npm - @cubist-labs/cubesigner-sdk-key-import - Versions diffs - 0.4.68-0 - Mend

@cubist-labs/cubesigner-sdk-key-import 0.4.68-0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/mnemonic.js ADDED Viewed

@@ -0,0 +1,93 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.newMnemonicKeyPackage = newMnemonicKeyPackage;
+exports.parseDerivationPath = parseDerivationPath;
+const msgpackr_1 = require("msgpackr");
+const english_1 = require("@scure/bip39/wordlists/english");
+const bip39 = __importStar(require("@scure/bip39"));
+/**
+ * Create a new MnemonicKeyPackage value
+ *
+ * @param { MnemonicToImport } mne A BIP39 mnemonic and optional BIP39 password and BIP32 derivation path
+ * @return { Uint8Array } A serialized key package for import to CubeSigner
+ */
+function newMnemonicKeyPackage(mne) {
+    const entropy = bip39.mnemonicToEntropy(mne.mnemonic, english_1.wordlist);
+    const path = !mne.derivationPath ? [] : parseDerivationPath(mne.derivationPath);
+    const password = mne.password ?? "";
+    const mnePkg = {
+        EnglishMnemonic: {
+            mnemonic: {
+                entropy,
+            },
+            der_path: {
+                path,
+            },
+            password,
+        },
+    };
+    return (0, msgpackr_1.encode)(mnePkg);
+}
+// constants for derivation path parsing
+const DER_HARDENED = 1n << 31n;
+const DER_MAX = 1n << 32n;
+/**
+ * Parse a derivation path into a sequence of 32-bit integers
+ *
+ * @param { string } derp The derivation path to parse; must start with 'm/'
+ * @return { number[] } The parsed path
+ */
+function parseDerivationPath(derp) {
+    derp = derp.toLowerCase();
+    if (derp === "m") {
+        return [];
+    }
+    if (!derp.startsWith("m/")) {
+        throw new Error('Derivation path must start with "m/"');
+    }
+    const parts = derp.slice(2).split("/");
+    const ret = [];
+    for (let part of parts) {
+        let hardened = false;
+        if (part.endsWith("'") || part.endsWith("h")) {
+            hardened = true;
+            part = part.slice(0, part.length - 1);
+        }
+        if (part === "") {
+            throw new Error("Invalid derivation path: empty element");
+        }
+        let value = BigInt(part);
+        if (value >= DER_MAX) {
+            throw new Error("Derivation path element greater than 2^32 is invalid");
+        }
+        if (hardened) {
+            value = value | DER_HARDENED;
+        }
+        ret.push(Number(value));
+    }
+    return ret;
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibW5lbW9uaWMuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvbW5lbW9uaWMudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7OztBQWlDQSxzREFnQkM7QUFZRCxrREE2QkM7QUExRkQsdUNBQThDO0FBQzlDLDREQUEwRDtBQUMxRCxvREFBc0M7QUF5QnRDOzs7OztHQUtHO0FBQ0gsU0FBZ0IscUJBQXFCLENBQUMsR0FBcUI7SUFDekQsTUFBTSxPQUFPLEdBQUcsS0FBSyxDQUFDLGlCQUFpQixDQUFDLEdBQUcsQ0FBQyxRQUFRLEVBQUUsa0JBQVEsQ0FBQyxDQUFDO0lBQ2hFLE1BQU0sSUFBSSxHQUFHLENBQUMsR0FBRyxDQUFDLGNBQWMsQ0FBQyxDQUFDLENBQUMsRUFBRSxDQUFDLENBQUMsQ0FBQyxtQkFBbUIsQ0FBQyxHQUFHLENBQUMsY0FBYyxDQUFDLENBQUM7SUFDaEYsTUFBTSxRQUFRLEdBQUcsR0FBRyxDQUFDLFFBQVEsSUFBSSxFQUFFLENBQUM7SUFDcEMsTUFBTSxNQUFNLEdBQUc7UUFDYixlQUFlLEVBQUU7WUFDZixRQUFRLEVBQUU7Z0JBQ1IsT0FBTzthQUNSO1lBQ0QsUUFBUSxFQUFFO2dCQUNSLElBQUk7YUFDTDtZQUNELFFBQVE7U0FDVDtLQUNGLENBQUM7SUFDRixPQUFPLElBQUEsaUJBQVEsRUFBQyxNQUFNLENBQUMsQ0FBQztBQUMxQixDQUFDO0FBRUQsd0NBQXdDO0FBQ3hDLE1BQU0sWUFBWSxHQUFHLEVBQUUsSUFBSSxHQUFHLENBQUM7QUFDL0IsTUFBTSxPQUFPLEdBQUcsRUFBRSxJQUFJLEdBQUcsQ0FBQztBQUUxQjs7Ozs7R0FLRztBQUNILFNBQWdCLG1CQUFtQixDQUFDLElBQVk7SUFDOUMsSUFBSSxHQUFHLElBQUksQ0FBQyxXQUFXLEVBQUUsQ0FBQztJQUMxQixJQUFJLElBQUksS0FBSyxHQUFHLEVBQUUsQ0FBQztRQUNqQixPQUFPLEVBQUUsQ0FBQztJQUNaLENBQUM7SUFDRCxJQUFJLENBQUMsSUFBSSxDQUFDLFVBQVUsQ0FBQyxJQUFJLENBQUMsRUFBRSxDQUFDO1FBQzNCLE1BQU0sSUFBSSxLQUFLLENBQUMsc0NBQXNDLENBQUMsQ0FBQztJQUMxRCxDQUFDO0lBQ0QsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsR0FBRyxDQUFDLENBQUM7SUFDdkMsTUFBTSxHQUFHLEdBQUcsRUFBRSxDQUFDO0lBQ2YsS0FBSyxJQUFJLElBQUksSUFBSSxLQUFLLEVBQUUsQ0FBQztRQUN2QixJQUFJLFFBQVEsR0FBRyxLQUFLLENBQUM7UUFDckIsSUFBSSxJQUFJLENBQUMsUUFBUSxDQUFDLEdBQUcsQ0FBQyxJQUFJLElBQUksQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUM3QyxRQUFRLEdBQUcsSUFBSSxDQUFDO1lBQ2hCLElBQUksR0FBRyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsRUFBRSxJQUFJLENBQUMsTUFBTSxHQUFHLENBQUMsQ0FBQyxDQUFDO1FBQ3hDLENBQUM7UUFDRCxJQUFJLElBQUksS0FBSyxFQUFFLEVBQUUsQ0FBQztZQUNoQixNQUFNLElBQUksS0FBSyxDQUFDLHdDQUF3QyxDQUFDLENBQUM7UUFDNUQsQ0FBQztRQUNELElBQUksS0FBSyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsQ0FBQztRQUN6QixJQUFJLEtBQUssSUFBSSxPQUFPLEVBQUUsQ0FBQztZQUNyQixNQUFNLElBQUksS0FBSyxDQUFDLHNEQUFzRCxDQUFDLENBQUM7UUFDMUUsQ0FBQztRQUNELElBQUksUUFBUSxFQUFFLENBQUM7WUFDYixLQUFLLEdBQUcsS0FBSyxHQUFHLFlBQVksQ0FBQztRQUMvQixDQUFDO1FBQ0QsR0FBRyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQztJQUMxQixDQUFDO0lBQ0QsT0FBTyxHQUFHLENBQUM7QUFDYixDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiaW1wb3J0IHsgZW5jb2RlIGFzIG1wRW5jb2RlIH0gZnJvbSBcIm1zZ3BhY2tyXCI7XG5pbXBvcnQgeyB3b3JkbGlzdCB9IGZyb20gXCJAc2N1cmUvYmlwMzkvd29yZGxpc3RzL2VuZ2xpc2hcIjtcbmltcG9ydCAqIGFzIGJpcDM5IGZyb20gXCJAc2N1cmUvYmlwMzlcIjtcblxuLy8gVGhlIEtleVBhY2thZ2UgdHlwZSBmcm9tIEN1YmVTaWduZXJcbmV4cG9ydCB0eXBlIE1uZW1vbmljS2V5UGFja2FnZSA9IHtcbiAgRW5nbGlzaE1uZW1vbmljOiB7XG4gICAgbW5lbW9uaWM6IHtcbiAgICAgIGVudHJvcHk6IFVpbnQ4QXJyYXk7XG4gICAgfTtcbiAgICBkZXJfcGF0aDoge1xuICAgICAgcGF0aDogbnVtYmVyW107XG4gICAgfTtcbiAgICBwYXNzd29yZDogc3RyaW5nO1xuICB9O1xufTtcblxuLyoqXG4gKiBBIEJJUDM5IG1uZW1vbmljIHRvIGJlIGltcG9ydGVkLCBwbHVzIG9wdGlvbmFsIEJJUDM5IHBhc3N3b3JkXG4gKiBhbmQgQklQMzIgZGVyaXZhdGlvbiBwYXRoLlxuICovXG5leHBvcnQgdHlwZSBNbmVtb25pY1RvSW1wb3J0ID0ge1xuICBtbmVtb25pYzogc3RyaW5nO1xuICBkZXJpdmF0aW9uUGF0aD86IHN0cmluZztcbiAgcGFzc3dvcmQ/OiBzdHJpbmc7XG59O1xuXG4vKipcbiAqIENyZWF0ZSBhIG5ldyBNbmVtb25pY0tleVBhY2thZ2UgdmFsdWVcbiAqXG4gKiBAcGFyYW0geyBNbmVtb25pY1RvSW1wb3J0IH0gbW5lIEEgQklQMzkgbW5lbW9uaWMgYW5kIG9wdGlvbmFsIEJJUDM5IHBhc3N3b3JkIGFuZCBCSVAzMiBkZXJpdmF0aW9uIHBhdGhcbiAqIEByZXR1cm4geyBVaW50OEFycmF5IH0gQSBzZXJpYWxpemVkIGtleSBwYWNrYWdlIGZvciBpbXBvcnQgdG8gQ3ViZVNpZ25lclxuICovXG5leHBvcnQgZnVuY3Rpb24gbmV3TW5lbW9uaWNLZXlQYWNrYWdlKG1uZTogTW5lbW9uaWNUb0ltcG9ydCk6IFVpbnQ4QXJyYXkge1xuICBjb25zdCBlbnRyb3B5ID0gYmlwMzkubW5lbW9uaWNUb0VudHJvcHkobW5lLm1uZW1vbmljLCB3b3JkbGlzdCk7XG4gIGNvbnN0IHBhdGggPSAhbW5lLmRlcml2YXRpb25QYXRoID8gW10gOiBwYXJzZURlcml2YXRpb25QYXRoKG1uZS5kZXJpdmF0aW9uUGF0aCk7XG4gIGNvbnN0IHBhc3N3b3JkID0gbW5lLnBhc3N3b3JkID8/IFwiXCI7XG4gIGNvbnN0IG1uZVBrZyA9IHtcbiAgICBFbmdsaXNoTW5lbW9uaWM6IHtcbiAgICAgIG1uZW1vbmljOiB7XG4gICAgICAgIGVudHJvcHksXG4gICAgICB9LFxuICAgICAgZGVyX3BhdGg6IHtcbiAgICAgICAgcGF0aCxcbiAgICAgIH0sXG4gICAgICBwYXNzd29yZCxcbiAgICB9LFxuICB9O1xuICByZXR1cm4gbXBFbmNvZGUobW5lUGtnKTtcbn1cblxuLy8gY29uc3RhbnRzIGZvciBkZXJpdmF0aW9uIHBhdGggcGFyc2luZ1xuY29uc3QgREVSX0hBUkRFTkVEID0gMW4gPDwgMzFuO1xuY29uc3QgREVSX01BWCA9IDFuIDw8IDMybjtcblxuLyoqXG4gKiBQYXJzZSBhIGRlcml2YXRpb24gcGF0aCBpbnRvIGEgc2VxdWVuY2Ugb2YgMzItYml0IGludGVnZXJzXG4gKlxuICogQHBhcmFtIHsgc3RyaW5nIH0gZGVycCBUaGUgZGVyaXZhdGlvbiBwYXRoIHRvIHBhcnNlOyBtdXN0IHN0YXJ0IHdpdGggJ20vJ1xuICogQHJldHVybiB7IG51bWJlcltdIH0gVGhlIHBhcnNlZCBwYXRoXG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBwYXJzZURlcml2YXRpb25QYXRoKGRlcnA6IHN0cmluZyk6IG51bWJlcltdIHtcbiAgZGVycCA9IGRlcnAudG9Mb3dlckNhc2UoKTtcbiAgaWYgKGRlcnAgPT09IFwibVwiKSB7XG4gICAgcmV0dXJuIFtdO1xuICB9XG4gIGlmICghZGVycC5zdGFydHNXaXRoKFwibS9cIikpIHtcbiAgICB0aHJvdyBuZXcgRXJyb3IoJ0Rlcml2YXRpb24gcGF0aCBtdXN0IHN0YXJ0IHdpdGggXCJtL1wiJyk7XG4gIH1cbiAgY29uc3QgcGFydHMgPSBkZXJwLnNsaWNlKDIpLnNwbGl0KFwiL1wiKTtcbiAgY29uc3QgcmV0ID0gW107XG4gIGZvciAobGV0IHBhcnQgb2YgcGFydHMpIHtcbiAgICBsZXQgaGFyZGVuZWQgPSBmYWxzZTtcbiAgICBpZiAocGFydC5lbmRzV2l0aChcIidcIikgfHwgcGFydC5lbmRzV2l0aChcImhcIikpIHtcbiAgICAgIGhhcmRlbmVkID0gdHJ1ZTtcbiAgICAgIHBhcnQgPSBwYXJ0LnNsaWNlKDAsIHBhcnQubGVuZ3RoIC0gMSk7XG4gICAgfVxuICAgIGlmIChwYXJ0ID09PSBcIlwiKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoXCJJbnZhbGlkIGRlcml2YXRpb24gcGF0aDogZW1wdHkgZWxlbWVudFwiKTtcbiAgICB9XG4gICAgbGV0IHZhbHVlID0gQmlnSW50KHBhcnQpO1xuICAgIGlmICh2YWx1ZSA+PSBERVJfTUFYKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoXCJEZXJpdmF0aW9uIHBhdGggZWxlbWVudCBncmVhdGVyIHRoYW4gMl4zMiBpcyBpbnZhbGlkXCIpO1xuICAgIH1cbiAgICBpZiAoaGFyZGVuZWQpIHtcbiAgICAgIHZhbHVlID0gdmFsdWUgfCBERVJfSEFSREVORUQ7XG4gICAgfVxuICAgIHJldC5wdXNoKE51bWJlcih2YWx1ZSkpO1xuICB9XG4gIHJldHVybiByZXQ7XG59XG4iXX0=

package/dist/util.d.ts ADDED Viewed

@@ -0,0 +1,22 @@
+/**
+ * Converts a bigint to a big-endian Uint8Array of a specified length
+ *
+ * @param { bigint } n The value to convert
+ * @param { number } l The length in bytes
+ * @return { Uint8Array } The big-endian bytes
+ */
+export declare function toBigEndian(n: bigint, l: number): Uint8Array;
+/**
+ * Concatenates an array of Uint8Arrays into a single array
+ *
+ * @param { Uint8Array[] } parts The parts to be concatenated
+ * @return { Uint8Array } The concatenated array
+ */
+export declare function concatArrays(parts: Uint8Array[]): Uint8Array;
+/**
+ * Get the current time in seconds since UNIX epoch
+ *
+ * @return { BigInt } Seconds since UNIX epoch
+ */
+export declare function nowEpochMillis(): bigint;
+//# sourceMappingURL=util.d.ts.map

package/dist/util.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"util.d.ts","sourceRoot":"","sources":["../src/util.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,UAAU,CAW5D;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,GAAG,UAAU,CAW5D;AAED;;;;GAIG;AACH,wBAAgB,cAAc,IAAI,MAAM,CAEvC"}

package/dist/util.js ADDED Viewed

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.toBigEndian = toBigEndian;
+exports.concatArrays = concatArrays;
+exports.nowEpochMillis = nowEpochMillis;
+/**
+ * Converts a bigint to a big-endian Uint8Array of a specified length
+ *
+ * @param { bigint } n The value to convert
+ * @param { number } l The length in bytes
+ * @return { Uint8Array } The big-endian bytes
+ */
+function toBigEndian(n, l) {
+    if (n >= 1n << (8n * BigInt(l))) {
+        throw new Error(`Cannot convert ${n} to ${l} big-endian bytes (overflow)`);
+    }
+    let nn = n;
+    const ret = new Uint8Array(l);
+    for (let i = l - 1; i >= 0; --i) {
+        ret[i] = Number(nn % 256n);
+        nn = nn >> 8n;
+    }
+    return ret;
+}
+/**
+ * Concatenates an array of Uint8Arrays into a single array
+ *
+ * @param { Uint8Array[] } parts The parts to be concatenated
+ * @return { Uint8Array } The concatenated array
+ */
+function concatArrays(parts) {
+    const totalLen = parts.reduce((len, part) => len + part.length, 0);
+    let lenSoFar = 0;
+    const ret = new Uint8Array(totalLen);
+    parts.forEach((part) => {
+        ret.set(part, lenSoFar);
+        lenSoFar += part.length;
+    });
+    return ret;
+}
+/**
+ * Get the current time in seconds since UNIX epoch
