@agentunion/fastaun 0.2.20 → 0.3.1

package/dist/v2/crypto/canonical.js

@@ -0,0 +1,119 @@
+/**
+ * Canonical JSON 序列化 — AUN E2EE V2 协议要求所有 SDK 输出字节级一致。
+ *
+ * 规则：
+ * - 对象键递归字典序排序
+ * - UTF-8 直出（非 ASCII 字符不转义）
+ * - 数值：整数无小数点，浮点数无前导零、不用科学计数法
+ * - 字符串最小转义：仅 " \ \b \f \n \r \t，其它控制字符 \u00XX
+ * - 紧凑格式（无空格）
+ * - null / true / false 字面量
+ * - 数组顺序保留
+ */
+const encoder = new TextEncoder();
+/**
+ * 将任意 JSON 值序列化为 canonical JSON 的 UTF-8 字节。
+ */
+export function canonicalJson(obj) {
+    return encoder.encode(canonicalStringify(obj));
+}
+/**
+ * 将任意 JSON 值序列化为 canonical JSON 字符串。
+ */
+export function canonicalStringify(value) {
+    if (value === null)
+        return 'null';
+    if (value === true)
+        return 'true';
+    if (value === false)
+        return 'false';
+    if (typeof value === 'number') {
+        return formatNumber(value);
+    }
+    if (typeof value === 'string') {
+        return escapeString(value);
+    }
+    if (Array.isArray(value)) {
+        const items = value.map((item) => canonicalStringify(item));
+        return '[' + items.join(',') + ']';
+    }
+    if (typeof value === 'object') {
+        const keys = Object.keys(value).sort();
+        const pairs = keys.map((k) => escapeString(k) +
+            ':' +
+            canonicalStringify(value[k]));
+        return '{' + pairs.join(',') + '}';
+    }
+    // undefined 等不可序列化类型 — 按 JSON 规范不应出现
+    throw new Error(`canonicalJson: unsupported type ${typeof value}`);
+}
+function formatNumber(n) {
+    if (!isFinite(n)) {
+        throw new Error(`canonicalJson: cannot serialize ${n}`);
+    }
+    // 整数输出不带小数点
+    if (Number.isInteger(n)) {
+        // 用 toFixed(0) 避免科学计数法（如 1e21）
+        // 但 toFixed 对超大数会失败，改用条件判断
+        if (Math.abs(n) < 1e21) {
+            return n.toFixed(0);
+        }
+        // 超大整数：toString 可能用科学计数法，需要手动展开
+        return bigIntegerToString(n);
+    }
+    // 浮点数：使用 toString 输出（不用科学计数法的范围内）
+    return n.toString();
+}
+/**
+ * 将超大整数（>= 1e21）转为不带科学计数法的字符串。
+ */
+function bigIntegerToString(n) {
+    // 利用 BigInt 来避免科学计数法
+    return BigInt(n).toString();
+}
+/**
+ * 最小转义字符串序列化。
+ * 仅转义：" \ \b \f \n \r \t 和其它控制字符（U+0000..U+001F）用 \u00XX。
+ * 非 ASCII 字符直接 UTF-8 输出，不转义。
+ */
+function escapeString(s) {
+    let result = '"';
+    for (let i = 0; i < s.length; i++) {
+        const ch = s.charCodeAt(i);
+        switch (ch) {
+            case 0x22: // "
+                result += '\\"';
+                break;
+            case 0x5c: // \
+                result += '\\\\';
+                break;
+            case 0x08: // \b
+                result += '\\b';
+                break;
+            case 0x0c: // \f
+                result += '\\f';
+                break;
+            case 0x0a: // \n
+                result += '\\n';
+                break;
+            case 0x0d: // \r
+                result += '\\r';
+                break;
+            case 0x09: // \t
+                result += '\\t';
+                break;
+            default:
+                if (ch < 0x20) {
+                    // 其它控制字符用 \u00XX
+                    result += '\\u' + ch.toString(16).padStart(4, '0');
+                }
+                else {
+                    // 普通字符（含非 ASCII）直接输出
+                    result += s[i];
+                }
+        }
+    }
+    result += '"';
+    return result;
+}
+//# sourceMappingURL=canonical.js.map

