npm - @capsara/sdk - Versions diffs - 1.0.1 - Mend

@capsara/sdk 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (139) hide show

package/LICENSE +74 -0
package/README.md +230 -0
package/dist/builder/capsa-builder.d.ts +167 -0
package/dist/builder/capsa-builder.d.ts.map +1 -0
package/dist/builder/capsa-builder.js +489 -0
package/dist/builder/capsa-builder.js.map +1 -0
package/dist/client/capsara-client.d.ts +96 -0
package/dist/client/capsara-client.d.ts.map +1 -0
package/dist/client/capsara-client.js +266 -0
package/dist/client/capsara-client.js.map +1 -0
package/dist/errors/account-error.d.ts +73 -0
package/dist/errors/account-error.d.ts.map +1 -0
package/dist/errors/account-error.js +155 -0
package/dist/errors/account-error.js.map +1 -0
package/dist/errors/audit-error.d.ts +34 -0
package/dist/errors/audit-error.d.ts.map +1 -0
package/dist/errors/audit-error.js +93 -0
package/dist/errors/audit-error.js.map +1 -0
package/dist/errors/auth-error.d.ts +38 -0
package/dist/errors/auth-error.d.ts.map +1 -0
package/dist/errors/auth-error.js +87 -0
package/dist/errors/auth-error.js.map +1 -0
package/dist/errors/capsa-error.d.ts +64 -0
package/dist/errors/capsa-error.d.ts.map +1 -0
package/dist/errors/capsa-error.js +172 -0
package/dist/errors/capsa-error.js.map +1 -0
package/dist/errors/capsara-error.d.ts +52 -0
package/dist/errors/capsara-error.d.ts.map +1 -0
package/dist/errors/capsara-error.js +83 -0
package/dist/errors/capsara-error.js.map +1 -0
package/dist/errors/index.d.ts +8 -0
package/dist/errors/index.d.ts.map +1 -0
package/dist/errors/index.js +7 -0
package/dist/errors/index.js.map +1 -0
package/dist/index.d.ts +7 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +5 -0
package/dist/index.js.map +1 -0
package/dist/internal/capsa-cache.d.ts +49 -0
package/dist/internal/capsa-cache.d.ts.map +1 -0
package/dist/internal/capsa-cache.js +118 -0
package/dist/internal/capsa-cache.js.map +1 -0
package/dist/internal/config/http-client.d.ts +37 -0
package/dist/internal/config/http-client.d.ts.map +1 -0
package/dist/internal/config/http-client.js +63 -0
package/dist/internal/config/http-client.js.map +1 -0
package/dist/internal/config/retry-interceptor.d.ts +18 -0
package/dist/internal/config/retry-interceptor.d.ts.map +1 -0
package/dist/internal/config/retry-interceptor.js +103 -0
package/dist/internal/config/retry-interceptor.js.map +1 -0
package/dist/internal/crypto/compression.d.ts +15 -0
package/dist/internal/crypto/compression.d.ts.map +1 -0
package/dist/internal/crypto/compression.js +34 -0
package/dist/internal/crypto/compression.js.map +1 -0
package/dist/internal/crypto/key-generator.d.ts +23 -0
package/dist/internal/crypto/key-generator.d.ts.map +1 -0
package/dist/internal/crypto/key-generator.js +65 -0
package/dist/internal/crypto/key-generator.js.map +1 -0
package/dist/internal/crypto/primitives.d.ts +67 -0
package/dist/internal/crypto/primitives.d.ts.map +1 -0
package/dist/internal/crypto/primitives.js +230 -0
package/dist/internal/crypto/primitives.js.map +1 -0
package/dist/internal/crypto/signatures.d.ts +30 -0
package/dist/internal/crypto/signatures.d.ts.map +1 -0
package/dist/internal/crypto/signatures.js +153 -0
package/dist/internal/crypto/signatures.js.map +1 -0
package/dist/internal/decryptor/capsa-decryptor.d.ts +89 -0
package/dist/internal/decryptor/capsa-decryptor.d.ts.map +1 -0
package/dist/internal/decryptor/capsa-decryptor.js +263 -0
package/dist/internal/decryptor/capsa-decryptor.js.map +1 -0
package/dist/internal/http-factory.d.ts +78 -0
package/dist/internal/http-factory.d.ts.map +1 -0
package/dist/internal/http-factory.js +201 -0
package/dist/internal/http-factory.js.map +1 -0
package/dist/internal/index.d.ts +5 -0
package/dist/internal/index.d.ts.map +1 -0
package/dist/internal/index.js +5 -0
package/dist/internal/index.js.map +1 -0
package/dist/internal/retry-executor.d.ts +74 -0
package/dist/internal/retry-executor.d.ts.map +1 -0
package/dist/internal/retry-executor.js +204 -0
package/dist/internal/retry-executor.js.map +1 -0
package/dist/internal/services/account-service.d.ts +56 -0
package/dist/internal/services/account-service.d.ts.map +1 -0
package/dist/internal/services/account-service.js +114 -0
package/dist/internal/services/account-service.js.map +1 -0
package/dist/internal/services/audit-service.d.ts +25 -0
package/dist/internal/services/audit-service.d.ts.map +1 -0
package/dist/internal/services/audit-service.js +43 -0
package/dist/internal/services/audit-service.js.map +1 -0