+ *
+ * @return { BigInt } Seconds since UNIX epoch
+ */
+function nowEpochMillis() {
+    return BigInt(Date.now());
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidXRpbC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uL3NyYy91dGlsLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7O0FBT0Esa0NBV0M7QUFRRCxvQ0FXQztBQU9ELHdDQUVDO0FBOUNEOzs7Ozs7R0FNRztBQUNILFNBQWdCLFdBQVcsQ0FBQyxDQUFTLEVBQUUsQ0FBUztJQUM5QyxJQUFJLENBQUMsSUFBSSxFQUFFLElBQUksQ0FBQyxFQUFFLEdBQUcsTUFBTSxDQUFDLENBQUMsQ0FBQyxDQUFDLEVBQUUsQ0FBQztRQUNoQyxNQUFNLElBQUksS0FBSyxDQUFDLGtCQUFrQixDQUFDLE9BQU8sQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO0lBQzdFLENBQUM7SUFDRCxJQUFJLEVBQUUsR0FBRyxDQUFDLENBQUM7SUFDWCxNQUFNLEdBQUcsR0FBRyxJQUFJLFVBQVUsQ0FBQyxDQUFDLENBQUMsQ0FBQztJQUM5QixLQUFLLElBQUksQ0FBQyxHQUFHLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsRUFBRSxFQUFFLENBQUMsRUFBRSxDQUFDO1FBQ2hDLEdBQUcsQ0FBQyxDQUFDLENBQUMsR0FBRyxNQUFNLENBQUMsRUFBRSxHQUFHLElBQUksQ0FBQyxDQUFDO1FBQzNCLEVBQUUsR0FBRyxFQUFFLElBQUksRUFBRSxDQUFDO0lBQ2hCLENBQUM7SUFDRCxPQUFPLEdBQUcsQ0FBQztBQUNiLENBQUM7QUFFRDs7Ozs7R0FLRztBQUNILFNBQWdCLFlBQVksQ0FBQyxLQUFtQjtJQUM5QyxNQUFNLFFBQVEsR0FBRyxLQUFLLENBQUMsTUFBTSxDQUFDLENBQUMsR0FBRyxFQUFFLElBQUksRUFBRSxFQUFFLENBQUMsR0FBRyxHQUFHLElBQUksQ0FBQyxNQUFNLEVBQUUsQ0FBQyxDQUFDLENBQUM7SUFFbkUsSUFBSSxRQUFRLEdBQUcsQ0FBQyxDQUFDO0lBQ2pCLE1BQU0sR0FBRyxHQUFHLElBQUksVUFBVSxDQUFDLFFBQVEsQ0FBQyxDQUFDO0lBQ3JDLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQyxJQUFJLEVBQUUsRUFBRTtRQUNyQixHQUFHLENBQUMsR0FBRyxDQUFDLElBQUksRUFBRSxRQUFRLENBQUMsQ0FBQztRQUN4QixRQUFRLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQztJQUMxQixDQUFDLENBQUMsQ0FBQztJQUVILE9BQU8sR0FBRyxDQUFDO0FBQ2IsQ0FBQztBQUVEOzs7O0dBSUc7QUFDSCxTQUFnQixjQUFjO0lBQzVCLE9BQU8sTUFBTSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQyxDQUFDO0FBQzVCLENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqIENvbnZlcnRzIGEgYmlnaW50IHRvIGEgYmlnLWVuZGlhbiBVaW50OEFycmF5IG9mIGEgc3BlY2lmaWVkIGxlbmd0aFxuICpcbiAqIEBwYXJhbSB7IGJpZ2ludCB9IG4gVGhlIHZhbHVlIHRvIGNvbnZlcnRcbiAqIEBwYXJhbSB7IG51bWJlciB9IGwgVGhlIGxlbmd0aCBpbiBieXRlc1xuICogQHJldHVybiB7IFVpbnQ4QXJyYXkgfSBUaGUgYmlnLWVuZGlhbiBieXRlc1xuICovXG5leHBvcnQgZnVuY3Rpb24gdG9CaWdFbmRpYW4objogYmlnaW50LCBsOiBudW1iZXIpOiBVaW50OEFycmF5IHtcbiAgaWYgKG4gPj0gMW4gPDwgKDhuICogQmlnSW50KGwpKSkge1xuICAgIHRocm93IG5ldyBFcnJvcihgQ2Fubm90IGNvbnZlcnQgJHtufSB0byAke2x9IGJpZy1lbmRpYW4gYnl0ZXMgKG92ZXJmbG93KWApO1xuICB9XG4gIGxldCBubiA9IG47XG4gIGNvbnN0IHJldCA9IG5ldyBVaW50OEFycmF5KGwpO1xuICBmb3IgKGxldCBpID0gbCAtIDE7IGkgPj0gMDsgLS1pKSB7XG4gICAgcmV0W2ldID0gTnVtYmVyKG5uICUgMjU2bik7XG4gICAgbm4gPSBubiA+PiA4bjtcbiAgfVxuICByZXR1cm4gcmV0O1xufVxuXG4vKipcbiAqIENvbmNhdGVuYXRlcyBhbiBhcnJheSBvZiBVaW50OEFycmF5cyBpbnRvIGEgc2luZ2xlIGFycmF5XG4gKlxuICogQHBhcmFtIHsgVWludDhBcnJheVtdIH0gcGFydHMgVGhlIHBhcnRzIHRvIGJlIGNvbmNhdGVuYXRlZFxuICogQHJldHVybiB7IFVpbnQ4QXJyYXkgfSBUaGUgY29uY2F0ZW5hdGVkIGFycmF5XG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBjb25jYXRBcnJheXMocGFydHM6IFVpbnQ4QXJyYXlbXSk6IFVpbnQ4QXJyYXkge1xuICBjb25zdCB0b3RhbExlbiA9IHBhcnRzLnJlZHVjZSgobGVuLCBwYXJ0KSA9PiBsZW4gKyBwYXJ0Lmxlbmd0aCwgMCk7XG5cbiAgbGV0IGxlblNvRmFyID0gMDtcbiAgY29uc3QgcmV0ID0gbmV3IFVpbnQ4QXJyYXkodG90YWxMZW4pO1xuICBwYXJ0cy5mb3JFYWNoKChwYXJ0KSA9PiB7XG4gICAgcmV0LnNldChwYXJ0LCBsZW5Tb0Zhcik7XG4gICAgbGVuU29GYXIgKz0gcGFydC5sZW5ndGg7XG4gIH0pO1xuXG4gIHJldHVybiByZXQ7XG59XG5cbi8qKlxuICogR2V0IHRoZSBjdXJyZW50IHRpbWUgaW4gc2Vjb25kcyBzaW5jZSBVTklYIGVwb2NoXG4gKlxuICogQHJldHVybiB7IEJpZ0ludCB9IFNlY29uZHMgc2luY2UgVU5JWCBlcG9jaFxuICovXG5leHBvcnQgZnVuY3Rpb24gbm93RXBvY2hNaWxsaXMoKTogYmlnaW50IHtcbiAgcmV0dXJuIEJpZ0ludChEYXRlLm5vdygpKTtcbn1cbiJdfQ==

