@peac/crypto 0.9.18

package/README.md

@@ -0,0 +1,23 @@
+# @peac/crypto
+
+Ed25519 JWS signing and verification for PEAC protocol
+
+## Installation
+
+```bash
+pnpm add @peac/crypto
+```
+
+## Documentation
+
+See [peacprotocol.org](https://peacprotocol.org) for full documentation.
+
+## License
+
+Apache-2.0
+
+---
+
+PEAC Protocol is an open source project stewarded by Originary and community contributors.
+
+[Originary](https://www.originary.xyz) | [Docs](https://peacprotocol.org) | [GitHub](https://github.com/peacprotocol/peac)

package/dist/base64url.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Base64url encoding/decoding (RFC 4648 §5)
+ * Used for JWS compact serialization
+ */
+/**
+ * Encode bytes to base64url string (no padding)
+ */
+export declare function base64urlEncode(bytes: Uint8Array): string;
+/**
+ * Decode base64url string to bytes
+ */
+export declare function base64urlDecode(str: string): Uint8Array;
+/**
+ * Encode UTF-8 string to base64url
+ */
+export declare function base64urlEncodeString(str: string): string;
+/**
+ * Decode base64url to UTF-8 string
+ */
+export declare function base64urlDecodeString(str: string): string;
+//# sourceMappingURL=base64url.d.ts.map

package/dist/base64url.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64url.d.ts","sourceRoot":"","sources":["../src/base64url.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAGzD;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAYvD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEzD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEzD"}

package/dist/base64url.js

@@ -0,0 +1,44 @@
+"use strict";
+/**
+ * Base64url encoding/decoding (RFC 4648 §5)
+ * Used for JWS compact serialization
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.base64urlEncode = base64urlEncode;
+exports.base64urlDecode = base64urlDecode;
+exports.base64urlEncodeString = base64urlEncodeString;
+exports.base64urlDecodeString = base64urlDecodeString;
+/**
+ * Encode bytes to base64url string (no padding)
+ */
+function base64urlEncode(bytes) {
+    const base64 = Buffer.from(bytes).toString('base64');
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+/**
+ * Decode base64url string to bytes
+ */
+function base64urlDecode(str) {
+    // Add padding if needed
+    let padded = str;
+    const mod = str.length % 4;
+    if (mod > 0) {
+        padded += '='.repeat(4 - mod);
+    }
+    // Convert base64url to base64
+    const base64 = padded.replace(/-/g, '+').replace(/_/g, '/');
+    return new Uint8Array(Buffer.from(base64, 'base64'));
+}
+/**
+ * Encode UTF-8 string to base64url
+ */
+function base64urlEncodeString(str) {
+    return base64urlEncode(new TextEncoder().encode(str));
+}
+/**
+ * Decode base64url to UTF-8 string
+ */
+function base64urlDecodeString(str) {
+    return new TextDecoder().decode(base64urlDecode(str));
+}
+//# sourceMappingURL=base64url.js.map

package/dist/base64url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base64url.js","sourceRoot":"","sources":["../src/base64url.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAKH,0CAGC;AAKD,0CAYC;AAKD,sDAEC;AAKD,sDAEC;AArCD;;GAEG;AACH,SAAgB,eAAe,CAAC,KAAiB;IAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,SAAgB,eAAe,CAAC,GAAW;IACzC,wBAAwB;IACxB,IAAI,MAAM,GAAG,GAAG,CAAC;IACjB,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;IAC3B,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,8BAA8B;IAC9B,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAE5D,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;AACvD,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,GAAW;IAC/C,OAAO,eAAe,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,GAAW;IAC/C,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;AACxD,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,8 @@
+/**
+ * PEAC Protocol Crypto Package
+ * Ed25519 JWS signing/verification and JSON Canonicalization (RFC 8785)
+ */
+export * from './base64url';
+export * from './jcs';
+export * from './jws';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,aAAa,CAAC;AAC5B,cAAc,OAAO,CAAC;AACtB,cAAc,OAAO,CAAC"}

