npm - @byearlybird/crypto - Versions diffs - 0.0.1 → 0.1.0 - Mend

@byearlybird/crypto 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.mts CHANGED Viewed

@@ -1,25 +1,47 @@
-//#region src/encryption.d.ts
-declare function encryptData(data: string, masterKey: CryptoKey): Promise<string>;
-declare function decryptData(encryptedData: string, masterKey: CryptoKey): Promise<string>;
+import * as crypto0 from "crypto";
+//#region src/eb-auth.d.ts
+type AuthPayload = {
+  scheme: string;
+  nonce: string;
+  vaultId: string;
+  method: string;
+  pathWithQuery: string;
+  timestamp: number;
+  bodyHash?: string;
+};
+declare function deriveVaultId(publicKeyB64: string): Promise<string>;
+declare function generateAuthPayload(args: {
+  vaultId: string;
+  method: "GET" | "PUT" | "POST" | "PATCH" | "DELETE";
+  pathWithQuery: string;
+  serializedBody?: string;
+}): Promise<AuthPayload>;
+declare function makeCanonicalString(payload: AuthPayload): string;
+declare function makeAuthHeader(payload: AuthPayload, signature: string): string;
+declare function parseAuthHeader(header: string): AuthPayload & {
+  signature: string;
+};
 //#endregion
-//#region src/hash.d.ts
-declare function hash(data: string): Promise<string>;
-declare function hashObject(obj: unknown): Promise<string>;
+//#region src/encryption-keys.d.ts
+declare function generateEncryptionKey(extractable?: boolean): Promise<crypto0.webcrypto.CryptoKey>;
+declare function exportEncryptionKey(key: CryptoKey): Promise<string>;
+declare function importEncryptionKey(base64: string, extractable?: boolean): Promise<crypto0.webcrypto.CryptoKey>;
+declare function encrypt(plaintext: string, key: CryptoKey): Promise<string>;
+declare function decrypt(encoded: string, key: CryptoKey): Promise<string>;
 //#endregion
-//#region src/keys.d.ts
-type DerivedKeyResult = {
-  key: CryptoKey;
-  salt: Uint8Array;
-};
-declare function generateVaultKey(): string;
-declare function generateMasterKey(): Promise<CryptoKey>;
-declare function deriveEncryptionKey(vaultKey: string, salt?: Uint8Array): Promise<DerivedKeyResult>;
-declare function encryptMasterKey(masterKey: CryptoKey, vaultKey: string): Promise<string>;
-declare function decryptMasterKey(encryptedMasterKey: string, vaultKey: string): Promise<CryptoKey>;
-declare function generateKeys(): Promise<{
-  vaultKey: string;
-  masterKey: CryptoKey;
-  encryptedMasterKey: string;
-}>;
+//#region src/signing-keys.d.ts
+declare function generateSigningKeyPair(extractable?: boolean): Promise<CryptoKeyPair>;
+declare function exportPublicKey(key: CryptoKey): Promise<string>;
+declare function importPublicKey(spkiB64: string, extractable?: boolean): Promise<CryptoKey>;
+declare function exportPrivateKey(key: CryptoKey): Promise<string>;
+declare function importPrivateKey(pkcs8B64: string, extractable?: boolean): Promise<CryptoKey>;
+declare function sign(message: string, privateKey: CryptoKey): Promise<string>;
+declare function verify(message: string, signatureB64: string, publicKey: CryptoKey): Promise<boolean>;
+//#endregion
+//#region src/utils.d.ts
+declare function bytesToBase64(bytes: Uint8Array): string;
+declare function base64ToBytes(base64: string): Uint8Array;
+declare function hashString(value: string): Promise<string>;
 //#endregion
-export { decryptData, decryptMasterKey, deriveEncryptionKey, encryptData, encryptMasterKey, generateKeys, generateMasterKey, generateVaultKey, hash, hashObject };
+export { AuthPayload, base64ToBytes, bytesToBase64, decrypt, deriveVaultId, encrypt, exportEncryptionKey, exportPrivateKey, exportPublicKey, generateAuthPayload, generateEncryptionKey, generateSigningKeyPair, hashString, importEncryptionKey, importPrivateKey, importPublicKey, makeAuthHeader, makeCanonicalString, parseAuthHeader, sign, verify };

