@cardanowall/sdk-ts 0.2.0 → 0.3.0

package/dist/identity/index.cjs

@@ -879,6 +879,15 @@ function hkdfSha2562(opts2) {
 }
 var MLKEM768X25519_ENC_LENGTH = 1120;
 var MLKEM768X25519_SEED_LENGTH2 = 32;
+function mlkem768x25519Keygen2(seed) {
+  if (seed.length !== MLKEM768X25519_SEED_LENGTH2) {
+    throw new Error(
+      `mlkem768x25519 seed must be ${MLKEM768X25519_SEED_LENGTH2} bytes, got ${seed.length}`
+    );
+  }
+  const { secretKey, publicKey } = XWing.keygen(seed);
+  return { secretSeed: secretKey, publicKey };
+}
 function mlkem768x25519Decapsulate(opts2) {
   if (opts2.secretSeed.length !== MLKEM768X25519_SEED_LENGTH2) {
     throw new Error(
@@ -921,14 +930,6 @@ var EciesSealedPoeError = class extends Error {
     this.code = code;
   }
 };
-function encodeCanonicalCbor(value) {
-  return cbor2.encode(value, {
-    cde: true,
-    collapseBigInts: true,
-    rejectDuplicateKeys: true,
-    sortKeys: sorts.sortCoreDeterministic
-  });
-}
 var CHUNK_MAX_BYTES = 64;
 function chunkKemCt(value) {
   if (value.length === 0) {
@@ -951,27 +952,114 @@ function joinKemCt(chunks) {
   }
   return out;
 }
-function slotsToMacCbor(slots, kem) {
-  let value;
+function canonicalizeSlots(slots, kem) {
   if (kem === "x25519") {
-    value = slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
-  } else {
-    value = slots.map((s) => ({
-      // Canonicalize the chunk boundaries before the MAC commits to them:
-      // reassemble the logical ciphertext and re-split into canonical ≤ 64-byte
-      // chunks. The on-wire `kem_ct` array is a transport detail (the Cardano
-      // ledger's 64-byte metadatum cap), and a hostile or non-canonical chunking
-      // ([1, 63, …] instead of [64, …]) reassembles to the SAME bytes — so the
-      // MAC must be invariant to it. Committing to the verbatim wire chunks would
-      // let an attacker re-chunk an honest envelope and break the slots_mac match
-      // for an honest recipient. Honest (already-64B-chunked) records are
-      // unchanged; a real byte flip still changes the reassembled bytes and is
-      // still rejected.
-      kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
-      wrap: s.wrap
-    }));
+    return slots.map((s) => ({ epk: s.epk, wrap: s.wrap }));
   }
-  return encodeCanonicalCbor(value);
+  return slots.map((s) => ({
+    kem_ct: chunkKemCt(joinKemCt(s.kem_ct)),
+    wrap: s.wrap
+  }));
+}
+function encodeCanonicalCbor(value) {
+  return cbor2.encode(value, {
+    cde: true,
+    collapseBigInts: true,
+    rejectDuplicateKeys: true,
+    sortKeys: sorts.sortCoreDeterministic
+  });
+}
+var CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-slots-transcript-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD = new TextEncoder().encode(
+  "cardano-poe-payload-v1"
+);
+var CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE = new TextEncoder().encode(
+  "cardano-poe-payload-passphrase-v1"
+);
+var CARDANO_POE_XWING_KEK_SALT_PREFIX = new TextEncoder().encode(
+  "cardano-poe-xwing-kek-salt-v1"
+);
+if (CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length !== 31) {
+  throw new Error(
+    "CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX byte-length invariant violated (expected 31)"
+  );
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD.length !== 22) {
+  throw new Error("CARDANO_POE_HKDF_INFO_PAYLOAD byte-length invariant violated (expected 22)");
+}
+if (CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE.length !== 33) {
+  throw new Error(
+    "CARDANO_POE_HKDF_INFO_PAYLOAD_PASSPHRASE byte-length invariant violated (expected 33)"
+  );
+}
+if (CARDANO_POE_XWING_KEK_SALT_PREFIX.length !== 29) {
+  throw new Error("CARDANO_POE_XWING_KEK_SALT_PREFIX byte-length invariant violated (expected 29)");
+}
+var MAX_SLOTS = 1024;
+var MAX_DECODED_ENVELOPE_BYTES = 65536;
+var MAX_SEALED_PLAINTEXT = 274877906880;
+var MAX_SEALED_CIPHERTEXT = MAX_SEALED_PLAINTEXT + 16;
+function assertCiphertextWithinBound(ciphertextLength) {
+  if (ciphertextLength >= MAX_SEALED_CIPHERTEXT) {
+    throw new SealedPayloadTooLargeError(
+      `ciphertext length ${ciphertextLength} is at or above the maximum sealed ciphertext size ${MAX_SEALED_CIPHERTEXT}`