package/dist/index.js

@@ -0,0 +1,24 @@
+"use strict";
+/**
+ * PEAC Protocol Crypto Package
+ * Ed25519 JWS signing/verification and JSON Canonicalization (RFC 8785)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./base64url"), exports);
+__exportStar(require("./jcs"), exports);
+__exportStar(require("./jws"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAEH,8CAA4B;AAC5B,wCAAsB;AACtB,wCAAsB"}

package/dist/jcs.d.ts

@@ -0,0 +1,17 @@
+/**
+ * JSON Canonicalization Scheme (RFC 8785)
+ * Deterministic JSON serialization for cryptographic hashing
+ */
+/**
+ * Canonicalize a JSON value according to RFC 8785
+ */
+export declare function canonicalize(obj: unknown): string;
+/**
+ * Canonicalize and encode as UTF-8 bytes
+ */
+export declare function canonicalizeBytes(obj: unknown): Uint8Array;
+/**
+ * Compute JCS+SHA-256 hash of an object
+ */
+export declare function jcsHash(obj: unknown): Promise<string>;
+//# sourceMappingURL=jcs.d.ts.map

package/dist/jcs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jcs.d.ts","sourceRoot":"","sources":["../src/jcs.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CA8CjD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,OAAO,GAAG,UAAU,CAG1D;AAED;;GAEG;AACH,wBAAsB,OAAO,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAO3D"}

package/dist/jcs.js

@@ -0,0 +1,72 @@
+"use strict";
+/**
+ * JSON Canonicalization Scheme (RFC 8785)
+ * Deterministic JSON serialization for cryptographic hashing
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.canonicalize = canonicalize;
+exports.canonicalizeBytes = canonicalizeBytes;
+exports.jcsHash = jcsHash;
+/**
+ * Canonicalize a JSON value according to RFC 8785
+ */
+function canonicalize(obj) {
+    if (obj === null) {
+        return 'null';
+    }
+    if (typeof obj === 'boolean') {
+        return obj ? 'true' : 'false';
+    }
+    if (typeof obj === 'number') {
+        // RFC 8785 number serialization (no trailing zeros, no exponential for small numbers)
+        if (!Number.isFinite(obj)) {
+            throw new Error('Cannot canonicalize non-finite number');
+        }
+        if (Object.is(obj, -0)) {
+            return '0';
+        }
+        // Use JSON.stringify for proper number formatting per RFC 8785
+        const str = JSON.stringify(obj);
+        // Ensure no exponential notation for integers
+        if (Number.isInteger(obj) && str.includes('e')) {
+            return obj.toString();
+        }
+        return str;
+    }
+    if (typeof obj === 'string') {
+        return JSON.stringify(obj);
+    }
+    if (Array.isArray(obj)) {
+        const elements = obj.map(canonicalize);
+        return `[${elements.join(',')}]`;
+    }
+    if (typeof obj === 'object') {
+        // Sort keys lexicographically by UTF-16 code unit
+        const keys = Object.keys(obj).sort();
+        const pairs = keys.map((key) => {
+            const value = obj[key];
+            return `${JSON.stringify(key)}:${canonicalize(value)}`;
+        });
+        return `{${pairs.join(',')}}`;
+    }
+    throw new Error(`Cannot canonicalize type: ${typeof obj}`);
+}
+/**
+ * Canonicalize and encode as UTF-8 bytes
+ */
+function canonicalizeBytes(obj) {
+    const canonical = canonicalize(obj);
+    return new TextEncoder().encode(canonical);
+}
+/**
+ * Compute JCS+SHA-256 hash of an object
+ */
+async function jcsHash(obj) {
+    const bytes = canonicalizeBytes(obj);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', bytes);
+    const hashArray = new Uint8Array(hashBuffer);
+    return Array.from(hashArray)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+//# sourceMappingURL=jcs.js.map