package/dist/internal/services/auth-service.d.ts +44 -0
package/dist/internal/services/auth-service.d.ts.map +1 -0
package/dist/internal/services/auth-service.js +170 -0
package/dist/internal/services/auth-service.js.map +1 -0
package/dist/internal/services/capsa-service.d.ts +40 -0
package/dist/internal/services/capsa-service.d.ts.map +1 -0
package/dist/internal/services/capsa-service.js +82 -0
package/dist/internal/services/capsa-service.js.map +1 -0
package/dist/internal/services/download-service.d.ts +62 -0
package/dist/internal/services/download-service.d.ts.map +1 -0
package/dist/internal/services/download-service.js +114 -0
package/dist/internal/services/download-service.js.map +1 -0
package/dist/internal/services/key-service.d.ts +28 -0
package/dist/internal/services/key-service.d.ts.map +1 -0
package/dist/internal/services/key-service.js +45 -0
package/dist/internal/services/key-service.js.map +1 -0
package/dist/internal/services/limits-service.d.ts +30 -0
package/dist/internal/services/limits-service.d.ts.map +1 -0
package/dist/internal/services/limits-service.js +73 -0
package/dist/internal/services/limits-service.js.map +1 -0
package/dist/internal/services/upload-service.d.ts +61 -0
package/dist/internal/services/upload-service.d.ts.map +1 -0
package/dist/internal/services/upload-service.js +258 -0
package/dist/internal/services/upload-service.js.map +1 -0
package/dist/internal/types.d.ts +74 -0
package/dist/internal/types.d.ts.map +1 -0
package/dist/internal/types.js +3 -0
package/dist/internal/types.js.map +1 -0
package/dist/internal/upload/multipart-builder.d.ts +57 -0
package/dist/internal/upload/multipart-builder.d.ts.map +1 -0
package/dist/internal/upload/multipart-builder.js +139 -0
package/dist/internal/upload/multipart-builder.js.map +1 -0
package/dist/internal/utils/id-generator.d.ts +8 -0
package/dist/internal/utils/id-generator.d.ts.map +1 -0
package/dist/internal/utils/id-generator.js +20 -0
package/dist/internal/utils/id-generator.js.map +1 -0
package/dist/internal/utils/mimetype-lookup.d.ts +8 -0
package/dist/internal/utils/mimetype-lookup.d.ts.map +1 -0
package/dist/internal/utils/mimetype-lookup.js +118 -0
package/dist/internal/utils/mimetype-lookup.js.map +1 -0
package/dist/internal/version.d.ts +20 -0
package/dist/internal/version.d.ts.map +1 -0
package/dist/internal/version.js +25 -0
package/dist/internal/version.js.map +1 -0
package/dist/types/index.d.ts +143 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/index.js +20 -0
package/dist/types/index.js.map +1 -0
package/package.json +61 -0

package/dist/internal/crypto/primitives.js ADDED Viewed

@@ -0,0 +1,230 @@
+/** AES-256-GCM, RSA-4096-OAEP-SHA256, and SHA-256 cryptographic primitives. */
+import * as crypto from 'crypto';
+/**
+ * @throws Error if key size is below minBits or cannot be determined
+ */
+function validateRSAKeySize(keyObject, minBits = 4096) {
+    const keyDetails = keyObject.asymmetricKeyDetails;
+    if (!keyDetails) {
+        throw new Error('Unable to extract key details');
+    }
+    const modulusLength = keyDetails.modulusLength;
+    if (!modulusLength || modulusLength < minBits) {
+        throw new Error(`RSA key size too small: expected at least ${minBits} bits, got ${modulusLength || 'unknown'} bits`);
+    }
+}
+/** Generate a 256-bit AES master key. */
+export function generateMasterKey() {
+    return crypto.randomBytes(32); // 256 bits
+}
+/**
+ * Generate a 96-bit initialization vector for AES-GCM.
+ * Used for optional fields (subject, body, metadata) that need separate IVs.
+ * encryptAES() generates its own IV automatically for file content.
+ */
+export function generateIV() {
+    const iv = crypto.randomBytes(12); // 96 bits for GCM
+    return iv.toString('base64url');
+}
+/**
+ * Encrypt data using AES-256-GCM.
+ * @param key - 256-bit AES key (32 bytes)
+ * @returns Encrypted data with IV and authentication tag, all base64url-encoded
+ * @throws Error if key is not 32 bytes
+ */
+export function encryptAES(data, key) {
+    if (key.length !== 32) {
+        throw new Error(`Invalid key length: expected 32 bytes (AES-256), got ${key.length} bytes`);
+    }
+    const iv = crypto.randomBytes(12); // 96 bits for GCM
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return {
+        encryptedData: encrypted.toString('base64url'),
+        iv: iv.toString('base64url'),
+        authTag: authTag.toString('base64url'),
+    };
+}
+/**
+ * Decrypt data using AES-256-GCM.
