Add usage docs to the readme.

Something seems to be wrong with this import https://github.com/digitalbazaar/ed25519-signature-2020/blob/main/lib/Ed25519Signature2020.js#L12 when consuming this library in a typescript project. Specifically I'm hitting this error while running tests in jest.

/path-to-project/node_modules/@digitalbazaar/ed25519-signature-2020/lib/Ed25519Signature2020.js:1
    TypeError: Cannot read property 'constants' of undefined

      at Object.<anonymous> (node_modules/@digitalbazaar/ed25519-signature-2020/lib/Ed25519Signature2020.js:14:40)
          at Object.<anonymous> (/path-to-project/node_modules/@digitalbazaar/ed25519-signature-2020/lib/main.js:1)

Just wondering if anyone has seen anything like this and how I could get around it

So when I click on Ed25519Signature2020 Crypto Suite in the readme, I get a 404 page.

When using the library in conjunction with vc-js as described in the example

import vc from '@digitalbazaar/vc';

// Required to set up a suite instance with private key
import {Ed25519VerificationKey2020} from
  '@digitalbazaar/ed25519-verification-key-2020';
import {Ed25519Signature2020} from '@digitalbazaar/ed25519-signature-2020';

const keyPair = await Ed25519VerificationKey2020.generate();

const suite = new Ed25519Signature2020({key: keyPair});

// Sample unsigned credential
const credential = {
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://www.w3.org/2018/credentials/examples/v1"
  ],
  "id": "https://example.com/credentials/1872",
  "type": ["VerifiableCredential", "AlumniCredential"],
  "issuer": "https://example.edu/issuers/565049",
  "issuanceDate": "2010-01-01T19:23:24Z",
  "credentialSubject": {
    "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
    "alumniOf": "Example University"
  }
};

const signedVC = await vc.issue({credential, suite, documentLoader});
console.log(JSON.stringify(signedVC, null, 2));

It produces throw new TypeError('"suite.verificationMethod" property is required.');

When looking into the suite Object the verificationMethod is indeed undefined. Shouldn't the library include a default verification method, e.g. the publicKey of the keyPair which is given to the contructor?

If the 2020 signature suite encounters a 2018 type key, convert it to 2020 and enable verification.

Desired Behavior

The additional functionality we're looking for is:

Be able to verify proofs of type Ed25519Signature2020, using legacy 2018 keys (keys of type Ed25519VerificationKey2018). (This is needed since much of our peer ecosystem does not have 2020 keys implemented, so we need this for wallet interop, etc.)

Specifically, when a documentLoader returns a public key object of type 2018 (AND that key object has the 2018 context), allow the 2020 signature suite to verify a 2020 signature with that 2018 key.

If it receives a type 2018 key but it does not have a context (or is using the 2020 context for some reason), then throw an error.

Implementation Notes

• Add @digitalbazaar/ed25519-verification-key-2018 lib to devDependencies.
• Replace test suite documentLoader setup with our jsonld-document-loader, and load it up with the ed25519 2020 AND the 2018 context.
• Add a couple of unit tests to the test suite. For these, you'll want to add a static entry to the document loader that's like keyId -> public key object of type 2018
  • If a 2020 signature's verificationMethod is a 2018 key, validate the signature with that key correctly (but only if the resolved key object has a 2018 context).
  • If a 2020 signature's verificationMethod is a 2018 key, BUT the resolved key object (resolved via the documentLoader) does NOT have a 2018 context, throw error.
  • Same as above, but instead of no context, have the 2018 type key object have the wrong context (like a 2020 one).
• To pass these tests, you'll be modifying the 2020 signature suite itself. First, modify the assertVerificationMethod code. Add support for the 2018 context (but only if the type is 2018 as well).
• Modify getVerificationMethod -- (after the assertVerificationMethod call, at the bottom) will need to convert from a 2018 key to a 2020 key (so that the verifySignature logic, later on, can proceed as normal, with a 2020 key).

The Example https://github.com/digitalbazaar/ed25519-signature-2020#usage uses a documentLoader which is not imported. Could you add an example where to get the loader from?

Hi,
Our recent WhiteSource scan reported a a medium severity vulnerabilities from @digitalbazaar/ed25519-signature-2020 3.0.0.
According to WhiteSource, this vulnerabilities is caused by this chain of dependencies:
ed25519-signature-2020 3.0.0
->[email protected]
->[email protected]
->@digitalbazaar/[email protected]
->[email protected]
->[email protected]
[email protected] causes CVE-2022-0235.
It seems that upgrading to the latest ky-universal (0.10.1) will solve this issue.
Thanks