npm - @dynamic-labs-wallet/forward-mpc-shared - Versions diffs - 0.2.0 → 0.3.0 - Mend

@dynamic-labs-wallet/forward-mpc-shared 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { either } from 'fp-ts';
-import { Type, failure, success, type, partial, number, string, union, undefined as _undefined, intersection, literal, identity, unknown } from 'io-ts';
+import { Type, failure, success, type, partial, number, string, union, undefined as _undefined, intersection, literal, identity, unknown, array } from 'io-ts';
 import { hexToBytes, bytesToHex, randomBytes } from '@noble/hashes/utils.js';
 import { SigningAlgorithm } from '@dynamic-labs-wallet/core';
 import { ml_kem768 } from '@noble/post-quantum/ml-kem.js';
@@ -82,7 +82,7 @@ var Uint32ArrayCodec = new Type(
     return bytesToHex(uint8Array);
   }
 );
-var EncryptedKeyshareCodec = type({
+var EncryptedPayloadCodec = type({
   salt: Uint8ArrayCodec,
   encryptedPayload: Uint8ArrayCodec
 });
@@ -189,7 +189,7 @@ function createSimpleMessage(config) {
       ...data
     }), "encodeData"),
     decodeData: /* @__PURE__ */ __name((decoded) => {
-      const { type: type7, version, ...data } = decoded;
+      const { type: type8, version, ...data } = decoded;
       return data;
     }, "decodeData")
   });
@@ -468,7 +468,7 @@ var Uint8ArrayOrHexCodec = new Type(
 // src/messages/SignMessageV1Request.ts
 var SignMessageRequestSchema = buildMessageSchema("signMessage", 1, {
   relayDomain: DomainCodec,
-  keyshare: EncryptedKeyshareCodec,
+  keyshare: EncryptedPayloadCodec,
   message: Uint8ArrayOrHexCodec,
   roomUuid: string,
   userId: OptionalStringCodec,
@@ -483,7 +483,7 @@ var SignMessageV1RequestMessage = createStandardMessage({
     signingAlgo: /* @__PURE__ */ __name((value) => fromDynamicSigningAlgorithm(value), "signingAlgo"),
     derivationPath: /* @__PURE__ */ __name((value) => Uint32ArrayCodec.encode(value), "derivationPath"),
     tweak: /* @__PURE__ */ __name((value) => Uint8ArrayCodec.encode(value), "tweak"),
-    keyshare: /* @__PURE__ */ __name((value) => EncryptedKeyshareCodec.encode(value), "keyshare"),
+    keyshare: /* @__PURE__ */ __name((value) => EncryptedPayloadCodec.encode(value), "keyshare"),
     message: /* @__PURE__ */ __name((value) => Uint8ArrayOrHexCodec.encode(value), "message")
   }),
   decodeData: createStandardDecoder((decoded) => ({
@@ -553,6 +553,139 @@ var ConnectionAckV1ResponseMessage = createSimpleMessage({
   version: 1,
   schema: ConnectionAckResponseSchema
 });
+var BaseKeygenParamsCodec = type({
+  relayDomain: DomainCodec,
+  roomUuid: string,
+  numParties: number,
+  threshold: number,
+  keygenInit: EncryptedPayloadCodec,
+  keygenIds: array(string),
+  userId: OptionalStringCodec,
+  environmentId: OptionalStringCodec,
+  traceContext: TraceContextCodec
+});
+var EcdsaKeygenParamsCodec = type({
+  ...BaseKeygenParamsCodec.props,
+  signingAlgo: literal("ecdsa")
+});
+var BIP340KeygenParamsCodec = type({
+  ...BaseKeygenParamsCodec.props,
+  signingAlgo: literal("bip340")
+});
+var KeygenAlgoParamsCodec = union([
+  EcdsaKeygenParamsCodec,
+  BIP340KeygenParamsCodec
+]);
