@originals/sdk 1.8.0 → 1.8.2

package/src/did/Ed25519Verifier.ts

@@ -0,0 +1,68 @@
+import { verifyAsync } from '@noble/ed25519';
+import type { ExternalVerifier } from '../types/common.js';
+
+/**
+ * Ed25519Verifier - A simple Ed25519 verifier for DID operations
+ * Compatible with didwebvh-ts resolveDIDFromLog
+ */
+export class Ed25519Verifier implements ExternalVerifier {
+  private verificationMethodId?: string;
+  private publicKey?: Uint8Array;
+
+  constructor(verificationMethodId?: string, publicKey?: Uint8Array) {
+    this.verificationMethodId = verificationMethodId;
+    this.publicKey = publicKey;
+  }
+
+  /**
+   * Verify a signature using Ed25519
+   * @param signature - The signature bytes
+   * @param message - The message bytes that were signed
+   * @param publicKey - The public key bytes (can be different from constructor publicKey)
+   * @returns True if the signature is valid
+   */
+  async verify(signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array): Promise<boolean> {
+    try {
+      // Ed25519 public keys must be exactly 32 bytes
+      // Some keys may have a version byte prefix, so remove it if present
+      let ed25519PublicKey = publicKey;
+      if (publicKey.length === 33) {
+        ed25519PublicKey = publicKey.slice(1);
+      } else if (publicKey.length !== 32) {
+        console.error(`[Ed25519Verifier] Invalid public key length: ${publicKey.length} (expected 32 bytes)`);
+        return false;
+      }
+      
+      // Correct parameter order: verifyAsync(signature, message, publicKey)
+      return await verifyAsync(signature, message, ed25519PublicKey);
+    } catch (error) {
+      console.error('[Ed25519Verifier] Verification error:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Get the verification method ID associated with this verifier
+   */
+  getVerificationMethodId(): string | undefined {
+    return this.verificationMethodId;
+  }
+
+  /**
+   * Get the public key as Uint8Array
+   */
+  getPublicKey(): Uint8Array | undefined {
+    return this.publicKey;
+  }
+
+  /**
+   * Get the public key in multibase format (base64url with 'z' prefix)
+   */
+  getPublicKeyMultibase(): string | undefined {
+    if (!this.publicKey) {
+      return undefined;
+    }
+    return `z${Buffer.from(this.publicKey).toString('base64')}`;
+  }
+}
+

package/src/did/KeyManager.ts

@@ -0,0 +1,239 @@
+// Initialize noble crypto libraries first (idempotent - safe to import multiple times)
+import '../crypto/noble-init.js';
+
+import { DIDDocument, KeyPair, KeyType, KeyRecoveryCredential } from '../types';
+import * as secp256k1 from '@noble/secp256k1';
+import * as ed25519 from '@noble/ed25519';
+import { p256 } from '@noble/curves/p256';
+import { multikey, MultikeyType } from '../crypto/Multikey';
+
+function toMultikeyType(type: KeyType): MultikeyType {
+        if (type === 'ES256K') return 'Secp256k1';
+        if (type === 'Ed25519') return 'Ed25519';
+        if (type === 'ES256') return 'P256';
+        const _exhaustiveCheck: never = type;
+        throw new Error(`Unsupported key type: ${String(_exhaustiveCheck)}`);
+}
+
+function fromMultikeyType(type: MultikeyType): KeyType {
+        if (type === 'Secp256k1') return 'ES256K';
+        if (type === 'Ed25519') return 'Ed25519';
+        if (type === 'P256') return 'ES256';
+        throw new Error('Unsupported key type');
+}
+
+export class KeyManager {
+	constructor() {
+		// Noble crypto libraries are initialized via noble-init.ts (imported at SDK entry point)
+		// No initialization needed here
+	}
+	async generateKeyPair(type: KeyType): Promise<KeyPair> {
+                if (type === 'ES256K') {
+                        const privateKeyBytes = secp256k1.utils.randomPrivateKey();
