UNPKG

vouchsafe

Version:

Vouchsafe Decentralized Identity and Trust Verification module

github.com/ionzero/vouchsafe

ionzero/vouchsafe-js

125 lines (100 loc) 4.45 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
import { getKeyBytes, generateKeyPair, sha256, sha512 } from './crypto/index.mjs'; import { VOUCHSAFE_SPEC_VERSION } from './version.mjs'; import { base32Encode, toBase64, fromBase64 } from './utils.mjs'; const SUPPORTED_HASHES = { sha256, sha512, }; /** * Create a new Vouchsafe identity * @param {string} label - Required, lowercase a-z0-9 and hyphen * @param {string} hashAlg - Optional: 'sha256' (default) or 'sha512' * @returns {Promise<{ urn, publicKey, privateKey, publicKeyHash }>} */ export async function createVouchsafeIdentity(label, hashAlg = 'sha256') { if (!label || typeof label !== 'string' || !/^[a-zA-Z0-9\-_%\+]{1,32}$/.test(label)) { throw new Error("Invalid label. Must be lowercase, 1–32 chars, letters/numbers/hyphens only."); } const hashFn = SUPPORTED_HASHES[hashAlg]; if (!hashFn) throw new Error(`Unsupported hash algorithm: ${hashAlg}`); const { publicKey, privateKey } = await generateKeyPair(); const pemPubBytes = new Uint8Array(publicKey); const rawPubKey = await getKeyBytes('public', publicKey); const pubBytes = new Uint8Array(rawPubKey); const hash = new Uint8Array(await hashFn(pubBytes)); const hashB32 = base32Encode(hash).toLowerCase(); const urn = `urn:vouchsafe:${label}.${hashB32}` + (hashAlg !== 'sha256' ? `.${hashAlg}` : ''); return { urn, keypair: { publicKey: toBase64(pemPubBytes), privateKey: toBase64(new Uint8Array(privateKey)), }, publicKeyHash: hashB32, version: VOUCHSAFE_SPEC_VERSION }; } /** * Verify a Vouchsafe URN matches a given public key * @param {string} urn * @param {string} publicKeyBase64 * @returns {Promise<boolean>} */ export async function verifyUrnMatchesKey(urn, publicKeyBase64) { const match = urn.match(/^urn:vouchsafe:([a-zA-Z0-9\-_%\+]+)\.([a-z2-7]{52})(?:\.(sha256|sha512))?$/); if (!match) return false; const [, , expectedHash, hashAlg = 'sha256'] = match; const hashFn = SUPPORTED_HASHES[hashAlg]; if (!hashFn) return false; const rawPubKey = await getKeyBytes('public', publicKeyBase64); const pubBytes = new Uint8Array(rawPubKey); const hash = new Uint8Array(await hashFn(pubBytes)); const actualB32 = base32Encode(hash).toLowerCase(); return actualB32 === expectedHash; } /** * Create a Vouchsafe identity from an existing DER-based Ed25519 keypair * @param {string} label - human-readable label (3–32 chars, a-zA-Z0-9-_+%) * @param {{ publicKey: string, privateKey: string }} keypair - base64-encoded DER keys * @param {string} hashAlg - 'sha256' (default) or 'sha512' * @returns {Promise<{ urn, keypair, publicKeyHash, version }>} */ export async function createVouchsafeIdentityFromKeypair(label, keypair, hashAlg = 'sha256') { if (!label || typeof label !== 'string' || !/^[a-zA-Z0-9\-_%\+]{3,32}$/.test(label)) { throw new Error("Invalid label. Must be 1–32 characters (a–z, 0–9, -, _, %, +)."); } const hashFn = SUPPORTED_HASHES[hashAlg]; if (!hashFn) throw new Error(`Unsupported hash algorithm: ${hashAlg}`); if (!keypair || typeof keypair !== 'object' || !keypair.publicKey || !keypair.privateKey) { throw new Error("Keypair must include base64-encoded publicKey and privateKey."); } // ✅ Verify public key and extract raw bytes (throws if invalid) const rawPubKey = await getKeyBytes('public', keypair.publicKey); // ✅ Optionally verify private key format and Ed25519 algorithm await getKeyBytes('private', keypair.privateKey); // throws if invalid // ✅ Hash the raw public key for URN const pubBytes = new Uint8Array(rawPubKey); const hash = new Uint8Array(await hashFn(pubBytes)); const hashB32 = base32Encode(hash).toLowerCase(); /* const hash = new Uint8Array(await hashFn(rawPubKey)); const hashB32 = base32Encode(hash).toLowerCase(); */ const urn = `urn:vouchsafe:${label}.${hashB32}` + (hashAlg !== 'sha256' ? `.${hashAlg}` : ''); return { urn, keypair: { publicKey: keypair.publicKey, // original DER b64 privateKey: keypair.privateKey }, publicKeyHash: hashB32, version: VOUCHSAFE_SPEC_VERSION }; } function toHexString(uint8arr) { return Array.from(uint8arr) .map(b => b.toString(16).padStart(2, '0')) .join(''); }