+var KeygenRequestSchema = buildMessageSchema("keygen", 1, {
+  relayDomain: DomainCodec,
+  roomUuid: string,
+  numParties: number,
+  threshold: number,
+  keygenInit: EncryptedPayloadCodec,
+  keygenIds: array(string),
+  userId: OptionalStringCodec,
+  environmentId: OptionalStringCodec,
+  traceContext: TraceContextCodec
+}, KeygenAlgoParamsCodec);
+var KeygenV1RequestMessage = createStandardMessage({
+  messageType: "keygen",
+  version: 1,
+  schema: KeygenRequestSchema,
+  encodeData: createComplexEncoder("keygen", 1, {
+    signingAlgo: /* @__PURE__ */ __name((value) => fromDynamicSigningAlgorithm(value), "signingAlgo"),
+    keygenInit: /* @__PURE__ */ __name((value) => EncryptedPayloadCodec.encode(value), "keygenInit")
+  }),
+  decodeData: createStandardDecoder((decoded) => ({
+    relayDomain: decoded.relayDomain,
+    signingAlgo: decoded.signingAlgo,
+    roomUuid: decoded.roomUuid,
+    numParties: decoded.numParties,
+    threshold: decoded.threshold,
+    keygenInit: decoded.keygenInit,
+    keygenIds: decoded.keygenIds,
+    userId: decoded.userId,
+    environmentId: decoded.environmentId,
+    traceContext: decoded.traceContext
+  }))
+});
+var KeygenResponseSchema = buildMessageSchema("keygen_response", 1, {
+  keygenResult: union([
+    EncryptedPayloadCodec,
+    _undefined
+  ]),
+  error: union([
+    WebSocketErrorCodec,
+    _undefined
+  ])
+});
+var KeygenV1ResponseMessage = createStandardMessage({
+  messageType: "keygen_response",
+  version: 1,
+  schema: KeygenResponseSchema,
+  encodeData: createComplexEncoder("keygen_response", 1, {
+    keygenResult: /* @__PURE__ */ __name((value) => EncryptedPayloadCodec.encode(value), "keygenResult")
+  }),
+  decodeData: createStandardDecoder((decoded) => ({
+    keygenResult: decoded.keygenResult,
+    error: decoded.error
+  }))
+});
+var ReceiveKeyRequestSchema = buildMessageSchema("receiveKey", 1, {
+  relayDomain: DomainCodec,
+  signingAlgo: literal("ed25519"),
+  roomUuid: string,
+  numParties: number,
+  threshold: number,
+  keygenInit: EncryptedPayloadCodec,
+  keygenIds: array(string),
+  userId: OptionalStringCodec,
+  environmentId: OptionalStringCodec,
+  traceContext: TraceContextCodec
+});
+var ReceiveKeyV1RequestMessage = createStandardMessage({
+  messageType: "receiveKey",
+  version: 1,
+  schema: ReceiveKeyRequestSchema,
+  encodeData: /* @__PURE__ */ __name((data) => ReceiveKeyRequestSchema.encode({
+    type: "receiveKey",
+    version: 1,
+    ...data
+  }), "encodeData"),
+  decodeData: createStandardDecoder((decoded) => ({
+    relayDomain: decoded.relayDomain,
+    signingAlgo: decoded.signingAlgo,
+    roomUuid: decoded.roomUuid,
+    numParties: decoded.numParties,
+    threshold: decoded.threshold,
+    keygenInit: decoded.keygenInit,
+    keygenIds: decoded.keygenIds,
+    userId: decoded.userId,
+    environmentId: decoded.environmentId,
+    traceContext: decoded.traceContext
+  }))
+});
+var ReceiveKeyResponseSchema = buildMessageSchema("receiveKey_response", 1, {
+  keygenResult: union([
+    EncryptedPayloadCodec,
+    _undefined
+  ]),
+  error: union([
+    WebSocketErrorCodec,
+    _undefined
+  ])
