@twin.org/standards-w3c-did 0.0.1-next.24 → 0.0.1-next.26

package/dist/cjs/index.cjs

@@ -1,5 +1,10 @@
 'use strict';
 
+var core = require('@twin.org/core');
+var crypto = require('@twin.org/crypto');
+var web = require('@twin.org/web');
+var dataJsonLd = require('@twin.org/data-json-ld');
+
 // Copyright 2024 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 /**
@@ -30,7 +35,15 @@ const DidContexts = {
     /**
      * The context root for VC Data Integrity.
      */
-    ContextVCDataIntegrity: "https://w3id.org/security/data-integrity/v2"
+    ContextDataIntegrity: "https://www.w3.org/ns/credentials/v2",
+    /**
+     * The context root for VC Data Integrity.
+     */
+    ContextControllerIdentifiers: "https://www.w3.org/ns/cid/v1",
+    /**
+     * The context root for security multikey suites.
+     */
+    ContextSecurityMultikey: "https://w3id.org/security/multikey/v1"
 };
 
 // Copyright 2024 IOTA Stiftung.
@@ -67,10 +80,6 @@ const DidTypes = {
      * The type for Verifiable Presentation.
      */
     VerifiablePresentation: "VerifiablePresentation",
-    /**
-     * The type for Data Integrity Proof.
-     */
-    DataIntegrityProof: "DataIntegrityProof",
     /**
      * The type for Ed25519VerificationKey2020.
      */
@@ -82,7 +91,11 @@ const DidTypes = {
     /**
      * The type for LinkedDomains.
      */
-    LinkedDomains: "LinkedDomains"
+    LinkedDomains: "LinkedDomains",
+    /**
+     * The type for Multikey.
+     */
+    Multikey: "Multikey"
 };
 
 /**
@@ -116,7 +129,369 @@ const DidVerificationMethodType = {
     CapabilityDelegation: "capabilityDelegation"
 };
 
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+/**
+ * The types for proofs.
+ */
+// eslint-disable-next-line @typescript-eslint/naming-convention
+const ProofTypes = {
+    /**
+     * The type for Data Integrity Proof.
+     */
+    DataIntegrityProof: "DataIntegrityProof",
+    /**
+     * The type for Json Web Signature 2020.
+     */
+    JsonWebSignature2020: "JsonWebSignature2020"
+};
+
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+/**
+ * Helper methods for creating and verifying proofs.
+ * https://www.w3.org/TR/vc-di-eddsa/#eddsa-jcs-2022
+ */
+class DataIntegrityProofSignerVerifier {
+    /**
+     * Runtime name for the class.
+     */
+    CLASS_NAME = "DataIntegrityProofSignerVerifier";
+    /**
+     * Create a proof for the given data.
+     * @param unsecuredDocument The data to create the proof for.
+     * @param unsignedProof The proof options.
+     * @param signKey The key to sign the proof with.
+     * @returns The created proof.
+     */
+    async createProof(unsecuredDocument, unsignedProof, signKey) {
+        core.Guards.object(this.CLASS_NAME, "unsecuredDocument", unsecuredDocument);
+        core.Guards.object(this.CLASS_NAME, "unsignedProof", unsignedProof);
+        core.Guards.object(this.CLASS_NAME, "signKey", signKey);
+        const rawKeys = await web.Jwk.toRaw(signKey);
+        if (!core.Is.uint8Array(rawKeys.privateKey)) {
+            throw new core.GeneralError(this.CLASS_NAME, "missingPrivateKey");
+        }
+        const combinedHash = await this.createHash(unsecuredDocument, unsignedProof);
+        const signature = crypto.Ed25519.sign(rawKeys.privateKey, combinedHash);
+        const signedProof = core.ObjectHelper.clone(unsignedProof);
+        signedProof.proofValue = `z${core.Converter.bytesToBase58(signature)}`;
+        return signedProof;
+    }
+    /**
+     * Verify a proof for the given data in format.
+     * @param securedDocument The credential to verify.
+     * @param signedProof The proof to verify.
