@peac/crypto 0.10.9 → 0.10.11

package/dist/jws.js

@@ -1,219 +0,0 @@
-"use strict";
-/**
- * JWS compact serialization with Ed25519 (RFC 8032)
- * Implements peac-receipt/0.1 wire format
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sign = sign;
-exports.verify = verify;
-exports.decode = decode;
-exports.generateKeypair = generateKeypair;
-exports.derivePublicKey = derivePublicKey;
-exports.validateKeypair = validateKeypair;
-const ed25519 = __importStar(require("@noble/ed25519"));
-const schema_1 = require("@peac/schema");
-const base64url_1 = require("./base64url");
-const errors_1 = require("./errors");
-/**
- * Sign a payload with Ed25519 and return JWS compact serialization
- *
- * @param payload - JSON-serializable payload
- * @param privateKey - Ed25519 private key (32 bytes)
- * @param kid - Key ID (ISO 8601 timestamp)
- * @returns JWS compact serialization (header.payload.signature)
- */
-async function sign(payload, privateKey, kid) {
-    if (privateKey.length !== 32) {
-        throw new errors_1.CryptoError('CRYPTO_INVALID_KEY_LENGTH', 'Ed25519 private key must be 32 bytes');
-    }
-    // Create header
-    const header = {
-        typ: schema_1.PEAC_WIRE_TYP,
-        alg: schema_1.PEAC_ALG,
-        kid,
-    };
-    // Encode header and payload
-    const headerB64 = (0, base64url_1.base64urlEncodeString)(JSON.stringify(header));
-    const payloadB64 = (0, base64url_1.base64urlEncodeString)(JSON.stringify(payload));
-    // Create signing input
-    const signingInput = `${headerB64}.${payloadB64}`;
-    const signingInputBytes = new TextEncoder().encode(signingInput);
-    // Sign with Ed25519
-    const signatureBytes = await ed25519.signAsync(signingInputBytes, privateKey);
-    // Encode signature
-    const signatureB64 = (0, base64url_1.base64urlEncode)(signatureBytes);
-    // Return JWS compact serialization
-    return `${signingInput}.${signatureB64}`;
-}
-/**
- * Verify a JWS compact serialization with Ed25519
- *
- * @param jws - JWS compact serialization
- * @param publicKey - Ed25519 public key (32 bytes)
- * @returns Verification result with decoded header and payload
- */
-async function verify(jws, publicKey) {
-    if (publicKey.length !== 32) {
-        throw new errors_1.CryptoError('CRYPTO_INVALID_KEY_LENGTH', 'Ed25519 public key must be 32 bytes');
-    }
-    // Split JWS
-    const parts = jws.split('.');
-    if (parts.length !== 3) {
-        throw new errors_1.CryptoError('CRYPTO_INVALID_JWS_FORMAT', 'Invalid JWS: must have three dot-separated parts');
-    }
-    const [headerB64, payloadB64, signatureB64] = parts;
-    // Decode header
-    const headerJson = (0, base64url_1.base64urlDecodeString)(headerB64);
-    const header = JSON.parse(headerJson);
-    // Validate header
-    if (header.typ !== schema_1.PEAC_WIRE_TYP) {
-        throw new errors_1.CryptoError('CRYPTO_INVALID_TYP', `Invalid typ: expected ${schema_1.PEAC_WIRE_TYP}, got ${header.typ}`);
-    }
-    if (header.alg !== schema_1.PEAC_ALG) {
-        throw new errors_1.CryptoError('CRYPTO_INVALID_ALG', `Invalid alg: expected ${schema_1.PEAC_ALG}, got ${header.alg}`);
-    }
-    // Decode payload
-    const payloadJson = (0, base64url_1.base64urlDecodeString)(payloadB64);
-    const payload = JSON.parse(payloadJson);
-    // Decode signature
-    const signatureBytes = (0, base64url_1.base64urlDecode)(signatureB64);
-    // Verify signature
-    const signingInput = `${headerB64}.${payloadB64}`;
-    const signingInputBytes = new TextEncoder().encode(signingInput);
-    const valid = await ed25519.verifyAsync(signatureBytes, signingInputBytes, publicKey);
-    return {
-        header,
-        payload,
-        valid,
-    };
-}
-/**
- * Decode JWS without verifying signature (use with caution!)