+});
+var ReceiveKeyV1ResponseMessage = createStandardMessage({
+  messageType: "receiveKey_response",
+  version: 1,
+  schema: ReceiveKeyResponseSchema,
+  encodeData: createComplexEncoder("receiveKey_response", 1, {
+    keygenResult: /* @__PURE__ */ __name((value) => EncryptedPayloadCodec.encode(value), "keygenResult")
+  }),
+  decodeData: createStandardDecoder((decoded) => ({
+    keygenResult: decoded.keygenResult,
+    error: decoded.error
+  }))
+});
 // src/messages/allMessages.ts
 var ALL_MESSAGE_CLASSES = {
@@ -561,37 +694,41 @@ var ALL_MESSAGE_CLASSES = {
   "signMessage@1": SignMessageV1RequestMessage,
   "signMessage_response@1": SignMessageV1ResponseMessage,
   "connection_ack@1": ConnectionAckV1RequestMessage,
-  "connection_ack_response@1": ConnectionAckV1ResponseMessage
+  "connection_ack_response@1": ConnectionAckV1ResponseMessage,
+  "keygen@1": KeygenV1RequestMessage,
+  "keygen_response@1": KeygenV1ResponseMessage,
+  "receiveKey@1": ReceiveKeyV1RequestMessage,
+  "receiveKey_response@1": ReceiveKeyV1ResponseMessage
 };
 var ALL_MESSAGE_KEYS = Object.keys(ALL_MESSAGE_CLASSES);
-function getMessageClass(type7, version) {
-  const key = `${type7}@${version}`;
+function getMessageClass(type8, version) {
+  const key = `${type8}@${version}`;
   const MessageClass = ALL_MESSAGE_CLASSES[key];
   if (!MessageClass) {
-    throw new Error(`Unknown message type: ${type7} version ${version}`);
+    throw new Error(`Unknown message type: ${type8} version ${version}`);
   }
   return MessageClass;
 }
 __name(getMessageClass, "getMessageClass");
-function isValidMessageType(type7, version) {
-  const key = `${type7}@${version}`;
+function isValidMessageType(type8, version) {
+  const key = `${type8}@${version}`;
   return key in ALL_MESSAGE_CLASSES;
 }
 __name(isValidMessageType, "isValidMessageType");
 function getAllSupportedMessages() {
   return ALL_MESSAGE_KEYS.map((key) => {
-    const [type7, versionStr] = key.split("@");
+    const [type8, versionStr] = key.split("@");
     return {
-      type: type7,
+      type: type8,
       version: parseInt(versionStr, 10)
     };
   });
 }
 __name(getAllSupportedMessages, "getAllSupportedMessages");
 function parseMessageKey(key) {
-  const [type7, versionStr] = key.split("@");
+  const [type8, versionStr] = key.split("@");
   return {
-    type: type7,
+    type: type8,
     version: parseInt(versionStr, 10)
   };
 }
@@ -614,9 +751,9 @@ var MessageRegistry = class _MessageRegistry {
   /**
   * Get a message class by type and version (derived from single source)
   */
-  getMessageClass(type7, version) {
+  getMessageClass(type8, version) {
     try {
-      return getMessageClass(type7, version);
+      return getMessageClass(type8, version);
     } catch {
       return void 0;
     }
@@ -631,18 +768,18 @@ var MessageRegistry = class _MessageRegistry {
         left: "Invalid wire data: must be an object"
       };
     }
-    const { type: type7, version } = wireData;
-    if (!type7 || !version) {
+    const { type: type8, version } = wireData;
+    if (!type8 || !version) {
       return {
         _tag: "Left",
