npm - @fgv/ts-extras - Versions diffs - 5.1.0-3 → 5.1.0-31 - Mend

@fgv/ts-extras 5.1.0-3 → 5.1.0-31

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (334) hide show

package/dist/packlets/crypto-utils/keystore/keyStore.js CHANGED Viewed

@@ -20,6 +20,7 @@
 import { captureResult, fail, succeed } from '@fgv/ts-utils';
 import * as Constants from '../constants';
 import { createEncryptedFile } from '../encryptedFile';
+import { ARGON2ID_OWASP_MIN } from '../model';
 import { DEFAULT_KEYSTORE_ITERATIONS, DEFAULT_SECRET_ITERATIONS, KEYSTORE_FORMAT, MIN_SALT_LENGTH } from './model';
 import { keystoreFile, keystoreVaultContents } from './converters';
 /**
@@ -63,8 +64,9 @@ function getCurrentTimestamp() {
  * @public
  */
 export class KeyStore {
-    constructor(cryptoProvider, iterations, keystoreFile, isNew = true) {
+    constructor(cryptoProvider, iterations, keystoreFile, isNew, privateKeyStorage) {
         this._cryptoProvider = cryptoProvider;
+        this._privateKeyStorage = privateKeyStorage;
         this._iterations = iterations;
         this._keystoreFile = keystoreFile;
         this._state = 'locked';
@@ -87,7 +89,7 @@ export class KeyStore {
         if (iterations < 1) {
             return fail('Iterations must be at least 1');
         }
-        return succeed(new KeyStore(params.cryptoProvider, iterations, undefined, true));
+        return succeed(new KeyStore(params.cryptoProvider, iterations, undefined, true, params.privateKeyStorage));
     }
     /**
      * Opens an existing encrypted key store.
@@ -103,7 +105,7 @@ export class KeyStore {
             return fail(`Invalid key store file: ${fileResult.message}`);
         }
         const iterations = fileResult.value.keyDerivation.iterations;
-        return succeed(new KeyStore(params.cryptoProvider, iterations, fileResult.value, false));
+        return succeed(new KeyStore(params.cryptoProvider, iterations, fileResult.value, false, params.privateKeyStorage));
     }
     // ============================================================================
     // Lifecycle Methods
@@ -146,7 +148,6 @@ export class KeyStore {
      * @public
      */
     async unlock(password) {
-        var _a;
         if (this._isNew) {
             return fail('Cannot unlock a new key store - use initialize() instead');
         }
@@ -170,57 +171,37 @@ export class KeyStore {
         if (keyResult.isFailure()) {
             return fail(`Key derivation failed: ${keyResult.message}`);
         }
-        // Decrypt the vault
-        const ivResult = this._cryptoProvider.fromBase64(this._keystoreFile.iv);
-        const authTagResult = this._cryptoProvider.fromBase64(this._keystoreFile.authTag);
-        const encryptedDataResult = this._cryptoProvider.fromBase64(this._keystoreFile.encryptedData);
-        /* c8 ignore next 9 - base64 decode errors tested but coverage intermittently missed */
-        if (ivResult.isFailure()) {
-            return fail(`Invalid IV in key store file: ${ivResult.message}`);
-        }
-        if (authTagResult.isFailure()) {
-            return fail(`Invalid auth tag in key store file: ${authTagResult.message}`);
-        }
-        if (encryptedDataResult.isFailure()) {
-            return fail(`Invalid encrypted data in key store file: ${encryptedDataResult.message}`);
-        }
-        const decryptResult = await this._cryptoProvider.decrypt(encryptedDataResult.value, keyResult.value, ivResult.value, authTagResult.value);
-        if (decryptResult.isFailure()) {
-            return fail('Incorrect password or corrupted key store');
+        return this._decryptVault(keyResult.value);
+    }
+    /**
+     * Unlocks an existing key store with a pre-derived key, bypassing
+     * PBKDF2 key derivation. Use this when the derived key has been
+     * stored externally (e.g., in another key store) and the original
+     * password is no longer available.
+     *
+     * The supplied key must have been derived from the correct password
+     * using the key store file's own PBKDF2 parameters (salt and
+     * iteration count).
+     *
+     * @param derivedKey - The pre-derived master key (32 bytes for AES-256)
+     * @returns Success with this instance when unlocked, Failure if key is incorrect
+     * @public
+     */
+    async unlockWithKey(derivedKey) {
+        if (this._isNew) {
+            return fail('Cannot unlock a new key store - use initialize() instead');
         }
-        // Parse the vault contents
-        const parseResult = captureResult(() => JSON.parse(decryptResult.value));
-        /* c8 ignore next 3 - error path tested but coverage intermittently missed */
-        if (parseResult.isFailure()) {
-            return fail(`Failed to parse vault contents: ${parseResult.message}`);
+        if (this._state === 'unlocked') {
+            return fail('Key store is already unlocked');
         }
-        const vaultResult = keystoreVaultContents.convert(parseResult.value);
-        /* c8 ignore next 3 - error path tested but coverage intermittently missed */
-        if (vaultResult.isFailure()) {
-            return fail(`Invalid vault format: ${vaultResult.message}`);
+        if (derivedKey.length !== Constants.AES_256_KEY_SIZE) {
+            return fail(`Key must be ${Constants.AES_256_KEY_SIZE} bytes, got ${derivedKey.length}`);
         }
-        // Load secrets into memory
-        this._salt = salt;
-        this._secrets = new Map();
-        for (const [name, jsonEntry] of Object.entries(vaultResult.value.secrets)) {
-            const keyBytesResult = this._cryptoProvider.fromBase64(jsonEntry.key);
-            /* c8 ignore next 3 - error path tested but coverage intermittently missed */
-            if (keyBytesResult.isFailure()) {
-                return fail(`Invalid key for secret '${name}': ${keyBytesResult.message}`);
-            }
-            const entry = {
-                name,
-                /* c8 ignore next 1 - backwards compatibility: old vaults may lack type field */
-                type: (_a = jsonEntry.type) !== null && _a !== void 0 ? _a : 'encryption-key',
-                key: keyBytesResult.value,
-                description: jsonEntry.description,
-                createdAt: jsonEntry.createdAt
-            };
-            this._secrets.set(name, entry);
+        /* c8 ignore next 3 - defensive coding: unreachable via public API (open sets file, create sets isNew) */
+        if (!this._keystoreFile) {
+            return fail('No key store file to unlock');
         }
-        this._state = 'unlocked';
-        this._dirty = false;
-        return succeed(this);
+        return this._decryptVault(derivedKey);
     }
     /**
      * Locks the key store, clearing all secrets from memory.
@@ -238,7 +219,9 @@ export class KeyStore {
         // Clear secrets from memory (overwrite for security)
         if (this._secrets) {
             for (const entry of this._secrets.values()) {
-                entry.key.fill(0);
+                if (entry.type !== 'asymmetric-keypair') {
+                    entry.key.fill(0);
+                }
             }
             this._secrets.clear();
             this._secrets = undefined;
@@ -300,7 +283,9 @@ export class KeyStore {
         return succeed(Array.from(this._secrets.keys()));
     }
     /**
-     * Gets a secret by name.
+     * Gets a secret by name. Returns the {@link CryptoUtils.KeyStore.IKeyStoreEntry | discriminated union}
+     * — callers must check `entry.type` before accessing `key`/`id` since asymmetric
+     * entries carry no raw key material.
      * @param name - Name of the secret
      * @returns Success with secret entry, Failure if not found or locked
      * @public
@@ -315,6 +300,27 @@ export class KeyStore {
         }
         return succeed(entry);
     }
+    /**
+     * Returns the public-key JWK for an asymmetric-keypair entry.
+     * Available without {@link CryptoUtils.KeyStore.IPrivateKeyStorage} since the
+     * public key lives in the vault metadata directly.
+     * @param name - Name of the entry
+     * @returns Success with the JWK, Failure if not found, locked, or wrong type
+     * @public
+     */
+    getPublicKeyJwk(name) {
+        if (!this._secrets) {
+            return fail('Key store is locked');
+        }
+        const entry = this._secrets.get(name);
+        if (!entry) {
+            return fail(`Secret '${name}' not found`);
+        }
+        if (entry.type !== 'asymmetric-keypair') {
+            return fail(`Secret '${name}' is not an asymmetric keypair (type: ${entry.type})`);
+        }
+        return succeed(entry.publicKeyJwk);
+    }
     /**
      * Checks if a secret exists.
      * @param name - Name of the secret
@@ -341,7 +347,6 @@ export class KeyStore {
         if (!name || name.length === 0) {
             return fail('Secret name cannot be empty');
         }
-        const replaced = this._secrets.has(name);
         // Generate a new random key
         const keyResult = await this._cryptoProvider.generateKey();
         /* c8 ignore next 3 - crypto provider errors tested but coverage intermittently missed */
@@ -355,19 +360,28 @@ export class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const existing = this._secrets.get(name);
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
-        return succeed({ entry, replaced });
+        return succeed({ entry, replaced: existing !== undefined, warning });
     }
     /**
-     * Imports an existing secret key.
+     * Imports raw 32-byte key material into the vault.
+     *
+     * Always validates that the key is exactly 32 bytes (AES-256). The optional
+     * `type` field is a classification label stored with the entry; it does not
+     * change the validation rules.  For importing UTF-8 API key strings (variable
+     * length), use {@link KeyStore.importApiKey} instead.
+     *
      * @param name - Unique name for the secret
-     * @param key - The 32-byte AES-256 key
-     * @param options - Optional description, whether to replace existing
+     * @param key - The 32-byte AES-256 key material
+     * @param options - Optional type classification, description, whether to replace existing
      * @returns Success with entry, Failure if locked, key invalid, or exists and !replace
      * @public
      */
-    importSecret(name, key, options) {
+    async importSecret(name, key, options) {
+        var _a;
         if (!this._secrets) {
             return fail('Key store is locked');
         }
@@ -377,20 +391,21 @@ export class KeyStore {
         if (key.length !== Constants.AES_256_KEY_SIZE) {
             return fail(`Key must be ${Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);
         }
-        const exists = this._secrets.has(name);
-        if (exists && !(options === null || options === void 0 ? void 0 : options.replace)) {
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
             return fail(`Secret '${name}' already exists - use replace=true to overwrite`);
         }
         const entry = {
             name,
-            type: 'encryption-key',
+            type: (_a = options === null || options === void 0 ? void 0 : options.type) !== null && _a !== void 0 ? _a : 'encryption-key',
             key: new Uint8Array(key), // Copy to prevent external modification
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
-        return succeed({ entry, replaced: exists });
+        return succeed({ entry, replaced: existing !== undefined, warning });
     }
     /**
      * Adds a secret derived from a password using PBKDF2.