+                        const publicKeyBytes = secp256k1.getPublicKey(privateKeyBytes, true);
+                        return {
+                                privateKey: multikey.encodePrivateKey(privateKeyBytes, 'Secp256k1'),
+                                publicKey: multikey.encodePublicKey(publicKeyBytes, 'Secp256k1')
+                        };
+                }
+
+                if (type === 'Ed25519') {
+                        const privateKeyBytes = ed25519.utils.randomPrivateKey();
+                        const ed25519Module = ed25519 as unknown as { getPublicKeyAsync: (privateKey: Uint8Array) => Promise<Uint8Array> };
+                        const publicKeyBytes = await ed25519Module.getPublicKeyAsync(privateKeyBytes);
+                        return {
+                                privateKey: multikey.encodePrivateKey(privateKeyBytes, 'Ed25519'),
+                                publicKey: multikey.encodePublicKey(publicKeyBytes, 'Ed25519')
+                        };
+                }
+
+                if (type === 'ES256') {
+                        const privateKeyBytes = p256.utils.randomPrivateKey();
+                        const publicKeyBytes = p256.getPublicKey(privateKeyBytes, true);
+                        return {
+                                privateKey: multikey.encodePrivateKey(privateKeyBytes, 'P256'),
+                                publicKey: multikey.encodePublicKey(publicKeyBytes, 'P256')
+                        };
+                }
+
+		const _exhaustiveCheck: never = type;
+		throw new Error(`Unsupported key type: ${String(_exhaustiveCheck)}`);
+        }
+
+	rotateKeys(didDoc: DIDDocument, newKeyPair: KeyPair): DIDDocument {
+		const multikeyContext = 'https://w3id.org/security/multikey/v1';
+		const securityContext = 'https://w3id.org/security/v1';
+		
+		// Ensure required contexts are present
+		const updatedContext = [...didDoc['@context']];
+		if (!updatedContext.includes(multikeyContext)) {
+			updatedContext.push(multikeyContext);
+		}
+		if (!updatedContext.includes(securityContext)) {
+			updatedContext.push(securityContext);
+		}
+
+		// Generate new key ID
+		const existingKeys = didDoc.verificationMethod || [];
+		const keyIndex = existingKeys.length;
+		const newKeyId = `${didDoc.id}#keys-${keyIndex}`;
+		
+		// Mark all existing verification methods as revoked with current timestamp
+		const revokedTimestamp = new Date().toISOString();
+		const revokedVerificationMethods = existingKeys.map(vm => ({
+			...vm,
+			revoked: revokedTimestamp
+		}));
+
+		// Create new verification method
+		const newVerificationMethod = {
+			id: newKeyId,
+			type: 'Multikey',
+			controller: didDoc.id,
+			publicKeyMultibase: newKeyPair.publicKey
+		};
+
+		// Update authentication and assertionMethod arrays to reference only the new key
+		const newKeyReference = newKeyId;
+		
+		const updated: DIDDocument = {
+			...didDoc,
+			'@context': updatedContext,
+			verificationMethod: [...revokedVerificationMethods, newVerificationMethod],
+			authentication: [newKeyReference],
+			assertionMethod: [newKeyReference]
+		};
+
+		// Preserve other properties if they exist
+		if (didDoc.keyAgreement) {
+			updated.keyAgreement = didDoc.keyAgreement;
+		}
+		if (didDoc.capabilityInvocation) {
+			updated.capabilityInvocation = didDoc.capabilityInvocation;
+		}
+		if (didDoc.capabilityDelegation) {
+			updated.capabilityDelegation = didDoc.capabilityDelegation;
+		}
+		if (didDoc.service) {
+			updated.service = didDoc.service;
+		}
+
+		return updated;
+	}
+
+	async recoverFromCompromise(didDoc: DIDDocument): Promise<{ 
+		didDocument: DIDDocument; 
+		recoveryCredential: KeyRecoveryCredential;
+		newKeyPair: KeyPair;
+	}> {
+		// Determine key type from existing verification methods or default to Ed25519