package/dist/v2/crypto/canonical.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical.js","sourceRoot":"","sources":["../../../src/v2/crypto/canonical.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;AAElC;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,GAAY;IACxC,OAAO,OAAO,CAAC,MAAM,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,OAAO,CAAC;IAEpC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5D,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACrC,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,KAAgC,CAAC,CAAC,IAAI,EAAE,CAAC;QAClE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CACpB,CAAC,CAAC,EAAE,EAAE,CACJ,YAAY,CAAC,CAAC,CAAC;YACf,GAAG;YACH,kBAAkB,CAAE,KAAiC,CAAC,CAAC,CAAC,CAAC,CAC5D,CAAC;QACF,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IACrC,CAAC;IAED,qCAAqC;IACrC,MAAM,IAAI,KAAK,CAAC,mCAAmC,OAAO,KAAK,EAAE,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,EAAE,CAAC,CAAC;IAC1D,CAAC;IACD,YAAY;IACZ,IAAI,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;QACxB,+BAA+B;QAC/B,2BAA2B;QAC3B,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;YACvB,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACtB,CAAC;QACD,gCAAgC;QAChC,OAAO,kBAAkB,CAAC,CAAC,CAAC,CAAC;IAC/B,CAAC;IACD,kCAAkC;IAClC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,CAAS;IACnC,qBAAqB;IACrB,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC;AAC9B,CAAC;AAED;;;;GAIG;AACH,SAAS,YAAY,CAAC,CAAS;IAC7B,IAAI,MAAM,GAAG,GAAG,CAAC;IACjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC3B,QAAQ,EAAE,EAAE,CAAC;YACX,KAAK,IAAI,EAAE,IAAI;gBACb,MAAM,IAAI,KAAK,CAAC;gBAChB,MAAM;YACR,KAAK,IAAI,EAAE,IAAI;gBACb,MAAM,IAAI,MAAM,CAAC;gBACjB,MAAM;YACR,KAAK,IAAI,EAAE,KAAK;gBACd,MAAM,IAAI,KAAK,CAAC;gBAChB,MAAM;YACR,KAAK,IAAI,EAAE,KAAK;gBACd,MAAM,IAAI,KAAK,CAAC;gBAChB,MAAM;YACR,KAAK,IAAI,EAAE,KAAK;gBACd,MAAM,IAAI,KAAK,CAAC;gBAChB,MAAM;YACR,KAAK,IAAI,EAAE,KAAK;gBACd,MAAM,IAAI,KAAK,CAAC;gBAChB,MAAM;YACR,KAAK,IAAI,EAAE,KAAK;gBACd,MAAM,IAAI,KAAK,CAAC;gBAChB,MAAM;YACR;gBACE,IAAI,EAAE,GAAG,IAAI,EAAE,CAAC;oBACd,iBAAiB;oBACjB,MAAM,IAAI,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;gBACrD,CAAC;qBAAM,CAAC;oBACN,qBAAqB;oBACrB,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;gBACjB,CAAC;QACL,CAAC;IACH,CAAC;IACD,MAAM,IAAI,GAAG,CAAC;IACd,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/v2/crypto/dh-path.d.ts

@@ -0,0 +1,39 @@
+/**
+ * AUN E2EE V2: 1DH / 3DH wrap_key 派生
+ *
+ * 规范引用：§4.x
+ *
+ * 3DH（活跃会话）:
+ *   DH1 = ECDH(senderSessionPriv, recvIKPub)
+ *   DH2 = ECDH(senderMasterPriv,  recvSPKPub)
+ *   DH3 = ECDH(senderSessionPriv, recvSPKPub)
+ *   ikm = DH1 || DH2 || DH3
+ *   wrap_key = HKDF-SHA256(ikm, salt, info="AUN-V2-3DH", 32)
+ *
+ * 1DH（无 SPK 的回退路径）:
+ *   DH  = ECDH(senderSessionPriv, recvIKPub)
+ *   wrap_key = HKDF-SHA256(DH, salt, info="AUN-V2-1DH", 32)
+ */
+export declare const INFO_3DH: Uint8Array;
+export declare const INFO_1DH: Uint8Array;
+export declare const WRAP_KEY_LENGTH = 32;
+/**
+ * 计算 3DH wrap_key。
+ *
+ * @param senderSessionPriv 发送方会话私钥（32B 标量）
+ * @param senderMasterPriv  发送方 AID 长期主私钥（32B 标量）
+ * @param recvIKPub         接收方身份公钥 IK（DER SPKI）
+ * @param recvSPKPub        接收方 Signed PreKey 公钥 SPK（DER SPKI）
+ * @param salt              HKDF salt
+ * @returns 32 字节 wrap_key
+ */
+export declare function compute3DHWrap(senderSessionPriv: Uint8Array, senderMasterPriv: Uint8Array, recvIKPub: Uint8Array, recvSPKPub: Uint8Array, salt: Uint8Array): Uint8Array;
+/**
+ * 计算 1DH wrap_key（fallback）。
+ *
+ * @param senderSessionPriv 发送方会话私钥（32B 标量）
+ * @param recvIKPub         接收方身份公钥 IK（DER SPKI）
+ * @param salt              HKDF salt
+ * @returns 32 字节 wrap_key
+ */
+export declare function compute1DHWrap(senderSessionPriv: Uint8Array, recvIKPub: Uint8Array, salt: Uint8Array): Uint8Array;