@@ -417,8 +432,8 @@ export class KeyStore {
         if (!password || password.length === 0) {
             return fail('Password cannot be empty');
         }
-        const exists = this._secrets.has(name);
-        if (exists && !(options === null || options === void 0 ? void 0 : options.replace)) {
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
             return fail(`Secret '${name}' already exists - use replace=true to overwrite`);
         }
         const iterations = (_a = options === null || options === void 0 ? void 0 : options.iterations) !== null && _a !== void 0 ? _a : DEFAULT_SECRET_ITERATIONS;
@@ -441,11 +456,13 @@ export class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
         return succeed({
             entry,
-            replaced: exists,
+            replaced: existing !== undefined,
+            warning,
             keyDerivation: {
                 kdf: 'pbkdf2',
                 salt: this._cryptoProvider.toBase64(saltResult.value),
@@ -454,12 +471,183 @@ export class KeyStore {
         });
     }
     /**
-     * Removes a secret by name.
+     * Verifies that a candidate password derives the same key material currently
+     * stored under `name`, using the supplied
+     * {@link CryptoUtils.IKeyDerivationParams | key derivation parameters}.
+     *
+     * The keystore does not persist per-slot key derivation parameters with the
+     * entry — callers receive them from `addSecretFromPassword` and store them
+     * alongside the encrypted artifact (or wherever else makes sense). Pass
+     * those same parameters here for verification.
+     *
+     * Re-derives a key from `password` + `keyDerivation`, then compares it to
+     * the stored key material in constant time. Restricted to entries of type
+     * `'encryption-key'` — the type produced by `addSecretFromPassword`. Other
+     * symmetric types (`'api-key'`) and asymmetric entries are rejected so
+     * the boolean result reflects "this slot accepts this password" rather
+     * than an incidental byte-equality match against unrelated material.
+     *
+     * Note: the keystore does not currently flag whether an `'encryption-key'`
+     * entry was actually password-derived (vs. random via `addSecret` or raw
+     * via `importSecret`). A `true` result therefore means "the candidate
+     * password produces the same 32 bytes currently stored", which is what
+     * the equivalent consumer-side helper (`verifyGatePassword`) already
+     * implies for entries it manages.
+     *
+     * @param name - Name of the secret to verify against
+     * @param password - Candidate password to test
+     * @param keyDerivation - The key derivation parameters returned by
+     * `addSecretFromPassword` when the secret was created. Only
+     * `kdf: 'pbkdf2'` is supported.
+     * @returns Success(true) when the candidate matches the stored key,
+     * Success(false) when it does not, Failure if locked, secret missing,
+     * wrong type, unsupported `kdf`, or key derivation fails
+     * @public
+     */
+    async verifySecretFromPassword(name, password, keyDerivation) {
+        if (!this._secrets) {
+            return fail('Key store is locked');
+        }
+        if (!password || password.length === 0) {
+            return fail('Password cannot be empty');
+        }
+        if (keyDerivation.kdf !== 'pbkdf2') {
+            return fail(`Unsupported kdf '${keyDerivation.kdf}' (expected 'pbkdf2')`);
+        }
+        const entry = this._secrets.get(name);
+        if (!entry) {
+            return fail(`Secret '${name}' not found`);
+        }
+        if (entry.type !== 'encryption-key') {
+            return fail(`Secret '${name}' is not a password-verifiable encryption key (type: ${entry.type})`);
+        }
+        const saltResult = this._cryptoProvider.fromBase64(keyDerivation.salt);
+        if (saltResult.isFailure()) {
+            return fail(`Invalid salt: ${saltResult.message}`);
+        }
+        const derivedResult = await this._cryptoProvider.deriveKey(password, saltResult.value, keyDerivation.iterations);
+        /* c8 ignore next 3 - crypto provider errors covered in nodeCryptoProvider tests */
+        if (derivedResult.isFailure()) {
+            return fail(`Key derivation failed: ${derivedResult.message}`);
+        }
+        return succeed(KeyStore._timingSafeEqual(derivedResult.value, entry.key));
+    }
+    /**
+     * Adds a secret derived from a password using Argon2id (RFC 9106).
+     *
+     * The Argon2id provider must be supplied explicitly; the KeyStore does not
+     * hold one by default (consumers opt in by depending on the argon2 package).
+     *
+     * Returns the key derivation parameters so callers can store them alongside
+     * encrypted artifacts, enabling future re-derivation and verification.