+		let keyType: KeyType = 'Ed25519';
+		if (didDoc.verificationMethod && didDoc.verificationMethod.length > 0) {
+			try {
+				const firstKey = didDoc.verificationMethod[0];
+				const decoded = multikey.decodePublicKey(firstKey.publicKeyMultibase);
+				keyType = fromMultikeyType(decoded.type);
+			} catch (e) {
+				// If decoding fails, use default Ed25519
+			}
+		}
+
+		// Generate new key pair
+		const newKeyPair = await this.generateKeyPair(keyType);
+
+		// Ensure required contexts
+		const multikeyContext = 'https://w3id.org/security/multikey/v1';
+		const securityContext = 'https://w3id.org/security/v1';
+		const credentialsContext = 'https://www.w3.org/2018/credentials/v1';
+		
+		const updatedContext = [...didDoc['@context']];
+		if (!updatedContext.includes(multikeyContext)) {
+			updatedContext.push(multikeyContext);
+		}
+		if (!updatedContext.includes(securityContext)) {
+			updatedContext.push(securityContext);
+		}
+
+		// Mark all existing verification methods as compromised
+		const compromisedTimestamp = new Date().toISOString();
+		const existingKeys = didDoc.verificationMethod || [];
+		const compromisedVerificationMethods = existingKeys.map(vm => ({
+			...vm,
+			compromised: compromisedTimestamp
+		}));
+
+		// Collect IDs of compromised keys
+		const previousVerificationMethodIds = existingKeys.map(vm => vm.id);
+
+		// Generate new key ID
+		const keyIndex = existingKeys.length;
+		const newKeyId = `${didDoc.id}#keys-${keyIndex}`;
+
+		// Create new verification method
+		const newVerificationMethod = {
+			id: newKeyId,
+			type: 'Multikey',
+			controller: didDoc.id,
+			publicKeyMultibase: newKeyPair.publicKey
+		};
+
+		// Update DID document
+		const updatedDidDocument: DIDDocument = {
+			...didDoc,
+			'@context': updatedContext,
+			verificationMethod: [...compromisedVerificationMethods, newVerificationMethod],
+			authentication: [newKeyId],
+			assertionMethod: [newKeyId]
+		};
+
+		// Preserve other properties
+		if (didDoc.keyAgreement) {
+			updatedDidDocument.keyAgreement = didDoc.keyAgreement;
+		}
+		if (didDoc.capabilityInvocation) {
+			updatedDidDocument.capabilityInvocation = didDoc.capabilityInvocation;
+		}
+		if (didDoc.capabilityDelegation) {
+			updatedDidDocument.capabilityDelegation = didDoc.capabilityDelegation;
+		}
+		if (didDoc.service) {
+			updatedDidDocument.service = didDoc.service;
+		}
+
+		// Create recovery credential
+		const recoveryCredential: KeyRecoveryCredential = {
+			'@context': [credentialsContext, securityContext],
+			type: ['VerifiableCredential', 'KeyRecoveryCredential'],
+			issuer: didDoc.id,
+			issuanceDate: compromisedTimestamp,
+			credentialSubject: {
+				id: didDoc.id,
+				recoveredAt: compromisedTimestamp,
+				recoveryReason: 'key_compromise',
+				previousVerificationMethods: previousVerificationMethodIds,
+				newVerificationMethod: newKeyId
+			}
+		};
+
+		return { didDocument: updatedDidDocument, recoveryCredential, newKeyPair };
+	}
+
+        encodePublicKeyMultibase(publicKey: Buffer, type: KeyType): string {
+                const mkType = toMultikeyType(type);
+                return multikey.encodePublicKey(new Uint8Array(publicKey), mkType);
+        }
+
+        decodePublicKeyMultibase(encoded: string): { key: Buffer; type: KeyType } {
+                if (!encoded || typeof encoded !== 'string') {
+                        throw new Error('Invalid multibase string');
+                }
+                try {
+                        const decoded = multikey.decodePublicKey(encoded);
+                        return { key: Buffer.from(decoded.key), type: fromMultikeyType(decoded.type) };
+                } catch {
+                        throw new Error('Invalid multibase string');
+                }
+        }
+}
+
+