package/dist/jcs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jcs.js","sourceRoot":"","sources":["../src/jcs.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAKH,oCA8CC;AAKD,8CAGC;AAKD,0BAOC;AArED;;GAEG;AACH,SAAgB,YAAY,CAAC,GAAY;IACvC,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QACjB,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,SAAS,EAAE,CAAC;QAC7B,OAAO,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC;IAChC,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,sFAAsF;QACtF,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;QACD,IAAI,MAAM,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACvB,OAAO,GAAG,CAAC;QACb,CAAC;QACD,+DAA+D;QAC/D,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;QAChC,8CAA8C;QAC9C,IAAI,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;QACxB,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACvC,OAAO,IAAI,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IACnC,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,kDAAkD;QAClD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;YAC7B,MAAM,KAAK,GAAI,GAA+B,CAAC,GAAG,CAAC,CAAC;YACpD,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;QACzD,CAAC,CAAC,CAAC;QACH,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IAChC,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,6BAA6B,OAAO,GAAG,EAAE,CAAC,CAAC;AAC7D,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,GAAY;IAC5C,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IACpC,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,OAAO,CAAC,GAAY;IACxC,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAChE,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IAC7C,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;SACzB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC"}

package/dist/jws.d.ts

@@ -0,0 +1,58 @@
+/**
+ * JWS compact serialization with Ed25519 (RFC 8032)
+ * Implements peac.receipt/0.9 wire format
+ */
+import { PEAC_WIRE_TYP, PEAC_ALG } from '@peac/schema';
+/**
+ * JWS header for PEAC receipts
+ */
+export interface JWSHeader {
+    typ: typeof PEAC_WIRE_TYP;
+    alg: typeof PEAC_ALG;
+    kid: string;
+}
+/**
+ * Result of JWS verification
+ */
+export interface VerifyResult<T = unknown> {
+    header: JWSHeader;
+    payload: T;
+    valid: boolean;
+}
+/**
+ * Sign a payload with Ed25519 and return JWS compact serialization
+ *
+ * @param payload - JSON-serializable payload
+ * @param privateKey - Ed25519 private key (32 bytes)
+ * @param kid - Key ID (ISO 8601 timestamp)
+ * @returns JWS compact serialization (header.payload.signature)
+ */
+export declare function sign(payload: unknown, privateKey: Uint8Array, kid: string): Promise<string>;
+/**
+ * Verify a JWS compact serialization with Ed25519
+ *
+ * @param jws - JWS compact serialization
+ * @param publicKey - Ed25519 public key (32 bytes)
+ * @returns Verification result with decoded header and payload
+ */
+export declare function verify<T = unknown>(jws: string, publicKey: Uint8Array): Promise<VerifyResult<T>>;
+/**
+ * Decode JWS without verifying signature (use with caution!)
+ *
+ * @param jws - JWS compact serialization
+ * @returns Decoded header and payload (unverified)
+ */
+export declare function decode<T = unknown>(jws: string): {
+    header: JWSHeader;
+    payload: T;
+};
+/**
+ * Generate a random Ed25519 keypair
+ *
+ * @returns Private key (32 bytes) and public key (32 bytes)
+ */
+export declare function generateKeypair(): Promise<{
+    privateKey: Uint8Array;
+    publicKey: Uint8Array;
+}>;
+//# sourceMappingURL=jws.d.ts.map

package/dist/jws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jws.d.ts","sourceRoot":"","sources":["../src/jws.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAGH,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAQvD;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,OAAO,aAAa,CAAC;IAC1B,GAAG,EAAE,OAAO,QAAQ,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,YAAY,CAAC,CAAC,GAAG,OAAO;IACvC,MAAM,EAAE,SAAS,CAAC;IAClB,OAAO,EAAE,CAAC,CAAC;IACX,KAAK,EAAE,OAAO,CAAC;CAChB;AAED;;;;;;;GAOG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA4BjG;AAED;;;;;;GAMG;AACH,wBAAsB,MAAM,CAAC,CAAC,GAAG,OAAO,EACtC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CA2C1B;AAED;;;;;GAKG;AACH,wBAAgB,MAAM,CAAC,CAAC,GAAG,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,OAAO,EAAE,CAAC,CAAA;CAAE,CAelF;AAED;;;;GAIG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC;IAC/C,UAAU,EAAE,UAAU,CAAC;IACvB,SAAS,EAAE,UAAU,CAAC;CACvB,CAAC,CAKD"}

