Skip to content

FEAT: Add offline verifyWithPublicKey and make the package requirable.#6

Open
oleksandrlazarenko-pi wants to merge 1 commit into
SWAN-community:mainfrom
51Degrees:feature/offline-verify
Open

FEAT: Add offline verifyWithPublicKey and make the package requirable.#6
oleksandrlazarenko-pi wants to merge 1 commit into
SWAN-community:mainfrom
51Degrees:feature/offline-verify

Conversation

@oleksandrlazarenko-pi

@oleksandrlazarenko-pi oleksandrlazarenko-pi commented Jun 29, 2026

Copy link
Copy Markdown

Summary

Adds an offline verifyWithPublicKey(publicPem, others) method that verifies
an OWID against a caller-supplied SPKI public key using Web Crypto, working
in Node as well as the browser. Also adds name/version/main to
package.json so the library can be consumed as a module (require('owid')).
Both changes are additive — no existing behaviour is modified.

Motivation

The existing verify() always reaches the network: it either POSTs to the
/owid/api/v{n}/verify endpoint, or fetches the creator's key from
/owid/api/v1/creator and then verifies locally. There was no way to verify an
OWID offline against a key the caller already holds.

51Degrees consumes owid-js from a Node SDK (the 51Did / FodId reader in
pipeline-node) where there is no browser, no window, and the public key is
supplied directly. That needs (a) an offline verify with a supplied key and
(b) a Web Crypto lookup that does not assume window. It also needs owid-js to
be a requirable package.

Changes

  • v1.js
    • Added this.verifyWithPublicKey(publicPem, others) — imports the supplied
      SPKI PEM, rebuilds the signed message (getByteArray(this.owid) plus each of
      others, in order), and calls crypto.subtle.verify. Returns a
      Promise<boolean>. No network access.
    • Added getSubtle() — resolves globalThis.crypto.subtle (Node 19+ and
      browsers), falling back to window.crypto — so the code is not hard-wired to
      the browser global.
    • Added importSpkiKey(subtle, pem) — a Node-and-browser SPKI PEM importer
      used by the above (the existing importEcdsaKey is unchanged).
  • package.json
    • Added name (owid), version, main (v1.js), description, license
      so the package can be installed and required.

Compatibility & behaviour

  • Purely additive. No existing function, signature or behaviour changes; the
    new method sits alongside verify().
  • Browser unaffected. In the browser getSubtle() resolves the same
    crypto.subtle as before.
  • Node support. The new path uses no window, fetch, or DOM APIs, so it
    runs under Node's Web Crypto.

Usage

const owid = require('owid');
const o = new owid(base64);
const ok = await o.verifyWithPublicKey(publicKeySpkiPem); // Promise<boolean>

Testing

  • The existing owid-js test suite (jsdom) continues to pass — the change only
    adds code.
  • The new method is exercised end to end by the 51Degrees pipeline-node
    FodId suite (31 tests, including "cryptographically verifiable" and "verify
    with the wrong key returns false"), which signs OWIDs with Node Web Crypto and
    verifies them offline through verifyWithPublicKey.

Notes for reviewers

  • Happy to add a dedicated owid-js test for verifyWithPublicKey (sign with Web
    Crypto in the test, verify with the exported SPKI key) if you would like the
    coverage to live in this repo as well.
  • getSubtle() prefers globalThis.crypto; on older browsers that only expose
    window.crypto the fallback covers it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants