@parmanasystems/crypto 1.0.19 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts +9 -1
- package/dist/index.js +53 -9
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
package/dist/index.d.ts
CHANGED
|
@@ -59,4 +59,12 @@ declare function verifyPayloadSignature(payload: string, signature: string, publ
|
|
|
59
59
|
*/
|
|
60
60
|
declare function verifyManifestSignature(manifest: string, signature: string): boolean;
|
|
61
61
|
|
|
62
|
-
|
|
62
|
+
type SignBundleOptions = {
|
|
63
|
+
bundlePath: string;
|
|
64
|
+
signer: {
|
|
65
|
+
sign(payload: string): Promise<string>;
|
|
66
|
+
};
|
|
67
|
+
};
|
|
68
|
+
declare function signBundle(options: SignBundleOptions): Promise<void>;
|
|
69
|
+
|
|
70
|
+
export { loadPrivateKey, loadPublicKey, readSignature, signBundle, signManifest, verifyManifestSignature, verifyPayloadSignature, verifySignature, writeSignature };
|
package/dist/index.js
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
// src/keys.ts
|
|
2
|
-
import fs from "fs";
|
|
3
|
-
import path from "path";
|
|
2
|
+
import * as fs from "fs";
|
|
3
|
+
import * as path from "path";
|
|
4
4
|
var PRIVATE_KEY_PATH = path.resolve(
|
|
5
5
|
"./trust/root.key"
|
|
6
6
|
);
|
|
@@ -21,8 +21,8 @@ function loadPublicKey() {
|
|
|
21
21
|
}
|
|
22
22
|
|
|
23
23
|
// src/persist.ts
|
|
24
|
-
import fs2 from "fs";
|
|
25
|
-
import path2 from "path";
|
|
24
|
+
import * as fs2 from "fs";
|
|
25
|
+
import * as path2 from "path";
|
|
26
26
|
function writeSignature(signature, directory) {
|
|
27
27
|
const signaturePath = path2.join(
|
|
28
28
|
directory,
|
|
@@ -46,8 +46,8 @@ function readSignature(directory) {
|
|
|
46
46
|
}
|
|
47
47
|
|
|
48
48
|
// src/sign.ts
|
|
49
|
-
import fs3 from "fs";
|
|
50
|
-
import crypto from "crypto";
|
|
49
|
+
import * as fs3 from "fs";
|
|
50
|
+
import * as crypto from "crypto";
|
|
51
51
|
import {
|
|
52
52
|
canonicalize
|
|
53
53
|
} from "@parmanasystems/bundle";
|
|
@@ -76,8 +76,8 @@ function signManifest(manifestPath) {
|
|
|
76
76
|
}
|
|
77
77
|
|
|
78
78
|
// src/verify.ts
|
|
79
|
-
import fs4 from "fs";
|
|
80
|
-
import crypto2 from "crypto";
|
|
79
|
+
import * as fs4 from "fs";
|
|
80
|
+
import * as crypto2 from "crypto";
|
|
81
81
|
import {
|
|
82
82
|
canonicalize as canonicalize2
|
|
83
83
|
} from "@parmanasystems/bundle";
|
|
@@ -121,7 +121,7 @@ function verifyPayloadSignature(payload, signature, publicKey) {
|
|
|
121
121
|
}
|
|
122
122
|
|
|
123
123
|
// src/verify-manifest-signature.ts
|
|
124
|
-
import crypto3 from "crypto";
|
|
124
|
+
import * as crypto3 from "crypto";
|
|
125
125
|
function verifyManifestSignature(manifest, signature) {
|
|
126
126
|
const publicKey = loadPublicKey();
|
|
127
127
|
return crypto3.verify(
|
|
@@ -136,10 +136,54 @@ function verifyManifestSignature(manifest, signature) {
|
|
|
136
136
|
)
|
|
137
137
|
);
|
|
138
138
|
}
|
|
139
|
+
|
|
140
|
+
// src/sign-bundle.ts
|
|
141
|
+
import fs5 from "fs";
|
|
142
|
+
import path3 from "path";
|
|
143
|
+
function canonicalize3(value) {
|
|
144
|
+
if (value === null || typeof value !== "object") {
|
|
145
|
+
