@cloudpss/crypto 0.5.22

package/README.md

@@ -0,0 +1,3 @@
+# @cloudpss/crypto
+
+Pre-configured crypto libraries for use in CloudPSS.

package/dist/encryption/browser.d.ts

@@ -0,0 +1,5 @@
+import type { EncryptionResult } from './common.js';
+/** browser encrypt */
+export declare function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult>;
+/** browser decrypt */
+export declare function decrypt(data: EncryptionResult, passphrase: string): Promise<Uint8Array>;

package/dist/encryption/browser.js

@@ -0,0 +1,26 @@
+// eslint-disable-next-line @typescript-eslint/explicit-function-return-type
+const module = () => {
+    if (typeof crypto == 'object' &&
+        typeof crypto.getRandomValues == 'function' &&
+        typeof crypto.subtle == 'object' &&
+        typeof crypto.subtle.importKey == 'function' &&
+        typeof crypto.subtle.deriveKey == 'function' &&
+        typeof crypto.subtle.encrypt == 'function' &&
+        typeof crypto.subtle.decrypt == 'function') {
+        return import('./web.js');
+    }
+    else {
+        return import('./pure-js.js');
+    }
+};
+/** browser encrypt */
+export async function encrypt(data, passphrase) {
+    const { encrypt } = await module();
+    return await encrypt(data, passphrase);
+}
+/** browser decrypt */
+export async function decrypt(data, passphrase) {
+    const { decrypt } = await module();
+    return await decrypt(data, passphrase);
+}
+//# sourceMappingURL=browser.js.map

package/dist/encryption/browser.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser.js","sourceRoot":"","sources":["../../src/encryption/browser.ts"],"names":[],"mappings":"AAEA,4EAA4E;AAC5E,MAAM,MAAM,GAAG,GAAG,EAAE;IAChB,IACI,OAAO,MAAM,IAAI,QAAQ;QACzB,OAAO,MAAM,CAAC,eAAe,IAAI,UAAU;QAC3C,OAAO,MAAM,CAAC,MAAM,IAAI,QAAQ;QAChC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,IAAI,UAAU;QAC5C,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,IAAI,UAAU;QAC5C,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,IAAI,UAAU;QAC1C,OAAO,MAAM,CAAC,MAAM,CAAC,OAAO,IAAI,UAAU,EAC5C,CAAC;QACC,OAAO,MAAM,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC;SAAM,CAAC;QACJ,OAAO,MAAM,CAAC,cAAc,CAAC,CAAC;IAClC,CAAC;AACL,CAAC,CAAC;AAEF,sBAAsB;AACtB,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAgB,EAAE,UAAkB;IAC9D,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,EAAE,CAAC;IACnC,OAAO,MAAM,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;AAC3C,CAAC;AAED,sBAAsB;AACtB,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAsB,EAAE,UAAkB;IACpE,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM,EAAE,CAAC;IACnC,OAAO,MAAM,OAAO,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;AAC3C,CAAC"}

package/dist/encryption/common.d.ts

@@ -0,0 +1,21 @@
+/**
+ * PBKDF2 迭代次数
+ */
+export declare const PBKDF2_ITERATIONS = 100000;
+/**
+ * PBKDF2 盐值长度（byte）
+ */
+export declare const PBKDF2_SALT_SIZE: number;
+/** IV 长度（byte） */
+export declare const AES_IV_SIZE: number;
+/** KEY 长度（byte） */
+export declare const AES_KEY_SIZE: number;
+/** 加密结果 */
+export interface EncryptionResult {
+    /** 盐值 */
+    salt: Uint8Array;
+    /** 初始向量 */
+    iv: Uint8Array;
+    /** 加密后的数据 */
+    data: Uint8Array;
+}

package/dist/encryption/common.js

@@ -0,0 +1,13 @@
+/**
+ * PBKDF2 迭代次数
+ */
+export const PBKDF2_ITERATIONS = 100_000;
+/**
+ * PBKDF2 盐值长度（byte）
+ */
+export const PBKDF2_SALT_SIZE = 128 / 8;
+/** IV 长度（byte） */
+export const AES_IV_SIZE = 128 / 8;
+/** KEY 长度（byte） */
+export const AES_KEY_SIZE = 256 / 8;
+//# sourceMappingURL=common.js.map

package/dist/encryption/common.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"common.js","sourceRoot":"","sources":["../../src/encryption/common.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAC;AACzC;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,GAAG,GAAG,CAAC,CAAC;AACxC,kBAAkB;AAClB,MAAM,CAAC,MAAM,WAAW,GAAG,GAAG,GAAG,CAAC,CAAC;AACnC,mBAAmB;AACnB,MAAM,CAAC,MAAM,YAAY,GAAG,GAAG,GAAG,CAAC,CAAC"}

package/dist/encryption/index.d.ts

@@ -0,0 +1,26 @@
+/**
+ * CloudPSS 数据加密
+ * - 密钥生成算法：PBKDF2-HMAC-SHA256，盐长度 128，迭代 100,000 次
+ * - 加密算法：AES-256-CBC
+ *
+ * - 文件格式：
+ *   - Magic Number: 0e 02 49 29 3f 07 7b 0a
+ *   - Salt: 128 bits
+ *   - IV: 128 bits
+ *   - Encrypted Data
+ */
+/** CloudPSS 数据加密 */
+export declare const MAGIC_NUMBER: Uint8Array;
+/** 检查是否为 CloudPSS 加密数据 */
+export declare function isEncrypted(data: BinaryData): boolean;
+/**
+ * 加密数据
+ * @throws {TypeError} 如果密码无效
+ */
+export declare function encrypt(data: BinaryData, passphrase: string): Promise<Uint8Array>;
+/**
+ * 解密数据
+ * @throws {TypeError} 如果数据不是有效的加密数据
+ * @throws {TypeError} 如果密码无效
+ */
+export declare function decrypt(data: BinaryData, passphrase: string): Promise<Uint8Array>;