package/dist/v2/crypto/dh-path.js

@@ -0,0 +1,55 @@
+/**
+ * AUN E2EE V2: 1DH / 3DH wrap_key 派生
+ *
+ * 规范引用：§4.x
+ *
+ * 3DH（活跃会话）:
+ *   DH1 = ECDH(senderSessionPriv, recvIKPub)
+ *   DH2 = ECDH(senderMasterPriv,  recvSPKPub)
+ *   DH3 = ECDH(senderSessionPriv, recvSPKPub)
+ *   ikm = DH1 || DH2 || DH3
+ *   wrap_key = HKDF-SHA256(ikm, salt, info="AUN-V2-3DH", 32)
+ *
+ * 1DH（无 SPK 的回退路径）:
+ *   DH  = ECDH(senderSessionPriv, recvIKPub)
+ *   wrap_key = HKDF-SHA256(DH, salt, info="AUN-V2-1DH", 32)
+ */
+import { ecdhComputeShared } from './ecdh.js';
+import { hkdfSha256 } from './hkdf.js';
+const TEXT = new TextEncoder();
+export const INFO_3DH = TEXT.encode('AUN-V2-3DH');
+export const INFO_1DH = TEXT.encode('AUN-V2-1DH');
+export const WRAP_KEY_LENGTH = 32;
+/**
+ * 计算 3DH wrap_key。
+ *
+ * @param senderSessionPriv 发送方会话私钥（32B 标量）
+ * @param senderMasterPriv  发送方 AID 长期主私钥（32B 标量）
+ * @param recvIKPub         接收方身份公钥 IK（DER SPKI）
+ * @param recvSPKPub        接收方 Signed PreKey 公钥 SPK（DER SPKI）
+ * @param salt              HKDF salt
+ * @returns 32 字节 wrap_key
+ */
+export function compute3DHWrap(senderSessionPriv, senderMasterPriv, recvIKPub, recvSPKPub, salt) {
+    const dh1 = ecdhComputeShared(senderSessionPriv, recvIKPub);
+    const dh2 = ecdhComputeShared(senderMasterPriv, recvSPKPub);
+    const dh3 = ecdhComputeShared(senderSessionPriv, recvSPKPub);
+    const ikm = new Uint8Array(96);
+    ikm.set(dh1, 0);
+    ikm.set(dh2, 32);
+    ikm.set(dh3, 64);
+    return hkdfSha256(ikm, salt, INFO_3DH, WRAP_KEY_LENGTH);
+}
+/**
+ * 计算 1DH wrap_key（fallback）。
+ *
+ * @param senderSessionPriv 发送方会话私钥（32B 标量）
+ * @param recvIKPub         接收方身份公钥 IK（DER SPKI）
+ * @param salt              HKDF salt
+ * @returns 32 字节 wrap_key
+ */
+export function compute1DHWrap(senderSessionPriv, recvIKPub, salt) {
+    const dh = ecdhComputeShared(senderSessionPriv, recvIKPub);
+    return hkdfSha256(dh, salt, INFO_1DH, WRAP_KEY_LENGTH);
+}
+//# sourceMappingURL=dh-path.js.map

package/dist/v2/crypto/dh-path.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dh-path.js","sourceRoot":"","sources":["../../../src/v2/crypto/dh-path.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAEvC,MAAM,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;AAC/B,MAAM,CAAC,MAAM,QAAQ,GAAe,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;AAC9D,MAAM,CAAC,MAAM,QAAQ,GAAe,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;AAC9D,MAAM,CAAC,MAAM,eAAe,GAAG,EAAE,CAAC;AAElC;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAC5B,iBAA6B,EAC7B,gBAA4B,EAC5B,SAAqB,EACrB,UAAsB,EACtB,IAAgB;IAEhB,MAAM,GAAG,GAAG,iBAAiB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC5D,MAAM,GAAG,GAAG,iBAAiB,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;IAC5D,MAAM,GAAG,GAAG,iBAAiB,CAAC,iBAAiB,EAAE,UAAU,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IAC/B,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAChB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACjB,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACjB,OAAO,UAAU,CAAC,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;AAC1D,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAC5B,iBAA6B,EAC7B,SAAqB,EACrB,IAAgB;IAEhB,MAAM,EAAE,GAAG,iBAAiB,CAAC,iBAAiB,EAAE,SAAS,CAAC,CAAC;IAC3D,OAAO,UAAU,CAAC,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,eAAe,CAAC,CAAC;AACzD,CAAC"}

