rename tokens to token

token/delegation/delegation.go

@@ -0,0 +1,255 @@
+// Package delegation implements the UCAN [delegation] specification with
+// an immutable Token type as well as methods to convert the Token to and
+// from the [envelope]-enclosed, signed and DAG-CBOR-encoded form that
+// should most commonly be used for transport and storage.
+//
+// [delegation]: https://github.com/ucan-wg/delegation/tree/v1_ipld
+// [envelope]: https://github.com/ucan-wg/spec#envelope
+package delegation
+
+// TODO: change the "delegation" link above when the specification is merged
+
+import (
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/ipfs/go-cid"
+	"github.com/libp2p/go-libp2p/core/crypto"
+
+	"github.com/ucan-wg/go-ucan/did"
+	"github.com/ucan-wg/go-ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/meta"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
+)
+
+// Token is an immutable type that holds the fields of a UCAN delegation.
+type Token struct {
+	// Issuer DID (sender)
+	issuer did.DID
+	// Audience DID (receiver)
+	audience did.DID
+	// Principal that the chain is about (the Subject)
+	subject did.DID
+	// The Command to eventually invoke
+	command command.Command
+	// The delegation policy
+	policy policy.Policy
+	// A unique, random nonce
+	nonce []byte
+	// Arbitrary Metadata
+	meta *meta.Meta
+	// "Not before" UTC Unix Timestamp in seconds (valid from), 53-bits integer
+	notBefore *time.Time
+	// The timestamp at which the Invocation becomes invalid
+	expiration *time.Time
+	// The CID of the Token when enclosed in an Envelope and encoded to DAG-CBOR
+	cid cid.Cid
+}
+
+// New creates a validated Token from the provided parameters and options.
+//
+// When creating a delegated token, the Issuer's (iss) DID is assembed
+// using the public key associated with the private key sent as the first
+// parameter.
+func New(privKey crypto.PrivKey, aud did.DID, cmd command.Command, pol policy.Policy, opts ...Option) (*Token, error) {
+	iss, err := did.FromPrivKey(privKey)
+	if err != nil {
+		return nil, err
+	}
+
+	tkn := &Token{
+		issuer:   iss,
+		audience: aud,
+		subject:  did.Undef,
+		command:  cmd,
+		policy:   pol,
+		meta:     meta.NewMeta(),
+		nonce:    nil,
+		cid:      cid.Undef,
+	}
+
+	for _, opt := range opts {
+		if err := opt(tkn); err != nil {
+			return nil, err
+		}
+	}
+
+	if len(tkn.nonce) == 0 {
+		tkn.nonce, err = generateNonce()
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	if err := tkn.validate(); err != nil {
+		return nil, err
+	}
+
+	return tkn, nil
+}
+
+// Root creates a validated UCAN delegation Token from the provided
+// parameters and options.
+//
+// When creating a root token, both the Issuer's (iss) and Subject's
+// (sub) DIDs are assembled from the public key associated with the
+// private key passed as the first argument.
+func Root(privKey crypto.PrivKey, aud did.DID, cmd command.Command, pol policy.Policy, opts ...Option) (*Token, error) {
+	sub, err := did.FromPrivKey(privKey)
+	if err != nil {
+		return nil, err
+	}
+
+	opts = append(opts, WithSubject(sub))
+
+	return New(privKey, aud, cmd, pol, opts...)
+}
+
+// Issuer returns the did.DID representing the Token's issuer.
+func (t *Token) Issuer() did.DID {
+	return t.issuer
+}
+
+// Audience returns the did.DID representing the Token's audience.
+func (t *Token) Audience() did.DID {
+	return t.audience
+}
+
+// Subject returns the did.DID representing the Token's subject.
+//
+// This field may be did.Undef for delegations that are [Powerlined] but
+// must be equal to the value returned by the Issuer method for root
+// tokens.
+func (t *Token) Subject() did.DID {
+	return t.subject
+}
+
+// Command returns the capability's command.Command.
+func (t *Token) Command() command.Command {
+	return t.command
+}
+
+// Policy returns the capability's policy.Policy.
+func (t *Token) Policy() policy.Policy {
+	return t.policy
+}
+
+// Nonce returns the random Nonce encapsulated in this Token.
+func (t *Token) Nonce() []byte {
+	return t.nonce
+}
+
+// Meta returns the Token's metadata.
+func (t *Token) Meta() *meta.Meta {
+	return t.meta
+}
+
+// NotBefore returns the time at which the Token becomes "active".
+func (t *Token) NotBefore() *time.Time {
+	return t.notBefore
+}
+
+// Expiration returns the time at which the Token expires.
+func (t *Token) Expiration() *time.Time {
+	return t.expiration
+}
+
+// CID returns the content identifier of the Token model when enclosed
+// in an Envelope and encoded to DAG-CBOR.
+// Returns cid.Undef if the token has not been serialized or deserialized yet.
+func (t *Token) CID() cid.Cid {
+	return t.cid
+}
+
+func (t *Token) validate() error {
+	var errs error
+
+	requiredDID := func(id did.DID, fieldname string) {
+		if !id.Defined() {
+			errs = errors.Join(errs, fmt.Errorf(`a valid did is required for %s: %s`, fieldname, id.String()))
+		}
+	}
+
+	requiredDID(t.issuer, "Issuer")
+	requiredDID(t.audience, "Audience")
+
+	if len(t.nonce) < 12 {
+		errs = errors.Join(errs, fmt.Errorf("token nonce too small"))
+	}
+
+	return errs
+}
+
+// tokenFromModel build a decoded view of the raw IPLD data.
+// This function also serves as validation.
+func tokenFromModel(m tokenPayloadModel) (*Token, error) {
+	var (
+		tkn Token
+		err error
+	)
+
+	tkn.issuer, err = did.Parse(m.Iss)
+	if err != nil {
+		return nil, fmt.Errorf("parse iss: %w", err)
+	}
+
+	tkn.audience, err = did.Parse(m.Aud)
+	if err != nil {
+		return nil, fmt.Errorf("parse audience: %w", err)
+	}
+
+	if m.Sub != nil {
+		tkn.subject, err = did.Parse(*m.Sub)
+		if err != nil {
+			return nil, fmt.Errorf("parse subject: %w", err)
+		}
+	} else {
+		tkn.subject = did.Undef
+	}
+
+	tkn.command, err = command.Parse(m.Cmd)
+	if err != nil {
+		return nil, fmt.Errorf("parse command: %w", err)
+	}
+
+	tkn.policy, err = policy.FromIPLD(m.Pol)
+	if err != nil {
+		return nil, fmt.Errorf("parse policy: %w", err)
+	}
+
+	if len(m.Nonce) == 0 {
+		return nil, fmt.Errorf("nonce is required")
+	}
+	tkn.nonce = m.Nonce
+
+	tkn.meta = &m.Meta
+
+	if m.Nbf != nil {
+		t := time.Unix(*m.Nbf, 0)
+		tkn.notBefore = &t
+	}
+
+	if m.Exp != nil {
+		t := time.Unix(*m.Exp, 0)
+		tkn.expiration = &t
+	}
+
+	if err := tkn.validate(); err != nil {
+		return nil, err
+	}
+
+	return &tkn, nil
+}
+
+// generateNonce creates a 12-byte random nonce.
+// TODO: some crypto scheme require more, is that our case?
+func generateNonce() ([]byte, error) {
+	res := make([]byte, 12)
+	_, err := rand.Read(res)
+	if err != nil {
+		return nil, err
+	}
+	return res, nil
+}

token/delegation/delegation.ipldsch

@@ -0,0 +1,29 @@
+type DID string
+
+# The Delegation payload MUST describe the authorization claims, who is involved, and its validity period.
+type Payload struct {
+    # Issuer DID (sender)
+    iss DID
+    # Audience DID (receiver)
+    aud DID
+    # Principal that the chain is about (the Subject)
+    sub optional DID
+
+    # The Command to eventually invoke
+    cmd String
+
+    # The delegation policy
+    # It doesn't seem possible to represent it with a schema.
+    pol Any
+
+    # A unique, random nonce
+    nonce Bytes
+
+    # Arbitrary Metadata
+    meta {String : Any}
+
+    # "Not before" UTC Unix Timestamp in seconds (valid from), 53-bits integer
+    nbf optional Int
+    # The timestamp at which the Invocation becomes invalid
+    exp nullable Int
+}

token/delegation/delegation_test.go

@@ -0,0 +1,136 @@
+package delegation_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/libp2p/go-libp2p/core/crypto"
+	"github.com/stretchr/testify/require"
+	"gotest.tools/v3/golden"
+
+	"github.com/ucan-wg/go-ucan/did"
+	"github.com/ucan-wg/go-ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/token/delegation"
+)
+
+const (
+	nonce = "6roDhGi0kiNriQAz7J3d+bOeoI/tj8ENikmQNbtjnD0"
+
+	AudiencePrivKeyCfg = "CAESQL1hvbXpiuk2pWr/XFbfHJcZNpJ7S90iTA3wSCTc/BPRneCwPnCZb6c0vlD6ytDWqaOt0HEOPYnqEpnzoBDprSM="
+	AudienceDID        = "did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv"
+
+	issuerPrivKeyCfg = "CAESQLSql38oDmQXIihFFaYIjb73mwbPsc7MIqn4o8PN4kRNnKfHkw5gRP1IV9b6d0estqkZayGZ2vqMAbhRixjgkDU="
+	issuerDID        = "did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2"
+
+	subjectPrivKeyCfg = "CAESQL9RtjZ4dQBeXtvDe53UyvslSd64kSGevjdNiA1IP+hey5i/3PfRXSuDr71UeJUo1fLzZ7mGldZCOZL3gsIQz5c="
+	subjectDID        = "did:key:z6MktA1uBdCpq4uJBqE9jjMiLyxZBg9a6xgPPKJjMqss6Zc2"
+	subJectCmd        = "/foo/bar"
+	subjectPol        = `
+[
+	[
+		"==",
+		".status",
+		"draft"
+	],
+	[
+		"all",
+		".reviewer",
+		[
+			"like",
+			".email",
+			"*@example.com"
+		]
+	],
+	[
+		"any",
+		".tags",
+		[
+			"or",
+			[
+				[
+					"==",
+					".",
+					"news"
+				],
+				[
+					"==",
+					".",
+					"press"
+				]
+			]
+		]
+	]
+]
+`
+
+	newCID  = "zdpuAn9JgGPvnt2WCmTaKktZdbuvcVGTg9bUT5kQaufwUtZ6e"
+	rootCID = "zdpuAkgGmUp5JrXvehGuuw9JA8DLQKDaxtK3R8brDQQVC2i5X"
+)
+
+func TestConstructors(t *testing.T) {
+	t.Parallel()
+
+	privKey := privKey(t, issuerPrivKeyCfg)
+
+	aud, err := did.Parse(AudienceDID)
+
+	sub, err := did.Parse(subjectDID)
+	require.NoError(t, err)
+
+	cmd, err := command.Parse(subJectCmd)
+	require.NoError(t, err)
+
+	pol, err := policy.FromDagJson(subjectPol)
+	require.NoError(t, err)
+
+	exp, err := time.Parse(time.RFC3339, "2200-01-01T00:00:00Z")
+	require.NoError(t, err)
+
+	t.Run("New", func(t *testing.T) {
+		tkn, err := delegation.New(privKey, aud, cmd, pol,
+			delegation.WithNonce([]byte(nonce)),
+			delegation.WithSubject(sub),
+			delegation.WithExpiration(exp),
+			delegation.WithMeta("foo", "fooo"),
+			delegation.WithMeta("bar", "barr"),
+		)
+		require.NoError(t, err)
+
+		data, err := tkn.ToDagJson(privKey)
+		require.NoError(t, err)
+
+		t.Log(string(data))
+
+		golden.Assert(t, string(data), "new.dagjson")
+	})
+
+	t.Run("Root", func(t *testing.T) {
+		t.Parallel()
+
+		tkn, err := delegation.Root(privKey, aud, cmd, pol,
+			delegation.WithNonce([]byte(nonce)),
+			delegation.WithExpiration(exp),
+			delegation.WithMeta("foo", "fooo"),
+			delegation.WithMeta("bar", "barr"),
+		)
+		require.NoError(t, err)
+
+		data, err := tkn.ToDagJson(privKey)
+		require.NoError(t, err)
+
+		t.Log(string(data))
+
+		golden.Assert(t, string(data), "root.dagjson")
+	})
+}
+
+func privKey(t require.TestingT, privKeyCfg string) crypto.PrivKey {
+	privKeyMar, err := crypto.ConfigDecodeKey(privKeyCfg)
+	require.NoError(t, err)
+
+	privKey, err := crypto.UnmarshalPrivateKey(privKeyMar)
+	require.NoError(t, err)
+
+	return privKey
+}