package/dist/encryption/index.js

@@ -0,0 +1,69 @@
+import * as impl from '#encryption';
+import { toUint8Array } from '../utils.js';
+import { AES_IV_SIZE, PBKDF2_SALT_SIZE } from './common.js';
+/**
+ * CloudPSS 数据加密
+ * - 密钥生成算法：PBKDF2-HMAC-SHA256，盐长度 128，迭代 100,000 次
+ * - 加密算法：AES-256-CBC
+ *
+ * - 文件格式：
+ *   - Magic Number: 0e 02 49 29 3f 07 7b 0a
+ *   - Salt: 128 bits
+ *   - IV: 128 bits
+ *   - Encrypted Data
+ */
+/** CloudPSS 数据加密 */
+export const MAGIC_NUMBER = Uint8Array.from([0x0e, 0x02, 0x49, 0x29, 0x3f, 0x07, 0x7b, 0x0a]);
+/** 检查是否为 CloudPSS 加密数据 */
+function isEncryptedImpl(data) {
+    return (data.length > MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE &&
+        MAGIC_NUMBER.every((v, i) => data[i] === v));
+}
+/** 检查是否为 CloudPSS 加密数据 */
+export function isEncrypted(data) {
+    const buffer = toUint8Array(data);
+    return isEncryptedImpl(buffer);
+}
+/** 检查密码 */
+function assertPassphrase(passphrase) {
+    if (typeof passphrase !== 'string') {
+        throw new TypeError('Invalid passphrase, must be a string');
+    }
+    if (passphrase.length === 0) {
+        throw new TypeError('Invalid passphrase, must not be empty');
+    }
+}
+/**
+ * 加密数据
+ * @throws {TypeError} 如果密码无效
+ */
+export async function encrypt(data, passphrase) {
+    assertPassphrase(passphrase);
+    const buffer = toUint8Array(data);
+    const encrypted = await impl.encrypt(buffer, passphrase);
+    const result = new Uint8Array(MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE + encrypted.data.length);
+    result.set(MAGIC_NUMBER);
+    result.set(encrypted.salt, MAGIC_NUMBER.length);
+    result.set(encrypted.iv, MAGIC_NUMBER.length + PBKDF2_SALT_SIZE);
+    result.set(encrypted.data, MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE);
+    return result;
+}
+/**
+ * 解密数据
+ * @throws {TypeError} 如果数据不是有效的加密数据
+ * @throws {TypeError} 如果密码无效
+ */
+export async function decrypt(data, passphrase) {
+    assertPassphrase(passphrase);
+    const buffer = toUint8Array(data);
+    if (!isEncryptedImpl(buffer)) {
+        throw new TypeError('Invalid encrypted data');
+    }
+    const encrypted = {
+        salt: buffer.subarray(MAGIC_NUMBER.length, MAGIC_NUMBER.length + PBKDF2_SALT_SIZE),
+        iv: buffer.subarray(MAGIC_NUMBER.length + PBKDF2_SALT_SIZE, MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE),
+        data: buffer.subarray(MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE),
+    };
+    return await impl.decrypt(encrypted, passphrase);
+}
+//# sourceMappingURL=index.js.map

package/dist/encryption/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/encryption/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,aAAa,CAAC;AACpC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,EAAE,WAAW,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE5D;;;;;;;;;;GAUG;AAEH,oBAAoB;AACpB,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;AAE9F,0BAA0B;AAC1B,SAAS,eAAe,CAAC,IAAgB;IACrC,OAAO,CACH,IAAI,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,GAAG,gBAAgB,GAAG,WAAW;QAClE,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAC9C,CAAC;AACN,CAAC;AAED,0BAA0B;AAC1B,MAAM,UAAU,WAAW,CAAC,IAAgB;IACxC,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,OAAO,eAAe,CAAC,MAAM,CAAC,CAAC;AACnC,CAAC;AAED,WAAW;AACX,SAAS,gBAAgB,CAAC,UAAkB;IACxC,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAC;IAChE,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAC;IACjE,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAgB,EAAE,UAAkB;IAC9D,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC7B,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,YAAY,CAAC,MAAM,GAAG,gBAAgB,GAAG,WAAW,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5G,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,YAAY,CAAC,MAAM,CAAC,CAAC;IAChD,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,EAAE,YAAY,CAAC,MAAM,GAAG,gBAAgB,CAAC,CAAC;IACjE,MAAM,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,YAAY,CAAC,MAAM,GAAG,gBAAgB,GAAG,WAAW,CAAC,CAAC;IACjF,OAAO,MAAM,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAgB,EAAE,UAAkB;IAC9D,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC7B,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,SAAS,CAAC,wBAAwB,CAAC,CAAC;IAClD,CAAC;IACD,MAAM,SAAS,GAAG;QACd,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,EAAE,YAAY,CAAC,MAAM,GAAG,gBAAgB,CAAC;QAClF,EAAE,EAAE,MAAM,CAAC,QAAQ,CACf,YAAY,CAAC,MAAM,GAAG,gBAAgB,EACtC,YAAY,CAAC,MAAM,GAAG,gBAAgB,GAAG,WAAW,CACvD;QACD,IAAI,EAAE,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,MAAM,GAAG,gBAAgB,GAAG,WAAW,CAAC;KAC9E,CAAC;IACF,OAAO,MAAM,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;AACrD,CAAC"}

