FEAT: Add offline verifyWithPublicKey and make the package requirable.#6
Open
oleksandrlazarenko-pi wants to merge 1 commit into
Open
FEAT: Add offline verifyWithPublicKey and make the package requirable.#6oleksandrlazarenko-pi wants to merge 1 commit into
oleksandrlazarenko-pi wants to merge 1 commit into
Conversation
This was referenced Jun 29, 2026
Merged
Jamesr51d
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds an offline
verifyWithPublicKey(publicPem, others)method that verifiesan OWID against a caller-supplied SPKI public key using Web Crypto, working
in Node as well as the browser. Also adds
name/version/maintopackage.jsonso the library can be consumed as a module (require('owid')).Both changes are additive — no existing behaviour is modified.
Motivation
The existing
verify()always reaches the network: it either POSTs to the/owid/api/v{n}/verifyendpoint, or fetches the creator's key from/owid/api/v1/creatorand then verifies locally. There was no way to verify anOWID offline against a key the caller already holds.
51Degrees consumes owid-js from a Node SDK (the 51Did /
FodIdreader inpipeline-node) where there is no browser, nowindow, and the public key issupplied directly. That needs (a) an offline verify with a supplied key and
(b) a Web Crypto lookup that does not assume
window. It also needs owid-js tobe a requirable package.
Changes
v1.jsthis.verifyWithPublicKey(publicPem, others)— imports the suppliedSPKI PEM, rebuilds the signed message (
getByteArray(this.owid)plus each ofothers, in order), and callscrypto.subtle.verify. Returns aPromise<boolean>. No network access.getSubtle()— resolvesglobalThis.crypto.subtle(Node 19+ andbrowsers), falling back to
window.crypto— so the code is not hard-wired tothe browser global.
importSpkiKey(subtle, pem)— a Node-and-browser SPKI PEM importerused by the above (the existing
importEcdsaKeyis unchanged).package.jsonname(owid),version,main(v1.js),description,licenseso the package can be installed and
required.Compatibility & behaviour
new method sits alongside
verify().getSubtle()resolves the samecrypto.subtleas before.window,fetch, or DOM APIs, so itruns under Node's Web Crypto.
Usage
Testing
adds code.
pipeline-nodeFodIdsuite (31 tests, including "cryptographically verifiable" and "verifywith the wrong key returns false"), which signs OWIDs with Node Web Crypto and
verifies them offline through
verifyWithPublicKey.Notes for reviewers
verifyWithPublicKey(sign with WebCrypto in the test, verify with the exported SPKI key) if you would like the
coverage to live in this repo as well.
getSubtle()prefersglobalThis.crypto; on older browsers that only exposewindow.cryptothe fallback covers it.