@parmanasystems/crypto 1.71.5 → 1.71.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/index.d.ts +23 -17
  2. package/dist/index.js +22 -26
  3. package/dist/index.js.map +1 -1
  4. package/package.json +2 -2
package/dist/index.d.ts CHANGED
@@ -1,14 +1,17 @@
1
1
  /**
2
- * Reads the root trust private key PEM.
2
+ * Reads the root trust private key PEM from an explicit file path.
3
+ * Throws clearly if the file does not exist — never auto-generates keys.
3
4
  *
4
- * Production deployments should inject this
5
- * via secure secret management.
5
+ * @param keyPath - Absolute or CWD-relative path to the private key PEM file.
6
6
  */
7
- declare function loadPrivateKey(): string;
7
+ declare function loadPrivateKey(keyPath: string): string;
8
8
  /**
9
- * Reads the root trust public key PEM.
9
+ * Reads the root trust public key PEM from an explicit file path.
10
+ * Throws clearly if the file does not exist — never auto-generates keys.
11
+ *
12
+ * @param keyPath - Absolute or CWD-relative path to the public key PEM file.
10
13
  */
11
- declare function loadPublicKey(): string;
14
+ declare function loadPublicKey(keyPath: string): string;
12
15
 
13
16
  /**
14
17
  * Writes a base64 signature string to `<directory>/bundle.sig`.
@@ -20,21 +23,23 @@ declare function readSignature(directory: string): string;
20
23
 
21
24
  /**
22
25
  * Reads the manifest JSON at `manifestPath`, canonicalizes it, and returns a
23
- * base64-encoded Ed25519 signature produced with the dev private key.
26
+ * base64-encoded Ed25519 signature produced with the private key at `privateKeyPath`.
24
27
  *
25
- * @param manifestPath - Absolute or CWD-relative path to a `bundle.manifest.json` file.
28
+ * @param manifestPath - Absolute or CWD-relative path to a `bundle.manifest.json` file.
29
+ * @param privateKeyPath - Explicit path to the PEM-encoded Ed25519 private key.
26
30
  * @returns Base64-encoded Ed25519 signature over the canonical manifest bytes.
27
31
  */
28
- declare function signManifest(manifestPath: string): string;
32
+ declare function signManifest(manifestPath: string, privateKeyPath: string): string;
29
33
 
30
34
  /**
31
35
  * Reads the manifest JSON at `manifestPath`, canonicalizes it, and verifies
32
- * `signature` (base64 Ed25519) against the dev public key.
36
+ * `signature` (base64 Ed25519) against the public key at `publicKeyPath`.
33
37
  *
34
- * @param manifestPath - Path to the `bundle.manifest.json` file.
35
- * @param signature - Base64-encoded Ed25519 signature to verify.
38
+ * @param manifestPath - Path to the `bundle.manifest.json` file.
39
+ * @param signature - Base64-encoded Ed25519 signature to verify.
40
+ * @param publicKeyPath - Explicit path to the PEM-encoded Ed25519 public key.
36
41
  */
37
- declare function verifySignature(manifestPath: string, signature: string): boolean;
42
+ declare function verifySignature(manifestPath: string, signature: string, publicKeyPath: string): boolean;
38
43
  /**
39
44
  * Verifies a base64-encoded Ed25519 `signature` over an arbitrary UTF-8
40
45
  * `payload` using the provided `publicKey` PEM. Unlike `verifySignature`,
@@ -49,15 +54,16 @@ declare function verifyPayloadSignature(payload: string, signature: string, publ
49
54
 
50
55
  /**
51
56
  * Verifies `signature` (base64 Ed25519) over the already-serialized canonical
52
- * `manifest` string against the dev public key.
57
+ * `manifest` string against the public key at `publicKeyPath`.
53
58
  *
54
59
  * Unlike `verifySignature`, this function accepts the manifest bytes directly
55
60
  * rather than reading them from disk — suited for in-memory verification flows.
56
61
  *
57
- * @param manifest - Canonical manifest bytes (UTF-8 string).
58
- * @param signature - Base64-encoded Ed25519 signature.
62
+ * @param manifest - Canonical manifest bytes (UTF-8 string).
63
+ * @param signature - Base64-encoded Ed25519 signature.