+ * @param encryptedData - Base64url-encoded ciphertext
+ * @param key - 256-bit AES key (32 bytes)
+ * @param iv - Base64url-encoded 12-byte IV
+ * @param authTag - Base64url-encoded 16-byte authentication tag
+ * @throws Error if key length is invalid, authentication fails, or decryption fails
+ */
+export function decryptAES(encryptedData, key, iv, authTag) {
+    if (key.length !== 32) {
+        throw new Error(`Invalid key length: expected 32 bytes (AES-256), got ${key.length} bytes`);
+    }
+    let ivBuffer;
+    try {
+        ivBuffer = Buffer.from(iv, 'base64url');
+        if (ivBuffer.length !== 12) {
+            throw new Error('Invalid IV length');
+        }
+    }
+    catch {
+        throw new Error('Invalid IV: must be 12-byte base64url-encoded value');
+    }
+    let authTagBuffer;
+    try {
+        authTagBuffer = Buffer.from(authTag, 'base64url');
+        if (authTagBuffer.length !== 16) {
+            throw new Error('Invalid auth tag length');
+        }
+    }
+    catch {
+        throw new Error('Invalid auth tag: must be 16-byte base64url-encoded value');
+    }
+    let encryptedBuffer;
+    try {
+        encryptedBuffer = Buffer.from(encryptedData, 'base64url');
+    }
+    catch {
+        throw new Error('Invalid encrypted data: must be base64url-encoded');
+    }
+    try {
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, ivBuffer);
+        decipher.setAuthTag(authTagBuffer);
+        return Buffer.concat([
+            decipher.update(encryptedBuffer),
+            decipher.final(),
+        ]);
+    }
+    catch {
+        // Generic error message to avoid leaking information
+        throw new Error('AES-GCM decryption failed: authentication failed or corrupted ciphertext');
+    }
+}
+/**
+ * Encrypt master key for a party using their RSA-4096 public key.
+ * @param masterKey - 32-byte AES master key
+ * @param publicKeyPEM - Party's RSA public key in PEM format
+ * @returns Base64url-encoded encrypted master key
+ * @throws Error if masterKey is not 32 bytes or publicKeyPEM is invalid
+ */
+export function encryptMasterKeyForParty(masterKey, publicKeyPEM) {
+    if (masterKey.length !== 32) {
+        throw new Error(`Invalid master key length: expected 32 bytes, got ${masterKey.length} bytes`);
+    }
+    if (!publicKeyPEM || typeof publicKeyPEM !== 'string') {
+        throw new Error('publicKeyPEM must be a non-empty string');
+    }
+    if (!publicKeyPEM.includes('BEGIN PUBLIC KEY') && !publicKeyPEM.includes('BEGIN RSA PUBLIC KEY')) {
+        throw new Error('publicKeyPEM must be in PEM format');
+    }
+    let publicKeyObject;
+    try {
+        publicKeyObject = crypto.createPublicKey({
+            key: publicKeyPEM,
+            format: 'pem',
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : 'Unknown error';
+        throw new Error(`Invalid public key PEM: ${message}`);
+    }
+    validateRSAKeySize(publicKeyObject, 4096);
+    const encrypted = crypto.publicEncrypt({
+        key: publicKeyObject,
+        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+        oaepHash: 'sha256',
+    }, masterKey);
+    return encrypted.toString('base64url');
+}
+/**
+ * Decrypt master key using party's RSA-4096 private key.
+ * @param encryptedKey - Base64url-encoded encrypted master key
+ * @param privateKeyPEM - Party's RSA private key in PEM format
+ * @returns Decrypted master key (32 bytes)
+ * @throws Error if privateKeyPEM is invalid or decryption fails
+ */
+export function decryptMasterKey(encryptedKey, privateKeyPEM) {
+    if (!privateKeyPEM || typeof privateKeyPEM !== 'string') {
+        throw new Error('privateKeyPEM must be a non-empty string');
+    }
+    if (!privateKeyPEM.includes('BEGIN PRIVATE KEY') && !privateKeyPEM.includes('BEGIN RSA PRIVATE KEY')) {
+        throw new Error('privateKeyPEM must be in PEM format');
+    }
+    let privateKeyObject;
+    try {
+        privateKeyObject = crypto.createPrivateKey({
+            key: privateKeyPEM,
+            format: 'pem',
+        });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : 'Unknown error';
+        throw new Error(`Invalid private key PEM: ${message}`);
+    }
+    validateRSAKeySize(privateKeyObject, 4096);
+    try {
+        const encryptedBuffer = Buffer.from(encryptedKey, 'base64url');
+        return crypto.privateDecrypt({
+            key: privateKeyObject,
+            padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
+            oaepHash: 'sha256',
+        }, encryptedBuffer);
+    }
+    catch {
+        // Generic error to prevent padding oracle attacks via OpenSSL error detail leakage
+        throw new Error('RSA-OAEP decryption failed');
+    }
+}
+/**
+ * Encrypt data using AES-256-GCM, returning raw Buffers instead of base64url.
