\n\t\t\t\treturn secp256k1.verify(sigBytes, dataBytes, keyBytes);\n\t\t\t}\n\t\t\tcase 'p256': {\n\t\t\t\treturn p256.verify(sigBytes, dataBytes, keyBytes);\n\t\t\t}\n\t\t\tcase 'ed25519': {\n\t\t\t\treturn ed25519.verify(sigBytes, dataBytes, keyBytes);\n\t\t\t}\n\t\t\tdefault:\n\t\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t\t}\n\t} catch {\n\t\treturn false;\n\t}\n}\n\n/**\n * Generate cryptographically secure random bytes\n *\n * @param bits - Number of bits to generate (default: 256)\n * @param encoding - Output encoding (default: 'base64url')\n * @returns Random bytes in the specified encoding\n */\nexport function randomBytes(bits: number = 256, encoding: Encoding = 'base64url'): string | Uint8Array {\n\tconst bytes = Math.ceil(bits / 8);\n\tconst randomBytesArray = new Uint8Array(bytes);\n\tcrypto.getRandomValues(randomBytesArray);\n\treturn fromBytes(randomBytesArray, encoding);\n}\n\n/**\n * Generate a random private key\n */\nexport function generatePrivateKey(curve: CurveType = 'secp256k1', encoding: Encoding = 'base64url'): string | Uint8Array {\n\tlet keyBytes: Uint8Array;\n\n\tswitch (curve) {\n\t\tcase 'secp256k1':\n\t\t\tkeyBytes = secp256k1.utils.randomPrivateKey();\n\t\t\tbreak;\n\t\tcase 'p256':\n\t\t\tkeyBytes = p256.utils.randomPrivateKey();\n\t\t\tbreak;\n\t\tcase 'ed25519':\n\t\t\tkeyBytes = ed25519.utils.randomPrivateKey();\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t}\n\n\treturn fromBytes(keyBytes, encoding);\n}\n\n/**\n * Get public key from private key\n */\nexport function getPublicKey(\n\tprivateKey: string | Uint8Array,\n\tcurve: CurveType = 'secp256k1',\n\tkeyEncoding: Encoding = 'base64url',\n\toutputEncoding: Encoding = 'base64url'\n): string | Uint8Array {\n\tconst keyBytes = toBytes(privateKey, keyEncoding);\n\n\tlet pubBytes: Uint8Array;\n\n\tswitch (curve) {\n\t\tcase 'secp256k1':\n\t\t\tpubBytes = secp256k1.getPublicKey(keyBytes);\n\t\t\tbreak;\n\t\tcase 'p256':\n\t\t\tpubBytes = p256.getPublicKey(keyBytes);\n\t\t\tbreak;\n\t\tcase 'ed25519':\n\t\t\tpubBytes = ed25519.getPublicKey(keyBytes);\n\t\t\tbreak;\n\t\tdefault:\n\t\t\tthrow new Error(`Unsupported curve: ${curve}`);\n\t}\n\n\treturn fromBytes(pubBytes, outputEncoding);\n}\n\n","/**\n * Quereus Plugin Entry Point for Crypto Functions\n *\n * This module provides the plugin registration following Quereus 0.4.5 format.\n * All metadata is in package.json - no manifest export needed.\n */\n\nimport type { Database, FunctionFlags, SqlValue } from '@quereus/quereus';\nimport { digest, sign, verify, hashMod, randomBytes } from './crypto.js';\n\n/**\n * Plugin registration function\n * This is called by Quereus when the plugin is loaded\n */\nexport default function register(_db: Database, _config: Record<string, SqlValue> = {}) {\n\t// Register crypto functions with Quereus\n\tconst functions = [\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'digest',\n\t\t\t\tnumArgs: -1, // Variable arguments: data, algorithm?, inputEncoding?, outputEncoding?\n\t\t\t\tflags: 1 as FunctionFlags, // UTF8\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'TEXT' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [data, algorithm = 'sha256', inputEncoding = 'base64url', outputEncoding = 'base64url'] = args;\n\t\t\t\t\treturn digest(data as string, algorithm as any, inputEncoding as any, outputEncoding as any);\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'sign',\n\t\t\t\tnumArgs: -1, // Variable arguments: data, privateKey, curve?, inputEncoding?, keyEncoding?, outputEncoding?