+     *
+     * @param name - Unique name for the secret
+     * @param password - Password or passphrase
+     * @param argon2idProvider - Argon2id provider (Node or Browser implementation)
+     * @param options - Optional: Argon2id params (defaults to ARGON2ID_OWASP_MIN), description, replace flag
+     * @returns Success with entry and keyDerivation params, Failure if locked or invalid
+     * @public
+     */
+    async addSecretFromPasswordArgon2id(name, password, argon2idProvider, options) {
+        var _a;
+        if (!this._secrets) {
+            return fail('Key store is locked');
+        }
+        if (!name || name.length === 0) {
+            return fail('Secret name cannot be empty');
+        }
+        if (!password || password.length === 0) {
+            return fail('Password cannot be empty');
+        }
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
+            return fail(`Secret '${name}' already exists - use replace=true to overwrite`);
+        }
+        const params = (_a = options === null || options === void 0 ? void 0 : options.params) !== null && _a !== void 0 ? _a : ARGON2ID_OWASP_MIN;
+        const saltResult = this._cryptoProvider.generateRandomBytes(MIN_SALT_LENGTH);
+        /* c8 ignore next 3 - crypto provider errors tested but coverage intermittently missed */
+        if (saltResult.isFailure()) {
+            return fail(`Failed to generate salt: ${saltResult.message}`);
+        }
+        const keyResult = await argon2idProvider.argon2id(password, saltResult.value, params);
+        if (keyResult.isFailure()) {
+            return fail(`Argon2id key derivation failed: ${keyResult.message}`);
+        }
+        if (keyResult.value.length !== Constants.AES_256_KEY_SIZE) {
+            return fail(`Argon2id outputBytes must be ${Constants.AES_256_KEY_SIZE} for KeyStore secrets, got ${keyResult.value.length}`);
+        }
+        const entry = {
+            name,
+            type: 'encryption-key',
+            key: keyResult.value,
+            description: options === null || options === void 0 ? void 0 : options.description,
+            createdAt: getCurrentTimestamp()
+        };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
+        this._secrets.set(name, entry);
+        this._dirty = true;
+        const keyDerivation = {
+            kdf: 'argon2id',
+            salt: this._cryptoProvider.toBase64(saltResult.value),
+            memoryKiB: params.memoryKiB,
+            iterations: params.iterations,
+            parallelism: params.parallelism
+        };
+        return succeed({ entry, replaced: existing !== undefined, warning, keyDerivation });
+    }
+    /**
+     * Verifies a candidate password against an Argon2id-derived entry using the
+     * supplied key derivation parameters. Constant-time comparison.
+     *
+     * @param name - Name of the secret to verify against
+     * @param password - Candidate password to test
+     * @param argon2idProvider - Argon2id provider (must produce bit-identical output for identical inputs)
+     * @param keyDerivation - The Argon2id key derivation parameters returned by `addSecretFromPasswordArgon2id`
+     * @returns Success(true) if candidate matches stored key, Success(false) if not,
+     * Failure if locked, secret missing, wrong type, or derivation fails
+     * @public
+     */
+    async verifySecretFromPasswordArgon2id(name, password, argon2idProvider, keyDerivation) {
+        if (!this._secrets) {
+            return fail('Key store is locked');
+        }
+        if (!password || password.length === 0) {
+            return fail('Password cannot be empty');
+        }
+        const entry = this._secrets.get(name);
+        if (!entry) {
+            return fail(`Secret '${name}' not found`);
+        }
+        if (entry.type !== 'encryption-key') {
+            return fail(`Secret '${name}' is not a password-verifiable encryption key (type: ${entry.type})`);
+        }
+        const saltResult = this._cryptoProvider.fromBase64(keyDerivation.salt);
+        if (saltResult.isFailure()) {
+            return fail(`Invalid salt: ${saltResult.message}`);
+        }
+        const params = {
+            memoryKiB: keyDerivation.memoryKiB,
+            iterations: keyDerivation.iterations,
+            parallelism: keyDerivation.parallelism,
+            outputBytes: entry.key.length
+        };
+        const derivedResult = await argon2idProvider.argon2id(password, saltResult.value, params);
+        if (derivedResult.isFailure()) {
+            return fail(`Argon2id key derivation failed: ${derivedResult.message}`);
+        }
+        return succeed(KeyStore._timingSafeEqual(derivedResult.value, entry.key));
+    }
+    /**
+     * Removes a secret by name. Vault-first: the in-memory vault entry is dropped
+     * before any storage cleanup runs. For asymmetric-keypair entries, best-effort
+     * calls {@link CryptoUtils.KeyStore.IPrivateKeyStorage}.delete on the entry's
+     * `id`; a failure is reported via `warning` on the result but does not roll
+     * back the vault removal.