+ * Avoids base64 round-trip overhead for large file content.
+ * @param key - 256-bit AES key (32 bytes)
+ * @throws Error if key is not 32 bytes
+ */
+export function encryptAESRaw(data, key) {
+    if (key.length !== 32) {
+        throw new Error(`Invalid key length: expected 32 bytes (AES-256), got ${key.length} bytes`);
+    }
+    const iv = crypto.randomBytes(12); // 96 bits for GCM
+    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
+    const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return { encryptedData: encrypted, iv, authTag };
+}
+/**
+ * Decrypt data using AES-256-GCM with raw Buffer inputs.
+ * Avoids base64 round-trip overhead for large file content.
+ * @param key - 256-bit AES key (32 bytes)
+ * @param iv - 12-byte initialization vector
+ * @param authTag - 16-byte authentication tag
+ * @throws Error if authentication fails or decryption fails
+ */
+export function decryptAESRaw(encryptedData, key, iv, authTag) {
+    if (key.length !== 32) {
+        throw new Error(`Invalid key length: expected 32 bytes (AES-256), got ${key.length} bytes`);
+    }
+    if (iv.length !== 12) {
+        throw new Error('Invalid IV: must be 12 bytes');
+    }
+    if (authTag.length !== 16) {
+        throw new Error('Invalid auth tag: must be 16 bytes');
+    }
+    try {
+        const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
+        decipher.setAuthTag(authTag);
+        return Buffer.concat([
+            decipher.update(encryptedData),
+            decipher.final(),
+        ]);
+    }
+    catch {
+        throw new Error('AES-GCM decryption failed: authentication failed or corrupted ciphertext');
+    }
+}
+/** Compute SHA-256 hash, returned as lowercase hex. */
+export function computeHash(data) {
+    return crypto.createHash('sha256').update(data).digest('hex').toLowerCase();
+}
+/** Generate a cryptographically secure random ID, returned as base64url. */
+export function generateSecureId(length = 16) {
+    return crypto.randomBytes(length).toString('base64url');
+}
+//# sourceMappingURL=primitives.js.map

package/dist/internal/crypto/primitives.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"primitives.js","sourceRoot":"","sources":["../../../src/internal/crypto/primitives.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAE/E,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAGjC;;GAEG;AACH,SAAS,kBAAkB,CAAC,SAA2B,EAAE,UAAkB,IAAI;IAC7E,MAAM,UAAU,GAAG,SAAS,CAAC,oBAAoB,CAAC;IAClD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,aAAa,GAAG,UAAU,CAAC,aAAa,CAAC;IAC/C,IAAI,CAAC,aAAa,IAAI,aAAa,GAAG,OAAO,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,6CAA6C,OAAO,cAAc,aAAa,IAAI,SAAS,OAAO,CACpG,CAAC;IACJ,CAAC;AACH,CAAC;AAED,yCAAyC;AACzC,MAAM,UAAU,iBAAiB;IAC/B,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW;AAC5C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,UAAU;IACxB,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,kBAAkB;IACrD,OAAO,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAClC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY,EAAE,GAAW;IAClD,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wDAAwD,GAAG,CAAC,MAAM,QAAQ,CAAC,CAAC;IAC9F,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,kBAAkB;IACrD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAE7D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACvE,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,OAAO;QACL,aAAa,EAAE,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC9C,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;QAC5B,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;KACvC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,UAAU,CACxB,aAAqB,EACrB,GAAW,EACX,EAAU,EACV,OAAe;IAEf,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wDAAwD,GAAG,CAAC,MAAM,QAAQ,CAAC,CAAC;IAC9F,CAAC;IAED,IAAI,QAAgB,CAAC;IACrB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;QACxC,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IAED,IAAI,aAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,aAAa,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;QAClD,IAAI,aAAa,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;IAC/E,CAAC;IAED,IAAI,eAAuB,CAAC;IAC5B,IAAI,CAAC;QACH,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,QAAQ,CAAC,CAAC;QACvE,QAAQ,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAEnC,OAAO,MAAM,CAAC,MAAM,CAAC;YACnB,QAAQ,CAAC,MAAM,CAAC,eAAe,CAAC;YAChC,QAAQ,CAAC,KAAK,EAAE;SACjB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,qDAAqD;QACrD,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;IAC9F,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CACtC,SAAiB,EACjB,YAAoB;IAEpB,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qDAAqD,SAAS,CAAC,MAAM,QAAQ,CAAC,CAAC;IACjG,CAAC;IAED,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,kBAAkB,CAAC,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;QACjG,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,eAAiC,CAAC;IACtC,IAAI,CAAC;QACH,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;YACvC,GAAG,EAAE,YAAY;YACjB,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QACzE,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,kBAAkB,CAAC,eAAe,EAAE,IAAI,CAAC,CAAC;IAE1C,MAAM,SAAS,GAAG,MAAM,CAAC,aAAa,CACpC;QACE,GAAG,EAAE,eAAe;QACpB,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,sBAAsB;QAChD,QAAQ,EAAE,QAAQ;KACnB,EACD,SAAS,CACV,CAAC;IAEF,OAAO,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACzC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAC9B,YAAoB,EACpB,aAAqB;IAErB,IAAI,CAAC,aAAa,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IACD,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;QACrG,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,IAAI,gBAAkC,CAAC;IACvC,IAAI,CAAC;QACH,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,CAAC;YACzC,GAAG,EAAE,aAAa;YAClB,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QACzE,MAAM,IAAI,KAAK,CAAC,4BAA4B,OAAO,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,kBAAkB,CAAC,gBAAgB,EAAE,IAAI,CAAC,CAAC;IAE3C,IAAI,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,WAAW,CAAC,CAAC;QAE/D,OAAO,MAAM,CAAC,cAAc,CAC1B;YACE,GAAG,EAAE,gBAAgB;YACrB,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,sBAAsB;YAChD,QAAQ,EAAE,QAAQ;SACnB,EACD,eAAe,CAChB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,mFAAmF;QACnF,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY,EAAE,GAAW;IACrD,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wDAAwD,GAAG,CAAC,MAAM,QAAQ,CAAC,CAAC;IAC9F,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,CAAC,kBAAkB;IACrD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAE7D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACvE,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEpC,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC;AACnD,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,aAAa,CAC3B,aAAqB,EACrB,GAAW,EACX,EAAU,EACV,OAAe;IAEf,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wDAAwD,GAAG,CAAC,MAAM,QAAQ,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,EAAE,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QACjE,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAE7B,OAAO,MAAM,CAAC,MAAM,CAAC;YACnB,QAAQ,CAAC,MAAM,CAAC,aAAa,CAAC;YAC9B,QAAQ,CAAC,KAAK,EAAE;SACjB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,0EAA0E,CAAC,CAAC;IAC9F,CAAC;AACH,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;AAC9E,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,gBAAgB,CAAC,SAAiB,EAAE;IAClD,OAAO,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC1D,CAAC"}

package/dist/internal/crypto/signatures.d.ts ADDED Viewed

@@ -0,0 +1,30 @@
+/** JWS RS256 (RSA-SHA256) signature creation and verification for capsas. */
+import type { CapsaSignature, EncryptedFile } from '../../types/index.js';
+/**
+ * Build canonical string for capsa signature.
+ * Format: packageId|version|totalSize|algorithm|hashes|(file)iv[s]|filenameIV[s]|structuredIV|subjectIV|bodyIV
+ * createdAt excluded because the server sets it when the capsa is stored.
+ * @throws Error if validation fails
+ */
+export declare function buildCanonicalString(params: {
+    packageId: string;
+    version?: string;
+    totalSize: number;
+    algorithm: string;
+    files: EncryptedFile[];
+    structuredIV?: string;
+    subjectIV?: string;
+    bodyIV?: string;
+}): string;
+/**
+ * Create JWS capsa signature using RSA-SHA256.
+ * @throws Error if key is invalid or signing fails
+ */
+export declare function createCapsaSignature(canonicalString: string, privateKeyPEM: string): CapsaSignature;
+/**
+ * Verify capsa signature.
+ * @returns True if signature is valid, false if it doesn't match
+ * @throws Error if inputs are invalid or key errors occur
+ */
+export declare function verifyCapsaSignature(signature: CapsaSignature, canonicalString: string, publicKeyPEM: string): boolean;
+//# sourceMappingURL=signatures.d.ts.map

package/dist/internal/crypto/signatures.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"signatures.d.ts","sourceRoot":"","sources":["../../../src/internal/crypto/signatures.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAG7E,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAc1E;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,aAAa,EAAE,CAAC;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,GAAG,MAAM,CAgDT;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAClC,eAAe,EAAE,MAAM,EACvB,aAAa,EAAE,MAAM,GACpB,cAAc,CA8ChB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,cAAc,EACzB,eAAe,EAAE,MAAM,EACvB,YAAY,EAAE,MAAM,GACnB,OAAO,CA2DT"}

package/dist/internal/crypto/signatures.js ADDED Viewed

@@ -0,0 +1,153 @@
+/** JWS RS256 (RSA-SHA256) signature creation and verification for capsas. */
+import * as crypto from 'crypto';
+function validateEncryptedFile(file, index) {
+    if (!file.hash || typeof file.hash !== 'string') {
+        throw new Error(`File at index ${index} missing required field: hash`);
+    }
+    if (!file.iv || typeof file.iv !== 'string') {
+        throw new Error(`File at index ${index} missing required field: iv`);
+    }
+    if (!file.filenameIV || typeof file.filenameIV !== 'string') {
+        throw new Error(`File at index ${index} missing required field: filenameIV`);
+    }
+}
+/**
+ * Build canonical string for capsa signature.
+ * Format: packageId|version|totalSize|algorithm|hashes|(file)iv[s]|filenameIV[s]|structuredIV|subjectIV|bodyIV
+ * createdAt excluded because the server sets it when the capsa is stored.