64
+ * @param publicKeyPath - Explicit path to the PEM-encoded Ed25519 public key.
59
65
  */
60
- declare function verifyManifestSignature(manifest: string, signature: string): boolean;
66
+ declare function verifyManifestSignature(manifest: string, signature: string, publicKeyPath: string): boolean;
61
67
 
62
68
  type SignBundleOptions = {
63
69
  bundlePath: string;
package/dist/index.js CHANGED
@@ -1,27 +1,23 @@
1
1
  // src/keys.ts
2
2
  import * as fs from "fs";
3
3
  import * as path from "path";
4
- var PRIVATE_KEY_PATH = path.resolve(
5
- process.cwd(),
6
- "trust",
7
- "root.key"
8
- );
9
- var PUBLIC_KEY_PATH = path.resolve(
10
- process.cwd(),
11
- "trust",
12
- "root.pub"
13
- );
14
- function loadPrivateKey() {
15
- return fs.readFileSync(
16
- PRIVATE_KEY_PATH,
17
- "utf8"
18
- );
4
+ function loadPrivateKey(keyPath) {
5
+ const resolved = path.resolve(keyPath);
6
+ if (!fs.existsSync(resolved)) {
7
+ throw new Error(
8
+ `Trust key not found at ${resolved}. Provide an explicit key path or initialize trust keys using parmana workspace init.`
9
+ );
10
+ }
11
+ return fs.readFileSync(resolved, "utf8");
19
12
  }
20
- function loadPublicKey() {
21
- return fs.readFileSync(
22
- PUBLIC_KEY_PATH,
23
- "utf8"
24
- );
13
+ function loadPublicKey(keyPath) {
14
+ const resolved = path.resolve(keyPath);
15
+ if (!fs.existsSync(resolved)) {
16
+ throw new Error(
17
+ `Trust key not found at ${resolved}. Provide an explicit key path or initialize trust keys using parmana workspace init.`
18
+ );
19
+ }
20
+ return fs.readFileSync(resolved, "utf8");
25
21
  }
26
22
 
27
23
  // src/persist.ts
@@ -55,7 +51,7 @@ import * as crypto from "crypto";
55
51
  import {
56
52
  canonicalize
57
53
  } from "@parmanasystems/bundle";
58
- function signManifest(manifestPath) {
54
+ function signManifest(manifestPath, privateKeyPath) {
59
55
  const manifest = JSON.parse(
60
56
  fs3.readFileSync(
61
57
  manifestPath,
@@ -65,7 +61,7 @@ function signManifest(manifestPath) {
65
61
  const canonical = canonicalize(
66
62
  manifest
67
63
  );
68
- const privateKey = loadPrivateKey();
64
+ const privateKey = loadPrivateKey(privateKeyPath);
69
65
  const signature = crypto.sign(
70
66
  null,
71
67
  Buffer.from(
@@ -85,7 +81,7 @@ import * as crypto2 from "crypto";
85
81
  import {
86
82
  canonicalize as canonicalize2
87
83
  } from "@parmanasystems/bundle";
88
- function verifySignature(manifestPath, signature) {
84
+ function verifySignature(manifestPath, signature, publicKeyPath) {
89
85
  const manifest = JSON.parse(
90
86
  fs4.readFileSync(
91
87
  manifestPath,
@@ -95,7 +91,7 @@ function verifySignature(manifestPath, signature) {
95
91
  const canonical = canonicalize2(
96
92
  manifest
97
93
  );
98
- const publicKey = loadPublicKey();
94
+ const publicKey = loadPublicKey(publicKeyPath);
99
95
  return crypto2.verify(
100
96
  null,
101
97
  Buffer.from(
@@ -126,8 +122,8 @@ function verifyPayloadSignature(payload, signature, publicKey) {
126
122
 
127
123
  // src/verify-manifest-signature.ts
128
124
  import * as crypto3 from "crypto";
129
- function verifyManifestSignature(manifest, signature) {
130
- const publicKey = loadPublicKey();
125
+ function verifyManifestSignature(manifest, signature, publicKeyPath) {
126
+ const publicKey = loadPublicKey(publicKeyPath);
131
127
  return crypto3.verify(
132
128
  null,
133
129
  Buffer.from(