token/delegation/examples_test.go

@@ -0,0 +1,314 @@
+package delegation_test
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+
+	"github.com/ipfs/go-cid"
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/codec/dagcbor"
+	"github.com/ipld/go-ipld-prime/codec/dagjson"
+	"github.com/libp2p/go-libp2p/core/crypto"
+
+	"github.com/ucan-wg/go-ucan/did"
+	"github.com/ucan-wg/go-ucan/pkg/command"
+	"github.com/ucan-wg/go-ucan/pkg/policy"
+	"github.com/ucan-wg/go-ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+)
+
+// The following example shows how to create a delegation.Token with
+// distinct DIDs for issuer (iss), audience (aud) and subject (sub).
+func ExampleNew() {
+	issuerPrivKey := examplePrivKey(issuerPrivKeyCfg)
+	audienceDID := exampleDID(AudienceDID)
+	command := exampleCommand(subJectCmd)
+	policy := examplePolicy(subjectPol)
+	subjectDID := exampleDID(subjectDID)
+
+	// Don't do this in your code - a nonce should be a cryptographically
+	// strong random slice of bytes to ensure the integrity of your private
+	// key.  For this example, a fixed nonce is required to obtain the fixed
+	// printed output (below).  If unsure of what value to supply for the
+	// nonce, don't pass the WithNonce option and one will be generated
+	// when the token is created.
+	nonce := []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b}
+
+	tkn, err := delegation.New(
+		issuerPrivKey,
+		audienceDID,
+		command,
+		policy,
+		delegation.WithSubject(subjectDID),
+		delegation.WithNonce(nonce),
+	)
+	printThenPanicOnErr(err)
+	data, id, err := tkn.ToSealed(issuerPrivKey)
+	printThenPanicOnErr(err)
+
+	printCIDAndSealed(id, data)
+
+	// Output:
+	// CID (base58BTC): zdpuAw26pFuvZa2Z9YAtpZZnWN6VmnRFr7Z8LVY5c7RVWoxGY
+	// DAG-CBOR (base64) out: glhAmnAkgfjAx4SA5pzJmtaHRJtTGNpF1y6oqb4yhGoM2H2EUGbBYT4rVDjMKBgCjhdGHjipm00L8iR5SsQh3sIEBaJhaEQ07QFxc3VjYW4vZGxnQDEuMC4wLXJjLjGoY2F1ZHg4ZGlkOmtleTp6Nk1rcTVZbWJKY1RyUEV4TkRpMjZpbXJUQ3BLaGVwakJGQlNIcXJCRE4yQXJQa3ZjY21kaC9mb28vYmFyY2V4cPZjaXNzeDhkaWQ6a2V5Ono2TWtwem4ybjNaR1QyVmFxTUdTUUMzdHptelY0VFM5UzcxaUZzRFhFMVdub05IMmNwb2yDg2I9PWcuc3RhdHVzZWRyYWZ0g2NhbGxpLnJldmlld2Vyg2RsaWtlZi5lbWFpbG0qQGV4YW1wbGUuY29tg2NhbnllLnRhZ3OCYm9ygoNiPT1hLmRuZXdzg2I9PWEuZXByZXNzY3N1Yng4ZGlkOmtleTp6Nk1rdEExdUJkQ3BxNHVKQnFFOWpqTWlMeXhaQmc5YTZ4Z1BQS0pqTXFzczZaYzJkbWV0YaBlbm9uY2VMAAECAwQFBgcICQoL
+	// Converted to DAG-JSON out:
+	// [
+	//	{
+	//		"/": {
+	//			"bytes": "mnAkgfjAx4SA5pzJmtaHRJtTGNpF1y6oqb4yhGoM2H2EUGbBYT4rVDjMKBgCjhdGHjipm00L8iR5SsQh3sIEBQ"
+	//		}
+	//	},
+	//	{
+	//		"h": {
+	//			"/": {
+	//				"bytes": "NO0BcQ"
+	//			}
+	//		},
+	//		"ucan/dlg@1.0.0-rc.1": {
+	//			"aud": "did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv",
+	//			"cmd": "/foo/bar",
+	//			"exp": null,
+	//			"iss": "did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2",
+	//			"meta": {},
+	//			"nonce": {
+	//				"/": {
+	//					"bytes": "AAECAwQFBgcICQoL"
+	//				}
+	//			},
+	//			"pol": [
+	//				[
+	//					"==",
+	//					".status",
+	//					"draft"
+	//				],
+	//				[
+	//					"all",
+	//					".reviewer",
+	//					[
+	//						"like",
+	//						".email",
+	//						"*@example.com"
+	//					]
+	//				],
+	//				[
+	//					"any",
+	//					".tags",
+	//					[
+	//						"or",
+	//						[
+	//							[
+	//								"==",
+	//								".",
+	//								"news"
+	//							],
+	//							[
+	//								"==",
+	//								".",
+	//								"press"
+	//							]
+	//						]
+	//					]
+	//				]
+	//			],
+	//			"sub": "did:key:z6MktA1uBdCpq4uJBqE9jjMiLyxZBg9a6xgPPKJjMqss6Zc2"
+	//		}
+	//	}
+	// ]
+}
+
+// The following example shows how to create a UCAN root delegation.Token
+// - a delegation.Token with the subject (sub) set to the value of issuer
+// (iss).
+func ExampleRoot() {
+	issuerPrivKey := examplePrivKey(issuerPrivKeyCfg)
+	audienceDID := exampleDID(AudienceDID)
+	command := exampleCommand(subJectCmd)
+	policy := examplePolicy(subjectPol)
+
+	// Don't do this in your code - a nonce should be a cryptographically
+	// strong random slice of bytes to ensure the integrity of your private
+	// key.  For this example, a fixed nonce is required to obtain the fixed
+	// printed output (below).  If unsure of what value to supply for the
+	// nonce, don't pass the WithNonce option and one will be generated
+	// when the token is created.
+	nonce := []byte{0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b}
+
+	tkn, err := delegation.Root(
+		issuerPrivKey,
+		audienceDID,
+		command,
+		policy,
+		delegation.WithNonce(nonce),
+	)
+	printThenPanicOnErr(err)
+	data, id, err := tkn.ToSealed(issuerPrivKey)
+	printThenPanicOnErr(err)
+
+	printCIDAndSealed(id, data)
+
+	// Output:
+	// CID (base58BTC): zdpuAnbsR3e6DK8hBk5WA7KwbHYN6CKY4a3Bv1GNehvFYShQ8
+	// DAG-CBOR (base64) out: glhA67ASBczF/wlIP0ESENn+4ZNQKukjcTNz+fo7K2tYa6OUm0rWICDJJkDWm7lJeQt+KvSA+Y4ctHTQbAr3Lr7mDqJhaEQ07QFxc3VjYW4vZGxnQDEuMC4wLXJjLjGoY2F1ZHg4ZGlkOmtleTp6Nk1rcTVZbWJKY1RyUEV4TkRpMjZpbXJUQ3BLaGVwakJGQlNIcXJCRE4yQXJQa3ZjY21kaC9mb28vYmFyY2V4cPZjaXNzeDhkaWQ6a2V5Ono2TWtwem4ybjNaR1QyVmFxTUdTUUMzdHptelY0VFM5UzcxaUZzRFhFMVdub05IMmNwb2yDg2I9PWcuc3RhdHVzZWRyYWZ0g2NhbGxpLnJldmlld2Vyg2RsaWtlZi5lbWFpbG0qQGV4YW1wbGUuY29tg2NhbnllLnRhZ3OCYm9ygoNiPT1hLmRuZXdzg2I9PWEuZXByZXNzY3N1Yng4ZGlkOmtleTp6Nk1rcHpuMm4zWkdUMlZhcU1HU1FDM3R6bXpWNFRTOVM3MWlGc0RYRTFXbm9OSDJkbWV0YaBlbm9uY2VMAAECAwQFBgcICQoL
+	// Converted to DAG-JSON out:
+	// [
+	//	{
+	//		"/": {
+	//			"bytes": "67ASBczF/wlIP0ESENn+4ZNQKukjcTNz+fo7K2tYa6OUm0rWICDJJkDWm7lJeQt+KvSA+Y4ctHTQbAr3Lr7mDg"
+	//		}
+	//	},
+	//	{
+	//		"h": {
+	//			"/": {
+	//				"bytes": "NO0BcQ"
+	//			}
+	//		},
+	//		"ucan/dlg@1.0.0-rc.1": {
+	//			"aud": "did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv",
+	//			"cmd": "/foo/bar",
+	//			"exp": null,
+	//			"iss": "did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2",
+	//			"meta": {},
+	//			"nonce": {
+	//				"/": {
+	//					"bytes": "AAECAwQFBgcICQoL"
+	//				}
+	//			},
+	//			"pol": [
+	//				[
+	//					"==",
+	//					".status",
+	//					"draft"
+	//				],
+	//				[
+	//					"all",
+	//					".reviewer",
+	//					[
+	//						"like",
+	//						".email",
+	//						"*@example.com"
+	//					]
+	//				],
+	//				[
+	//					"any",
+	//					".tags",
+	//					[
+	//						"or",
+	//						[
+	//							[
+	//								"==",
+	//								".",
+	//								"news"
+	//							],
+	//							[
+	//								"==",
+	//								".",
+	//								"press"
+	//							]
+	//						]
+	//					]
+	//				]
+	//			],
+	//			"sub": "did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2"
+	//		}
+	//	}
+	// ]
+}
+
+// The following example demonstrates how to get a delegation.Token from
+// a DAG-CBOR []byte.
+func ExampleToken_FromSealed() {
+	cborBytes := exampleCBORData()
+	fmt.Println("DAG-CBOR (base64) in:", base64.StdEncoding.EncodeToString(cborBytes))
+
+	tkn, err := delegation.FromSealed(cborBytes)
+	printThenPanicOnErr(err)
+
+	fmt.Println("CID (base58BTC):", envelope.CIDToBase58BTC(tkn.CID()))
+	fmt.Println("Issuer (iss):", tkn.Issuer().String())
+	fmt.Println("Audience (aud):", tkn.Audience().String())
+	fmt.Println("Subject (sub):", tkn.Subject().String())
+	fmt.Println("Command (cmd):", tkn.Command().String())
+	fmt.Println("Policy (pol): TODO")
+	fmt.Println("Nonce (nonce):", hex.EncodeToString(tkn.Nonce()))
+	fmt.Println("Meta (meta): TODO")
+	fmt.Println("NotBefore (nbf):", tkn.NotBefore())
+	fmt.Println("Expiration (exp):", tkn.Expiration())
+
+	// Output:
+	// DAG-CBOR (base64) in: glhAmnAkgfjAx4SA5pzJmtaHRJtTGNpF1y6oqb4yhGoM2H2EUGbBYT4rVDjMKBgCjhdGHjipm00L8iR5SsQh3sIEBaJhaEQ07QFxc3VjYW4vZGxnQDEuMC4wLXJjLjGoY2F1ZHg4ZGlkOmtleTp6Nk1rcTVZbWJKY1RyUEV4TkRpMjZpbXJUQ3BLaGVwakJGQlNIcXJCRE4yQXJQa3ZjY21kaC9mb28vYmFyY2V4cPZjaXNzeDhkaWQ6a2V5Ono2TWtwem4ybjNaR1QyVmFxTUdTUUMzdHptelY0VFM5UzcxaUZzRFhFMVdub05IMmNwb2yDg2I9PWcuc3RhdHVzZWRyYWZ0g2NhbGxpLnJldmlld2Vyg2RsaWtlZi5lbWFpbG0qQGV4YW1wbGUuY29tg2NhbnllLnRhZ3OCYm9ygoNiPT1hLmRuZXdzg2I9PWEuZXByZXNzY3N1Yng4ZGlkOmtleTp6Nk1rdEExdUJkQ3BxNHVKQnFFOWpqTWlMeXhaQmc5YTZ4Z1BQS0pqTXFzczZaYzJkbWV0YaBlbm9uY2VMAAECAwQFBgcICQoL
+	// CID (base58BTC): zdpuAw26pFuvZa2Z9YAtpZZnWN6VmnRFr7Z8LVY5c7RVWoxGY
+	// Issuer (iss): did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2
+	// Audience (aud): did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv
+	// Subject (sub): did:key:z6MktA1uBdCpq4uJBqE9jjMiLyxZBg9a6xgPPKJjMqss6Zc2
+	// Command (cmd): /foo/bar
+	// Policy (pol): TODO
+	// Nonce (nonce): 000102030405060708090a0b
+	// Meta (meta): TODO
+	// NotBefore (nbf): <nil>
+	// Expiration (exp): <nil>
+}
+
+func exampleCBORData() []byte {
+	data, err := base64.StdEncoding.DecodeString("glhAmnAkgfjAx4SA5pzJmtaHRJtTGNpF1y6oqb4yhGoM2H2EUGbBYT4rVDjMKBgCjhdGHjipm00L8iR5SsQh3sIEBaJhaEQ07QFxc3VjYW4vZGxnQDEuMC4wLXJjLjGoY2F1ZHg4ZGlkOmtleTp6Nk1rcTVZbWJKY1RyUEV4TkRpMjZpbXJUQ3BLaGVwakJGQlNIcXJCRE4yQXJQa3ZjY21kaC9mb28vYmFyY2V4cPZjaXNzeDhkaWQ6a2V5Ono2TWtwem4ybjNaR1QyVmFxTUdTUUMzdHptelY0VFM5UzcxaUZzRFhFMVdub05IMmNwb2yDg2I9PWcuc3RhdHVzZWRyYWZ0g2NhbGxpLnJldmlld2Vyg2RsaWtlZi5lbWFpbG0qQGV4YW1wbGUuY29tg2NhbnllLnRhZ3OCYm9ygoNiPT1hLmRuZXdzg2I9PWEuZXByZXNzY3N1Yng4ZGlkOmtleTp6Nk1rdEExdUJkQ3BxNHVKQnFFOWpqTWlMeXhaQmc5YTZ4Z1BQS0pqTXFzczZaYzJkbWV0YaBlbm9uY2VMAAECAwQFBgcICQoL")
+	printThenPanicOnErr(err)
+
+	return data
+}
+
+func exampleDID(didStr string) did.DID {
+	id, err := did.Parse(didStr)
+	printThenPanicOnErr(err)
+
+	return id
+}
+
+func exampleCommand(cmdStr string) command.Command {
+	cmd, err := command.Parse(cmdStr)
+	printThenPanicOnErr(err)
+
+	return cmd
+}
+
+func examplePolicy(policyJSON string) policy.Policy {
+	pol, err := policy.FromDagJson(policyJSON)
+	printThenPanicOnErr(err)
+
+	return pol
+}
+
+func examplePrivKey(privKeyCfg string) crypto.PrivKey {
+	privKeyMar, err := crypto.ConfigDecodeKey(privKeyCfg)
+	printThenPanicOnErr(err)
+
+	privKey, err := crypto.UnmarshalPrivateKey(privKeyMar)
+	printThenPanicOnErr(err)
+
+	return privKey
+}
+
+func printCIDAndSealed(id cid.Cid, data []byte) {
+	fmt.Println("CID (base58BTC):", envelope.CIDToBase58BTC(id))
+	fmt.Println("DAG-CBOR (base64) out:", base64.StdEncoding.EncodeToString(data))
+	fmt.Println("Converted to DAG-JSON out:")
+
+	node, err := ipld.Decode(data, dagcbor.Decode)
+	printThenPanicOnErr(err)
+
+	rawJSON, err := ipld.Encode(node, dagjson.Encode)
+	printThenPanicOnErr(err)
+
+	prettyJSON := &bytes.Buffer{}
+	err = json.Indent(prettyJSON, rawJSON, "", "\t")
+	printThenPanicOnErr(err)
+
+	fmt.Println(prettyJSON.String())
+}
+
+func printThenPanicOnErr(err error) {
+	if err != nil {
+		panic(err)
+	}
+}

