@optimystic/quereus-plugin-crypto 0.3.0 → 0.3.1

package/package.json

@@ -1,71 +1,83 @@
 {
-	"name": "@optimystic/quereus-plugin-crypto",
-	"version": "0.3.0",
-	"description": "Quereus plugin providing cryptographic functions (digest, sign, verify)",
-	"type": "module",
-	"main": "dist/index.js",
-	"types": "dist/index.d.ts",
-	"exports": {
-		".": {
-			"import": "./dist/index.js",
-			"types": "./dist/index.d.ts"
-		},
-		"./plugin": {
-			"import": "./dist/plugin.js",
-			"types": "./dist/plugin.d.ts"
-		}
-	},
-	"files": [
-		"dist",
-		"src",
-		"README.md"
-	],
-	"scripts": {
-		"build": "tsup",
-		"dev": "tsup --watch",
-		"clean": "rm -rf dist",
-		"typecheck": "tsc --noEmit"
-	},
-	"devDependencies": {
-		"@quereus/quereus": "^0.6.1",
-		"@types/node": "^24.0.12",
-		"aegir": "^47.0.20",
-		"tsup": "^8.5.0",
-		"typescript": "^5.8.3"
-	},
-	"dependencies": {
-		"@noble/curves": "^1.9.6",
-		"@noble/hashes": "^1.8.0",
-		"uint8arrays": "^5.1.0"
-	},
-	"peerDependencies": {
-		"@quereus/quereus": "^0.6.1"
-	},
-	"engines": {
-		"quereus": "^0.6.1"
-	},
-	"keywords": [
-		"quereus-plugin",
-		"quereus",
-		"crypto",
-		"cryptography",
-		"digest",
-		"hash",
-		"signature",
-		"sign",
-		"verify",
-		"secp256k1",
-		"ed25519",
-		"p256"
-	],
-	"author": "Optimystic Team",
-	"license": "MIT",
-	"quereus": {
-		"provides": {
-			"functions": ["digest", "sign", "verify", "hash_mod", "random_bytes"],
-			"vtables": [],
-			"collations": []
-		},
-		"settings": []
-	}
-}
+  "name": "@optimystic/quereus-plugin-crypto",
+  "version": "0.3.1",
+  "description": "Quereus plugin providing cryptographic functions (digest, sign, verify)",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./plugin": {
+      "import": "./dist/plugin.js",
+      "types": "./dist/plugin.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "src",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsup",
+    "dev": "tsup --watch",
+    "clean": "rimraf dist",
+    "typecheck": "tsc --noEmit"
+  },
+  "devDependencies": {
+    "@quereus/quereus": "^0.16.2",
+    "@types/node": "^25.2.0",
+    "aegir": "^47.0.26",
+    "rimraf": "^6.1.2",
+    "tsup": "^8.5.1",
+    "typescript": "^5.9.3"
+  },
+  "dependencies": {
+    "@noble/curves": "^2.0.1",
+    "@noble/hashes": "^2.0.1",
+    "uint8arrays": "^5.1.0"
+  },
+  "peerDependencies": {
+    "@quereus/quereus": "^0.16.2"
+  },
+  "engines": {
+    "quereus": "^0.16.2"
+  },
+  "keywords": [
+    "quereus-plugin",
+    "quereus",
+    "crypto",
+    "cryptography",
+    "digest",
+    "hash",
+    "signature",
+    "sign",
+    "verify",
+    "secp256k1",
+    "ed25519",
+    "p256"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/gotchoices/optimystic.git",
+    "directory": "packages/quereus-plugin-crypto"
+  },
+  "author": "Got Choices Foundation",
+  "license": "MIT",
+  "quereus": {
+    "provides": {
+      "functions": [
+        "digest",
+        "sign",
+        "verify",
+        "hash_mod",
+        "random_bytes"
+      ],
+      "vtables": [],
+      "collations": []
+    },
+    "settings": []
+  }
+}

package/src/crypto.ts

@@ -5,13 +5,13 @@
  * All functions accept and return base64url strings by default for SQL compatibility.
  */
 