package/package.json ADDED Viewed

@@ -0,0 +1,39 @@
+{
+  "name": "@cubist-labs/cubesigner-sdk-key-import",
+  "version": "0.4.68-0",
+  "description": "Client-side key-import machinery for CubeSigner",
+  "license": "MIT OR Apache-2.0",
+  "author": "Cubist, Inc.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "tsconfig.json",
+    "src/**",
+    "dist/**",
+    "../../NOTICE",
+    "../../LICENSE-APACHE",
+    "../../LICENSE_MIT"
+  ],
+  "scripts": {
+    "build": "npx tsc",
+    "prepack": "npx tsc",
+    "repl": "npx node --import tsx",
+    "test": "npx --node-options='--experimental-vm-modules' jest --maxWorkers=1"
+  },
+  "peerDependencies": {
+    "@cubist-labs/cubesigner-sdk": "^0.4.68-0"
+  },
+  "devDependencies": {
+    "tsx": "^4.19.0"
+  },
+  "dependencies": {
+    "@auth0/cose": "^1.0.2",
+    "@hpke/core": "^1.3.1",
+    "@peculiar/asn1-ecc": "^2.3.13",
+    "@peculiar/asn1-schema": "^2.3.13",
+    "@peculiar/x509": "^1.12.1",
+    "@scure/bip39": "^1.4.0",
+    "cbor-x": "^1.6.0",
+    "msgpackr": "^1.11.0"
+  }
+}

package/src/import.ts ADDED Viewed

@@ -0,0 +1,426 @@
+import type {
+  CreateKeyImportKeyResponse,
+  ImportKeyRequest,
+  ImportKeyRequestMaterial,
+  Key,
+  KeyType,
+  Org,
+} from "@cubist-labs/cubesigner-sdk";
+import { loadCrypto, loadSubtleCrypto } from "@cubist-labs/cubesigner-sdk";
+import { CipherSuite, Aes256Gcm, HkdfSha384, DhkemP384HkdfSha384 } from "@hpke/core";
+import { ECParameters } from "@peculiar/asn1-ecc";
+import { AsnParser } from "@peculiar/asn1-schema";
+import {
+  AlgorithmProvider,
+  X509Certificate,
+  cryptoProvider as x509CryptoProvider,
+} from "@peculiar/x509";
+import type { MnemonicToImport } from "./mnemonic";
+import { newMnemonicKeyPackage } from "./mnemonic";
+import { toBigEndian, concatArrays, nowEpochMillis } from "./util";
+// domain-separation tag used when generating signing hash for import key
+const IMPORT_KEY_SIGNING_DST = new TextEncoder().encode("CUBESIGNER_EPHEMERAL_IMPORT_P384");
+// attestation document slack times
+const MAX_ATTESTATION_AGE_MINUTES = 15n;
+const MAX_ATTESTATION_FUTURE_MINUTES = 5n;
+const WIK_REFRESH_EARLY_MILLIS = 60_000n;
+// OIDs for elliptic curve X509 certs
+const EC_PUBLIC_KEY = "1.2.840.10045.2.1";
+const NIST_P384 = "1.3.132.0.34";
+// Maximum number of keys to import in a single API call
+const MAX_IMPORTS_PER_API_CALL = 32n;
+// AWS Nitro Enclaves root CA certificate
+// https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip
+//
+// See the documentation about AWS Nitro Enclaves verification:
+// https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html
+const AWS_CA_CERT =
+  "MIICETCCAZagAwIBAgIRAPkxdWgbkK/hHUbMtOTn+FYwCgYIKoZIzj0EAwMwSTELMAkGA1UEBhMCVVMxDzANBgNVBAoMBkFtYXpvbjEMMAoGA1UECwwDQVdTMRswGQYDVQQDDBJhd3Mubml0cm8tZW5jbGF2ZXMwHhcNMTkxMDI4MTMyODA1WhcNNDkxMDI4MTQyODA1WjBJMQswCQYDVQQGEwJVUzEPMA0GA1UECgwGQW1hem9uMQwwCgYDVQQLDANBV1MxGzAZBgNVBAMMEmF3cy5uaXRyby1lbmNsYXZlczB2MBAGByqGSM49AgEGBSuBBAAiA2IABPwCVOumCMHzaHDimtqQvkY4MpJzbolL//Zy2YlES1BR5TSksfbb48C8WBoyt7F2Bw7eEtaaP+ohG2bnUs990d0JX28TcPQXCEPZ3BABIeTPYwEoCWZEh8l5YoQwTcU/9KNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUkCW1DdkFR+eWw5b6cp3PmanfS5YwDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMDA2kAMGYCMQCjfy+Rocm9Xue4YnwWmNJVA44fA0P5W2OpYow9OYCVRaEevL8uO1XYru5xtMPWrfMCMQCi85sWBbJwKKXdS6BptQFuZbT73o/gBh1qUxl/nNr12UO8Yfwr6wPLb+6NIwLz3/Y=";
+/**
+ * The result of deserializing a CreateKeyImportKeyResponse
+ */
+class WrappedImportKey {
+  readonly verifiedHash: Uint8Array;
+  readonly publicKey: Uint8Array;
