@byearlybird/crypto 0.0.2 → 0.1.0

package/dist/index.d.mts

@@ -1,25 +1,47 @@
-//#region src/encryption.d.ts
-declare function encryptData(data: string, masterKey: CryptoKey): Promise<string>;
-declare function decryptData(encryptedData: string, masterKey: CryptoKey): Promise<string>;
+import * as crypto0 from "crypto";
+
+//#region src/eb-auth.d.ts
+type AuthPayload = {
+  scheme: string;
+  nonce: string;
+  vaultId: string;
+  method: string;
+  pathWithQuery: string;
+  timestamp: number;
+  bodyHash?: string;
+};
+declare function deriveVaultId(publicKeyB64: string): Promise<string>;
+declare function generateAuthPayload(args: {
+  vaultId: string;
+  method: "GET" | "PUT" | "POST" | "PATCH" | "DELETE";
+  pathWithQuery: string;
+  serializedBody?: string;
+}): Promise<AuthPayload>;
+declare function makeCanonicalString(payload: AuthPayload): string;
+declare function makeAuthHeader(payload: AuthPayload, signature: string): string;
+declare function parseAuthHeader(header: string): AuthPayload & {
+  signature: string;
+};
 //#endregion
-//#region src/hash.d.ts
-declare function hash(data: string): Promise<string>;
-declare function hashObject(obj: unknown): Promise<string>;
+//#region src/encryption-keys.d.ts
+declare function generateEncryptionKey(extractable?: boolean): Promise<crypto0.webcrypto.CryptoKey>;
+declare function exportEncryptionKey(key: CryptoKey): Promise<string>;
+declare function importEncryptionKey(base64: string, extractable?: boolean): Promise<crypto0.webcrypto.CryptoKey>;
+declare function encrypt(plaintext: string, key: CryptoKey): Promise<string>;
+declare function decrypt(encoded: string, key: CryptoKey): Promise<string>;
 //#endregion
-//#region src/keys.d.ts
-type DerivedKeyResult = {
-  key: CryptoKey;
-  salt: Uint8Array;
-};
-declare function generateVaultKey(): string;
-declare function generateMasterKey(): Promise<CryptoKey>;
-declare function deriveEncryptionKey(vaultKey: string, salt?: Uint8Array): Promise<DerivedKeyResult>;
-declare function encryptMasterKey(masterKey: CryptoKey, vaultKey: string): Promise<string>;
-declare function decryptMasterKey(encryptedMasterKey: string, vaultKey: string): Promise<CryptoKey>;
-declare function generateKeys(): Promise<{
-  vaultKey: string;
-  masterKey: CryptoKey;
-  encryptedMasterKey: string;
-}>;
+//#region src/signing-keys.d.ts
+declare function generateSigningKeyPair(extractable?: boolean): Promise<CryptoKeyPair>;
+declare function exportPublicKey(key: CryptoKey): Promise<string>;
+declare function importPublicKey(spkiB64: string, extractable?: boolean): Promise<CryptoKey>;
+declare function exportPrivateKey(key: CryptoKey): Promise<string>;
+declare function importPrivateKey(pkcs8B64: string, extractable?: boolean): Promise<CryptoKey>;
+declare function sign(message: string, privateKey: CryptoKey): Promise<string>;
+declare function verify(message: string, signatureB64: string, publicKey: CryptoKey): Promise<boolean>;
+//#endregion
+//#region src/utils.d.ts
+declare function bytesToBase64(bytes: Uint8Array): string;
+declare function base64ToBytes(base64: string): Uint8Array;
+declare function hashString(value: string): Promise<string>;
 //#endregion
-export { decryptData, decryptMasterKey, deriveEncryptionKey, encryptData, encryptMasterKey, generateKeys, generateMasterKey, generateVaultKey, hash, hashObject };
+export { AuthPayload, base64ToBytes, bytesToBase64, decrypt, deriveVaultId, encrypt, exportEncryptionKey, exportPrivateKey, exportPublicKey, generateAuthPayload, generateEncryptionKey, generateSigningKeyPair, hashString, importEncryptionKey, importPrivateKey, importPublicKey, makeAuthHeader, makeCanonicalString, parseAuthHeader, sign, verify };

