@fgv/ts-extras 5.1.0-17 → 5.1.0-18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/packlets/crypto-utils/index.browser.js +2 -0
- package/dist/packlets/crypto-utils/index.js +2 -0
- package/dist/packlets/crypto-utils/keyPairAlgorithmParams.js +47 -0
- package/dist/packlets/crypto-utils/keystore/converters.js +101 -9
- package/dist/packlets/crypto-utils/keystore/index.js +1 -0
- package/dist/packlets/crypto-utils/keystore/keyStore.js +271 -46
- package/dist/packlets/crypto-utils/keystore/model.js +22 -1
- package/dist/packlets/crypto-utils/keystore/privateKeyStorage.js +21 -0
- package/dist/packlets/crypto-utils/model.js +5 -0
- package/dist/packlets/crypto-utils/nodeCryptoProvider.js +44 -1
- package/dist/test/unit/crypto/keystore/inMemoryPrivateKeyStorage.js +78 -0
- package/dist/ts-extras.d.ts +577 -32
- package/lib/packlets/crypto-utils/index.browser.d.ts +1 -0
- package/lib/packlets/crypto-utils/index.browser.js +4 -1
- package/lib/packlets/crypto-utils/index.d.ts +1 -0
- package/lib/packlets/crypto-utils/index.js +4 -1
- package/lib/packlets/crypto-utils/keyPairAlgorithmParams.d.ts +39 -0
- package/lib/packlets/crypto-utils/keyPairAlgorithmParams.js +50 -0
- package/lib/packlets/crypto-utils/keystore/converters.d.ts +68 -6
- package/lib/packlets/crypto-utils/keystore/converters.js +100 -8
- package/lib/packlets/crypto-utils/keystore/index.d.ts +1 -0
- package/lib/packlets/crypto-utils/keystore/index.js +1 -0
- package/lib/packlets/crypto-utils/keystore/keyStore.d.ts +77 -9
- package/lib/packlets/crypto-utils/keystore/keyStore.js +271 -46
- package/lib/packlets/crypto-utils/keystore/model.d.ts +238 -19
- package/lib/packlets/crypto-utils/keystore/model.js +24 -2
- package/lib/packlets/crypto-utils/keystore/privateKeyStorage.d.ts +50 -0
- package/lib/packlets/crypto-utils/keystore/privateKeyStorage.js +22 -0
- package/lib/packlets/crypto-utils/model.d.ts +38 -0
- package/lib/packlets/crypto-utils/model.js +6 -1
- package/lib/packlets/crypto-utils/nodeCryptoProvider.d.ts +26 -1
- package/lib/packlets/crypto-utils/nodeCryptoProvider.js +43 -0
- package/package.json +7 -7
|
@@ -34,6 +34,8 @@ import * as Converters from './converters';
|
|
|
34
34
|
export { Converters };
|
|
35
35
|
// Direct encryption provider
|
|
36
36
|
export { DirectEncryptionProvider } from './directEncryptionProvider';
|
|
37
|
+
// WebCrypto parameter table for asymmetric keypair algorithms
|
|
38
|
+
export { keyPairAlgorithmParams } from './keyPairAlgorithmParams';
|
|
37
39
|
// Note: NodeCryptoProvider is NOT exported in browser version
|
|
38
40
|
// Use BrowserCryptoProvider from @fgv/ts-web-extras instead
|
|
39
41
|
// Encrypted file helpers
|
|
@@ -34,6 +34,8 @@ import * as Converters from './converters';
|
|
|
34
34
|
export { Converters };
|
|
35
35
|
// Direct encryption provider
|
|
36
36
|
export { DirectEncryptionProvider } from './directEncryptionProvider';
|
|
37
|
+
// WebCrypto parameter table for asymmetric keypair algorithms
|
|
38
|
+
export { keyPairAlgorithmParams } from './keyPairAlgorithmParams';
|
|
37
39
|
// Node.js crypto provider (Node.js environment only)
|
|
38
40
|
export { NodeCryptoProvider, nodeCryptoProvider } from './nodeCryptoProvider';
|
|
39
41
|
// Encrypted file helpers
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
// Copyright (c) 2026 Erik Fortune
|
|
2
|
+
//
|
|
3
|
+
// Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
4
|
+
// of this software and associated documentation files (the "Software"), to deal
|
|
5
|
+
// in the Software without restriction, including without limitation the rights
|
|
6
|
+
// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
7
|
+
// copies of the Software, and to permit persons to whom the Software is
|
|
8
|
+
// furnished to do so, subject to the following conditions:
|
|
9
|
+
//
|
|
10
|
+
// The above copyright notice and this permission notice shall be included in all
|
|
11
|
+
// copies or substantial portions of the Software.