package/dist/jws.js

@@ -0,0 +1,148 @@
+"use strict";
+/**
+ * JWS compact serialization with Ed25519 (RFC 8032)
+ * Implements peac.receipt/0.9 wire format
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sign = sign;
+exports.verify = verify;
+exports.decode = decode;
+exports.generateKeypair = generateKeypair;
+const ed25519 = __importStar(require("@noble/ed25519"));
+const schema_1 = require("@peac/schema");
+const base64url_1 = require("./base64url");
+/**
+ * Sign a payload with Ed25519 and return JWS compact serialization
+ *
+ * @param payload - JSON-serializable payload
+ * @param privateKey - Ed25519 private key (32 bytes)
+ * @param kid - Key ID (ISO 8601 timestamp)
+ * @returns JWS compact serialization (header.payload.signature)
+ */
+async function sign(payload, privateKey, kid) {
+    if (privateKey.length !== 32) {
+        throw new Error('Ed25519 private key must be 32 bytes');
+    }
+    // Create header
+    const header = {
+        typ: schema_1.PEAC_WIRE_TYP,
+        alg: schema_1.PEAC_ALG,
+        kid,
+    };
+    // Encode header and payload
+    const headerB64 = (0, base64url_1.base64urlEncodeString)(JSON.stringify(header));
+    const payloadB64 = (0, base64url_1.base64urlEncodeString)(JSON.stringify(payload));
+    // Create signing input
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signingInputBytes = new TextEncoder().encode(signingInput);
+    // Sign with Ed25519
+    const signatureBytes = await ed25519.signAsync(signingInputBytes, privateKey);
+    // Encode signature
+    const signatureB64 = (0, base64url_1.base64urlEncode)(signatureBytes);
+    // Return JWS compact serialization
+    return `${signingInput}.${signatureB64}`;
+}
+/**
+ * Verify a JWS compact serialization with Ed25519
+ *
+ * @param jws - JWS compact serialization
+ * @param publicKey - Ed25519 public key (32 bytes)
+ * @returns Verification result with decoded header and payload
+ */
+async function verify(jws, publicKey) {
+    if (publicKey.length !== 32) {
+        throw new Error('Ed25519 public key must be 32 bytes');
+    }
+    // Split JWS
+    const parts = jws.split('.');
+    if (parts.length !== 3) {
+        throw new Error('Invalid JWS: must have three dot-separated parts');
+    }
+    const [headerB64, payloadB64, signatureB64] = parts;
+    // Decode header
+    const headerJson = (0, base64url_1.base64urlDecodeString)(headerB64);
+    const header = JSON.parse(headerJson);
+    // Validate header
+    if (header.typ !== schema_1.PEAC_WIRE_TYP) {
+        throw new Error(`Invalid typ: expected ${schema_1.PEAC_WIRE_TYP}, got ${header.typ}`);
+    }
+    if (header.alg !== schema_1.PEAC_ALG) {
+        throw new Error(`Invalid alg: expected ${schema_1.PEAC_ALG}, got ${header.alg}`);
+    }
+    // Decode payload
+    const payloadJson = (0, base64url_1.base64urlDecodeString)(payloadB64);
+    const payload = JSON.parse(payloadJson);
+    // Decode signature
+    const signatureBytes = (0, base64url_1.base64urlDecode)(signatureB64);
+    // Verify signature
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const signingInputBytes = new TextEncoder().encode(signingInput);
+    const valid = await ed25519.verifyAsync(signatureBytes, signingInputBytes, publicKey);
+    return {
+        header,
+        payload,
+        valid,
+    };
+}
+/**
+ * Decode JWS without verifying signature (use with caution!)
+ *
+ * @param jws - JWS compact serialization
+ * @returns Decoded header and payload (unverified)
+ */
+function decode(jws) {
+    const parts = jws.split('.');
+    if (parts.length !== 3) {
+        throw new Error('Invalid JWS: must have three dot-separated parts');
+    }
+    const [headerB64, payloadB64] = parts;
+    const headerJson = (0, base64url_1.base64urlDecodeString)(headerB64);
+    const header = JSON.parse(headerJson);
+    const payloadJson = (0, base64url_1.base64urlDecodeString)(payloadB64);
+    const payload = JSON.parse(payloadJson);
+    return { header, payload };
+}
+/**
+ * Generate a random Ed25519 keypair
+ *
+ * @returns Private key (32 bytes) and public key (32 bytes)
+ */
+async function generateKeypair() {
+    const privateKey = ed25519.utils.randomPrivateKey();
+    const publicKey = await ed25519.getPublicKeyAsync(privateKey);
+    return { privateKey, publicKey };
+}
+//# sourceMappingURL=jws.js.map

