@de-otio/trellis 0.4.0 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/lib/crypto/voting/hash-utils.d.ts +3 -49
- package/dist/lib/crypto/voting/hash-utils.d.ts.map +1 -1
- package/dist/lib/crypto/voting/hash-utils.js +12 -54
- package/dist/lib/crypto/voting/hash-utils.js.map +1 -1
- package/dist/lib/email-privacy.d.ts +6 -44
- package/dist/lib/email-privacy.d.ts.map +1 -1
- package/dist/lib/email-privacy.js +10 -50
- package/dist/lib/email-privacy.js.map +1 -1
- package/package.json +6 -6
- package/prisma/migrations/20260412075058_init_redesign_schema/migration.sql +1547 -0
- package/prisma/migrations/20260412080000_seed_role_metadata/migration.sql +15 -0
- package/prisma/migrations/migration_lock.toml +3 -0
- package/prisma/schema.prisma +1408 -0
- package/dist/lib/crypto/encryption-service.d.ts +0 -100
- package/dist/lib/crypto/encryption-service.d.ts.map +0 -1
- package/dist/lib/crypto/encryption-service.js +0 -293
- package/dist/lib/crypto/encryption-service.js.map +0 -1
- package/dist/lib/crypto/index.d.ts +0 -22
- package/dist/lib/crypto/index.d.ts.map +0 -1
- package/dist/lib/crypto/index.js +0 -28
- package/dist/lib/crypto/index.js.map +0 -1
- package/dist/lib/crypto/types.d.ts +0 -71
- package/dist/lib/crypto/types.d.ts.map +0 -1
- package/dist/lib/crypto/types.js +0 -3
- package/dist/lib/crypto/types.js.map +0 -1
- package/dist/lib/crypto/versioning.d.ts +0 -112
- package/dist/lib/crypto/versioning.d.ts.map +0 -1
- package/dist/lib/crypto/versioning.js +0 -148
- package/dist/lib/crypto/versioning.js.map +0 -1
- package/dist/lib/encryption-key-service.d.ts +0 -115
- package/dist/lib/encryption-key-service.d.ts.map +0 -1
- package/dist/lib/encryption-key-service.js +0 -272
- package/dist/lib/encryption-key-service.js.map +0 -1
- package/dist/lib/followers-handler.d.ts +0 -21
- package/dist/lib/followers-handler.d.ts.map +0 -1
- package/dist/lib/followers-handler.js +0 -35
- package/dist/lib/followers-handler.js.map +0 -1
- package/dist/lib/routes/followers.d.ts +0 -6
- package/dist/lib/routes/followers.d.ts.map +0 -1
- package/dist/lib/routes/followers.js +0 -405
- package/dist/lib/routes/followers.js.map +0 -1
|
@@ -1,100 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* EncryptionService
|
|
3
|
-
*
|
|
4
|
-
* Provides shared cryptographic operations for Trellis:
|
|
5
|
-
* - AES-256-GCM encryption/decryption with AAD support
|
|
6
|
-
* - Key derivation (PBKDF2, with Argon2id support when available)
|
|
7
|
-
* - Hash functions (SHA-256)
|
|
8
|
-
* - Email hashing with pepper (HMAC-SHA-256)
|
|
9
|
-
*
|
|
10
|
-
* This service is used by:
|
|
11
|
-
* - Border Safety Mode
|
|
12
|
-
* - Encrypted DM
|
|
13
|
-
* - Secure Voting (hash functions only)
|
|
14
|
-
*/
|
|
15
|
-
import type { AAD, KDFParams } from "./types.js";
|
|
16
|
-
/**
|
|
17
|
-
* EncryptionService class for cryptographic operations
|
|
18
|
-
*/
|
|
19
|
-
export declare class EncryptionService {
|
|
20
|
-
/**
|
|
21
|
-
* Encrypt data using AES-256-GCM
|
|
22
|
-
*
|
|
23
|
-
* @param data - Data to encrypt (will be JSON stringified if not a string)
|
|
24
|
-
* @param key - CryptoKey for AES-256-GCM (256-bit)
|
|
25
|
-
* @param aad - Optional Additional Authenticated Data to bind to encryption
|
|
26
|
-
* @returns Base64-encoded encrypted data with IV and tag
|
|
27
|
-
* @throws Error if encryption fails
|
|
28
|
-
*/
|
|
29
|
-
static encrypt(data: string | object, key: CryptoKey, aad?: AAD): Promise<string>;
|
|
30
|
-
/**
|
|
31
|
-
* Decrypt data using AES-256-GCM
|
|
32
|
-
*
|
|
33
|
-
* @param encryptedData - Base64-encoded encrypted data with IV and tag
|
|
34
|
-
* @param key - CryptoKey for AES-256-GCM (256-bit)
|
|
35
|
-
* @param aad - Optional Additional Authenticated Data (must match encryption)
|
|
36
|
-
* @returns Decrypted data as string
|
|
37
|
-
* @throws Error if decryption fails (invalid key, tampered data, etc.)
|
|
38
|
-
*/
|
|
39
|
-
static decrypt(encryptedData: string, key: CryptoKey, aad?: AAD): Promise<string>;
|
|
40
|
-
/**
|
|
41
|
-
* Derive encryption key from password using PBKDF2 or Argon2id
|
|
42
|
-
*
|
|
43
|
-
* Note: Argon2id requires a library (not available in WebCrypto API).
|
|
44
|
-
* This implementation supports PBKDF2. For Argon2id, use a library like
|
|
45
|
-
* 'argon2-browser' or 'argon2-wasm' and call this method with algorithm='pbkdf2'
|
|
46
|
-
* as fallback, or implement Argon2id separately.