+    );
+  }
+}
+var SealedPayloadTooLargeError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SealedPayloadTooLargeError";
+  }
+};
+function computeSlotsHash(args) {
+  const transcript = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots: canonicalizeSlots(args.slots, args.kem)
+  };
+  const encoded = encodeCanonicalCbor(transcript);
+  const message = new Uint8Array(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length + encoded.length);
+  message.set(CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX, 0);
+  message.set(encoded, CARDANO_POE_SLOTS_TRANSCRIPT_PREFIX.length);
+  return sha2_js.sha256(message);
+}
+function adContentSlots(args) {
+  const ad = {
+    scheme: 1,
+    path: "slots",
+    aead: "xchacha20-poly1305",
+    kem: args.kem,
+    nonce: args.nonce,
+    slots_hash: args.slotsHash,
+    slots_mac: args.slotsMac
+  };
+  return encodeCanonicalCbor(ad);
+}
+function slotsPayloadKey(args) {
+  return hkdfSha2562({
+    ikm: args.cek,
+    salt: args.nonce,
+    info: CARDANO_POE_HKDF_INFO_PAYLOAD,
+    length: 32
+  });
+}
+function xwingKekSalt(args) {
+  const message = new Uint8Array(
+    CARDANO_POE_XWING_KEK_SALT_PREFIX.length + args.kemCt.length + args.pubR.length
+  );
+  let offset = 0;
+  message.set(CARDANO_POE_XWING_KEK_SALT_PREFIX, offset);
+  offset += CARDANO_POE_XWING_KEK_SALT_PREFIX.length;
+  message.set(args.kemCt, offset);
+  offset += args.kemCt.length;
+  message.set(args.pubR, offset);
+  return sha2_js.sha256(message);
 }
 var CARDANO_POE_HKDF_INFO_KEK = new TextEncoder().encode("cardano-poe-kek-v1");
 var CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519 = new TextEncoder().encode(
@@ -1017,6 +1105,13 @@ function concat2(a, b) {
   out.set(b, a.length);
   return out;
 }
+function bytesKey(bytes) {
+  let s = "";
+  for (let i = 0; i < bytes.length; i++) {
+    s += String.fromCharCode(bytes[i]);
+  }
+  return s;
+}
 function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   if (envelope.scheme !== 1) {
     throw new EciesSealedPoeError(
@@ -1040,6 +1135,12 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
   if (n < 1) {
     throw new EciesSealedPoeError("ENC_SLOTS_EMPTY", `envelope.slots.length=${n} must be >= 1`);
   }
+  if (n > MAX_SLOTS) {
+    throw new EciesSealedPoeError(
+      "ENC_SLOTS_TOO_MANY",
+      `envelope.slots.length=${n} exceeds MAX_SLOTS=${MAX_SLOTS}`
+    );
+  }
   if (envelope.nonce.length !== NONCE_LENGTH2) {
     throw new EciesSealedPoeError(
       "NONCE_LENGTH_MISMATCH",
@@ -1052,6 +1153,7 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
       `envelope.slots_mac MUST be exactly ${SLOTS_MAC_LENGTH2} bytes, got ${envelope.slots_mac.length}`
     );
   }
+  const seenKemMaterial = /* @__PURE__ */ new Set();
   if (envelope.kem === "x25519") {
     for (let i = 0; i < n; i++) {
       const slot = envelope.slots[i];
@@ -1067,6 +1169,14 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
           `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
         );
       }
+      const key = bytesKey(slot.epk);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].epk duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
     }
   } else {
     for (let i = 0; i < n; i++) {
@@ -1084,8 +1194,24 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
           `envelope.slots[${i}].wrap MUST be exactly ${WRAP_LENGTH2} bytes, got ${slot.wrap.length}`
         );
       }
+      const key = bytesKey(enc);
+      if (seenKemMaterial.has(key)) {
+        throw new EciesSealedPoeError(
+          "ENC_SLOTS_DUPLICATE_KEM_MATERIAL",
+          `envelope.slots[${i}].kem_ct duplicates an earlier slot \u2014 per-slot KEK uniqueness is violated`
+        );
+      }
+      seenKemMaterial.add(key);
     }
   }
+  const perSlotBytes = envelope.kem === "x25519" ? X25519_PUBLIC_KEY_LENGTH2 + WRAP_LENGTH2 : MLKEM768X25519_ENC_LENGTH + WRAP_LENGTH2;
+  const decodedEnvelopeBytes = NONCE_LENGTH2 + SLOTS_MAC_LENGTH2 + n * perSlotBytes;
+  if (decodedEnvelopeBytes > MAX_DECODED_ENVELOPE_BYTES) {
+    throw new EciesSealedPoeError(
+      "ENC_ENVELOPE_TOO_LARGE",