|
|
12
|
+
//
|
|
13
|
+
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
14
|
+
// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
15
|
+
// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
16
|
+
// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
17
|
+
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
18
|
+
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
19
|
+
// SOFTWARE.
|
|
20
|
+
/**
|
|
21
|
+
* Lookup table from {@link CryptoUtils.KeyPairAlgorithm} to the WebCrypto
|
|
22
|
+
* parameters needed to drive `crypto.subtle`. Shared between every
|
|
23
|
+
* {@link CryptoUtils.ICryptoProvider} implementation since both Node and
|
|
24
|
+
* browser providers speak the same WebCrypto API. Exposed for downstream
|
|
25
|
+
* provider implementations (e.g. browser-side providers in `@fgv/ts-web-extras`).
|
|
26
|
+
* @public
|
|
27
|
+
*/
|
|
28
|
+
export const keyPairAlgorithmParams = {
|
|
29
|
+
'ecdsa-p256': {
|
|
30
|
+
generateKey: { name: 'ECDSA', namedCurve: 'P-256' },
|
|
31
|
+
importPublicKey: { name: 'ECDSA', namedCurve: 'P-256' },
|
|
32
|
+
keyPairUsages: ['sign', 'verify'],
|
|
33
|
+
publicKeyUsages: ['verify']
|
|
34
|
+
},
|
|
35
|
+
'rsa-oaep-2048': {
|
|
36
|
+
generateKey: {
|
|
37
|
+
name: 'RSA-OAEP',
|
|
38
|
+
modulusLength: 2048,
|
|
39
|
+
publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
|
|
40
|
+
hash: 'SHA-256'
|
|
41
|
+
},
|
|
42
|
+
importPublicKey: { name: 'RSA-OAEP', hash: 'SHA-256' },
|
|
43
|
+
keyPairUsages: ['encrypt', 'decrypt'],
|
|
44
|
+
publicKeyUsages: ['encrypt']
|
|
45
|
+
}
|
|
46
|
+
};
|
|
47
|
+
//# sourceMappingURL=keyPairAlgorithmParams.js.map
|
|
@@ -17,9 +17,9 @@
|
|
|
17
17
|
// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
18
18
|
// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
19
19
|
// SOFTWARE.
|
|
20
|
-
import { Converters } from '@fgv/ts-utils';
|
|
20
|
+
import { Converters, succeed, Validators } from '@fgv/ts-utils';
|
|
21
21
|
import { base64String, encryptionAlgorithm, keyDerivationParams } from '../converters';
|
|
22
|
-
import { allKeyStoreSecretTypes, KEYSTORE_FORMAT } from './model';
|
|
22
|
+
import { allKeyPairAlgorithms, allKeyStoreSecretTypes, allKeyStoreSymmetricSecretTypes, KEYSTORE_FORMAT, allKeyStoreAsymmetricSecretTypes } from './model';
|
|
23
23
|
// ============================================================================
|
|
24
24
|
// Key Store Format Converter
|
|
25
25
|
// ============================================================================
|
|
@@ -31,31 +31,123 @@ export const keystoreFormat = Converters.enumeratedValue([
|
|
|
31
31
|
KEYSTORE_FORMAT
|
|
32
32
|
]);
|
|
33
33
|
// ============================================================================
|
|
34
|
-
// Secret Type
|
|
34
|
+
// Secret Type Converters
|
|
35
35
|
// ============================================================================
|
|
36
36
|
/**
|
|
37
|
-
* Converter for {@link CryptoUtils.KeyStore.KeyStoreSecretType | key store secret type} discriminator.