+ * @throws Error if validation fails
+ */
+export function buildCanonicalString(params) {
+    if (!params.packageId || typeof params.packageId !== 'string') {
+        throw new Error('Invalid canonicalString: packageId must be a non-empty string');
+    }
+    if (typeof params.totalSize !== 'number' || params.totalSize < 0) {
+        throw new Error('Invalid canonicalString: totalSize must be a non-negative number');
+    }
+    if (!params.algorithm || typeof params.algorithm !== 'string') {
+        throw new Error('Invalid canonicalString: algorithm must be a non-empty string');
+    }
+    if (!Array.isArray(params.files)) {
+        throw new Error('Invalid canonicalString: files must be an array');
+    }
+    params.files.forEach((file, index) => validateEncryptedFile(file, index));
+    const version = params.version || '1.0.0';
+    const canonicalParts = [
+        params.packageId,
+        version,
+        String(params.totalSize), // Use String() instead of .toString()
+        params.algorithm,
+    ];
+    // Preserve file order - DO NOT SORT (for deterministic signatures)
+    if (params.files.length > 0) {
+        const hashes = params.files.map((f) => f.hash);
+        const ivs = params.files.map((f) => f.iv);
+        const filenameIVs = params.files.map((f) => f.filenameIV);
+        canonicalParts.push(...hashes);
+        canonicalParts.push(...ivs);
+        canonicalParts.push(...filenameIVs);
+    }
+    // Skip empty/undefined optional IVs
+    if (params.structuredIV) {
+        canonicalParts.push(params.structuredIV);
+    }
+    if (params.subjectIV) {
+        canonicalParts.push(params.subjectIV);
+    }
+    if (params.bodyIV) {
+        canonicalParts.push(params.bodyIV);
+    }
+    return canonicalParts.join('|');
+}
+/**
+ * Create JWS capsa signature using RSA-SHA256.
+ * @throws Error if key is invalid or signing fails
+ */
+export function createCapsaSignature(canonicalString, privateKeyPEM) {
+    if (!canonicalString || typeof canonicalString !== 'string') {
+        throw new Error('canonicalString must be a non-empty string');
+    }
+    if (!privateKeyPEM || typeof privateKeyPEM !== 'string') {
+        throw new Error('privateKeyPEM must be a non-empty string');
+    }
+    const joseHeader = {
+        alg: 'RS256',
+        typ: 'JWT',
+    };
+    const protectedHeader = Buffer.from(JSON.stringify(joseHeader)).toString('base64url');
+    const payload = Buffer.from(canonicalString, 'utf-8').toString('base64url');
+    const signingInput = `${protectedHeader}.${payload}`;
+    let privateKeyObject;
+    try {
+        privateKeyObject = crypto.createPrivateKey({
+            key: privateKeyPEM,
+            format: 'pem',
+        });
+    }
+    catch (error) {
+        throw new Error(`Invalid private key: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+    const signatureBuffer = crypto.sign('sha256', Buffer.from(signingInput, 'utf-8'), privateKeyObject);
+    const signature = signatureBuffer.toString('base64url');
+    return {
+        algorithm: 'RS256',
+        protected: protectedHeader,
+        payload,
+        signature,
+    };
+}
+/**
+ * Verify capsa signature.
+ * @returns True if signature is valid, false if it doesn't match
+ * @throws Error if inputs are invalid or key errors occur
+ */
+export function verifyCapsaSignature(signature, canonicalString, publicKeyPEM) {
+    if (!signature || typeof signature !== 'object') {
+        throw new Error('signature must be a CapsaSignature object');
+    }
+    if (!signature.payload || typeof signature.payload !== 'string') {
+        throw new Error('signature.payload must be a non-empty string');
+    }
+    if (!signature.protected || typeof signature.protected !== 'string') {
+        throw new Error('signature.protected must be a non-empty string');
+    }
+    if (!signature.signature || typeof signature.signature !== 'string') {
+        throw new Error('signature.signature must be a non-empty string');
+    }
+    if (!canonicalString || typeof canonicalString !== 'string') {
+        throw new Error('canonicalString must be a non-empty string');
+    }
+    if (!publicKeyPEM || typeof publicKeyPEM !== 'string') {
+        throw new Error('publicKeyPEM must be a non-empty string');
+    }
+    // Constant-time comparison to prevent timing attacks
+    const expectedPayload = Buffer.from(canonicalString, 'utf-8').toString('base64url');
+    const expectedPayloadBuffer = Buffer.from(expectedPayload, 'utf-8');
+    const actualPayloadBuffer = Buffer.from(signature.payload, 'utf-8');
+    // Check lengths first (length comparison is not timing-sensitive for this use case)
+    if (expectedPayloadBuffer.length !== actualPayloadBuffer.length) {
+        return false;
+    }
+    // Constant-time comparison to prevent timing side-channel attacks
+    if (!crypto.timingSafeEqual(expectedPayloadBuffer, actualPayloadBuffer)) {
+        return false;
+    }
+    const signingInput = `${signature.protected}.${signature.payload}`;
+    let publicKeyObject;
+    try {
+        publicKeyObject = crypto.createPublicKey({
+            key: publicKeyPEM,
+            format: 'pem',
+        });
+    }
+    catch (error) {
+        throw new Error(`Invalid public key: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+    try {