-import { sha256, sha512 } from '@noble/hashes/sha2';
-import { blake3 } from '@noble/hashes/blake3';
-import { concatBytes, utf8ToBytes } from '@noble/hashes/utils';
-import { secp256k1 } from '@noble/curves/secp256k1';
-import { p256 } from '@noble/curves/nist';
-import { ed25519 } from '@noble/curves/ed25519';
-import { hexToBytes, bytesToHex } from '@noble/curves/abstract/utils';
+import { sha256, sha512 } from '@noble/hashes/sha2.js';
+import { blake3 } from '@noble/hashes/blake3.js';
+import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+import { p256 } from '@noble/curves/nist.js';
+import { ed25519 } from '@noble/curves/ed25519.js';
+import { hexToBytes, bytesToHex } from '@noble/curves/utils.js';
 import { toString as uint8ArrayToString, fromString as uint8ArrayFromString } from 'uint8arrays';
 
 // Type definitions
@@ -192,20 +192,15 @@ export function sign(
 	let sigBytes: Uint8Array;
 
 	switch (curve) {
-		case 'secp256k1': {
-			const sig = secp256k1.sign(dataBytes, keyBytes, { lowS: true });
-			sigBytes = sig.toCompactRawBytes();
+		case 'secp256k1':
+			sigBytes = secp256k1.sign(dataBytes, keyBytes, { lowS: true });
 			break;
-		}
-		case 'p256': {
-			const sig = p256.sign(dataBytes, keyBytes, { lowS: true });
-			sigBytes = sig.toCompactRawBytes();
+		case 'p256':
+			sigBytes = p256.sign(dataBytes, keyBytes, { lowS: true });
 			break;
-		}
-		case 'ed25519': {
+		case 'ed25519':
 			sigBytes = ed25519.sign(dataBytes, keyBytes);
 			break;
-		}
 		default:
 			throw new Error(`Unsupported curve: ${curve}`);
 	}
@@ -288,13 +283,13 @@ export function generatePrivateKey(curve: CurveType = 'secp256k1', encoding: Enc
 
 	switch (curve) {
 		case 'secp256k1':
-			keyBytes = secp256k1.utils.randomPrivateKey();
+			keyBytes = secp256k1.utils.randomSecretKey();
 			break;
 		case 'p256':
-			keyBytes = p256.utils.randomPrivateKey();
+			keyBytes = p256.utils.randomSecretKey();
 			break;
 		case 'ed25519':
-			keyBytes = ed25519.utils.randomPrivateKey();
+			keyBytes = ed25519.utils.randomSecretKey();
 			break;
 		default:
 			throw new Error(`Unsupported curve: ${curve}`);

package/src/digest.ts

@@ -6,10 +6,10 @@
  * Compatible with React Native and all JS environments.
  */
 
-import { sha256 } from '@noble/hashes/sha2';
-import { sha512 } from '@noble/hashes/sha2';
-import { blake3 } from '@noble/hashes/blake3';
-import { concatBytes, utf8ToBytes } from '@noble/hashes/utils';
+import { sha256 } from '@noble/hashes/sha2.js';
+import { sha512 } from '@noble/hashes/sha2.js';
+import { blake3 } from '@noble/hashes/blake3.js';
+import { concatBytes, utf8ToBytes } from '@noble/hashes/utils.js';
 