token/delegation/ipld.go

@@ -0,0 +1,237 @@
+package delegation
+
+import (
+	"io"
+
+	"github.com/ipfs/go-cid"
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/codec"
+	"github.com/ipld/go-ipld-prime/codec/dagcbor"
+	"github.com/ipld/go-ipld-prime/codec/dagjson"
+	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/libp2p/go-libp2p/core/crypto"
+
+	"github.com/ucan-wg/go-ucan/did"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+)
+
+// ToSealed wraps the delegation token in an envelope, generates the
+// signature, encodes the result to DAG-CBOR and calculates the CID of
+// the resulting binary data.
+func (t *Token) ToSealed(privKey crypto.PrivKey) ([]byte, cid.Cid, error) {
+	data, err := t.ToDagCbor(privKey)
+	if err != nil {
+		return nil, cid.Undef, err
+	}
+
+	id, err := envelope.CIDFromBytes(data)
+	if err != nil {
+		return nil, cid.Undef, err
+	}
+
+	return data, id, nil
+}
+
+// ToSealedWriter is the same as Seal but accepts an io.Writer.
+func (t *Token) ToSealedWriter(w io.Writer, privKey crypto.PrivKey) (cid.Cid, error) {
+	cidWriter := envelope.NewCIDWriter(w)
+
+	if err := t.ToDagCborWriter(cidWriter, privKey); err != nil {
+		return cid.Undef, err
+	}
+
+	return cidWriter.CID()
+}
+
+// FromSealed decodes the provided binary data from the DAG-CBOR format,
+// verifies that the envelope's signature is correct based on the public
+// key taken from the issuer (iss) field and calculates the CID of the
+// incoming data.
+func FromSealed(data []byte) (*Token, error) {
+	tkn, err := FromDagCbor(data)
+	if err != nil {
+		return nil, err
+	}
+
+	id, err := envelope.CIDFromBytes(data)
+	if err != nil {
+		return nil, err
+	}
+
+	tkn.cid = id
+
+	return tkn, nil
+}
+
+// FromSealedReader is the same as Unseal but accepts an io.Reader.
+func FromSealedReader(r io.Reader) (*Token, error) {
+	cidReader := envelope.NewCIDReader(r)
+
+	tkn, err := FromDagCborReader(cidReader)
+	if err != nil {
+		return nil, err
+	}
+
+	id, err := cidReader.CID()
+	if err != nil {
+		return nil, err
+	}
+
+	tkn.cid = id
+
+	return tkn, nil
+}
+
+// Encode marshals a Token to the format specified by the provided
+// codec.Encoder.
+func (t *Token) Encode(privKey crypto.PrivKey, encFn codec.Encoder) ([]byte, error) {
+	node, err := t.toIPLD(privKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return ipld.Encode(node, encFn)
+}
+
+// EncodeWriter is the same as Encode but accepts an io.Writer.
+func (t *Token) EncodeWriter(w io.Writer, privKey crypto.PrivKey, encFn codec.Encoder) error {
+	node, err := t.toIPLD(privKey)
+	if err != nil {
+		return err
+	}
+
+	return ipld.EncodeStreaming(w, node, encFn)
+}
+
+// ToDagCbor marshals the Token to the DAG-CBOR format.
+func (t *Token) ToDagCbor(privKey crypto.PrivKey) ([]byte, error) {
+	return t.Encode(privKey, dagcbor.Encode)
+}
+
+// ToDagCborWriter is the same as ToDagCbor but it accepts an io.Writer.
+func (t *Token) ToDagCborWriter(w io.Writer, privKey crypto.PrivKey) error {
+	return t.EncodeWriter(w, privKey, dagcbor.Encode)
+}
+
+// ToDagJson marshals the Token to the DAG-JSON format.
+func (t *Token) ToDagJson(privKey crypto.PrivKey) ([]byte, error) {
+	return t.Encode(privKey, dagjson.Encode)
+}
+
+// ToDagJsonWriter is the same as ToDagJson but it accepts an io.Writer.
+func (t *Token) ToDagJsonWriter(w io.Writer, privKey crypto.PrivKey) error {
+	return t.EncodeWriter(w, privKey, dagjson.Encode)
+}
+
+// Decode unmarshals the input data using the format specified by the
+// provided codec.Decoder into a Token.
+//
+// An error is returned if the conversion fails, or if the resulting
+// Token is invalid.
+func Decode(b []byte, decFn codec.Decoder) (*Token, error) {
+	node, err := ipld.Decode(b, decFn)
+	if err != nil {
+		return nil, err
+	}
+	return FromIPLD(node)
+}
+
+// DecodeReader is the same as Decode, but accept an io.Reader.
+func DecodeReader(r io.Reader, decFn codec.Decoder) (*Token, error) {
+	node, err := ipld.DecodeStreaming(r, decFn)
+	if err != nil {
+		return nil, err
+	}
+	return FromIPLD(node)
+}
+
+// FromDagCbor unmarshals the input data into a Token.
+//
+// An error is returned if the conversion fails, or if the resulting
+// Token is invalid.
+func FromDagCbor(data []byte) (*Token, error) {
+	pay, err := envelope.FromDagCbor[*tokenPayloadModel](data)
+	if err != nil {
+		return nil, err
+	}
+
+	tkn, err := tokenFromModel(*pay)
+	if err != nil {
+		return nil, err
+	}
+
+	return tkn, err
+}
+
+// FromDagCborReader is the same as FromDagCbor, but accept an io.Reader.
+func FromDagCborReader(r io.Reader) (*Token, error) {
+	return DecodeReader(r, dagcbor.Decode)
+}
+
+// FromDagJson unmarshals the input data into a Token.
+//
+// An error is returned if the conversion fails, or if the resulting
+// Token is invalid.
+func FromDagJson(data []byte) (*Token, error) {
+	return Decode(data, dagjson.Decode)
+}
+
+// FromDagJsonReader is the same as FromDagJson, but accept an io.Reader.
+func FromDagJsonReader(r io.Reader) (*Token, error) {
+	return DecodeReader(r, dagjson.Decode)
+}
+
+// FromIPLD decode the given IPLD representation into a Token.
+func FromIPLD(node datamodel.Node) (*Token, error) {
+	pay, err := envelope.FromIPLD[*tokenPayloadModel](node)
+	if err != nil {
+		return nil, err
+	}
+
+	tkn, err := tokenFromModel(*pay)
+	if err != nil {
+		return nil, err
+	}
+
+	return tkn, err
+}
+
+func (t *Token) toIPLD(privKey crypto.PrivKey) (datamodel.Node, error) {
+	var sub *string
+
+	if t.subject != did.Undef {
+		s := t.subject.String()
+		sub = &s
+	}
+
+	pol, err := t.policy.ToIPLD()
+	if err != nil {
+		return nil, err
+	}
+
+	var nbf *int64
+	if t.notBefore != nil {
+		u := t.notBefore.Unix()
+		nbf = &u
+	}
+
+	var exp *int64
+	if t.expiration != nil {
+		u := t.expiration.Unix()
+		exp = &u
+	}
+
+	model := &tokenPayloadModel{
+		Iss:   t.issuer.String(),
+		Aud:   t.audience.String(),
+		Sub:   sub,
+		Cmd:   t.command.String(),
+		Pol:   pol,
+		Nonce: t.nonce,
+		Meta:  *t.meta,
+		Nbf:   nbf,
+		Exp:   exp,
+	}
+
+	return envelope.ToIPLD(privKey, model)
+}

