npm - @fgv/ts-web-extras - Versions diffs - 5.1.0-18 → 5.1.0-19 - Mend

@fgv/ts-web-extras 5.1.0-18 → 5.1.0-19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (64) hide show

package/dist/test/unit/browserCryptoProvider.wrapBytes.test.js ADDED Viewed

@@ -0,0 +1,221 @@
+/*
+ * Copyright (c) 2026 Erik Fortune
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+import '@fgv/ts-utils-jest';
+import { BrowserCryptoProvider } from '../../packlets/crypto-utils';
+const provider = new BrowserCryptoProvider();
+const subtle = globalThis.crypto.subtle;
+async function generateEcdhPair(curve = 'P-256') {
+    return (await subtle.generateKey({ name: 'ECDH', namedCurve: curve }, true, [
+        'deriveKey',
+        'deriveBits'
+    ]));
+}
+async function generateEcdsaPair() {
+    return (await subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, true, [
+        'sign',
+        'verify'
+    ]));
+}
+describe('BrowserCryptoProvider — wrapBytes/unwrapBytes', () => {
+    const defaultOptions = {
+        salt: new TextEncoder().encode('test-salt'),
+        info: new TextEncoder().encode('test-info')
+    };
+    describe('round-trip', () => {
+        test.each([
+            ['32-byte plaintext (AES-256 key shape)', globalThis.crypto.getRandomValues(new Uint8Array(32))],
+            ['1-byte plaintext', new Uint8Array([0x42])],
+            ['1KB plaintext', globalThis.crypto.getRandomValues(new Uint8Array(1024))],
+            ['empty plaintext', new Uint8Array(0)],
+            ['high-bit-set bytes', new Uint8Array(64).fill(0xff)]
+        ])('round-trips %s', async (__label, plaintext) => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(plaintext, pair.publicKey, defaultOptions)).orThrow();
+            expect(wrapped.ephemeralPublicKey.kty).toBe('EC');
+            expect(wrapped.ephemeralPublicKey.crv).toBe('P-256');
+            const recovered = (await provider.unwrapBytes(wrapped, pair.privateKey, defaultOptions)).orThrow();
+            expect(new Uint8Array(recovered)).toEqual(plaintext);
+        });
+    });
+    describe('determinism / freshness', () => {
+        test('two wraps of identical inputs produce different ephemeral keys and ciphertexts', async () => {
+            const pair = await generateEcdhPair();
+            const plaintext = new TextEncoder().encode('same payload');
+            const w1 = (await provider.wrapBytes(plaintext, pair.publicKey, defaultOptions)).orThrow();
+            const w2 = (await provider.wrapBytes(plaintext, pair.publicKey, defaultOptions)).orThrow();
+            expect(w1.ephemeralPublicKey).not.toEqual(w2.ephemeralPublicKey);
+            expect(w1.ciphertext).not.toEqual(w2.ciphertext);
+            expect(w1.nonce).not.toEqual(w2.nonce);
+        });
+    });
+    describe('tampering', () => {
+        test('flipping a bit in the nonce fails GCM authentication', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const nonce = provider.fromBase64(wrapped.nonce).orThrow();
+            nonce[0] ^= 0xff;
+            const tampered = Object.assign(Object.assign({}, wrapped), { nonce: provider.toBase64(nonce) });
+            expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed/i);
+        });
+        test('flipping a bit in the ciphertext fails GCM authentication', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const ct = provider.fromBase64(wrapped.ciphertext).orThrow();
+            ct[0] ^= 0x01;
+            const tampered = Object.assign(Object.assign({}, wrapped), { ciphertext: provider.toBase64(ct) });
+            expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed/i);
+        });
+        test('truncating ciphertext by one byte fails GCM authentication (still ≥ 16 bytes)', async () => {
+            const pair = await generateEcdhPair();
+            // 16-byte plaintext → 32-byte ciphertext (16 ct + 16 tag); truncate by 1 → 31 bytes ≥ 16
+            const wrapped = (await provider.wrapBytes(new Uint8Array(16).fill(0xab), pair.publicKey, defaultOptions)).orThrow();
+            const ct = provider.fromBase64(wrapped.ciphertext).orThrow();
+            const truncated = ct.slice(0, ct.length - 1);
+            const tampered = Object.assign(Object.assign({}, wrapped), { ciphertext: provider.toBase64(truncated) });