- *
- * @param jws - JWS compact serialization
- * @returns Decoded header and payload (unverified)
- */
-function decode(jws) {
-    const parts = jws.split('.');
-    if (parts.length !== 3) {
-        throw new errors_1.CryptoError('CRYPTO_INVALID_JWS_FORMAT', 'Invalid JWS: must have three dot-separated parts');
-    }
-    const [headerB64, payloadB64] = parts;
-    const headerJson = (0, base64url_1.base64urlDecodeString)(headerB64);
-    const header = JSON.parse(headerJson);
-    const payloadJson = (0, base64url_1.base64urlDecodeString)(payloadB64);
-    const payload = JSON.parse(payloadJson);
-    return { header, payload };
-}
-/**
- * Generate a random Ed25519 keypair
- *
- * @returns Private key (32 bytes) and public key (32 bytes)
- */
-async function generateKeypair() {
-    const privateKey = ed25519.utils.randomPrivateKey();
-    const publicKey = await ed25519.getPublicKeyAsync(privateKey);
-    return { privateKey, publicKey };
-}
-/**
- * Derive the Ed25519 public key from a private key
- *
- * @param privateKey - Ed25519 private key (32 bytes)
- * @returns Public key (32 bytes)
- */
-async function derivePublicKey(privateKey) {
-    if (privateKey.length !== 32) {
-        throw new errors_1.CryptoError('CRYPTO_INVALID_KEY_LENGTH', 'Ed25519 private key must be 32 bytes');
-    }
-    return ed25519.getPublicKeyAsync(privateKey);
-}
-/**
- * Validate that an Ed25519 JWK has a consistent keypair
- *
- * Derives the public key from the private key (d) and verifies it matches
- * the declared public key (x). This catches configuration errors where
- * the wrong key components are paired.
- *
- * @param jwk - Ed25519 JWK with both public (x) and private (d) components
- * @returns true if the keypair is consistent, false otherwise
- *
- * @example
- * ```typescript
- * const jwk = {
- *   kty: 'OKP',
- *   crv: 'Ed25519',
- *   x: 'base64url-encoded-public-key',
- *   d: 'base64url-encoded-private-key',
- * };
- *
- * if (!await validateKeypair(jwk)) {
- *   throw new Error('Invalid keypair: d does not derive to x');
- * }
- * ```
- */
-async function validateKeypair(jwk) {
-    // Validate JWK structure
-    if (jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519') {
-        return false;
-    }
-    // Decode the keys
-    let privateKeyBytes;
-    let declaredPublicKeyBytes;
-    try {
-        privateKeyBytes = (0, base64url_1.base64urlDecode)(jwk.d);
-        declaredPublicKeyBytes = (0, base64url_1.base64urlDecode)(jwk.x);
-    }
-    catch {
-        return false;
-    }
-    // Validate lengths
-    if (privateKeyBytes.length !== 32 || declaredPublicKeyBytes.length !== 32) {
-        return false;
-    }
-    // Derive the actual public key from the private key
-    const derivedPublicKeyBytes = await ed25519.getPublicKeyAsync(privateKeyBytes);
-    // Compare derived public key with declared public key
-    if (derivedPublicKeyBytes.length !== declaredPublicKeyBytes.length) {
-        return false;
-    }
-    for (let i = 0; i < derivedPublicKeyBytes.length; i++) {
-        if (derivedPublicKeyBytes[i] !== declaredPublicKeyBytes[i]) {
-            return false;
-        }
-    }
-    return true;
-}
-//# sourceMappingURL=jws.js.map

