npm - @continuonai/rcan-ts - Versions diffs - 1.1.0 → 1.2.1 - Mend

@continuonai/rcan-ts 1.1.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/index.mjs CHANGED Viewed

@@ -96,8 +96,8 @@ var RobotURI = class _RobotURI {
 };
 // src/version.ts
-var SPEC_VERSION = "2.1.0";
-var SDK_VERSION = "1.1.0";
+var SPEC_VERSION = "2.2.0";
+var SDK_VERSION = "1.2.1";
 function validateVersionCompat(incomingVersion, localVersion = SPEC_VERSION) {
   const parseParts = (v) => {
     const parts = v.split(".");
@@ -195,6 +195,8 @@ var RCANMessage = class _RCANMessage {
   firmwareHash;
   /** v2.1: URI to sender's SBOM attestation endpoint */
   attestationRef;
+  /** v2.2: ML-DSA-65 post-quantum signature (field 16, FIPS 204). Hybrid alongside Ed25519. */
+  pqSig;
   constructor(data) {
     if (!data.cmd || data.cmd.trim() === "") {
       throw new RCANMessageError("'cmd' is required");
@@ -225,6 +227,7 @@ var RCANMessage = class _RCANMessage {
     this.mediaChunks = data.mediaChunks;
     this.firmwareHash = data.firmwareHash;
     this.attestationRef = data.attestationRef;
+    this.pqSig = data.pqSig;
     if (this.signature !== void 0 && this.signature["sig"] === "pending") {
       throw new RCANMessageError(
         "signature.sig:'pending' is not valid in RCAN v2.1. Sign the message before sending."
@@ -317,7 +320,8 @@ var RCANMessage = class _RCANMessage {
       transportEncoding: obj.transportEncoding,
       mediaChunks: obj.mediaChunks,
       firmwareHash: obj.firmwareHash,
-      attestationRef: obj.attestationRef
+      attestationRef: obj.attestationRef,
+      pqSig: obj.pqSig
     });
   }
 };
@@ -3084,6 +3088,136 @@ async function verifyM2mTrustedToken(token, targetRrn, options) {
   return claims;
 }
+// src/pqSigning.ts
+function toBase64url(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i]);
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function fromBase64url(b64) {
+  const padded = b64.replace(/-/g, "+").replace(/_/g, "/");
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+async function sha256hex(data) {
+  if (typeof crypto !== "undefined" && crypto.subtle) {
+    const buf = await crypto.subtle.digest("SHA-256", data.buffer);
+    return Array.from(new Uint8Array(buf)).map((b) => b.toString(16).padStart(2, "0")).join("").slice(0, 8);
+  }
+  const { createHash } = __require("crypto");
+  return createHash("sha256").update(data).digest("hex").slice(0, 8);
+}
+var _mlDsaModule;
+async function requireMlDsa() {
+  if (_mlDsaModule) return _mlDsaModule;
+  if (typeof __require !== "undefined") {
+    try {
+      _mlDsaModule = __require("@noble/post-quantum/ml-dsa.js");
+      return _mlDsaModule;
+    } catch {
+    }
+  }
+  try {
+    _mlDsaModule = await import("@noble/post-quantum/ml-dsa.js");
+    return _mlDsaModule;
+  } catch {
+    throw new Error(
+      "ML-DSA-65 signing requires @noble/post-quantum. Install with: npm install @noble/post-quantum"
+    );
+  }
+}
+var MLDSAKeyPair = class _MLDSAKeyPair {
+  keyId;
+  publicKey;
+  secretKey;
+  constructor(data) {
+    this.keyId = data.keyId;
+    this.publicKey = data.publicKey;
+    this.secretKey = data.secretKey;
+  }
+  static async generate() {
+    const m = await requireMlDsa();
+    const kp = m.ml_dsa65.keygen();
+    const keyId = await sha256hex(kp.publicKey);
+    return new _MLDSAKeyPair({ publicKey: kp.publicKey, secretKey: kp.secretKey, keyId });