|
|
37
|
+
* Converter for {@link CryptoUtils.KeyStore.KeyStoreSecretType | any key store secret type} discriminator.
|
|
38
|
+
* Accepts both symmetric and asymmetric type values.
|
|
38
39
|
* @public
|
|
39
40
|
*/
|
|
40
41
|
export const keystoreSecretType = Converters.enumeratedValue(allKeyStoreSecretTypes);
|
|
42
|
+
/**
|
|
43
|
+
* Converter for {@link CryptoUtils.KeyStore.KeyStoreSymmetricSecretType | symmetric secret type} discriminator.
|
|
44
|
+
* Accepts only `'encryption-key'` and `'api-key'`.
|
|
45
|
+
* @public
|
|
46
|
+
*/
|
|
47
|
+
export const keystoreSymmetricSecretType = Converters.enumeratedValue(allKeyStoreSymmetricSecretTypes);
|
|
48
|
+
/**
|
|
49
|
+
* Converter for {@link CryptoUtils.KeyStore.KeyStoreAsymmetricSecretType | asymmetric secret type} discriminator.
|
|
50
|
+
* Accepts only `'asymmetric-keypair'`.
|
|
51
|
+
* @public
|
|
52
|
+
*/
|
|
53
|
+
export const keystoreAsymmetricSecretType = Converters.enumeratedValue(allKeyStoreAsymmetricSecretTypes);
|
|
54
|
+
// ============================================================================
|
|
55
|
+
// Key Pair Algorithm Converter
|
|
56
|
+
// ============================================================================
|
|
57
|
+
/**
|
|
58
|
+
* Converter for {@link CryptoUtils.KeyStore.KeyPairAlgorithm | key pair algorithm}.
|
|
59
|
+
* @public
|
|
60
|
+
*/
|
|
61
|
+
export const keyPairAlgorithm = Converters.enumeratedValue(allKeyPairAlgorithms);
|
|
41
62
|
// ============================================================================
|
|
42
|
-
//
|
|
63
|
+
// JWK Shape Validator
|
|
43
64
|
// ============================================================================
|
|
44
65
|
/**
|
|
45
|
-
*
|
|
46
|
-
*
|
|
66
|
+
* In-place shape check for a JSON Web Key. Asserts only that the input is a
|
|
67
|
+
* non-array object whose `kty` discriminator is a string; every other JWK
|
|
68
|
+
* field passes through untouched. This is intentionally **not** a true JWK
|
|
69
|
+
* validator — per-algorithm correctness (RSA `n`/`e`, EC `crv`/`x`/`y`,
|
|
70
|
+
* key-size constraints, etc.) is delegated to `crypto.subtle.importKey` at
|
|
71
|
+
* first use, which is the authoritative checker. The "shape" suffix in the
|
|
72
|
+
* name is the warning sign for readers expecting full validation.
|
|
73
|
+
* @remarks
|
|
74
|
+
* Built with `Validators.object` (in-place, non-strict) so unknown JWK fields
|
|
75
|
+
* survive the round-trip; the cast to `FieldValidators<JsonWebKey>` is required
|
|
76
|
+
* only because TypeScript's mapped type demands an entry for every key in
|
|
77
|
+
* `JsonWebKey`. At runtime the `ObjectValidator` only inspects keys present in
|
|
78
|
+
* the field-validators map.
|
|
47
79
|
* @public
|
|
48
80
|
*/
|
|
49
|
-
export const
|
|
81
|
+
export const jsonWebKeyShape = Validators.object({
|
|
82
|
+
kty: Validators.string
|
|
83
|
+
});
|
|
84
|
+
// ============================================================================
|
|
85
|
+
// Symmetric Secret Entry Converter
|
|
86
|
+
// ============================================================================
|
|
87
|
+
/**
|
|
88
|
+
* Converter for {@link CryptoUtils.KeyStore.IKeyStoreSymmetricEntryJson | symmetric secret entry} in JSON form.