+  readonly publicKeyBase64: string;
+  readonly skEnc: Uint8Array;
+  readonly skEncBase64: string;
+  readonly dkEnc: Uint8Array;
+  readonly dkEncBase64: string;
+  readonly expEpochSeconds: bigint;
+  readonly #enclaveAttestation: Uint8Array;
+  readonly #enclaveSignature: Uint8Array;
+  /**
+   * Constructor. This is only called from `WrappedImportKey.createAndVerify()`.
+   *
+   * @param { CreateKeyImportKeyResponse } resp The response from CubeSigner
+   */
+  private constructor(resp: CreateKeyImportKeyResponse) {
+    if (!resp.enclave_attestation || !resp.enclave_signature) {
+      throw new Error("No attestation found in CreateKeyImportKeyResponse");
+    }
+    // parse the response
+    this.publicKey = new Uint8Array(Buffer.from(resp.public_key, "base64"));
+    this.publicKeyBase64 = resp.public_key;
+    this.skEnc = new Uint8Array(Buffer.from(resp.sk_enc, "base64"));
+    this.skEncBase64 = resp.sk_enc;
+    this.dkEnc = new Uint8Array(Buffer.from(resp.dk_enc, "base64"));
+    this.dkEncBase64 = resp.dk_enc;
+    this.#enclaveAttestation = new Uint8Array(Buffer.from(resp.enclave_attestation, "base64"));
+    this.#enclaveSignature = new Uint8Array(Buffer.from(resp.enclave_signature, "base64"));
+    this.expEpochSeconds = BigInt(resp.expires);
+    // this array is updated in createAndVerify once verification succeeds
+    this.verifiedHash = new Uint8Array(32);
+  }
+  /**
+   * Create and verify an instance of this type
+   *
+   * @param { CreateKeyImportKeyResponse } resp The response from CubeSigner
+   * @param { SubtleCrypto } subtle An instance of SubtleCrypto used for verification
+   * @return { Promise<WrappedImportKey> } A newly constructed instance
+   */
+  public static async createAndVerify(
+    resp: CreateKeyImportKeyResponse,
+    subtle: SubtleCrypto,
+  ): Promise<WrappedImportKey> {
+    const ret = new WrappedImportKey(resp);
+    const hash = await ret.#verifyImportKey(subtle);
+    ret.verifiedHash.set(hash);
+    return ret;
+  }
+  /**
+   * Verify this wrapped import key.
+   *
+   * @param { SubtleCrypto } subtle An instance of SubtleCrypto used for verification
+   * @return { Promise<Uint8Array> } The hash of the successfully verified wrapped import key
+   */
+  async #verifyImportKey(subtle: SubtleCrypto): Promise<Uint8Array> {
+    // check expiration date
+    if (nowEpochMillis() > this.expEpochSeconds * 1000n) {
+      throw new Error("Import key is expired");
+    }
+    // make sure that there is an attestation
+    if (!this.#enclaveSignature || !this.#enclaveAttestation) {
+      throw new Error("No attestation found");
+    }
+    const signing_key = await verifyAttestationKey(this.#enclaveAttestation);
+    // we use subtlecrypto's impl of RSA-PSS verification
+    const rsaPssKeyParams = {
+      name: "RSA-PSS",
+      hash: "SHA-256",
+    };
+    const pubkey = await subtle.importKey("spki", signing_key, rsaPssKeyParams, true, ["verify"]);
+    const pubkeyAlg = pubkey.algorithm as unknown as { modulusLength: number };
+    // compute the signing hash and verify the signature
+    const message = this.#signedData();
+    const mlen = Number(BigInt(pubkeyAlg.modulusLength) / 8n);
+    const rsaPssParams = {
+      name: "RSA-PSS",
+      saltLength: mlen - 2 - 32,
+    };
+    if (await subtle.verify(rsaPssParams, pubkey, this.#enclaveSignature, message)) {
+      return new Uint8Array(await subtle.digest("SHA-256", message));
+    }
+    throw new Error("Import key signature verification failed");
+  }
+  /**
+   * Returns `true` if this WrappedImportKey needs to be refreshed.