package/dist/jws.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jws.js","sourceRoot":"","sources":["../src/jws.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqCH,oBA4BC;AASD,wBA8CC;AAQD,wBAeC;AAOD,0CAQC;AA5JD,wDAA0C;AAC1C,yCAAuD;AACvD,2CAKqB;AAoBrB;;;;;;;GAOG;AACI,KAAK,UAAU,IAAI,CAAC,OAAgB,EAAE,UAAsB,EAAE,GAAW;IAC9E,IAAI,UAAU,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,gBAAgB;IAChB,MAAM,MAAM,GAAc;QACxB,GAAG,EAAE,sBAAa;QAClB,GAAG,EAAE,iBAAQ;QACb,GAAG;KACJ,CAAC;IAEF,4BAA4B;IAC5B,MAAM,SAAS,GAAG,IAAA,iCAAqB,EAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IAChE,MAAM,UAAU,GAAG,IAAA,iCAAqB,EAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;IAElE,uBAAuB;IACvB,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,MAAM,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAEjE,oBAAoB;IACpB,MAAM,cAAc,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC;IAE9E,mBAAmB;IACnB,MAAM,YAAY,GAAG,IAAA,2BAAe,EAAC,cAAc,CAAC,CAAC;IAErD,mCAAmC;IACnC,OAAO,GAAG,YAAY,IAAI,YAAY,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,MAAM,CAC1B,GAAW,EACX,SAAqB;IAErB,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,YAAY;IACZ,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IAEpD,gBAAgB;IAChB,MAAM,UAAU,GAAG,IAAA,iCAAqB,EAAC,SAAS,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAc,CAAC;IAEnD,kBAAkB;IAClB,IAAI,MAAM,CAAC,GAAG,KAAK,sBAAa,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,yBAAyB,sBAAa,SAAS,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,iBAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,yBAAyB,iBAAQ,SAAS,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC;IAC1E,CAAC;IAED,iBAAiB;IACjB,MAAM,WAAW,GAAG,IAAA,iCAAqB,EAAC,UAAU,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAM,CAAC;IAE7C,mBAAmB;IACnB,MAAM,cAAc,GAAG,IAAA,2BAAe,EAAC,YAAY,CAAC,CAAC;IAErD,mBAAmB;IACnB,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,MAAM,iBAAiB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAEjE,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,cAAc,EAAE,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAEtF,OAAO;QACL,MAAM;QACN,OAAO;QACP,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,SAAgB,MAAM,CAAc,GAAW;IAC7C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,CAAC,SAAS,EAAE,UAAU,CAAC,GAAG,KAAK,CAAC;IAEtC,MAAM,UAAU,GAAG,IAAA,iCAAqB,EAAC,SAAS,CAAC,CAAC;IACpD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAc,CAAC;IAEnD,MAAM,WAAW,GAAG,IAAA,iCAAqB,EAAC,UAAU,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAM,CAAC;IAE7C,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AAC7B,CAAC;AAED;;;;GAIG;AACI,KAAK,UAAU,eAAe;IAInC,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAE9D,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AACnC,CAAC"}

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "@peac/crypto",
+  "version": "0.9.18",
+  "description": "Ed25519 JWS signing and verification for PEAC protocol",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/peacprotocol/peac.git",
+    "directory": "packages/crypto"
+  },
+  "author": "jithinraj <7850727+jithinraj@users.noreply.github.com>",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/peacprotocol/peac/issues"
+  },
+  "homepage": "https://github.com/peacprotocol/peac#readme",
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "clean": "rm -rf dist"
+  },
+  "dependencies": {
+    "@noble/ed25519": "^2.0.0",
+    "@peac/schema": "workspace:*"
+  },
+  "devDependencies": {
+    "@types/node": "^20.10.0",
+    "typescript": "^5.3.3",
+    "vitest": "^1.1.0"
+  }
+}