@agentunion/fastaun 0.2.20 → 0.3.0

package/dist/v2/crypto/ecdh.js

@@ -0,0 +1,122 @@
+/**
+ * ECDH P-256 — AUN E2EE V2 协议要求所有 SDK 的 ECDH 输出字节级一致。
+ *
+ * 共享秘密为 P-256 曲线点乘后的 X 坐标（32 字节，big-endian）。
+ *
+ * 实现选型：
+ * - 使用 Node `crypto` 模块（非 WebCrypto，TS SDK 目标为 Node 环境）
+ * - `createECDH('prime256v1')` 计算 X 坐标
+ * - 公钥使用 DER SubjectPublicKeyInfo 编码（与 Python/Go SDK 对齐）
+ * - 通过 JWK 中转完成 DER ↔ 未压缩点（0x04 || X || Y）的转换
+ */
+import { createECDH, createPublicKey } from 'node:crypto';
+/**
+ * 把 base64url 字符串解码为 32 字节大端序无前导零填充的字节数组。
+ * 解决 JWK x/y 可能因高位为 0 而被截短的问题。
+ */
+function b64uToFixed32(b64url) {
+    const buf = Buffer.from(b64url, 'base64url');
+    if (buf.length === 32)
+        return buf;
+    if (buf.length < 32) {
+        const padded = Buffer.alloc(32);
+        buf.copy(padded, 32 - buf.length);
+        return padded;
+    }
+    // 长度 > 32：去掉前导 0x00 填充
+    const start = buf.length - 32;
+    for (let i = 0; i < start; i++) {
+        if (buf[i] !== 0) {
+            throw new Error(`invalid EC coordinate: length=${buf.length}, leading non-zero byte`);
+        }
+    }
+    return buf.subarray(start, buf.length);
+}
+/**
+ * 把未压缩点（0x04 || X(32) || Y(32)）的 X/Y 坐标转换为 SPKI DER 公钥。
+ */
+function uncompressedPointToDer(uncompressed) {
+    if (uncompressed.length !== 65 || uncompressed[0] !== 0x04) {
+        throw new Error('invalid uncompressed P-256 point');
+    }
+    const x = uncompressed.subarray(1, 33);
+    const y = uncompressed.subarray(33, 65);
+    const pubKey = createPublicKey({
+        key: {
+            kty: 'EC',
+            crv: 'P-256',
+            x: x.toString('base64url'),
+            y: y.toString('base64url'),
+        },
+        format: 'jwk',
+    });
+    return pubKey.export({ format: 'der', type: 'spki' });
+}
+/**
+ * 计算 ECDH 共享秘密（P-256 X 坐标，32 字节）。
+ *
+ * @param privateKeyScalar 32 字节 P-256 私钥标量（big-endian）
+ * @param peerPublicKeyDer DER SubjectPublicKeyInfo 编码的对端公钥
+ * @returns 32 字节共享秘密（X 坐标 big-endian）
+ */
+export function ecdhComputeShared(privateKeyScalar, peerPublicKeyDer) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`expected 32-byte P-256 private scalar, got ${privateKeyScalar.length}`);
+    }
+    const ecdh = createECDH('prime256v1');
+    ecdh.setPrivateKey(Buffer.from(privateKeyScalar));
+    // 解析 DER SPKI 公钥 → 提取未压缩点（0x04 || X || Y）
+    const peerPubKey = createPublicKey({
+        key: Buffer.from(peerPublicKeyDer),
+        format: 'der',
+        type: 'spki',
+    });
+    const jwk = peerPubKey.export({ format: 'jwk' });
+    if (jwk.kty !== 'EC' || jwk.crv !== 'P-256' || !jwk.x || !jwk.y) {
+        throw new Error('peer public key is not a P-256 EC key');
+    }
+    const x = b64uToFixed32(jwk.x);
+    const y = b64uToFixed32(jwk.y);
+    const uncompressed = Buffer.concat([Buffer.from([0x04]), x, y]);
+    // ECDH.computeSecret 默认返回 X 坐标（32 字节大端序）
+    const shared = ecdh.computeSecret(uncompressed);
+    return new Uint8Array(shared);
+}
+/**
+ * 生成 P-256 密钥对。
+ *
+ * @returns [privateKeyScalar 32B, publicKeyDer SPKI]
+ */
+export function generateP256Keypair() {
+    const ecdh = createECDH('prime256v1');
+    const pubUncompressed = ecdh.generateKeys();
+    const priv = ecdh.getPrivateKey();
+    // setPrivateKey/generateKeys 返回的 priv 可能少于 32 字节（高位为 0），左零填充
+    let privPadded;
+    if (priv.length === 32) {
+        privPadded = priv;
+    }
+    else if (priv.length < 32) {
+        privPadded = Buffer.alloc(32);
+        priv.copy(privPadded, 32 - priv.length);
+    }
+    else {
+        throw new Error(`unexpected P-256 private key length: ${priv.length}`);
+    }
+    const pubDer = uncompressedPointToDer(pubUncompressed);
+    return [new Uint8Array(privPadded), new Uint8Array(pubDer)];
+}
+/**
+ * 从私钥标量导出公钥 DER（SPKI 编码）。
+ */
+export function privateToPublicDer(privateKeyScalar) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`expected 32-byte P-256 private scalar, got ${privateKeyScalar.length}`);
+    }
+    const ecdh = createECDH('prime256v1');
+    ecdh.setPrivateKey(Buffer.from(privateKeyScalar));
+    const pubUncompressed = ecdh.getPublicKey();
+    const pubDer = uncompressedPointToDer(pubUncompressed);
+    return new Uint8Array(pubDer);
+}
+//# sourceMappingURL=ecdh.js.map