token/delegation/options.go

@@ -0,0 +1,72 @@
+package delegation
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/ucan-wg/go-ucan/did"
+)
+
+// Option is a type that allows optional fields to be set during the
+// creation of a Token.
+type Option func(*Token) error
+
+// WithExpiration set's the Token's optional "expiration" field to the
+// value of the provided time.Time.
+func WithExpiration(exp time.Time) Option {
+	return func(t *Token) error {
+		if exp.Before(time.Now()) {
+			return fmt.Errorf("a Token's expiration should be set to a time in the future: %s", exp.String())
+		}
+
+		t.expiration = &exp
+		return nil
+	}
+}
+
+// WithMeta adds a key/value pair in the "meta" field.
+//
+// WithMeta can be used multiple times in the same call.
+// Accepted types for the value are: bool, string, int, int32, int64, []byte,
+// and ipld.Node.
+func WithMeta(key string, val any) Option {
+	return func(t *Token) error {
+		return t.meta.Add(key, val)
+	}
+}
+
+// WithNotBefore set's the Token's optional "notBefore" field to the value
+// of the provided time.Time.
+func WithNotBefore(nbf time.Time) Option {
+	return func(t *Token) error {
+		if nbf.Before(time.Now()) {
+			return fmt.Errorf("a Token's \"not before\" field should be set to a time in the future: %s", nbf.String())
+		}
+
+		t.notBefore = &nbf
+		return nil
+	}
+}
+
+// WithSubject sets the Tokens's optional "subject" field to the value of
+// provided did.DID.
+//
+// This Option should only be used with the New constructor - since
+// Subject is a required parameter when creating a Token via the  Root
+// constructor, any value provided via this Option will be silently
+// overwritten.
+func WithSubject(sub did.DID) Option {
+	return func(t *Token) error {
+		t.subject = sub
+		return nil
+	}
+}
+
+// WithNonce sets the Token's nonce with the given value.
+// If this option is not used, a random 12-byte nonce is generated for this required field.
+func WithNonce(nonce []byte) Option {
+	return func(t *Token) error {
+		t.nonce = nonce
+		return nil
+	}
+}

token/delegation/schema.go

@@ -0,0 +1,85 @@
+package delegation
+
+import (
+	_ "embed"
+	"fmt"
+	"sync"
+
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/ipld/go-ipld-prime/node/bindnode"
+	"github.com/ipld/go-ipld-prime/schema"
+
+	"github.com/ucan-wg/go-ucan/pkg/meta"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+)
+
+// [Tag] is the string used as a key within the SigPayload that identifies
+// that the TokenPayload is a delegation.
+//
+// [Tag]: https://github.com/ucan-wg/delegation/tree/v1_ipld#type-tag
+const Tag = "ucan/dlg@1.0.0-rc.1"
+
+// TODO: update the above Tag URL once the delegation specification is merged.
+
+//go:embed delegation.ipldsch
+var schemaBytes []byte
+
+var (
+	once sync.Once
+	ts   *schema.TypeSystem
+	err  error
+)
+
+func mustLoadSchema() *schema.TypeSystem {
+	once.Do(func() {
+		ts, err = ipld.LoadSchemaBytes(schemaBytes)
+	})
+	if err != nil {
+		panic(fmt.Errorf("failed to load IPLD schema: %s", err))
+	}
+	return ts
+}
+
+func payloadType() schema.Type {
+	return mustLoadSchema().TypeByName("Payload")
+}
+
+var _ envelope.Tokener = (*tokenPayloadModel)(nil)
+
+type tokenPayloadModel struct {
+	// Issuer DID (sender)
+	Iss string
+	// Audience DID (receiver)
+	Aud string
+	// Principal that the chain is about (the Subject)
+	// optional: can be nil
+	Sub *string
+
+	// The Command to eventually invoke
+	Cmd string
+
+	// The delegation policy
+	Pol datamodel.Node
+
+	// A unique, random nonce
+	Nonce []byte
+
+	// Arbitrary Metadata
+	Meta meta.Meta
+
+	// "Not before" UTC Unix Timestamp in seconds (valid from), 53-bits integer
+	// optional: can be nil
+	Nbf *int64
+	// The timestamp at which the Invocation becomes invalid
+	// optional: can be nil
+	Exp *int64
+}
+
+func (e *tokenPayloadModel) Prototype() schema.TypedPrototype {
+	return bindnode.Prototype((*tokenPayloadModel)(nil), payloadType())
+}
+
+func (*tokenPayloadModel) Tag() string {
+	return Tag
+}

token/delegation/schema_test.go

@@ -0,0 +1,177 @@
+package delegation_test
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"testing"
+
+	"github.com/ipld/go-ipld-prime"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gotest.tools/v3/golden"
+
+	"github.com/ucan-wg/go-ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+)
+
+//go:embed delegation.ipldsch
+var schemaBytes []byte
+
+func TestSchemaRoundTrip(t *testing.T) {
+	t.Parallel()
+
+	delegationJson := golden.Get(t, "new.dagjson")
+	privKey := privKey(t, issuerPrivKeyCfg)
+
+	t.Run("via buffers", func(t *testing.T) {
+		t.Parallel()
+
+		// format:    dagJson   -->   PayloadModel   -->   dagCbor   -->   PayloadModel   -->   dagJson
+		// function:      DecodeDagJson()           Seal()        Unseal()          EncodeDagJson()
+
+		p1, err := delegation.FromDagJson(delegationJson)
+		require.NoError(t, err)
+
+		cborBytes, id, err := p1.ToSealed(privKey)
+		require.NoError(t, err)
+		assert.Equal(t, newCID, envelope.CIDToBase58BTC(id))
+		fmt.Println("cborBytes length", len(cborBytes))
+		fmt.Println("cbor", string(cborBytes))
+
+		p2, err := delegation.FromSealed(cborBytes)
+		require.NoError(t, err)
+		assert.Equal(t, id, p2.CID())
+		fmt.Println("read Cbor", p2)
+
+		readJson, err := p2.ToDagJson(privKey)
+		require.NoError(t, err)
+		fmt.Println("readJson length", len(readJson))
+		fmt.Println("json: ", string(readJson))
+
+		assert.JSONEq(t, string(delegationJson), string(readJson))
+	})
+
+	t.Run("via streaming", func(t *testing.T) {
+		t.Parallel()
+
+		buf := bytes.NewBuffer(delegationJson)
+
+		// format:    dagJson   -->   PayloadModel   -->   dagCbor   -->   PayloadModel   -->   dagJson
+		// function:      DecodeDagJson()           Seal()         Unseal()         EncodeDagJson()
+
+		p1, err := delegation.FromDagJsonReader(buf)
+		require.NoError(t, err)
+
+		cborBytes := &bytes.Buffer{}
+		id, err := p1.ToSealedWriter(cborBytes, privKey)
+		t.Log(len(id.Bytes()), id.Bytes())
+		require.NoError(t, err)
+		assert.Equal(t, newCID, envelope.CIDToBase58BTC(id))
+
+		// buf = bytes.NewBuffer(cborBytes.Bytes())
+		p2, err := delegation.FromSealedReader(cborBytes)
+		require.NoError(t, err)
+		t.Log(len(p2.CID().Bytes()), p2.CID().Bytes())
+		assert.Equal(t, envelope.CIDToBase58BTC(id), envelope.CIDToBase58BTC(p2.CID()))
+
+		readJson := &bytes.Buffer{}
+		require.NoError(t, p2.ToDagJsonWriter(readJson, privKey))
+
+		assert.JSONEq(t, string(delegationJson), readJson.String())
+	})
+}
+
+func BenchmarkSchemaLoad(b *testing.B) {
+	b.ReportAllocs()
+	for i := 0; i < b.N; i++ {
+		_, _ = ipld.LoadSchemaBytes(schemaBytes)
+	}
+}
+
+func BenchmarkRoundTrip(b *testing.B) {
+	delegationJson := golden.Get(b, "new.dagjson")
+	privKey := privKey(b, issuerPrivKeyCfg)
+
+	b.Run("via buffers", func(b *testing.B) {
+		p1, _ := delegation.FromDagJson(delegationJson)
+		cborBytes, _, _ := p1.ToSealed(privKey)
+		p2, _ := delegation.FromSealed(cborBytes)
+
+		b.ResetTimer()
+
+		b.Run("FromDagJson", func(b *testing.B) {
+			b.ReportAllocs()
+			for i := 0; i < b.N; i++ {
+				_, _ = delegation.FromDagJson(delegationJson)
+			}
+		})
+
+		b.Run("Seal", func(b *testing.B) {
+			b.ReportAllocs()
+			for i := 0; i < b.N; i++ {
+				_, _, _ = p1.ToSealed(privKey)
+			}
+		})
+
+		b.Run("Unseal", func(b *testing.B) {
+			b.ReportAllocs()
+			for i := 0; i < b.N; i++ {
+				_, _ = delegation.FromSealed(cborBytes)
+			}
+		})
+
+		b.Run("ToDagJson", func(b *testing.B) {
+			b.ReportAllocs()
+			for i := 0; i < b.N; i++ {
+				_, _ = p2.ToDagJson(privKey)
+			}
+		})
+	})
+
+	b.Run("via streaming", func(b *testing.B) {
+		p1, _ := delegation.FromDagJsonReader(bytes.NewReader(delegationJson))
+		cborBuf := &bytes.Buffer{}
+		_, _ = p1.ToSealedWriter(cborBuf, privKey)
+		cborBytes := cborBuf.Bytes()
+		p2, _ := delegation.FromSealedReader(bytes.NewReader(cborBytes))
+
+		b.ResetTimer()
+
+		b.Run("FromDagJsonReader", func(b *testing.B) {
+			b.ReportAllocs()
+			reader := bytes.NewReader(delegationJson)
+			for i := 0; i < b.N; i++ {
+				_, _ = reader.Seek(0, 0)
+				_, _ = delegation.FromDagJsonReader(reader)
+			}
+		})
+
+		b.Run("SealWriter", func(b *testing.B) {
+			b.ReportAllocs()
+			buf := &bytes.Buffer{}
+			for i := 0; i < b.N; i++ {
+				buf.Reset()
+				_, _ = p1.ToSealedWriter(buf, privKey)
+			}
+		})
+
+		b.Run("UnsealReader", func(b *testing.B) {
+			b.ReportAllocs()
+			reader := bytes.NewReader(cborBytes)
+			for i := 0; i < b.N; i++ {
+				_, _ = reader.Seek(0, 0)
+				_, _ = delegation.FromSealedReader(reader)
+			}
+		})
+
+		b.Run("ToDagJsonReader", func(b *testing.B) {
+			b.ReportAllocs()
+			buf := &bytes.Buffer{}
+			for i := 0; i < b.N; i++ {
+				buf.Reset()
+				_ = p2.ToDagJsonWriter(buf, privKey)
+			}
+		})
+	})
+}