package/dist/encryption/node.d.ts

@@ -0,0 +1,5 @@
+import { type EncryptionResult } from './common.js';
+/** nodejs encrypt */
+export declare function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult>;
+/** nodejs decrypt */
+export declare function decrypt({ data, iv, salt }: EncryptionResult, passphrase: string): Promise<Uint8Array>;

package/dist/encryption/node.js

@@ -0,0 +1,28 @@
+import { pbkdf2 as _pbkdf2, createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+import { PBKDF2_ITERATIONS, PBKDF2_SALT_SIZE, AES_IV_SIZE, AES_KEY_SIZE } from './common.js';
+import { promisify } from 'node:util';
+import { toUint8Array } from '../utils.js';
+const aesKdf = (passphrase, salt) => {
+    return promisify(_pbkdf2)(passphrase, salt, PBKDF2_ITERATIONS, AES_KEY_SIZE, 'sha256');
+};
+/** nodejs encrypt */
+export async function encrypt(data, passphrase) {
+    const salt = randomBytes(PBKDF2_SALT_SIZE);
+    const key = await aesKdf(passphrase, salt);
+    const iv = randomBytes(AES_IV_SIZE);
+    const cipher = createCipheriv('aes-256-cbc', key, iv);
+    const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+    return {
+        salt: toUint8Array(salt),
+        iv: toUint8Array(iv),
+        data: toUint8Array(encrypted),
+    };
+}
+/** nodejs decrypt */
+export async function decrypt({ data, iv, salt }, passphrase) {
+    const key = await aesKdf(passphrase, salt);
+    const decipher = createDecipheriv('aes-256-cbc', key, iv);
+    const decrypted = Buffer.concat([decipher.update(data), decipher.final()]);
+    return toUint8Array(decrypted);
+}
+//# sourceMappingURL=node.js.map

package/dist/encryption/node.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"node.js","sourceRoot":"","sources":["../../src/encryption/node.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC/F,OAAO,EAAE,iBAAiB,EAAE,gBAAgB,EAAyB,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACpH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,MAAM,GAAG,CAAC,UAAkB,EAAE,IAAgB,EAAmB,EAAE;IACrE,OAAO,SAAS,CAAC,OAAO,CAAC,CAAC,UAAU,EAAE,IAAI,EAAE,iBAAiB,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;AAC3F,CAAC,CAAC;AAEF,qBAAqB;AACrB,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAgB,EAAE,UAAkB;IAC9D,MAAM,IAAI,GAAG,WAAW,CAAC,gBAAgB,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAC3C,MAAM,EAAE,GAAG,WAAW,CAAC,WAAW,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACvE,OAAO;QACH,IAAI,EAAE,YAAY,CAAC,IAAI,CAAC;QACxB,EAAE,EAAE,YAAY,CAAC,EAAE,CAAC;QACpB,IAAI,EAAE,YAAY,CAAC,SAAS,CAAC;KAChC,CAAC;AACN,CAAC;AAED,qBAAqB;AACrB,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAoB,EAAE,UAAkB;IAClF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC3E,OAAO,YAAY,CAAC,SAAS,CAAC,CAAC;AACnC,CAAC"}

package/dist/encryption/pure-js.d.ts

@@ -0,0 +1,5 @@
+import { type EncryptionResult } from './common.js';
+/** crypto-js encrypt */
+export declare function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult>;
+/** crypto-js decrypt */
+export declare function decrypt({ data, iv, salt }: EncryptionResult, passphrase: string): Promise<Uint8Array>;

package/dist/encryption/pure-js.js

@@ -0,0 +1,52 @@
+import { pbkdf2, createSHA256 } from 'hash-wasm';
+import AES from 'crypto-js/aes.js';
+import WordArray from 'crypto-js/lib-typedarrays.js';
+import { AES_IV_SIZE, AES_KEY_SIZE, PBKDF2_SALT_SIZE, PBKDF2_ITERATIONS } from './common.js';
+/** Convert word array to buffer data */
+function wordArrayToBuffer(wordArray) {
+    const { sigBytes, words } = wordArray;
+    const result = new Uint8Array(sigBytes);
+    for (let i = 0; i < sigBytes; i++) {
+        result[i] = (words[i >>> 2] >>> (24 - (i % 4) * 8)) & 0xff;
+    }
+    return result;
+}
+/** Convert buffer data to word array */
+function bufferToWordArray(buffer) {
+    return WordArray.create(buffer);
+}
+/** Create aes params */
+async function aesKdfJs(passphrase, salt) {
+    const result = await pbkdf2({
+        password: passphrase,
+        salt: salt,
+        iterations: PBKDF2_ITERATIONS,
+        hashLength: AES_KEY_SIZE,
+        hashFunction: createSHA256(),
+        outputType: 'binary',
+    });
+    return WordArray.create(result);
+}
+/** crypto-js encrypt */
+export async function encrypt(data, passphrase) {
+    const salt = wordArrayToBuffer(WordArray.random(PBKDF2_SALT_SIZE));
+    const key = await aesKdfJs(passphrase, salt);
+    const iv = WordArray.random(AES_IV_SIZE);
+    const encrypted = AES.encrypt(bufferToWordArray(data), key, { iv });
+    return {
+        salt: salt,
+        iv: wordArrayToBuffer(iv),
+        data: wordArrayToBuffer(encrypted.ciphertext),
+    };
+}
+/** crypto-js decrypt */
+export async function decrypt({ data, iv, salt }, passphrase) {
+    const key = await aesKdfJs(passphrase, salt);
+    const decrypted = AES.decrypt({
+        ciphertext: bufferToWordArray(data),
+    }, key, {
+        iv: bufferToWordArray(iv),
+    });
+    return wordArrayToBuffer(decrypted);
+}
+//# sourceMappingURL=pure-js.js.map