return JSON.stringify(value);
|
|
146
|
+
}
|
|
147
|
+
if (Array.isArray(value)) {
|
|
148
|
+
return `[${value.map(canonicalize3).join(",")}]`;
|
|
149
|
+
}
|
|
150
|
+
const entries = Object.entries(
|
|
151
|
+
value
|
|
152
|
+
).sort(
|
|
153
|
+
([a], [b]) => a.localeCompare(b)
|
|
154
|
+
);
|
|
155
|
+
return `{${entries.map(
|
|
156
|
+
([key, val]) => `${JSON.stringify(key)}:${canonicalize3(val)}`
|
|
157
|
+
).join(",")}}`;
|
|
158
|
+
}
|
|
159
|
+
async function signBundle(options) {
|
|
160
|
+
const manifestPath = path3.join(
|
|
161
|
+
options.bundlePath,
|
|
162
|
+
"bundle.manifest.json"
|
|
163
|
+
);
|
|
164
|
+
const manifest = JSON.parse(
|
|
165
|
+
fs5.readFileSync(
|
|
166
|
+
manifestPath,
|
|
167
|
+
"utf8"
|
|
168
|
+
)
|
|
169
|
+
);
|
|
170
|
+
const canonical = canonicalize3(manifest);
|
|
171
|
+
const signature = await options.signer.sign(
|
|
172
|
+
canonical
|
|
173
|
+
);
|
|
174
|
+
fs5.writeFileSync(
|
|
175
|
+
path3.join(
|
|
176
|
+
options.bundlePath,
|
|
177
|
+
"bundle.sig"
|
|
178
|
+
),
|
|
179
|
+
signature
|
|
180
|
+
);
|
|
181
|
+
}
|
|
139
182
|
export {
|
|
140
183
|
loadPrivateKey,
|
|
141
184
|
loadPublicKey,
|
|
142
185
|
readSignature,
|
|
186
|
+
signBundle,
|
|
143
187
|
signManifest,
|
|
144
188
|
verifyManifestSignature,
|
|
145
189
|
verifyPayloadSignature,
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/keys.ts","../src/persist.ts","../src/sign.ts","../src/verify.ts","../src/verify-manifest-signature.ts"],"sourcesContent":["import fs from \"fs\";\n\nimport path from \"path\";\n\nconst PRIVATE_KEY_PATH =\n path.resolve(\n \"./trust/root.key\"\n );\n\nconst PUBLIC_KEY_PATH =\n path.resolve(\n \"./trust/root.pub\"\n );\n\n/**\n * Reads the root trust private key PEM.\n *\n * Production deployments should inject this\n * via secure secret management.\n */\nexport function loadPrivateKey(): string {\n\n return fs.readFileSync(\n PRIVATE_KEY_PATH,\n \"utf8\"\n );\n}\n\n/**\n * Reads the root trust public key PEM.\n */\nexport function loadPublicKey(): string {\n\n return fs.readFileSync(\n PUBLIC_KEY_PATH,\n \"utf8\"\n );\n}","import fs from \"fs\";\nimport path from \"path\";\n\n/**\n * Writes a base64 signature string to `<directory>/bundle.sig`.\n * Overwrites any existing file at that path.\n */\nexport function writeSignature(\n signature: string,\n directory: string\n): void {\n const signaturePath = path.join(\n directory,\n \"bundle.sig\"\n );\n\n fs.writeFileSync(\n signaturePath,\n signature,\n \"utf8\"\n );\n}\n\n/** Reads and returns the raw base64 signature from `<directory>/bundle.sig`. */\nexport function readSignature(\n directory: string\n): string {\n const signaturePath = path.join(\n directory,\n \"bundle.sig\"\n );\n\n return fs.readFileSync(\n signaturePath,\n \"utf8\"\n );\n}\n\n\n\n\n","import fs from \"fs\";\n\nimport crypto from \"crypto\";\
|
|
1
|
+