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/keys.ts","../src/persist.ts","../src/sign.ts","../src/verify.ts","../src/verify-manifest-signature.ts","../src/sign-bundle.ts"],"sourcesContent":["import * as fs from \"node:fs\";\r\n\r\nimport * as path from \"node:path\";\r\n\r\nconst PRIVATE_KEY_PATH =\r\n path.resolve(\r\n process.cwd(),\r\n \"trust\",\r\n \"root.key\"\r\n );\r\n\r\nconst PUBLIC_KEY_PATH =\r\n path.resolve(\r\n process.cwd(),\r\n \"trust\",\r\n \"root.pub\"\r\n );\r\n\r\n/**\r\n * Reads the root trust private key PEM.\r\n *\r\n * Production deployments should inject this\r\n * via secure secret management.\r\n */\r\nexport function loadPrivateKey(): string {\r\n\r\n return fs.readFileSync(\r\n PRIVATE_KEY_PATH,\r\n \"utf8\"\r\n );\r\n}\r\n\r\n/**\r\n * Reads the root trust public key PEM.\r\n */\r\nexport function loadPublicKey(): string {\r\n\r\n return fs.readFileSync(\r\n PUBLIC_KEY_PATH,\r\n \"utf8\"\r\n );\r\n}\r\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/**\r\n * Writes a base64 signature string to `<directory>/bundle.sig`.\r\n * Overwrites any existing file at that path.\r\n */\r\nexport function writeSignature(\r\n signature: string,\r\n directory: string\r\n): void {\r\n const signaturePath = path.join(\r\n directory,\r\n \"bundle.sig\"\r\n );\r\n\r\n fs.writeFileSync(\r\n signaturePath,\r\n signature,\r\n \"utf8\"\r\n );\r\n}\r\n\r\n/** Reads and returns the raw base64 signature from `<directory>/bundle.sig`. */\r\nexport function readSignature(\r\n directory: string\r\n): string {\r\n const signaturePath = path.join(\r\n directory,\r\n \"bundle.sig\"\r\n );\r\n\r\n return fs.readFileSync(\r\n signaturePath,\r\n \"utf8\"\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\n\r\nimport * as crypto from \"node:crypto\";\r\nimport {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n loadPrivateKey,\r\n} from \"./keys.js\";\r\n\r\n/**\r\n * Reads the manifest JSON at `manifestPath`, canonicalizes it, and returns a\r\n * base64-encoded Ed25519 signature produced with the dev private key.\r\n *\r\n * @param manifestPath - Absolute or CWD-relative path to a `bundle.manifest.json` file.\r\n * @returns Base64-encoded Ed25519 signature over the canonical manifest bytes.\r\n */\r\nexport function signManifest(\r\n manifestPath: string\r\n): string {\r\n\r\n const manifest =\r\n JSON.parse(\r\n fs.readFileSync(\r\n manifestPath,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n const canonical =\r\n canonicalize(\r\n manifest\r\n );\r\n\r\n const privateKey =\r\n loadPrivateKey();\r\n\r\n const signature =\r\n crypto.sign(\r\n null,\r\n\r\n Buffer.from(\r\n canonical,\r\n \"utf8\"\r\n ),\r\n\r\n privateKey\r\n );\r\n\r\n return signature.toString(\r\n \"base64\"\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\n\r\nimport * as crypto from \"node:crypto\";\r\n\r\nimport {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n loadPublicKey,\r\n} from \"./keys.js\";\r\n\r\n/**\r\n * Reads the manifest JSON at `manifestPath`, canonicalizes it, and verifies\r\n * `signature` (base64 Ed25519) against the dev public key.\r\n *\r\n * @param manifestPath - Path to the `bundle.manifest.json` file.\r\n * @param signature - Base64-encoded Ed25519 signature to verify.