package/dist/v2/crypto/ecdh.d.ts

@@ -0,0 +1,29 @@
+/**
+ * ECDH P-256 — AUN E2EE V2 协议要求所有 SDK 的 ECDH 输出字节级一致。
+ *
+ * 共享秘密为 P-256 曲线点乘后的 X 坐标（32 字节，big-endian）。
+ *
+ * 实现选型：
+ * - 使用 Node `crypto` 模块（非 WebCrypto，TS SDK 目标为 Node 环境）
+ * - `createECDH('prime256v1')` 计算 X 坐标
+ * - 公钥使用 DER SubjectPublicKeyInfo 编码（与 Python/Go SDK 对齐）
+ * - 通过 JWK 中转完成 DER ↔ 未压缩点（0x04 || X || Y）的转换
+ */
+/**
+ * 计算 ECDH 共享秘密（P-256 X 坐标，32 字节）。
+ *
+ * @param privateKeyScalar 32 字节 P-256 私钥标量（big-endian）
+ * @param peerPublicKeyDer DER SubjectPublicKeyInfo 编码的对端公钥
+ * @returns 32 字节共享秘密（X 坐标 big-endian）
+ */
+export declare function ecdhComputeShared(privateKeyScalar: Uint8Array, peerPublicKeyDer: Uint8Array): Uint8Array;
+/**
+ * 生成 P-256 密钥对。
+ *
+ * @returns [privateKeyScalar 32B, publicKeyDer SPKI]
+ */
+export declare function generateP256Keypair(): [Uint8Array, Uint8Array];
+/**
+ * 从私钥标量导出公钥 DER（SPKI 编码）。
+ */
+export declare function privateToPublicDer(privateKeyScalar: Uint8Array): Uint8Array;

package/dist/v2/crypto/ecdh.js

@@ -0,0 +1,122 @@
+/**
+ * ECDH P-256 — AUN E2EE V2 协议要求所有 SDK 的 ECDH 输出字节级一致。
+ *
+ * 共享秘密为 P-256 曲线点乘后的 X 坐标（32 字节，big-endian）。
+ *
+ * 实现选型：
+ * - 使用 Node `crypto` 模块（非 WebCrypto，TS SDK 目标为 Node 环境）
+ * - `createECDH('prime256v1')` 计算 X 坐标
+ * - 公钥使用 DER SubjectPublicKeyInfo 编码（与 Python/Go SDK 对齐）
+ * - 通过 JWK 中转完成 DER ↔ 未压缩点（0x04 || X || Y）的转换
+ */
+import { createECDH, createPublicKey } from 'node:crypto';
+/**
+ * 把 base64url 字符串解码为 32 字节大端序无前导零填充的字节数组。
+ * 解决 JWK x/y 可能因高位为 0 而被截短的问题。
+ */
+function b64uToFixed32(b64url) {
+    const buf = Buffer.from(b64url, 'base64url');
+    if (buf.length === 32)
+        return buf;
+    if (buf.length < 32) {
+        const padded = Buffer.alloc(32);
+        buf.copy(padded, 32 - buf.length);
+        return padded;
+    }
+    // 长度 > 32：去掉前导 0x00 填充
+    const start = buf.length - 32;
+    for (let i = 0; i < start; i++) {
+        if (buf[i] !== 0) {
+            throw new Error(`invalid EC coordinate: length=${buf.length}, leading non-zero byte`);
+        }
+    }
+    return buf.subarray(start, buf.length);
+}
+/**
+ * 把未压缩点（0x04 || X(32) || Y(32)）的 X/Y 坐标转换为 SPKI DER 公钥。
+ */
+function uncompressedPointToDer(uncompressed) {
+    if (uncompressed.length !== 65 || uncompressed[0] !== 0x04) {
+        throw new Error('invalid uncompressed P-256 point');
+    }
+    const x = uncompressed.subarray(1, 33);
+    const y = uncompressed.subarray(33, 65);
+    const pubKey = createPublicKey({
+        key: {
+            kty: 'EC',
+            crv: 'P-256',
+            x: x.toString('base64url'),
+            y: y.toString('base64url'),
+        },
+        format: 'jwk',
+    });
+    return pubKey.export({ format: 'der', type: 'spki' });
+}
+/**
+ * 计算 ECDH 共享秘密（P-256 X 坐标，32 字节）。
+ *
+ * @param privateKeyScalar 32 字节 P-256 私钥标量（big-endian）
+ * @param peerPublicKeyDer DER SubjectPublicKeyInfo 编码的对端公钥
+ * @returns 32 字节共享秘密（X 坐标 big-endian）
+ */
+export function ecdhComputeShared(privateKeyScalar, peerPublicKeyDer) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`expected 32-byte P-256 private scalar, got ${privateKeyScalar.length}`);
+    }
+    const ecdh = createECDH('prime256v1');
+    ecdh.setPrivateKey(Buffer.from(privateKeyScalar));
+    // 解析 DER SPKI 公钥 → 提取未压缩点（0x04 || X || Y）
+    const peerPubKey = createPublicKey({
+        key: Buffer.from(peerPublicKeyDer),
+        format: 'der',
+        type: 'spki',
+    });
+    const jwk = peerPubKey.export({ format: 'jwk' });
+    if (jwk.kty !== 'EC' || jwk.crv !== 'P-256' || !jwk.x || !jwk.y) {
+        throw new Error('peer public key is not a P-256 EC key');
+    }
+    const x = b64uToFixed32(jwk.x);
+    const y = b64uToFixed32(jwk.y);
+    const uncompressed = Buffer.concat([Buffer.from([0x04]), x, y]);
+    // ECDH.computeSecret 默认返回 X 坐标（32 字节大端序）
+    const shared = ecdh.computeSecret(uncompressed);
+    return new Uint8Array(shared);
+}
+/**
+ * 生成 P-256 密钥对。
+ *
+ * @returns [privateKeyScalar 32B, publicKeyDer SPKI]
+ */
+export function generateP256Keypair() {
+    const ecdh = createECDH('prime256v1');
+    const pubUncompressed = ecdh.generateKeys();
+    const priv = ecdh.getPrivateKey();
+    // setPrivateKey/generateKeys 返回的 priv 可能少于 32 字节（高位为 0），左零填充
+    let privPadded;
+    if (priv.length === 32) {
+        privPadded = priv;
+    }
+    else if (priv.length < 32) {
+        privPadded = Buffer.alloc(32);
+        priv.copy(privPadded, 32 - priv.length);
+    }
+    else {
+        throw new Error(`unexpected P-256 private key length: ${priv.length}`);
+    }
+    const pubDer = uncompressedPointToDer(pubUncompressed);
+    return [new Uint8Array(privPadded), new Uint8Array(pubDer)];
+}
+/**
+ * 从私钥标量导出公钥 DER（SPKI 编码）。
+ */
+export function privateToPublicDer(privateKeyScalar) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`expected 32-byte P-256 private scalar, got ${privateKeyScalar.length}`);
+    }
+    const ecdh = createECDH('prime256v1');
+    ecdh.setPrivateKey(Buffer.from(privateKeyScalar));
+    const pubUncompressed = ecdh.getPublicKey();
+    const pubDer = uncompressedPointToDer(pubUncompressed);
+    return new Uint8Array(pubDer);
+}
+//# sourceMappingURL=ecdh.js.map