package/dist/v2/crypto/ecdh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdh.js","sourceRoot":"","sources":["../../../src/v2/crypto/ecdh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE1D;;;GAGG;AACH,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC7C,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,GAAG,CAAC;IAClC,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,uBAAuB;IACvB,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,yBAAyB,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,YAAoB;IAClD,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,MAAM,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,eAAe,CAAC;QAC7B,GAAG,EAAE;YACH,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,OAAO;YACZ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC1B,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;SAC3B;QACD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAC/B,gBAA4B,EAC5B,gBAA4B;IAE5B,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAElD,0CAA0C;IAC1C,MAAM,UAAU,GAAG,eAAe,CAAC;QACjC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC;QAClC,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACjD,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAEhE,yCAAyC;IACzC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;IAChD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;IAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;IAElC,6DAA6D;IAC7D,IAAI,UAAkB,CAAC;IACvB,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvB,UAAU,GAAG,IAAI,CAAC;IACpB,CAAC;SAAM,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC5B,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,wCAAwC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,MAAM,GAAG,sBAAsB,CAAC,eAAe,CAAC,CAAC;IACvD,OAAO,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,gBAA4B;IAC7D,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAClD,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;IAC5C,MAAM,MAAM,GAAG,sBAAsB,CAAC,eAAe,CAAC,CAAC;IACvD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC"}

package/dist/v2/crypto/ecdsa.d.ts

@@ -0,0 +1,29 @@
+/**
+ * AUN E2EE V2: ECDSA-SHA256 RAW（RFC 6979 deterministic）
+ *
+ * 规范引用：§3.1
+ * - 曲线 P-256
+ * - RFC 6979 deterministic nonce（必须）
+ * - 输出 RAW 编码 r(32B)||s(32B)
+ *
+ * 实现选型：
+ * - 使用 @noble/curves/nist 提供 deterministic ECDSA
+ * - 公钥使用 DER SubjectPublicKeyInfo（与 Python/Go 对齐）
+ *   通过 Node createPublicKey 提取未压缩点（0x04||X||Y）后传给 noble
+ */
+/**
+ * ECDSA-SHA256 签名（RFC 6979 deterministic），输出 RAW 编码 r||s（64 字节）。
+ *
+ * @param privateKeyScalar P-256 私钥标量（32 字节 big-endian）
+ * @param message 待签名消息原文
+ * @returns 64 字节签名
+ */
+export declare function ecdsaSignRaw(privateKeyScalar: Uint8Array, message: Uint8Array): Uint8Array;
+/**
+ * ECDSA-SHA256 验签（RAW 64 字节签名）。
+ */
+export declare function ecdsaVerifyRaw(publicKeyDer: Uint8Array, signatureRaw: Uint8Array, message: Uint8Array): boolean;
+/**
+ * 仅用于本地校验：根据 P-256 私钥派生公钥的 DER SPKI 编码。
+ */
+export declare function privateScalarToPublicDer(privateKeyScalar: Uint8Array): Uint8Array;