|
|
89
|
+
*
|
|
90
|
+
* @remarks
|
|
91
|
+
* Backwards compatibility with vaults written before asymmetric-keypair
|
|
92
|
+
* support: those entries may lack the `type` discriminator on the wire. To
|
|
93
|
+
* keep the model type honest (`type` is required on
|
|
94
|
+
* {@link CryptoUtils.KeyStore.IKeyStoreSymmetricEntryJson}, see its docs),
|
|
95
|
+
* we declare `type` in `optionalFields` so the inner `Converters.object` will
|
|
96
|
+
* accept input without it, then `.map()` injects the default
|
|
97
|
+
* `'encryption-key'` when missing. The output therefore always carries the
|
|
98
|
+
* discriminator and downstream code never sees the legacy missing-type form.
|
|
99
|
+
*
|
|
100
|
+
* @public
|
|
101
|
+
*/
|
|
102
|
+
export const keystoreSymmetricEntryJson = Converters.object({
|
|
50
103
|
name: Converters.string,
|
|
51
|
-
type:
|
|
104
|
+
type: keystoreSymmetricSecretType,
|
|
52
105
|
key: base64String,
|
|
53
106
|
description: Converters.string,
|
|
54
107
|
createdAt: Converters.string
|
|
55
108
|
}, {
|
|
109
|
+
// `type` is optional at the input layer for legacy-vault compatibility;
|
|
110
|
+
// the .map() below normalizes by injecting the default.
|
|
56
111
|
optionalFields: ['type', 'description']
|
|
112
|
+
}).map((entry) => {
|
|
113
|
+
var _a;
|
|
114
|
+
return succeed(Object.assign(Object.assign({}, entry), { type: (_a = entry.type) !== null && _a !== void 0 ? _a : 'encryption-key' }));
|
|
57
115
|
});
|
|
58
116
|
// ============================================================================
|
|
117
|
+
// Asymmetric Keypair Entry Converter
|
|
118
|
+
// ============================================================================
|
|
119
|
+
/**
|
|
120
|
+
* Converter for {@link CryptoUtils.KeyStore.IKeyStoreAsymmetricEntryJson | asymmetric keypair entry} in JSON form.
|
|
121
|
+
* The `publicKeyJwk` field passes through {@link CryptoUtils.KeyStore.Converters.jsonWebKeyShape | jsonWebKeyShape}
|
|
122
|
+
* (shape check only — see its docs); cryptographic correctness is enforced by
|
|
123
|
+
* `crypto.subtle.importKey` at use.
|
|
124
|
+
* @public
|
|
125
|
+
*/
|
|
126
|
+
export const keystoreAsymmetricEntryJson = Converters.object({
|
|
127
|
+
name: Converters.string,
|
|
128
|
+
type: keystoreAsymmetricSecretType,
|
|
129
|
+
id: Converters.string,
|
|
130
|
+
algorithm: keyPairAlgorithm,
|
|
131
|
+
publicKeyJwk: jsonWebKeyShape,
|
|
132
|
+
description: Converters.string.optional(),
|
|
133
|
+
createdAt: Converters.string
|
|
134
|
+
});
|
|
135
|
+
// ============================================================================
|
|
136
|
+
// Discriminated-Union Entry Converter
|
|
137
|
+
// ============================================================================
|
|
138
|
+
/**
|
|
139
|
+
* Discriminated-union converter for any {@link CryptoUtils.KeyStore.IKeyStoreEntryJson | key store entry} in JSON form.
|
|
140
|
+
* Routes by the `type` field: `'asymmetric-keypair'` is parsed by
|
|
141
|
+
* {@link CryptoUtils.KeyStore.Converters.keystoreAsymmetricEntryJson | keystoreAsymmetricEntryJson},
|
|
142
|
+
* anything else (including a missing `type` field for backwards compatibility) by
|
|
143
|
+
* {@link CryptoUtils.KeyStore.Converters.keystoreSymmetricEntryJson | keystoreSymmetricEntryJson}.
|
|
144
|
+
* @public
|
|
145
|
+
*/
|
|
146
|
+
export const keystoreSecretEntryJson = Converters.oneOf([
|
|
147
|
+
keystoreAsymmetricEntryJson,
|
|
148
|
+
keystoreSymmetricEntryJson
|
|
149
|
+
]);
|
|
150
|
+
// ============================================================================
|
|
59
151
|
// Vault Contents Converter
|
|
60
152
|
// ============================================================================
|
|
61
153
|
/**
|