      * @param name - Name of the secret to remove
-     * @returns Success with removed entry, Failure if not found or locked
+     * @returns Success with removed entry (and optional warning), Failure if not found or locked
      * @public
      */
-    removeSecret(name) {
+    async removeSecret(name) {
         if (!this._secrets) {
             return fail('Key store is locked');
         }
@@ -467,11 +655,12 @@ export class KeyStore {
         if (!entry) {
             return fail(`Secret '${name}' not found`);
         }
-        // Clear the key before removing (security)
-        entry.key.fill(0);
+        // Vault-first: drop the in-memory entry before touching storage so a
+        // storage failure cannot block removal.
         this._secrets.delete(name);
         this._dirty = true;
-        return succeed(entry);
+        const warning = await this._releaseEntryResources(entry);
+        return succeed({ entry, warning });
     }
     /**
      * Imports an API key string into the vault.
@@ -482,7 +671,7 @@ export class KeyStore {
      * @returns Success with entry, Failure if locked, empty, or exists and !replace
      * @public
      */
-    importApiKey(name, apiKey, options) {
+    async importApiKey(name, apiKey, options) {
         if (!this._secrets) {
             return fail('Key store is locked');
         }
@@ -492,8 +681,8 @@ export class KeyStore {
         if (!apiKey || apiKey.length === 0) {
             return fail('API key cannot be empty');
         }
-        const exists = this._secrets.has(name);
-        if (exists && !(options === null || options === void 0 ? void 0 : options.replace)) {
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
             return fail(`Secret '${name}' already exists - use replace=true to overwrite`);
         }
         const encoder = new TextEncoder();
@@ -504,9 +693,10 @@ export class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
-        return succeed({ entry, replaced: exists });
+        return succeed({ entry, replaced: existing !== undefined, warning });
     }
     /**
      * Retrieves an API key string by name.
@@ -529,6 +719,118 @@ export class KeyStore {
         const decoder = new TextDecoder();
         return succeed(decoder.decode(entry.key));
     }
+    // ============================================================================
+    // Asymmetric Keypair Management
+    // ============================================================================
+    /**
+     * Adds a new asymmetric keypair to the vault. Storage-first: the private key
+     * is stored under a freshly-minted `id` before the public-key vault entry is
+     * committed. If the storage call fails, no vault entry is written and the
+     * operation returns Failure.
+     *
+     * When `replace: true` displaces an existing entry (asymmetric or symmetric),
+     * a fresh `id` is minted; the displaced entry's resources are released
+     * best-effort. Failure of the storage delete is reported via `warning` on the
+     * result but does not roll back the replacement.
+     *
+     * Requires a {@link CryptoUtils.KeyStore.IPrivateKeyStorage} backend
+     * supplied at construction.
+     *
+     * @param name - Unique name for the entry
+     * @param options - Algorithm, optional description, replace flag
+     * @returns Success with the new entry, Failure if locked, no provider, or storage write failed
+     * @public
+     */
+    async addKeyPair(name, options) {
+        if (!this._secrets) {
+            return fail('Key store is locked');
+        }
+        if (!name || name.length === 0) {
+            return fail('Entry name cannot be empty');
+        }
+        if (!this._privateKeyStorage) {
+            return fail('No private key storage configured');
+        }
+        const existing = this._secrets.get(name);
+        if (existing && !options.replace) {
+            return fail(`Secret '${name}' already exists - use replace=true to overwrite`);
+        }
+        // Generate the keypair before touching storage. extractable=true on backends
+        // that round-trip via JWK; extractable=false on backends that hold CryptoKey
+        // refs directly.
+        const extractable = !this._privateKeyStorage.supportsNonExtractable;
+        const keyPairResult = await this._cryptoProvider.generateKeyPair(options.algorithm, extractable);
+        /* c8 ignore next 3 - crypto provider errors covered in nodeCryptoProvider tests; cannot be triggered here without mocking */
+        if (keyPairResult.isFailure()) {
+            return fail(`Failed to generate keypair for '${name}': ${keyPairResult.message}`);
+        }
+        const { publicKey, privateKey } = keyPairResult.value;
+        const jwkResult = await this._cryptoProvider.exportPublicKeyJwk(publicKey);
+        /* c8 ignore next 3 - export of an extractable freshly-generated public key is hard to fail */
+        if (jwkResult.isFailure()) {
+            return fail(`Failed to export public key for '${name}': ${jwkResult.message}`);
+        }
+        const idResult = this._generateId();
+        /* c8 ignore next 3 - random-bytes failure is hard to trigger with a healthy provider */
+        if (idResult.isFailure()) {
+            return fail(`Failed to mint storage id for '${name}': ${idResult.message}`);
+        }
+        const id = idResult.value;
+        // Storage-first: write the private key before committing the vault entry.
+        const storeResult = await this._privateKeyStorage.store(id, privateKey);
+        if (storeResult.isFailure()) {
+            return fail(`Failed to persist private key for '${name}': ${storeResult.message}`);
+        }
+        const entry = {
+            name,
+            type: 'asymmetric-keypair',
+            id,
+            algorithm: options.algorithm,
+            publicKeyJwk: jwkResult.value,
+            description: options.description,
+            createdAt: getCurrentTimestamp()
+        };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
+        this._secrets.set(name, entry);
+        this._dirty = true;
+        return succeed({ entry, replaced: existing !== undefined, warning });
+    }
+    /**
+     * Retrieves the keypair for an asymmetric-keypair entry. The private key is
+     * loaded from {@link CryptoUtils.KeyStore.IPrivateKeyStorage} on every call —
+     * the keystore never caches private `CryptoKey` references between calls.