         left: "Invalid wire data: missing type or version"
       };
     }
-    const MessageClass = this.getMessageClass(type7, version);
+    const MessageClass = this.getMessageClass(type8, version);
     if (!MessageClass) {
       return {
         _tag: "Left",
-        left: `Unknown message type: ${type7}@${version}`
+        left: `Unknown message type: ${type8}@${version}`
       };
     }
     const result = MessageClass.decode(wireData);
@@ -667,7 +804,7 @@ var MessageRegistry = class _MessageRegistry {
   * Get all registered message types (derived from single source)
   */
   getRegisteredTypes() {
-    return getAllSupportedMessages().map(({ type: type7, version }) => `${type7}@${version}`);
+    return getAllSupportedMessages().map(({ type: type8, version }) => `${type8}@${version}`);
   }
 };
 var messageRegistry = MessageRegistry.getInstance();
@@ -715,6 +852,13 @@ var AES_256_GCM_KEY_SIZE = 32;
 var AES_256_GCM_NONCE_SIZE = 12;
 var AES_256_GCM_TAG_SIZE = 16;
 var HKDF_SALT_SIZE = 32;
+var EncryptionPurpose = /* @__PURE__ */ (function(EncryptionPurpose2) {
+  EncryptionPurpose2["KEYSHARE"] = "keyshare";
+  EncryptionPurpose2["KEYGEN_INIT"] = "keygen_init";
+  EncryptionPurpose2["KEYGEN_RESULT"] = "keygen_result";
+  EncryptionPurpose2["TEST"] = "test";
+  return EncryptionPurpose2;
+})({});
 function deriveAESKey(sharedSecret, salt, info) {
   const infoBytes = new TextEncoder().encode(info);
   return hkdf(sha256, sharedSecret, salt, infoBytes, AES_256_GCM_KEY_SIZE);
@@ -724,19 +868,23 @@ function createKeyDerivationInfo(purpose, connectionId, version = 1) {
   return `forward-mpc-${purpose}-v${version}-${connectionId}`;
 }
 __name(createKeyDerivationInfo, "createKeyDerivationInfo");
-async function encryptKeyshare(keyshare, sharedSecret, connectionId, signingAlgorithm) {
-  const salt = randomBytes(32);
-  const keyshareInfo = createKeyDerivationInfo("keyshare", connectionId);
-  const aesKey = deriveAESKey(sharedSecret, salt, keyshareInfo);
-  const keyshareData = {
-    keyshare,
-    signingAlgorithm,
-    timestamp: Date.now(),
-    nonce: bytesToHex(randomBytes(16))
-  };
-  const nonce = randomBytes(12);
+var HKDF_SALT_SIZE2 = 32;
+var AES_GCM_NONCE_SIZE = 12;
+var MIN_SHARED_SECRET_SIZE = 32;
+function encryptPayload(options) {
+  const { payload, sharedSecret, connectionId, purpose } = options;
+  if (!sharedSecret || sharedSecret.length < MIN_SHARED_SECRET_SIZE) {
+    throw new Error(`Invalid shared secret: must be at least ${MIN_SHARED_SECRET_SIZE} bytes`);
+  }
+  if (!connectionId || connectionId.trim().length === 0) {
+    throw new Error("Invalid connectionId: must be non-empty string");
+  }
+  const salt = randomBytes(HKDF_SALT_SIZE2);
+  const info = createKeyDerivationInfo(purpose, connectionId);
+  const aesKey = deriveAESKey(sharedSecret, salt, info);
+  const nonce = randomBytes(AES_GCM_NONCE_SIZE);
   const aes256Gcm = gcm(aesKey, nonce);
-  const plaintext = new TextEncoder().encode(JSON.stringify(keyshareData));
+  const plaintext = new TextEncoder().encode(JSON.stringify(payload));
   const ciphertext = aes256Gcm.encrypt(plaintext);