{"version":3,"sources":["../src/keys.ts","../src/persist.ts","../src/sign.ts","../src/verify.ts","../src/verify-manifest-signature.ts","../src/sign-bundle.ts"],"sourcesContent":["import * as fs from \"node:fs\";\r\n\r\nimport * as path from \"node:path\";\r\n\r\nconst PRIVATE_KEY_PATH =\r\n path.resolve(\r\n \"./trust/root.key\"\r\n );\r\n\r\nconst PUBLIC_KEY_PATH =\r\n path.resolve(\r\n \"./trust/root.pub\"\r\n );\r\n\r\n/**\r\n * Reads the root trust private key PEM.\r\n *\r\n * Production deployments should inject this\r\n * via secure secret management.\r\n */\r\nexport function loadPrivateKey(): string {\r\n\r\n return fs.readFileSync(\r\n PRIVATE_KEY_PATH,\r\n \"utf8\"\r\n );\r\n}\r\n\r\n/**\r\n * Reads the root trust public key PEM.\r\n */\r\nexport function loadPublicKey(): string {\r\n\r\n return fs.readFileSync(\r\n PUBLIC_KEY_PATH,\r\n \"utf8\"\r\n );\r\n}\r\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/**\r\n * Writes a base64 signature string to `<directory>/bundle.sig`.\r\n * Overwrites any existing file at that path.\r\n */\r\nexport function writeSignature(\r\n signature: string,\r\n directory: string\r\n): void {\r\n const signaturePath = path.join(\r\n directory,\r\n \"bundle.sig\"\r\n );\r\n\r\n fs.writeFileSync(\r\n signaturePath,\r\n signature,\r\n \"utf8\"\r\n );\r\n}\r\n\r\n/** Reads and returns the raw base64 signature from `<directory>/bundle.sig`. */\r\nexport function readSignature(\r\n directory: string\r\n): string {\r\n const signaturePath = path.join(\r\n directory,\r\n \"bundle.sig\"\r\n );\r\n\r\n return fs.readFileSync(\r\n signaturePath,\r\n \"utf8\"\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\n\r\nimport * as crypto from \"node:crypto\";\r\nimport {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n loadPrivateKey,\r\n} from \"./keys.js\";\r\n\r\n/**\r\n * Reads the manifest JSON at `manifestPath`, canonicalizes it, and returns a\r\n * base64-encoded Ed25519 signature produced with the dev private key.\r\n *\r\n * @param manifestPath - Absolute or CWD-relative path to a `bundle.manifest.json` file.\r\n * @returns Base64-encoded Ed25519 signature over the canonical manifest bytes.\r\n */\r\nexport function signManifest(\r\n manifestPath: string\r\n): string {\r\n\r\n const manifest =\r\n JSON.parse(\r\n fs.readFileSync(\r\n manifestPath,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n const canonical =\r\n canonicalize(\r\n manifest\r\n );\r\n\r\n const privateKey =\r\n loadPrivateKey();\r\n\r\n const signature =\r\n crypto.sign(\r\n null,\r\n\r\n Buffer.from(\r\n canonical,\r\n \"utf8\"\r\n ),\r\n\r\n privateKey\r\n );\r\n\r\n return signature.toString(\r\n \"base64\"\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\n\r\nimport * as crypto from \"node:crypto\";\r\n\r\nimport {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n loadPublicKey,\r\n} from \"./keys.js\";\r\n\r\n/**\r\n * Reads the manifest JSON at `manifestPath`, canonicalizes it, and verifies\r\n * `signature` (base64 Ed25519) against the dev public key.\r\n *\r\n * @param manifestPath - Path to the `bundle.manifest.json` file.\r\n * @param signature - Base64-encoded Ed25519 signature to verify.