nats-io
diff --git a/‎core/src/test/java/io/nats/nkey/NKeyProviderTests.java‎
Lines changed: 71 additions & 0 deletions b/‎core/src/test/java/io/nats/nkey/NKeyProviderTests.java‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎core/src/test/resources/test-nkeys.txt‎
Lines changed: 350 additions & 0 deletions b/‎core/src/test/resources/test-nkeys.txt‎
Lines changed: 350 additions & 0 deletions
diff --git a/‎fips/src/main/java/io/nats/nkey/FipsNKeyProvider.java‎
Lines changed: 70 additions & 4 deletions b/‎fips/src/main/java/io/nats/nkey/FipsNKeyProvider.java‎
Lines changed: 70 additions & 4 deletions
diff --git a/‎fips/src/main/java/io/nats/nkey/PrivateKeyWrapper.java‎
Lines changed: 32 additions & 0 deletions b/‎fips/src/main/java/io/nats/nkey/PrivateKeyWrapper.java‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎fips/src/main/java/io/nats/nkey/PublicKeyWrapper.java‎
Lines changed: 32 additions & 0 deletions b/‎fips/src/main/java/io/nats/nkey/PublicKeyWrapper.java‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎fips/src/test/java/io/nats/nkey/FipsProviderTests.java‎
Lines changed: 41 additions & 0 deletions b/‎fips/src/test/java/io/nats/nkey/FipsProviderTests.java‎
Lines changed: 41 additions & 0 deletions
@@ -21,6 +21,7 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.List;
 
 import static io.nats.nkey.NKeyConstants.NKEY_PROVIDER_CLASS_SYSTEM_PROPERTY;
 import static io.nats.nkey.NKeyProvider.getProvider;
@@ -464,4 +465,74 @@ private static void _testFromPublicKey(String userEncodedSeed, String userEncode
         assertArrayEquals(userEncodedPubKey.toCharArray(), fromSeed.getPublicKey());
         assertArrayEquals(userEncodedPubKey.toCharArray(), fromKey.getPublicKey());
     }
+
+    static byte[] TO_SIGN = "Synadia".getBytes(StandardCharsets.UTF_8);
+
+    @Test
+    public void testFromText() {
+        List<String> inputs = ResourceUtils.resourceAsLines("test-nkeys.txt");
+        for (int i = 0; i < inputs.size(); ) {
+            String name = inputs.get(i++);
+            int prefix = Integer.parseInt(inputs.get(i++));
+            char[] seed = inputs.get(i++).toCharArray();
+            char[] publicKey = inputs.get(i++).toCharArray();
+            char[] privateKey = inputs.get(i++).toCharArray();
+            byte[] decoded = toBytes(inputs.get(i++));
+            byte[] signed = toBytes(inputs.get(i++));
+
+            NKeyType type = NKeyType.fromPrefix(prefix);
+            assertNotNull(type);
+            assertEquals(name, type.name());
+
+            NKey fromSeed = PROVIDER.fromSeed(seed);
+            NKey fromPublicKey = PROVIDER.fromPublicKey(publicKey);
+
+            assertArrayEquals(seed, fromSeed.getSeed());
+            assertArrayEquals(publicKey, fromSeed.getPublicKey());
+            assertArrayEquals(privateKey, fromSeed.getPrivateKey());
+            assertArrayEquals(publicKey, fromPublicKey.getPublicKey());
+            assertEquals(prefix, fromSeed.getDecodedSeed().prefix);
+            assertArrayEquals(decoded, fromSeed.getDecodedSeed().bytes);
+            assertArrayEquals(signed, fromSeed.sign(TO_SIGN));
+        }
+    }
+
+    @Test
+    public void testGenerateTestNkeysText() {
+        for (int x = 0; x < 10; x++) {
+            generateTestNkeysText(PROVIDER.createUser());
+            generateTestNkeysText(PROVIDER.createAccount());
+            generateTestNkeysText(PROVIDER.createOperator());
+            generateTestNkeysText(PROVIDER.createServer());
+            generateTestNkeysText(PROVIDER.createCluster());
+        }
+    }
+
+    private static void generateTestNkeysText(NKey theKey) {
+        char[] seed = theKey.getSeed();
+        char[] publicKey = theKey.getPublicKey();
+        char[] privateKey = theKey.getPrivateKey();
+        System.out.println(theKey.getType());
+        System.out.println(theKey.getType().prefix);
+        System.out.println(new String(seed));
+        System.out.println(new String(publicKey));
+        System.out.println(new String(privateKey));
+        byte[] bytes = theKey.getDecodedSeed().bytes;
+        System.out.println(toString(bytes));
+        bytes = theKey.sign(TO_SIGN);
+        System.out.println(toString(bytes));
+    }
+
+    private static String toString(byte[] bytes) {
+        return Arrays.toString(bytes).replace("[", "").replace("]", "").replace(" ", "");
+    }
+
+    private byte[] toBytes(String s) {
+        String[] split = s.split(",");
+        byte[] decoded = new byte[split.length];
+        for (int i = 0; i < split.length; i++) {
+            decoded[i] = (byte) Integer.parseInt(split[i]);
+        }
+        return decoded;
+    }
 }
@@ -1,10 +1,22 @@
 package io.nats.nkey;
 