token/delegation/testdata/new.dagjson

@@ -0,0 +1 @@
+[{"/":{"bytes":"FM6otj0r/noJWiGAC5WV86xAazxrF173IihuHJgEt35CtSzjeaelrR3UwaSr8xbE9sLpo5xJhUbo0QLI273hDA"}},{"h":{"/":{"bytes":"NO0BcQ"}},"ucan/dlg@1.0.0-rc.1":{"aud":"did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv","cmd":"/foo/bar","exp":7258118400,"iss":"did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2","meta":{"bar":"barr","foo":"fooo"},"nonce":{"/":{"bytes":"NnJvRGhHaTBraU5yaVFBejdKM2QrYk9lb0kvdGo4RU5pa21RTmJ0am5EMA"}},"pol":[["==",".status","draft"],["all",".reviewer",["like",".email","*@example.com"]],["any",".tags",["or",[["==",".","news"],["==",".","press"]]]]],"sub":"did:key:z6MktA1uBdCpq4uJBqE9jjMiLyxZBg9a6xgPPKJjMqss6Zc2"}}]

token/delegation/testdata/root.dagjson

@@ -0,0 +1 @@
+[{"/":{"bytes":"aYBq08tfm0zQZnPg/5tB9kM5mklRU9PPIkV7CK68jEgbd76JbCGuu75vfLyBu3WTqKzLSJ583pbwu668m/7MBQ"}},{"h":{"/":{"bytes":"NO0BcQ"}},"ucan/dlg@1.0.0-rc.1":{"aud":"did:key:z6Mkq5YmbJcTrPExNDi26imrTCpKhepjBFBSHqrBDN2ArPkv","cmd":"/foo/bar","exp":7258118400,"iss":"did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2","meta":{"bar":"barr","foo":"fooo"},"nonce":{"/":{"bytes":"NnJvRGhHaTBraU5yaVFBejdKM2QrYk9lb0kvdGo4RU5pa21RTmJ0am5EMA"}},"pol":[["==",".status","draft"],["all",".reviewer",["like",".email","*@example.com"]],["any",".tags",["or",[["==",".","news"],["==",".","press"]]]]],"sub":"did:key:z6Mkpzn2n3ZGT2VaqMGSQC3tzmzV4TS9S71iFsDXE1WnoNH2"}}]

token/inspect.go

@@ -0,0 +1,19 @@
+package token
+
+import (
+	"github.com/ipld/go-ipld-prime/datamodel"
+
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+)
+
+type Info = envelope.Info
+
+// Inspect inspects the given token IPLD representation and extract some envelope facts.
+func Inspect(node datamodel.Node) (Info, error) {
+	return envelope.Inspect(node)
+}
+
+// FindTag inspect the given token IPLD representation and extract the token tag.
+func FindTag(node datamodel.Node) (string, error) {
+	return envelope.FindTag(node)
+}

token/internal/envelope/cid.go

@@ -0,0 +1,124 @@
+package envelope
+
+import (
+	"crypto/sha256"
+	"hash"
+	"io"
+
+	"github.com/ipfs/go-cid"
+	"github.com/multiformats/go-multibase"
+	"github.com/multiformats/go-multicodec"
+	"github.com/multiformats/go-multihash"
+)
+
+var b58BTCEnc = multibase.MustNewEncoder(multibase.Base58BTC)
+
+// CIDToBase56BTC is a utility method to convert a CIDv1 to the canonical
+// string representation used by UCAN.
+func CIDToBase58BTC(id cid.Cid) string {
+	return id.Encode(b58BTCEnc)
+}
+
+// CIDFromBytes returns the UCAN content identifier for an arbitrary slice
+// of bytes.
+func CIDFromBytes(b []byte) (cid.Cid, error) {
+	return cid.V1Builder{
+		Codec:    uint64(multicodec.DagCbor),
+		MhType:   multihash.SHA2_256,
+		MhLength: 0,
+	}.Sum(b)
+}
+
+var _ io.Reader = (*CIDReader)(nil)
+
+// CIDReader wraps an io.Reader and includes a hash.Hash that is
+// incrementally updated as data is read from the child io.Reader.
+type CIDReader struct {
+	hash hash.Hash
+	r    io.Reader
+	err  error
+}
+
+// NewCIDReader initializes a hash.Hash to calculate the CID's hash and
+// returns the wrapped io.Reader.
+func NewCIDReader(r io.Reader) *CIDReader {
+	h := sha256.New()
+	h.Reset()
+
+	return &CIDReader{
+		hash: h,
+		r:    r,
+	}
+}
+
+// CID returns the UCAN-formatted cid.Cid created from the hash calculated
+// as bytes were read from the inner io.Reader.
+func (r *CIDReader) CID() (cid.Cid, error) {
+	if r.err != nil {
+		return cid.Undef, r.err // TODO: Wrap to say it's an error during streaming?
+	}
+
+	return cidFromHash(r.hash)
+}
+
+// Read implements io.Reader.
+func (r *CIDReader) Read(p []byte) (n int, err error) {
+	n, err = r.r.Read(p)
+	if err != nil && err != io.EOF {
+		r.err = err
+
+		return
+	}
+
+	_, _ = r.hash.Write(p[:n])
+
+	return
+}
+
+var _ io.Writer = (*CIDWriter)(nil)
+
+// CIDWriter wraps an io.Writer and includes a hash.Hash that is
+// incrementally updated as data is written to the child io.Writer.
+type CIDWriter struct {
+	hash hash.Hash
+	w    io.Writer
+	err  error
+}
+
+// NewCIDWriter initializes a hash.Hash to calculate the CID's hash and
+// returns the wrapped io.Writer.
+func NewCIDWriter(w io.Writer) *CIDWriter {
+	h := sha256.New()
+	h.Reset()
+
+	return &CIDWriter{
+		hash: h,
+		w:    w,
+	}
+}
+
+// CID returns the UCAN-formatted cid.Cid created from the hash calculated
+// as bytes were written from the inner io.Reader.
+func (w *CIDWriter) CID() (cid.Cid, error) {
+	return cidFromHash(w.hash)
+}
+
+// Write implements io.Writer.
+func (w *CIDWriter) Write(p []byte) (n int, err error) {
+	if _, err = w.hash.Write(p); err != nil {
+		w.err = err
+
+		return
+	}
+
+	return w.w.Write(p)
+}
+
+func cidFromHash(hash hash.Hash) (cid.Cid, error) {
+	mh, err := multihash.Encode(hash.Sum(nil), multihash.SHA2_256)
+	if err != nil {
+		return cid.Undef, err
+	}
+
+	return cid.NewCidV1(uint64(multicodec.DagCbor), mh), nil
+}

token/internal/envelope/cid_test.go

@@ -0,0 +1,86 @@
+package envelope_test
+
+import (
+	"io"
+	"testing"
+
+	"github.com/ipfs/go-cid"
+	"github.com/multiformats/go-multicodec"
+	"github.com/multiformats/go-multihash"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gotest.tools/v3/golden"
+
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+)
+
+func TestCidFromBytes(t *testing.T) {
+	t.Parallel()
+
+	expData := golden.Get(t, "example.dagcbor")
+	expHash, err := multihash.Sum(expData, uint64(multicodec.Sha2_256), -1)
+	require.NoError(t, err)
+
+	data, err := envelope.ToDagCbor(examplePrivKey(t), newExample(t))
+	require.NoError(t, err)
+
+	id, err := envelope.CIDFromBytes(data)
+	require.NoError(t, err)
+	assert.Equal(t, exampleCID, envelope.CIDToBase58BTC(id))
+	assert.Equal(t, expHash, id.Hash())
+}
+
+func TestStreaming(t *testing.T) {
+	t.Parallel()
+
+	expData := []byte("this is a test")
+
+	expCID, err := cid.V1Builder{
+		Codec:    uint64(multicodec.DagCbor),
+		MhType:   multihash.SHA2_256,
+		MhLength: 0,
+	}.Sum(expData)
+	require.NoError(t, err)
+
+	t.Run("CIDReader()", func(t *testing.T) {
+		t.Parallel()
+
+		r, w := io.Pipe() //nolint:varnamelen
+		cidReader := envelope.NewCIDReader(r)
+
+		go func() {
+			_, err := w.Write(expData)
+			assert.NoError(t, err)
+			assert.NoError(t, w.Close())
+		}()
+
+		actData, err := io.ReadAll(cidReader)
+		require.NoError(t, err)
+		assert.Equal(t, expData, actData)
+
+		actCID, err := cidReader.CID()
+		require.NoError(t, err)
+		assert.Equal(t, expCID, actCID)
+	})
+
+	t.Run("CIDWriter", func(t *testing.T) {
+		t.Parallel()
+
+		r, w := io.Pipe() //nolint:varnamelen
+		cidWriter := envelope.NewCIDWriter(w)
+
+		go func() {
+			_, err := cidWriter.Write(expData)
+			assert.NoError(t, err)
+			assert.NoError(t, w.Close())
+		}()
+
+		actData, err := io.ReadAll(r)
+		require.NoError(t, err)
+		assert.Equal(t, expData, actData)
+
+		actCID, err := cidWriter.CID()
+		require.NoError(t, err)
+		assert.Equal(t, expCID, actCID)
+	})
+}