|
|
47
|
-
*
|
|
48
|
-
* @param password - Password to derive key from
|
|
49
|
-
* @param salt - Salt (base64-encoded, minimum 128 bits / 16 bytes)
|
|
50
|
-
* @param kdfParams - Key derivation parameters
|
|
51
|
-
* @returns CryptoKey for AES-256-GCM
|
|
52
|
-
* @throws Error if key derivation fails or parameters are invalid
|
|
53
|
-
*/
|
|
54
|
-
static deriveKey(password: string, salt: string, kdfParams: KDFParams): Promise<CryptoKey>;
|
|
55
|
-
/**
|
|
56
|
-
* Hash data using SHA-256
|
|
57
|
-
*
|
|
58
|
-
* @param data - Data to hash (string or object)
|
|
59
|
-
* @returns SHA-256 hash as hex string
|
|
60
|
-
*/
|
|
61
|
-
static hash(data: string | object): Promise<string>;
|
|
62
|
-
/**
|
|
63
|
-
* Hash email address using HMAC-SHA-256 with pepper
|
|
64
|
-
*
|
|
65
|
-
* This provides privacy-preserving email hashing for zero-knowledge lookups.
|
|
66
|
-
* The email is normalized (lowercased and trimmed) before hashing.
|
|
67
|
-
*
|
|
68
|
-
* @param email - Email address to hash
|
|
69
|
-
* @param pepper - Secret pepper value (should be stored server-side, not in code)
|
|
70
|
-
* @returns HMAC-SHA-256 hash as hex string
|
|
71
|
-
* @throws Error if email is empty or invalid after normalization
|
|
72
|
-
*/
|
|
73
|
-
static hashEmail(email: string, pepper: string): Promise<string>;
|
|
74
|
-
/**
|
|
75
|
-
* Generate a random salt (128 bits / 16 bytes)
|
|
76
|
-
*
|
|
77
|
-
* @returns Base64-encoded salt
|
|
78
|
-
*/
|
|
79
|
-
static generateSalt(): string;
|
|
80
|
-
/**
|
|
81
|
-
* Extract IV from encrypted data for reuse detection
|
|
82
|
-
*
|
|
83
|
-
* This is a utility function for server-side IV reuse detection.
|
|
84
|
-
* The server should track IVs per key to prevent reuse.
|
|
85
|
-
*
|
|
86
|
-
* @param encryptedData - Base64-encoded encrypted data
|
|
87
|
-
* @returns IV as base64 string
|
|
88
|
-
* @throws Error if encrypted data format is invalid
|
|
89
|
-
*/
|
|
90
|
-
static extractIV(encryptedData: string): string;
|
|
91
|
-
/**
|
|
92
|
-
* Convert ArrayBuffer to base64 string
|
|
93
|
-
*/
|
|
94
|
-
private static arrayBufferToBase64;
|
|
95
|
-
/**
|
|
96
|
-
* Convert base64 string to ArrayBuffer
|
|
97
|
-
*/
|
|
98
|
-
private static base64ToArrayBuffer;
|
|
99
|
-
}
|
|
100
|
-
//# sourceMappingURL=encryption-service.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"encryption-service.d.ts","sourceRoot":"","sources":["../../../src/lib/crypto/encryption-service.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,GAAG,EAAiB,SAAS,EAAE,MAAM,YAAY,CAAC;AAGhE;;GAEG;AACH,qBAAa,iBAAiB;IAC5B;;;;;;;;OAQG;WACU,OAAO,CAClB,IAAI,EAAE,MAAM,GAAG,MAAM,EACrB,GAAG,EAAE,SAAS,EACd,GAAG,CAAC,EAAE,GAAG,GACR,OAAO,CAAC,MAAM,CAAC;IAiDlB;;;;;;;;OAQG;WACU,OAAO,CAClB,aAAa,EAAE,MAAM,EACrB,GAAG,EAAE,SAAS,EACd,GAAG,CAAC,EAAE,GAAG,GACR,OAAO,CAAC,MAAM,CAAC;IAwElB;;;;;;;;;;;;;OAaG;WACU,SAAS,CACpB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,SAAS,GACnB,OAAO,CAAC,SAAS,CAAC;IA0ErB;;;;;OAKG;WACU,IAAI,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAUzD;;;;;;;;;;OAUG;WACU,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAkCtE;;;;OAIG;IACH,MAAM,CAAC,YAAY,IAAI,MAAM;IAK7B;;;;;;;;;OASG;IACH,MAAM,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,GAAG,MAAM;IAY/C;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAOlC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;CAQnC"}
|
|
@@ -1,293 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* EncryptionService
|
|
4
|
-
*
|
|
5
|
-
* Provides shared cryptographic operations for Trellis:
|
|
6
|
-
* - AES-256-GCM encryption/decryption with AAD support
|
|
7
|
-
* - Key derivation (PBKDF2, with Argon2id support when available)
|
|
8
|
-
* - Hash functions (SHA-256)
|
|
9
|
-
* - Email hashing with pepper (HMAC-SHA-256)
|
|
10
|
-
*
|
|
11
|
-
* This service is used by:
|
|
12
|
-
* - Border Safety Mode
|
|
13
|
-
* - Encrypted DM
|
|
14
|
-
* - Secure Voting (hash functions only)
|
|
15
|
-
*/
|
|
16
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
17
|
-
exports.EncryptionService = void 0;
|
|
18
|
-
const versioning_js_1 = require("./versioning.js");
|
|
19
|
-
/**
|
|
20
|
-
* EncryptionService class for cryptographic operations
|
|
21
|
-
*/
|
|
22
|
-
class EncryptionService {
|
|
23
|
-
/**
|
|
24
|
-
* Encrypt data using AES-256-GCM
|
|
25
|
-
*
|
|
26
|
-
* @param data - Data to encrypt (will be JSON stringified if not a string)
|
|
27
|
-
* @param key - CryptoKey for AES-256-GCM (256-bit)
|
|
28
|
-
* @param aad - Optional Additional Authenticated Data to bind to encryption
|
|
29
|
-
* @returns Base64-encoded encrypted data with IV and tag
|
|
30
|
-
* @throws Error if encryption fails
|
|
31
|
-
*/
|
|
32
|
-
static async encrypt(data, key, aad) {
|
|