package/dist/index.mjs

@@ -1,138 +1,162 @@
-//#region src/crypto-utils.ts
-function randomBytes(length) {
-	const bytes = new Uint8Array(length);
-	crypto.getRandomValues(bytes);
-	return bytes;
-}
-function concatBytes(...chunks) {
-	const total = chunks.reduce((sum, chunk) => sum + chunk.length, 0);
-	const result = new Uint8Array(total);
-	let offset = 0;
-	for (const chunk of chunks) {
-		result.set(chunk, offset);
-		offset += chunk.length;
-	}
-	return result;
+//#region src/utils.ts
+function bytesToBase64(bytes) {
+	return Buffer.from(bytes).toString("base64");
 }
-function toBase64(bytes) {
-	return btoa(String.fromCharCode(...bytes));
+function base64ToBytes(base64) {
+	return new Uint8Array(Buffer.from(base64, "base64"));
 }
-function fromBase64(value) {
-	return Uint8Array.from(atob(value), (c) => c.charCodeAt(0));
+async function hashString(value) {
+	const hash = await crypto.subtle.digest("SHA-256", new TextEncoder().encode(value));
+	return Buffer.from(hash).toString("hex");
 }
 
 //#endregion
-//#region src/encryption.ts
-const IV_LENGTH$1 = 12;
-async function encryptData(data, masterKey) {
-	const iv = randomBytes(IV_LENGTH$1);
-	const encrypted = await crypto.subtle.encrypt({
-		name: "AES-GCM",
-		iv
-	}, masterKey, new TextEncoder().encode(data));
-	return toBase64(concatBytes(iv, new Uint8Array(encrypted)));
-}
-async function decryptData(encryptedData, masterKey) {
-	const combined = fromBase64(encryptedData);
-	if (combined.length <= IV_LENGTH$1) throw new Error("Invalid encrypted data payload");
-	const iv = combined.slice(0, IV_LENGTH$1);
-	const encrypted = combined.slice(IV_LENGTH$1);
-	const decrypted = await crypto.subtle.decrypt({
-		name: "AES-GCM",
-		iv
-	}, masterKey, encrypted);
-	return new TextDecoder().decode(decrypted);
+//#region src/eb-auth.ts
+const CURRENT_SCHEME = "eb1";
+async function deriveVaultId(publicKeyB64) {
+	const spkiBytes = Buffer.from(publicKeyB64, "base64");
+	const hash = await crypto.subtle.digest("SHA-256", spkiBytes);
+	return Buffer.from(hash).toString("hex").slice(0, 32);
 }
-
-//#endregion
-//#region src/hash.ts
-async function hash(data) {
-	const dataBytes = new TextEncoder().encode(data);
-	const hashBuffer = await crypto.subtle.digest("SHA-256", dataBytes);
-	return Array.from(new Uint8Array(hashBuffer)).map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-async function hashObject(obj) {
-	const canonical = JSON.stringify(normalize(obj));
-	if (canonical === void 0) throw new TypeError("hashObject only supports JSON-serializable values");
-	return hash(canonical);
-}
-function normalize(value) {
-	if (Array.isArray(value)) return value.map((item) => normalize(item));
-	if (value && typeof value === "object") {
-		const prototype = Object.getPrototypeOf(value);
-		if (prototype === Object.prototype || prototype === null) {
-			const sortedKeys = Object.keys(value).sort();
-			const result = {};
-			for (const key of sortedKeys) result[key] = normalize(value[key]);
-			return result;
-		}
+async function generateAuthPayload(args) {
+	const { serializedBody,...rest } = args;
+	const nonce = crypto.randomUUID();
+	const timestamp = Date.now();
+	const payload = {
+		...rest,
+		scheme: CURRENT_SCHEME,
+		nonce,
+		timestamp
+	};
+	if (serializedBody) payload.bodyHash = await hashString(serializedBody);
+	return payload;
+}
+function makeCanonicalString(payload) {
+	const parts = [
+		payload.scheme,
+		payload.vaultId,
+		payload.method,
+		payload.pathWithQuery,
+		payload.nonce,
+		payload.timestamp
+	];
+	if (payload.bodyHash) parts.push(payload.bodyHash);
+	return parts.join("\n");
+}
+function makeAuthHeader(payload, signature) {
+	const params = [
+		`vid=${payload.vaultId}`,
+		`n=${payload.nonce}`,
+		`m=${payload.method}`,
+		`p=${payload.pathWithQuery}`,
+		`t=${payload.timestamp}`,
+		`sig=${signature}`
+	];
+	if (payload.bodyHash) params.push(`bh=${payload.bodyHash}`);
+	return `${payload.scheme} ${params.join(";")}`;
+}
+function parseAuthHeader(header) {
+	const spaceIdx = header.indexOf(" ");
+	if (spaceIdx === -1) throw new Error("Malformed auth header: missing scheme separator");
+	const scheme = header.slice(0, spaceIdx);
+	if (scheme !== CURRENT_SCHEME) throw new Error(`Unsupported auth scheme: ${scheme}`);
+	const paramStr = header.slice(spaceIdx + 1);
+	const params = /* @__PURE__ */ new Map();
+	for (const part of paramStr.split(";")) {
+		const eqIdx = part.indexOf("=");
+		if (eqIdx === -1) throw new Error(`Malformed auth header param: ${part}`);
+		params.set(part.slice(0, eqIdx), part.slice(eqIdx + 1));
 	}
-	return value;
+	const vid = params.get("vid");
+	const n = params.get("n");
+	const m = params.get("m");
+	const p = params.get("p");
+	const t = params.get("t");
+	const sig = params.get("sig");
+	if (!vid || !n || !m || !p || !t || !sig) throw new Error("Malformed auth header: missing required params");
+	const timestamp = Number(t);
+	if (Number.isNaN(timestamp)) throw new Error("Malformed auth header: timestamp is not a number");
+	const result = {
+		scheme,
+		vaultId: vid,
+		nonce: n,
+		method: m,
+		pathWithQuery: p,
+		timestamp,
+		signature: sig
+	};
+	const bh = params.get("bh");
+	if (bh) result.bodyHash = bh;
+	return result;
 }
 