token/internal/envelope/example_test.go

@@ -0,0 +1,138 @@
+package envelope_test
+
+import (
+	_ "embed"
+	"encoding/base64"
+	"fmt"
+	"sync"
+	"testing"
+
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/codec/dagcbor"
+	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/ipld/go-ipld-prime/fluent/qp"
+	"github.com/ipld/go-ipld-prime/node/basicnode"
+	"github.com/ipld/go-ipld-prime/node/bindnode"
+	"github.com/ipld/go-ipld-prime/schema"
+	"github.com/libp2p/go-libp2p/core/crypto"
+	"github.com/stretchr/testify/require"
+	"gotest.tools/v3/golden"
+
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+)
+
+const (
+	exampleCID             = "zdpuAyw6R5HvKSPzztuzXNYFx3ZGoMHMuAsXL6u3xLGQriRXQ"
+	exampleDID             = "did:key:z6MkpuK2Amsu1RqcLGgmHHQHhvmeXCCBVsM4XFSg2cCyg4Nh"
+	exampleGreeting        = "world"
+	examplePrivKeyCfg      = "CAESQP9v2uqECTuIi45dyg3znQvsryvf2IXmOF/6aws6aCehm0FVrj0zHR5RZSDxWNjcpcJqsGym3sjCungX9Zt5oA4="
+	exampleSignatureStr    = "PZV6A2aI7n+MlyADqcqmWhkuyNrgUCDz+qSLSnI9bpasOwOhKUTx95m5Nu5CO/INa1LqzHGioD9+PVf6qdtTBg"
+	exampleTag             = "ucan/example@v1.0.0-rc.1"
+	exampleTypeName        = "Example"
+	exampleVarsigHeaderStr = "NO0BcQ"
+
+	invalidSignatureStr = "PZV6A2aI7n+MlyADqcqmWhkuyNrgUCDz+qSLSnI9bpasOwOhKUTx95m5Nu5CO/INa1LqzHGioD9+PVf6qdtTBK"
+
+	exampleDAGCBORFilename = "example.dagcbor"
+	exampleDAGJSONFilename = "example.dagjson"
+)
+
+//go:embed testdata/example.ipldsch
+var schemaBytes []byte
+
+var (
+	once sync.Once
+	ts   *schema.TypeSystem
+	err  error
+)
+
+func mustLoadSchema() *schema.TypeSystem {
+	once.Do(func() {
+		ts, err = ipld.LoadSchemaBytes(schemaBytes)
+	})
+
+	if err != nil {
+		panic(fmt.Errorf("failed to load IPLD schema: %s", err))
+	}
+
+	return ts
+}
+
+func exampleType() schema.Type {
+	return mustLoadSchema().TypeByName(exampleTypeName)
+}
+
+var _ envelope.Tokener = (*Example)(nil)
+
+type Example struct {
+	Hello  string
+	Issuer string
+}
+
+func newExample(t *testing.T) *Example {
+	t.Helper()
+
+	return &Example{
+		Hello:  exampleGreeting,
+		Issuer: exampleDID,
+	}
+}
+
+func (e *Example) Prototype() schema.TypedPrototype {
+	return bindnode.Prototype(e, exampleType())
+}
+
+func (*Example) Tag() string {
+	return exampleTag
+}
+
+func exampleGoldenNode(t *testing.T) datamodel.Node {
+	t.Helper()
+
+	cbor := golden.Get(t, exampleDAGCBORFilename)
+
+	node, err := ipld.Decode(cbor, dagcbor.Decode)
+	require.NoError(t, err)
+
+	return node
+}
+
+func examplePrivKey(t *testing.T) crypto.PrivKey {
+	t.Helper()
+
+	privKeyEnc, err := crypto.ConfigDecodeKey(examplePrivKeyCfg)
+	require.NoError(t, err)
+
+	privKey, err := crypto.UnmarshalPrivateKey(privKeyEnc)
+	require.NoError(t, err)
+
+	return privKey
+}
+
+func exampleSignature(t *testing.T) []byte {
+	t.Helper()
+
+	sig, err := base64.RawStdEncoding.DecodeString(exampleSignatureStr)
+	require.NoError(t, err)
+
+	return sig
+}
+
+func invalidNodeFromGolden(t *testing.T) datamodel.Node {
+	t.Helper()
+
+	invalidSig, err := base64.RawStdEncoding.DecodeString(invalidSignatureStr)
+	require.NoError(t, err)
+
+	envelNode := exampleGoldenNode(t)
+	sigPayloadNode, err := envelNode.LookupByIndex(1)
+	require.NoError(t, err)
+
+	node, err := qp.BuildList(basicnode.Prototype.Any, 2, func(la datamodel.ListAssembler) {
+		qp.ListEntry(la, qp.Bytes(invalidSig))
+		qp.ListEntry(la, qp.Node(sigPayloadNode))
+	})
+	require.NoError(t, err)
+
+	return node
+}

token/internal/envelope/ipld.go

@@ -0,0 +1,393 @@
+// Package envelope provides functions that convert between wire-format
+// encoding of a [UCAN] token's [Envelope] and the Go type representing
+// a verified [TokenPayload].
+//
+// Encoding functions in this package require a private key as a
+// parameter so the VarsigHeader can be set and so that a
+// cryptographic signature can be generated.
+//
+// Decoding functions in this package likewise perform the signature
+// verification using a public key extracted from the TokenPayload as
+// described by requirement two below.
+//
+// Types that wish to be marshaled and unmarshaled from the using
+// is package have two requirements.
+//
+//  1. The type must implement the Tokener interface.
+//
+//  2. The IPLD Representation of the type must include an "iss"
+//     field when the TokenPayload is extracted from the Envelope.
+//     This field must contain the string representation of a
+//     "did:key" so that a public key can be extracted from the
+//
+// [Envelope]:https://github.com/ucan-wg/spec#envelope
+// [TokenPayload]: https://github.com/ucan-wg/spec#envelope
+// [UCAN]: https://ucan.xyz
+package envelope
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/codec"
+	"github.com/ipld/go-ipld-prime/codec/dagcbor"
+	"github.com/ipld/go-ipld-prime/codec/dagjson"
+	"github.com/ipld/go-ipld-prime/datamodel"
+	"github.com/ipld/go-ipld-prime/fluent/qp"
+	"github.com/ipld/go-ipld-prime/node/basicnode"
+	"github.com/ipld/go-ipld-prime/node/bindnode"
+	"github.com/ipld/go-ipld-prime/schema"
+	"github.com/libp2p/go-libp2p/core/crypto"
+
+	"github.com/ucan-wg/go-ucan/did"
+	"github.com/ucan-wg/go-ucan/token/internal/varsig"
+)
+
+const (
+	VarsigHeaderKey = "h"
+	UCANTagPrefix   = "ucan/"
+)
+
+// Tokener must be implemented by types that wish to be enclosed in a
+// UCAN Envelope (presumbably one of the UCAN token types).
+type Tokener interface {
+	// Prototype provides the schema representation for an IPLD type so
+	// that the incoming datamodel.Kinds can be mapped to the appropriate
+	// schema.Kinds.
+	Prototype() schema.TypedPrototype
+
+	// Tag returns the expected key denoting the name of the IPLD node
+	// that should be processed as the token payload while decoding
+	// incoming bytes.
+	Tag() string
+}
+
+// Decode unmarshals the input data using the format specified by the
+// provided codec.Decoder into a Tokener.
+//
+// An error is returned if the conversion fails, or if the resulting
+// Tokener is invalid.
+func Decode[T Tokener](b []byte, decFn codec.Decoder) (T, error) {
+	node, err := ipld.Decode(b, decFn)
+	if err != nil {
+		return *new(T), err
+	}
+
+	return FromIPLD[T](node)
+}
+
+// DecodeReader is the same as Decode, but accept an io.Reader.
+func DecodeReader[T Tokener](r io.Reader, decFn codec.Decoder) (T, error) {
+	node, err := ipld.DecodeStreaming(r, decFn)
+	if err != nil {
+		return *new(T), err
+	}
+
+	return FromIPLD[T](node)
+}
+
+// FromDagCbor unmarshals the input data into a Tokener.
+//
+// An error is returned if the conversion fails, or if the resulting
+// Tokener is invalid.
+func FromDagCbor[T Tokener](b []byte) (T, error) {
+	return Decode[T](b, dagcbor.Decode)
+}
+
+// FromDagCborReader is the same as FromDagCbor, but accept an io.Reader.
+func FromDagCborReader[T Tokener](r io.Reader) (T, error) {
+	return DecodeReader[T](r, dagcbor.Decode)
+}
+
+// FromDagJson unmarshals the input data into a Tokener.
+//
+// An error is returned if the conversion fails, or if the resulting
+// Tokener is invalid.
+func FromDagJson[T Tokener](b []byte) (T, error) {
+	return Decode[T](b, dagjson.Decode)
+}
+
+// FromDagJsonReader is the same as FromDagJson, but accept an io.Reader.
+func FromDagJsonReader[T Tokener](r io.Reader) (T, error) {
+	return DecodeReader[T](r, dagjson.Decode)
+}
+
+// FromIPLD unwraps a Tokener from the provided IPLD datamodel.Node.
+//
+// An error is returned if the conversion fails, or if the resulting
+// Tokener is invalid.
+func FromIPLD[T Tokener](node datamodel.Node) (T, error) {
+	zero := *new(T)
+
+	info, err := Inspect(node)
+	if err != nil {
+		return zero, err
+	}
+
+	if info.Tag != zero.Tag() {
+		return zero, errors.New("data doesn't match the expected type")
+	}
+
+	// This needs to be done before converting this node to its schema
+	// representation (afterwards, the field might be renamed os it's safer
+	// to use the wire name).
+	issuerNode, err := info.tokenPayloadNode.LookupByString("iss")
+	if err != nil {
+		return zero, err
+	}
+
+	// Replaces the datamodel.Node in tokenPayloadNode with a
+	// schema.TypedNode so that we can cast it to a *token.Token after
+	// unwrapping it.
+	nb := zero.Prototype().Representation().NewBuilder()
+
+	err = nb.AssignNode(info.tokenPayloadNode)
+	if err != nil {
+		return zero, err
+	}
+
+	tokenPayloadNode := nb.Build()
+
+	tokenPayload := bindnode.Unwrap(tokenPayloadNode)
+	if tokenPayload == nil {
+		return zero, errors.New("failed to Unwrap the TokenPayload")
+	}
+
+	tkn, ok := tokenPayload.(T)
+	if !ok {
+		return zero, errors.New("failed to assert the TokenPayload type as *token.Token")
+	}
+
+	// Check that the issuer's DID contains a public key with a type that
+	// matches the VarsigHeader and then verify the SigPayload.
+	issuer, err := issuerNode.AsString()
+	if err != nil {
+		return zero, err
+	}
+
+	issuerDID, err := did.Parse(issuer)
+	if err != nil {
+		return zero, err
+	}
+
+	issuerPubKey, err := issuerDID.PubKey()
+	if err != nil {
+		return zero, err
+	}
+
+	issuerVarsigHeader, err := varsig.Encode(issuerPubKey.Type())
+	if err != nil {
+		return zero, err
+	}
+
+	if string(info.VarsigHeader) != string(issuerVarsigHeader) {
+		return zero, errors.New("the VarsigHeader key type doesn't match the issuer's key type")
+	}
+
+	data, err := ipld.Encode(info.sigPayloadNode, dagcbor.Encode)
+	if err != nil {
+		return zero, err
+	}
+
+	ok, err = issuerPubKey.Verify(data, info.Signature)
+	if err != nil || !ok {
+		return zero, errors.New("failed to verify the token's signature")
+	}
+
+	return tkn, nil
+}
+
+// Encode marshals a Tokener to the format specified by the provided
+// codec.Encoder.
+func Encode(privKey crypto.PrivKey, token Tokener, encFn codec.Encoder) ([]byte, error) {
+	node, err := ToIPLD(privKey, token)
+	if err != nil {
+		return nil, err
+	}
+
+	return ipld.Encode(node, encFn)
+}
+
+// EncodeWriter is the same as Encode but outputs to an io.Writer instead
+// of encoding into a []byte.
+func EncodeWriter(w io.Writer, privKey crypto.PrivKey, token Tokener, encFn codec.Encoder) error {
+	node, err := ToIPLD(privKey, token)
+	if err != nil {
+		return err
+	}
+
+	return ipld.EncodeStreaming(w, node, encFn)
+}
+
+// ToDagCbor marshals the Tokener to the DAG-CBOR format.
+func ToDagCbor(privKey crypto.PrivKey, token Tokener) ([]byte, error) {
+	return Encode(privKey, token, dagcbor.Encode)
+}
+
+// ToDagCborWriter is the same as ToDagCbor but outputs to an io.Writer
+// instead of encoding into a []byte.
+func ToDagCborWriter(w io.Writer, privKey crypto.PrivKey, token Tokener) error {
+	return EncodeWriter(w, privKey, token, dagcbor.Encode)
+}
+
+// ToDagJson marshals the Tokener to the DAG-JSON format.
+func ToDagJson(privKey crypto.PrivKey, token Tokener) ([]byte, error) {
+	return Encode(privKey, token, dagjson.Encode)
+}
+
+// ToDagJsonWriter is the same as ToDagJson but outputs to an io.Writer
+// instead of encoding into a []byte.
+func ToDagJsonWriter(w io.Writer, privKey crypto.PrivKey, token Tokener) error {
+	return EncodeWriter(w, privKey, token, dagjson.Encode)
+}
+
+// ToIPLD wraps the Tokener in an IPLD datamodel.Node.
+func ToIPLD(privKey crypto.PrivKey, token Tokener) (datamodel.Node, error) {
+	tokenPayloadNode := bindnode.Wrap(token, token.Prototype().Type()).Representation()
+
+	varsigHeader, err := varsig.Encode(privKey.Type())
+	if err != nil {
+		return nil, err
+	}
+
+	sigPayloadNode, err := qp.BuildMap(basicnode.Prototype.Any, 2, func(ma datamodel.MapAssembler) {
+		qp.MapEntry(ma, VarsigHeaderKey, qp.Bytes(varsigHeader))
+		qp.MapEntry(ma, token.Tag(), qp.Node(tokenPayloadNode))
+	})
+
+	data, err := ipld.Encode(sigPayloadNode, dagcbor.Encode)
+	if err != nil {
+		return nil, err
+	}
+
+	signature, err := privKey.Sign(data)
+	if err != nil {
+		return nil, err
+	}
+
+	return qp.BuildList(basicnode.Prototype.Any, 2, func(la datamodel.ListAssembler) {
+		qp.ListEntry(la, qp.Bytes(signature))
+		qp.ListEntry(la, qp.Node(sigPayloadNode))
+	})
+}
+
+// FindTag inspects the given token IPLD representation and extract the token tag.
+func FindTag(node datamodel.Node) (string, error) {
+	sigPayloadNode, err := node.LookupByIndex(1)
+	if err != nil {
+		return "", err
+	}
+
+	if sigPayloadNode.Kind() != datamodel.Kind_Map {
+		return "", fmt.Errorf("unexpected type instead of map")
+	}
+
+	it := sigPayloadNode.MapIterator()
+	i := 0
+
+	for !it.Done() {
+		if i >= 2 {
+			return "", fmt.Errorf("expected two and only two fields in SigPayload")
+		}
+		i++
+
+		k, _, err := it.Next()
+		if err != nil {
+			return "", err
+		}
+
+		key, err := k.AsString()
+		if err != nil {
+			return "", err
+		}
+
+		if strings.HasPrefix(key, UCANTagPrefix) {
+			return key, nil
+		}
+	}
+	return "", fmt.Errorf("no token tag found")
+}
+
+type Info struct {
+	Tag              string
+	Signature        []byte
+	VarsigHeader     []byte
+	sigPayloadNode   datamodel.Node // private, we don't want to expose that
+	tokenPayloadNode datamodel.Node // private, we don't want to expose that
+}
+
+// Inspect inspects the given token IPLD representation and extract some envelope facts.
+func Inspect(node datamodel.Node) (Info, error) {
+	var res Info
+
+	signatureNode, err := node.LookupByIndex(0)
+	if err != nil {
+		return Info{}, err
+	}
+
+	res.Signature, err = signatureNode.AsBytes()
+	if err != nil {
+		return Info{}, err
+	}
+
+	res.sigPayloadNode, err = node.LookupByIndex(1)
+	if err != nil {
+		return Info{}, err
+	}
+
+	if res.sigPayloadNode.Kind() != datamodel.Kind_Map {
+		return Info{}, fmt.Errorf("unexpected type instead of map")
+	}
+
+	it := res.sigPayloadNode.MapIterator()
+	foundVarsigHeader := false
+	foundTokenPayload := false
+	i := 0
+
+	for !it.Done() {
+		if i >= 2 {
+			return Info{}, fmt.Errorf("expected two and only two fields in SigPayload")
+		}
+		i++
+
+		k, v, err := it.Next()
+		if err != nil {
+			return Info{}, err
+		}
+
+		key, err := k.AsString()
+		if err != nil {
+			return Info{}, err
+		}
+
+		switch {
+		case key == VarsigHeaderKey:
+			foundVarsigHeader = true
+			res.VarsigHeader, err = v.AsBytes()
+			if err != nil {
+				return Info{}, err
+			}
+		case strings.HasPrefix(key, UCANTagPrefix):
+			foundTokenPayload = true
+			res.Tag = key
+			res.tokenPayloadNode = v
+		default:
+			return Info{}, fmt.Errorf("unexpected key type %q", key)
+		}
+	}
+
+	if i != 2 {
+		return Info{}, fmt.Errorf("expected two and only two fields in SigPayload: %d", i)
+	}
+	if !foundVarsigHeader {
+		return Info{}, errors.New("failed to find VarsigHeader field")
+	}
+	if !foundTokenPayload {
+		return Info{}, errors.New("failed to find TokenPayload field")
+	}
+
+	return res, nil
+}

