@clef-sh/broker 0.1.10-beta.48 → 0.1.12

@@ -5,6 +5,10 @@ export interface ArtifactEnvelopeField {
5
5
  keyId: string;
6
6
  wrappedKey: string;
7
7
  algorithm: string;
8
+ /** Base64-encoded 12-byte AES-GCM initialization vector. */
9
+ iv: string;
10
+ /** Base64-encoded 16-byte AES-GCM authentication tag. */
11
+ authTag: string;
8
12
  }
9
13
  /** JSON envelope produced by the broker. Matches the runtime's expected artifact shape. */
10
14
  export interface BrokerArtifact {
@@ -39,8 +43,8 @@ export interface PackEnvelopeOptions {
39
43
  /**
40
44
  * Pack credentials into a Clef artifact envelope with KMS envelope encryption.
41
45
  *
42
- * 1. age-encrypt plaintext with an ephemeral key
43
- * 2. Wrap the ephemeral private key via KMS
46
+ * 1. AES-256-GCM encrypt plaintext with a random DEK
47
+ * 2. Wrap the DEK via KMS
44
48
  * 3. Return the complete JSON envelope string
45
49
  */
46
50
  export declare function packEnvelope(options: PackEnvelopeOptions): Promise<string>;
@@ -1 +1 @@
1
- {"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEpD,6CAA6C;AAC7C,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,2FAA2F;AAC3F,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,EAAE,qBAAqB,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,kCAAkC;AAClC,MAAM,WAAW,mBAAmB;IAClC,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,wDAAwD;IACxD,GAAG,EAAE,MAAM,CAAC;IACZ,wDAAwD;IACxD,WAAW,EAAE,WAAW,CAAC;IACzB,wEAAwE;IACxE,eAAe,EAAE,MAAM,CAAC;IACxB,mCAAmC;IACnC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CA8ChF"}
1
+ {"version":3,"file":"envelope.d.ts","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAEpD,6CAA6C;AAC7C,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,yDAAyD;IACzD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,2FAA2F;AAC3F,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,QAAQ,EAAE,qBAAqB,CAAC;IAChC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,kCAAkC;AAClC,MAAM,WAAW,mBAAmB;IAClC,6BAA6B;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7B,wDAAwD;IACxD,GAAG,EAAE,MAAM,CAAC;IACZ,wDAAwD;IACxD,WAAW,EAAE,WAAW,CAAC;IACzB,wEAAwE;IACxE,eAAe,EAAE,MAAM,CAAC;IACxB,mCAAmC;IACnC,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,mBAAmB,GAAG,OAAO,CAAC,MAAM,CAAC,CAqDhF"}
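--- a/package/dist/envelope.js
+++ b/package/dist/envelope.js
@@ -38,26 +38,32 @@ const crypto = __importStar(require("crypto"));
  /**
  * Pack credentials into a Clef artifact envelope with KMS envelope encryption.
  *
- * 1. age-encrypt plaintext with an ephemeral key
- * 2. Wrap the ephemeral private key via KMS
+ * 1. AES-256-GCM encrypt plaintext with a random DEK
+ * 2. Wrap the DEK via KMS
  * 3. Return the complete JSON envelope string
  */
  async function packEnvelope(options) {
  const { identity, environment, data, ttl, kmsProvider, kmsProviderName, kmsKeyId } = options;
  const plaintext = JSON.stringify(data);
- // Generate ephemeral age key pair
- const { generateIdentity, identityToRecipient, Encrypter } = await Promise.resolve(`${
- // eslint-disable-next-line @typescript-eslint/no-explicit-any -- dynamic ESM import of CJS-incompatible package
- "age-encryption"}`).then(s => __importStar(require(s)));
- const ephemeralPrivateKey = (await generateIdentity());
- const ephemeralPublicKey = (await identityToRecipient(ephemeralPrivateKey));
- // age-encrypt plaintext to ephemeral public key
- const e = new Encrypter();
- e.addRecipient(ephemeralPublicKey);
- const encrypted = await e.encrypt(plaintext);
- const ciphertext = Buffer.from(encrypted).toString("base64");
- // Wrap the ephemeral private key with KMS
- const wrapped = await kmsProvider.wrap(kmsKeyId, Buffer.from(ephemeralPrivateKey));
+ const dek = crypto.randomBytes(32);
+ const iv = crypto.randomBytes(12);
+ let ciphertext;
+ let authTag;
+ let wrapped;
+ try {
+ const cipher = crypto.createCipheriv("aes-256-gcm", dek, iv);
+ const ciphertextBuf = Buffer.concat([
+ cipher.update(Buffer.from(plaintext, "utf-8")),
+ cipher.final(),
+ ]);
+ authTag = cipher.getAuthTag();
+ ciphertext = ciphertextBuf.toString("base64");
+ // Wrap the DEK with KMS
+ wrapped = await kmsProvider.wrap(kmsKeyId, dek);
+ }
+ finally {
+ dek.fill(0);
+ }
  const revision = `${Date.now()}-${crypto.randomBytes(4).toString("hex")}`;
  const ciphertextHash = crypto.createHash("sha256").update(ciphertext).digest("hex");
  const packedAt = new Date().toISOString();
@@ -76,6 +82,8 @@ async function packEnvelope(options) {
  keyId: kmsKeyId,
  wrappedKey: wrapped.wrappedKey.toString("base64"),
  algorithm: wrapped.algorithm,
+ iv: iv.toString("base64"),
+ authTag: authTag.toString("base64"),
  },
  expiresAt,
  };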
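Review bot: Nothing in the new envelope records which content cipher produced `ciphertext` — the only `algorithm` written (the `algorithm: wrapped.algorithm` line in the second hunk) is the KMS wrap algorithm returned by `kmsProvider.wrap`, so a consumer can tell an AES-256-GCM artifact from the previous age-encrypted format only by the presence of `iv`/`authTag`, unless the envelope version is bumped somewhere outside these hunks. Naming the cipher explicitly next to the new fields, e.g. `cipher: "aes-256-gcm",` (constructed field name), lets the runtime reject or route unknown formats instead of guessing from field presence. Separately, the `createCipheriv` call is used without `setAAD`, so the GCM tag authenticates only the serialized `data` bytes; passing metadata such as `kmsKeyId`, `identity` and `environment` through `cipher.setAAD(...)` (with the matching `decipher.setAAD` on the runtime side) would make a field swap between two otherwise valid envelopes detectable at decrypt time. `packEnvelope` begins in the first hunk, but its body between the hunks and its end lie outside this view.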
@@ -1 +1 @@
1
- {"version":3,"file":"envelope.js","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkDA,oCA8CC;AAhGD,+CAAiC;AA2CjC;;;;;;GAMG;AACI,KAAK,UAAU,YAAY,CAAC,OAA4B;IAC7D,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7F,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAEvC,kCAAkC;IAClC,MAAM,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,SAAS,EAAE,GAAG;IAC3D,gHAAgH;IAChH,gBAAuB,uCACxB,CAAC;IACF,MAAM,mBAAmB,GAAG,CAAC,MAAM,gBAAgB,EAAE,CAAW,CAAC;IACjE,MAAM,kBAAkB,GAAG,CAAC,MAAM,mBAAmB,CAAC,mBAAmB,CAAC,CAAW,CAAC;IAEtF,gDAAgD;IAChD,MAAM,CAAC,GAAG,IAAI,SAAS,EAAE,CAAC;IAC1B,CAAC,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;IACnC,MAAM,SAAS,GAAG,MAAM,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAC7C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,SAAuB,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAE3E,0CAA0C;IAC1C,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC;IAEnF,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAC1E,MAAM,cAAc,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpF,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAElE,MAAM,QAAQ,GAAmB;QAC/B,OAAO,EAAE,CAAC;QACV,QAAQ;QACR,WAAW;QACX,QAAQ;QACR,QAAQ;QACR,cAAc;QACd,UAAU;QACV,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;QACvB,QAAQ,EAAE;YACR,QAAQ,EAAE,eAAe;YACzB,KAAK,EAAE,QAAQ;YACf,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACjD,SAAS,EAAE,OAAO,CAAC,SAAS;SAC7B;QACD,SAAS;KACV,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC3C,CAAC"}
1
+ {"version":3,"file":"envelope.js","sourceRoot":"","sources":["../src/envelope.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsDA,oCAqDC;AA3GD,+CAAiC;AA+CjC;;;;;;GAMG;AACI,KAAK,UAAU,YAAY,CAAC,OAA4B;IAC7D,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,GAAG,EAAE,WAAW,EAAE,eAAe,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAE7F,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAEvC,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IACnC,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC;IAElC,IAAI,UAAkB,CAAC;IACvB,IAAI,OAAe,CAAC;IACpB,IAAI,OAAiD,CAAC;IAEtD,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;QAC7D,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC;YAClC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;YAC9C,MAAM,CAAC,KAAK,EAAE;SACf,CAAC,CAAC;QACH,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAC9B,UAAU,GAAG,aAAa,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE9C,wBAAwB;QACxB,OAAO,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAClD,CAAC;YAAS,CAAC;QACT,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;IAC1E,MAAM,cAAc,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACpF,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAElE,MAAM,QAAQ,GAAmB;QAC/B,OAAO,EAAE,CAAC;QACV,QAAQ;QACR,WAAW;QACX,QAAQ;QACR,QAAQ;QACR,cAAc;QACd,UAAU;QACV,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC;QACvB,QAAQ,EAAE;YACR,QAAQ,EAAE,eAAe;YACzB,KAAK,EAAE,QAAQ;YACf,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACjD,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACzB,OAAO,EAAE,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC;SACpC;QACD,SAAS;KACV,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC3C,CAAC"}
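--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@clef-sh/broker",
- "version": "0.1.10-beta.48",
+ "version": "0.1.12",
  "description": "Runtime harness for Clef dynamic credential brokers",
  "repository": {
  "type": "git",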