 /**
  * Hash algorithm options

package/src/plugin.ts

@@ -1,88 +1,93 @@
-/**
- * Quereus Plugin Entry Point for Crypto Functions
- *
- * This module provides the plugin registration following Quereus 0.4.5 format.
- * All metadata is in package.json - no manifest export needed.
- */
-
-import type { Database, FunctionFlags, SqlValue } from '@quereus/quereus';
-import { TEXT_TYPE, INTEGER_TYPE, BOOLEAN_TYPE } from '@quereus/quereus';
-import { digest, sign, verify, hashMod, randomBytes } from './crypto.js';
-
-/**
- * Plugin registration function
- * This is called by Quereus when the plugin is loaded
- */
-export default function register(_db: Database, _config: Record<string, SqlValue> = {}) {
-	// Register crypto functions with Quereus
-	const functions = [
-		{
-			schema: {
-				name: 'digest',
-				numArgs: -1, // Variable arguments: data, algorithm?, inputEncoding?, outputEncoding?
-				flags: 1 as FunctionFlags, // UTF8
-				returnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },
-				implementation: (...args: SqlValue[]) => {
-					const [data, algorithm = 'sha256', inputEncoding = 'base64url', outputEncoding = 'base64url'] = args;
-					return digest(data as string, algorithm as any, inputEncoding as any, outputEncoding as any);
-				},
-			},
-		},
-		{
-			schema: {
-				name: 'sign',
-				numArgs: -1, // Variable arguments: data, privateKey, curve?, inputEncoding?, keyEncoding?, outputEncoding?
-				flags: 1 as FunctionFlags,
-				returnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },
-				implementation: (...args: SqlValue[]) => {
-					const [data, privateKey, curve = 'secp256k1', inputEncoding = 'base64url', keyEncoding = 'base64url', outputEncoding = 'base64url'] = args;
-					return sign(data as string, privateKey as string, curve as any, inputEncoding as any, keyEncoding as any, outputEncoding as any);
-				},
-			},
-		},
-		{
-			schema: {
-				name: 'verify',
-				numArgs: -1, // Variable arguments: data, signature, publicKey, curve?, inputEncoding?, sigEncoding?, keyEncoding?
-				flags: 1 as FunctionFlags,
-				returnType: { typeClass: 'scalar' as const, logicalType: BOOLEAN_TYPE, nullable: false },
-				implementation: (...args: SqlValue[]) => {
-					const [data, signature, publicKey, curve = 'secp256k1', inputEncoding = 'base64url', sigEncoding = 'base64url', keyEncoding = 'base64url'] = args;
-					const result = verify(data as string, signature as string, publicKey as string, curve as any, inputEncoding as any, sigEncoding as any, keyEncoding as any);
-					return result;
-				},
-			},
-		},
-		{
-			schema: {
-				name: 'hash_mod',
-				numArgs: -1, // Variable arguments: data, bits, algorithm?, inputEncoding?
-				flags: 1 as FunctionFlags,
-				returnType: { typeClass: 'scalar' as const, logicalType: INTEGER_TYPE, nullable: false },
-				implementation: (...args: SqlValue[]) => {
-					const [data, bits, algorithm = 'sha256', inputEncoding = 'base64url'] = args;
-					return hashMod(data as string, bits as number, algorithm as any, inputEncoding as any);
-				},
-			},
-		},
-		{
-			schema: {
-				name: 'random_bytes',
-				numArgs: -1, // Variable arguments: bits?, encoding?
-				flags: 1 as FunctionFlags,
-				returnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },
-				implementation: (...args: SqlValue[]) => {
-					const [bits = 256, encoding = 'base64url'] = args;
-					return randomBytes(bits as number, encoding as any);
-				},
-			},
-		},
-	];
-
-	return {
-		functions,
-		vtables: [],
-		collations: [],
-	};
-}
-
+/**
+ * Quereus Plugin Entry Point for Crypto Functions
+ *