package/dist/encryption/pure-js.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pure-js.js","sourceRoot":"","sources":["../../src/encryption/pure-js.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,GAAG,MAAM,kBAAkB,CAAC;AACnC,OAAO,SAAS,MAAM,8BAA8B,CAAC;AAErD,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,gBAAgB,EAAyB,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEpH,wCAAwC;AACxC,SAAS,iBAAiB,CAAC,SAAoB;IAC3C,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,GAAG,SAAS,CAAC;IACtC,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,EAAE,CAAC,EAAE,EAAE,CAAC;QAChC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAC/D,CAAC;IACD,OAAO,MAAM,CAAC;AAClB,CAAC;AAED,wCAAwC;AACxC,SAAS,iBAAiB,CAAC,MAAkB;IACzC,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,wBAAwB;AACxB,KAAK,UAAU,QAAQ,CAAC,UAAkB,EAAE,IAAgB;IACxD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC;QACxB,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,IAAI;QACV,UAAU,EAAE,iBAAiB;QAC7B,UAAU,EAAE,YAAY;QACxB,YAAY,EAAE,YAAY,EAAE;QAC5B,UAAU,EAAE,QAAQ;KACvB,CAAC,CAAC;IACH,OAAO,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AACpC,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAgB,EAAE,UAAkB;IAC9D,MAAM,IAAI,GAAG,iBAAiB,CAAC,SAAS,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACnE,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAC7C,MAAM,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,CAAC,CAAC;IACpE,OAAO;QACH,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,iBAAiB,CAAC,EAAE,CAAC;QACzB,IAAI,EAAE,iBAAiB,CAAC,SAAS,CAAC,UAAU,CAAC;KAChD,CAAC;AACN,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAoB,EAAE,UAAkB;IAClF,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAC7C,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CACzB;QACI,UAAU,EAAE,iBAAiB,CAAC,IAAI,CAAC;KACT,EAC9B,GAAG,EACH;QACI,EAAE,EAAE,iBAAiB,CAAC,EAAE,CAAC;KAC5B,CACJ,CAAC;IACF,OAAO,iBAAiB,CAAC,SAAS,CAAC,CAAC;AACxC,CAAC"}

package/dist/encryption/web.d.ts

@@ -0,0 +1,5 @@
+import { type EncryptionResult } from './common.js';
+/** webcrypto encrypt */
+export declare function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult>;
+/** webcrypto decrypt */
+export declare function decrypt({ data, salt, iv }: EncryptionResult, passphrase: string): Promise<Uint8Array>;

package/dist/encryption/web.js

@@ -0,0 +1,41 @@
+import { AES_IV_SIZE, AES_KEY_SIZE, PBKDF2_SALT_SIZE, PBKDF2_ITERATIONS } from './common.js';
+const encoder = new TextEncoder();
+/** Create aes params */
+async function aesKdfWeb(passphrase, salt) {
+    const pass = await crypto.subtle.importKey('raw', encoder.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
+    const pbkdf2Params = {
+        name: 'PBKDF2',
+        salt,
+        iterations: PBKDF2_ITERATIONS,
+        hash: 'SHA-256',
+    };
+    return await crypto.subtle.deriveKey(pbkdf2Params, pass, { name: 'AES-CBC', length: AES_KEY_SIZE * 8 }, false, [
+        'encrypt',
+        'decrypt',
+    ]);
+}
+/** webcrypto encrypt */
+export async function encrypt(data, passphrase) {
+    const salt = crypto.getRandomValues(new Uint8Array(PBKDF2_SALT_SIZE));
+    const key = await aesKdfWeb(passphrase, salt);
+    const iv = crypto.getRandomValues(new Uint8Array(AES_IV_SIZE));
+    const encrypted = await crypto.subtle.encrypt({
+        name: 'AES-CBC',
+        iv,
+    }, key, data);
+    return {
+        salt: salt,
+        iv: iv,
+        data: new Uint8Array(encrypted),
+    };
+}
+/** webcrypto decrypt */
+export async function decrypt({ data, salt, iv }, passphrase) {
+    const key = await aesKdfWeb(passphrase, salt);
+    const decrypted = await crypto.subtle.decrypt({
+        name: 'AES-CBC',
+        iv,
+    }, key, data);
+    return new Uint8Array(decrypted);
+}
+//# sourceMappingURL=web.js.map