\n\t\t\t\tflags: 1 as FunctionFlags,\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'TEXT' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [data, privateKey, curve = 'secp256k1', inputEncoding = 'base64url', keyEncoding = 'base64url', outputEncoding = 'base64url'] = args;\n\t\t\t\t\treturn sign(data as string, privateKey as string, curve as any, inputEncoding as any, keyEncoding as any, outputEncoding as any);\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'verify',\n\t\t\t\tnumArgs: -1, // Variable arguments: data, signature, publicKey, curve?, inputEncoding?, sigEncoding?, keyEncoding?\n\t\t\t\tflags: 1 as FunctionFlags,\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'INTEGER' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [data, signature, publicKey, curve = 'secp256k1', inputEncoding = 'base64url', sigEncoding = 'base64url', keyEncoding = 'base64url'] = args;\n\t\t\t\t\tconst result = verify(data as string, signature as string, publicKey as string, curve as any, inputEncoding as any, sigEncoding as any, keyEncoding as any);\n\t\t\t\t\treturn result ? 1 : 0;\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'hash_mod',\n\t\t\t\tnumArgs: -1, // Variable arguments: data, bits, algorithm?, inputEncoding?\n\t\t\t\tflags: 1 as FunctionFlags,\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'INTEGER' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [data, bits, algorithm = 'sha256', inputEncoding = 'base64url'] = args;\n\t\t\t\t\treturn hashMod(data as string, bits as number, algorithm as any, inputEncoding as any);\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\t{\n\t\t\tschema: {\n\t\t\t\tname: 'random_bytes',\n\t\t\t\tnumArgs: -1, // Variable arguments: bits?, encoding?\n\t\t\t\tflags: 1 as FunctionFlags,\n\t\t\t\treturnType: { typeClass: 'scalar' as const, sqlType: 'TEXT' },\n\t\t\t\timplementation: (...args: SqlValue[]) => {\n\t\t\t\t\tconst [bits = 256, encoding = 'base64url'] = args;\n\t\t\t\t\treturn randomBytes(bits as number, encoding as any);\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t];\n\n\treturn {\n\t\tfunctions,\n\t\tvtables: [],\n\t\tcollations: [],\n\t};\n}\n\n"]}

package/package.json

@@ -0,0 +1,71 @@
+{
+	"name": "@optimystic/quereus-plugin-crypto",
+	"version": "0.2.0",
+	"description": "Quereus plugin providing cryptographic functions (digest, sign, verify)",
+	"type": "module",
+	"main": "dist/index.js",
+	"types": "dist/index.d.ts",
+	"exports": {
+		".": {
+			"import": "./dist/index.js",
+			"types": "./dist/index.d.ts"
+		},
+		"./plugin": {
+			"import": "./dist/plugin.js",
+			"types": "./dist/plugin.d.ts"
+		}
+	},
+	"files": [
+		"dist",
+		"src",
+		"README.md"
+	],
+	"scripts": {
+		"build": "tsup",
+		"dev": "tsup --watch",
+		"clean": "rm -rf dist",
+		"typecheck": "tsc --noEmit"
+	},
+	"devDependencies": {
+		"@quereus/quereus": "^0.4.5",
+		"@types/node": "^24.0.12",
+		"aegir": "^47.0.20",
+		"tsup": "^8.5.0",
+		"typescript": "^5.8.3"
+	},
+	"dependencies": {
+		"@noble/curves": "^1.9.6",
+		"@noble/hashes": "^1.8.0",
+		"uint8arrays": "^5.1.0"
+	},
+	"peerDependencies": {
+		"@quereus/quereus": "^0.4.5"
+	},
+	"engines": {
+		"quereus": "^0.4.5"
+	},
+	"keywords": [
+		"quereus-plugin",
+		"quereus",
+		"crypto",
+		"cryptography",
+		"digest",
+		"hash",
+		"signature",
+		"sign",
+		"verify",
+		"secp256k1",
+		"ed25519",
+		"p256"
+	],
+	"author": "Optimystic Team",
+	"license": "MIT",
+	"quereus": {
+		"provides": {
+			"functions": ["digest", "sign", "verify", "hash_mod", "random_bytes"],
+			"vtables": [],
+			"collations": []
+		},
+		"settings": []
+	}
+}

package/src/crypto.ts

@@ -0,0 +1,335 @@
+/**
+ * Cryptographic Functions for Quereus
+ *
+ * Idiomatic ES module exports with base64url as default encoding.
