CODEHEAD  SYSTEMS
CODEHEAD SINCE 2005 · APACHE 2.0 / MIT

An open-source workshop, since 2005.

Run by Ned Wolpert — coding since 1981, coding for businesses since 1994. Open-source since 1998, and Codehead Systems since 2005.

§ THE CATALOGUE

Four corners of the workshop.

The most recent four projects, each with its own discipline — passkeys, password-less cryptography, a teachable identity suite, and the small Java tools in between.

PROJECT A – AUTH

pk-auth

passkeys · jvm · webauthn

A production-grade, passkeys-first authentication template for the JVM.

Ships as a reusable library set you can drop into a Spring Boot, Dropwizard, or Micronaut application. The core is framework-neutral; the host's user and credential storage is a plug-in SPI.

  • Java
  • Spring Boot
  • Dropwizard
  • Micronaut
  • WebAuthn / FIDO2
PROJECT B – CRYPTO

the Hofmann Elimination

opaque · oprf · elliptic curves

OPAQUE PAKE — a server that never sees your password.

An implementation of the OPAQUE password-authenticated key exchange, written directly from its RFC specifications. Built on OPRF and elliptic-curve cryptography. The server authenticates the client without ever receiving — or being able to derive — the password.

RFC 9380 Hash-to-Elliptic-Curve
RFC 9497 OPRF (mode 0)
RFC 9807 OPAQUE-3DH

Java implementation via Bouncy Castle, with a TypeScript client library bundled. Rust, Go, and C# implementations are next, alongside a cross-language test suite.

  • Java
  • TypeScript
  • Bouncy Castle
  • PAKE
  • Crypto Research
PROJECT C – IDENTITY

mini-auth

oauth2 · oidc · passkeys

A readable, educational family of auth & identity services.

A monorepo of six small, deployable services and two shared libraries — each one intentionally small enough to read end-to-end. Real cryptography wired into a single token plane and policy engine, runnable in a homelab.

  1. mini-kms view →

    Envelope-encryption key management.

  2. mini-idp view →

    Machine identity via OAuth2 client-credentials.

  3. mini-oidc view →

    Human SSO & OpenID Provider with passkey support.

  4. mini-gateway view →

    Forward-auth gateway for reverse proxies.

  5. mini-directory view →

    Identity source of truth.

  6. mini-ca view →

    Internal CA for mTLS workload identity.

  7. mini-token view →

    Shared token plane & JWKS management.

  8. mini-policy view →

    Authorization decision engine.

Built to teach: a concepts-first course, a code-first reading order, and labs that build and verify tokens by hand. Uses vetted, production-grade cryptographic constructions — though the project itself is unaudited.

  • Java 21
  • OAuth 2.0
  • OpenID Connect
  • WebAuthn
  • mTLS
  • Ed25519
  • Argon2id
PROJECT D – UTILS

the Libraries

java · utilities · testing

Small, sharp Java libraries — the things I keep reaching for.

A growing collection of well-scoped tools, extracted from real services so they stay practical rather than aspirational.

  1. Feature-Flag view →

    Lightweight A/B testing & feature toggles, inspired by an internal Alexa tool.

  2. Codehead Test view →

    Test utilities for Jupiter, Immutables, and Jackson. Small, easy to consume.

  3. Database Test view →

    Test helpers for Cassandra and unique-string generation.

  4. Metrics view →

    Dropwizard / Micrometer integration with Dagger support and unit-test helpers.

  5. OOP Mock view →

    Out-of-process mocking for functional tests — a spiritual successor to Amazon's Chameleon.

  6. State Machine Redux view →

    A KISS state machine. Import/export, games and services. The simpler successor.

  7. Local Queue view →

    In-process queueing primitives.

These libraries started life inside of other service, then got cleaned up enough to live on its own.

§ MAKE CONTACT

Find Ned in the wild.