package/dist/encryption/web.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"web.js","sourceRoot":"","sources":["../../src/encryption/web.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,gBAAgB,EAAyB,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEpH,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC;AAElC,wBAAwB;AACxB,KAAK,UAAU,SAAS,CAAC,UAAkB,EAAE,IAAgB;IACzD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,WAAW,CAAC,CAAC,CAAC;IAC9G,MAAM,YAAY,GAAiB;QAC/B,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,UAAU,EAAE,iBAAiB;QAC7B,IAAI,EAAE,SAAS;KAClB,CAAC;IACF,OAAO,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,YAAY,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,GAAG,CAAC,EAAE,EAAE,KAAK,EAAE;QAC3G,SAAS;QACT,SAAS;KACZ,CAAC,CAAC;AACP,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,IAAgB,EAAE,UAAkB;IAC9D,MAAM,IAAI,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACtE,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAC9C,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CACzC;QACI,IAAI,EAAE,SAAS;QACf,EAAE;KACL,EACD,GAAG,EACH,IAAI,CACP,CAAC;IACF,OAAO;QACH,IAAI,EAAE,IAAI;QACV,EAAE,EAAE,EAAE;QACN,IAAI,EAAE,IAAI,UAAU,CAAC,SAAS,CAAC;KAClC,CAAC;AACN,CAAC;AAED,wBAAwB;AACxB,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAoB,EAAE,UAAkB;IAClF,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC;IAC9C,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CACzC;QACI,IAAI,EAAE,SAAS;QACf,EAAE;KACL,EACD,GAAG,EACH,IAAI,CACP,CAAC;IACF,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;AACrC,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1 @@
+export { isEncrypted, encrypt, decrypt } from './encryption/index.js';

package/dist/index.js

@@ -0,0 +1,2 @@
+export { isEncrypted, encrypt, decrypt } from './encryption/index.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/utils.d.ts

@@ -0,0 +1,2 @@
+/** 支持的数据转为 Uint8Array */
+export declare function toUint8Array(data: BinaryData): Uint8Array;

package/dist/utils.js

@@ -0,0 +1,11 @@
+/** 支持的数据转为 Uint8Array */
+export function toUint8Array(data) {
+    if (data == null || typeof data != 'object' || typeof data.byteLength != 'number') {
+        throw new TypeError('Invalid data');
+    }
+    if (ArrayBuffer.isView(data)) {
+        return new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
+    }
+    return new Uint8Array(data, 0, data.byteLength);
+}
+//# sourceMappingURL=utils.js.map

package/dist/utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"utils.js","sourceRoot":"","sources":["../src/utils.ts"],"names":[],"mappings":"AAAA,yBAAyB;AACzB,MAAM,UAAU,YAAY,CAAC,IAAgB;IACzC,IAAI,IAAI,IAAI,IAAI,IAAI,OAAO,IAAI,IAAI,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,IAAI,QAAQ,EAAE,CAAC;QAChF,MAAM,IAAI,SAAS,CAAC,cAAc,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IACzE,CAAC;IACD,OAAO,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;AACpD,CAAC"}

package/jest.config.js

@@ -0,0 +1,3 @@
+import { config } from '../../jest.config.js';
+
+export default { ...config };

package/package.json

@@ -0,0 +1,31 @@
+{
+  "name": "@cloudpss/crypto",
+  "version": "0.5.22",
+  "author": "CloudPSS",
+  "license": "MIT",
+  "type": "module",
+  "main": "dist/index.js",
+  "module": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": "./dist/index.js",
+  "imports": {
+    "#encryption": {
+      "browser": "./dist/encryption/browser.js",
+      "node": "./dist/encryption/node.js",
+      "default": "./dist/encryption/browser.js"
+    }
+  },
+  "dependencies": {
+    "crypto-js": "^4.2.0",
+    "hash-wasm": "^4.11.0"
+  },
+  "devDependencies": {
+    "@types/crypto-js": "^4.2.2"
+  },
+  "scripts": {
+    "start": "pnpm clean && tsc --watch",
+    "build": "pnpm clean && tsc",
+    "test": "NODE_OPTIONS=\"${NODE_OPTIONS:-} --experimental-vm-modules\" jest",
+    "clean": "rimraf dist"
+  }
+}

package/src/encryption/browser.ts

@@ -0,0 +1,30 @@
+import type { EncryptionResult } from './common.js';
+
+// eslint-disable-next-line @typescript-eslint/explicit-function-return-type
+const module = () => {
+    if (
+        typeof crypto == 'object' &&
+        typeof crypto.getRandomValues == 'function' &&
+        typeof crypto.subtle == 'object' &&
+        typeof crypto.subtle.importKey == 'function' &&
+        typeof crypto.subtle.deriveKey == 'function' &&
+        typeof crypto.subtle.encrypt == 'function' &&
+        typeof crypto.subtle.decrypt == 'function'
+    ) {
+        return import('./web.js');
+    } else {
+        return import('./pure-js.js');
+    }
+};
+
+/** browser encrypt */
+export async function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult> {
+    const { encrypt } = await module();
+    return await encrypt(data, passphrase);
+}
+
+/** browser decrypt */
+export async function decrypt(data: EncryptionResult, passphrase: string): Promise<Uint8Array> {
+    const { decrypt } = await module();
+    return await decrypt(data, passphrase);
+}

package/src/encryption/common.ts

@@ -0,0 +1,22 @@
+/**
+ * PBKDF2 迭代次数
+ */
+export const PBKDF2_ITERATIONS = 100_000;
+/**
+ * PBKDF2 盐值长度（byte）
+ */
+export const PBKDF2_SALT_SIZE = 128 / 8;
+/** IV 长度（byte） */
+export const AES_IV_SIZE = 128 / 8;
+/** KEY 长度（byte） */
+export const AES_KEY_SIZE = 256 / 8;
+
+/** 加密结果 */
+export interface EncryptionResult {
+    /** 盐值 */
+    salt: Uint8Array;
+    /** 初始向量 */
+    iv: Uint8Array;
+    /** 加密后的数据 */
+    data: Uint8Array;
+}