+  }
+  static async fromPublicKey(publicKey) {
+    const keyId = await sha256hex(publicKey);
+    return new _MLDSAKeyPair({ publicKey, keyId });
+  }
+  static async fromKeyMaterial(publicKey, secretKey) {
+    const keyId = await sha256hex(publicKey);
+    return new _MLDSAKeyPair({ publicKey, secretKey, keyId });
+  }
+  get hasPrivateKey() {
+    return this.secretKey !== void 0;
+  }
+  async signBytes(data) {
+    if (!this.secretKey) throw new Error("Cannot sign: MLDSAKeyPair has no private key (verify-only)");
+    const m = await requireMlDsa();
+    return m.ml_dsa65.sign(data, this.secretKey);
+  }
+  async verifyBytes(data, signature) {
+    const m = await requireMlDsa();
+    const ok = m.ml_dsa65.verify(signature, data, this.publicKey);
+    if (!ok) throw new Error("ML-DSA-65 signature verification failed");
+  }
+  toString() {
+    return `MLDSAKeyPair(keyId=${this.keyId}, alg=ML-DSA-65, ${this.hasPrivateKey ? "private+public" : "public-only"})`;
+  }
+};
+function canonicalMessageBytes(msg) {
+  const payload = {
+    rcan: msg.rcan,
+    msg_id: msg["msgId"] ?? "",
+    timestamp: msg.timestamp,
+    cmd: msg.cmd,
+    target: msg.target,
+    params: msg.params
+  };
+  return new TextEncoder().encode(
+    JSON.stringify(Object.fromEntries(Object.entries(payload).sort()))
+  );
+}
+async function signMessage(msg, keypair) {
+  const payload = canonicalMessageBytes(msg);
+  const rawSig = await keypair.signBytes(payload);
+  msg["signature"] = {
+    alg: "ml-dsa-65",
+    kid: keypair.keyId,
+    sig: toBase64url(rawSig)
+  };
+  return msg;
+}
+async function verifyMessage(msg, trustedKeys) {
+  const sig = msg.signature;
+  if (!sig) throw new Error("Message is unsigned \u2014 signature field missing");
+  if (sig.alg !== "ml-dsa-65") {
+    throw new Error(
+      `Unsupported signature algorithm: ${sig.alg}. RCAN v2.2 requires ml-dsa-65 (Ed25519 is deprecated).`
+    );
+  }
+  const matched = trustedKeys.find((k) => k.keyId === sig.kid);
+  if (!matched) {
+    throw new Error(
+      `No trusted ML-DSA-65 key with kid=${sig.kid}. Known kids: [${trustedKeys.map((k) => k.keyId).join(", ")}]`
+    );
+  }
+  let rawSig;
+  try {
+    rawSig = fromBase64url(sig.sig);
+  } catch (e) {
+    throw new Error(`Invalid base64url sig: ${e}`);
+  }
+  await matched.verifyBytes(canonicalMessageBytes(msg), rawSig);
+}
+var addPQSignature = signMessage;
+async function verifyPQSignature(msg, trustedKeys, _requirePQ = true) {
+  return verifyMessage(msg, trustedKeys);
+}
 // src/index.ts
 var VERSION = "0.6.0";
 var RCAN_VERSION = "1.6";
@@ -3108,6 +3242,7 @@ export {
   LevelOfAssurance,
   M2MAuthError,
   M2M_TRUSTED_ISSUER,
+  MLDSAKeyPair,
   MediaEncoding,
   MessageType,
   NodeClient,
@@ -3154,6 +3289,7 @@ export {
   addDelegationHop,
   addMediaInline,
   addMediaRef,
+  addPQSignature,
   assertClockSynced,
   authorityAccessFromWire,
   authorityAccessToWire,
@@ -3207,6 +3343,7 @@ export {
   parseM2mTrustedToken,
   roleFromJwtLevel,
   selectTransport,
+  signMessage,
   validateAuthorityAccess,
   validateCompetitionScope,
   validateConfig,
@@ -3228,6 +3365,8 @@ export {
   validateURI,
   validateVersionCompat,
   verifyM2mTrustedToken,
-  verifyM2mTrustedTokenClaims
+  verifyM2mTrustedTokenClaims,
+  verifyMessage,
+  verifyPQSignature
 };
 //# sourceMappingURL=index.mjs.map