+            expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed/i);
+        });
+        test('substituting a different ephemeral public key fails authentication', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const other = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const tampered = Object.assign(Object.assign({}, wrapped), { ephemeralPublicKey: other.ephemeralPublicKey });
+            expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed/i);
+        });
+    });
+    describe('wrong-key / wrong-options', () => {
+        test('unwrap with a different recipient private key fails', async () => {
+            const pair = await generateEcdhPair();
+            const other = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            expect(await provider.unwrapBytes(wrapped, other.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed/i);
+        });
+        test('unwrap with a different HKDF salt fails authentication', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const wrongSalt = {
+                salt: new TextEncoder().encode('different-salt'),
+                info: defaultOptions.info
+            };
+            expect(await provider.unwrapBytes(wrapped, pair.privateKey, wrongSalt)).toFailWith(/unwrapBytes failed/i);
+        });
+        test('unwrap with a different HKDF info fails authentication', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const wrongInfo = {
+                salt: defaultOptions.salt,
+                info: new TextEncoder().encode('different-info')
+            };
+            expect(await provider.unwrapBytes(wrapped, pair.privateKey, wrongInfo)).toFailWith(/unwrapBytes failed/i);
+        });
+        test('empty salt and info round-trip when both sides agree', async () => {
+            const pair = await generateEcdhPair();
+            const empty = { salt: new Uint8Array(0), info: new Uint8Array(0) };
+            const plaintext = globalThis.crypto.getRandomValues(new Uint8Array(16));
+            const wrapped = (await provider.wrapBytes(plaintext, pair.publicKey, empty)).orThrow();
+            const recovered = (await provider.unwrapBytes(wrapped, pair.privateKey, empty)).orThrow();
+            expect(new Uint8Array(recovered)).toEqual(plaintext);
+        });
+    });
+    describe('malformed input', () => {
+        test('malformed ephemeralPublicKey JWK fails', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const bogus = Object.assign(Object.assign({}, wrapped), { ephemeralPublicKey: { kty: 'EC', crv: 'P-256' } });
+            expect(await provider.unwrapBytes(bogus, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed/i);
+        });
+        test('ephemeralPublicKey on the wrong curve (P-384) fails', async () => {
+            const pair = await generateEcdhPair();
+            const wrongCurve = await generateEcdhPair('P-384');
+            const wrongJwk = await subtle.exportKey('jwk', wrongCurve.publicKey);
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const tampered = Object.assign(Object.assign({}, wrapped), { ephemeralPublicKey: wrongJwk });
+            expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed/i);
+        });
+        test('non-base64 nonce fails with a clean error', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const tampered = Object.assign(Object.assign({}, wrapped), { nonce: 'not!base64!' });
+            expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed: nonce/i);
+        });
+        test('non-base64 ciphertext fails with a clean error', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const tampered = Object.assign(Object.assign({}, wrapped), { ciphertext: 'not!base64!' });
+            expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed: ciphertext/i);
+        });
+        test('wrong-length nonce (after base64 decode) fails before reaching AES-GCM', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const shortNonce = new Uint8Array(8);
+            const tampered = Object.assign(Object.assign({}, wrapped), { nonce: provider.toBase64(shortNonce) });
+            expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed: nonce must be 12 bytes \(got 8\)/i);
+        });