+      `decoded envelope size ${decodedEnvelopeBytes} exceeds MAX_DECODED_ENVELOPE_BYTES=${MAX_DECODED_ENVELOPE_BYTES}`
+    );
+  }
   if (multiPrivKeys !== void 0) {
     for (let i = 0; i < multiPrivKeys.length; i++) {
       if (multiPrivKeys[i].length !== X25519_SECRET_KEY_LENGTH2) {
@@ -1104,60 +1230,42 @@ function assertEnvelopeStructure(envelope, multiPrivKeys, singlePrivKey) {
     }
   }
 }
+var ZERO_IKM_32 = new Uint8Array(32);
 function tryX25519Slot(args) {
-  if (args.liveSlot) {
-    try {
-      const shared = x25519Ecdh({
-        secretKey: args.recipientSecretKey,
-        theirPublicKey: args.slot.epk
-      });
-      const kek = hkdfSha2562({
-        ikm: shared,
-        salt: concat2(args.slot.epk, args.pubRLocal),
-        info: CARDANO_POE_HKDF_INFO_KEK,
-        length: 32
-      });
-      return chacha20Poly1305Decrypt({
-        key: kek,
-        nonce: ZERO_NONCE_122,
-        aad: CARDANO_POE_HKDF_INFO_KEK,
-        ciphertext: args.slot.wrap
-      });
-    } catch (e) {
-      if (!(e instanceof AeadVerificationError) && !(e instanceof X25519LowOrderPointError)) {
-        throw e;
-      }
-      return null;
-    }
-  }
+  const salt = concat2(args.slot.epk, args.pubRLocal);
+  let shared;
   try {
-    const shared = x25519Ecdh({
+    shared = x25519Ecdh({
       secretKey: args.recipientSecretKey,
       theirPublicKey: args.slot.epk
     });
-    hkdfSha2562({
-      ikm: shared,
-      salt: concat2(args.slot.epk, args.pubRLocal),
-      info: CARDANO_POE_HKDF_INFO_KEK,
-      length: 32
-    });
   } catch (e) {
     if (!(e instanceof X25519LowOrderPointError)) throw e;
+    hkdfSha2562({ ikm: ZERO_IKM_32, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+    return null;
+  }
+  const kek = hkdfSha2562({ ikm: shared, salt, info: CARDANO_POE_HKDF_INFO_KEK, length: 32 });
+  try {
+    return chacha20Poly1305Decrypt({
+      key: kek,
+      nonce: ZERO_NONCE_122,
+      aad: CARDANO_POE_HKDF_INFO_KEK,
+      ciphertext: args.slot.wrap
+    });
+  } catch (e) {
+    if (!(e instanceof AeadVerificationError)) throw e;
+    return null;
   }
-  return null;
 }
 function tryMlkem768X25519Slot(args) {
   const enc = joinKemCt(args.slot.kem_ct);
   const ss = mlkem768x25519Decapsulate({ secretSeed: args.recipientSecretKey, enc });
   const kek = hkdfSha2562({
     ikm: ss,
-    salt: EMPTY_SALT22,
+    salt: xwingKekSalt({ kemCt: enc, pubR: args.pubR }),
     info: CARDANO_POE_HKDF_INFO_KEK_MLKEM768X25519,
     length: 32
   });
-  if (!args.liveSlot) {
-    return null;
-  }
   try {
     return chacha20Poly1305Decrypt({
       key: kek,
@@ -1174,51 +1282,43 @@ function tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN,
   const n = envelope.slots.length;
   let cek = null;
   let matchedSlotIdx = -1;
+  let cekConflict = false;
+  const recordMatch = (candidate, i) => {
+    if (candidate === null) return;
+    if (cek === null) {
+      cek = candidate;
+      matchedSlotIdx = i;
+    } else if (!compareCt(candidate, cek)) {
+      cekConflict = true;
+    }
+  };
   if (envelope.kem === "x25519") {
     const pubRLocal = x25519PublicKey2({ secretKey: recipientSecretKey });
     for (let i = 0; i < n; i++) {
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      const candidate = tryX25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        pubRLocal,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
+      recordMatch(tryX25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubRLocal }), i);
       if (cek !== null && !constantTimeN) break;
     }
   } else {
+    const pubR = mlkem768x25519Keygen2(recipientSecretKey).publicKey;
     for (let i = 0; i < n; i++) {
       if (slotsAttemptedOut !== void 0) {
         slotsAttemptedOut.count = i + 1;
       }
-      const candidate = tryMlkem768X25519Slot({
-        slot: envelope.slots[i],
-        recipientSecretKey,
-        liveSlot: cek === null
-      });
-      if (cek === null && candidate !== null) {
-        cek = candidate;
-        matchedSlotIdx = i;
-      }
+      recordMatch(tryMlkem768X25519Slot({ slot: envelope.slots[i], recipientSecretKey, pubR }), i);
       if (cek !== null && !constantTimeN) break;
     }
   }
-  return cek === null ? null : { cek, slotIdx: matchedSlotIdx };