package/dist/v2/crypto/ecdh.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdh.js","sourceRoot":"","sources":["../../../src/v2/crypto/ecdh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,UAAU,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE1D;;;GAGG;AACH,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC7C,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,GAAG,CAAC;IAClC,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,uBAAuB;IACvB,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,yBAAyB,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,YAAoB;IAClD,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,MAAM,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,eAAe,CAAC;QAC7B,GAAG,EAAE;YACH,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,OAAO;YACZ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC1B,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;SAC3B;QACD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAC/B,gBAA4B,EAC5B,gBAA4B;IAE5B,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IAED,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAElD,0CAA0C;IAC1C,MAAM,UAAU,GAAG,eAAe,CAAC;QACjC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC;QAClC,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IACjD,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAEhE,yCAAyC;IACzC,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;IAChD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;IAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;IAElC,6DAA6D;IAC7D,IAAI,UAAkB,CAAC;IACvB,IAAI,IAAI,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACvB,UAAU,GAAG,IAAI,CAAC;IACpB,CAAC;SAAM,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC5B,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,wCAAwC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,MAAM,GAAG,sBAAsB,CAAC,eAAe,CAAC,CAAC;IACvD,OAAO,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAC9D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,gBAA4B;IAC7D,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,MAAM,IAAI,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAClD,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;IAC5C,MAAM,MAAM,GAAG,sBAAsB,CAAC,eAAe,CAAC,CAAC;IACvD,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC"}