+     * @param verifyKey The public key to verify the proof with.
+     * @returns True if the credential was verified.
+     */
+    async verifyProof(securedDocument, signedProof, verifyKey) {
+        core.Guards.object(this.CLASS_NAME, "securedDocument", securedDocument);
+        core.Guards.object(this.CLASS_NAME, "signedProof", signedProof);
+        core.Guards.object(this.CLASS_NAME, "verifyKey", verifyKey);
+        const rawKeys = await web.Jwk.toRaw(verifyKey);
+        if (!core.Is.uint8Array(rawKeys.publicKey)) {
+            throw new core.GeneralError(this.CLASS_NAME, "missingPublicKey");
+        }
+        if (!core.Is.stringValue(signedProof.proofValue) || !signedProof.proofValue.startsWith("z")) {
+            throw new core.GeneralError(this.CLASS_NAME, "missingProofValue");
+        }
+        const combinedHash = await this.createHash(securedDocument, signedProof);
+        return crypto.Ed25519.verify(rawKeys.publicKey, combinedHash, core.Converter.base58ToBytes(signedProof.proofValue.slice(1)));
+    }
+    /**
+     * Create a hash for the given data.
+     * @param unsecuredDocument The data to create the proof for.
+     * @param unsignedProof The unsigned proof.
+     * @returns The created hash.
+     */
+    async createHash(unsecuredDocument, unsignedProof) {
+        core.Guards.object(this.CLASS_NAME, "unsecuredDocument", unsecuredDocument);
+        core.Guards.object(this.CLASS_NAME, "unsignedProof", unsignedProof);
+        core.Guards.stringValue(this.CLASS_NAME, "unsignedProof.cryptosuite", unsignedProof.cryptosuite);
+        core.Guards.stringValue(this.CLASS_NAME, "unsignedProof.verificationMethod", unsignedProof.verificationMethod);
+        const unsecuredDocumentClone = core.ObjectHelper.clone(unsecuredDocument);
+        const proofOptionsClone = core.ObjectHelper.clone(unsignedProof);
+        delete unsecuredDocumentClone.proof;
+        delete proofOptionsClone.proofValue;
+        if (proofOptionsClone.cryptosuite !== DidCryptoSuites.EdDSAJcs2022) {
+            throw new core.GeneralError(this.CLASS_NAME, "cryptosuiteNotSupported", {
+                cryptoSuite: proofOptionsClone.cryptosuite
+            });
+        }
+        if (!core.Is.empty(unsecuredDocumentClone["@context"])) {
+            proofOptionsClone["@context"] = unsecuredDocumentClone["@context"];
+        }
+        const transformedDocument = core.JsonHelper.canonicalize(unsecuredDocumentClone);
+        const transformedDocumentHash = crypto.Sha256.sum256(core.Converter.utf8ToBytes(transformedDocument));
+        const transformedProofOptions = core.JsonHelper.canonicalize(proofOptionsClone);
+        const proofOptionsHash = crypto.Sha256.sum256(core.Converter.utf8ToBytes(transformedProofOptions));
+        return core.Uint8ArrayHelper.concat([proofOptionsHash, transformedDocumentHash]);
+    }
+}
+
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+/**
+ * Helper methods for creating and verifying proofs.
+ */
+class JsonWebSignature2020SignerVerifier {
+    /**
+     * Runtime name for the class.
+     */
+    CLASS_NAME = "JsonWebSignature2020SignerVerifier";
+    /**
+     * Create a proof for the given data.
+     * @param unsecuredDocument The data to create the proof for.
+     * @param unsignedProof The proof options.
+     * @param signKey The key to sign the proof with.
+     * @returns The created proof.
+     */
+    async createProof(unsecuredDocument, unsignedProof, signKey) {
+        core.Guards.object(this.CLASS_NAME, "unsecuredDocument", unsecuredDocument);
+        core.Guards.object(this.CLASS_NAME, "unsignedProof", unsignedProof);
+        core.Guards.object(this.CLASS_NAME, "signKey", signKey);
+        const hash = await this.createHash(unsecuredDocument, unsignedProof);
+        const cryptoKey = await web.Jwk.toCryptoKey(signKey);
+        const signature = await web.Jws.create(cryptoKey, hash);
+        const signedProof = core.ObjectHelper.clone(unsignedProof);
+        signedProof.jws = signature;
+        return signedProof;
+    }
+    /**
+     * Verify a proof for the given data in format.