+ * This module provides the plugin registration following Quereus 0.4.5 format.
+ * All metadata is in package.json - no manifest export needed.
+ */
+
+import type { Database, SqlValue } from '@quereus/quereus';
+import { FunctionFlags, TEXT_TYPE, INTEGER_TYPE, BOOLEAN_TYPE } from '@quereus/quereus';
+import { digest, sign, verify, hashMod, randomBytes } from './crypto.js';
+
+// Flags for deterministic functions (UTF8 + DETERMINISTIC)
+const DETERMINISTIC_FLAGS = FunctionFlags.UTF8 | FunctionFlags.DETERMINISTIC;
+// Flags for non-deterministic functions (UTF8 only)
+const NON_DETERMINISTIC_FLAGS = FunctionFlags.UTF8;
+
+/**
+ * Plugin registration function
+ * This is called by Quereus when the plugin is loaded
+ */
+export default function register(_db: Database, _config: Record<string, SqlValue> = {}) {
+	// Register crypto functions with Quereus
+	const functions = [
+		{
+			schema: {
+				name: 'digest',
+				numArgs: -1, // Variable arguments: data, algorithm?, inputEncoding?, outputEncoding?
+				flags: DETERMINISTIC_FLAGS, // digest is deterministic
+				returnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [data, algorithm = 'sha256', inputEncoding = 'base64url', outputEncoding = 'base64url'] = args;
+					return digest(data as string, algorithm as any, inputEncoding as any, outputEncoding as any);
+				},
+			},
+		},
+		{
+			schema: {
+				name: 'sign',
+				numArgs: -1, // Variable arguments: data, privateKey, curve?, inputEncoding?, keyEncoding?, outputEncoding?
+				flags: DETERMINISTIC_FLAGS, // sign is deterministic (same key + data = same signature)
+				returnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [data, privateKey, curve = 'secp256k1', inputEncoding = 'base64url', keyEncoding = 'base64url', outputEncoding = 'base64url'] = args;
+					return sign(data as string, privateKey as string, curve as any, inputEncoding as any, keyEncoding as any, outputEncoding as any);
+				},
+			},
+		},
+		{
+			schema: {
+				name: 'verify',
+				numArgs: -1, // Variable arguments: data, signature, publicKey, curve?, inputEncoding?, sigEncoding?, keyEncoding?
+				flags: DETERMINISTIC_FLAGS, // verify is deterministic
+				returnType: { typeClass: 'scalar' as const, logicalType: BOOLEAN_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [data, signature, publicKey, curve = 'secp256k1', inputEncoding = 'base64url', sigEncoding = 'base64url', keyEncoding = 'base64url'] = args;
+					const result = verify(data as string, signature as string, publicKey as string, curve as any, inputEncoding as any, sigEncoding as any, keyEncoding as any);
+					return result;
+				},
+			},
+		},
+		{
+			schema: {
+				name: 'hash_mod',
+				numArgs: -1, // Variable arguments: data, bits, algorithm?, inputEncoding?
+				flags: DETERMINISTIC_FLAGS, // hash_mod is deterministic
+				returnType: { typeClass: 'scalar' as const, logicalType: INTEGER_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [data, bits, algorithm = 'sha256', inputEncoding = 'base64url'] = args;
+					return hashMod(data as string, bits as number, algorithm as any, inputEncoding as any);
+				},
+			},
+		},
+		{
+			schema: {
+				name: 'random_bytes',
+				numArgs: -1, // Variable arguments: bits?, encoding?
+				flags: NON_DETERMINISTIC_FLAGS, // random_bytes is NOT deterministic
+				returnType: { typeClass: 'scalar' as const, logicalType: TEXT_TYPE, nullable: false },
+				implementation: (...args: SqlValue[]) => {
+					const [bits = 256, encoding = 'base64url'] = args;
+					return randomBytes(bits as number, encoding as any);
+				},
+			},
+		},
+	];
+
+	return {
+		functions,
+		vtables: [],
+		collations: [],
+	};
+}
+