package/dist/jws.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"jws.js","sourceRoot":"","sources":["../src/jws.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCH,oBA4BC;AASD,wBAuDC;AAQD,wBAkBC;AAOD,0CAQC;AAwBD,0CAKC;AA0BD,0CAqCC;AArQD,wDAA0C;AAC1C,yCAAuD;AACvD,2CAKqB;AACrB,qCAAuC;AAoBvC;;;;;;;GAOG;AACI,KAAK,UAAU,IAAI,CAAC,OAAgB,EAAE,UAAsB,EAAE,GAAW;IAC9E,IAAI,UAAU,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,oBAAW,CAAC,2BAA2B,EAAE,sCAAsC,CAAC,CAAC;IAC7F,CAAC;IAED,gBAAgB;IAChB,MAAM,MAAM,GAAc;QACxB,GAAG,EAAE,sBAAa;QAClB,GAAG,EAAE,iBAAQ;QACb,GAAG;KACJ,CAAC;IAEF,4BAA4B;IAC5B,MAAM,SAAS,GAAG,IAAA,iCAAqB,EAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAChE,MAAM,UAAU,GAAG,IAAA,iCAAqB,EAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAElE,uBAAuB;IACvB,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,MAAM,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAEjE,oBAAoB;IACpB,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC;IAE9E,mBAAmB;IACnB,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,cAAc,CAAC,CAAC;IAErD,mCAAmC;IACnC,OAAO,GAAG,YAAY,IAAI,YAAY,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,MAAM,CAC1B,GAAW,EACX,SAAqB;IAErB,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,oBAAW,CAAC,2BAA2B,EAAE,qCAAqC,CAAC,CAAC;IAC5F,CAAC;IAED,YAAY;IACZ,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,oBAAW,CACnB,2BAA2B,EAC3B,kDAAkD,CACnD,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IAEpD,gBAAgB;IAChB,MAAM,UAAU,GAAG,IAAA,iCAAqB,EAAC,SAAS,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAc,CAAC;IAEnD,kBAAkB;IAClB,IAAI,MAAM,CAAC,GAAG,KAAK,sBAAa,EAAE,CAAC;QACjC,MAAM,IAAI,oBAAW,CACnB,oBAAoB,EACpB,yBAAyB,sBAAa,SAAS,MAAM,CAAC,GAAG,EAAE,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,iBAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,oBAAW,CACnB,oBAAoB,EACpB,yBAAyB,iBAAQ,SAAS,MAAM,CAAC,GAAG,EAAE,CACvD,CAAC;IACJ,CAAC;IAED,iBAAiB;IACjB,MAAM,WAAW,GAAG,IAAA,iCAAqB,EAAC,UAAU,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAM,CAAC;IAE7C,mBAAmB;IACnB,MAAM,cAAc,GAAG,IAAA,2BAAe,EAAC,YAAY,CAAC,CAAC;IAErD,mBAAmB;IACnB,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,MAAM,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAEjE,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAEtF,OAAO;QACL,MAAM;QACN,OAAO;QACP,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,MAAM,CAAc,GAAW;IAC7C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,oBAAW,CACnB,2BAA2B,EAC3B,kDAAkD,CACnD,CAAC;IACJ,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC;IAEtC,MAAM,UAAU,GAAG,IAAA,iCAAqB,EAAC,SAAS,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAc,CAAC;IAEnD,MAAM,WAAW,GAAG,IAAA,iCAAqB,EAAC,UAAU,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAM,CAAC;IAE7C,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC7B,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,eAAe;IAInC,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAE9D,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AACnC,CAAC;AAkBD;;;;;GAKG;AACI,KAAK,UAAU,eAAe,CAAC,UAAsB;IAC1D,IAAI,UAAU,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,oBAAW,CAAC,2BAA2B,EAAE,sCAAsC,CAAC,CAAC;IAC7F,CAAC;IACD,OAAO,OAAO,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACI,KAAK,UAAU,eAAe,CAAC,GAAsB;IAC1D,yBAAyB;IACzB,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC/C