token/internal/envelope/ipld_test.go

@@ -0,0 +1,209 @@
+package envelope_test
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"encoding/base64"
+	"os"
+	"testing"
+
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/codec/dagcbor"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gotest.tools/v3/golden"
+
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+)
+
+func TestDecode(t *testing.T) {
+	t.Parallel()
+
+	t.Run("via FromDagCbor", func(t *testing.T) {
+		t.Parallel()
+
+		data := golden.Get(t, "example.dagcbor")
+
+		tkn, err := envelope.FromDagCbor[*Example](data)
+		require.NoError(t, err)
+		assert.Equal(t, exampleGreeting, tkn.Hello)
+		assert.Equal(t, exampleDID, tkn.Issuer)
+	})
+
+	t.Run("via FromDagJson", func(t *testing.T) {
+		t.Parallel()
+
+		data := golden.Get(t, "example.dagjson")
+
+		tkn, err := envelope.FromDagJson[*Example](data)
+		require.NoError(t, err)
+		assert.Equal(t, exampleGreeting, tkn.Hello)
+		assert.Equal(t, exampleDID, tkn.Issuer)
+	})
+}
+
+func TestEncode(t *testing.T) {
+	t.Parallel()
+
+	t.Run("via ToDagCbor", func(t *testing.T) {
+		t.Parallel()
+
+		data, err := envelope.ToDagCbor(examplePrivKey(t), newExample(t))
+		require.NoError(t, err)
+		golden.AssertBytes(t, data, exampleDAGCBORFilename)
+	})
+
+	t.Run("via ToDagJson", func(t *testing.T) {
+		t.Parallel()
+
+		data, err := envelope.ToDagJson(examplePrivKey(t), newExample(t))
+		require.NoError(t, err)
+		golden.Assert(t, string(data), exampleDAGJSONFilename)
+	})
+}
+
+func TestRoundtrip(t *testing.T) {
+	t.Parallel()
+
+	t.Run("via FromDagCbor/ToDagCbor", func(t *testing.T) {
+		t.Parallel()
+
+		dataIn := golden.Get(t, exampleDAGCBORFilename)
+
+		tkn, err := envelope.FromDagCbor[*Example](dataIn)
+		require.NoError(t, err)
+		assert.Equal(t, exampleGreeting, tkn.Hello)
+		assert.Equal(t, exampleDID, tkn.Issuer)
+
+		dataOut, err := envelope.ToDagCbor(examplePrivKey(t), newExample(t))
+		require.NoError(t, err)
+		assert.Equal(t, dataIn, dataOut)
+	})
+
+	t.Run("via FromDagCborReader/ToDagCborWriter", func(t *testing.T) {
+		t.Parallel()
+
+		data := golden.Get(t, exampleDAGCBORFilename)
+
+		tkn, err := envelope.FromDagCborReader[*Example](bytes.NewReader(data))
+		require.NoError(t, err)
+		assert.Equal(t, exampleGreeting, tkn.Hello)
+		assert.Equal(t, exampleDID, tkn.Issuer)
+
+		w := &bytes.Buffer{}
+		require.NoError(t, envelope.ToDagCborWriter(w, examplePrivKey(t), newExample(t)))
+		assert.Equal(t, data, w.Bytes())
+	})
+
+	t.Run("via FromDagJson/ToDagJson", func(t *testing.T) {
+		t.Parallel()
+
+		dataIn := golden.Get(t, exampleDAGJSONFilename)
+
+		tkn, err := envelope.FromDagJson[*Example](dataIn)
+		require.NoError(t, err)
+		assert.Equal(t, exampleGreeting, tkn.Hello)
+		assert.Equal(t, exampleDID, tkn.Issuer)
+
+		dataOut, err := envelope.ToDagJson(examplePrivKey(t), newExample(t))
+		require.NoError(t, err)
+		assert.Equal(t, dataIn, dataOut)
+	})
+
+	t.Run("via FromDagJsonReader/ToDagJsonrWriter", func(t *testing.T) {
+		t.Parallel()
+
+		data := golden.Get(t, exampleDAGJSONFilename)
+
+		tkn, err := envelope.FromDagJsonReader[*Example](bytes.NewReader(data))
+		require.NoError(t, err)
+		assert.Equal(t, exampleGreeting, tkn.Hello)
+		assert.Equal(t, exampleDID, tkn.Issuer)
+
+		w := &bytes.Buffer{}
+		require.NoError(t, envelope.ToDagJsonWriter(w, examplePrivKey(t), newExample(t)))
+		assert.Equal(t, data, w.Bytes())
+	})
+}
+
+func TestFromIPLD_with_invalid_signature(t *testing.T) {
+	t.Parallel()
+
+	node := invalidNodeFromGolden(t)
+	tkn, err := envelope.FromIPLD[*Example](node)
+	assert.Nil(t, tkn)
+	require.EqualError(t, err, "failed to verify the token's signature")
+}
+
+func TestHash(t *testing.T) {
+	t.Parallel()
+
+	msg := []byte("this is a test")
+
+	hash1 := sha256.Sum256(msg)
+
+	hasher := sha256.New()
+
+	for _, b := range msg {
+		hasher.Write([]byte{b})
+	}
+
+	hash2 := hasher.Sum(nil)
+	hash3 := hasher.Sum(nil)
+
+	require.Equal(t, hash1[:], hash2)
+	require.Equal(t, hash1[:], hash3)
+}
+
+func TestInspect(t *testing.T) {
+	t.Parallel()
+
+	data := golden.Get(t, "example.dagcbor")
+	node, err := ipld.Decode(data, dagcbor.Decode)
+	require.NoError(t, err)
+
+	expSig, err := base64.RawStdEncoding.DecodeString("fPqfwL3iFpbw9SvBiq0DIbUurv9o6c36R08tC/yslGrJcwV51ghzWahxdetpEf6T5LCszXX9I/K8khvnmAxjAg")
+	require.NoError(t, err)
+
+	info, err := envelope.Inspect(node)
+	require.NoError(t, err)
+	assert.Equal(t, expSig, info.Signature)
+	assert.Equal(t, "ucan/example@v1.0.0-rc.1", info.Tag)
+	assert.Equal(t, []byte{0x34, 0xed, 0x1, 0x71}, info.VarsigHeader)
+}
+
+func FuzzInspect(f *testing.F) {
+	data, err := os.ReadFile("testdata/example.dagcbor")
+	require.NoError(f, err)
+
+	f.Add(data)
+
+	f.Fuzz(func(t *testing.T, data []byte) {
+		node, err := ipld.Decode(data, dagcbor.Decode)
+		if err != nil {
+			t.Skip()
+		}
+		_, err = envelope.Inspect(node)
+		if err != nil {
+			t.Skip()
+		}
+	})
+}
+
+func FuzzFindTag(f *testing.F) {
+	data, err := os.ReadFile("testdata/example.dagcbor")
+	require.NoError(f, err)
+
+	f.Add(data)
+
+	f.Fuzz(func(t *testing.T, data []byte) {
+		node, err := ipld.Decode(data, dagcbor.Decode)
+		if err != nil {
+			t.Skip()
+		}
+		_, err = envelope.FindTag(node)
+		if err != nil {
+			t.Skip()
+		}
+	})
+}