package/src/encryption/index.ts

@@ -0,0 +1,80 @@
+import * as impl from '#encryption';
+import { toUint8Array } from '../utils.js';
+import { AES_IV_SIZE, PBKDF2_SALT_SIZE } from './common.js';
+
+/**
+ * CloudPSS 数据加密
+ * - 密钥生成算法：PBKDF2-HMAC-SHA256，盐长度 128，迭代 100,000 次
+ * - 加密算法：AES-256-CBC
+ *
+ * - 文件格式：
+ *   - Magic Number: 0e 02 49 29 3f 07 7b 0a
+ *   - Salt: 128 bits
+ *   - IV: 128 bits
+ *   - Encrypted Data
+ */
+
+/** CloudPSS 数据加密 */
+export const MAGIC_NUMBER = Uint8Array.from([0x0e, 0x02, 0x49, 0x29, 0x3f, 0x07, 0x7b, 0x0a]);
+
+/** 检查是否为 CloudPSS 加密数据 */
+function isEncryptedImpl(data: Uint8Array): boolean {
+    return (
+        data.length > MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE &&
+        MAGIC_NUMBER.every((v, i) => data[i] === v)
+    );
+}
+
+/** 检查是否为 CloudPSS 加密数据 */
+export function isEncrypted(data: BinaryData): boolean {
+    const buffer = toUint8Array(data);
+    return isEncryptedImpl(buffer);
+}
+
+/** 检查密码 */
+function assertPassphrase(passphrase: string): void {
+    if (typeof passphrase !== 'string') {
+        throw new TypeError('Invalid passphrase, must be a string');
+    }
+    if (passphrase.length === 0) {
+        throw new TypeError('Invalid passphrase, must not be empty');
+    }
+}
+
+/**
+ * 加密数据
+ * @throws {TypeError} 如果密码无效
+ */
+export async function encrypt(data: BinaryData, passphrase: string): Promise<Uint8Array> {
+    assertPassphrase(passphrase);
+    const buffer = toUint8Array(data);
+    const encrypted = await impl.encrypt(buffer, passphrase);
+    const result = new Uint8Array(MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE + encrypted.data.length);
+    result.set(MAGIC_NUMBER);
+    result.set(encrypted.salt, MAGIC_NUMBER.length);
+    result.set(encrypted.iv, MAGIC_NUMBER.length + PBKDF2_SALT_SIZE);
+    result.set(encrypted.data, MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE);
+    return result;
+}
+
+/**
+ * 解密数据
+ * @throws {TypeError} 如果数据不是有效的加密数据
+ * @throws {TypeError} 如果密码无效
+ */
+export async function decrypt(data: BinaryData, passphrase: string): Promise<Uint8Array> {
+    assertPassphrase(passphrase);
+    const buffer = toUint8Array(data);
+    if (!isEncryptedImpl(buffer)) {
+        throw new TypeError('Invalid encrypted data');
+    }
+    const encrypted = {
+        salt: buffer.subarray(MAGIC_NUMBER.length, MAGIC_NUMBER.length + PBKDF2_SALT_SIZE),
+        iv: buffer.subarray(
+            MAGIC_NUMBER.length + PBKDF2_SALT_SIZE,
+            MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE,
+        ),
+        data: buffer.subarray(MAGIC_NUMBER.length + PBKDF2_SALT_SIZE + AES_IV_SIZE),
+    };
+    return await impl.decrypt(encrypted, passphrase);
+}

package/src/encryption/node.ts

@@ -0,0 +1,30 @@
+import { pbkdf2 as _pbkdf2, createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+import { PBKDF2_ITERATIONS, PBKDF2_SALT_SIZE, type EncryptionResult, AES_IV_SIZE, AES_KEY_SIZE } from './common.js';
+import { promisify } from 'node:util';
+import { toUint8Array } from '../utils.js';
+
+const aesKdf = (passphrase: string, salt: Uint8Array): Promise<Buffer> => {
+    return promisify(_pbkdf2)(passphrase, salt, PBKDF2_ITERATIONS, AES_KEY_SIZE, 'sha256');
+};
+
+/** nodejs encrypt */
+export async function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult> {
+    const salt = randomBytes(PBKDF2_SALT_SIZE);
+    const key = await aesKdf(passphrase, salt);
+    const iv = randomBytes(AES_IV_SIZE);
+    const cipher = createCipheriv('aes-256-cbc', key, iv);
+    const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+    return {
+        salt: toUint8Array(salt),
+        iv: toUint8Array(iv),
+        data: toUint8Array(encrypted),
+    };
+}
+
+/** nodejs decrypt */
+export async function decrypt({ data, iv, salt }: EncryptionResult, passphrase: string): Promise<Uint8Array> {
+    const key = await aesKdf(passphrase, salt);
+    const decipher = createDecipheriv('aes-256-cbc', key, iv);
+    const decrypted = Buffer.concat([decipher.update(data), decipher.final()]);
+    return toUint8Array(decrypted);
+}