33
|
-
// Validate key
|
|
34
|
-
if (key.algorithm.name !== "AES-GCM" || key.extractable) {
|
|
35
|
-
throw new Error("Invalid key: must be AES-GCM key and non-extractable");
|
|
36
|
-
}
|
|
37
|
-
// Convert data to string if needed
|
|
38
|
-
const dataString = typeof data === "string" ? data : JSON.stringify(data);
|
|
39
|
-
const dataBytes = new TextEncoder().encode(dataString);
|
|
40
|
-
// Generate random IV (12 bytes for GCM)
|
|
41
|
-
const iv = crypto.getRandomValues(new Uint8Array(12));
|
|
42
|
-
// Prepare AAD if provided
|
|
43
|
-
let aadBytes;
|
|
44
|
-
if (aad) {
|
|
45
|
-
const aadString = JSON.stringify(aad);
|
|
46
|
-
aadBytes = new TextEncoder().encode(aadString).buffer;
|
|
47
|
-
}
|
|
48
|
-
// Encrypt with AAD
|
|
49
|
-
const encrypted = await crypto.subtle.encrypt({
|
|
50
|
-
name: "AES-GCM",
|
|
51
|
-
iv: iv,
|
|
52
|
-
additionalData: aadBytes,
|
|
53
|
-
tagLength: 128, // 128-bit authentication tag
|
|
54
|
-
}, key, dataBytes);
|
|
55
|
-
// Extract tag (last 16 bytes) and encrypted data
|
|
56
|
-
const encryptedArray = new Uint8Array(encrypted);
|
|
57
|
-
const tag = encryptedArray.slice(-16); // Last 16 bytes are the tag
|
|
58
|
-
const ciphertext = encryptedArray.slice(0, -16); // Rest is ciphertext
|
|
59
|
-
// Create result object with version
|
|
60
|
-
const result = {
|
|
61
|
-
iv: this.arrayBufferToBase64(iv),
|
|
62
|
-
data: this.arrayBufferToBase64(ciphertext),
|
|
63
|
-
tag: this.arrayBufferToBase64(tag),
|
|
64
|
-
version: versioning_js_1.ParameterVersionManager.getCurrentVersion(),
|
|
65
|
-
};
|
|
66
|
-
// Return base64-encoded JSON
|
|
67
|
-
return btoa(JSON.stringify(result));
|
|
68
|
-
}
|
|
69
|
-
/**
|
|
70
|
-
* Decrypt data using AES-256-GCM
|
|
71
|
-
*
|
|
72
|
-
* @param encryptedData - Base64-encoded encrypted data with IV and tag
|
|
73
|
-
* @param key - CryptoKey for AES-256-GCM (256-bit)
|
|
74
|
-
* @param aad - Optional Additional Authenticated Data (must match encryption)
|
|
75
|
-
* @returns Decrypted data as string
|
|
76
|
-
* @throws Error if decryption fails (invalid key, tampered data, etc.)
|
|
77
|
-
*/
|
|
78
|
-
static async decrypt(encryptedData, key, aad) {
|
|
79
|
-
// Validate key
|
|
80
|
-
if (key.algorithm.name !== "AES-GCM" || key.extractable) {
|
|
81
|
-
throw new Error("Invalid key: must be AES-GCM key and non-extractable");
|
|
82
|
-
}
|
|
83
|
-
// Parse encrypted data
|
|
84
|
-
let parsed;
|
|
85
|
-
try {
|
|
86
|
-
parsed = JSON.parse(atob(encryptedData));
|
|
87
|
-
}
|
|
88
|
-
catch (error) {
|
|
89
|
-
throw new Error("Invalid encrypted data format");
|
|
90
|
-
}
|
|
91
|
-
// Validate structure (data can be empty string, but fields must exist)
|
|
92
|
-
if (parsed.iv === undefined ||
|
|
93
|
-
parsed.data === undefined ||
|
|
94
|
-
parsed.tag === undefined) {
|
|
95
|
-
throw new Error("Invalid encrypted data: missing IV, data, or tag");
|
|
96
|
-
}
|
|
97
|
-
// Validate version if present
|
|
98
|
-
if (parsed.version) {
|
|
99
|
-
try {
|
|
100
|
-
versioning_js_1.ParameterVersionManager.validateAndNormalize(parsed.version);
|
|
101
|
-
}
|
|
102
|
-
catch (error) {
|
|
103
|
-
throw new Error(`Invalid or unsupported encryption version: ${parsed.version}. ${error instanceof Error ? error.message : String(error)}`);
|
|
104
|
-
}
|
|
105
|
-
}
|
|
106
|
-
// Decode IV, ciphertext, and tag
|
|
107
|
-
const iv = this.base64ToArrayBuffer(parsed.iv);
|
|
108
|
-
const ciphertext = this.base64ToArrayBuffer(parsed.data);
|
|
109
|
-
const tag = this.base64ToArrayBuffer(parsed.tag);
|
|
110
|
-
// Combine ciphertext and tag (GCM expects them together)
|
|
111
|
-
const encrypted = new Uint8Array(ciphertext.byteLength + tag.byteLength);
|
|
112
|
-
encrypted.set(new Uint8Array(ciphertext), 0);
|
|
113
|
-
encrypted.set(new Uint8Array(tag), ciphertext.byteLength);
|
|
114
|
-
// Prepare AAD if provided
|
|
115
|
-
let aadBytes;
|
|
116
|
-
if (aad) {
|
|
117
|
-
const aadString = JSON.stringify(aad);
|
|
118
|
-
aadBytes = new TextEncoder().encode(aadString).buffer;
|
|
119
|
-
}
|
|
120
|
-
// Decrypt with AAD verification
|
|
121
|
-
try {
|
|
122
|
-
const decrypted = await crypto.subtle.decrypt({
|
|
123
|
-
name: "AES-GCM",
|
|
124
|
-
iv: iv,
|
|
125
|
-
additionalData: aadBytes,
|
|
126
|
-
tagLength: 128,
|
|
127
|
-
}, key, encrypted.buffer);
|
|
128
|
-
return new TextDecoder().decode(decrypted);
|
|
129
|
-
}
|
|
130
|
-
catch (error) {
|
|
131
|
-
throw new Error("Decryption failed: invalid key, tampered data, or AAD mismatch");
|
|
132
|
-
}
|
|
133
|
-
}
|
|
134
|
-
/**
|
|
135
|
-
* Derive encryption key from password using PBKDF2 or Argon2id
|
|
136
|
-
*
|
|
137
|
-
* Note: Argon2id requires a library (not available in WebCrypto API).
