Skip to main content
[AVAILABLE] for every export below. [ROADMAP] for KMS/HSM key custody, no provider class exists for it yet, see Deploy patterns.

Purpose

Every hash and signature in Parmana goes through this package: trust record hashing, authorization signing and verification, receipt signing, and canonical JSON serialization so the signing side and verifying side always compute byte-identical input.

Install

npm install @parmana/crypto

Key exports

Bootstrap, [AVAILABLE]

ExportSignature
CryptoBootstrap.create()(): CryptoProvider, builds from config.crypto.primarySignatureProvider
CryptoBootstrap.createHybrid()(): HybridCryptoProvider, requires SECONDARY_SIGNATURE_PROVIDER set, throws otherwise
See Choose a signature provider for both, run live.

High-level services, [AVAILABLE]

ExportPurpose
VerificationCrypto.hash(), .sign(), .verifySignature(), .verify() on an ExecutionTrustRecord. No constructor arguments, builds its own FileKeyProvider internally. See Verify a trust record independently.
AuthorizationSigner.sign({ decisionId, businessTransactionId, policyName, policyVersion, executableContent }, privateKey, keyId, ttlSeconds): Promise<SignedExecutionAuthorization>
AuthorizationVerifierVerifies a SignedExecutionAuthorization’s signature independent of @parmana/envelope-verifier’s fuller checks (expiry, nonce, TTL policy)
ReceiptCryptoSigns and verifies Receipt artifacts
TrustRecordHasherCanonical hash of an ExecutionTrustRecord’s signed fields, see Execution trust records for exactly which fields
ExecutableContentHasherCanonical hash of { businessTransactionId, action, target, parameters }, the value bound into businessTransactionHash, see The gateway
ReceiptHasherCanonical hash for receipts

Low-level primitives, [AVAILABLE]

ExportPurpose
ArtifactSigner / SignatureVerifierSign/verify any canonically-serializable object with a given CryptoProvider
CanonicalSerializerKey-sorted, deterministic JSON serialization, what makes hashing reproducible
Ed25519SignatureProviderDefault signature provider
Dilithium3SignatureProviderML-DSA-65 (FIPS 204) provider, requires Node ≥ 24, produces randomized (non-deterministic) signatures
SHA256HashProviderDefault hash provider
FileKeyProvider.getPrivateKey(keyId), .getPublicKey(keyId), reads <PARMANA_KEY_DIR>/<keyId>.{private,public}.pem. getPublicKey never checks for the private key file. The only implemented KeyProvider.
assertKeyTypeFails closed, naming both expected and actual key type, if a key doesn’t match the configured provider (CLAIMS.md 2.13)

Hybrid signing, [AVAILABLE]

ExportPurpose
HybridSigner / HybridVerifierSign or verify with two CryptoProviders at once
SignatureBundleBuilderBuilds a SignatureBundle (primary + secondary signature)

Minimal example

import { readFileSync } from "node:fs";
import { VerificationCrypto } from "@parmana/crypto";

const trustRecord = JSON.parse(readFileSync("trust-record.json", "utf8"));
const crypto = new VerificationCrypto();
const verified = await crypto.verify(trustRecord); // true, offline, no server needed
Full runnable version: Verify a trust record independently.

Next

Choose a signature provider

Ed25519, ML-DSA-65, and hybrid signing, all run live.

@parmana/envelope-verifier

Where AuthorizationVerifier’s check fits into the fuller envelope verification flow.