 //#endregion
-//#region src/keys.ts
-const PBKDF2_ITERATIONS = 6e5;
-const PBKDF2_SALT_LENGTH = 16;
-const VAULT_KEY_LENGTH = 32;
-const IV_LENGTH = 12;
-function generateVaultKey() {
-	return [...randomBytes(VAULT_KEY_LENGTH)].map((b) => b.toString(16).padStart(2, "0")).join("");
-}
-async function generateMasterKey() {
+//#region src/encryption-keys.ts
+async function generateEncryptionKey(extractable = false) {
 	return crypto.subtle.generateKey({
 		name: "AES-GCM",
 		length: 256
-	}, true, ["encrypt", "decrypt"]);
-}
-async function deriveEncryptionKey(vaultKey, salt) {
-	const normalizedKey = vaultKey.toLowerCase();
-	const encoder = new TextEncoder();
-	const keyMaterial = await crypto.subtle.importKey("raw", encoder.encode(normalizedKey), { name: "PBKDF2" }, false, ["deriveKey"]);
-	const saltBytes = salt ? new Uint8Array(salt) : randomBytes(PBKDF2_SALT_LENGTH);
-	return {
-		key: await crypto.subtle.deriveKey({
-			name: "PBKDF2",
-			salt: saltBytes,
-			iterations: PBKDF2_ITERATIONS,
-			hash: "SHA-256"
-		}, keyMaterial, {
-			name: "AES-GCM",
-			length: 256
-		}, false, ["wrapKey", "unwrapKey"]),
-		salt: saltBytes
-	};
+	}, extractable, ["encrypt", "decrypt"]);
+}
+async function exportEncryptionKey(key) {
+	return bytesToBase64(new Uint8Array(await crypto.subtle.exportKey("raw", key)));
 }
-async function encryptMasterKey(masterKey, vaultKey) {
-	const { key: wrappingKey, salt } = await deriveEncryptionKey(vaultKey);
-	const iv = randomBytes(IV_LENGTH);
-	const wrapped = await crypto.subtle.wrapKey("raw", masterKey, wrappingKey, {
+async function importEncryptionKey(base64, extractable = false) {
+	const raw = base64ToBytes(base64);
+	return crypto.subtle.importKey("raw", raw, { name: "AES-GCM" }, extractable, ["encrypt", "decrypt"]);
+}
+async function encrypt(plaintext, key) {
+	const iv = crypto.getRandomValues(new Uint8Array(12));
+	const ciphertext = await crypto.subtle.encrypt({
 		name: "AES-GCM",
 		iv
-	});
-	return toBase64(concatBytes(salt, iv, new Uint8Array(wrapped)));
-}
-async function decryptMasterKey(encryptedMasterKey, vaultKey) {
-	const combined = fromBase64(encryptedMasterKey);
-	if (combined.length <= PBKDF2_SALT_LENGTH + IV_LENGTH) throw new Error("Invalid encrypted master key payload");
-	const salt = combined.slice(0, PBKDF2_SALT_LENGTH);
-	const iv = combined.slice(PBKDF2_SALT_LENGTH, PBKDF2_SALT_LENGTH + IV_LENGTH);
-	const wrapped = combined.slice(PBKDF2_SALT_LENGTH + IV_LENGTH);
-	const { key: unwrappingKey } = await deriveEncryptionKey(vaultKey, salt);
-	return crypto.subtle.unwrapKey("raw", wrapped, unwrappingKey, {
+	}, key, new TextEncoder().encode(plaintext));
+	const combined = new Uint8Array(iv.byteLength + ciphertext.byteLength);
+	combined.set(iv, 0);
+	combined.set(new Uint8Array(ciphertext), iv.byteLength);
+	return bytesToBase64(combined);
+}
+async function decrypt(encoded, key) {
+	const combined = base64ToBytes(encoded);
+	const iv = new Uint8Array(combined.subarray(0, 12));