package/dist/v2/crypto/ecdsa.d.ts

@@ -0,0 +1,29 @@
+/**
+ * AUN E2EE V2: ECDSA-SHA256 RAW（RFC 6979 deterministic）
+ *
+ * 规范引用：§3.1
+ * - 曲线 P-256
+ * - RFC 6979 deterministic nonce（必须）
+ * - 输出 RAW 编码 r(32B)||s(32B)
+ *
+ * 实现选型：
+ * - 使用 @noble/curves/nist 提供 deterministic ECDSA
+ * - 公钥使用 DER SubjectPublicKeyInfo（与 Python/Go 对齐）
+ *   通过 Node createPublicKey 提取未压缩点（0x04||X||Y）后传给 noble
+ */
+/**
+ * ECDSA-SHA256 签名（RFC 6979 deterministic），输出 RAW 编码 r||s（64 字节）。
+ *
+ * @param privateKeyScalar P-256 私钥标量（32 字节 big-endian）
+ * @param message 待签名消息原文
+ * @returns 64 字节签名
+ */
+export declare function ecdsaSignRaw(privateKeyScalar: Uint8Array, message: Uint8Array): Uint8Array;
+/**
+ * ECDSA-SHA256 验签（RAW 64 字节签名）。
+ */
+export declare function ecdsaVerifyRaw(publicKeyDer: Uint8Array, signatureRaw: Uint8Array, message: Uint8Array): boolean;
+/**
+ * 仅用于本地校验：根据 P-256 私钥派生公钥的 DER SPKI 编码。
+ */
+export declare function privateScalarToPublicDer(privateKeyScalar: Uint8Array): Uint8Array;

package/dist/v2/crypto/ecdsa.js

@@ -0,0 +1,120 @@
+/**
+ * AUN E2EE V2: ECDSA-SHA256 RAW（RFC 6979 deterministic）
+ *
+ * 规范引用：§3.1
+ * - 曲线 P-256
+ * - RFC 6979 deterministic nonce（必须）
+ * - 输出 RAW 编码 r(32B)||s(32B)
+ *
+ * 实现选型：
+ * - 使用 @noble/curves/nist 提供 deterministic ECDSA
+ * - 公钥使用 DER SubjectPublicKeyInfo（与 Python/Go 对齐）
+ *   通过 Node createPublicKey 提取未压缩点（0x04||X||Y）后传给 noble
+ */
+import { p256 } from '@noble/curves/nist.js';
+import { createPublicKey } from 'node:crypto';
+/**
+ * 把 base64url 字符串解码为 32 字节大端序无前导零填充的字节数组。
+ */
+function b64uToFixed32(b64url) {
+    const buf = Buffer.from(b64url, 'base64url');
+    if (buf.length === 32)
+        return buf;
+    if (buf.length < 32) {
+        const padded = Buffer.alloc(32);
+        buf.copy(padded, 32 - buf.length);
+        return padded;
+    }
+    const start = buf.length - 32;
+    for (let i = 0; i < start; i++) {
+        if (buf[i] !== 0) {
+            throw new Error(`invalid EC coordinate: length=${buf.length}, leading non-zero byte`);
+        }
+    }
+    return buf.subarray(start, buf.length);
+}
+/**
+ * 从 DER SPKI 编码公钥提取未压缩点（0x04||X||Y），共 65 字节。
+ */
+function derSpkiToUncompressed(publicKeyDer) {
+    const pub = createPublicKey({
+        key: Buffer.from(publicKeyDer),
+        format: 'der',
+        type: 'spki',
+    });
+    const jwk = pub.export({ format: 'jwk' });
+    if (jwk.kty !== 'EC' || jwk.crv !== 'P-256' || !jwk.x || !jwk.y) {
+        throw new Error('public key is not a P-256 EC key');
+    }
+    const x = b64uToFixed32(jwk.x);
+    const y = b64uToFixed32(jwk.y);
+    return Buffer.concat([Buffer.from([0x04]), x, y]);
+}
+/**
+ * ECDSA-SHA256 签名（RFC 6979 deterministic），输出 RAW 编码 r||s（64 字节）。
+ *
+ * @param privateKeyScalar P-256 私钥标量（32 字节 big-endian）
+ * @param message 待签名消息原文
+ * @returns 64 字节签名
+ */
+export function ecdsaSignRaw(privateKeyScalar, message) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`expected 32-byte P-256 private scalar, got ${privateKeyScalar.length}`);
+    }
+    // 显式 prehash=true（默认值），noble 会用 SHA-256 摘要。
+    // lowS=false 与 Python/Go SDK 行为对齐（不强制低 S）。
+    // format='compact' 是默认值，输出 64B = r||s。
+    const sig = p256.sign(message, privateKeyScalar, {
+        prehash: true,
+        lowS: false,
+        format: 'compact',
+    });
+    if (sig.length !== 64) {
+        throw new Error(`unexpected signature length: ${sig.length}`);
+    }
+    return sig;
+}
+/**
+ * ECDSA-SHA256 验签（RAW 64 字节签名）。
+ */
+export function ecdsaVerifyRaw(publicKeyDer, signatureRaw, message) {
+    if (signatureRaw.length !== 64)
+        return false;
+    try {
+        const uncompressed = derSpkiToUncompressed(publicKeyDer);
+        return p256.verify(signatureRaw, message, uncompressed, {
+            prehash: true,
+            lowS: false,
+            format: 'compact',
+        });
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * 仅用于本地校验：根据 P-256 私钥派生公钥的 DER SPKI 编码。
+ */
+export function privateScalarToPublicDer(privateKeyScalar) {
+    if (privateKeyScalar.length !== 32) {
+        throw new Error(`expected 32-byte P-256 private scalar, got ${privateKeyScalar.length}`);
+    }
+    // noble 返回未压缩 65 字节
+    const uncompressed = p256.getPublicKey(privateKeyScalar, false);
+    if (uncompressed.length !== 65 || uncompressed[0] !== 0x04) {
+        throw new Error('failed to derive uncompressed P-256 public key');
+    }
+    const x = uncompressed.subarray(1, 33);
+    const y = uncompressed.subarray(33, 65);
+    const pubKey = createPublicKey({
+        key: {
+            kty: 'EC',
+            crv: 'P-256',
+            x: Buffer.from(x).toString('base64url'),
+            y: Buffer.from(y).toString('base64url'),
+        },
+        format: 'jwk',
+    });
+    return new Uint8Array(pubKey.export({ format: 'der', type: 'spki' }));
+}
+//# sourceMappingURL=ecdsa.js.map