+   *
+   * @return { boolean } True just if this key needs to be refreshed.
+   */
+  public needsRefresh(): boolean {
+    // force refresh if we're within WIK_REFRESH_EARLY_MILLIS of the expiration
+    return nowEpochMillis() + WIK_REFRESH_EARLY_MILLIS > this.expEpochSeconds * 1000n;
+  }
+  /**
+   * Computes the signing hash for a wrapped import key
+   *
+   * @return { Uint8Array } The signing hash
+   */
+  #signedData(): Uint8Array {
+    const parts: Uint8Array[] = [
+      // domain separation tag
+      toBigEndian(BigInt(IMPORT_KEY_SIGNING_DST.length), 2),
+      IMPORT_KEY_SIGNING_DST,
+      // public key
+      toBigEndian(BigInt(this.publicKey.length), 2),
+      this.publicKey,
+      // sk_enc
+      toBigEndian(BigInt(this.skEnc.length), 2),
+      this.skEnc,
+      // dk_enc
+      toBigEndian(BigInt(this.dkEnc.length), 2),
+      this.dkEnc,
+      // 8-byte big-endian expiration time in seconds since UNIX epoch
+      toBigEndian(this.expEpochSeconds, 8),
+    ];
+    return concatArrays(parts);
+  }
+}
+/**
+ * The return value from KeyImporter.#getWrappedImportAndPubKey()
+ */
+type WrappedImportAndPubKey = {
+  wik: WrappedImportKey;
+  ipk: CryptoKey;
+};
+/**
+ * An import encryption key and the corresponding attestation document
+ */
+export class KeyImporter {
+  #wrappedImportKey: null | WrappedImportKey = null;
+  #subtleCrypto: null | SubtleCrypto = null;
+  #publicKeyHandle: null | CryptoKey = null;
+  readonly #hpkeSuite: CipherSuite;
+  readonly #cs: Org;
+  /**
+   * Construct from a CubeSigner `Org` instance
+   *
+   * @param { Org } cs A CubeSigner `Org` instance
+   */
+  constructor(cs: Org) {
+    this.#cs = cs;
+    this.#hpkeSuite = new CipherSuite({
+      kem: new DhkemP384HkdfSha384(),
+      kdf: new HkdfSha384(),
+      aead: new Aes256Gcm(),
+    });
+  }
+  /**
+   * Check that the wrapped import key is unexpired and verified. Otherwise,
+   * request a new one, verify it, and update the verified signing hash.
+   *
+   * @return { Promise<[WrappedImportKey, CryptoKey]> } The verified signing hash.
+   */
+  async #getWrappedImportAndPubKey(): Promise<WrappedImportAndPubKey> {
+    if (!this.#wrappedImportKey) {
+      // first time we load a WrappedImportKey, make sure the x509 crypto
+      // provider is set correctly.
+      x509CryptoProvider.set(await loadCrypto());
+    }
+    if (!this.#wrappedImportKey || this.#wrappedImportKey.needsRefresh()) {
+      const kikResp = await this.#cs.createKeyImportKey();
+      const subtle = await this.#getSubtleCrypto();
+      const wik = await WrappedImportKey.createAndVerify(kikResp, subtle);
+      // import the public key from the WrappedImportKey
+      const p384Params = {
+        name: "ECDH",
+        namedCurve: "P-384",
+      };
+      this.#publicKeyHandle = await subtle.importKey("raw", wik.publicKey, p384Params, true, []);
+      this.#wrappedImportKey = wik;
+    }
+    return {
+      wik: this.#wrappedImportKey,
+      ipk: this.#publicKeyHandle!,
+    };
+  }
+  /**
+   * Get or create an instance of SubtleCrypto.
+   *
+   * @return { SubtleCrypto } The instance of SubtleCrypto.
+   */
+  async #getSubtleCrypto(): Promise<SubtleCrypto> {
+    if (!this.#subtleCrypto) {
+      this.#subtleCrypto = await loadSubtleCrypto();
+    }
+    return this.#subtleCrypto;
+  }
+  /**
+   * Encrypts a set of mnemonics and imports them.
+   *
+   * @param { KeyType } keyType The type of key to import
+   * @param { MnemonicToImport[] } mnes The mnemonics to import, with optional derivation paths and passwords
+   * @return { Promise<Key[]> } `Key` objects for each imported key.