|
|
138
|
-
* This implementation supports PBKDF2. For Argon2id, use a library like
|
|
139
|
-
* 'argon2-browser' or 'argon2-wasm' and call this method with algorithm='pbkdf2'
|
|
140
|
-
* as fallback, or implement Argon2id separately.
|
|
141
|
-
*
|
|
142
|
-
* @param password - Password to derive key from
|
|
143
|
-
* @param salt - Salt (base64-encoded, minimum 128 bits / 16 bytes)
|
|
144
|
-
* @param kdfParams - Key derivation parameters
|
|
145
|
-
* @returns CryptoKey for AES-256-GCM
|
|
146
|
-
* @throws Error if key derivation fails or parameters are invalid
|
|
147
|
-
*/
|
|
148
|
-
static async deriveKey(password, salt, kdfParams) {
|
|
149
|
-
// Validate inputs
|
|
150
|
-
if (!password || typeof password !== "string") {
|
|
151
|
-
throw new Error("Password must be a non-empty string");
|
|
152
|
-
}
|
|
153
|
-
if (!salt || typeof salt !== "string") {
|
|
154
|
-
throw new Error("Salt must be a non-empty string");
|
|
155
|
-
}
|
|
156
|
-
// Decode salt
|
|
157
|
-
let saltBuffer;
|
|
158
|
-
try {
|
|
159
|
-
saltBuffer = this.base64ToArrayBuffer(salt);
|
|
160
|
-
}
|
|
161
|
-
catch (error) {
|
|
162
|
-
throw new Error("Invalid salt format: must be base64-encoded");
|
|
163
|
-
}
|
|
164
|
-
const saltBytes = new Uint8Array(saltBuffer);
|
|
165
|
-
// Validate salt size (minimum 128 bits / 16 bytes)
|
|
166
|
-
if (saltBytes.length < 16) {
|
|
167
|
-
throw new Error("Salt must be at least 128 bits (16 bytes)");
|
|
168
|
-
}
|
|
169
|
-
// Handle Argon2id (not supported by WebCrypto API)
|
|
170
|
-
if (kdfParams.algorithm === "argon2id") {
|
|
171
|
-
throw new Error("Argon2id not supported in WebCrypto API. Use a library like argon2-browser or fallback to PBKDF2.");
|
|
172
|
-
}
|
|
173
|
-
// PBKDF2 implementation
|
|
174
|
-
if (kdfParams.algorithm !== "pbkdf2") {
|
|
175
|
-
throw new Error(`Unsupported KDF algorithm: ${kdfParams.algorithm}`);
|
|
176
|
-
}
|
|
177
|
-
// Validate and normalize version
|
|
178
|
-
const version = versioning_js_1.ParameterVersionManager.validateAndNormalize(kdfParams.version);
|
|
179
|
-
// Validate PBKDF2 parameters
|
|
180
|
-
const iterations = kdfParams.iterations ?? 600000;
|
|
181
|
-
if (iterations < 600000) {
|
|
182
|
-
throw new Error("PBKDF2 iterations must be at least 600,000 for security");
|
|
183
|
-
}
|
|
184
|
-
// Import password as key material
|
|
185
|
-
const keyMaterial = await crypto.subtle.importKey("raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveBits", "deriveKey"]);
|
|
186
|
-
// Derive 256-bit key for AES-256
|
|
187
|
-
return crypto.subtle.deriveKey({
|
|
188
|
-
name: "PBKDF2",
|
|
189
|
-
salt: saltBuffer,
|
|
190
|
-
iterations: iterations,
|
|
191
|
-
hash: "SHA-256",
|
|
192
|
-
}, keyMaterial, { name: "AES-GCM", length: 256 }, false, // Not extractable
|
|
193
|
-
["encrypt", "decrypt"]);
|
|
194
|
-
}
|
|
195
|
-
/**
|
|
196
|
-
* Hash data using SHA-256
|
|
197
|
-
*
|
|
198
|
-
* @param data - Data to hash (string or object)
|
|
199
|
-
* @returns SHA-256 hash as hex string
|
|
200
|
-
*/
|
|
201
|
-
static async hash(data) {
|
|
202
|
-
const dataString = typeof data === "string" ? data : JSON.stringify(data);
|
|
203
|
-
const dataBytes = new TextEncoder().encode(dataString);
|
|
204
|
-
const hashBuffer = await crypto.subtle.digest("SHA-256", dataBytes);
|
|
205
|
-
// Convert to hex string
|
|
206
|
-
const hashArray = Array.from(new Uint8Array(hashBuffer));
|
|
207
|
-
return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
|
|
208
|
-
}
|
|
209
|
-
/**
|
|
210
|
-
* Hash email address using HMAC-SHA-256 with pepper
|
|
211
|
-
*
|
|
212
|
-
* This provides privacy-preserving email hashing for zero-knowledge lookups.
|
|
213
|
-
* The email is normalized (lowercased and trimmed) before hashing.
|
|
214
|
-
*
|
|
215
|
-
* @param email - Email address to hash
|
|
216
|
-
* @param pepper - Secret pepper value (should be stored server-side, not in code)
|
|
217
|
-
* @returns HMAC-SHA-256 hash as hex string
|
|
218
|
-
* @throws Error if email is empty or invalid after normalization
|
|
219
|
-
*/
|
|
220
|
-
static async hashEmail(email, pepper) {
|
|
221
|
-
if (!email || typeof email !== "string") {
|
|
222
|
-
throw new Error("Email must be a non-empty string");
|
|
223
|
-
}
|
|
224
|
-
if (!pepper || typeof pepper !== "string") {
|
|
225
|
-
throw new Error("Pepper must be a non-empty string");
|
|
226
|
-
}
|
|
227
|
-
// Normalize email: lowercase and trim
|
|
228
|
-
const normalizedEmail = email.toLowerCase().trim();
|
|
229
|
-
if (normalizedEmail.length === 0) {
|
|
230
|
-
throw new Error("Email cannot be empty after normalization");
|
|
231
|
-
}
|
|
232
|
-
// Import pepper as HMAC key
|
|
233
|
-
const pepperKey = await crypto.subtle.importKey("raw", new TextEncoder().encode(pepper), { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
|
|
234
|
-
// Compute HMAC
|
|
235
|
-
const emailBytes = new TextEncoder().encode(normalizedEmail);
|
|
236
|
-
const signature = await crypto.subtle.sign("HMAC", pepperKey, emailBytes);
|
|
237
|
-
// Convert to hex string
|
|
238
|
-
const hashArray = Array.from(new Uint8Array(signature));
|
|
239
|
-
return hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
|
|
240
|
-
}
|
|
241
|
-
/**
|
|
242
|
-
* Generate a random salt (128 bits / 16 bytes)
|
|
243
|
-
*
|
|
244
|
-
* @returns Base64-encoded salt
|
|
245
|
-
*/
|
|
246
|
-
static generateSalt() {
|
|
247
|
-
const salt = crypto.getRandomValues(new Uint8Array(16));
|
|
248
|
-
return this.arrayBufferToBase64(salt);
|
|
249
|
-
}
|
|
250
|
-
/**
|
|
251
|
-
* Extract IV from encrypted data for reuse detection
|
|
252
|
-
*
|
|
253
|
-
* This is a utility function for server-side IV reuse detection.