\r\n */\r\nexport function verifySignature(\r\n manifestPath: string,\r\n signature: string\r\n): boolean {\r\n\r\n const manifest =\r\n JSON.parse(\r\n fs.readFileSync(\r\n manifestPath,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n const canonical =\r\n canonicalize(\r\n manifest\r\n );\r\n\r\n const publicKey =\r\n loadPublicKey();\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n canonical,\r\n \"utf8\"\r\n ),\r\n\r\n publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n}\r\n\r\n/**\r\n * Verifies a base64-encoded Ed25519 `signature` over an arbitrary UTF-8\r\n * `payload` using the provided `publicKey` PEM. Unlike `verifySignature`,\r\n * this function accepts any payload string rather than reading a manifest\r\n * file from disk.\r\n *\r\n * @param payload - The original signed UTF-8 string.\r\n * @param signature - Base64-encoded Ed25519 signature.\r\n * @param publicKey - PEM-encoded Ed25519 public key.\r\n */\r\nexport function verifyPayloadSignature(\r\n payload: string,\r\n signature: string,\r\n publicKey: string\r\n): boolean {\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n payload,\r\n \"utf8\"\r\n ),\r\n\r\n publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport {\r\n loadPublicKey,\r\n} from \"./keys.js\";\r\n\r\n/**\r\n * Verifies `signature` (base64 Ed25519) over the already-serialized canonical\r\n * `manifest` string against the dev public key.\r\n *\r\n * Unlike `verifySignature`, this function accepts the manifest bytes directly\r\n * rather than reading them from disk — suited for in-memory verification flows.\r\n *\r\n * @param manifest - Canonical manifest bytes (UTF-8 string).\r\n * @param signature - Base64-encoded Ed25519 signature.\r\n */\r\nexport function verifyManifestSignature(\r\n manifest: string,\r\n signature: string\r\n): boolean {\r\n\r\n const publicKey =\r\n loadPublicKey();\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n manifest\r\n ),\r\n\r\n publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import fs from \"node:fs\";\r\nimport path from \"node:path\";\r\n\r\n// ----------------------------------\r\n// Local deterministic canonicalize\r\n// ----------------------------------\r\n\r\nfunction canonicalize(\r\n value: unknown\r\n): string {\r\n\r\n if (\r\n value === null ||\r\n typeof value !== \"object\"\r\n ) {\r\n return JSON.stringify(value);\r\n }\r\n\r\n if (Array.isArray(value)) {\r\n return `[${value\r\n .map(canonicalize)\r\n .join(\",\")}]`;\r\n }\r\n\r\n const entries =\r\n Object.entries(\r\n value as Record<string, unknown>\r\n )\r\n .sort(([a], [b]) =>\r\n a.localeCompare(b)\r\n );\r\n\r\n return `{${entries\r\n .map(\r\n ([key, val]) =>\r\n `${JSON.stringify(key)}:${canonicalize(val)}`\r\n )\r\n .join(\",\")}}`;\r\n}\r\n\r\ntype SignBundleOptions = {\r\n\r\n bundlePath: string;\r\n\r\n signer: {\r\n\r\n sign(\r\n payload: string\r\n ): Promise<string>;\r\n };\r\n};\r\n\r\nexport async function signBundle(\r\n options: SignBundleOptions\r\n): Promise<void> {\r\n\r\n const manifestPath =\r\n path.join(\r\n options.bundlePath,\r\n \"bundle.manifest.json\"\r\n );\r\n\r\n const manifest =\r\n JSON.parse(\r\n fs.readFileSync(\r\n manifestPath,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n const canonical =\r\n canonicalize(manifest);\r\n\r\n const signature =\r\n await options.signer.sign(\r\n canonical\r\n );\r\n\r\n fs.writeFileSync(\r\n\r\n path.join(\r\n options.bundlePath,\r\n \"bundle.sig\"\r\n ),\r\n\r\n signature\r\n );\r\n}\r\n"],"mappings":";AAAA,YAAY,QAAQ;AAEpB,YAAY,UAAU;AAEtB,IAAM,mBACC;AAAA,EACH,QAAQ,IAAI;AAAA,EACZ;AAAA,EACA;AACF;AAEF,IAAM,kBACC;AAAA,EACH,QAAQ,IAAI;AAAA,EACZ;AAAA,EACA;AACF;AAQK,SAAS,iBAAyB;AAEvC,SAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;AAKO,SAAS,gBAAwB;AAEtC,SAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;;;ACzCA,YAAYA,SAAQ;AACpB,YAAYC,WAAU;AAMf,SAAS,eACd,WACA,WACM;AACN,QAAM,gBAAqB;AAAA,IACzB;AAAA,IACA;AAAA,EACF;AAEA,EAAG;AAAA,IACD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAGO,SAAS,cACd,WACQ;AACR,QAAM,gBAAqB;AAAA,IACzB;AAAA,IACA;AAAA,EACF;AAEA,SAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;;;ACpCA,YAAYC,SAAQ;AAEpB,YAAY,YAAY;AACxB;AAAA,EACE;AAAA,OACK;AAaA,SAAS,aACd,cACQ;AAER,QAAM,WACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAEF,QAAM,aACJ,eAAe;AAEjB,QAAM,YACG;AAAA,IACL;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AAEF,SAAO,UAAU;AAAA,IACf;AAAA,EACF;AACF;;;ACrDA,YAAYC,SAAQ;AAEpB,YAAYC,aAAY;AAExB;AAAA,EACE,gBAAAC;AAAA,OACK;AAaA,SAAS,gBACd,cACA,WACS;AAET,QAAM,WACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,QAAM,YACJC;AAAA,IACE;AAAA,EACF;AAEF,QAAM,YACJ,cAAc;AAEhB,SAAc;AAAA,IACZ;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAYO,SAAS,uBACd,SACA,WACA,WACS;AAET,SAAc;AAAA,IACZ;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;;;ACxFA,YAAYC,aAAY;AAgBjB,SAAS,wBACd,UACA,WACS;AAET,QAAM,YACJ,cAAc;AAEhB,SAAc;AAAA,IACZ;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,IACF;AAAA,IAEA;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;;;ACtCA,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAMjB,SAASC,cACP,OACQ;AAER,MACE,UAAU,QACV,OAAO,UAAU,UACjB;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,IAAI,MACR,IAAIA,aAAY,EAChB,KAAK,GAAG,CAAC;AAAA,EACd;AAEA,QAAM,UACJ,OAAO;AAAA,IACL;AAAA,EACF,EACC;AAAA,IAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MACZ,EAAE,cAAc,CAAC;AAAA,EACnB;AAEF,SAAO,IAAI,QACR;AAAA,IACC,CAAC,CAAC,KAAK,GAAG,MACR,GAAG,KAAK,UAAU,GAAG,CAAC,IAAIA,cAAa,GAAG,CAAC;AAAA,EAC/C,EACC,KAAK,GAAG,CAAC;AACd;AAcA,eAAsB,WACpB,SACe;AAEf,QAAM,eACJD,MAAK;AAAA,IACH,QAAQ;AAAA,IACR;AAAA,EACF;AAEF,QAAM,WACJ,KAAK;AAAA,IACHD,IAAG;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,QAAM,YACJE,cAAa,QAAQ;AAEvB,QAAM,YACJ,MAAM,QAAQ,OAAO;AAAA,IACnB;AAAA,EACF;AAEF,EAAAF,IAAG;AAAA,IAEDC,MAAK;AAAA,MACH,QAAQ;AAAA,MACR;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AACF;","names":["fs","path","fs","fs","crypto","canonicalize","canonicalize","crypto","fs","path","canonicalize"]}
1
+ {"version":3,"sources":["../src/keys.ts","../src/persist.ts","../src/sign.ts","../src/verify.ts","../src/verify-manifest-signature.ts","../src/sign-bundle.ts"],"sourcesContent":["import * as fs from \"node:fs\";\n\nimport * as path from \"node:path\";\n\n/**\n * Reads the root trust private key PEM from an explicit file path.\n * Throws clearly if the file does not exist — never auto-generates keys.\n *\n * @param keyPath - Absolute or CWD-relative path to the private key PEM file.\n */\nexport function loadPrivateKey(keyPath: string): string {\n\n const resolved = path.resolve(keyPath);\n\n if (!fs.existsSync(resolved)) {\n throw new Error(\n `Trust key not found at ${resolved}. ` +\n `Provide an explicit key path or initialize trust keys ` +\n `using parmana workspace init.`\n );\n }\n\n return fs.readFileSync(resolved, \"utf8\");\n}\n\n/**\n * Reads the root trust public key PEM from an explicit file path.