+        test('ciphertext shorter than the GCM auth tag fails before reaching AES-GCM', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)).orThrow();
+            const shortCt = new Uint8Array(8);
+            const tampered = Object.assign(Object.assign({}, wrapped), { ciphertext: provider.toBase64(shortCt) });
+            expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(/unwrapBytes failed: ciphertext must be at least 16 bytes \(got 8\)/i);
+        });
+    });
+    describe('algorithm / type mismatch on recipient key', () => {
+        test('wrap fails when recipient public key is RSA-OAEP, not ECDH', async () => {
+            const rsa = (await subtle.generateKey({
+                name: 'RSA-OAEP',
+                modulusLength: 2048,
+                publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+                hash: 'SHA-256'
+            }, true, ['encrypt', 'decrypt']));
+            const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), rsa.publicKey, defaultOptions);
+            expect(result).toFailWith(/wrapBytes failed: recipient public key must be ECDH P-256.*RSA-OAEP/i);
+        });
+        test('wrap fails when recipient public key is ECDSA P-256, not ECDH', async () => {
+            const ecdsa = await generateEcdsaPair();
+            const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), ecdsa.publicKey, defaultOptions);
+            expect(result).toFailWith(/wrapBytes failed: recipient public key must be ECDH P-256.*ECDSA/i);
+        });
+        test('wrap fails when recipient public key is ECDH P-384, not P-256', async () => {
+            const wrongCurve = await generateEcdhPair('P-384');
+            const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), wrongCurve.publicKey, defaultOptions);
+            expect(result).toFailWith(/wrapBytes failed: recipient public key must be ECDH P-256.*P-384/i);
+        });
+        test('unwrap fails when recipient private key is ECDH P-384, not P-256', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new Uint8Array([1, 2, 3]), pair.publicKey, defaultOptions)).orThrow();
+            const wrongCurve = await generateEcdhPair('P-384');
+            const result = await provider.unwrapBytes(wrapped, wrongCurve.privateKey, defaultOptions);
+            expect(result).toFailWith(/unwrapBytes failed: recipient private key must be ECDH P-256.*P-384/i);
+        });
+        test('wrap fails when recipient is an ECDH private key (not public)', async () => {
+            const pair = await generateEcdhPair();
+            const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), pair.privateKey, defaultOptions);
+            expect(result).toFailWith(/wrapBytes failed: recipient public key must be a public CryptoKey \(got 'private'\)/i);
+        });
+        test('unwrap fails when recipient is an ECDH public key (not private)', async () => {
+            const pair = await generateEcdhPair();
+            const wrapped = (await provider.wrapBytes(new Uint8Array([1, 2, 3]), pair.publicKey, defaultOptions)).orThrow();
+            const result = await provider.unwrapBytes(wrapped, pair.publicKey, defaultOptions);
+            expect(result).toFailWith(/unwrapBytes failed: recipient private key must be a private CryptoKey \(got 'public'\)/i);
+        });
+    });
+});
+//# sourceMappingURL=browserCryptoProvider.wrapBytes.test.js.map

package/dist/test/unit/browserCryptoProvider.wrapBytes.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"browserCryptoProvider.wrapBytes.test.js","sourceRoot":"","sources":["../../../src/test/unit/browserCryptoProvider.wrapBytes.