|
|
254
|
-
* The server should track IVs per key to prevent reuse.
|
|
255
|
-
*
|
|
256
|
-
* @param encryptedData - Base64-encoded encrypted data
|
|
257
|
-
* @returns IV as base64 string
|
|
258
|
-
* @throws Error if encrypted data format is invalid
|
|
259
|
-
*/
|
|
260
|
-
static extractIV(encryptedData) {
|
|
261
|
-
try {
|
|
262
|
-
const parsed = JSON.parse(atob(encryptedData));
|
|
263
|
-
if (!parsed.iv) {
|
|
264
|
-
throw new Error("Invalid encrypted data: missing IV");
|
|
265
|
-
}
|
|
266
|
-
return parsed.iv;
|
|
267
|
-
}
|
|
268
|
-
catch (error) {
|
|
269
|
-
throw new Error("Invalid encrypted data format");
|
|
270
|
-
}
|
|
271
|
-
}
|
|
272
|
-
/**
|
|
273
|
-
* Convert ArrayBuffer to base64 string
|
|
274
|
-
*/
|
|
275
|
-
static arrayBufferToBase64(buffer) {
|
|
276
|
-
const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
|
|
277
|
-
const binary = String.fromCharCode(...bytes);
|
|
278
|
-
return btoa(binary);
|
|
279
|
-
}
|
|
280
|
-
/**
|
|
281
|
-
* Convert base64 string to ArrayBuffer
|
|
282
|
-
*/
|
|
283
|
-
static base64ToArrayBuffer(base64) {
|
|
284
|
-
const binary = atob(base64);
|
|
285
|
-
const bytes = new Uint8Array(binary.length);
|
|
286
|
-
for (let i = 0; i < binary.length; i++) {
|
|
287
|
-
bytes[i] = binary.charCodeAt(i);
|
|
288
|
-
}
|
|
289
|
-
return bytes.buffer;
|
|
290
|
-
}
|
|
291
|
-
}
|
|
292
|
-
exports.EncryptionService = EncryptionService;
|
|
293
|
-
//# sourceMappingURL=encryption-service.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"encryption-service.js","sourceRoot":"","sources":["../../../src/lib/crypto/encryption-service.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAGH,mDAA0D;AAE1D;;GAEG;AACH,MAAa,iBAAiB;IAC5B;;;;;;;;OAQG;IACH,MAAM,CAAC,KAAK,CAAC,OAAO,CAClB,IAAqB,EACrB,GAAc,EACd,GAAS;QAET,eAAe;QACf,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC1E,CAAC;QAED,mCAAmC;QACnC,MAAM,UAAU,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC1E,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAEvD,wCAAwC;QACxC,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;QAEtD,0BAA0B;QAC1B,IAAI,QAAiC,CAAC;QACtC,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACtC,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QACxD,CAAC;QAED,mBAAmB;QACnB,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C;YACE,IAAI,EAAE,SAAS;YACf,EAAE,EAAE,EAAE;YACN,cAAc,EAAE,QAAQ;YACxB,SAAS,EAAE,GAAG,EAAE,6BAA6B;SAC9C,EACD,GAAG,EACH,SAAS,CACV,CAAC;QAEF,iDAAiD;QACjD,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,4BAA4B;QACnE,MAAM,UAAU,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,qBAAqB;QAEtE,oCAAoC;QACpC,MAAM,MAAM,GAAkB;YAC5B,EAAE,EAAE,IAAI,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAChC,IAAI,EAAE,IAAI,CAAC,mBAAmB,CAAC,UAAU,CAAC;YAC1C,GAAG,EAAE,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC;YAClC,OAAO,EAAE,uCAAuB,CAAC,iBAAiB,EAAE;SACrD,CAAC;QAEF,6BAA6B;QAC7B,OAAO,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC;IACtC,CAAC;IAED;;;;;;;;OAQG;IACH,MAAM,CAAC,KAAK,CAAC,OAAO,CAClB,aAAqB,EACrB,GAAc,EACd,GAAS;QAET,eAAe;QACf,IAAI,GAAG,CAAC,SAAS,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC1E,CAAC;QAED,uBAAuB;QACvB,IAAI,MAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;QAED,uEAAuE;QACvE,IACE,MAAM,CAAC,EAAE,KAAK,SAAS;YACvB,MAAM,CAAC,IAAI,KAAK,SAAS;YACzB,MAAM,CAAC,GAAG,KAAK,SAAS,EACxB,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,8BAA8B;QAC9B,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,uCAAuB,CAAC,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC/D,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CACb,8CAA8C,MAAM,CAAC,OAAO,KAAK,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAC1H,CAAC;YACJ,CAAC;QACH,CAAC;QAED,iCAAiC;QACjC,MAAM,EAAE,GAAG,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,GAAG,GAAG,IAAI,CAAC,mBAAmB,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAEjD,yDAAyD;QACzD,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,UAAU,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC;QACzE,SAAS,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;QAC7C,SAAS,CAAC,GAAG,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,EAAE,UAAU,CAAC,UAAU,CAAC,CAAC;QAE1D,0BAA0B;QAC1B,IAAI,QAAiC,CAAC;QACtC,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACtC,QAAQ,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;QACxD,CAAC;QAED,gCAAgC;QAChC,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CAC3C;gBACE,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,EAAE;gBACN,cAAc,EAAE,QAAQ;gBACxB,SAAS,EAAE,GAAG;aACf,EACD,GAAG,EACH,SAAS,CAAC,MAAM,CACjB,CAAC;YAEF,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC7C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CACb,gEAAgE,CACjE,CAAC;QACJ,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,MAAM,CAAC,KAAK,CAAC,SAAS,CACpB,QAAgB,EAChB,IAAY,EACZ,SAAoB;QAEpB,kBAAkB;QAClB,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;QACrD,CAAC;QAED,cAAc;QACd,IAAI,UAAuB,CAAC;QAC5B,IAAI,CAAC;YACH,UAAU,GAAG,