\n * Throws clearly if the file does not exist — never auto-generates keys.\n *\n * @param keyPath - Absolute or CWD-relative path to the public key PEM file.\n */\nexport function loadPublicKey(keyPath: string): string {\n\n const resolved = path.resolve(keyPath);\n\n if (!fs.existsSync(resolved)) {\n throw new Error(\n `Trust key not found at ${resolved}. ` +\n `Provide an explicit key path or initialize trust keys ` +\n `using parmana workspace init.`\n );\n }\n\n return fs.readFileSync(resolved, \"utf8\");\n}\n","import * as fs from \"node:fs\";\r\nimport * as path from \"node:path\";\r\n\r\n/**\r\n * Writes a base64 signature string to `<directory>/bundle.sig`.\r\n * Overwrites any existing file at that path.\r\n */\r\nexport function writeSignature(\r\n signature: string,\r\n directory: string\r\n): void {\r\n const signaturePath = path.join(\r\n directory,\r\n \"bundle.sig\"\r\n );\r\n\r\n fs.writeFileSync(\r\n signaturePath,\r\n signature,\r\n \"utf8\"\r\n );\r\n}\r\n\r\n/** Reads and returns the raw base64 signature from `<directory>/bundle.sig`. */\r\nexport function readSignature(\r\n directory: string\r\n): string {\r\n const signaturePath = path.join(\r\n directory,\r\n \"bundle.sig\"\r\n );\r\n\r\n return fs.readFileSync(\r\n signaturePath,\r\n \"utf8\"\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\n\r\nimport * as crypto from \"node:crypto\";\r\nimport {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n loadPrivateKey,\r\n} from \"./keys.js\";\r\n\r\n/**\r\n * Reads the manifest JSON at `manifestPath`, canonicalizes it, and returns a\r\n * base64-encoded Ed25519 signature produced with the private key at `privateKeyPath`.\r\n *\r\n * @param manifestPath - Absolute or CWD-relative path to a `bundle.manifest.json` file.\r\n * @param privateKeyPath - Explicit path to the PEM-encoded Ed25519 private key.\r\n * @returns Base64-encoded Ed25519 signature over the canonical manifest bytes.\r\n */\r\nexport function signManifest(\r\n manifestPath: string,\r\n privateKeyPath: string\r\n): string {\r\n\r\n const manifest =\r\n JSON.parse(\r\n fs.readFileSync(\r\n manifestPath,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n const canonical =\r\n canonicalize(\r\n manifest\r\n );\r\n\r\n const privateKey =\r\n loadPrivateKey(privateKeyPath);\r\n\r\n const signature =\r\n crypto.sign(\r\n null,\r\n\r\n Buffer.from(\r\n canonical,\r\n \"utf8\"\r\n ),\r\n\r\n privateKey\r\n );\r\n\r\n return signature.toString(\r\n \"base64\"\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import * as fs from \"node:fs\";\r\n\r\nimport * as crypto from \"node:crypto\";\r\n\r\nimport {\r\n canonicalize,\r\n} from \"@parmanasystems/bundle\";\r\n\r\nimport {\r\n loadPublicKey,\r\n} from \"./keys.js\";\r\n\r\n/**\r\n * Reads the manifest JSON at `manifestPath`, canonicalizes it, and verifies\r\n * `signature` (base64 Ed25519) against the public key at `publicKeyPath`.\r\n *\r\n * @param manifestPath - Path to the `bundle.manifest.json` file.\r\n * @param signature - Base64-encoded Ed25519 signature to verify.\r\n * @param publicKeyPath - Explicit path to the PEM-encoded Ed25519 public key.