package/dist/v2/crypto/ecdsa.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ecdsa.js","sourceRoot":"","sources":["../../../src/v2/crypto/ecdsa.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,uBAAuB,CAAC;AAC7C,OAAO,EAAc,eAAe,EAAE,MAAM,aAAa,CAAC;AAE1D;;GAEG;AACH,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAC7C,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,GAAG,CAAC;IAClC,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,EAAE,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;QAClC,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,IAAI,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,CAAC,MAAM,yBAAyB,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;AACzC,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,YAAwB;IACrD,MAAM,GAAG,GAAG,eAAe,CAAC;QAC1B,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC;QAC9B,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IACH,MAAM,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1C,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,CAAC,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IAC/B,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,YAAY,CAC1B,gBAA4B,EAC5B,OAAmB;IAEnB,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,4CAA4C;IAC5C,2CAA2C;IAC3C,uCAAuC;IACvC,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,gBAAgB,EAAE;QAC/C,OAAO,EAAE,IAAI;QACb,IAAI,EAAE,KAAK;QACX,MAAM,EAAE,SAAS;KAClB,CAAC,CAAC;IACH,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAC5B,YAAwB,EACxB,YAAwB,EACxB,OAAmB;IAEnB,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAC7C,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,qBAAqB,CAAC,YAAY,CAAC,CAAC;QACzD,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,OAAO,EAAE,YAAY,EAAE;YACtD,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,KAAK;YACX,MAAM,EAAE,SAAS;SAClB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,gBAA4B;IACnE,IAAI,gBAAgB,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,8CAA8C,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3F,CAAC;IACD,oBAAoB;IACpB,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,gBAAgB,EAAE,KAAK,CAAC,CAAC;IAChE,IAAI,YAAY,CAAC,MAAM,KAAK,EAAE,IAAI,YAAY,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACvC,MAAM,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IACxC,MAAM,MAAM,GAAG,eAAe,CAAC;QAC7B,GAAG,EAAE;YACH,GAAG,EAAE,IAAI;YACT,GAAG,EAAE,OAAO;YACZ,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;YACvC,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;SACxC;QACD,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IACH,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;AACxE,CAAC"}

package/dist/v2/crypto/hkdf.d.ts

@@ -0,0 +1,19 @@
+/**
+ * AUN E2EE V2: HKDF-SHA256（RFC 5869）
+ *
+ * 规范引用：用于 1DH/3DH wrap_key 派生（info 分别为 "AUN-V2-1DH" 和 "AUN-V2-3DH"）。
+ *
+ * 实现选型：
+ * - Node `crypto` 模块 HMAC-SHA256
+ * - 空 salt 视为 32 字节零（HashLen）
+ */
+/**
+ * HKDF-SHA256（RFC 5869）。
+ *
+ * @param ikm  Input keying material
+ * @param salt Salt（可为空，空时按规范用 HashLen 字节零填充）
+ * @param info Optional context and application specific information
+ * @param length 期望输出字节长度（不能超过 255 * HashLen）
+ * @returns OKM（output keying material）
+ */
+export declare function hkdfSha256(ikm: Uint8Array, salt: Uint8Array, info: Uint8Array, length: number): Uint8Array;