   const encryptedPayload = new Uint8Array(nonce.length + ciphertext.length);
   encryptedPayload.set(nonce, 0);
@@ -747,8 +895,82 @@ async function encryptKeyshare(keyshare, sharedSecret, connectionId, signingAlgo
     encryptedPayload
   };
 }
+__name(encryptPayload, "encryptPayload");
+function decryptPayload(options) {
+  const { encrypted, sharedSecret, connectionId, purpose } = options;
+  if (!sharedSecret || sharedSecret.length < MIN_SHARED_SECRET_SIZE) {
+    throw new Error(`Invalid shared secret: must be at least ${MIN_SHARED_SECRET_SIZE} bytes`);
+  }
+  if (!connectionId || connectionId.trim().length === 0) {
+    throw new Error("Invalid connectionId: must be non-empty string");
+  }
+  if (!encrypted.encryptedPayload || encrypted.encryptedPayload.length < AES_GCM_NONCE_SIZE) {
+    throw new Error(`Invalid encrypted payload: must be at least ${AES_GCM_NONCE_SIZE} bytes`);
+  }
+  const info = createKeyDerivationInfo(purpose, connectionId);
+  const aesKey = deriveAESKey(sharedSecret, encrypted.salt, info);
+  const nonce = encrypted.encryptedPayload.slice(0, AES_GCM_NONCE_SIZE);
+  const ciphertext = encrypted.encryptedPayload.slice(AES_GCM_NONCE_SIZE);
+  const aes256Gcm = gcm(aesKey, nonce);
+  const plaintext = aes256Gcm.decrypt(ciphertext);
+  const decryptedText = new TextDecoder().decode(plaintext);
+  const data = JSON.parse(decryptedText);
+  aesKey.fill(0);
+  return data;
+}
+__name(decryptPayload, "decryptPayload");
+function encryptKeyshare(keyshare, sharedSecret, connectionId, signingAlgorithm) {
+  const keyshareData = {
+    keyshare,
+    signingAlgorithm,
+    timestamp: Date.now(),
+    nonce: bytesToHex(randomBytes(16))
+  };
+  return encryptPayload({
+    payload: keyshareData,
+    sharedSecret,
+    connectionId,
+    purpose: EncryptionPurpose.KEYSHARE
+  });
+}
 __name(encryptKeyshare, "encryptKeyshare");
+// src/crypto/keygenEncryption.ts
+function encryptKeygenInit(keygenInit, sharedSecret, connectionId) {
+  if (!keygenInit.keygenId || keygenInit.keygenId.trim().length === 0) {
+    throw new Error("Invalid keygenInit: keygenId must be non-empty string");
+  }
+  if (!keygenInit.keygenSecret || keygenInit.keygenSecret.trim().length === 0) {
+    throw new Error("Invalid keygenInit: keygenSecret must be non-empty string");
+  }
+  return encryptPayload({
+    payload: keygenInit,
+    sharedSecret,
+    connectionId,
+    purpose: EncryptionPurpose.KEYGEN_INIT
+  });
+}
+__name(encryptKeygenInit, "encryptKeygenInit");
+function decryptKeygenResult(encrypted, sharedSecret, connectionId) {
+  const data = decryptPayload({
+    encrypted,
+    sharedSecret,
+    connectionId,
+    purpose: EncryptionPurpose.KEYGEN_RESULT
+  });
+  if (!data.pubkey || !Array.isArray(data.pubkey)) {
+    throw new Error("Invalid keygen result: pubkey must be an array");
+  }
+  if (!data.secretShare || typeof data.secretShare !== "string" || data.secretShare.trim().length === 0) {
+    throw new Error("Invalid keygen result: secretShare must be non-empty string");
+  }
+  return {
+    pubkey: new Uint8Array(data.pubkey),
+    secretShare: data.secretShare
+  };
+}
+__name(decryptKeygenResult, "decryptKeygenResult");