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,oBAAoB,CAAC;AAG5B,OAAO,EAAE,qBAAqB,EAAE,MAAM,6BAA6B,CAAC;AAEpE,MAAM,QAAQ,GAAG,IAAI,qBAAqB,EAAE,CAAC;AAC7C,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC;AAExC,KAAK,UAAU,gBAAgB,CAAC,QAA2B,OAAO;IAChE,OAAO,CAAC,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE;QAC1E,WAAW;QACX,YAAY;KACb,CAAC,CAAkB,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,iBAAiB;IAC9B,OAAO,CAAC,MAAM,MAAM,CAAC,WAAW,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE;QAC7E,MAAM;QACN,QAAQ;KACT,CAAC,CAAkB,CAAC;AACvB,CAAC;AAED,QAAQ,CAAC,+CAA+C,EAAE,GAAG,EAAE;IAC7D,MAAM,cAAc,GAAkC;QACpD,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;QAC3C,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,WAAW,CAAC;KAC5C,CAAC;IAEF,QAAQ,CAAC,YAAY,EAAE,GAAG,EAAE;QAC1B,IAAI,CAAC,IAAI,CAAuB;YAC9B,CAAC,uCAAuC,EAAE,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;YAChG,CAAC,kBAAkB,EAAE,IAAI,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;YAC5C,CAAC,eAAe,EAAE,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;YAC1E,CAAC,iBAAiB,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;YACtC,CAAC,oBAAoB,EAAE,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;SACtD,CAAC,CAAC,gBAAgB,EAAE,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE;YAChD,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YAChG,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAClD,MAAM,CAAC,OAAO,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACrD,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YACnG,MAAM,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,IAAI,CAAC,gFAAgF,EAAE,KAAK,IAAI,EAAE;YAChG,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;YAC3D,MAAM,EAAE,GAAG,CAAC,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YAC3F,MAAM,EAAE,GAAG,CAAC,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YAC3F,MAAM,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC;YACjE,MAAM,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC;YACjD,MAAM,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC;QACzC,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;QACzB,IAAI,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACtE,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,KAAK,GAAG,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;YAC3D,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YACjB,MAAM,QAAQ,mCAAmC,OAAO,KAAE,KAAK,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAE,CAAC;YAC5F,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,qBAAqB,CACtB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;YAC3E,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,EAAE,GAAG,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;YAC7D,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;YACd,MAAM,QAAQ,mCAAmC,OAAO,KAAE,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAE,CAAC;YAC9F,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,qBAAqB,CACtB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,+EAA+E,EAAE,KAAK,IAAI,EAAE;YAC/F,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,yFAAyF;YACzF,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CACxF,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,EAAE,GAAG,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,CAAC;YAC7D,MAAM,SAAS,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAC7C,MAAM,QAAQ,mCAAmC,OAAO,KAAE,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAE,CAAC;YACrG,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,qBAAqB,CACtB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;YACpF,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,KAAK,GAAG,CACZ,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,mCACT,OAAO,KACV,kBAAkB,EAAE,KAAK,CAAC,kBAAkB,GAC7C,CAAC;YACF,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,qBAAqB,CACtB,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,2BAA2B,EAAE,GAAG,EAAE;QACzC,IAAI,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;YACrE,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,KAAK,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,KAAK,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,qBAAqB,CACtB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,SAAS,GAAkC;gBAC/C,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC;gBAChD,IAAI,EAAE,cAAc,CAAC,IAAI;aAC1B,CAAC;YACF,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,CAChF,qBAAqB,CACtB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,wDAAwD,EAAE,KAAK,IAAI,EAAE;YACxE,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,SAAS,GAAkC;gBAC/C,IAAI,EAAE,cAAc,CAAC,IAAI;gBACzB,IAAI,EAAE,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,gBAAgB,CAAC;aACjD,CAAC;YACF,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC,UAAU,CAChF,qBAAqB,CACtB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;YACtE,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,KAAK,GAAkC,EAAE,IAAI,