+     * @param securedDocument The credential to verify.
+     * @param signedProof The proof to verify.
+     * @param verifyKey The public key to verify the proof with.
+     * @returns True if the credential was verified.
+     */
+    async verifyProof(securedDocument, signedProof, verifyKey) {
+        core.Guards.object(this.CLASS_NAME, "securedDocument", securedDocument);
+        core.Guards.object(this.CLASS_NAME, "signedProof", signedProof);
+        core.Guards.object(this.CLASS_NAME, "verifyKey", verifyKey);
+        const jws = signedProof.jws;
+        if (!core.Is.stringValue(jws)) {
+            throw new core.GeneralError(this.CLASS_NAME, "jwsMissing");
+        }
+        const hash = await this.createHash(securedDocument, signedProof);
+        const cryptoKey = await web.Jwk.toCryptoKey(verifyKey);
+        return web.Jws.verify(jws, cryptoKey, hash);
+    }
+    /**
+     * Create a hash for the given data.
+     * @param unsecuredDocument The data to create the proof for.
+     * @param unsignedProof The unsigned proof.
+     * @returns The created hash.
+     */
+    async createHash(unsecuredDocument, unsignedProof) {
+        core.Guards.object(this.CLASS_NAME, "unsecuredDocument", unsecuredDocument);
+        core.Guards.object(this.CLASS_NAME, "unsignedProof", unsignedProof);
+        core.Guards.stringValue(this.CLASS_NAME, "unsignedProof.verificationMethod", unsignedProof.verificationMethod);
+        const unsecuredDocumentClone = core.ObjectHelper.clone(unsecuredDocument);
+        const proofOptionsClone = core.ObjectHelper.clone(unsignedProof);
+        unsecuredDocumentClone["@context"] = dataJsonLd.JsonLdProcessor.combineContexts(unsecuredDocumentClone["@context"], DidContexts.ContextSecurityJws2020);
+        proofOptionsClone["@context"] = unsecuredDocumentClone["@context"];
+        delete unsecuredDocumentClone.proof;
+        delete proofOptionsClone.jws;
+        const canonizedData = await dataJsonLd.JsonLdProcessor.canonize(unsecuredDocumentClone);
+        const canonizedProof = await dataJsonLd.JsonLdProcessor.canonize(proofOptionsClone);
+        const hashedProof = crypto.Sha256.sum256(core.Converter.utf8ToBytes(canonizedProof));
+        const hashedData = crypto.Sha256.sum256(core.Converter.utf8ToBytes(canonizedData));
+        return core.Uint8ArrayHelper.concat([hashedProof, hashedData]);
+    }
+}
+
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+/**
+ * Helper methods for multikey.
+ */
+class MultikeyHelper {
+    /**
+     * Runtime name for the class.
+     */
+    static CLASS_NAME = "MultikeyHelper";
+    /**
+     * Convert a multikey to a JWK.
+     * @param multikey The multikey to convert.
+     * @returns The JWK.
+     * @throws GeneralError if the multikey is invalid.
+     */
+    static toJwk(multikey) {
+        core.Guards.object(MultikeyHelper.CLASS_NAME, "multikey", multikey);
+        const { publicKey, privateKey } = MultikeyHelper.toRaw(multikey);
+        return {
+            kty: "OKP",
+            crv: "Ed25519",
+            alg: "EdDSA",
+            x: core.Is.uint8Array(publicKey) ? core.Converter.bytesToBase64Url(publicKey) : undefined,
+            d: core.Is.uint8Array(privateKey) ? core.Converter.bytesToBase64Url(privateKey) : undefined
+        };
+    }
+    /**
+     * Convert a JWK to a Multikey.