+   */
+  public async importMnemonics(keyType: KeyType, mnes: MnemonicToImport[]): Promise<Key[]> {
+    const nChunks = Number(
+      (BigInt(mnes.length) + MAX_IMPORTS_PER_API_CALL - 1n) / MAX_IMPORTS_PER_API_CALL,
+    );
+    const keys = [];
+    for (let i = 0; i < nChunks; ++i) {
+      // first, make sure that the wrapped import key is valid, i.e., that
+      // we have retrieved it and that it hasn't expired. We do this here
+      // for a couple reasons:
+      //
+      // - all encryptions in a give request must use the same import key, and
+      //
+      // - when importing a huge number of keys the import pubkey might expire
+      //   during the import, so we check for expiration before each request
+      const { wik, ipk } = await this.#getWrappedImportAndPubKey();
+      // next, encrypt this chunk of mnemonics
+      const start = Number(MAX_IMPORTS_PER_API_CALL) * i;
+      const end = Number(MAX_IMPORTS_PER_API_CALL) + start;
+      const mneSlice = mnes.slice(start, end);
+      const key_material = [];
+      for (const mne of mneSlice) {
+        const keyPkg = newMnemonicKeyPackage(mne);
+        const material = await this.#encrypt(keyPkg, wik.verifiedHash, ipk);
+        key_material.push(material);
+      }
+      // construct the request
+      const req: ImportKeyRequest = {
+        public_key: wik.publicKeyBase64,
+        sk_enc: wik.skEncBase64,
+        dk_enc: wik.dkEncBase64,
+        expires: Number(wik.expEpochSeconds),
+        key_type: keyType,
+        key_material,
+      };
+      // send it and append the result to the return value
+      const resp = await this.#cs.importKeys(req);
+      keys.push(...resp);
+    }
+    return keys;
+  }
+  /**
+   * Encrypt to this wrapped import key. Stores the result in `this.encrypted_keys`
+   *
+   * @param { Uint8Array } data The data to encrypt
+   * @param { Uint8Array } verifiedHash The verified signing hash of the wrapped import key to which to encrypt
+   * @param { CryptoKey } pubkey The public key to encrypt to
+   * @return { Promise<ImportKeyRequestMaterial> } The encrypted key material
+   */
+  async #encrypt(
+    data: Uint8Array,
+    verifiedHash: Uint8Array,
+    pubkey: CryptoKey,
+  ): Promise<ImportKeyRequestMaterial> {
+    // set up the HPKE sender
+    const sender = await this.#hpkeSuite.createSenderContext({
+      recipientPublicKey: pubkey,
+      info: verifiedHash,
+    });
+    // encrypt and construct the return value
+    const senderCtext = await sender.seal(data);
+    return {
+      salt: "",
+      client_public_key: Buffer.from(sender.enc).toString("base64"),
+      ikm_enc: Buffer.from(senderCtext).toString("base64"),
+    };
+  }
+}
+/*
+ * An AWS Nitro attestation document
+ *
+ * https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/4b851f3006c6fa98f23dcffb2cba03b39de9b8af/src/api/mod.rs#L208
+ */
+type AttestationDoc = {
+  module_id: string;
+  digest: "SHA256" | "SHA384" | "SHA512";
+  timestamp: bigint;
+  pcrs: Map<number, Uint8Array>;
+  certificate: Uint8Array;
+  cabundle: Uint8Array[];
+  public_key?: Uint8Array;
+  user_data?: Uint8Array;
+  nonce?: Uint8Array;
+};
+/**
+ * Verifies the attestation key against the AWS Nitro Enclaves signing
+ * key and returns the attested signing key.
+ *
+ * @param { Uint8Array } attBytes An attestation from an AWS nitro enclave
+ * @return { Promise<Uint8Array> } The signing key that was attested, or null if verification failed
+ */
+async function verifyAttestationKey(attBytes: Uint8Array): Promise<Uint8Array> {
+  // cbor-x is being imported as ESM, so we must asynchronously import it here.
+  // Because we only use that and auth0/cose here, we import both this way.
+  const { Sign1 } = await import("@auth0/cose");
+  const { decode: cborDecode } = await import("cbor-x");
+  const att = Sign1.decode(attBytes);
+  const attDoc = cborDecode(att.payload) as AttestationDoc;
+  // check expiration date of attestation
+  const latest = nowEpochMillis() + MAX_ATTESTATION_FUTURE_MINUTES * 60n * 1000n;
+  const earliest =
+    latest - (MAX_ATTESTATION_FUTURE_MINUTES + MAX_ATTESTATION_AGE_MINUTES) * 60n * 1000n;
+  if (attDoc.timestamp < earliest || attDoc.timestamp > latest) {
+    throw new Error("Attestation is expired");
+  }
+  // if there's no public key in this attestation, give up
+  if (!attDoc.public_key) {
+    throw new Error("Attestation did not include a signing public key");
+  }
+  // Verify certificate chain starting with AWS Nitro CA cert
+  let parent = new X509Certificate(AWS_CA_CERT);
+  for (let i = 0; i < attDoc.cabundle.length; ++i) {
+    const cert = new X509Certificate(attDoc.cabundle[i]);
+    if (!(await cert.verify(parent))) {
+      throw new Error(`Attestation certificate chain failed at index ${i}`);
+    }
+    parent = cert;
+  }
+  const cert = new X509Certificate(attDoc.certificate);
+  if (!(await cert.verify(parent))) {
+    throw new Error("Attestation certificate chain failed at leaf");
+  }
+  const pubkey = cert.publicKey;
+  // make sure that we got the expected public key type
+  const alg = new AlgorithmProvider().toAsnAlgorithm(pubkey.algorithm);
+  if (alg.algorithm != EC_PUBLIC_KEY) {
+    // not the expected algorithm, i.e., elliptic curve signing
+    throw new Error("Attestation contained unexpected signature algorithm");
+  }
+  const params = AsnParser.parse(alg.parameters!, ECParameters);
+  if (!params.namedCurve || params.namedCurve !== NIST_P384) {
+    // not the expected params, i.e., NIST P384
+    throw new Error("Attestation contained unexpected signature algorithm");
+  }
+  // verify the cose signature with the key, which we verified against
+  // the AWS Nitro CA certificate above
+  await att.verify(await pubkey.export());
+  return attDoc.public_key;
+}

package/src/index.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export { KeyImporter } from "./import";
2	+ export { MnemonicToImport } from "./mnemonic";