npm - @codesense/conseal - Versions diffs - 0.2.1 → 0.3.0 - Mend

@codesense/conseal 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -102,14 +102,14 @@ const result = await unseal(key, ciphertext, iv)
 ### IndexedDB key storage
 ```ts
-import { save, load, remove } from 'conseal/storage'
+import { saveCryptoKey, loadCryptoKey, deleteCryptoKey } from 'conseal'
 ```
 | Function | Description |
 |---|---|
-| `save(name, key)` | Persists a CryptoKey to IndexedDB. |
-| `load(name)` | Loads a CryptoKey. Returns `null` if not found. |
-| `remove(name)` | Deletes a CryptoKey. |
+| `saveCryptoKey(name, key)` | Persists a CryptoKey to IndexedDB. |
+| `loadCryptoKey(name)` | Loads a CryptoKey. Returns `null` if not found. |
+| `deleteCryptoKey(name)` | Deletes a CryptoKey. |
 ### Utilities
@@ -135,10 +135,30 @@ import { save, load, remove } from 'conseal/storage'
 ```bash
 npm install
-npm test           # run tests
+npm test           # unit tests (Vitest + happy-dom)
 npm run build      # build to dist/
 ```
+### Cross-browser tests
+SubtleCrypto behaviour is not identical across engines. The browser suite runs the full test suite in real Chromium, Firefox, and WebKit engines via Playwright.
+First-time setup — download browser binaries (~300 MB, one-off):
+```bash
+npx playwright install
+```
+Then run:
+```bash
+npm run test:browser
+```
+WebKit is the highest-value target: every browser on iOS uses WebKit under the hood regardless of brand, so this provides real Safari/iOS coverage without a device.
+Both suites run automatically on CI for every push and pull request to `main`.
 ## License
 Dual-licensed under [AGPL-3.0](LICENSE) and a [commercial license](COMMERCIAL-LICENSE.md).

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,3 @@
-export { load, remove, save } from './storage.js';
 /**
  * AES-256-GCM symmetric encryption.
  *
@@ -192,4 +190,11 @@ declare function fromBase64Url(b64url: string): Uint8Array;
 /** Returns the SHA-256 hash of the input data as an ArrayBuffer. */
 declare function digest(data: ArrayBuffer | Uint8Array): Promise<ArrayBuffer>;
-export { AEK_KEY_ID, type SealedEnvelope, combinePassphraseAndSecretKey, decodeEnvelope, digest, encodeEnvelope, exportPublicKeyAsJwk, fromBase64, fromBase64Url, generateAesKey, generateECDHKeyPair, generateECDSAKeyPair, generateMnemonic, generateSecretKey, importAesKey, importPublicKeyFromJwk, init, recoverWithMnemonic, rekey, rekeySecretKey, seal, sealEnvelope, sealMessage, sign, toBase64, toBase64Url, unseal, unsealEnvelope, unsealMessage, unwrapKey, verify, wrapKey };
+/** Persists a CryptoKey to IndexedDB under the given name. Overwrites if name exists. */
+declare function saveCryptoKey(name: string, key: CryptoKey): Promise<void>;
+/** Loads a CryptoKey from IndexedDB. Returns null if the name is not found. */
+declare function loadCryptoKey(name: string): Promise<CryptoKey | null>;
+/** Removes a CryptoKey from IndexedDB. No-op if the name does not exist. */
+declare function deleteCryptoKey(name: string): Promise<void>;
+export { AEK_KEY_ID, type SealedEnvelope, combinePassphraseAndSecretKey, decodeEnvelope, deleteCryptoKey, digest, encodeEnvelope, exportPublicKeyAsJwk, fromBase64, fromBase64Url, generateAesKey, generateECDHKeyPair, generateECDSAKeyPair, generateMnemonic, generateSecretKey, importAesKey, importPublicKeyFromJwk, init, loadCryptoKey, recoverWithMnemonic, rekey, rekeySecretKey, saveCryptoKey, seal, sealEnvelope, sealMessage, sign, toBase64, toBase64Url, unseal, unsealEnvelope, unsealMessage, unwrapKey, verify, wrapKey };