+ * All functions accept and return base64url strings by default for SQL compatibility.
+ */
+
+import { sha256, sha512 } from '@noble/hashes/sha2';
+import { blake3 } from '@noble/hashes/blake3';
+import { concatBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { p256 } from '@noble/curves/nist';
+import { ed25519 } from '@noble/curves/ed25519';
+import { hexToBytes, bytesToHex } from '@noble/curves/abstract/utils';
+import { toString as uint8ArrayToString, fromString as uint8ArrayFromString } from 'uint8arrays';
+
+// Type definitions
+export type HashAlgorithm = 'sha256' | 'sha512' | 'blake3';
+export type CurveType = 'secp256k1' | 'p256' | 'ed25519';
+export type Encoding = 'base64url' | 'base64' | 'hex' | 'utf8' | 'bytes';
+
+/**
+ * Convert input to Uint8Array, handling various encodings
+ */
+function toBytes(input: string | Uint8Array | null | undefined, encoding: Encoding = 'base64url'): Uint8Array {
+	if (input === null || input === undefined) {
+		return new Uint8Array(0);
+	}
+
+	if (input instanceof Uint8Array) {
+		return input;
+	}
+
+	if (typeof input === 'string') {
+		switch (encoding) {
+			case 'base64url':
+				return uint8ArrayFromString(input, 'base64url');
+			case 'base64':
+				return uint8ArrayFromString(input, 'base64');
+			case 'hex':
+				return hexToBytes(input);
+			case 'utf8':
+				return utf8ToBytes(input);
+			default:
+				return uint8ArrayFromString(input, 'base64url');
+		}
+	}
+
+	throw new Error('Invalid input type');
+}
+
+/**
+ * Convert Uint8Array to string in specified encoding
+ */
+function fromBytes(bytes: Uint8Array, encoding: Encoding = 'base64url'): string | Uint8Array {
+	switch (encoding) {
+		case 'base64url':
+			return uint8ArrayToString(bytes, 'base64url');
+		case 'base64':
+			return uint8ArrayToString(bytes, 'base64');
+		case 'hex':
+			return bytesToHex(bytes);
+		case 'utf8':
+			return uint8ArrayToString(bytes, 'utf8');
+		case 'bytes':
+			return bytes;
+		default:
+			return uint8ArrayToString(bytes, 'base64url');
+	}
+}
+
+/**
+ * Compute hash digest of input data
+ *
+ * @param data - Data to hash (base64url string or Uint8Array)
+ * @param algorithm - Hash algorithm (default: 'sha256')
+ * @param inputEncoding - Encoding of input string (default: 'base64url')
+ * @param outputEncoding - Encoding of output (default: 'base64url')
+ * @returns Hash digest in specified encoding
+ *
+ * @example
+ * ```typescript
+ * // Hash UTF-8 text, output as base64url
+ * const hash = digest('hello world', 'sha256', 'utf8');
+ *
+ * // Hash base64url data with SHA-512
+ * const hash2 = digest('SGVsbG8', 'sha512');
+ *
+ * // Get raw bytes
+ * const bytes = digest('data', 'blake3', 'utf8', 'bytes');
+ * ```
+ */
+export function digest(
+	data: string | Uint8Array,
+	algorithm: HashAlgorithm = 'sha256',
+	inputEncoding: Encoding = 'base64url',
+	outputEncoding: Encoding = 'base64url'
+): string | Uint8Array {
+	const bytes = toBytes(data, inputEncoding);
+
+	let hashBytes: Uint8Array;
+	switch (algorithm) {
+		case 'sha256':
+			hashBytes = sha256(bytes);
+			break;
+		case 'sha512':
+			hashBytes = sha512(bytes);
+			break;
+		case 'blake3':
+			hashBytes = blake3(bytes);
+			break;
+		default:
+			throw new Error(`Unsupported hash algorithm: ${algorithm}`);
+	}
+
+	return fromBytes(hashBytes, outputEncoding);
+}
+
+/**
+ * Hash data and return modulo of specified bit length
+ * Useful for generating fixed-size hash values (e.g., 16-bit, 32-bit)
+ *
+ * @param data - Data to hash
+ * @param bits - Number of bits for the result (e.g., 16 for 16-bit hash)
+ * @param algorithm - Hash algorithm (default: 'sha256')
+ * @param inputEncoding - Encoding of input string (default: 'base64url')
+ * @returns Integer hash value modulo 2^bits
+ *
+ * @example
+ * ```typescript
+ * // Get 16-bit hash (0-65535)
+ * const hash16 = hashMod('hello', 16, 'sha256', 'utf8');
+ *
+ * // Get 32-bit hash
+ * const hash32 = hashMod('world', 32, 'sha256', 'utf8');
+ * ```
+ */
+export function hashMod(
+	data: string | Uint8Array,
+	bits: number,
+	algorithm: HashAlgorithm = 'sha256',
+	inputEncoding: Encoding = 'base64url'
+): number {
+	if (bits <= 0 || bits > 53) {
+		throw new Error('Bits must be between 1 and 53 (JavaScript safe integer limit)');
+	}
+
+	const hashBytes = toBytes(digest(data, algorithm, inputEncoding, 'base64url') as string, 'base64url');
+
+	// Take first 8 bytes and convert to number
+	const view = new DataView(hashBytes.buffer, hashBytes.byteOffset, Math.min(8, hashBytes.length));
+	const fullHash = view.getBigUint64(0, false); // big-endian
+
+	// Modulo by 2^bits
+	const modulus = BigInt(2) ** BigInt(bits);
+	const result = fullHash % modulus;
+
+	return Number(result);
+}
+
+/**
+ * Sign data with a private key
+ *
+ * @param data - Data to sign (typically a hash)
+ * @param privateKey - Private key (base64url string or Uint8Array)
+ * @param curve - Elliptic curve (default: 'secp256k1')
+ * @param inputEncoding - Encoding of data input (default: 'base64url')
+ * @param keyEncoding - Encoding of private key (default: 'base64url')
+ * @param outputEncoding - Encoding of signature output (default: 'base64url')
+ * @returns Signature in specified encoding
+ *
+ * @example
+ * ```typescript
+ * // Sign a hash with secp256k1
+ * const sig = sign(hashData, privateKey);
+ *
+ * // Sign with Ed25519
+ * const sig2 = sign(hashData, privateKey, 'ed25519');
+ * ```
+ */
+export function sign(
+	data: string | Uint8Array,
+	privateKey: string | Uint8Array,
+	curve: CurveType = 'secp256k1',
+	inputEncoding: Encoding = 'base64url',
+	keyEncoding: Encoding = 'base64url',
+	outputEncoding: Encoding = 'base64url'
+): string | Uint8Array {
+	const dataBytes = toBytes(data, inputEncoding);
+	const keyBytes = toBytes(privateKey, keyEncoding);
+
+	let sigBytes: Uint8Array;
+
+	switch (curve) {
+		case 'secp256k1': {
+			const sig = secp256k1.sign(dataBytes, keyBytes, { lowS: true });
+			sigBytes = sig.toCompactRawBytes();
+			break;
+		}
+		case 'p256': {
+			const sig = p256.sign(dataBytes, keyBytes, { lowS: true });
+			sigBytes = sig.toCompactRawBytes();
+			break;
+		}
+		case 'ed25519': {
+			sigBytes = ed25519.sign(dataBytes, keyBytes);
+			break;
+		}
+		default:
+			throw new Error(`Unsupported curve: ${curve}`);
+	}
+
+	return fromBytes(sigBytes, outputEncoding);
+}
+
+/**
+ * Verify a signature
+ *
+ * @param data - Data that was signed
+ * @param signature - Signature to verify