package/src/encryption/pure-js.ts

@@ -0,0 +1,61 @@
+import { pbkdf2, createSHA256 } from 'hash-wasm';
+import AES from 'crypto-js/aes.js';
+import WordArray from 'crypto-js/lib-typedarrays.js';
+import type CryptoJS from 'crypto-js';
+import { AES_IV_SIZE, AES_KEY_SIZE, PBKDF2_SALT_SIZE, type EncryptionResult, PBKDF2_ITERATIONS } from './common.js';
+
+/** Convert word array to buffer data */
+function wordArrayToBuffer(wordArray: WordArray): Uint8Array {
+    const { sigBytes, words } = wordArray;
+    const result = new Uint8Array(sigBytes);
+    for (let i = 0; i < sigBytes; i++) {
+        result[i] = (words[i >>> 2] >>> (24 - (i % 4) * 8)) & 0xff;
+    }
+    return result;
+}
+
+/** Convert buffer data to word array */
+function bufferToWordArray(buffer: Uint8Array): WordArray {
+    return WordArray.create(buffer);
+}
+
+/** Create aes params */
+async function aesKdfJs(passphrase: string, salt: Uint8Array): Promise<WordArray> {
+    const result = await pbkdf2({
+        password: passphrase,
+        salt: salt,
+        iterations: PBKDF2_ITERATIONS,
+        hashLength: AES_KEY_SIZE,
+        hashFunction: createSHA256(),
+        outputType: 'binary',
+    });
+    return WordArray.create(result);
+}
+
+/** crypto-js encrypt */
+export async function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult> {
+    const salt = wordArrayToBuffer(WordArray.random(PBKDF2_SALT_SIZE));
+    const key = await aesKdfJs(passphrase, salt);
+    const iv = WordArray.random(AES_IV_SIZE);
+    const encrypted = AES.encrypt(bufferToWordArray(data), key, { iv });
+    return {
+        salt: salt,
+        iv: wordArrayToBuffer(iv),
+        data: wordArrayToBuffer(encrypted.ciphertext),
+    };
+}
+
+/** crypto-js decrypt */
+export async function decrypt({ data, iv, salt }: EncryptionResult, passphrase: string): Promise<Uint8Array> {
+    const key = await aesKdfJs(passphrase, salt);
+    const decrypted = AES.decrypt(
+        {
+            ciphertext: bufferToWordArray(data),
+        } as CryptoJS.lib.CipherParams,
+        key,
+        {
+            iv: bufferToWordArray(iv),
+        },
+    );
+    return wordArrayToBuffer(decrypted);
+}

package/src/encryption/web.ts

@@ -0,0 +1,52 @@
+import { AES_IV_SIZE, AES_KEY_SIZE, PBKDF2_SALT_SIZE, type EncryptionResult, PBKDF2_ITERATIONS } from './common.js';
+
+const encoder = new TextEncoder();
+
+/** Create aes params */
+async function aesKdfWeb(passphrase: string, salt: Uint8Array): Promise<CryptoKey> {
+    const pass = await crypto.subtle.importKey('raw', encoder.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
+    const pbkdf2Params: Pbkdf2Params = {
+        name: 'PBKDF2',
+        salt,
+        iterations: PBKDF2_ITERATIONS,
+        hash: 'SHA-256',
+    };
+    return await crypto.subtle.deriveKey(pbkdf2Params, pass, { name: 'AES-CBC', length: AES_KEY_SIZE * 8 }, false, [
+        'encrypt',
+        'decrypt',
+    ]);
+}
+
+/** webcrypto encrypt */
+export async function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult> {
+    const salt = crypto.getRandomValues(new Uint8Array(PBKDF2_SALT_SIZE));
+    const key = await aesKdfWeb(passphrase, salt);
+    const iv = crypto.getRandomValues(new Uint8Array(AES_IV_SIZE));
+    const encrypted = await crypto.subtle.encrypt(
+        {
+            name: 'AES-CBC',
+            iv,
+        },
+        key,
+        data,
+    );
+    return {
+        salt: salt,
+        iv: iv,
+        data: new Uint8Array(encrypted),
+    };
+}
+
+/** webcrypto decrypt */
+export async function decrypt({ data, salt, iv }: EncryptionResult, passphrase: string): Promise<Uint8Array> {
+    const key = await aesKdfWeb(passphrase, salt);
+    const decrypted = await crypto.subtle.decrypt(
+        {
+            name: 'AES-CBC',
+            iv,
+        },
+        key,
+        data,
+    );
+    return new Uint8Array(decrypted);
+}

package/src/index.ts

@@ -0,0 +1 @@
+export { isEncrypted, encrypt, decrypt } from './encryption/index.js';

package/src/utils.ts

@@ -0,0 +1,10 @@
+/** 支持的数据转为 Uint8Array */
+export function toUint8Array(data: BinaryData): Uint8Array {
+    if (data == null || typeof data != 'object' || typeof data.byteLength != 'number') {
+        throw new TypeError('Invalid data');
+    }
+    if (ArrayBuffer.isView(data)) {
+        return new Uint8Array(data.buffer, data.byteOffset, data.byteLength);
+    }
+    return new Uint8Array(data, 0, data.byteLength);
+}