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;QAC9C,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;QACjE,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;QAE7C,mDAAmD;QACnD,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,mDAAmD;QACnD,IAAI,SAAS,CAAC,SAAS,KAAK,UAAU,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CACb,mGAAmG,CACpG,CAAC;QACJ,CAAC;QAED,wBAAwB;QACxB,IAAI,SAAS,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,8BAA8B,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC;QACvE,CAAC;QAED,iCAAiC;QACjC,MAAM,OAAO,GAAG,uCAAuB,CAAC,oBAAoB,CAC1D,SAAS,CAAC,OAAO,CAClB,CAAC;QAEF,6BAA6B;QAC7B,MAAM,UAAU,GAAG,SAAS,CAAC,UAAU,IAAI,MAAM,CAAC;QAClD,IAAI,UAAU,GAAG,MAAM,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CACb,yDAAyD,CAC1D,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC/C,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,EAClC,QAAQ,EACR,KAAK,EACL,CAAC,YAAY,EAAE,WAAW,CAAC,CAC5B,CAAC;QAEF,iCAAiC;QACjC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAC5B;YACE,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,UAAU;YAChB,UAAU,EAAE,UAAU;YACtB,IAAI,EAAE,SAAS;SAChB,EACD,WAAW,EACX,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,EAChC,KAAK,EAAE,kBAAkB;QACzB,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAqB;QACrC,MAAM,UAAU,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC1E,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACvD,MAAM,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;QAEpE,wBAAwB;QACxB,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;QACzD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxE,CAAC;IAED;;;;;;;;;;OAUG;IACH,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,KAAa,EAAE,MAAc;QAClD,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YACxC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC1C,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;QACvD,CAAC;QAED,sCAAsC;QACtC,MAAM,eAAe,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;QAEnD,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QAED,4BAA4B;QAC5B,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAC7C,KAAK,EACL,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,EAChC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,EACjC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QAEF,eAAe;QACf,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAC7D,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QAE1E,wBAAwB;QACxB,MAAM,SAAS,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC;QACxD,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxE,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,YAAY;QACjB,MAAM,IAAI,GAAG,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;IAED;;;;;;;;;OASG;IACH,MAAM,CAAC,SAAS,CAAC,aAAqB;QACpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAkB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC;YAC9D,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,CAAC;YACD,OAAO,MAAM,CAAC,EAAE,CAAC;QACnB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,mBAAmB,CAAC,MAAgC;QACjE,MAAM,KAAK,GACT,MAAM,YAAY,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;QACjE,MAAM,MAAM,GAAG,MAAM,CAAC,YAAY,CAAC,GAAG,KAAK,CAAC,CAAC;QAC7C,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;IACtB,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,mBAAmB,CAAC,MAAc;QAC/C,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAClC,CAAC;QACD,OAAO,KAAK,CAAC,MAAM,CAAC;IACtB,CAAC;CACF;AAlWD,8CAkWC"}
|
|
@@ -1,22 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* @de-otio/trellis (inlined crypto)
|
|
3
|
-
*
|
|
4
|
-
* Shared cryptographic library for Trellis
|
|
5
|
-
*
|
|
6
|
-
* Provides:
|
|
7
|
-
* - AES-256-GCM encryption/decryption with AAD support
|
|
8
|
-
* - Key derivation (PBKDF2, with Argon2id support when available)
|
|
9
|
-
* - Hash functions (SHA-256)
|
|
10
|
-
* - Email hashing with pepper (HMAC-SHA-256)
|
|
11
|
-
*
|
|
12
|
-
* Used by:
|
|
13
|
-
* - Border Safety Mode
|
|
14
|
-
* - Encrypted DM
|
|
15
|
-
* - Secure Voting (hash functions only)
|
|
16
|
-
*/
|
|
17
|
-
export { EncryptionService } from "./encryption-service.js";
|
|
18
|
-
export type { AAD, EncryptedData, KDFParams } from "./types.js";
|
|
19
|
-
export { ParameterVersionManager } from "./versioning.js";
|
|
20
|
-
export type { ParameterVersion } from "./versioning.js";
|
|
21
|
-
export { CURRENT_VERSION, MINIMUM_VERSION, SUPPORTED_VERSIONS, } from "./versioning.js";
|
|
22
|
-
//# sourceMappingURL=index.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/crypto/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAC5D,YAAY,EAAE,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAChE,OAAO,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAC1D,YAAY,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AACxD,OAAO,EACL,eAAe,EACf,eAAe,EACf,kBAAkB,GACnB,MAAM,iBAAiB,CAAC"}
|
package/dist/lib/crypto/index.js
DELETED
|
@@ -1,28 +0,0 @@
|
|
|
1
|
-
"use strict";
|
|
2
|
-
/**
|
|
3
|
-
* @de-otio/trellis (inlined crypto)
|
|
4
|
-
*
|
|
5
|
-