token/internal/envelope/testdata/example.dagcbor

@@ -0,0 +1 @@
+‚X@|úŸÀ½â–ðõ+ÁŠ­!µ.®ÿhéÍúGO-ü¬”jÉsyÖsY¨quëiþ“ä°¬Íuý#ò¼’ç˜c¢ahD4í
qxucan/example@v1.0.0-rc.1¢cissx8did:key:z6MkpuK2Amsu1RqcLGgmHHQHhvmeXCCBVsM4XFSg2cCyg4Nhehelloeworld

token/internal/envelope/testdata/example.dagjson

@@ -0,0 +1 @@
+[{"/":{"bytes":"fPqfwL3iFpbw9SvBiq0DIbUurv9o6c36R08tC/yslGrJcwV51ghzWahxdetpEf6T5LCszXX9I/K8khvnmAxjAg"}},{"h":{"/":{"bytes":"NO0BcQ"}},"ucan/example@v1.0.0-rc.1":{"hello":"world","iss":"did:key:z6MkpuK2Amsu1RqcLGgmHHQHhvmeXCCBVsM4XFSg2cCyg4Nh"}}]

token/internal/envelope/testdata/example.ipldsch

@@ -0,0 +1,6 @@
+type DID string
+
+type Example struct {
+  hello String
+  issuer DID (rename "iss")
+}

token/internal/varsig/varsig.go

@@ -0,0 +1,133 @@
+// Package varsig implements the portion of the [varsig specification]
+// that's needed for the UCAN [Envelope].
+//
+// While the [Envelope] specification has a field that's labelled
+// "VarsigHeader", this field is actually the prefix, header and segments
+// of the body excluding the signature itself (which is a different field
+// in the [Envelope]).
+//
+// Given that [go-ucan] supports a limited number of public key types,
+// and that the signature isn't part of the resulting field, the values
+// that are used are constants.  Note that for key types that are fully
+// specified in the [did:key], the [VarsigHeader] field isn't technically
+// needed and could theoretically conflict with the DID.
+//
+// Treating these values as constants has no impact when issuing or
+// delegating tokens.  When decoding tokens, simply matching the strings
+// will allow us to detect errors but won't provide as much detail (e.g.
+// we can't indicate that the signature was incorrectly generated from
+// a DAG-JSON encoding.)
+//
+// [varsig specification]: https://github.com/ChainAgnostic/varsig
+// [Envelope]:https://github.com/ucan-wg/spec#envelope
+// [go-ucan]: https://github.com/ucan-wg/go-ucan
+package varsig
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+
+	"github.com/libp2p/go-libp2p/core/crypto/pb"
+	"github.com/multiformats/go-multicodec"
+)
+
+const (
+	Prefix = 0x34
+)
+
+// ErrUnknownHeader is returned when it's not possible to decode the
+// provided string into a libp2p public key type.
+var ErrUnknownHeader = errors.New("could not decode unknown header")
+
+// ErrUnknownKeyType is returned when value provided is not a valid
+// libp2p public key type.
+var ErrUnknownKeyType = errors.New("could not encode unsupported key type")
+
+var (
+	decMap = headerToKeyType()
+	encMap = keyTypeToHeader()
+)
+
+// Decode returns either the pb.KeyType associated with the provided Header
+// or an error.
+//
+// Currently, only the four key types supported by the [go-libp2p/core/crypto]
+// library are supported.
+//
+// [go-libp2p/core/crypto]: github.com/libp2p/go-libp2p/core/crypto
+func Decode(header []byte) (pb.KeyType, error) {
+	keyType, ok := decMap[string(header)]
+	if !ok {
+		return -1, fmt.Errorf("%w: %s", ErrUnknownHeader, header)
+	}
+
+	return keyType, nil
+}
+
+// Encode returns either the header associated with the provided pb.KeyType
+// or an error indicating the header was unknown.
+//
+// Currently, only the four key types supported by the [go-libp2p/core/crypto]
+// library are supported.
+//
+// [go-libp2p/core/crypto]: github.com/libp2p/go-libp2p/core/crypto
+func Encode(keyType pb.KeyType) ([]byte, error) {
+	header, ok := encMap[keyType]
+	if !ok {
+		return nil, fmt.Errorf("%w: %s", ErrUnknownKeyType, keyType.String())
+	}
+
+	return []byte(header), nil
+}
+
+func keyTypeToHeader() map[pb.KeyType]string {
+	const rsaSigLen = 0x100
+
+	return map[pb.KeyType]string{
+		pb.KeyType_RSA: header(
+			Prefix,
+			multicodec.RsaPub,
+			multicodec.Sha2_256,
+			rsaSigLen,
+			multicodec.DagCbor,
+		),
+		pb.KeyType_Ed25519: header(
+			Prefix,
+			multicodec.Ed25519Pub,
+			multicodec.DagCbor,
+		),
+		pb.KeyType_Secp256k1: header(
+			Prefix,
+			multicodec.Secp256k1Pub,
+			multicodec.Sha2_256,
+			multicodec.DagCbor,
+		),
+		pb.KeyType_ECDSA: header(
+			Prefix,
+			multicodec.Es256,
+			multicodec.Sha2_256,
+			multicodec.DagCbor,
+		),
+	}
+}
+
+func headerToKeyType() map[string]pb.KeyType {
+	out := make(map[string]pb.KeyType, len(encMap))
+
+	for keyType, header := range encMap {
+		out[header] = keyType
+	}
+
+	return out
+}
+
+func header(vals ...multicodec.Code) string {
+	var buf []byte
+
+	for _, val := range vals {
+		buf = binary.AppendUvarint(buf, uint64(val))
+	}
+
+	return string(buf)
+}

token/internal/varsig/varsig_test.go

@@ -0,0 +1,51 @@
+package varsig_test
+
+import (
+	"encoding/base64"
+	"fmt"
+	"testing"
+
+	"github.com/libp2p/go-libp2p/core/crypto/pb"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/ucan-wg/go-ucan/token/internal/varsig"
+)
+
+func TestDecode(t *testing.T) {
+	t.Parallel()
+
+	notAHeader := base64.RawStdEncoding.EncodeToString([]byte("not a header"))
+	keyType, err := varsig.Decode([]byte(notAHeader))
+	assert.Equal(t, pb.KeyType(-1), keyType)
+	assert.ErrorIs(t, err, varsig.ErrUnknownHeader)
+}
+
+func ExampleDecode() {
+	hdr, err := base64.RawStdEncoding.DecodeString("NIUkEoACcQ")
+	if err != nil {
+		fmt.Println(err.Error())
+
+		return
+	}
+
+	keyType, _ := varsig.Decode(hdr)
+	fmt.Println(keyType.String())
+	// Output:
+	// RSA
+}
+
+func TestEncode(t *testing.T) {
+	t.Parallel()
+
+	header, err := varsig.Encode(pb.KeyType(99))
+	assert.Nil(t, header)
+	assert.ErrorIs(t, err, varsig.ErrUnknownKeyType)
+}
+
+func ExampleEncode() {
+	header, _ := varsig.Encode(pb.KeyType_RSA)
+	fmt.Println(base64.RawStdEncoding.EncodeToString(header))
+
+	// Output:
+	// NIUkEoACcQ
+}

token/read.go

@@ -0,0 +1,80 @@
+package token
+
+import (
+	"fmt"
+	"io"
+
+	"github.com/ipld/go-ipld-prime"
+	"github.com/ipld/go-ipld-prime/codec"
+	"github.com/ipld/go-ipld-prime/codec/dagcbor"
+	"github.com/ipld/go-ipld-prime/codec/dagjson"
+	"github.com/ipld/go-ipld-prime/datamodel"
+
+	"github.com/ucan-wg/go-ucan/token/delegation"
+	"github.com/ucan-wg/go-ucan/token/internal/envelope"
+)
+
+// Decode unmarshals the input data using the format specified by the
+// provided codec.Decoder into an arbitrary UCAN token.
+// An error is returned if the conversion fails, or if the resulting
+// Token is invalid.
+// Supported and returned types are:
+// - delegation.Token
+func Decode(b []byte, decFn codec.Decoder) (Token, error) {
+	node, err := ipld.Decode(b, decFn)
+	if err != nil {
+		return nil, err
+	}
+	return fromIPLD(node)
+}
+
+// DecodeReader is the same as Decode, but accept an io.Reader.
+func DecodeReader(r io.Reader, decFn codec.Decoder) (Token, error) {
+	node, err := ipld.DecodeStreaming(r, decFn)
+	if err != nil {
+		return nil, err
+	}
+	return fromIPLD(node)
+}
+
+// FromDagCbor unmarshals an arbitrary DagCbor encoded UCAN token.
+// An error is returned if the conversion fails, or if the resulting
+// Token is invalid.
+// Supported and returned types are:
+// - delegation.Token
+func FromDagCbor(b []byte) (Token, error) {
+	return Decode(b, dagcbor.Decode)
+}
+
+// FromDagCborReader is the same as FromDagCbor, but accept an io.Reader.
+func FromDagCborReader(r io.Reader) (Token, error) {
+	return DecodeReader(r, dagcbor.Decode)
+}
+
+// FromDagCbor unmarshals an arbitrary DagJson encoded UCAN token.
+// An error is returned if the conversion fails, or if the resulting
+// Token is invalid.
+// Supported and returned types are:
+// - delegation.Token
+func FromDagJson(b []byte) (Token, error) {
+	return Decode(b, dagjson.Decode)
+}
+
+// FromDagJsonReader is the same as FromDagJson, but accept an io.Reader.
+func FromDagJsonReader(r io.Reader) (Token, error) {
+	return DecodeReader(r, dagjson.Decode)
+}
+
+func fromIPLD(node datamodel.Node) (Token, error) {
+	tag, err := envelope.FindTag(node)
+	if err != nil {
+		return nil, err
+	}
+
+	switch tag {
+	case delegation.Tag:
+		return delegation.FromIPLD(node)
+	default:
+		return nil, fmt.Errorf(`unknown tag "%s"`, tag)
+	}
+}