package/src/sign.ts

@@ -6,10 +6,10 @@
  * Compatible with React Native and all JS environments.
  */
 
-import { secp256k1 } from '@noble/curves/secp256k1';
-import { p256 } from '@noble/curves/nist';
-import { ed25519 } from '@noble/curves/ed25519';
-import { bytesToHex, hexToBytes } from '@noble/curves/abstract/utils';
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+import { p256 } from '@noble/curves/nist.js';
+import { ed25519 } from '@noble/curves/ed25519.js';
+import { bytesToHex, hexToBytes } from '@noble/curves/utils.js';
 
 /**
  * Supported elliptic curve types
@@ -83,35 +83,25 @@ function normalizeDigest(digest: DigestInput): Uint8Array {
 }
 
 /**
- * Format signature based on requested format
+ * Format signature based on requested format.
+ * In @noble/curves v2.0.1, sign() returns Uint8Array directly.
  */
-function formatSignature(signature: any, format: SignatureFormat, curve: CurveType): Uint8Array | string {
+function formatSignature(signature: Uint8Array, format: SignatureFormat, curve: CurveType): Uint8Array | string {
   switch (format) {
     case 'uint8array':
-      if (curve === 'ed25519') {
-        return signature;
-      }
-      return signature.toCompactRawBytes();
+    case 'compact':
+      return signature;
 
     case 'hex':
-      if (curve === 'ed25519') {
-        return bytesToHex(signature);
-      }
-      return signature.toCompactHex();
-
-    case 'compact':
-      if (curve === 'ed25519') {
-        return signature;
-      }
-      return signature.toCompactRawBytes();
+      return bytesToHex(signature);
 
     case 'der':
       if (curve === 'ed25519') {
         throw new Error('DER format not supported for ed25519');
       }
-      // Note: DER encoding would require additional implementation
-      // For now, fall back to compact
-      return signature.toCompactRawBytes();
+      // DER format requires the sign() call to request it via format option
+      // For now, return compact format as fallback
+      return signature;
 
     default:
       throw new Error(`Unsupported signature format: ${format}`);
@@ -214,11 +204,11 @@ Sign.ed25519 = (digest: DigestInput, privateKey: PrivateKeyInput, options: Omit<
 Sign.generatePrivateKey = (curve: CurveType = 'secp256k1'): Uint8Array => {
   switch (curve) {
     case 'secp256k1':
-      return secp256k1.utils.randomPrivateKey();
+      return secp256k1.utils.randomSecretKey();
     case 'p256':
-      return p256.utils.randomPrivateKey();
+      return p256.utils.randomSecretKey();
     case 'ed25519':
-      return ed25519.utils.randomPrivateKey();
+      return ed25519.utils.randomSecretKey();
     default:
       throw new Error(`Unsupported curve: ${curve}`);
   }

package/src/signature-valid.ts

@@ -6,10 +6,10 @@
  * Compatible with React Native and all JS environments.
  */
 
-import { secp256k1 } from '@noble/curves/secp256k1';
-import { p256 } from '@noble/curves/nist';
-import { ed25519 } from '@noble/curves/ed25519';
-import { hexToBytes } from '@noble/curves/abstract/utils';
+import { secp256k1 } from '@noble/curves/secp256k1.js';
+import { p256 } from '@noble/curves/nist.js';
+import { ed25519 } from '@noble/curves/ed25519.js';
+import { hexToBytes } from '@noble/curves/utils.js';
 
 /**
  * Supported elliptic curve types
@@ -72,40 +72,23 @@ function detectSignatureFormat(signature: Uint8Array, curve: CurveType): 'compac
 }
 
 /**
- * Parse signature based on format and curve
+ * Parse signature based on format and curve.
+ * In @noble/curves v2.0.1, uses Signature.fromBytes(bytes, format).
  */
-function parseSignature(signature: Uint8Array, format: 'compact' | 'der' | 'raw', curve: CurveType): any {
+function parseSignature(signature: Uint8Array, format: 'compact' | 'der' | 'raw', curve: CurveType): Uint8Array {
   if (curve === 'ed25519') {
     // Ed25519 signatures are always raw 64-byte format
     return signature;
   }
 
-  // For ECDSA curves
-  switch (format) {
-    case 'compact':
-      if (curve === 'secp256k1') {
-        return secp256k1.Signature.fromCompact(signature);
-      } else if (curve === 'p256') {
-        return p256.Signature.fromCompact(signature);
-      }
-      break;
-
-    case 'der':
-      if (curve === 'secp256k1') {
-        return secp256k1.Signature.fromDER(signature);
-      } else if (curve === 'p256') {
-        return p256.Signature.fromDER(signature);
-      }
-      break;
-
-    case 'raw':
-      // Treat as compact for ECDSA
-      if (curve === 'secp256k1') {
-        return secp256k1.Signature.fromCompact(signature);
-      } else if (curve === 'p256') {
-        return p256.Signature.fromCompact(signature);
-      }
-      break;
+  // For ECDSA curves in v2.0.1, verify() accepts raw bytes directly
+  // The format parameter is used to parse signature bytes into the expected format
+  const sigFormat = format === 'raw' ? 'compact' : format;
+
+  if (curve === 'secp256k1') {
+    return secp256k1.Signature.fromBytes(signature, sigFormat).toBytes();
+  } else if (curve === 'p256') {
+    return p256.Signature.fromBytes(signature, sigFormat).toBytes();
   }
 
   throw new Error(`Failed to parse signature for curve ${curve} with format ${format}`);