* Shared cryptographic library for Trellis
|
|
6
|
-
*
|
|
7
|
-
* Provides:
|
|
8
|
-
* - AES-256-GCM encryption/decryption with AAD support
|
|
9
|
-
* - Key derivation (PBKDF2, with Argon2id support when available)
|
|
10
|
-
* - Hash functions (SHA-256)
|
|
11
|
-
* - Email hashing with pepper (HMAC-SHA-256)
|
|
12
|
-
*
|
|
13
|
-
* Used by:
|
|
14
|
-
* - Border Safety Mode
|
|
15
|
-
* - Encrypted DM
|
|
16
|
-
* - Secure Voting (hash functions only)
|
|
17
|
-
*/
|
|
18
|
-
Object.defineProperty(exports, "__esModule", { value: true });
|
|
19
|
-
exports.SUPPORTED_VERSIONS = exports.MINIMUM_VERSION = exports.CURRENT_VERSION = exports.ParameterVersionManager = exports.EncryptionService = void 0;
|
|
20
|
-
var encryption_service_js_1 = require("./encryption-service.js");
|
|
21
|
-
Object.defineProperty(exports, "EncryptionService", { enumerable: true, get: function () { return encryption_service_js_1.EncryptionService; } });
|
|
22
|
-
var versioning_js_1 = require("./versioning.js");
|
|
23
|
-
Object.defineProperty(exports, "ParameterVersionManager", { enumerable: true, get: function () { return versioning_js_1.ParameterVersionManager; } });
|
|
24
|
-
var versioning_js_2 = require("./versioning.js");
|
|
25
|
-
Object.defineProperty(exports, "CURRENT_VERSION", { enumerable: true, get: function () { return versioning_js_2.CURRENT_VERSION; } });
|
|
26
|
-
Object.defineProperty(exports, "MINIMUM_VERSION", { enumerable: true, get: function () { return versioning_js_2.MINIMUM_VERSION; } });
|
|
27
|
-
Object.defineProperty(exports, "SUPPORTED_VERSIONS", { enumerable: true, get: function () { return versioning_js_2.SUPPORTED_VERSIONS; } });
|
|
28
|
-
//# sourceMappingURL=index.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/lib/crypto/index.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;GAeG;;;AAEH,iEAA4D;AAAnD,0HAAA,iBAAiB,OAAA;AAE1B,iDAA0D;AAAjD,wHAAA,uBAAuB,OAAA;AAEhC,iDAIyB;AAHvB,gHAAA,eAAe,OAAA;AACf,gHAAA,eAAe,OAAA;AACf,mHAAA,kBAAkB,OAAA"}
|
|
@@ -1,71 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Key Derivation Function Parameters
|
|
3
|
-
*/
|
|
4
|
-
export interface KDFParams {
|
|
5
|
-
/**
|
|
6
|
-
* Algorithm to use: 'argon2id' (preferred) or 'pbkdf2' (fallback)
|
|
7
|
-
*/
|
|
8
|
-
algorithm: "argon2id" | "pbkdf2";
|
|
9
|
-
/**
|
|
10
|
-
* Salt (128-bit minimum, 16 bytes)
|
|
11
|
-
* Stored as base64 string
|
|
12
|
-
*/
|
|
13
|
-
salt: string;
|
|
14
|
-
/**
|
|
15
|
-
* For PBKDF2: number of iterations (≥600,000 recommended)
|
|
16
|
-
* For Argon2id: time cost parameter (≥3 recommended)
|
|
17
|
-
*/
|
|
18
|
-
iterations?: number;
|
|
19
|
-
time?: number;
|
|
20
|
-
/**
|
|
21
|
-
* For Argon2id: memory cost in MB (≥64-128 MB recommended)
|
|
22
|
-
*/
|
|
23
|
-
memory?: number;
|
|
24
|
-
/**
|
|
25
|
-
* For Argon2id: parallelism parameter
|
|
26
|
-
*/
|
|
27
|
-
parallelism?: number;
|
|
28
|
-
/**
|
|
29
|
-
* Parameter version for future compatibility
|
|
30
|
-
*/
|
|
31
|
-
version?: string;
|
|
32
|
-
}
|
|
33
|
-
/**
|
|
34
|
-
* Encryption result containing IV, encrypted data, and authentication tag
|
|
35
|
-
*/
|
|
36
|
-
export interface EncryptedData {
|
|
37
|
-
/**
|
|
38
|
-
* Initialization Vector (12 bytes, 96 bits)
|
|
39
|
-
* Base64 encoded
|
|
40
|
-
*/
|
|
41
|
-
iv: string;
|
|
42
|
-
/**
|
|
43
|
-
* Encrypted data
|
|
44
|
-
* Base64 encoded
|
|
45
|
-
*/
|
|
46
|
-
data: string;
|
|
47
|
-
/**
|
|
48
|
-
* Authentication tag (16 bytes, 128 bits)
|
|
49
|
-
* Base64 encoded
|
|
50
|
-
*/
|
|
51
|
-
tag: string;
|
|
52
|
-
/**
|
|
53
|
-
* Parameter version (semantic versioning: MAJOR.MINOR.PATCH)
|
|
54
|
-
* Used for backward compatibility and parameter upgrades
|
|
55
|
-
* Example: "1.0.0"
|
|
56
|
-
*/
|
|
57
|
-
version?: string;
|
|
58
|
-
}
|
|
59
|
-
/**
|
|
60
|
-
* Additional Authenticated Data (AAD) schema
|
|
61
|
-
* Used to bind metadata to encryption
|
|
62
|
-
*/
|
|
63
|
-
export interface AAD {
|
|
64
|
-
userId?: string;
|
|
65
|
-
contextId?: string;
|
|
66
|
-
dataType?: string;
|
|
67
|
-
timestamp?: number;
|
|
68
|
-
sequence?: number;
|
|
69
|
-
[key: string]: string | number | undefined;
|
|
70
|
-
}
|
|
71
|
-
//# sourceMappingURL=types.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/lib/crypto/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,SAAS,EAAE,UAAU,GAAG,QAAQ,CAAC;IAEjC;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,EAAE,EAAE,MAAM,CAAC;IAEX;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;;OAIG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,GAAG;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;CAC5C"}
|
package/dist/lib/crypto/types.js
DELETED
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/lib/crypto/types.ts"],"names":[],"mappings":""}
|
|
@@ -1,112 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Parameter Versioning
|
|
3
|
-
*
|
|
4
|
-
* Manages versioning of cryptographic parameters to enable safe upgrades
|
|
5
|
-
* and maintain backward compatibility.