package/dist/v2/crypto/ecdsa.js

@@ -0,0 +1,120 @@
+/**
+ * AUN E2EE V2: ECDSA-SHA256 RAW（RFC 6979 deterministic）
+ *
+ * 规范引用：§3.1
+ * - 曲线 P-256
+ * - RFC 6979 deterministic nonce（必须）
+ * - 输出 RAW 编码 r(32B)||s(32B)
+ *
+ * 实现选型：
+ * - 使用 @noble/curves/nist 提供 deterministic ECDSA
+ * - 公钥使用 DER SubjectPublicKeyInfo（与 Python/Go 对齐）
+ *   通过 Node createPublicKey 提取未压缩点（0x04||X||Y）后传给 noble
+ */
+import { p256 } from '@noble/curves/nist.js';
+import { createPublicKey } from 'node:crypto';
+/**
+ * 把 base64url 字符串解码为 32 字节大端序无前导零填充的字节数组。
+ */
+function b64uToFixed32(b64url) {
+    const buf = Buffer.from(b64url, 'base64url');
+    if (buf.length === 32)
+        return buf;
+    if (buf.length < 32) {
+        const padded = Buffer.alloc(32);
+        buf.copy(padded, 32 - buf.length);
+        return padded;
+    }
+    const start = buf.length - 32;
+    for (let i = 0; i < start; i++) {
+        if (buf[i] !== 0) {
+            throw new Error(`invalid EC coordinate: length=${buf.length}, leading non-zero byte`);
+        }
+    }
+    return buf.subarray(start, buf.length);
+}
+/**
+ * 从 DER SPKI 编码公钥提取未压缩点（0x04||X||Y），共 65 字节。
+ */
+function derSpkiToUncompressed(publicKeyDer) {
+    const pub = createPublicKey({
+        key: Buffer.from(publicKeyDer),
+        format: 'der',
+        type: 'spki',
+    });
+    const jwk = pub.export({ format: 'jwk' });
+    if (jwk.kty !== 'EC' || jwk.crv !== 'P-256' || !jwk.x || !jwk.y) {
+        throw new Error('public key is not a P-256 EC key');
+    }
+    const x = b64uToFixed32(jwk.x);
+    const y = b64uToFixed32(jwk.y);
+    return Buffer.concat([Buffer.from([0x04]), x, y]);
+}
+/**
+ * ECDSA-SHA256 签名（RFC 6979 deterministic），输出 RAW 编码 r||s（64 字节）。
+ *
+ * @param privateKeyScalar P-256 私钥标量（32 字节 big-endian）
+ * @param message 待签名消息原文
+ * @returns 64 字节签名
+ */
+export function ecdsaSignRaw(privateKeyScalar, message) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`expected 32-byte P-256 private scalar, got ${privateKeyScalar.length}`);
+    }
+    // 显式 prehash=true（默认值），noble 会用 SHA-256 摘要。
+    // lowS=false 与 Python/Go SDK 行为对齐（不强制低 S）。
+    // format='compact' 是默认值，输出 64B = r||s。
+    const sig = p256.sign(message, privateKeyScalar, {
+        prehash: true,
+        lowS: false,
+        format: 'compact',
+    });
+    if (sig.length !== 64) {
+        throw new Error(`unexpected signature length: ${sig.length}`);
+    }
+    return sig;
+}
+/**
+ * ECDSA-SHA256 验签（RAW 64 字节签名）。
+ */
+export function ecdsaVerifyRaw(publicKeyDer, signatureRaw, message) {
+    if (signatureRaw.length !== 64)
+        return false;
+    try {
+        const uncompressed = derSpkiToUncompressed(publicKeyDer);
+        return p256.verify(signatureRaw, message, uncompressed, {
+            prehash: true,
+            lowS: false,
+            format: 'compact',
+        });
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * 仅用于本地校验：根据 P-256 私钥派生公钥的 DER SPKI 编码。
+ */
+export function privateScalarToPublicDer(privateKeyScalar) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`expected 32-byte P-256 private scalar, got ${privateKeyScalar.length}`);
+    }
+    // noble 返回未压缩 65 字节
+    const uncompressed = p256.getPublicKey(privateKeyScalar, false);
+    if (uncompressed.length !== 65 || uncompressed[0] !== 0x04) {
+        throw new Error('failed to derive uncompressed P-256 public key');
+    }
+    const x = uncompressed.subarray(1, 33);
+    const y = uncompressed.subarray(33, 65);
+    const pubKey = createPublicKey({
+        key: {
+            kty: 'EC',
+            crv: 'P-256',
+            x: Buffer.from(x).toString('base64url'),
+            y: Buffer.from(y).toString('base64url'),
+        },
+        format: 'jwk',
+    });
+    return new Uint8Array(pubKey.export({ format: 'der', type: 'spki' }));
+}
+//# sourceMappingURL=ecdsa.js.map