+     * @param controller The controller of the multikey.
+     * @param id The id of the multikey.
+     * @param jwk The jwk to convert.
+     * @returns The multikey.
+     * @throws GeneralError if the jwk is invalid.
+     */
+    static fromJwk(controller, id, jwk) {
+        core.Guards.stringValue(MultikeyHelper.CLASS_NAME, "controller", controller);
+        core.Guards.stringValue(MultikeyHelper.CLASS_NAME, "id", id);
+        core.Guards.object(MultikeyHelper.CLASS_NAME, "jwk", jwk);
+        core.Guards.stringValue(MultikeyHelper.CLASS_NAME, "jwk.x", jwk.x);
+        if (jwk.kty !== "OKP") {
+            throw new core.GeneralError(MultikeyHelper.CLASS_NAME, "unsupportedKty", { kty: jwk.kty });
+        }
+        if (jwk.crv !== "Ed25519") {
+            throw new core.GeneralError(MultikeyHelper.CLASS_NAME, "unsupportedCrv", { crv: jwk.crv });
+        }
+        const publicRaw = core.Converter.base64UrlToBytes(jwk.x);
+        const publicKey = new Uint8Array(2 + publicRaw.length);
+        publicKey[0] = 0xed;
+        publicKey[1] = 0x01;
+        publicKey.set(publicRaw, 2);
+        const multikey = {
+            "@context": DidContexts.ContextControllerIdentifiers,
+            type: DidTypes.Multikey,
+            controller,
+            id,
+            publicKeyMultibase: `z${core.Converter.bytesToBase58(publicKey)}`
+        };
+        if (core.Is.stringValue(jwk.d)) {
+            const privateRaw = core.Converter.base64UrlToBytes(jwk.d);
+            const secretKey = new Uint8Array(2 + privateRaw.length);
+            secretKey[0] = 0x80;
+            secretKey[1] = 0x26;
+            secretKey.set(privateRaw, 2);
+            multikey.secretKeyMultibase = `z${core.Converter.bytesToBase58(secretKey)}`;
+        }
+        return multikey;
+    }
+    /**
+     * Convert a multikey to raw keys.
+     * @param multikey The multikey to convert.
+     * @returns The JWK.
+     * @throws GeneralError if the multikey is invalid.
+     */
+    static toRaw(multikey) {
+        core.Guards.object(MultikeyHelper.CLASS_NAME, "multikey", multikey);
+        let publicKeyRaw;
+        let secretKeyRaw;
+        if (core.Is.stringValue(multikey.publicKeyMultibase)) {
+            if (!multikey.publicKeyMultibase.startsWith("z")) {
+                throw new core.GeneralError(MultikeyHelper.CLASS_NAME, "invalidPublicKeyMultibase", {
+                    publicKeyMultibase: multikey.publicKeyMultibase
+                });
+            }
+            publicKeyRaw = core.Converter.base58ToBytes(multikey.publicKeyMultibase.slice(1));
+            if (publicKeyRaw[0] !== 0xed || publicKeyRaw[1] !== 0x01) {
+                throw new core.GeneralError(MultikeyHelper.CLASS_NAME, "publicKeyMultibaseMissingHeader", {
+                    publicKeyMultibase: multikey.publicKeyMultibase
+                });
+            }
+        }
+        if (core.Is.stringValue(multikey.secretKeyMultibase)) {
+            if (!multikey.secretKeyMultibase.startsWith("z")) {
+                throw new core.GeneralError(MultikeyHelper.CLASS_NAME, "invalidSecretKeyMultibase", {
+                    secretKeyMultibase: multikey.secretKeyMultibase
+                });
+            }
+            secretKeyRaw = core.Converter.base58ToBytes(multikey.secretKeyMultibase.slice(1));
+            if (secretKeyRaw[0] !== 0x80 || secretKeyRaw[1] !== 0x26) {
+                throw new core.GeneralError(MultikeyHelper.CLASS_NAME, "publicKeyMultibaseMissingHeader", {
+                    publicKeyMultibase: multikey.publicKeyMultibase
+                });
+            }
+        }
+        return {
+            publicKey: publicKeyRaw?.slice(2) ?? new Uint8Array(),
+            privateKey: secretKeyRaw?.slice(2, 34) ?? new Uint8Array()
+        };
+    }
+}
+
+// Copyright 2024 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+/**
+ * Helper methods for creating and verifying proofs.