+     * The public key is re-imported from the vault's JWK so callers always
+     * receive a `CryptoKey` rather than the JWK form.
+     * @param name - Name of the entry
+     * @returns Success with `{ publicKey, privateKey }`, Failure if not found,
+     * locked, wrong type, no provider, or storage load failed.
+     * @public
+     */
+    async getKeyPair(name) {
+        if (!this._secrets) {
+            return fail('Key store is locked');
+        }
+        const entry = this._secrets.get(name);
+        if (!entry) {
+            return fail(`Secret '${name}' not found`);
+        }
+        if (entry.type !== 'asymmetric-keypair') {
+            return fail(`Secret '${name}' is not an asymmetric keypair (type: ${entry.type})`);
+        }
+        if (!this._privateKeyStorage) {
+            return fail('No private key storage configured');
+        }
+        const privateResult = await this._privateKeyStorage.load(entry.id);
+        if (privateResult.isFailure()) {
+            return fail(`Failed to load private key for '${name}': ${privateResult.message}`);
+        }
+        const publicResult = await this._cryptoProvider.importPublicKeyJwk(entry.publicKeyJwk, entry.algorithm);
+        /* c8 ignore next 3 - vault JWKs that previously exported cleanly are extremely unlikely to fail re-import */
+        if (publicResult.isFailure()) {
+            return fail(`Failed to re-import public key for '${name}': ${publicResult.message}`);
+        }
+        return succeed({ publicKey: publicResult.value, privateKey: privateResult.value });
+    }
     /**
      * Lists secret names filtered by type.
      * @param type - The secret type to filter by
@@ -568,7 +870,8 @@ export class KeyStore {
         if (oldName !== newName && this._secrets.has(newName)) {
             return fail(`Secret '${newName}' already exists`);
         }
-        // Create new entry with new name (preserve type)
+        // Create new entry with new name. For asymmetric entries the spread
+        // preserves `id` so the storage handle survives the rename.
         const newEntry = Object.assign(Object.assign({}, entry), { name: newName });
         this._secrets.delete(oldName);
         this._secrets.set(newName, newEntry);
@@ -598,49 +901,29 @@ export class KeyStore {
         if (keyResult.isFailure()) {
             return fail(`Key derivation failed: ${keyResult.message}`);
         }
-        // Build vault contents
-        const secrets = {};
-        for (const [name, entry] of this._secrets) {
-            secrets[name] = {
-                name: entry.name,
-                type: entry.type,
-                key: this._cryptoProvider.toBase64(entry.key),
-                description: entry.description,
-                createdAt: entry.createdAt
-            };
-        }
-        const vaultContents = {
-            version: KEYSTORE_FORMAT,
-            secrets
-        };
-        // Serialize and encrypt
-        const jsonResult = captureResult(() => JSON.stringify(vaultContents));
-        /* c8 ignore next 3 - error path tested but coverage intermittently missed */
-        if (jsonResult.isFailure()) {
-            return fail(`Failed to serialize vault: ${jsonResult.message}`);
+        return this._encryptVault(keyResult.value);
+    }
+    /**
+     * Saves the key store using a pre-derived key, bypassing PBKDF2 key
+     * derivation. Use this when the derived key has been stored externally
+     * (e.g., in another key store) and the original password is no longer
+     * available.
+     *
+     * The supplied key must be the same key that was (or would be) derived
+     * from the master password using the key store's PBKDF2 parameters.
+     *
+     * @param derivedKey - The pre-derived master key (32 bytes for AES-256)
+     * @returns Success with IKeyStoreFile, Failure if locked or key invalid
+     * @public
+     */
+    async saveWithKey(derivedKey) {
+        if (!this._secrets || !this._salt) {
+            return fail('Key store is locked');
         }
-        const encryptResult = await this._cryptoProvider.encrypt(jsonResult.value, keyResult.value);
-        /* c8 ignore next 3 - crypto provider errors tested but coverage intermittently missed */
-        if (encryptResult.isFailure()) {
-            return fail(`Encryption failed: ${encryptResult.message}`);
+        if (derivedKey.length !== Constants.AES_256_KEY_SIZE) {
+            return fail(`Key must be ${Constants.AES_256_KEY_SIZE} bytes, got ${derivedKey.length}`);
         }
-        const { iv, authTag, encryptedData } = encryptResult.value;
-        const keystoreFileData = {
-            format: KEYSTORE_FORMAT,
-            algorithm: Constants.DEFAULT_ALGORITHM,
-            iv: this._cryptoProvider.toBase64(iv),
-            authTag: this._cryptoProvider.toBase64(authTag),
-            encryptedData: this._cryptoProvider.toBase64(encryptedData),
-            keyDerivation: {
-                kdf: 'pbkdf2',
-                salt: this._cryptoProvider.toBase64(this._salt),
-                iterations: this._iterations
-            }
-        };
-        this._keystoreFile = keystoreFileData;
-        this._dirty = false;
-        this._isNew = false;
-        return succeed(keystoreFileData);
+        return this._encryptVault(derivedKey);
     }
     /**
      * Changes the master password.
