@parmanasystems/crypto provides the cryptographic signing and verification primitives used throughout the Parmana Systems runtime. It wraps Node.js’s crypto module behind typed interfaces.

Install

npm install @parmanasystems/crypto

Key concepts

All signing in Parmana Systems uses Ed25519 — a high-performance elliptic-curve signature scheme. Key properties:
  • Deterministic — the same message + private key always produces the same signature
  • Fast — optimized for high-throughput signing
  • Compact — 64-byte signatures, 32-byte public keys
  • Secure — signing needs no per-signature random nonce, and the algorithm is designed for implementations without secret-dependent timing

Key exports

LocalSigner

Signs arbitrary byte strings with an Ed25519 private key in PEM format.

import { LocalSigner } from "@parmanasystems/crypto";
import crypto from "crypto";

const { privateKey } = crypto.generateKeyPairSync("ed25519", {
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
});

const signer = new LocalSigner(privateKey);
const signature = signer.sign("canonical-attestation-json");
// → base64-encoded 64-byte Ed25519 signature

LocalVerifier

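Verifies an Ed25519 signature against a public key in PEM format.

import { LocalVerifier } from "@parmanasystems/crypto";

// publicKey: PEM-encoded Ed25519 public key matching the signer's private key
// signature: base64 string returned by LocalSigner.sign()
const verifier = new LocalVerifier(publicKey);
const valid = verifier.verify("canonical-attestation-json", signature);
// → true or false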

signBundle(bundle, signer): SignedBundle

Signs a governance bundle manifest.

Signer interface

Both LocalSigner and AwsKmsSigner (in @parmanasystems/execution) implement the same Signer interface:

interface Signer {
  sign(input: string): string;  // returns base64 signature
}

Swap LocalSigner for AwsKmsSigner to move signing to AWS KMS without changing any other code.

Key generation (development)

import crypto from "crypto";

const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519", {
  privateKeyEncoding: { type: "pkcs8", format: "pem" },
  publicKeyEncoding:  { type: "spki",  format: "pem" },
});

Never commit private keys. In production, use AWS KMS, HashiCorp Vault, or another HSM-backed key provider. The LocalSigner is for development and testing only.
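
The Signer contract and the Ed25519 properties listed under Key concepts can be checked with Node's built-in crypto module alone. This is an added example, not code from @parmanasystems/crypto. DemoSigner, DemoVerifier, loadEd25519, newPemPair and the sample message are hypothetical stand-ins, and the fail-closed length check is an assumption about how a verifier should treat malformed input.

```javascript
// Hypothetical stand-ins for the page's Signer shape; not the package's own code.
const nodeCrypto = require("node:crypto");
function loadEd25519(pem, load) {
  const key = load(pem);
  if (key.asymmetricKeyType !== "ed25519") throw new TypeError("expected an Ed25519 key");
  return key;
}

class DemoSigner {
  constructor(privateKeyPem) { this.key = loadEd25519(privateKeyPem, nodeCrypto.createPrivateKey); }
  sign(input) {
    // Ed25519 hashes the message internally, so the digest argument is null.
    return nodeCrypto.sign(null, Buffer.from(input, "utf8"), this.key).toString("base64");
  }
}

class DemoVerifier {
  constructor(publicKeyPem) { this.key = loadEd25519(publicKeyPem, nodeCrypto.createPublicKey); }
  verify(input, signatureB64) {
    // Fail closed: reject anything that does not decode to exactly 64 bytes.
    if (typeof input !== "string" || typeof signatureB64 !== "string") return false;
    const sig = Buffer.from(signatureB64, "base64");
    if (sig.length !== 64) return false;
    return nodeCrypto.verify(null, Buffer.from(input, "utf8"), this.key, sig);
  }
}

function newPemPair() {
  const pem = (type) => ({ type, format: "pem" });
  const opts = { privateKeyEncoding: pem("pkcs8"), publicKeyEncoding: pem("spki") };
  return nodeCrypto.generateKeyPairSync("ed25519", opts);
}

function demo() {
  const { privateKey, publicKey } = newPemPair();
  const signer = new DemoSigner(privateKey);
  const verifier = new DemoVerifier(publicKey);
  const msg = '{"decision":"allow","policy":"demo"}'; // constructed sample input
  const sig = signer.sign(msg);
  return {
    deterministic: signer.sign(msg) === sig,
    signatureBytes: Buffer.from(sig, "base64").length,
    valid: verifier.verify(msg, sig),
    tampered: verifier.verify(msg.replace("allow", "deny"), sig),
    reordered: verifier.verify('{"policy":"demo","decision":"allow"}', sig),
    wrongKey: new DemoVerifier(newPemPair().publicKey).verify(msg, sig),
    truncated: verifier.verify(msg, sig.slice(0, 40)),
  };
}
console.log(demo());
```

The reordered case shows why the signed input has to be a canonical serialization: the signature covers exact bytes, so the same JSON fields in a different key order no longer verify.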