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,kBAAkB;IAClB,IAAI,eAA2B,CAAC;IAChC,IAAI,sBAAkC,CAAC;IAEvC,IAAI,CAAC;QACH,eAAe,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QACzC,sBAAsB,GAAG,IAAA,2BAAe,EAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IAED,mBAAmB;IACnB,IAAI,eAAe,CAAC,MAAM,KAAK,EAAE,IAAI,sBAAsB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,oDAAoD;IACpD,MAAM,qBAAqB,GAAG,MAAM,OAAO,CAAC,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAE/E,sDAAsD;IACtD,IAAI,qBAAqB,CAAC,MAAM,KAAK,sBAAsB,CAAC,MAAM,EAAE,CAAC;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,qBAAqB,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtD,IAAI,qBAAqB,CAAC,CAAC,CAAC,KAAK,sBAAsB,CAAC,CAAC,CAAC,EAAE,CAAC;YAC3D,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/testkit.js

@@ -1,82 +0,0 @@
-"use strict";
-/**
- * PEAC Crypto Test Kit
- *
- * This module contains utilities for TEST FIXTURES ONLY.
- * These functions are NOT exported from the main entry point.
- *
- * Import path: @peac/crypto/testkit
- *
- * SECURITY: Never use these in production. Production bundlers can
- * tree-shake this module away since it's a separate export path.
- */
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.generateKeypairFromSeed = generateKeypairFromSeed;
-const ed25519 = __importStar(require("@noble/ed25519"));
-const errors_js_1 = require("./errors.js");
-/**
- * Generate an Ed25519 keypair from a deterministic seed.
- *
- * WARNING: FOR TEST FIXTURES ONLY. DO NOT USE IN PRODUCTION.
- * Production code should use generateKeypair() which uses cryptographically
- * secure random bytes. Seeded keys are predictable and compromise security.
- *
- * This function is intentionally in a separate module (@peac/crypto/testkit)
- * so that production bundlers can tree-shake it away.
- *
- * @param seed - 32-byte seed (e.g., SHA-256 hash of a known string)
- * @returns Private key (32 bytes) and public key (32 bytes)
- *
- * @example
- * ```ts
- * // Use only in test fixtures for reproducibility
- * import { generateKeypairFromSeed } from '@peac/crypto/testkit';
- *
- * const seed = sha256('peac-test-key-001');
- * const { privateKey, publicKey } = await generateKeypairFromSeed(seed);
- * ```
- */
-async function generateKeypairFromSeed(seed) {
-    if (seed.length !== 32) {
-        throw new errors_js_1.CryptoError('CRYPTO_INVALID_SEED_LENGTH', 'Ed25519 seed must be 32 bytes');
-    }
-    // In Ed25519, the private key IS the seed (32 bytes)
-    // The public key is derived from it
-    const privateKey = seed;
-    const publicKey = await ed25519.getPublicKeyAsync(privateKey);
-    return { privateKey, publicKey };
-}
-//# sourceMappingURL=testkit.js.map

package/dist/testkit.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"testkit.js","sourceRoot":"","sources":["../src/testkit.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BH,0DAcC;AAvCD,wDAA0C;AAC1C,2CAA0C;AAE1C;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,KAAK,UAAU,uBAAuB,CAAC,IAAgB;IAI5D,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,uBAAW,CAAC,4BAA4B,EAAE,+BAA+B,CAAC,CAAC;IACvF,CAAC;IAED,qDAAqD;IACrD,oCAAoC;IACpC,MAAM,UAAU,GAAG,IAAI,CAAC;IACxB,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAE9D,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AACnC,CAAC"}