+ */
+class ProofHelper {
+    /**
+     * Runtime name for the class.
+     */
+    static CLASS_NAME = "ProofHelper";
+    /**
+     * Create a signer verifier.
+     * @param proofType The type of proof to create.
+     * @returns The created signer verifier.
+     * @throws GeneralError if the proof type is not supported.
+     */
+    static createSignerVerifier(proofType) {
+        core.Guards.arrayOneOf(this.CLASS_NAME, "proofType", proofType, Object.values(ProofTypes));
+        let signerVerifier;
+        if (proofType === ProofTypes.DataIntegrityProof) {
+            signerVerifier = new DataIntegrityProofSignerVerifier();
+        }
+        else if (proofType === ProofTypes.JsonWebSignature2020) {
+            signerVerifier = new JsonWebSignature2020SignerVerifier();
+        }
+        if (core.Is.empty(signerVerifier)) {
+            throw new core.GeneralError(ProofHelper.CLASS_NAME, "unsupportedProofType", { proofType });
+        }
+        return signerVerifier;
+    }
+    /**
+     * Create a proof for the given data.
+     * @param proofType The type of proof to create.
+     * @param unsecuredDocument The data to create the proof for.
+     * @param unsignedProof The proof options.
+     * @param signKey The key to sign the proof with.
+     * @returns The created proof.
+     */
+    static async createProof(proofType, unsecuredDocument, unsignedProof, signKey) {
+        core.Guards.arrayOneOf(this.CLASS_NAME, "proofType", proofType, Object.values(ProofTypes));
+        core.Guards.object(this.CLASS_NAME, "unsecuredDocument", unsecuredDocument);
+        core.Guards.object(this.CLASS_NAME, "unsignedProof", unsignedProof);
+        core.Guards.object(this.CLASS_NAME, "signKey", signKey);
+        return ProofHelper.createSignerVerifier(proofType).createProof(unsecuredDocument, unsignedProof, signKey);
+    }
+    /**
+     * Verify a proof for the given data.
+     * @param securedDocument The credential to verify.
+     * @param signedProof The proof to verify.
+     * @param verifyKey The public key to verify the proof with.
+     * @returns True if the credential was verified.
+     */
+    static async verifyProof(securedDocument, signedProof, verifyKey) {
+        core.Guards.object(this.CLASS_NAME, "securedDocument", securedDocument);
+        core.Guards.object(this.CLASS_NAME, "signedProof", signedProof);
+        core.Guards.object(this.CLASS_NAME, "verifyKey", verifyKey);
+        if (core.Is.empty(securedDocument.proof)) {
+            throw new core.GeneralError(ProofHelper.CLASS_NAME, "proofMissing");
+        }
+        const proofs = core.Is.array(securedDocument.proof)
+            ? securedDocument.proof
+            : [securedDocument.proof];
+        let verified = false;
+        for (const proof of proofs) {
+            const signerVerifier = ProofHelper.createSignerVerifier(proof.type);
+            verified = await signerVerifier.verifyProof(securedDocument, proof, verifyKey);
+            if (!verified) {
+                return false;
+            }
+        }
+        return verified;
+    }
+}
+
+exports.DataIntegrityProofSignerVerifier = DataIntegrityProofSignerVerifier;
 exports.DidContexts = DidContexts;
 exports.DidCryptoSuites = DidCryptoSuites;
 exports.DidTypes = DidTypes;
 exports.DidVerificationMethodType = DidVerificationMethodType;
+exports.JsonWebSignature2020SignerVerifier = JsonWebSignature2020SignerVerifier;
+exports.MultikeyHelper = MultikeyHelper;
+exports.ProofHelper = ProofHelper;
+exports.ProofTypes = ProofTypes;