package/dist/v2/crypto/ecdsa.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdsa.js","sourceRoot":"","sources":["../../../src/v2/crypto/ecdsa.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAC;AAC7C,OAAO,EAAc,eAAe,EAAE,MAAM,aAAa,CAAC;AAE1D;;GAEG;AACH,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC7C,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,GAAG,CAAC;IAClC,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,yBAAyB,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,YAAwB;IACrD,MAAM,GAAG,GAAG,eAAe,CAAC;QAC1B,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC;QAC9B,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1C,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,gBAA4B,EAC5B,OAAmB;IAEnB,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,4CAA4C;IAC5C,2CAA2C;IAC3C,uCAAuC;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,gBAAgB,EAAE;QAC/C,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,KAAK;QACX,MAAM,EAAE,SAAS;KAClB,CAAC,CAAC;IACH,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,YAAwB,EACxB,YAAwB,EACxB,OAAmB;IAEnB,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,OAAO,EAAE,YAAY,EAAE;YACtD,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,KAAK;YACX,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,gBAA4B;IACnE,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,oBAAoB;IACpB,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;IAChE,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,MAAM,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,eAAe,CAAC;QAC7B,GAAG,EAAE;YACH,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,OAAO;YACZ,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;YACvC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;SACxC;QACD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;AACxE,CAAC"}

package/dist/v2/crypto/hkdf.d.ts

@@ -0,0 +1,19 @@
+/**
+ * AUN E2EE V2: HKDF-SHA256（RFC 5869）
+ *
+ * 规范引用：用于 1DH/3DH wrap_key 派生（info 分别为 "AUN-V2-1DH" 和 "AUN-V2-3DH"）。
+ *
+ * 实现选型：
+ * - Node `crypto` 模块 HMAC-SHA256
+ * - 空 salt 视为 32 字节零（HashLen）
+ */
+/**
+ * HKDF-SHA256（RFC 5869）。
+ *
+ * @param ikm  Input keying material
+ * @param salt Salt（可为空，空时按规范用 HashLen 字节零填充）
+ * @param info Optional context and application specific information
+ * @param length 期望输出字节长度（不能超过 255 * HashLen）
+ * @returns OKM（output keying material）
+ */
+export declare function hkdfSha256(ikm: Uint8Array, salt: Uint8Array, info: Uint8Array, length: number): Uint8Array;

package/dist/v2/crypto/hkdf.js

@@ -0,0 +1,47 @@
+/**
+ * AUN E2EE V2: HKDF-SHA256（RFC 5869）
+ *
+ * 规范引用：用于 1DH/3DH wrap_key 派生（info 分别为 "AUN-V2-1DH" 和 "AUN-V2-3DH"）。
+ *
+ * 实现选型：
+ * - Node `crypto` 模块 HMAC-SHA256
+ * - 空 salt 视为 32 字节零（HashLen）
+ */
+import { createHmac } from 'node:crypto';
+const HASH_LEN = 32; // SHA-256 输出长度
+/**
+ * HKDF-SHA256（RFC 5869）。
+ *
+ * @param ikm  Input keying material
+ * @param salt Salt（可为空，空时按规范用 HashLen 字节零填充）
+ * @param info Optional context and application specific information
+ * @param length 期望输出字节长度（不能超过 255 * HashLen）
+ * @returns OKM（output keying material）
+ */
+export function hkdfSha256(ikm, salt, info, length) {
+    if (length < 0 || length > 255 * HASH_LEN) {
+        throw new Error(`HKDF length out of range: ${length}`);
+    }
+    // RFC 5869 §2.2: salt 为空时使用 HashLen 字节零
+    const realSalt = salt.length === 0 ? new Uint8Array(HASH_LEN) : salt;
+    // Extract: PRK = HMAC-SHA256(salt, IKM)
+    const prk = createHmac('sha256', realSalt).update(ikm).digest();
+    // Expand: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)
+    const out = new Uint8Array(length);
+    let t = new Uint8Array(0);
+    let pos = 0;
+    let counter = 1;
+    while (pos < length) {
+        const hmac = createHmac('sha256', prk);
+        hmac.update(t);
+        hmac.update(info);
+        hmac.update(Uint8Array.of(counter));
+        t = hmac.digest();
+        const remaining = length - pos;
+        out.set(t.subarray(0, Math.min(remaining, t.length)), pos);
+        pos += t.length;
+        counter++;
+    }
+    return out;
+}
+//# sourceMappingURL=hkdf.js.map