@@ -708,6 +991,9 @@ export class KeyStore {
         if (secretResult.isFailure()) {
             return fail(`encryptByName: ${secretResult.message}`);
         }
+        if (secretResult.value.type === 'asymmetric-keypair') {
+            return fail(`encryptByName: secret '${secretName}' is an asymmetric keypair, not symmetric key material`);
+        }
         return createEncryptedFile({
             content,
             secretName,
@@ -735,6 +1021,9 @@ export class KeyStore {
             if (!entry) {
                 return fail(`Secret '${secretName}' not found in key store`);
             }
+            if (entry.type === 'asymmetric-keypair') {
+                return fail(`Secret '${secretName}' is an asymmetric keypair, not symmetric key material`);
+            }
             return succeed(entry.key);
         };
         return succeed(provider);
@@ -754,5 +1043,216 @@ export class KeyStore {
             cryptoProvider: this._cryptoProvider
         });
     }
+    // ============================================================================
+    // Private: Vault Encryption / Decryption
+    // ============================================================================
+    /**
+     * Encrypts the vault with a derived key and returns the key store file.
+     * Shared by `save()` and `saveWithKey()`.
+     */
+    async _encryptVault(derivedKey) {
+        // _secrets and _salt are guaranteed non-undefined by callers
+        const secrets = this._secrets;
+        const salt = this._salt;
+        // Build vault contents
+        const secretEntries = {};
+        for (const [name, entry] of secrets) {
+            if (entry.type === 'asymmetric-keypair') {
+                secretEntries[name] = {
+                    name: entry.name,
+                    type: entry.type,
+                    id: entry.id,
+                    algorithm: entry.algorithm,
+                    publicKeyJwk: entry.publicKeyJwk,
+                    description: entry.description,
+                    createdAt: entry.createdAt
+                };
+            }
+            else {
+                secretEntries[name] = {
+                    name: entry.name,
+                    type: entry.type,
+                    key: this._cryptoProvider.toBase64(entry.key),
+                    description: entry.description,
+                    createdAt: entry.createdAt
+                };
+            }
+        }
+        const vaultContents = {
+            version: KEYSTORE_FORMAT,
+            secrets: secretEntries
+        };
+        // Serialize and encrypt
+        const jsonResult = captureResult(() => JSON.stringify(vaultContents));
+        /* c8 ignore next 3 - error path tested but coverage intermittently missed */
+        if (jsonResult.isFailure()) {
+            return fail(`Failed to serialize vault: ${jsonResult.message}`);
+        }
+        const encryptResult = await this._cryptoProvider.encrypt(jsonResult.value, derivedKey);
+        /* c8 ignore next 3 - crypto provider errors tested but coverage intermittently missed */
+        if (encryptResult.isFailure()) {
+            return fail(`Encryption failed: ${encryptResult.message}`);
+        }
+        const { iv, authTag, encryptedData } = encryptResult.value;
+        const keystoreFileData = {
+            format: KEYSTORE_FORMAT,
+            algorithm: Constants.DEFAULT_ALGORITHM,
+            iv: this._cryptoProvider.toBase64(iv),
+            authTag: this._cryptoProvider.toBase64(authTag),
+            encryptedData: this._cryptoProvider.toBase64(encryptedData),
+            keyDerivation: {
+                kdf: 'pbkdf2',
+                salt: this._cryptoProvider.toBase64(salt),
+                iterations: this._iterations
+            }
+        };
+        this._keystoreFile = keystoreFileData;
+        this._dirty = false;
+        this._isNew = false;
+        return succeed(keystoreFileData);
+    }
+    /**
+     * Decrypts the vault with a derived key and loads secrets into memory.
+     * Shared by `unlock()` and `unlockWithKey()`.