\r\n */\r\nexport function verifySignature(\r\n manifestPath: string,\r\n signature: string\r\n): boolean {\r\n\r\n const manifest =\r\n JSON.parse(\r\n fs.readFileSync(\r\n manifestPath,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n const canonical =\r\n canonicalize(\r\n manifest\r\n );\r\n\r\n const publicKey =\r\n loadPublicKey();\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n canonical,\r\n \"utf8\"\r\n ),\r\n\r\n publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n}\r\n\r\n/**\r\n * Verifies a base64-encoded Ed25519 `signature` over an arbitrary UTF-8\r\n * `payload` using the provided `publicKey` PEM. Unlike `verifySignature`,\r\n * this function accepts any payload string rather than reading a manifest\r\n * file from disk.\r\n *\r\n * @param payload - The original signed UTF-8 string.\r\n * @param signature - Base64-encoded Ed25519 signature.\r\n * @param publicKey - PEM-encoded Ed25519 public key.\r\n */\r\nexport function verifyPayloadSignature(\r\n payload: string,\r\n signature: string,\r\n publicKey: string\r\n): boolean {\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n payload,\r\n \"utf8\"\r\n ),\r\n\r\n publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport {\r\n loadPublicKey,\r\n} from \"./keys.js\";\r\n\r\n/**\r\n * Verifies `signature` (base64 Ed25519) over the already-serialized canonical\r\n * `manifest` string against the dev public key.\r\n *\r\n * Unlike `verifySignature`, this function accepts the manifest bytes directly\r\n * rather than reading them from disk — suited for in-memory verification flows.\r\n *\r\n * @param manifest - Canonical manifest bytes (UTF-8 string).\r\n * @param signature - Base64-encoded Ed25519 signature.\r\n */\r\nexport function verifyManifestSignature(\r\n manifest: string,\r\n signature: string\r\n): boolean {\r\n\r\n const publicKey =\r\n loadPublicKey();\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n manifest\r\n ),\r\n\r\n publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import fs from \"node:fs\";\r\nimport path from \"node:path\";\r\n\r\n// ----------------------------------\r\n// Local deterministic canonicalize\r\n// ----------------------------------\r\n\r\nfunction canonicalize(\r\n value: unknown\r\n): string {\r\n\r\n if (\r\n value === null ||\r\n typeof value !== \"object\"\r\n ) {\r\n return JSON.stringify(value);\r\n }\r\n\r\n if (Array.isArray(value)) {\r\n return `[${value\r\n .map(canonicalize)\r\n .join(\",\")}]`;\r\n }\r\n\r\n const entries =\r\n Object.entries(\r\n value as Record<string, unknown>\r\n )\r\n .sort(([a], [b]) =>\r\n a.localeCompare(b)\r\n );\r\n\r\n return `{${entries\r\n .map(\r\n ([key, val]) =>\r\n `${JSON.stringify(key)}:${canonicalize(val)}`\r\n )\r\n .join(\",\")}}`;\r\n}\r\n\r\ntype SignBundleOptions = {\r\n\r\n bundlePath: string;\r\n\r\n signer: {\r\n\r\n sign(\r\n payload: string\r\n ): Promise<string>;\r\n };\r\n};\r\n\r\nexport async function signBundle(\r\n options: SignBundleOptions\r\n): Promise<void> {\r\n\r\n const manifestPath =\r\n path.join(\r\n options.bundlePath,\r\n \"bundle.manifest.json\"\r\n );\r\n\r\n const manifest =\r\n JSON.parse(\r\n fs.readFileSync(\r\n manifestPath,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n const canonical =\r\n canonicalize(manifest);\r\n\r\n const signature =\r\n await options.signer.sign(\r\n