package/dist/index.mjs CHANGED Viewed

@@ -1,140 +1,162 @@
-//#region src/crypto-utils.ts
-function randomBytes(length) {
-	const bytes = new Uint8Array(length);
-	crypto.getRandomValues(bytes);
-	return bytes;
-}
-function concatBytes(...chunks) {
-	const total = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
-	const result = new Uint8Array(total);
-	let offset = 0;
-	for (const chunk of chunks) {
-		result.set(chunk, offset);
-		offset += chunk.length;
-	}
-	return result;
+//#region src/utils.ts
+function bytesToBase64(bytes) {
+	return Buffer.from(bytes).toString("base64");
 }
-function toBase64(bytes) {
-	return btoa(String.fromCharCode(...bytes));
+function base64ToBytes(base64) {
+	return new Uint8Array(Buffer.from(base64, "base64"));
 }
-function fromBase64(value) {
-	return Uint8Array.from(atob(value), (c) => c.charCodeAt(0));
+async function hashString(value) {
+	const hash = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(value));
+	return Buffer.from(hash).toString("hex");
 }
 //#endregion
-//#region src/encryption.ts
-const IV_LENGTH$1 = 12;
-async function encryptData(data, masterKey) {
-	const iv = randomBytes(IV_LENGTH$1);
-	const encrypted = await crypto.subtle.encrypt({
-		name: "AES-GCM",
-		iv
-	}, masterKey, new TextEncoder().encode(data));
-	return toBase64(concatBytes(iv, new Uint8Array(encrypted)));
-}
-async function decryptData(encryptedData, masterKey) {
-	const combined = fromBase64(encryptedData);
-	if (combined.length <= IV_LENGTH$1) throw new Error("Invalid encrypted data payload");
-	const iv = combined.slice(0, IV_LENGTH$1);
-	const encrypted = combined.slice(IV_LENGTH$1);
-	const decrypted = await crypto.subtle.decrypt({
-		name: "AES-GCM",
-		iv
-	}, masterKey, encrypted);
-	return new TextDecoder().decode(decrypted);
+//#region src/eb-auth.ts
+const CURRENT_SCHEME = "eb1";
+async function deriveVaultId(publicKeyB64) {
+	const spkiBytes = Buffer.from(publicKeyB64, "base64");
+	const hash = await crypto.subtle.digest("SHA-256", spkiBytes);
+	return Buffer.from(hash).toString("hex").slice(0, 32);
 }
-//#endregion
-//#region src/hash.ts
-async function hash(data) {
-	const dataBytes = new TextEncoder().encode(data);
-	const hashBuffer = await crypto.subtle.digest("SHA-256", dataBytes);
-	return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-async function hashObject(obj) {
-	const canonical = JSON.stringify(normalize(obj));
-	if (canonical === void 0) throw new TypeError("hashObject only supports JSON-serializable values");
-	return hash(canonical);
-}
-function normalize(value) {
-	if (Array.isArray(value)) return value.map((item) => normalize(item));
-	if (value && typeof value === "object") {
-		const prototype = Object.getPrototypeOf(value);
-		if (prototype === Object.prototype || prototype === null) {
-			const sortedKeys = Object.keys(value).sort();
-			const result = {};
-			for (const key of sortedKeys) result[key] = normalize(value[key]);
-			return result;
-		}
+async function generateAuthPayload(args) {
+	const { serializedBody,...rest } = args;
+	const nonce = crypto.randomUUID();
+	const timestamp = Date.now();
+	const payload = {
+		...rest,
+		scheme: CURRENT_SCHEME,
+		nonce,
+		timestamp
+	};
+	if (serializedBody) payload.bodyHash = await hashString(serializedBody);
+	return payload;
+}
+function makeCanonicalString(payload) {
+	const parts = [
+		payload.scheme,
+		payload.vaultId,
+		payload.method,
+		payload.pathWithQuery,
+		payload.nonce,
+		payload.timestamp
+	];
+	if (payload.bodyHash) parts.push(payload.bodyHash);
+	return parts.join("\n");
+}
+function makeAuthHeader(payload, signature) {
+	const params = [
+		`vid=${payload.vaultId}`,
+		`n=${payload.nonce}`,
+		`m=${payload.method}`,
+		`p=${payload.pathWithQuery}`,
+		`t=${payload.timestamp}`,
+		`sig=${signature}`
+	];
+	if (payload.bodyHash) params.push(`bh=${payload.bodyHash}`);
+	return `${payload.scheme} ${params.join(";")}`;
+}
+function parseAuthHeader(header) {
+	const spaceIdx = header.indexOf(" ");
+	if (spaceIdx === -1) throw new Error("Malformed auth header: missing scheme separator");
+	const scheme = header.slice(0, spaceIdx);
+	if (scheme !== CURRENT_SCHEME) throw new Error(`Unsupported auth scheme: ${scheme}`);
+	const paramStr = header.slice(spaceIdx + 1);
+	const params = /* @__PURE__ */ new Map();
+	for (const part of paramStr.split(";")) {
+		const eqIdx = part.indexOf("=");
+		if (eqIdx === -1) throw new Error(`Malformed auth header param: ${part}`);
+		params.set(part.slice(0, eqIdx), part.slice(eqIdx + 1));
 	}
-	return value;
+	const vid = params.get("vid");
+	const n = params.get("n");
+	const m = params.get("m");
+	const p = params.get("p");
+	const t = params.get("t");
+	const sig = params.get("sig");
+	if (!vid || !n || !m || !p || !t || !sig) throw new Error("Malformed auth header: missing required params");
+	const timestamp = Number(t);
+	if (Number.isNaN(timestamp)) throw new Error("Malformed auth header: timestamp is not a number");
+	const result = {
+		scheme,
+		vaultId: vid,
+		nonce: n,
+		method: m,
+		pathWithQuery: p,
+		timestamp,
+		signature: sig
+	};
+	const bh = params.get("bh");
+	if (bh) result.bodyHash = bh;
+	return result;
 }
 //#endregion
-//#region src/keys.ts
-const PBKDF2_ITERATIONS = 6e5;
-const PBKDF2_SALT_LENGTH = 16;
-const VAULT_KEY_LENGTH = 32;
-const IV_LENGTH = 12;
-function generateVaultKey() {
-	return [...randomBytes(VAULT_KEY_LENGTH)].map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-async function generateMasterKey() {
+//#region src/encryption-keys.ts
+async function generateEncryptionKey(extractable = false) {
 	return crypto.subtle.generateKey({
 		name: "AES-GCM",
 		length: 256
-	}, true, ["encrypt", "decrypt"]);
-}
-async function deriveEncryptionKey(vaultKey, salt) {
-	const normalizedKey = vaultKey.toLowerCase();
-	const encoder = new TextEncoder();
-	const keyMaterial = await crypto.subtle.importKey("raw", encoder.encode(normalizedKey), { name: "PBKDF2" }, false, ["deriveKey"]);
-	const saltBytes = salt ? new Uint8Array(salt) : randomBytes(PBKDF2_SALT_LENGTH);
-	return {
-		key: await crypto.subtle.deriveKey({
-			name: "PBKDF2",
-			salt: saltBytes,
-			iterations: PBKDF2_ITERATIONS,
-			hash: "SHA-256"
-		}, keyMaterial, {
-			name: "AES-GCM",
-			length: 256
-		}, true, ["encrypt", "decrypt"]),
-		salt: saltBytes
-	};
+	}, extractable, ["encrypt", "decrypt"]);
+}
+async function exportEncryptionKey(key) {
+	return bytesToBase64(new Uint8Array(await crypto.subtle.exportKey("raw", key)));
 }
-async function encryptMasterKey(masterKey, vaultKey) {
-	const masterKeyBytes = await crypto.subtle.exportKey("raw", masterKey);
-	const { key: encryptionKey, salt } = await deriveEncryptionKey(vaultKey);
-	const iv = randomBytes(IV_LENGTH);
-	const encrypted = await crypto.subtle.encrypt({
+async function importEncryptionKey(base64, extractable = false) {
+	const raw = base64ToBytes(base64);
+	return crypto.subtle.importKey("raw", raw, { name: "AES-GCM" }, extractable, ["encrypt", "decrypt"]);
+}
+async function encrypt(plaintext, key) {
+	const iv = crypto.getRandomValues(new Uint8Array(12));
+	const ciphertext = await crypto.subtle.encrypt({
 		name: "AES-GCM",
 		iv
-	}, encryptionKey, masterKeyBytes);
-	return toBase64(concatBytes(salt, iv, new Uint8Array(encrypted)));
-}
-async function decryptMasterKey(encryptedMasterKey, vaultKey) {
-	const combined = fromBase64(encryptedMasterKey);