package/dist/v2/crypto/hkdf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.js","sourceRoot":"","sources":["../../../src/v2/crypto/hkdf.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,QAAQ,GAAG,EAAE,CAAC,CAAC,eAAe;AAEpC;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CACxB,GAAe,EACf,IAAgB,EAChB,IAAgB,EAChB,MAAc;IAEd,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,GAAG,GAAG,QAAQ,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,wCAAwC;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAErE,wCAAwC;IACxC,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;IAEhE,uDAAuD;IACvD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC1B,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,OAAO,GAAG,GAAG,MAAM,EAAE,CAAC;QACpB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAClB,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QACpC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,MAAM,GAAG,GAAG,CAAC;QAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC3D,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;QAChB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/v2/crypto/index.d.ts

@@ -0,0 +1,8 @@
+export { canonicalJson, canonicalStringify } from './canonical.js';
+export { ecdhComputeShared, generateP256Keypair, privateToPublicDer } from './ecdh.js';
+export { hkdfSha256 } from './hkdf.js';
+export { aesGcmEncrypt, aesGcmDecrypt } from './aead.js';
+export { ecdsaSignRaw, ecdsaVerifyRaw, privateScalarToPublicDer } from './ecdsa.js';
+export { compute1DHWrap, compute3DHWrap, INFO_1DH, INFO_3DH, WRAP_KEY_LENGTH, } from './dh-path.js';
+export { sortRecipients, computeLeafHash, computeMerkleRoot, computeMerkleProof, verifyMerkleProof, computeRecipientsDigest, } from './recipients.js';
+export type { ProofStep } from './recipients.js';

package/dist/v2/crypto/index.js

@@ -0,0 +1,8 @@
+export { canonicalJson, canonicalStringify } from './canonical.js';
+export { ecdhComputeShared, generateP256Keypair, privateToPublicDer } from './ecdh.js';
+export { hkdfSha256 } from './hkdf.js';
+export { aesGcmEncrypt, aesGcmDecrypt } from './aead.js';
+export { ecdsaSignRaw, ecdsaVerifyRaw, privateScalarToPublicDer } from './ecdsa.js';
+export { compute1DHWrap, compute3DHWrap, INFO_1DH, INFO_3DH, WRAP_KEY_LENGTH, } from './dh-path.js';
+export { sortRecipients, computeLeafHash, computeMerkleRoot, computeMerkleProof, verifyMerkleProof, computeRecipientsDigest, } from './recipients.js';
+//# sourceMappingURL=index.js.map

package/dist/v2/crypto/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/v2/crypto/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACvF,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AACpF,OAAO,EACL,cAAc,EACd,cAAc,EACd,QAAQ,EACR,QAAQ,EACR,eAAe,GAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,iBAAiB,CAAC"}

package/dist/v2/crypto/recipients.d.ts

@@ -0,0 +1,32 @@
+/**
+ * AUN E2EE V2: Recipients 排序与 Merkle Digest
+ *
+ * 规范引用：§5.3 / §10.3
+ *
+ * - 行排序：(aid asc, device_id asc, role asc) 字典序
+ * - 每行固定 8 字段：[aid, device_id, role, key_source, fp, spk_id, wrap_nonce, wrapped_key]
+ * - Digest = Merkle root（leaf/inner 各有独立前缀）
+ * - 奇数节点复制最后一个
+ */
+export interface ProofStep {
+    sibling: string;
+    position: 'L' | 'R';
+}
+/** 按 (aid, device_id, role) 字典序稳定排序 recipients。 */
+export declare function sortRecipients(rows: string[][]): string[][];
+/** 计算单个 recipient 行的 leaf hash（32 字节）。 */
+export declare function computeLeafHash(row: string[]): Uint8Array;
+/**
+ * 计算 recipients 的 Merkle root（hex）。空列表返回空字符串（与 Python 一致）。
+ */
+export declare function computeMerkleRoot(rows: string[][]): string;
+/** 兼容入口，等价 computeMerkleRoot。调用方应先调 sortRecipients。 */
+export declare function computeRecipientsDigest(rows: string[][]): string;
+/**
+ * 为 targetIndex 行生成 Merkle proof（log N 步）。
+ */
+export declare function computeMerkleProof(rows: string[][], targetIndex: number): ProofStep[];
+/**
+ * 验证 leaf + proof 重建出的 root 与期望值一致。
+ */
+export declare function verifyMerkleProof(leaf: Uint8Array, proof: ProofStep[], expectedRootHex: string): boolean;