+import org.bouncycastle.crypto.UpdateOutputStream;
+import org.bouncycastle.crypto.asymmetric.AsymmetricEdDSAPrivateKey;
+import org.bouncycastle.crypto.asymmetric.AsymmetricEdDSAPublicKey;
+import org.bouncycastle.crypto.fips.FipsEdEC;
+import org.bouncycastle.crypto.fips.FipsOutputSigner;
+import org.bouncycastle.crypto.fips.FipsOutputVerifier;
 import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
 import org.jspecify.annotations.NullMarked;
 
+import java.io.IOException;
 import java.security.*;
 
+import static io.nats.nkey.NKeyConstants.ED25519_PUBLIC_KEYSIZE;
+import static io.nats.nkey.NKeyConstants.ED25519_SEED_SIZE;
+import static io.nats.nkey.NKeyProviderUtils.encodeSeed;
+import static io.nats.nkey.NKeyProviderUtils.nkeyDecode;
+
 @NullMarked
 public class FipsNKeyProvider extends NKeyProvider {
     static {
@@ -26,7 +38,14 @@ public FipsNKeyProvider() {
      */
     @Override
     public NKey createNKey(NKeyType type, byte[] seed) {
-        throw new UnsupportedOperationException("createPair not supported yet.");
+        byte[] pubBytes = FipsEdEC.computePublicData(FipsEdEC.Ed25519.getAlgorithm(), seed);
+
+        byte[] bytes = new byte[pubBytes.length + seed.length];
+        System.arraycopy(seed, 0, bytes, 0, seed.length);
+        System.arraycopy(pubBytes, 0, bytes, seed.length, pubBytes.length);
+
+        char[] encoded = encodeSeed(type, bytes);
+        return new NKey(this, type, null, encoded);
     }
 
     /**
@@ -35,22 +54,69 @@ public NKey createNKey(NKeyType type, byte[] seed) {
     @Override
     public KeyPair getKeyPair(NKey nkey) {
         nkey.ensurePair();
-        throw new UnsupportedOperationException("getKeyPair not supported yet.");
+        NKeyDecodedSeed decoded = nkey.getDecodedSeed();
+        byte[] seedBytes = new byte[ED25519_SEED_SIZE];
+        byte[] pubBytes = new byte[ED25519_PUBLIC_KEYSIZE];
+
+        System.arraycopy(decoded.bytes, 0, seedBytes, 0, seedBytes.length);
+        System.arraycopy(decoded.bytes, seedBytes.length, pubBytes, 0, pubBytes.length);
+
+        AsymmetricEdDSAPrivateKey privateKey = new AsymmetricEdDSAPrivateKey(FipsEdEC.Ed25519.getAlgorithm(), seedBytes, pubBytes);
+        AsymmetricEdDSAPublicKey publicKey = new AsymmetricEdDSAPublicKey(FipsEdEC.Ed25519.getAlgorithm(), pubBytes);
+
+        return new KeyPair(new PublicKeyWrapper(publicKey), new PrivateKeyWrapper(privateKey));
     }
 
     /**
      * {@inheritDoc}
      */
     @Override
     public byte[] sign(NKey nkey, byte[] input) {
-        throw new UnsupportedOperationException("sign not supported yet.");
+        byte[] seedBytes = nkey.getKeyPair().getPrivate().getEncoded();
+        byte[] pubBytes = nkey.getKeyPair().getPublic().getEncoded();
+        AsymmetricEdDSAPrivateKey privateKey = new AsymmetricEdDSAPrivateKey(FipsEdEC.Ed25519.getAlgorithm(), seedBytes, pubBytes);
+
+        FipsEdEC.EdDSAOperatorFactory factory = new FipsEdEC.EdDSAOperatorFactory();
+        FipsOutputSigner<FipsEdEC.Parameters> signer = factory.createSigner(privateKey, FipsEdEC.EdDSA);
+
+        try {
+            UpdateOutputStream stream = signer.getSigningStream();
+            stream.update(input, 0, input.length);
+            stream.close();
+            return signer.getSignature();
+        }
+        catch (IOException e) {
+            throw new RuntimeException(e);
+        }
     }
 