-	if (combined.length <= PBKDF2_SALT_LENGTH + IV_LENGTH) throw new Error("Invalid encrypted master key payload");
-	const salt = combined.slice(0, PBKDF2_SALT_LENGTH);
-	const iv = combined.slice(PBKDF2_SALT_LENGTH, PBKDF2_SALT_LENGTH + IV_LENGTH);
-	const encrypted = combined.slice(PBKDF2_SALT_LENGTH + IV_LENGTH);
-	const { key: encryptionKey } = await deriveEncryptionKey(vaultKey, salt);
+	}, key, new TextEncoder().encode(plaintext));
+	const combined = new Uint8Array(iv.byteLength + ciphertext.byteLength);
+	combined.set(iv, 0);
+	combined.set(new Uint8Array(ciphertext), iv.byteLength);
+	return bytesToBase64(combined);
+}
+async function decrypt(encoded, key) {
+	const combined = base64ToBytes(encoded);
+	const iv = new Uint8Array(combined.subarray(0, 12));
+	const ciphertext = new Uint8Array(combined.subarray(12));
 	const decrypted = await crypto.subtle.decrypt({
 		name: "AES-GCM",
 		iv
-	}, encryptionKey, encrypted);
-	return crypto.subtle.importKey("raw", decrypted, { name: "AES-GCM" }, true, ["encrypt", "decrypt"]);
-}
-async function generateKeys() {
-	const vaultKey = generateVaultKey();
-	const masterKey = await generateMasterKey();
-	return {
-		vaultKey,
-		masterKey,
-		encryptedMasterKey: await encryptMasterKey(masterKey, vaultKey)
-	};
+	}, key, ciphertext);
+	return new TextDecoder().decode(decrypted);
+}
+//#endregion
+//#region src/signing-keys.ts
+async function generateSigningKeyPair(extractable = false) {
+	return crypto.subtle.generateKey("Ed25519", extractable, ["sign", "verify"]);
+}
+async function exportPublicKey(key) {
+	const spki = await crypto.subtle.exportKey("spki", key);
+	return Buffer.from(spki).toString("base64");
+}
+async function importPublicKey(spkiB64, extractable = false) {
+	const spkiDer = Buffer.from(spkiB64, "base64");
+	return await crypto.subtle.importKey("spki", spkiDer, "Ed25519", extractable, ["verify"]);
+}
+async function exportPrivateKey(key) {
+	const pkcs8 = await crypto.subtle.exportKey("pkcs8", key);
+	return Buffer.from(pkcs8).toString("base64");
+}
+async function importPrivateKey(pkcs8B64, extractable = false) {
+	return await crypto.subtle.importKey("pkcs8", Buffer.from(pkcs8B64, "base64"), "Ed25519", extractable, ["sign"]);
+}
+async function sign(message, privateKey) {
+	const data = new TextEncoder().encode(message);
+	const signature = await crypto.subtle.sign("Ed25519", privateKey, data);
+	return Buffer.from(signature).toString("base64");
+}
+async function verify(message, signatureB64, publicKey) {
+	const data = new TextEncoder().encode(message);
+	const signature = Buffer.from(signatureB64, "base64");
+	return crypto.subtle.verify("Ed25519", publicKey, signature, data);
 }
 //#endregion
-export { decryptData, decryptMasterKey, deriveEncryptionKey, encryptData, encryptMasterKey, generateKeys, generateMasterKey, generateVaultKey, hash, hashObject };
+export { base64ToBytes, bytesToBase64, decrypt, deriveVaultId, encrypt, exportEncryptionKey, exportPrivateKey, exportPublicKey, generateAuthPayload, generateEncryptionKey, generateSigningKeyPair, hashString, importEncryptionKey, importPrivateKey, importPublicKey, makeAuthHeader, makeCanonicalString, parseAuthHeader, sign, verify };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@byearlybird/crypto",
-	"version": "0.0.1",
+	"version": "0.1.0",
 	"description": "Lightweight E2EE toolkit for web apps - zero dependencies + vault key security",
 	"type": "module",
 	"license": "MIT",
@@ -19,8 +19,8 @@
 	"scripts": {
 		"build": "bun run build.ts",
 		"prepublishOnly": "bun run build.ts",
-		"patch": "bun pm patch",
-		"minor": "bun pm minor",
+		"patch": "bun pm version patch",
+		"minor": "bun pm version minor",
 		"publish": "bun pm publish"
 	},
 	"devDependencies": {