package/dist/v2/crypto/recipients.js

@@ -0,0 +1,183 @@
+/**
+ * AUN E2EE V2: Recipients 排序与 Merkle Digest
+ *
+ * 规范引用：§5.3 / §10.3
+ *
+ * - 行排序：(aid asc, device_id asc, role asc) 字典序
+ * - 每行固定 8 字段：[aid, device_id, role, key_source, fp, spk_id, wrap_nonce, wrapped_key]
+ * - Digest = Merkle root（leaf/inner 各有独立前缀）
+ * - 奇数节点复制最后一个
+ */
+import { createHash } from 'node:crypto';
+const TEXT = new TextEncoder();
+const LEAF_PREFIX = TEXT.encode('AUN-V2-RCPT-LEAF-v1');
+const NODE_PREFIX = TEXT.encode('AUN-V2-RCPT-NODE-v1');
+/** 按 (aid, device_id, role) 字典序稳定排序 recipients。 */
+export function sortRecipients(rows) {
+    return [...rows].sort((a, b) => {
+        const ka0 = a[0] ?? '';
+        const kb0 = b[0] ?? '';
+        if (ka0 !== kb0)
+            return ka0 < kb0 ? -1 : 1;
+        const ka1 = a[1] ?? '';
+        const kb1 = b[1] ?? '';
+        if (ka1 !== kb1)
+            return ka1 < kb1 ? -1 : 1;
+        const ka2 = a[2] ?? '';
+        const kb2 = b[2] ?? '';
+        if (ka2 !== kb2)
+            return ka2 < kb2 ? -1 : 1;
+        return 0;
+    });
+}
+/**
+ * wrap_nonce / wrapped_key 字段优先按 base64 解码，失败则按 utf-8 字节回退（与 Python 行为一致）。
+ */
+function decodeOrRaw(value) {
+    if (!value)
+        return new Uint8Array(0);
+    // Node Buffer.from(..., 'base64') 对非法字符会忽略而非抛错，
+    // 因此校验"再编码回去"是否一致来判断输入是否合法 base64。
+    // 这与 Python base64.b64decode(value) 的行为相近：
+    // 不合法时 Python 抛错 → 我们 fallback 到 utf-8。
+    // 不过 Python 默认非严格模式也容错；这里采用与 Python 完全等价的判定：
+    // 1) 仅含 base64 字符集 [A-Za-z0-9+/=]
+    // 2) 长度是 4 的倍数
+    // 否则按 utf-8 处理。
+    if (isLikelyBase64(value)) {
+        try {
+            const decoded = Buffer.from(value, 'base64');
+            // 双重校验：重编码与原值一致（忽略 padding 差异）。
+            const reencoded = decoded.toString('base64');
+            // 比较时归一化 padding：Python 会抛 binascii.Error 在 padding 不正确时。
+            if (reencoded === value || reencoded.replace(/=+$/, '') === value.replace(/=+$/, '')) {
+                return new Uint8Array(decoded);
+            }
+        }
+        catch {
+            /* fallthrough */
+        }
+    }
+    return new Uint8Array(TEXT.encode(value));
+}
+function isLikelyBase64(s) {
+    if (s.length === 0)
+        return false;
+    if (s.length % 4 !== 0)
+        return false;
+    return /^[A-Za-z0-9+/]+={0,2}$/.test(s);
+}
+/** 计算单个 recipient 行的 leaf hash（32 字节）。 */
+export function computeLeafHash(row) {
+    const aid = TEXT.encode(String(row[0] ?? ''));
+    const deviceId = TEXT.encode(String(row[1] ?? ''));
+    const role = TEXT.encode(String(row[2] ?? ''));
+    const keySource = TEXT.encode(String(row[3] ?? ''));
+    const fp = TEXT.encode(String(row[4] ?? ''));
+    const spkId = TEXT.encode(String(row[5] ?? ''));
+    const wrapNonce = decodeOrRaw(String(row[6] ?? ''));
+    const wrappedKey = decodeOrRaw(String(row[7] ?? ''));
+    const h = createHash('sha256');
+    h.update(LEAF_PREFIX);
+    h.update(aid);
+    h.update(Uint8Array.of(0));
+    h.update(deviceId);
+    h.update(Uint8Array.of(0));
+    h.update(role);
+    h.update(Uint8Array.of(0));
+    h.update(keySource);
+    h.update(Uint8Array.of(0));
+    h.update(fp);
+    h.update(Uint8Array.of(0));
+    h.update(spkId);
+    h.update(Uint8Array.of(0));
+    h.update(wrapNonce);
+    h.update(wrappedKey);
+    return new Uint8Array(h.digest());
+}
+function nodeHash(left, right) {
+    const h = createHash('sha256');
+    h.update(NODE_PREFIX);
+    h.update(left);
+    h.update(right);
+    return new Uint8Array(h.digest());
+}
+function merkleRootFromLeaves(leaves) {
+    if (leaves.length === 1)
+        return leaves[0];
+    let layer = [...leaves];
+    while (layer.length > 1) {
+        if (layer.length % 2 === 1)
+            layer.push(layer[layer.length - 1]);
+        const next = [];
+        for (let i = 0; i < layer.length; i += 2) {
+            next.push(nodeHash(layer[i], layer[i + 1]));
+        }
+        layer = next;
+    }
+    return layer[0];
+}
+/**
+ * 计算 recipients 的 Merkle root（hex）。空列表返回空字符串（与 Python 一致）。
+ */
+export function computeMerkleRoot(rows) {
+    if (rows.length === 0)
+        return '';
+    const leaves = rows.map(computeLeafHash);
+    return Buffer.from(merkleRootFromLeaves(leaves)).toString('hex');
+}
+/** 兼容入口，等价 computeMerkleRoot。调用方应先调 sortRecipients。 */
+export function computeRecipientsDigest(rows) {
+    return computeMerkleRoot(rows);
+}
+/**
+ * 为 targetIndex 行生成 Merkle proof（log N 步）。
+ */
+export function computeMerkleProof(rows, targetIndex) {
+    if (rows.length === 0 || targetIndex < 0 || targetIndex >= rows.length)
+        return [];
+    const leaves = rows.map(computeLeafHash);
+    const proof = [];
+    let layer = [...leaves];
+    let idx = targetIndex;
+    while (layer.length > 1) {
+        if (layer.length % 2 === 1)
+            layer.push(layer[layer.length - 1]);
+        const siblingIdx = idx ^ 1;
+        proof.push({
+            sibling: Buffer.from(layer[siblingIdx]).toString('hex'),
+            position: siblingIdx > idx ? 'R' : 'L',
+        });
+        const next = [];
+        for (let i = 0; i < layer.length; i += 2) {
+            next.push(nodeHash(layer[i], layer[i + 1]));
+        }
+        layer = next;
+        idx = Math.floor(idx / 2);
+    }
+    return proof;
+}
+/**
+ * 验证 leaf + proof 重建出的 root 与期望值一致。
+ */
+export function verifyMerkleProof(leaf, proof, expectedRootHex) {
+    if (!expectedRootHex)
+        return false;
+    let cur = leaf;
+    for (const step of proof) {
+        if (!/^[0-9a-fA-F]*$/.test(step.sibling) || step.sibling.length % 2 !== 0)
+            return false;
+        const sibling = Uint8Array.from(Buffer.from(step.sibling, 'hex'));
+        if (step.position === 'L') {
+            cur = nodeHash(sibling, cur);
+        }
+        else if (step.position === 'R') {
+            cur = nodeHash(cur, sibling);
+        }
+        else {
+            return false;
+        }
+    }
+    return Buffer.from(cur).toString('hex') === expectedRootHex;
+}
+//# sourceMappingURL=recipients.js.map