+     */
+    async _decryptVault(derivedKey) {
+        const keystoreFile = this._keystoreFile;
+        /* c8 ignore next 3 - defensive: _decryptVault is only called after a successful open() or create() */
+        if (keystoreFile === undefined) {
+            return fail('No key store file loaded');
+        }
+        const ivResult = this._cryptoProvider.fromBase64(keystoreFile.iv);
+        const authTagResult = this._cryptoProvider.fromBase64(keystoreFile.authTag);
+        const encryptedDataResult = this._cryptoProvider.fromBase64(keystoreFile.encryptedData);
+        /* c8 ignore next 9 - base64 decode errors tested but coverage intermittently missed */
+        if (ivResult.isFailure()) {
+            return fail(`Invalid IV in key store file: ${ivResult.message}`);
+        }
+        if (authTagResult.isFailure()) {
+            return fail(`Invalid auth tag in key store file: ${authTagResult.message}`);
+        }
+        if (encryptedDataResult.isFailure()) {
+            return fail(`Invalid encrypted data in key store file: ${encryptedDataResult.message}`);
+        }
+        const decryptResult = await this._cryptoProvider.decrypt(encryptedDataResult.value, derivedKey, ivResult.value, authTagResult.value);
+        if (decryptResult.isFailure()) {
+            return fail('Incorrect password or corrupted key store');
+        }
+        // Parse the vault contents
+        const parseResult = captureResult(() => JSON.parse(decryptResult.value));
+        /* c8 ignore next 3 - error path tested but coverage intermittently missed */
+        if (parseResult.isFailure()) {
+            return fail(`Failed to parse vault contents: ${parseResult.message}`);
+        }
+        const vaultResult = keystoreVaultContents.convert(parseResult.value);
+        /* c8 ignore next 3 - error path tested but coverage intermittently missed */
+        if (vaultResult.isFailure()) {
+            return fail(`Invalid vault format: ${vaultResult.message}`);
+        }
+        // Build secrets into local variables to avoid partial state on failure
+        const saltResult = this._cryptoProvider.fromBase64(keystoreFile.keyDerivation.salt);
+        if (saltResult.isFailure()) {
+            return fail(`Invalid salt in key store file: ${saltResult.message}`);
+        }
+        const secrets = new Map();
+        for (const [name, jsonEntry] of Object.entries(vaultResult.value.secrets)) {
+            if (jsonEntry.type === 'asymmetric-keypair') {
+                const entry = {
+                    name,
+                    type: jsonEntry.type,
+                    id: jsonEntry.id,
+                    algorithm: jsonEntry.algorithm,
+                    publicKeyJwk: jsonEntry.publicKeyJwk,
+                    description: jsonEntry.description,
+                    createdAt: jsonEntry.createdAt
+                };
+                secrets.set(name, entry);
+            }
+            else {
+                const keyBytesResult = this._cryptoProvider.fromBase64(jsonEntry.key);
+                /* c8 ignore next 3 - error path tested but coverage intermittently missed */
+                if (keyBytesResult.isFailure()) {
+                    return fail(`Invalid key for secret '${name}': ${keyBytesResult.message}`);
+                }
+                const entry = {
+                    name,
+                    type: jsonEntry.type,
+                    key: keyBytesResult.value,
+                    description: jsonEntry.description,
+                    createdAt: jsonEntry.createdAt
+                };
+                secrets.set(name, entry);
+            }
+        }
+        // All validation passed — commit state atomically
+        this._salt = saltResult.value;
+        this._secrets = secrets;
+        this._state = 'unlocked';
+        this._dirty = false;
+        return succeed(this);
+    }
+    // ============================================================================
+    // Private: Helpers for asymmetric flows
+    // ============================================================================
+    /**
+     * Releases the resources held by an entry being displaced from the vault.
+     * Symmetric entries get their key buffer zeroed in place. Asymmetric entries
+     * have their private-key blob best-effort deleted from
+     * {@link CryptoUtils.KeyStore.IPrivateKeyStorage}; if the storage call fails,
+     * a warning string is returned but the displacement still proceeds — the
+     * orphaned blob is left for consumer-side GC. Without a configured provider,
+     * asymmetric cleanup is silently skipped.
+     * @returns A warning string if storage cleanup failed, otherwise undefined.
+     */
+    async _releaseEntryResources(entry) {
+        if (entry.type === 'asymmetric-keypair') {
+            if (!this._privateKeyStorage) {
+                return undefined;
+            }
+            const deleteResult = await this._privateKeyStorage.delete(entry.id);
+            if (deleteResult.isFailure()) {
+                return `Failed to delete prior storage blob for '${entry.name}' (id ${entry.id}): ${deleteResult.message}`;
+            }
+            return undefined;
+        }
+        entry.key.fill(0);
+        return undefined;
+    }
+    /**
+     * Constant-time byte comparison. Returns false immediately for length
+     * mismatch (length is not secret); for equal-length inputs, walks the full
+     * buffer accumulating differences via XOR so the running time does not leak
+     * the position of the first differing byte.
+     */
+    static _timingSafeEqual(a, b) {
+        /* c8 ignore next 3 - defensive: callers compare equal-length 32-byte PBKDF2 keys */
+        if (a.length !== b.length) {
+            return false;
+        }
+        let diff = 0;
+        for (let i = 0; i < a.length; i++) {
+            // eslint-disable-next-line no-bitwise
+            diff |= a[i] ^ b[i];
+        }
+        return diff === 0;
+    }
+    /**
+     * Mints a fresh UUID v4 storage handle using the crypto provider's
+     * {@link CryptoUtils.ICryptoProvider.generateRandomBytes | generateRandomBytes}.
+     * Random-bytes failures propagate as Failure.
+     */
+    _generateId() {
+        return this._cryptoProvider.generateRandomBytes(16).onSuccess((bytes) => {
+            // Per RFC 4122 §4.4: set version (4) and variant (10xx) bits.
+            // eslint-disable-next-line no-bitwise
+            bytes[6] = (bytes[6] & 0x0f) | 0x40;
+            // eslint-disable-next-line no-bitwise
+            bytes[8] = (bytes[8] & 0x3f) | 0x80;
+            const hex = Array.from(bytes)
+                .map((b) => b.toString(16).padStart(2, '0'))
+                .join('');
+            return succeed(`${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`);
+        });
+    }
 }
 //# sourceMappingURL=keyStore.js.map