package/dist/index.js CHANGED Viewed

@@ -1,9 +1,3 @@
-import {
-  load,
-  remove,
-  save
-} from "./chunk-MDWFWP7Z.js";
 // src/aes.ts
 async function seal(key, plaintext) {
   const iv = crypto.getRandomValues(new Uint8Array(12));
@@ -69,6 +63,7 @@ async function combinePassphraseAndSecretKey(passphrase, secretKey) {
 // src/pbkdf2.ts
 var ITERATIONS = 6e5;
 var SALT_LENGTH = 16;
+var IV_LENGTH = 12;
 async function deriveWrappingKey(passphrase, salt) {
   const keyMaterial = await crypto.subtle.importKey(
     "raw",
@@ -80,14 +75,21 @@ async function deriveWrappingKey(passphrase, salt) {
   return crypto.subtle.deriveKey(
     { name: "PBKDF2", salt, iterations: ITERATIONS, hash: "SHA-256" },
     keyMaterial,
-    { name: "AES-KW", length: 256 },
+    { name: "AES-GCM", length: 256 },
     false,
-    ["wrapKey", "unwrapKey"]
+    ["encrypt", "decrypt"]
   );
 }
 async function resolvePassphrase(passphrase, secretKey) {
   return secretKey ? combinePassphraseAndSecretKey(passphrase, secretKey) : passphrase;
 }
+async function decryptWrappedKey(wrappingKey, wrappedKey, extractable) {
+  const bytes = new Uint8Array(wrappedKey);
+  const iv = bytes.slice(0, IV_LENGTH);
+  const ciphertext = bytes.slice(IV_LENGTH);
+  const raw = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, wrappingKey, ciphertext);
+  return crypto.subtle.importKey("raw", raw, { name: "AES-GCM", length: 256 }, extractable, ["encrypt", "decrypt"]);
+}
 async function wrapKey(passphrase, key, secretKey) {
   if (!key.extractable) {
     throw new Error("wrapKey: key must be extractable (extractable: true)");
@@ -95,36 +97,23 @@ async function wrapKey(passphrase, key, secretKey) {
   const effective = await resolvePassphrase(passphrase, secretKey);
   const salt = crypto.getRandomValues(new Uint8Array(SALT_LENGTH));
   const wrappingKey = await deriveWrappingKey(effective, salt);
-  const wrappedKey = await crypto.subtle.wrapKey("raw", key, wrappingKey, "AES-KW");
-  return { wrappedKey, salt };
+  const raw = await crypto.subtle.exportKey("raw", key);
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+  const ciphertext = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, wrappingKey, raw);
+  const wrapped = new Uint8Array(IV_LENGTH + ciphertext.byteLength);
+  wrapped.set(iv, 0);
+  wrapped.set(new Uint8Array(ciphertext), IV_LENGTH);
+  return { wrappedKey: wrapped.buffer, salt };
 }
 async function unwrapKey(passphrase, wrappedKey, salt, secretKey) {
   const effective = await resolvePassphrase(passphrase, secretKey);
   const wrappingKey = await deriveWrappingKey(effective, salt);
-  return crypto.subtle.unwrapKey(
-    "raw",
-    wrappedKey,
-    wrappingKey,
-    "AES-KW",
-    { name: "AES-GCM", length: 256 },
-    false,
-    // extractable: false — safe for IndexedDB storage
-    ["encrypt", "decrypt"]
-  );
+  return decryptWrappedKey(wrappingKey, wrappedKey, false);
 }
 async function rekey(oldPassphrase, newPassphrase, wrappedKey, salt, secretKey) {
   const effectiveOld = await resolvePassphrase(oldPassphrase, secretKey);
   const oldWrappingKey = await deriveWrappingKey(effectiveOld, salt);
-  const aek = await crypto.subtle.unwrapKey(
-    "raw",
-    wrappedKey,
-    oldWrappingKey,
-    "AES-KW",
-    { name: "AES-GCM", length: 256 },
-    true,
-    // extractable: true — needed so wrapKey() can wrap it again
-    ["encrypt", "decrypt"]
-  );
+  const aek = await decryptWrappedKey(oldWrappingKey, wrappedKey, true);
   return wrapKey(newPassphrase, aek, secretKey);
 }
 async function rekeySecretKey(passphrase, oldSecretKey, newSecretKey, wrappedKey, salt) {
@@ -133,16 +122,7 @@ async function rekeySecretKey(passphrase, oldSecretKey, newSecretKey, wrappedKey
   }
   const effectiveOld = await resolvePassphrase(passphrase, oldSecretKey);
   const oldWrappingKey = await deriveWrappingKey(effectiveOld, salt);
-  const aek = await crypto.subtle.unwrapKey(