canonical\r\n );\r\n\r\n fs.writeFileSync(\r\n\r\n path.join(\r\n options.bundlePath,\r\n \"bundle.sig\"\r\n ),\r\n\r\n signature\r\n );\r\n}"],"mappings":";AAAA,YAAY,QAAQ;AAEpB,YAAY,UAAU;AAEtB,IAAM,mBACC;AAAA,EACH;AACF;AAEF,IAAM,kBACC;AAAA,EACH;AACF;AAQK,SAAS,iBAAyB;AAEvC,SAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;AAKO,SAAS,gBAAwB;AAEtC,SAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;;;ACrCA,YAAYA,SAAQ;AACpB,YAAYC,WAAU;AAMf,SAAS,eACd,WACA,WACM;AACN,QAAM,gBAAqB;AAAA,IACzB;AAAA,IACA;AAAA,EACF;AAEA,EAAG;AAAA,IACD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAGO,SAAS,cACd,WACQ;AACR,QAAM,gBAAqB;AAAA,IACzB;AAAA,IACA;AAAA,EACF;AAEA,SAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;;;ACpCA,YAAYC,SAAQ;AAEpB,YAAY,YAAY;AACxB;AAAA,EACE;AAAA,OACK;AAaA,SAAS,aACd,cACQ;AAER,QAAM,WACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAEF,QAAM,aACJ,eAAe;AAEjB,QAAM,YACG;AAAA,IACL;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AAEF,SAAO,UAAU;AAAA,IACf;AAAA,EACF;AACF;;;ACrDA,YAAYC,SAAQ;AAEpB,YAAYC,aAAY;AAExB;AAAA,EACE,gBAAAC;AAAA,OACK;AAaA,SAAS,gBACd,cACA,WACS;AAET,QAAM,WACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,QAAM,YACJC;AAAA,IACE;AAAA,EACF;AAEF,QAAM,YACJ,cAAc;AAEhB,SAAc;AAAA,IACZ;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAYO,SAAS,uBACd,SACA,WACA,WACS;AAET,SAAc;AAAA,IACZ;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;;;ACxFA,YAAYC,aAAY;AAgBjB,SAAS,wBACd,UACA,WACS;AAET,QAAM,YACJ,cAAc;AAEhB,SAAc;AAAA,IACZ;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,IACF;AAAA,IAEA;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;;;ACtCA,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAMjB,SAASC,cACP,OACQ;AAER,MACE,UAAU,QACV,OAAO,UAAU,UACjB;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,IAAI,MACR,IAAIA,aAAY,EAChB,KAAK,GAAG,CAAC;AAAA,EACd;AAEA,QAAM,UACJ,OAAO;AAAA,IACL;AAAA,EACF,EACC;AAAA,IAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MACZ,EAAE,cAAc,CAAC;AAAA,EACnB;AAEF,SAAO,IAAI,QACR;AAAA,IACC,CAAC,CAAC,KAAK,GAAG,MACR,GAAG,KAAK,UAAU,GAAG,CAAC,IAAIA,cAAa,GAAG,CAAC;AAAA,EAC/C,EACC,KAAK,GAAG,CAAC;AACd;AAcA,eAAsB,WACpB,SACe;AAEf,QAAM,eACJD,MAAK;AAAA,IACH,QAAQ;AAAA,IACR;AAAA,EACF;AAEF,QAAM,WACJ,KAAK;AAAA,IACHD,IAAG;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,QAAM,YACJE,cAAa,QAAQ;AAEvB,QAAM,YACJ,MAAM,QAAQ,OAAO;AAAA,IACnB;AAAA,EACF;AAEF,EAAAF,IAAG;AAAA,IAEDC,MAAK;AAAA,MACH,QAAQ;AAAA,MACR;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AACF;","names":["fs","path","fs","fs","crypto","canonicalize","canonicalize","crypto","fs","path","canonicalize"]}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@parmanasystems/crypto",
|
|
3
|
-
"version": "1.0
|
|
3
|
+
"version": "1.4.0",
|
|
4
4
|
"private": false,
|
|
5
5
|
"type": "module",
|
|
6
6
|
"scripts": {
|
|
@@ -18,7 +18,7 @@
|
|
|
18
18
|
],
|
|
19
19
|
"sideEffects": false,
|
|
20
20
|
"dependencies": {
|
|
21
|
-
"@parmanasystems/bundle": "^1.0
|
|
21
|
+
"@parmanasystems/bundle": "^1.4.0"
|
|
22
22
|
},
|
|
23
23
|
"description": "Signing and verification primitives for deterministic governance infrastructure.",
|
|
24
24
|
"license": "Apache-2.0",
|