+	const ciphertext = new Uint8Array(combined.subarray(12));
+	const decrypted = await crypto.subtle.decrypt({
 		name: "AES-GCM",
 		iv
-	}, { name: "AES-GCM" }, false, ["encrypt", "decrypt"]);
-}
-async function generateKeys() {
-	const vaultKey = generateVaultKey();
-	const encryptedMasterKey = await encryptMasterKey(await generateMasterKey(), vaultKey);
-	return {
-		vaultKey,
-		masterKey: await decryptMasterKey(encryptedMasterKey, vaultKey),
-		encryptedMasterKey
-	};
+	}, key, ciphertext);
+	return new TextDecoder().decode(decrypted);
+}
+
+//#endregion
+//#region src/signing-keys.ts
+async function generateSigningKeyPair(extractable = false) {
+	return crypto.subtle.generateKey("Ed25519", extractable, ["sign", "verify"]);
+}
+async function exportPublicKey(key) {
+	const spki = await crypto.subtle.exportKey("spki", key);
+	return Buffer.from(spki).toString("base64");
+}
+async function importPublicKey(spkiB64, extractable = false) {
+	const spkiDer = Buffer.from(spkiB64, "base64");
+	return await crypto.subtle.importKey("spki", spkiDer, "Ed25519", extractable, ["verify"]);
+}
+async function exportPrivateKey(key) {
+	const pkcs8 = await crypto.subtle.exportKey("pkcs8", key);
+	return Buffer.from(pkcs8).toString("base64");
+}
+async function importPrivateKey(pkcs8B64, extractable = false) {
+	return await crypto.subtle.importKey("pkcs8", Buffer.from(pkcs8B64, "base64"), "Ed25519", extractable, ["sign"]);
+}
+async function sign(message, privateKey) {
+	const data = new TextEncoder().encode(message);
+	const signature = await crypto.subtle.sign("Ed25519", privateKey, data);
+	return Buffer.from(signature).toString("base64");
+}
+async function verify(message, signatureB64, publicKey) {
+	const data = new TextEncoder().encode(message);
+	const signature = Buffer.from(signatureB64, "base64");
+	return crypto.subtle.verify("Ed25519", publicKey, signature, data);
 }
 
 //#endregion
-export { decryptData, decryptMasterKey, deriveEncryptionKey, encryptData, encryptMasterKey, generateKeys, generateMasterKey, generateVaultKey, hash, hashObject };
+export { base64ToBytes, bytesToBase64, decrypt, deriveVaultId, encrypt, exportEncryptionKey, exportPrivateKey, exportPublicKey, generateAuthPayload, generateEncryptionKey, generateSigningKeyPair, hashString, importEncryptionKey, importPrivateKey, importPublicKey, makeAuthHeader, makeCanonicalString, parseAuthHeader, sign, verify };

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@byearlybird/crypto",
-	"version": "0.0.2",
+	"version": "0.1.0",
 	"description": "Lightweight E2EE toolkit for web apps - zero dependencies + vault key security",
 	"type": "module",
 	"license": "MIT",
@@ -19,8 +19,8 @@
 	"scripts": {
 		"build": "bun run build.ts",
 		"prepublishOnly": "bun run build.ts",
-		"patch": "bun pm patch",
-		"minor": "bun pm minor",
+		"patch": "bun pm version patch",
+		"minor": "bun pm version minor",
 		"publish": "bun pm publish"
 	},
 	"devDependencies": {