package/tests/encryption.js

@@ -0,0 +1,134 @@
+import { MAGIC_NUMBER } from '../dist/encryption/index.js';
+import { isEncrypted, encrypt, decrypt } from '../dist/index.js';
+import { toUint8Array } from '../dist/utils.js';
+import * as nodeImpl from '../dist/encryption/node.js';
+import * as browserImpl from '../dist/encryption/browser.js';
+import * as webImpl from '../dist/encryption/web.js';
+import * as jsImpl from '../dist/encryption/pure-js.js';
+
+describe('Encryption root export', () => {
+    it('has MAGIC_NUMBER', () => {
+        expect(MAGIC_NUMBER).toBeInstanceOf(Uint8Array);
+        expect(MAGIC_NUMBER.length).toBe(8);
+    });
+
+    it('check is encrypted', () => {
+        // @ts-expect-error bad type
+        expect(() => isEncrypted({})).toThrow('Invalid data');
+        expect(isEncrypted(Buffer.from(MAGIC_NUMBER))).toBe(false);
+        expect(isEncrypted(Buffer.concat([MAGIC_NUMBER, Buffer.alloc(32)]))).toBe(false);
+        expect(isEncrypted(Buffer.concat([MAGIC_NUMBER, Buffer.alloc(33)]))).toBe(true);
+        expect(isEncrypted(Buffer.alloc(40))).toBe(false);
+        expect(isEncrypted(Buffer.alloc(41))).toBe(false);
+    });
+
+    it('encrypt check', async () => {
+        // @ts-expect-error bad type
+        await expect(() => encrypt({}, 'xx')).rejects.toThrow('Invalid data');
+        // @ts-expect-error bad type
+        // eslint-disable-next-line unicorn/new-for-builtins
+        await expect(() => encrypt(Buffer.alloc(0), new String(1))).rejects.toThrow('Invalid passphrase');
+        await expect(() => encrypt(Buffer.alloc(0), '')).rejects.toThrow('Invalid passphrase');
+    });
+    it('decrypt check', async () => {
+        // @ts-expect-error bad type
+        await expect(() => decrypt({}, 'xx')).rejects.toThrow('Invalid data');
+        // @ts-expect-error bad type
+        // eslint-disable-next-line unicorn/new-for-builtins
+        await expect(() => decrypt(Buffer.alloc(0), new String(1))).rejects.toThrow('Invalid passphrase');
+        await expect(() => decrypt(Buffer.alloc(0), '')).rejects.toThrow('Invalid passphrase');
+        await expect(() => decrypt(Buffer.alloc(100), 'xx')).rejects.toThrow('Invalid encrypted data');
+    });
+
+    it('encrypt/decrypt', async () => {
+        const data = [
+            Buffer.from(''),
+            Buffer.from('Hello, World!'),
+            Buffer.from('Hello, World!'.repeat(100)),
+            new Uint8Array(100),
+            Buffer.from('Hello, World!'.repeat(1000)).buffer,
+        ];
+        const passphrase = 'test';
+        for (const raw of data) {
+            const encrypted = await encrypt(raw, passphrase);
+            expect(encrypted).toBeInstanceOf(Uint8Array);
+            expect(encrypted.byteLength).toBeGreaterThan(raw.byteLength);
+            expect(isEncrypted(encrypted)).toBe(true);
+            const decrypted = await decrypt(encrypted, passphrase);
+            expect(decrypted).toBeInstanceOf(Uint8Array);
+            expect(decrypted).toEqual(toUint8Array(raw));
+        }
+    });
+});
+
+/**
+ * 检查实现
+ * @param {any} impl impl module
+ */
+function checkImpl(impl) {
+    expect(impl).toMatchObject({
+        encrypt: expect.any(Function),
+        decrypt: expect.any(Function),
+    });
+    checkImplEncryption(impl.encrypt, impl.decrypt);
+}
+
+/**
+ * 检查实现
+ * @param {(arg0: Buffer, arg1: string) => any} encrypt encrypt
+ * @param {(arg0: any, arg1: string) => any} decrypt decrypt
+ */
+function checkImplEncryption(encrypt, decrypt) {
+    const data = [Buffer.alloc(0), Buffer.from('Hello, World!'), Buffer.from('Hello, World!'.repeat(100))];
+    const passphrase = 'test';
+    it.each(data.map((v) => ({ length: v.byteLength, buffer: v })))(
+        `len=$length`,
+        async ({ buffer: raw }) => {
+            const encrypted = await encrypt(raw, passphrase);
+            expect(encrypted.salt).toBeInstanceOf(Uint8Array);
+            expect(encrypted.salt.byteLength).toBe(16);
+            expect(encrypted.iv).toBeInstanceOf(Uint8Array);
+            expect(encrypted.iv.byteLength).toBe(16);
+            expect(encrypted.data).toBeInstanceOf(Uint8Array);
+
+            const decrypted = await decrypt(encrypted, passphrase);
+            expect(decrypted).toBeInstanceOf(Uint8Array);
+            expect(decrypted).toEqual(toUint8Array(raw));
+        },
+        100_000,
+    );
+}
+
+describe('Encryption impl', () => {
+    const impls = Object.entries({
+        node: nodeImpl,
+        browser: browserImpl,
+        web: webImpl,
+        js: jsImpl,
+    });
+    describe.each(impls)('impl %s', (name, impl) => {
+        checkImpl(impl);
+    });
+    describe.each(impls.slice(1))(`cross impl %s/${impls[0][0]}`, (name, impl) => {
+        describe(`${impls[0][0]} -> ${name}`, () => {
+            checkImplEncryption(impls[0][1].encrypt, impl.decrypt);
+        });
+        describe(`${name} -> ${impls[0][0]}`, () => {
+            checkImplEncryption(impl.encrypt, impls[0][1].decrypt);
+        });
+    });
+});
+
+describe('Encryption impl browser', () => {
+    describe('should work without crypto', () => {
+        const { crypto } = globalThis;
+        beforeAll(() => {
+            // @ts-expect-error remove crypto
+            globalThis.crypto = undefined;
+        });
+        afterAll(() => {
+            globalThis.crypto = crypto;
+        });
+        checkImpl(browserImpl);
+    });
+});

package/tests/tsconfig.json

@@ -0,0 +1,9 @@
+{
+  "extends": "../tsconfig",
+  "include": ["./"],
+  "compilerOptions": {
+    "checkJs": true,
+    "noEmit": true,
+    "rootDir": "."
+  }
+}

package/tsconfig.json

@@ -0,0 +1,10 @@
+{
+  "extends": "../../tsconfig",
+  "include": ["./src/"],
+  "compilerOptions": {
+    "outDir": "./dist",
+    "paths": {
+      "#encryption": ["./src/encryption/node.ts", "./src/encryption/browser.ts"]
+    }
+  }
+}