 // src/signing/registry.ts
 var SigningAlgorithmRegistry = class SigningAlgorithmRegistry2 {
   static {
@@ -785,6 +1007,6 @@ var SigningAlgorithmRegistry = class SigningAlgorithmRegistry2 {
 };
 var signingAlgorithmRegistry = new SigningAlgorithmRegistry();
-export { AES_256_GCM_KEY_SIZE, AES_256_GCM_NONCE_SIZE, AES_256_GCM_TAG_SIZE, ALGORITHMS, ALL_MESSAGE_CLASSES, ALL_MESSAGE_KEYS, ALL_SIGNING_ALGORITHM_NAMES, ALL_SIGNING_ALGORITHM_SCHEMA, BIP340SigningAlgorithm, BaseMessage, BaseSigningAlgorithm, ConnectionAckRequestSchema, ConnectionAckResponseSchema, ConnectionAckV1RequestMessage, ConnectionAckV1ResponseMessage, EcdsaSigningAlgorithm, Ed25519SigningAlgorithm, EncryptedKeyshareCodec, HKDF_SALT_SIZE, HandshakeRequestSchema, HandshakeResponseSchema, HandshakeV1RequestMessage, HandshakeV1ResponseMessage, MessageRegistry, OptionalStringCodec, SIGNING_ALGORITHM_CLASSES, SIGNING_ALGORITHM_INSTANCES, SignMessageRequestSchema, SignMessageResponseSchema, SignMessageV1RequestMessage, SignMessageV1ResponseMessage, SignatureAlgoSchema, TraceContextCodec, Uint32ArrayCodec, Uint8ArrayCodec, WebSocketErrorType, assertDefined, assertNotNull, createKeyDerivationInfo, createKeygenResultFromSecretShare, decapsulateMlKem768, deriveAESKey, encapsulateMlKem768, encryptKeyshare, fromDynamicSigningAlgorithm, generateMlKem768Keypair, getAllSupportedMessages, getDefined, getMessageClass, isValidMessageType, isValidSigningAlgorithm, messageRegistry, parseMessageKey, signingAlgorithmRegistry, toDynamicSigningAlgorithm };
+export { AES_256_GCM_KEY_SIZE, AES_256_GCM_NONCE_SIZE, AES_256_GCM_TAG_SIZE, ALGORITHMS, ALL_MESSAGE_CLASSES, ALL_MESSAGE_KEYS, ALL_SIGNING_ALGORITHM_NAMES, ALL_SIGNING_ALGORITHM_SCHEMA, BIP340SigningAlgorithm, BaseMessage, BaseSigningAlgorithm, ConnectionAckRequestSchema, ConnectionAckResponseSchema, ConnectionAckV1RequestMessage, ConnectionAckV1ResponseMessage, EcdsaSigningAlgorithm, Ed25519SigningAlgorithm, EncryptedPayloadCodec, EncryptionPurpose, HKDF_SALT_SIZE, HandshakeRequestSchema, HandshakeResponseSchema, HandshakeV1RequestMessage, HandshakeV1ResponseMessage, KeygenRequestSchema, KeygenResponseSchema, KeygenV1RequestMessage, KeygenV1ResponseMessage, MessageRegistry, OptionalStringCodec, ReceiveKeyRequestSchema, ReceiveKeyResponseSchema, ReceiveKeyV1RequestMessage, ReceiveKeyV1ResponseMessage, SIGNING_ALGORITHM_CLASSES, SIGNING_ALGORITHM_INSTANCES, SignMessageRequestSchema, SignMessageResponseSchema, SignMessageV1RequestMessage, SignMessageV1ResponseMessage, SignatureAlgoSchema, TraceContextCodec, Uint32ArrayCodec, Uint8ArrayCodec, WebSocketErrorType, assertDefined, assertNotNull, createKeyDerivationInfo, createKeygenResultFromSecretShare, decapsulateMlKem768, decryptKeygenResult, decryptPayload, deriveAESKey, encapsulateMlKem768, encryptKeygenInit, encryptKeyshare, encryptPayload, fromDynamicSigningAlgorithm, generateMlKem768Keypair, getAllSupportedMessages, getDefined, getMessageClass, isValidMessageType, isValidSigningAlgorithm, messageRegistry, parseMessageKey, signingAlgorithmRegistry, toDynamicSigningAlgorithm };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map