+        return crypto.verify('sha256', Buffer.from(signingInput, 'utf-8'), publicKeyObject, Buffer.from(signature.signature, 'base64url'));
+    }
+    catch {
+        throw new Error('Signature verification failed');
+    }
+}
+//# sourceMappingURL=signatures.js.map

package/dist/internal/crypto/signatures.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"signatures.js","sourceRoot":"","sources":["../../../src/internal/crypto/signatures.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAE7E,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAGjC,SAAS,qBAAqB,CAAC,IAAmB,EAAE,KAAa;IAC/D,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,iBAAiB,KAAK,+BAA+B,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,OAAO,IAAI,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,iBAAiB,KAAK,6BAA6B,CAAC,CAAC;IACvE,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,iBAAiB,KAAK,qCAAqC,CAAC,CAAC;IAC/E,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,MASpC;IACC,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,IAAI,MAAM,CAAC,SAAS,GAAG,CAAC,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;IACtF,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QAC9D,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,qBAAqB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;IAE1E,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,OAAO,CAAC;IAE1C,MAAM,cAAc,GAAa;QAC/B,MAAM,CAAC,SAAS;QAChB,OAAO;QACP,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,sCAAsC;QAChE,MAAM,CAAC,SAAS;KACjB,CAAC;IAEF,mEAAmE;IACnE,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAC/C,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC1C,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QAE1D,cAAc,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,CAAC;QAC/B,cAAc,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC;QAC5B,cAAc,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;IACtC,CAAC;IAED,oCAAoC;IACpC,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClB,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAED,OAAO,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAClC,eAAuB,EACvB,aAAqB;IAErB,IAAI,CAAC,eAAe,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,CAAC,aAAa,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,UAAU,GAAG;QACjB,GAAG,EAAE,OAAO;QACZ,GAAG,EAAE,KAAK;KACX,CAAC;IAEF,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CACtE,WAAW,CACZ,CAAC;IACF,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAE5E,MAAM,YAAY,GAAG,GAAG,eAAe,IAAI,OAAO,EAAE,CAAC;IAErD,IAAI,gBAAkC,CAAC;IACvC,IAAI,CAAC;QACH,gBAAgB,GAAG,MAAM,CAAC,gBAAgB,CAAC;YACzC,GAAG,EAAE,aAAa;YAClB,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,wBAAwB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACnF,CAAC;IACJ,CAAC;IAED,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CACjC,QAAQ,EACR,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,EAClC,gBAAgB,CACjB,CAAC;IAEF,MAAM,SAAS,GAAG,eAAe,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAExD,OAAO;QACL,SAAS,EAAE,OAAO;QAClB,SAAS,EAAE,eAAe;QAC1B,OAAO;QACP,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAClC,SAAyB,EACzB,eAAuB,EACvB,YAAoB;IAEpB,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,OAAO,SAAS,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,SAAS,IAAI,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,SAAS,CAAC,SAAS,IAAI,OAAO,SAAS,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,CAAC,eAAe,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,CAAC,YAAY,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,qDAAqD;IACrD,MAAM,eAAe,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACpF,MAAM,qBAAqB,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;IACpE,MAAM,mBAAmB,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAEpE,oFAAoF;IACpF,IAAI,qBAAqB,CAAC,MAAM,KAAK,mBAAmB,CAAC,MAAM,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,kEAAkE;IAClE,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC,qBAAqB,EAAE,mBAAmB,CAAC,EAAE,CAAC;QACxE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,YAAY,GAAG,GAAG,SAAS,CAAC,SAAS,IAAI,SAAS,CAAC,OAAO,EAAE,CAAC;IAEnE,IAAI,eAAiC,CAAC;IACtC,IAAI,CAAC;QACH,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;YACvC,GAAG,EAAE,YAAY;YACjB,MAAM,EAAE,KAAK;SACd,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,uBAAuB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAClF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,MAAM,CAClB,QAAQ,EACR,MAAM,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,EAClC,eAAe,EACf,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,WAAW,CAAC,CAC9C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;IACnD,CAAC;AACH,CAAC"}

package/dist/internal/decryptor/capsa-decryptor.d.ts ADDED Viewed

@@ -0,0 +1,89 @@
+/** Capsa decryption utilities for client-side decryption of API responses. */
+import type { Capsa, KeychainEntry, EncryptedFile, CapsaMetadata } from '../../types/index.js';
+export interface DecryptedCapsa {
+    id: string;
+    creator: string;
+    createdAt: string;
+    updatedAt: string;
+    status: 'active' | 'expired';
+    subject?: string;
+    body?: string;
+    structured?: Record<string, unknown>;
+    files: EncryptedFile[];
+    accessControl: {
+        expiresAt?: string;
+    };
+    /**
+     * Cached AES-256 master key, avoids repeated RSA-4096 decryption per file.
+     * Non-enumerable to prevent accidental serialization (JSON.stringify, spread, logging).