-    "raw",
-    wrappedKey,
-    oldWrappingKey,
-    "AES-KW",
-    { name: "AES-GCM", length: 256 },
-    true,
-    // extractable: true — needed so wrapKey() can wrap it again
-    ["encrypt", "decrypt"]
-  );
+  const aek = await decryptWrappedKey(oldWrappingKey, wrappedKey, true);
   return wrapKey(passphrase, aek, newSecretKey);
 }
@@ -209,11 +189,69 @@ async function verify(publicKey, signature, data) {
   return crypto.subtle.verify({ name: "ECDSA", hash: "SHA-256" }, publicKey, signature, data);
 }
+// src/storage.ts
+var DB_NAME = "conseal-keys";
+var STORE = "keys";
+var VERSION = 1;
+function openDb() {
+  return new Promise((resolve, reject) => {
+    const req = indexedDB.open(DB_NAME, VERSION);
+    req.onupgradeneeded = () => {
+      req.result.createObjectStore(STORE);
+    };
+    req.onsuccess = () => resolve(req.result);
+    req.onerror = () => reject(req.error);
+  });
+}
+async function saveCryptoKey(name, key) {
+  const db = await openDb();
+  try {
+    return await new Promise((resolve, reject) => {
+      const tx = db.transaction(STORE, "readwrite");
+      tx.objectStore(STORE).put(key, name);
+      tx.oncomplete = () => resolve();
+      tx.onerror = () => reject(tx.error);
+    });
+  } finally {
+    db.close();
+  }
+}
+async function loadCryptoKey(name) {
+  const db = await openDb();
+  try {
+    return await new Promise((resolve, reject) => {
+      const tx = db.transaction(STORE, "readonly");
+      const req = tx.objectStore(STORE).get(name);
+      let result = null;
+      req.onsuccess = () => {
+        result = req.result ?? null;
+      };
+      tx.oncomplete = () => resolve(result);
+      tx.onerror = () => reject(tx.error);
+    });
+  } finally {
+    db.close();
+  }
+}
+async function deleteCryptoKey(name) {
+  const db = await openDb();
+  try {
+    return await new Promise((resolve, reject) => {
+      const tx = db.transaction(STORE, "readwrite");
+      tx.objectStore(STORE).delete(name);
+      tx.oncomplete = () => resolve();
+      tx.onerror = () => reject(tx.error);
+    });
+  } finally {
+    db.close();
+  }
+}
 // src/init.ts
 var AEK_KEY_ID = "aek";
 async function init(wrappedKey, salt, passphrase, secretKey) {
   const aek = await unwrapKey(passphrase, wrappedKey, salt, secretKey);
-  await save(AEK_KEY_ID, aek);
+  await saveCryptoKey(AEK_KEY_ID, aek);
 }
 // node_modules/@noble/hashes/utils.js
@@ -2997,6 +3035,7 @@ export {
   AEK_KEY_ID,
   combinePassphraseAndSecretKey,
   decodeEnvelope,
+  deleteCryptoKey,
   digest,
   encodeEnvelope,
   exportPublicKeyAsJwk,
@@ -3010,12 +3049,11 @@ export {
   importAesKey,
   importPublicKeyFromJwk,
   init,
-  load,
+  loadCryptoKey,
   recoverWithMnemonic,
   rekey,
   rekeySecretKey,
-  remove,
-  save,
+  saveCryptoKey,
   seal,
   sealEnvelope,
   sealMessage,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@codesense/conseal",
-  "version": "0.2.1",
+  "version": "0.3.0",
   "description": "Browser-side zero-knowledge cryptography library using SubtleCrypto.",
   "type": "module",
   "main": "./dist/index.js",
@@ -9,16 +9,13 @@
     ".": {
       "import": "./dist/index.js",
       "types": "./dist/index.d.ts"
-    },
-    "./storage": {
-      "import": "./dist/storage.js",
-      "types": "./dist/storage.d.ts"
     }
   },
   "scripts": {
     "build": "tsup",
     "test": "vitest run",
-    "test:watch": "vitest"
+    "test:watch": "vitest",
+    "test:browser": "vitest run --config vitest.browser.config.ts"
   },
   "files": [
     "dist"
@@ -28,9 +25,12 @@
   },
   "devDependencies": {
     "@scure/bip39": "^2.0.0",
+    "@vitest/browser": "^4.1.2",
+    "@vitest/browser-playwright": "^4.1.2",
     "fake-indexeddb": "^6.2.5",
     "happy-dom": "^20.0.0",
     "jsdom": "^29.0.1",
+    "playwright": "^1.51.0",
     "tsup": "^8.0.0",
     "typescript": "^6.0.0",
     "vitest": "^4.1.2"