package/dist/v2/crypto/recipients.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"recipients.js","sourceRoot":"","sources":["../../../src/v2/crypto/recipients.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;AAC/B,MAAM,WAAW,GAAe,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;AACnE,MAAM,WAAW,GAAe,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;AAOnE,mDAAmD;AACnD,MAAM,UAAU,cAAc,CAAC,IAAgB;IAC7C,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC7B,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,KAAK,GAAG;YAAE,OAAO,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3C,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,KAAK,GAAG;YAAE,OAAO,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3C,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,KAAK,GAAG;YAAE,OAAO,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3C,OAAO,CAAC,CAAC;IACX,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,KAAa;IAChC,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IACrC,gDAAgD;IAChD,mCAAmC;IACnC,2CAA2C;IAC3C,wCAAwC;IACxC,6CAA6C;IAC7C,kCAAkC;IAClC,eAAe;IACf,gBAAgB;IAChB,IAAI,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YAC7C,gCAAgC;YAChC,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC7C,0DAA0D;YAC1D,IAAI,SAAS,KAAK,KAAK,IAAI,SAAS,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,EAAE,CAAC;gBACrF,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC,CAAC;YACjC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;IACH,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAC/B,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACjC,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,0CAA0C;AAC1C,MAAM,UAAU,eAAe,CAAC,GAAa;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC9C,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACpD,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IACpD,MAAM,UAAU,GAAG,WAAW,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAErD,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACtB,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/C,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACzC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpB,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACrB,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,QAAQ,CAAC,IAAgB,EAAE,KAAiB;IACnD,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACtB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACf,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAChB,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAoB;IAChD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;IAC1C,IAAI,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IACxB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;QAChE,MAAM,IAAI,GAAiB,EAAE,CAAC;QAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,CAAC;QACD,KAAK,GAAG,IAAI,CAAC;IACf,CAAC;IACD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,IAAgB;IAChD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACzC,OAAO,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACnE,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,uBAAuB,CAAC,IAAgB;IACtD,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC;AACjC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAgB,EAAE,WAAmB;IACtE,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,GAAG,CAAC,IAAI,WAAW,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,CAAC;IAClF,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACzC,MAAM,KAAK,GAAgB,EAAE,CAAC;IAC9B,IAAI,KAAK,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IACxB,IAAI,GAAG,GAAG,WAAW,CAAC;IACtB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;YAAE,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC;QAChE,MAAM,UAAU,GAAG,GAAG,GAAG,CAAC,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC;YACT,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;YACvD,QAAQ,EAAE,UAAU,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;SACvC,CAAC,CAAC;QACH,MAAM,IAAI,GAAiB,EAAE,CAAC;QAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,CAAC;QACD,KAAK,GAAG,IAAI,CAAC;QACb,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAC5B,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,IAAgB,EAChB,KAAkB,EAClB,eAAuB;IAEvB,IAAI,CAAC,eAAe;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACxF,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;QAClE,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;YAC1B,GAAG,GAAG,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC/B,CAAC;aAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;YACjC,GAAG,GAAG,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC/B,CAAC;aAAM,CAAC;YACN,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,KAAK,eAAe,CAAC;AAC9D,CAAC"}