     /**
      * {@inheritDoc}
      */
     @Override
     public boolean verify(NKey nkey, byte[] input, byte[] signature) {
-        throw new UnsupportedOperationException("verify not supported yet.");
+        AsymmetricEdDSAPublicKey publicKey;
+        if (nkey.isPair()) {
+            byte[] pubBytes = nkey.getKeyPair().getPublic().getEncoded();
+            publicKey = new AsymmetricEdDSAPublicKey(FipsEdEC.Ed25519.getAlgorithm(), pubBytes);
+        }
+        else {
+            char[] encodedPublicKey = nkey.getPublicKey();
+            byte[] decodedPublicKey = nkeyDecode(nkey.getType(), encodedPublicKey);
+            publicKey = new AsymmetricEdDSAPublicKey(FipsEdEC.Ed25519.getAlgorithm(), decodedPublicKey);
+        }
+
+        FipsEdEC.EdDSAOperatorFactory factory = new FipsEdEC.EdDSAOperatorFactory();
+        FipsOutputVerifier<FipsEdEC.Parameters> verifier = factory.createVerifier(publicKey, FipsEdEC.EdDSA);
+
+        try {
+            UpdateOutputStream stream = verifier.getVerifyingStream();
+            stream.update(input, 0, input.length);
+            stream.close();
+            return verifier.isVerified(signature);
+        }
+        catch (IOException e) {
+            throw new RuntimeException(e);
+        }
     }
 }
@@ -0,0 +1,32 @@
+// Copyright 2025-2026 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at:
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package io.nats.nkey;
+
+import org.bouncycastle.crypto.asymmetric.AsymmetricEdDSAPrivateKey;
+
+import java.security.PrivateKey;
+
+class PrivateKeyWrapper extends KeyWrapper implements PrivateKey {
+
+    final AsymmetricEdDSAPrivateKey privateKey;
+
+    public PrivateKeyWrapper(AsymmetricEdDSAPrivateKey privateKey) {
+        this.privateKey = privateKey;
+    }
+
+    @Override
+    public byte[] getEncoded() {
+        return privateKey.getSecret();
+    }
+}
@@ -0,0 +1,32 @@
+// Copyright 2025-2026 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at:
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package io.nats.nkey;
+
+import org.bouncycastle.crypto.asymmetric.AsymmetricEdDSAPublicKey;
+
+import java.security.PublicKey;
+
+class PublicKeyWrapper extends KeyWrapper implements PublicKey {
+
+    final AsymmetricEdDSAPublicKey publicKey;
+
+    public PublicKeyWrapper(AsymmetricEdDSAPublicKey publicKey) {
+        this.publicKey = publicKey;
+    }
+
+    @Override
+    public byte[] getEncoded() {
+        return publicKey.getPublicData();
+    }
+}
@@ -21,6 +21,7 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.Base64;
+import java.util.List;
 
 import static io.nats.nkey.NKeyConstants.NKEY_PROVIDER_CLASS_SYSTEM_PROPERTY;
 import static io.nats.nkey.NKeyProvider.getProvider;
@@ -463,4 +464,44 @@ private static void _testFromPublicKey(String userEncodedSeed, String userEncode
         assertArrayEquals(userEncodedPubKey.toCharArray(), fromSeed.getPublicKey());
         assertArrayEquals(userEncodedPubKey.toCharArray(), fromKey.getPublicKey());
     }
+
+    static byte[] TO_SIGN = "Synadia".getBytes(StandardCharsets.UTF_8);
+
+    @Test
+    public void testFromText() {
+        List<String> inputs = ResourceUtils.resourceAsLines("test-nkeys.txt");
+        for (int i = 0; i < inputs.size(); ) {
+            String name = inputs.get(i++);
+            int prefix = Integer.parseInt(inputs.get(i++));
+            char[] seed = inputs.get(i++).toCharArray();
+            char[] publicKey = inputs.get(i++).toCharArray();
+            char[] privateKey = inputs.get(i++).toCharArray();
+            byte[] decoded = toBytes(inputs.get(i++));
+            byte[] signed = toBytes(inputs.get(i++));
+
+            NKeyType type = NKeyType.fromPrefix(prefix);
+            assertNotNull(type);
+            assertEquals(name, type.name());
+
+            NKey fromSeed = PROVIDER.fromSeed(seed);
+            NKey fromPublicKey = PROVIDER.fromPublicKey(publicKey);
+
+            assertArrayEquals(seed, fromSeed.getSeed());
+            assertArrayEquals(publicKey, fromSeed.getPublicKey());
+            assertArrayEquals(privateKey, fromSeed.getPrivateKey());
+            assertArrayEquals(publicKey, fromPublicKey.getPublicKey());
+            assertEquals(prefix, fromSeed.getDecodedSeed().prefix);
+            assertArrayEquals(decoded, fromSeed.getDecodedSeed().bytes);
+            assertArrayEquals(signed, fromSeed.sign(TO_SIGN));
+        }
+    }
+
+    private byte[] toBytes(String s) {
+        String[] split = s.split(",");
+        byte[] decoded = new byte[split.length];
+        for (int i = 0; i < split.length; i++) {
+            decoded[i] = (byte) Integer.parseInt(split[i]);
+        }
+        return decoded;
+    }
 }