+     * Scoped to this capsa only; does not compromise other capsas or the party's private key.
+     * Call clearMasterKey() when done with file operations.
+     */
+    _masterKey: Buffer;
+    /** Securely clears the master key from memory. */
+    clearMasterKey(): void;
+    keychain: {
+        algorithm: string;
+        keys: KeychainEntry[];
+    };
+    signature: {
+        algorithm: string;
+        protected: string;
+        payload: string;
+        signature: string;
+    };
+    metadata?: CapsaMetadata;
+    stats: {
+        totalSize: number;
+        fileCount: number;
+        lastAccessedAt?: string;
+    };
+    _encrypted: Capsa;
+}
+/**
+ * Decrypt capsa using party's private key
+ *
+ * SECURITY FEATURES:
+ * - Verifies capsa signature before decryption
+ * - Requires auth tags for all AES-GCM decryption
+ * - Validates keychain entry exists
+ *
+ * NOTE: partyId is optional. If not provided, uses the first keychain entry
+ * (which is the authenticated party's key when retrieved from API).
+ *
+ * @param capsa - Encrypted capsa from API
+ * @param privateKey - Party's RSA private key in PEM format
+ * @param partyId - Party ID (optional - auto-detected from keychain if omitted)
+ * @param creatorPublicKey - Creator's RSA public key in PEM format (for signature verification)
+ * @param verifySignature - Whether to verify signature (default: true, set false to skip)
+ * @returns Decrypted capsa data
+ * @throws Error if signature invalid, party not in keychain, or decryption fails
+ */
+export declare function decryptCapsa(capsa: Capsa, privateKey: string, partyId?: string, creatorPublicKey?: string, verifySignature?: boolean): DecryptedCapsa;
+/**
+ * Decrypt a file from a capsa
+ *
+ * SECURITY: Requires non-empty authTag for AES-GCM integrity verification
+ *
+ * @param encryptedFileData - Encrypted file data (base64url)
+ * @param masterKey - Decrypted master key
+ * @param iv - Initialization vector for file
+ * @param authTag - Authentication tag for file (REQUIRED)
+ * @returns Decrypted file buffer
+ * @throws Error if authTag is missing or decryption fails
+ */
+export declare function decryptFile(encryptedFileData: string, masterKey: Buffer, iv: string, authTag: string, compressed?: boolean): Promise<Buffer>;
+/**
+ * Decrypt filename from capsa
+ *
+ * SECURITY: Requires non-empty authTag for AES-GCM integrity verification
+ *
+ * @param encryptedFilename - Encrypted filename (base64url)
+ * @param masterKey - Decrypted master key
+ * @param iv - Initialization vector for filename
+ * @param authTag - Authentication tag for filename (REQUIRED)
+ * @returns Decrypted filename
+ * @throws Error if authTag is missing or decryption fails
+ */
+export declare function decryptFilename(encryptedFilename: string, masterKey: Buffer, iv: string, authTag: string): string;
+//# sourceMappingURL=capsa-decryptor.d.ts.map

package/dist/internal/decryptor/capsa-decryptor.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"capsa-decryptor.d.ts","sourceRoot":"","sources":["../../../src/internal/decryptor/capsa-decryptor.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAM9E,OAAO,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAE/F,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,QAAQ,GAAG,SAAS,CAAC;IAG7B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAGrC,KAAK,EAAE,aAAa,EAAE,CAAC;IAGvB,aAAa,EAAE;QACb,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC;IAEF;;;;;OAKG;IACH,UAAU,EAAE,MAAM,CAAC;IAEnB,kDAAkD;IAClD,cAAc,IAAI,IAAI,CAAC;IAGvB,QAAQ,EAAE;QACR,SAAS,EAAE,MAAM,CAAC;QAClB,IAAI,EAAE,aAAa,EAAE,CAAC;KACvB,CAAC;IAGF,SAAS,EAAE;QACT,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,OAAO,EAAE,MAAM,CAAC;QAChB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;IAGF,QAAQ,CAAC,EAAE,aAAa,CAAC;IAGzB,KAAK,EAAE;QACL,SAAS,EAAE,MAAM,CAAC;QAClB,SAAS,EAAE,MAAM,CAAC;QAClB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,CAAC;IAGF,UAAU,EAAE,KAAK,CAAC;CACnB;AAoBD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,KAAK,EACZ,UAAU,EAAE,MAAM,EAClB,OAAO,CAAC,EAAE,MAAM,EAChB,gBAAgB,CAAC,EAAE,MAAM,EACzB,eAAe,UAAO,GACrB,cAAc,CAwPhB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,WAAW,CAC/B,iBAAiB,EAAE,MAAM,EACzB,SAAS,EAAE,MAAM,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,EACf,UAAU,CAAC,EAAE,OAAO,GACnB,OAAO,CAAC,MAAM,CAAC,CAoBjB;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,eAAe,CAC7B,iBAAiB,EAAE,MAAM,EACzB,SAAS,EAAE,MAAM,EACjB,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,GACd,MAAM,CAeR"}