package/dist/v2/e2ee/decrypt.d.ts

@@ -0,0 +1,29 @@
+/**
+ * AUN E2EE V2: 统一解密引擎
+ *
+ * 支持 P2P 和 Group 消息解密（按 envelope.type / 字段结构分流）。
+ * 纯计算，无 IO。
+ *
+ * 与 Python `aun_core.v2.e2ee.decrypt.decrypt_message` 对齐。
+ *
+ * 流程：
+ *  1. 验 sender_signature
+ *  2. 找自己的 row（recipients 数组或 per-device recipient + 可选 merkle_proof）
+ *  3. 计算 wrap_salt
+ *  4. 派生 wrap_key（3DH 或 1DH）
+ *  5. 解 master_key
+ *  6. 解 body
+ *  7. 解析 JSON payload
+ */
+/**
+ * 解密 V2 加密消息（P2P 或 Group）。
+ *
+ * @param envelope 完整 envelope（已 JSON.parse 的对象）
+ * @param selfAid 接收方 AID
+ * @param selfDeviceId 接收方 device_id
+ * @param selfIkPriv 接收方 IK 私钥（32B scalar）
+ * @param selfSpkPriv 接收方 SPK 私钥（32B scalar）；undefined/null 表示无 SPK（1DH）
+ * @param senderPubDer 发送方 AID 主公钥（DER），用于验签 + 3DH 接收侧 DH2
+ * @returns 解密后的 payload；null 表示在 recipients 中找不到自己的 row
+ */
+export declare function decryptMessage(envelope: Record<string, unknown>, selfAid: string, selfDeviceId: string, selfIkPriv: Uint8Array, selfSpkPriv: Uint8Array | undefined, senderPubDer: Uint8Array): Record<string, unknown> | null;