+  return cek === null ? null : { cek, slotIdx: matchedSlotIdx, cekConflict };
 }
-function tryRecipientUnwrap(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut) {
-  return tryRecipientUnwrapWithIdx(envelope, recipientSecretKey, constantTimeN, slotsAttemptedOut)?.cek ?? null;
-}
-function slotsMacCborBytes(envelope) {
-  return slotsToMacCbor(
-    envelope.slots,
-    envelope.kem
-  );
+function slotsHashBytes(envelope) {
+  return computeSlotsHash({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slots: envelope.slots
+  });
 }
 function eciesSealedPoeUnwrap(args) {
   const { envelope, ciphertext } = args;
@@ -1247,34 +1347,38 @@ function eciesSealedPoeUnwrap(args) {
   } else {
     assertEnvelopeStructure(envelope, void 0, args.recipientSecretKey);
   }
+  assertCiphertextWithinBound(ciphertext.length);
+  const slotsHash = slotsHashBytes(envelope);
   let matchedCek = null;
   let anyCandidateRecovered = false;
   if (hasSingle) {
     const recipientSecretKey = args.recipientSecretKey;
-    const cek = tryRecipientUnwrap(
+    const candidate = tryRecipientUnwrapWithIdx(
       envelope,
       recipientSecretKey,
       constantTimeN,
       args._slotsAttemptedOut
     );
-    if (cek === null) {
+    if (candidate === null) {
       return { matched: false, reason: "WRONG_RECIPIENT_KEY" };
     }
-    const slotsCbor = slotsMacCborBytes(envelope);
+    if (candidate.cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
     const hmacKey = hkdfSha2562({
-      ikm: cek,
+      ikm: candidate.cek,
       salt: EMPTY_SALT22,
       info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
       length: 32
     });
-    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+    const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsHash);
     if (!compareCt(slotsMacCalc, envelope.slots_mac)) {
       return { matched: false, reason: "TAMPERED_HEADER" };
     }
-    matchedCek = cek;
+    matchedCek = candidate.cek;
   } else {
-    const slotsCbor = slotsMacCborBytes(envelope);
     const recipientSecretKeys = multiPrivKeys;
+    let cekConflict = false;
     for (let k = 0; k < recipientSecretKeys.length; k++) {
       if (args._privsAttemptedOut !== void 0) {
         args._privsAttemptedOut.count = k + 1;
@@ -1282,7 +1386,7 @@ function eciesSealedPoeUnwrap(args) {
       if (args._slotsAttemptedOut !== void 0) {
         args._slotsAttemptedOut.count = 0;
       }
-      const cek = tryRecipientUnwrap(
+      const candidate = tryRecipientUnwrapWithIdx(
         envelope,
         recipientSecretKeys[k],
         constantTimeN,
@@ -1291,20 +1395,25 @@ function eciesSealedPoeUnwrap(args) {
       if (args._slotsAttemptedOut?.perPrivCounts !== void 0) {
         args._slotsAttemptedOut.perPrivCounts.push(args._slotsAttemptedOut.count);
       }
-      if (cek === null) continue;
+      if (candidate === null) continue;
+      if (candidate.cekConflict) cekConflict = true;
+      const cek = candidate.cek;
       const hmacKey = hkdfSha2562({
         ikm: cek,
         salt: EMPTY_SALT22,
         info: CARDANO_POE_HKDF_INFO_SLOTS_MAC,
         length: 32
       });
-      const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsCbor);
+      const slotsMacCalc = hmac_js.hmac(sha2_js.sha256, hmacKey, slotsHash);
       if (compareCt(slotsMacCalc, envelope.slots_mac)) {
         matchedCek = cek;
         break;
       }
       anyCandidateRecovered = true;
     }
+    if (matchedCek !== null && cekConflict) {
+      return { matched: false, reason: "TAMPERED_HEADER" };
+    }
     if (matchedCek === null) {
       return {
         matched: false,
@@ -1312,10 +1421,16 @@ function eciesSealedPoeUnwrap(args) {
       };
     }
   }
-  const adContent = concat2(envelope.nonce, envelope.slots_mac);
+  const payloadKey = slotsPayloadKey({ cek: matchedCek, nonce: envelope.nonce });
+  const adContent = adContentSlots({
+    kem: envelope.kem,
+    nonce: envelope.nonce,
+    slotsHash,
+    slotsMac: envelope.slots_mac
+  });
   try {
     const plaintext = xchacha20Poly1305Decrypt({
-      key: matchedCek,
+      key: payloadKey,
       nonce: envelope.nonce,
       aad: adContent,
       ciphertext