\r\n */\r\nexport function verifySignature(\r\n manifestPath: string,\r\n signature: string,\r\n publicKeyPath: string\r\n): boolean {\r\n\r\n const manifest =\r\n JSON.parse(\r\n fs.readFileSync(\r\n manifestPath,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n const canonical =\r\n canonicalize(\r\n manifest\r\n );\r\n\r\n const publicKey =\r\n loadPublicKey(publicKeyPath);\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n canonical,\r\n \"utf8\"\r\n ),\r\n\r\n publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n}\r\n\r\n/**\r\n * Verifies a base64-encoded Ed25519 `signature` over an arbitrary UTF-8\r\n * `payload` using the provided `publicKey` PEM. Unlike `verifySignature`,\r\n * this function accepts any payload string rather than reading a manifest\r\n * file from disk.\r\n *\r\n * @param payload - The original signed UTF-8 string.\r\n * @param signature - Base64-encoded Ed25519 signature.\r\n * @param publicKey - PEM-encoded Ed25519 public key.\r\n */\r\nexport function verifyPayloadSignature(\r\n payload: string,\r\n signature: string,\r\n publicKey: string\r\n): boolean {\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n payload,\r\n \"utf8\"\r\n ),\r\n\r\n publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import * as crypto from \"node:crypto\";\r\n\r\nimport {\r\n loadPublicKey,\r\n} from \"./keys.js\";\r\n\r\n/**\r\n * Verifies `signature` (base64 Ed25519) over the already-serialized canonical\r\n * `manifest` string against the public key at `publicKeyPath`.\r\n *\r\n * Unlike `verifySignature`, this function accepts the manifest bytes directly\r\n * rather than reading them from disk — suited for in-memory verification flows.\r\n *\r\n * @param manifest - Canonical manifest bytes (UTF-8 string).\r\n * @param signature - Base64-encoded Ed25519 signature.\r\n * @param publicKeyPath - Explicit path to the PEM-encoded Ed25519 public key.\r\n */\r\nexport function verifyManifestSignature(\r\n manifest: string,\r\n signature: string,\r\n publicKeyPath: string\r\n): boolean {\r\n\r\n const publicKey =\r\n loadPublicKey(publicKeyPath);\r\n\r\n return crypto.verify(\r\n null,\r\n\r\n Buffer.from(\r\n manifest\r\n ),\r\n\r\n publicKey,\r\n\r\n Buffer.from(\r\n signature,\r\n \"base64\"\r\n )\r\n );\r\n}\r\n\r\n\r\n\r\n\r\n","import fs from \"node:fs\";\r\nimport path from \"node:path\";\r\n\r\n// ----------------------------------\r\n// Local deterministic canonicalize\r\n// ----------------------------------\r\n\r\nfunction canonicalize(\r\n value: unknown\r\n): string {\r\n\r\n if (\r\n value === null ||\r\n typeof value !== \"object\"\r\n ) {\r\n return JSON.stringify(value);\r\n }\r\n\r\n if (Array.isArray(value)) {\r\n return `[${value\r\n .map(canonicalize)\r\n .join(\",\")}]`;\r\n }\r\n\r\n const entries =\r\n Object.entries(\r\n value as Record<string, unknown>\r\n )\r\n .sort(([a], [b]) =>\r\n a.localeCompare(b)\r\n );\r\n\r\n return `{${entries\r\n .map(\r\n ([key, val]) =>\r\n `${JSON.stringify(key)}:${canonicalize(val)}`\r\n )\r\n .join(\",\")}}`;\r\n}\r\n\r\ntype SignBundleOptions = {\r\n\r\n bundlePath: string;\r\n\r\n signer: {\r\n\r\n sign(\r\n payload: string\r\n ): Promise<string>;\r\n };\r\n};\r\n\r\nexport async function signBundle(\r\n options: SignBundleOptions\r\n): Promise<void> {\r\n\r\n const manifestPath =\r\n path.join(\r\n options.bundlePath,\r\n \"bundle.manifest.json\"\r\n );\r\n\r\n const manifest =\r\n JSON.parse(\r\n fs.readFileSync(\r\n manifestPath,\r\n \"utf8\"\r\n )\r\n );\r\n\r\n const canonical =\r\n canonicalize(manifest);\r\n\r\n const signature =\r\n await