package/dist/v2/crypto/hkdf.js

@@ -0,0 +1,47 @@
+/**
+ * AUN E2EE V2: HKDF-SHA256（RFC 5869）
+ *
+ * 规范引用：用于 1DH/3DH wrap_key 派生（info 分别为 "AUN-V2-1DH" 和 "AUN-V2-3DH"）。
+ *
+ * 实现选型：
+ * - Node `crypto` 模块 HMAC-SHA256
+ * - 空 salt 视为 32 字节零（HashLen）
+ */
+import { createHmac } from 'node:crypto';
+const HASH_LEN = 32; // SHA-256 输出长度
+/**
+ * HKDF-SHA256（RFC 5869）。
+ *
+ * @param ikm  Input keying material
+ * @param salt Salt（可为空，空时按规范用 HashLen 字节零填充）
+ * @param info Optional context and application specific information
+ * @param length 期望输出字节长度（不能超过 255 * HashLen）
+ * @returns OKM（output keying material）
+ */
+export function hkdfSha256(ikm, salt, info, length) {
+    if (length < 0 || length > 255 * HASH_LEN) {
+        throw new Error(`HKDF length out of range: ${length}`);
+    }
+    // RFC 5869 §2.2: salt 为空时使用 HashLen 字节零
+    const realSalt = salt.length === 0 ? new Uint8Array(HASH_LEN) : salt;
+    // Extract: PRK = HMAC-SHA256(salt, IKM)
+    const prk = createHmac('sha256', realSalt).update(ikm).digest();
+    // Expand: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)
+    const out = new Uint8Array(length);
+    let t = new Uint8Array(0);
+    let pos = 0;
+    let counter = 1;
+    while (pos < length) {
+        const hmac = createHmac('sha256', prk);
+        hmac.update(t);
+        hmac.update(info);
+        hmac.update(Uint8Array.of(counter));
+        t = hmac.digest();
+        const remaining = length - pos;
+        out.set(t.subarray(0, Math.min(remaining, t.length)), pos);
+        pos += t.length;
+        counter++;
+    }
+    return out;
+}
+//# sourceMappingURL=hkdf.js.map

package/dist/v2/crypto/hkdf.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.js","sourceRoot":"","sources":["../../../src/v2/crypto/hkdf.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,MAAM,QAAQ,GAAG,EAAE,CAAC,CAAC,eAAe;AAEpC;;;;;;;;GAQG;AACH,MAAM,UAAU,UAAU,CACxB,GAAe,EACf,IAAgB,EAChB,IAAgB,EAChB,MAAc;IAEd,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,GAAG,GAAG,QAAQ,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;IACzD,CAAC;IACD,wCAAwC;IACxC,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAErE,wCAAwC;IACxC,MAAM,GAAG,GAAG,UAAU,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC;IAEhE,uDAAuD;IACvD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,CAAC,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;IAC1B,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,OAAO,GAAG,GAAG,MAAM,EAAE,CAAC;QACpB,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACvC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAClB,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QACpC,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAClB,MAAM,SAAS,GAAG,MAAM,GAAG,GAAG,CAAC;QAC/B,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC3D,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;QAChB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/v2/crypto/index.d.ts

@@ -0,0 +1,8 @@
+export { canonicalJson, canonicalStringify } from './canonical.js';
+export { ecdhComputeShared, generateP256Keypair, privateToPublicDer } from './ecdh.js';
+export { hkdfSha256 } from './hkdf.js';
+export { aesGcmEncrypt, aesGcmDecrypt } from './aead.js';
+export { ecdsaSignRaw, ecdsaVerifyRaw, privateScalarToPublicDer } from './ecdsa.js';
+export { compute1DHWrap, compute3DHWrap, INFO_1DH, INFO_3DH, WRAP_KEY_LENGTH, } from './dh-path.js';
+export { sortRecipients, computeLeafHash, computeMerkleRoot, computeMerkleProof, verifyMerkleProof, computeRecipientsDigest, } from './recipients.js';
+export type { ProofStep } from './recipients.js';

package/dist/v2/crypto/index.js

@@ -0,0 +1,8 @@
+export { canonicalJson, canonicalStringify } from './canonical.js';
+export { ecdhComputeShared, generateP256Keypair, privateToPublicDer } from './ecdh.js';
+export { hkdfSha256 } from './hkdf.js';
+export { aesGcmEncrypt, aesGcmDecrypt } from './aead.js';
+export { ecdsaSignRaw, ecdsaVerifyRaw, privateScalarToPublicDer } from './ecdsa.js';
+export { compute1DHWrap, compute3DHWrap, INFO_1DH, INFO_3DH, WRAP_KEY_LENGTH, } from './dh-path.js';
+export { sortRecipients, computeLeafHash, computeMerkleRoot, computeMerkleProof, verifyMerkleProof, computeRecipientsDigest, } from './recipients.js';
+//# sourceMappingURL=index.js.map

package/dist/v2/crypto/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/v2/crypto/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAC;AACvF,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,YAAY,CAAC;AACpF,OAAO,EACL,cAAc,EACd,cAAc,EACd,QAAQ,EACR,QAAQ,EACR,eAAe,GAChB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,iBAAiB,CAAC"}