|
|
6
|
-
*
|
|
7
|
-
* Version Format: Semantic versioning (MAJOR.MINOR.PATCH)
|
|
8
|
-
* - Major: Breaking changes (algorithm change)
|
|
9
|
-
* - Minor: Parameter changes (iteration count increase)
|
|
10
|
-
* - Patch: Bug fixes
|
|
11
|
-
*
|
|
12
|
-
* @see doc/02-technical/architecture/cryptography/08-implementation-recommendations.md
|
|
13
|
-
*/
|
|
14
|
-
/**
|
|
15
|
-
* Parameter version information
|
|
16
|
-
*/
|
|
17
|
-
export interface ParameterVersion {
|
|
18
|
-
/**
|
|
19
|
-
* Version string in semantic versioning format (MAJOR.MINOR.PATCH)
|
|
20
|
-
* Example: "1.0.0", "1.1.0", "2.0.0"
|
|
21
|
-
*/
|
|
22
|
-
version: string;
|
|
23
|
-
/**
|
|
24
|
-
* Whether this version is deprecated
|
|
25
|
-
*/
|
|
26
|
-
deprecated?: boolean;
|
|
27
|
-
/**
|
|
28
|
-
* Deprecation date (ISO 8601)
|
|
29
|
-
*/
|
|
30
|
-
deprecatedAt?: string;
|
|
31
|
-
/**
|
|
32
|
-
* Removal date (ISO 8601) - when support will be removed
|
|
33
|
-
*/
|
|
34
|
-
removedAt?: string;
|
|
35
|
-
}
|
|
36
|
-
/**
|
|
37
|
-
* Supported parameter versions
|
|
38
|
-
*/
|
|
39
|
-
export declare const SUPPORTED_VERSIONS: Record<string, ParameterVersion>;
|
|
40
|
-
/**
|
|
41
|
-
* Current default version
|
|
42
|
-
*/
|
|
43
|
-
export declare const CURRENT_VERSION = "1.0.0";
|
|
44
|
-
/**
|
|
45
|
-
* Minimum supported version (for backward compatibility)
|
|
46
|
-
*/
|
|
47
|
-
export declare const MINIMUM_VERSION = "1.0.0";
|
|
48
|
-
/**
|
|
49
|
-
* Parameter version manager
|
|
50
|
-
*/
|
|
51
|
-
export declare class ParameterVersionManager {
|
|
52
|
-
/**
|
|
53
|
-
* Validate version format
|
|
54
|
-
*
|
|
55
|
-
* @param version - Version string to validate
|
|
56
|
-
* @returns true if valid semantic version format
|
|
57
|
-
*/
|
|
58
|
-
static isValidVersion(version: string): boolean;
|
|
59
|
-
/**
|
|
60
|
-
* Compare two versions
|
|
61
|
-
*
|
|
62
|
-
* @param version1 - First version
|
|
63
|
-
* @param version2 - Second version
|
|
64
|
-
* @returns -1 if version1 < version2, 0 if equal, 1 if version1 > version2
|
|
65
|
-
*/
|
|
66
|
-
static compareVersions(version1: string, version2: string): number;
|
|
67
|
-
/**
|
|
68
|
-
* Check if version is supported
|
|
69
|
-
*
|
|
70
|
-
* @param version - Version to check
|
|
71
|
-
* @returns true if version is supported
|
|
72
|
-
*/
|
|
73
|
-
static isSupported(version: string): boolean;
|
|
74
|
-
/**
|
|
75
|
-
* Check if version is deprecated
|
|
76
|
-
*
|
|
77
|
-
* @param version - Version to check
|
|
78
|
-
* @returns true if version is deprecated
|
|
79
|
-
*/
|
|
80
|
-
static isDeprecated(version: string): boolean;
|
|
81
|
-
/**
|
|
82
|
-
* Get version information
|
|
83
|
-
*
|
|
84
|
-
* @param version - Version string
|
|
85
|
-
* @returns Version information or null if not found
|
|
86
|
-
*/
|
|
87
|
-
static getVersionInfo(version: string): ParameterVersion | null;
|
|
88
|
-
/**
|
|
89
|
-
* Get current default version
|
|
90
|
-
*
|
|
91
|
-
* @returns Current version string
|
|
92
|
-
*/
|
|
93
|
-
static getCurrentVersion(): string;
|
|
94
|
-
/**
|
|
95
|
-
* Get minimum supported version
|
|
96
|
-
*
|
|
97
|
-
* @returns Minimum version string
|
|
98
|
-
*/
|
|
99
|
-
static getMinimumVersion(): string;
|
|
100
|
-
/**
|
|
101
|
-
* Validate and normalize version
|
|
102
|
-
*
|
|
103
|
-
* If version is not provided, returns current version.
|
|
104
|
-
* If version is invalid, throws error.
|
|
105
|
-
*
|
|
106
|
-
* @param version - Optional version string
|
|
107
|
-
* @returns Validated version string
|
|
108
|
-
* @throws Error if version is invalid
|
|
109
|
-
*/
|
|
110
|
-
static validateAndNormalize(version?: string): string;
|
|
111
|
-
}
|
|
112
|
-
//# sourceMappingURL=versioning.d.ts.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"versioning.d.ts","sourceRoot":"","sources":["../../../src/lib/crypto/versioning.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;;OAGG;IACH,OAAO,EAAE,MAAM,CAAC;IAEhB;;OAEG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;OAEG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,eAAO,MAAM,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,gBAAgB,CAK/D,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,eAAe,UAAU,CAAC;AAEvC;;GAEG;AACH,eAAO,MAAM,eAAe,UAAU,CAAC;AAEvC;;GAEG;AACH,qBAAa,uBAAuB;IAClC;;;;;OAKG;IACH,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAM/C;;;;;;OAMG;IACH,MAAM,CAAC,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM;IAgBlE;;;;;OAKG;IACH,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAiB5C;;;;;OAKG;IACH,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAK7C;;;;;OAKG;IACH,MAAM,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,GAAG,IAAI;IAI/D;;;;OAIG;IACH,MAAM,CAAC,iBAAiB,IAAI,MAAM;IAIlC;;;;OAIG;IACH,MAAM,CAAC,iBAAiB,IAAI,MAAM;IAIlC;;;;;;;;;OASG;IACH,MAAM,CAAC,oBAAoB,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM;CAmBtD"}
|