options.signer.sign(\r\n canonical\r\n );\r\n\r\n fs.writeFileSync(\r\n\r\n path.join(\r\n options.bundlePath,\r\n \"bundle.sig\"\r\n ),\r\n\r\n signature\r\n );\r\n}\r\n"],"mappings":";AAAA,YAAY,QAAQ;AAEpB,YAAY,UAAU;AAQf,SAAS,eAAe,SAAyB;AAEtD,QAAM,WAAgB,aAAQ,OAAO;AAErC,MAAI,CAAI,cAAW,QAAQ,GAAG;AAC5B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IAGpC;AAAA,EACF;AAEA,SAAU,gBAAa,UAAU,MAAM;AACzC;AAQO,SAAS,cAAc,SAAyB;AAErD,QAAM,WAAgB,aAAQ,OAAO;AAErC,MAAI,CAAI,cAAW,QAAQ,GAAG;AAC5B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ;AAAA,IAGpC;AAAA,EACF;AAEA,SAAU,gBAAa,UAAU,MAAM;AACzC;;;AC5CA,YAAYA,SAAQ;AACpB,YAAYC,WAAU;AAMf,SAAS,eACd,WACA,WACM;AACN,QAAM,gBAAqB;AAAA,IACzB;AAAA,IACA;AAAA,EACF;AAEA,EAAG;AAAA,IACD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAGO,SAAS,cACd,WACQ;AACR,QAAM,gBAAqB;AAAA,IACzB;AAAA,IACA;AAAA,EACF;AAEA,SAAU;AAAA,IACR;AAAA,IACA;AAAA,EACF;AACF;;;ACpCA,YAAYC,SAAQ;AAEpB,YAAY,YAAY;AACxB;AAAA,EACE;AAAA,OACK;AAcA,SAAS,aACd,cACA,gBACQ;AAER,QAAM,WACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAEF,QAAM,aACJ,eAAe,cAAc;AAE/B,QAAM,YACG;AAAA,IACL;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AAEF,SAAO,UAAU;AAAA,IACf;AAAA,EACF;AACF;;;ACvDA,YAAYC,SAAQ;AAEpB,YAAYC,aAAY;AAExB;AAAA,EACE,gBAAAC;AAAA,OACK;AAcA,SAAS,gBACd,cACA,WACA,eACS;AAET,QAAM,WACJ,KAAK;AAAA,IACA;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,QAAM,YACJC;AAAA,IACE;AAAA,EACF;AAEF,QAAM,YACJ,cAAc,aAAa;AAE7B,SAAc;AAAA,IACZ;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AAYO,SAAS,uBACd,SACA,WACA,WACS;AAET,SAAc;AAAA,IACZ;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,IAEA;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;;;AC1FA,YAAYC,aAAY;AAiBjB,SAAS,wBACd,UACA,WACA,eACS;AAET,QAAM,YACJ,cAAc,aAAa;AAE7B,SAAc;AAAA,IACZ;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,IACF;AAAA,IAEA;AAAA,IAEA,OAAO;AAAA,MACL;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;;;ACxCA,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAMjB,SAASC,cACP,OACQ;AAER,MACE,UAAU,QACV,OAAO,UAAU,UACjB;AACA,WAAO,KAAK,UAAU,KAAK;AAAA,EAC7B;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,IAAI,MACR,IAAIA,aAAY,EAChB,KAAK,GAAG,CAAC;AAAA,EACd;AAEA,QAAM,UACJ,OAAO;AAAA,IACL;AAAA,EACF,EACC;AAAA,IAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,MACZ,EAAE,cAAc,CAAC;AAAA,EACnB;AAEF,SAAO,IAAI,QACR;AAAA,IACC,CAAC,CAAC,KAAK,GAAG,MACR,GAAG,KAAK,UAAU,GAAG,CAAC,IAAIA,cAAa,GAAG,CAAC;AAAA,EAC/C,EACC,KAAK,GAAG,CAAC;AACd;AAcA,eAAsB,WACpB,SACe;AAEf,QAAM,eACJD,MAAK;AAAA,IACH,QAAQ;AAAA,IACR;AAAA,EACF;AAEF,QAAM,WACJ,KAAK;AAAA,IACHD,IAAG;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAEF,QAAM,YACJE,cAAa,QAAQ;AAEvB,QAAM,YACJ,MAAM,QAAQ,OAAO;AAAA,IACnB;AAAA,EACF;AAEF,EAAAF,IAAG;AAAA,IAEDC,MAAK;AAAA,MACH,QAAQ;AAAA,MACR;AAAA,IACF;AAAA,IAEA;AAAA,EACF;AACF;","names":["fs","path","fs","fs","crypto","canonicalize","canonicalize","crypto","fs","path","canonicalize"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@parmanasystems/crypto",
3
- "version": "1.71.5",
3
+ "version": "1.71.12",
4
4
  "private": false,
5
5
  "type": "module",
6
6
  "scripts": {
@@ -18,7 +18,7 @@
18
18
  ],
19
19
  "sideEffects": false,
20
20
  "dependencies": {
21
- "@parmanasystems/bundle": "^1.71.5"
21
+ "@parmanasystems/bundle": "^1.71.12"
22
22
  },
23
23
  "description": "Signing and verification primitives for deterministic governance infrastructure.",
24
24
  "license": "Apache-2.0",