+ * @param publicKey - Public key
+ * @param curve - Elliptic curve (default: 'secp256k1')
+ * @param inputEncoding - Encoding of data input (default: 'base64url')
+ * @param sigEncoding - Encoding of signature (default: 'base64url')
+ * @param keyEncoding - Encoding of public key (default: 'base64url')
+ * @returns true if signature is valid, false otherwise
+ *
+ * @example
+ * ```typescript
+ * // Verify a signature
+ * const isValid = verify(hashData, signature, publicKey);
+ *
+ * // Verify with Ed25519
+ * const isValid2 = verify(hashData, signature, publicKey, 'ed25519');
+ * ```
+ */
+export function verify(
+	data: string | Uint8Array,
+	signature: string | Uint8Array,
+	publicKey: string | Uint8Array,
+	curve: CurveType = 'secp256k1',
+	inputEncoding: Encoding = 'base64url',
+	sigEncoding: Encoding = 'base64url',
+	keyEncoding: Encoding = 'base64url'
+): boolean {
+	try {
+		const dataBytes = toBytes(data, inputEncoding);
+		const sigBytes = toBytes(signature, sigEncoding);
+		const keyBytes = toBytes(publicKey, keyEncoding);
+
+		switch (curve) {
+			case 'secp256k1': {
+				return secp256k1.verify(sigBytes, dataBytes, keyBytes);
+			}
+			case 'p256': {
+				return p256.verify(sigBytes, dataBytes, keyBytes);
+			}
+			case 'ed25519': {
+				return ed25519.verify(sigBytes, dataBytes, keyBytes);
+			}
+			default:
+				throw new Error(`Unsupported curve: ${curve}`);
+		}
+	} catch {
+		return false;
+	}
+}
+
+/**
+ * Generate cryptographically secure random bytes
+ *
+ * @param bits - Number of bits to generate (default: 256)
+ * @param encoding - Output encoding (default: 'base64url')
+ * @returns Random bytes in the specified encoding
+ */
+export function randomBytes(bits: number = 256, encoding: Encoding = 'base64url'): string | Uint8Array {
+	const bytes = Math.ceil(bits / 8);
+	const randomBytesArray = new Uint8Array(bytes);
+	crypto.getRandomValues(randomBytesArray);
+	return fromBytes(randomBytesArray, encoding);
+}
+
+/**
+ * Generate a random private key
+ */
+export function generatePrivateKey(curve: CurveType = 'secp256k1', encoding: Encoding = 'base64url'): string | Uint8Array {
+	let keyBytes: Uint8Array;
+
+	switch (curve) {
+		case 'secp256k1':
+			keyBytes = secp256k1.utils.randomPrivateKey();
+			break;
+		case 'p256':
+			keyBytes = p256.utils.randomPrivateKey();
+			break;
+		case 'ed25519':
+			keyBytes = ed25519.utils.randomPrivateKey();
+			break;
+		default:
+			throw new Error(`Unsupported curve: ${curve}`);
+	}
+
+	return fromBytes(keyBytes, encoding);
+}
+
+/**
+ * Get public key from private key
+ */
+export function getPublicKey(
+	privateKey: string | Uint8Array,
+	curve: CurveType = 'secp256k1',
+	keyEncoding: Encoding = 'base64url',
+	outputEncoding: Encoding = 'base64url'
+): string | Uint8Array {
+	const keyBytes = toBytes(privateKey, keyEncoding);
+
+	let pubBytes: Uint8Array;
+
+	switch (curve) {
+		case 'secp256k1':
+			pubBytes = secp256k1.getPublicKey(keyBytes);
+			break;
+		case 'p256':
+			pubBytes = p256.getPublicKey(keyBytes);
+			break;
+		case 'ed25519':
+			pubBytes = ed25519.getPublicKey(keyBytes);
+			break;
+		default:
+			throw new Error(`Unsupported curve: ${curve}`);
+	}
+
+	return fromBytes(pubBytes, outputEncoding);
+}
+