Class VoucherSignatureService

java.lang.Object
xyz.tcheeric.cashu.voucher.domain.VoucherSignatureService

public final class VoucherSignatureService extends Object
Service for ED25519 signature generation and verification of voucher secrets.

This service provides cryptographic operations for vouchers:

  • Signing voucher secrets with issuer private keys (ED25519)
  • Verifying signatures with issuer public keys (ED25519)
  • Creating complete SignedVoucher instances

Cryptographic Details

Uses ED25519 signatures over the canonical CBOR representation of the voucher secret. The canonical bytes are obtained via VoucherSecret.toCanonicalBytes(), which ensures deterministic serialization.

Key Format

Keys are expected as hex-encoded strings:

  • Private key: 64 hex characters (32 bytes)
  • Public key: 64 hex characters (32 bytes)

Thread Safety

All methods are stateless and thread-safe.

Method Details

    • sign

      public static byte[] sign(@NonNull VoucherSecret secret, @NonNull String issuerPrivateKeyHex)
      Signs a voucher secret with an issuer's private key.

      The signature is generated over the canonical CBOR bytes of the voucher secret using ED25519. The resulting signature is 64 bytes.

      Parameters:
      secret - the voucher secret to sign (must not be null)
      issuerPrivateKeyHex - the issuer's private key as hex string (64 chars, must not be null)
      Returns:
      the ED25519 signature (64 bytes)
      Throws:
      IllegalArgumentException - if the private key format is invalid
    • verify

      public static boolean verify(@NonNull VoucherSecret secret, @NonNull byte[] signature, @NonNull String issuerPublicKeyHex)
      Verifies a voucher signature using the issuer's public key.

      Verifies that the signature is valid for the voucher secret's canonical bytes using ED25519 signature verification.

      Parameters:
      secret - the voucher secret (must not be null)
      signature - the signature to verify (must not be null, 64 bytes)
      issuerPublicKeyHex - the issuer's public key as hex string (64 chars, must not be null)
      Returns:
      true if the signature is valid, false otherwise
    • createSigned

      public static SignedVoucher createSigned(@NonNull VoucherSecret secret, @NonNull String issuerPrivateKeyHex, @NonNull String issuerPublicKeyHex)
      Creates a signed voucher by signing the secret and wrapping it.

      This is a convenience method that combines signing and voucher creation:

      1. Signs the voucher secret with the private key
      2. Creates a SignedVoucher with the signature and public key
      Parameters:
      secret - the voucher secret to sign (must not be null)
      issuerPrivateKeyHex - the issuer's private key as hex string (must not be null)
      issuerPublicKeyHex - the issuer's public key as hex string (must not be null)
      Returns:
      a new SignedVoucher instance
      Throws:
      IllegalArgumentException - if key formats are invalid
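The sign/verify contract documented above (64-hex-character keys, 64-byte signatures over canonical bytes), as an added example that is not this library's code: it uses only the JDK's java.security API (Java 17+) and shows that a signature stops verifying once the signed bytes change. Assumptions: the class and helper names are hypothetical, the byte array is a constructed stand-in for the output of VoucherSecret.toCanonicalBytes(), the key pair is the public RFC 8032 test vector, and returning false on malformed input is a choice made in this example.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.spec.*;
import java.util.HexFormat;
public class VoucherSignatureDemo {
    // Enforce the documented key format: 64 hex characters = 32 bytes.
    static byte[] decodeKey(String hex) {
        if (hex == null || !hex.matches("[0-9a-fA-F]{64}"))
            throw new IllegalArgumentException("key must be 64 hex characters");
        return HexFormat.of().parseHex(hex);
    }
    static byte[] sign(byte[] canonical, String privHex) throws GeneralSecurityException {
        Signature s = Signature.getInstance("Ed25519");
        s.initSign(KeyFactory.getInstance("Ed25519").generatePrivate(
                new EdECPrivateKeySpec(NamedParameterSpec.ED25519, decodeKey(privHex))));
        s.update(canonical);
        return s.sign(); // Ed25519 signatures are always 64 bytes
    }
    // RFC 8032 encoding: little-endian y; top bit of the last byte is the sign of x.
    static PublicKey publicKey(String hex) throws GeneralSecurityException {
        byte[] le = decodeKey(hex);
        boolean xOdd = (le[31] & 0x80) != 0;
        le[31] &= 0x7f;
        byte[] be = new byte[32];
        for (int i = 0; i < 32; i++) be[i] = le[31 - i];
        return KeyFactory.getInstance("Ed25519").generatePublic(new EdECPublicKeySpec(
                NamedParameterSpec.ED25519, new EdECPoint(xOdd, new BigInteger(1, be))));
    }
    // Fails closed: a wrong-length signature or malformed key yields false (a choice made here).
    static boolean verify(byte[] canonical, byte[] sig, String pubHex) {
        if (sig == null || sig.length != 64) return false;
        try {
            Signature s = Signature.getInstance("Ed25519");
            s.initVerify(publicKey(pubHex));
            s.update(canonical);
            return s.verify(sig);
        } catch (GeneralSecurityException | IllegalArgumentException e) { return false; }
    }
    public static void main(String[] args) throws Exception {
        // RFC 8032 section 7.1 test-vector key pair: public knowledge, never use for real vouchers.
        String priv = "9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60";
        String pub = "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a";
        byte[] canonical = HexFormat.of().parseHex("a1616101"); // constructed stand-in bytes
        byte[] sig = sign(canonical, priv);
        System.out.println("valid:    " + verify(canonical, sig, pub));
        canonical[3] ^= 0x01; // flip one bit of the signed bytes
        System.out.println("tampered: " + verify(canonical, sig, pub));
    }
}
```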