package/dist/chunk-MDWFWP7Z.js DELETED Viewed

@@ -1,63 +0,0 @@
-// src/storage.ts
-var DB_NAME = "conseal-keys";
-var STORE = "keys";
-var VERSION = 1;
-function openDb() {
-  return new Promise((resolve, reject) => {
-    const req = indexedDB.open(DB_NAME, VERSION);
-    req.onupgradeneeded = () => {
-      req.result.createObjectStore(STORE);
-    };
-    req.onsuccess = () => resolve(req.result);
-    req.onerror = () => reject(req.error);
-  });
-}
-async function save(name, key) {
-  const db = await openDb();
-  try {
-    return await new Promise((resolve, reject) => {
-      const tx = db.transaction(STORE, "readwrite");
-      tx.objectStore(STORE).put(key, name);
-      tx.oncomplete = () => resolve();
-      tx.onerror = () => reject(tx.error);
-    });
-  } finally {
-    db.close();
-  }
-}
-async function load(name) {
-  const db = await openDb();
-  try {
-    return await new Promise((resolve, reject) => {
-      const tx = db.transaction(STORE, "readonly");
-      const req = tx.objectStore(STORE).get(name);
-      let result = null;
-      req.onsuccess = () => {
-        result = req.result ?? null;
-      };
-      tx.oncomplete = () => resolve(result);
-      tx.onerror = () => reject(tx.error);
-    });
-  } finally {
-    db.close();
-  }
-}
-async function remove(name) {
-  const db = await openDb();
-  try {
-    return await new Promise((resolve, reject) => {
-      const tx = db.transaction(STORE, "readwrite");
-      tx.objectStore(STORE).delete(name);
-      tx.oncomplete = () => resolve();
-      tx.onerror = () => reject(tx.error);
-    });
-  } finally {
-    db.close();
-  }
-}
-export {
-  save,
-  load,
-  remove
-};

package/dist/storage.d.ts DELETED Viewed

@@ -1,8 +0,0 @@
-/** Persists a CryptoKey to IndexedDB under the given name. Overwrites if name exists. */
-declare function save(name: string, key: CryptoKey): Promise<void>;
-/** Loads a CryptoKey from IndexedDB. Returns null if the name is not found. */
-declare function load(name: string): Promise<CryptoKey | null>;
-/** Removes a CryptoKey from IndexedDB. No-op if the name does not exist. */
-declare function remove(name: string): Promise<void>;
-export { load, remove, save };

package/dist/storage.js DELETED Viewed

@@ -1,10 +0,0 @@
-import {
-  load,
-  remove,
-  save
-} from "./chunk-MDWFWP7Z.js";
-export {
-  load,
-  remove,
-  save
-};