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YAClG,MAAM,SAAS,GAAG,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC;YACxE,MAAM,OAAO,GAAG,CAAC,MAAM,QAAQ,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YACvF,MAAM,SAAS,GAAG,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;YAC1F,MAAM,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;QAC/B,IAAI,CAAC,wCAAwC,EAAE,KAAK,IAAI,EAAE;YACxD,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,KAAK,mCACN,OAAO,KACV,kBAAkB,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,EAAgB,GAC9D,CAAC;YACF,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,KAAK,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACnF,qBAAqB,CACtB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;YACrE,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,UAAU,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAC;YACnD,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,CAAC,SAAS,CAAC,CAAC;YACrE,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,mCAAmC,OAAO,KAAE,kBAAkB,EAAE,QAAQ,GAAE,CAAC;YACzF,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,qBAAqB,CACtB,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;YAC3D,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,mCAAmC,OAAO,KAAE,KAAK,EAAE,aAAa,GAAE,CAAC;YACjF,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,4BAA4B,CAC7B,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;YAChE,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,QAAQ,mCAAmC,OAAO,KAAE,UAAU,EAAE,aAAa,GAAE,CAAC;YACtF,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,iCAAiC,CAClC,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;YACxF,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;YACrC,MAAM,QAAQ,mCAAmC,OAAO,KAAE,KAAK,EAAE,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAE,CAAC;YACjG,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,uDAAuD,CACxD,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,wEAAwE,EAAE,KAAK,IAAI,EAAE;YACxF,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAC9F,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;YAClC,MAAM,QAAQ,mCAAmC,OAAO,KAAE,UAAU,EAAE,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAE,CAAC;YACnG,MAAM,CAAC,MAAM,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,UAAU,CACtF,qEAAqE,CACtE,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,4CAA4C,EAAE,GAAG,EAAE;QAC1D,IAAI,CAAC,4DAA4D,EAAE,KAAK,IAAI,EAAE;YAC5E,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,WAAW,CACnC;gBACE,IAAI,EAAE,UAAU;gBAChB,aAAa,EAAE,IAAI;gBACnB,cAAc,EAAE,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;gBAClD,IAAI,EAAE,SAAS;aAChB,EACD,IAAI,EACJ,CAAC,SAAS,EAAE,SAAS,CAAC,CACvB,CAAkB,CAAC;YACpB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;YAClG,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,sEAAsE,CAAC,CAAC;QACpG,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;YAC/E,MAAM,KAAK,GAAG,MAAM,iBAAiB,EAAE,CAAC;YACxC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;YACpG,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,mEAAmE,CAAC,CAAC;QACjG,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;YAC/E,MAAM,UAAU,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,CACrC,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EACzB,UAAU,CAAC,SAAS,EACpB,cAAc,CACf,CAAC;YACF,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,mEAAmE,CAAC,CAAC;QACjG,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;YAClF,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CACpF,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,UAAU,GAAG,MAAM,gBAAgB,CAAC,OAAO,CAAC,CAAC;YACnD,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,UAAU,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YAC1F,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,sEAAsE,CAAC,CAAC;QACpG,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,+DAA+D,EAAE,KAAK,IAAI,EAAE;YAC/E,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YACpG,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,CACvB,sFAAsF,CACvF,CAAC;QACJ,CAAC,CAAC,CAAC;QAEH,IAAI,CAAC,iEAAiE,EAAE,KAAK,IAAI,EAAE;YACjF,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,CACd,MAAM,QAAQ,CAAC,SAAS,CAAC,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CACpF,CAAC,OAAO,EAAE,CAAC;YACZ,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;YACnF,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,CACvB,yFAAyF,CAC1F,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC","sourcesContent":["/*\n * Copyright (c) 2026 Erik Fortune\n *\n * Permission is hereby granted, free of charge, to any person obtaining a copy\n * of this software and associated documentation files (the \"Software\"), to deal\n * in the Software without restriction, including without limitation the rights\n * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell\n * copies of the Software, and to permit persons to whom the Software is\n * furnished to do so, subject to the following conditions:\n *\n * The above copyright notice and this permission notice shall be included in all\n * copies or substantial portions of the Software.\n *\n * THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\n * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\n * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\n * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\n * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\n * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\n * SOFTWARE.\n */\n\nimport '@fgv/ts-utils-jest';\n\nimport { CryptoUtils } from '@fgv/ts-extras';\nimport { BrowserCryptoProvider } from '../../packlets/crypto-utils';\n\nconst provider = new BrowserCryptoProvider();\nconst subtle = globalThis.crypto.subtle;\n\nasync function generateEcdhPair(curve: 'P-256' | 'P-384' = 'P-256'): Promise<CryptoKeyPair> {\n return (await subtle.generateKey({ name: 'ECDH', namedCurve: curve }, true, [\n 'deriveKey',\n 'deriveBits'\n ])) as CryptoKeyPair;\n}\n\nasync function generateEcdsaPair(): Promise<CryptoKeyPair> {\n return (await subtle.generateKey({ name: 'ECDSA', namedCurve: 'P-256' }, true, [\n 'sign',\n 'verify'\n ])) as CryptoKeyPair;\n}\n\ndescribe('BrowserCryptoProvider — wrapBytes/unwrapBytes', () => {\n const defaultOptions: CryptoUtils.IWrapBytesOptions = {\n salt: new TextEncoder().encode('test-salt'),\n info: new TextEncoder().encode('test-info')\n };\n\n describe('round-trip', () => {\n test.each<[string, Uint8Array]>([\n ['32-byte plaintext (AES-256 key shape)', globalThis.crypto.getRandomValues(new Uint8Array(32))],\n ['1-byte plaintext', new Uint8Array([0x42])],\n ['1KB plaintext', globalThis.crypto.getRandomValues(new Uint8Array(1024))],\n ['empty plaintext', new Uint8Array(0)],\n ['high-bit-set bytes', new Uint8Array(64).fill(0xff)]\n ])('round-trips %s', async (__label, plaintext) => {\n const pair = await generateEcdhPair();\n const wrapped = (await provider.wrapBytes(plaintext, pair.publicKey, defaultOptions)).orThrow();\n expect(wrapped.ephemeralPublicKey.kty).toBe('EC');\n expect(wrapped.ephemeralPublicKey.crv).toBe('P-256');\n const recovered = (await provider.unwrapBytes(wrapped, pair.privateKey, defaultOptions)).orThrow();\n expect(new Uint8Array(recovered)).toEqual(plaintext);\n });\n });\n\n describe('determinism / freshness', () => {\n test('two wraps of identical inputs produce different ephemeral keys and ciphertexts', async () => {\n const pair = await generateEcdhPair();\n const plaintext = new TextEncoder().encode('same payload');\n const w1 = (await provider.wrapBytes(plaintext, pair.publicKey, defaultOptions)).orThrow();\n const w2 = (await provider.wrapBytes(plaintext, pair.publicKey, defaultOptions)).orThrow();\n expect(w1.ephemeralPublicKey).not.toEqual(w2.ephemeralPublicKey);\n expect(w1.ciphertext).not.toEqual(w2.ciphertext);\n expect(w1.nonce).not.toEqual(w2.nonce);\n });\n });\n\n describe('tampering', () => {\n test('flipping a bit in the nonce fails GCM authentication', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const nonce = provider.fromBase64(wrapped.nonce).orThrow();\n nonce[0] ^= 0xff;\n const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, nonce: provider.toBase64(nonce) };\n expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed/i\n );\n });\n\n test('flipping a bit in the ciphertext fails GCM authentication', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const ct = provider.fromBase64(wrapped.ciphertext).orThrow();\n ct[0] ^= 0x01;\n const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ciphertext: provider.toBase64(ct) };\n expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed/i\n );\n });\n\n test('truncating ciphertext by one byte fails GCM authentication (still ≥ 16 bytes)', async () => {\n const pair = await generateEcdhPair();\n // 16-byte plaintext → 32-byte ciphertext (16 ct + 16 tag); truncate by 1 → 31 bytes ≥ 16\n const wrapped = (\n await provider.wrapBytes(new Uint8Array(16).fill(0xab), pair.publicKey, defaultOptions)\n ).orThrow();\n const ct = provider.fromBase64(wrapped.ciphertext).orThrow();\n const truncated = ct.slice(0, ct.length - 1);\n const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ciphertext: provider.toBase64(truncated) };\n expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed/i\n );\n });\n\n test('substituting a different ephemeral public key fails authentication', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const other = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const tampered: CryptoUtils.IWrappedBytes = {\n ...wrapped,\n ephemeralPublicKey: other.ephemeralPublicKey\n };\n expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed/i\n );\n });\n });\n\n describe('wrong-key / wrong-options', () => {\n test('unwrap with a different recipient private key fails', async () => {\n const pair = await generateEcdhPair();\n const other = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n expect(await provider.unwrapBytes(wrapped, other.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed/i\n );\n });\n\n test('unwrap with a different HKDF salt fails authentication', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const wrongSalt: CryptoUtils.IWrapBytesOptions = {\n salt: new TextEncoder().encode('different-salt'),\n info: defaultOptions.info\n };\n expect(await provider.unwrapBytes(wrapped, pair.privateKey, wrongSalt)).toFailWith(\n /unwrapBytes failed/i\n );\n });\n\n test('unwrap with a different HKDF info fails authentication', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const wrongInfo: CryptoUtils.IWrapBytesOptions = {\n salt: defaultOptions.salt,\n info: new TextEncoder().encode('different-info')\n };\n expect(await provider.unwrapBytes(wrapped, pair.privateKey, wrongInfo)).toFailWith(\n /unwrapBytes failed/i\n );\n });\n\n test('empty salt and info round-trip when both sides agree', async () => {\n const pair = await generateEcdhPair();\n const empty: CryptoUtils.IWrapBytesOptions = { salt: new Uint8Array(0), info: new Uint8Array(0) };\n const plaintext = globalThis.crypto.getRandomValues(new Uint8Array(16));\n const wrapped = (await provider.wrapBytes(plaintext, pair.publicKey, empty)).orThrow();\n const recovered = (await provider.unwrapBytes(wrapped, pair.privateKey, empty)).orThrow();\n expect(new Uint8Array(recovered)).toEqual(plaintext);\n });\n });\n\n describe('malformed input', () => {\n test('malformed ephemeralPublicKey JWK fails', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const bogus: CryptoUtils.IWrappedBytes = {\n ...wrapped,\n ephemeralPublicKey: { kty: 'EC', crv: 'P-256' } as JsonWebKey\n };\n expect(await provider.unwrapBytes(bogus, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed/i\n );\n });\n\n test('ephemeralPublicKey on the wrong curve (P-384) fails', async () => {\n const pair = await generateEcdhPair();\n const wrongCurve = await generateEcdhPair('P-384');\n const wrongJwk = await subtle.exportKey('jwk', wrongCurve.publicKey);\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ephemeralPublicKey: wrongJwk };\n expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed/i\n );\n });\n\n test('non-base64 nonce fails with a clean error', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, nonce: 'not!base64!' };\n expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed: nonce/i\n );\n });\n\n test('non-base64 ciphertext fails with a clean error', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ciphertext: 'not!base64!' };\n expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed: ciphertext/i\n );\n });\n\n test('wrong-length nonce (after base64 decode) fails before reaching AES-GCM', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const shortNonce = new Uint8Array(8);\n const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, nonce: provider.toBase64(shortNonce) };\n expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed: nonce must be 12 bytes \\(got 8\\)/i\n );\n });\n\n test('ciphertext shorter than the GCM auth tag fails before reaching AES-GCM', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new TextEncoder().encode('payload'), pair.publicKey, defaultOptions)\n ).orThrow();\n const shortCt = new Uint8Array(8);\n const tampered: CryptoUtils.IWrappedBytes = { ...wrapped, ciphertext: provider.toBase64(shortCt) };\n expect(await provider.unwrapBytes(tampered, pair.privateKey, defaultOptions)).toFailWith(\n /unwrapBytes failed: ciphertext must be at least 16 bytes \\(got 8\\)/i\n );\n });\n });\n\n describe('algorithm / type mismatch on recipient key', () => {\n test('wrap fails when recipient public key is RSA-OAEP, not ECDH', async () => {\n const rsa = (await subtle.generateKey(\n {\n name: 'RSA-OAEP',\n modulusLength: 2048,\n publicExponent: new Uint8Array([0x01, 0x00, 0x01]),\n hash: 'SHA-256'\n },\n true,\n ['encrypt', 'decrypt']\n )) as CryptoKeyPair;\n const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), rsa.publicKey, defaultOptions);\n expect(result).toFailWith(/wrapBytes failed: recipient public key must be ECDH P-256.*RSA-OAEP/i);\n });\n\n test('wrap fails when recipient public key is ECDSA P-256, not ECDH', async () => {\n const ecdsa = await generateEcdsaPair();\n const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), ecdsa.publicKey, defaultOptions);\n expect(result).toFailWith(/wrapBytes failed: recipient public key must be ECDH P-256.*ECDSA/i);\n });\n\n test('wrap fails when recipient public key is ECDH P-384, not P-256', async () => {\n const wrongCurve = await generateEcdhPair('P-384');\n const result = await provider.wrapBytes(\n new Uint8Array([1, 2, 3]),\n wrongCurve.publicKey,\n defaultOptions\n );\n expect(result).toFailWith(/wrapBytes failed: recipient public key must be ECDH P-256.*P-384/i);\n });\n\n test('unwrap fails when recipient private key is ECDH P-384, not P-256', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new Uint8Array([1, 2, 3]), pair.publicKey, defaultOptions)\n ).orThrow();\n const wrongCurve = await generateEcdhPair('P-384');\n const result = await provider.unwrapBytes(wrapped, wrongCurve.privateKey, defaultOptions);\n expect(result).toFailWith(/unwrapBytes failed: recipient private key must be ECDH P-256.*P-384/i);\n });\n\n test('wrap fails when recipient is an ECDH private key (not public)', async () => {\n const pair = await generateEcdhPair();\n const result = await provider.wrapBytes(new Uint8Array([1, 2, 3]), pair.privateKey, defaultOptions);\n expect(result).toFailWith(\n /wrapBytes failed: recipient public key must be a public CryptoKey \\(got 'private'\\)/i\n );\n });\n\n test('unwrap fails when recipient is an ECDH public key (not private)', async () => {\n const pair = await generateEcdhPair();\n const wrapped = (\n await provider.wrapBytes(new Uint8Array([1, 2, 3]), pair.publicKey, defaultOptions)\n ).orThrow();\n const result = await provider.unwrapBytes(wrapped, pair.publicKey, defaultOptions);\n expect(result).toFailWith(\n /unwrapBytes failed: recipient private key must be a private CryptoKey \\(got 'public'\\)/i\n );\n });\n });\n});\n"]}

package/dist/ts-web-extras.d.ts CHANGED Viewed

@@ -109,6 +109,25 @@ declare class BrowserCryptoProvider implements CryptoUtils_2.ICryptoProvider {
      * @returns `Success` with the imported public `CryptoKey`, or `Failure` with an error.
      */
     importPublicKeyJwk(jwk: JsonWebKey, algorithm: CryptoUtils_2.KeyPairAlgorithm): Promise<Result<CryptoKey>>;
+    /**
+     * Wraps `plaintext` for the holder of `recipientPublicKey` using
+     * ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See
+     * {@link CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes}.
+     * @param plaintext - The bytes to wrap.
+     * @param recipientPublicKey - The recipient's ECDH P-256 public `CryptoKey`.
+     * @param options - HKDF salt and info; see {@link CryptoUtils.IWrapBytesOptions | IWrapBytesOptions}.
+     * @returns `Success` with the wrapped payload, or `Failure` with an error.
+     */
+    wrapBytes(plaintext: Uint8Array, recipientPublicKey: CryptoKey, options: CryptoUtils_2.IWrapBytesOptions): Promise<Result<CryptoUtils_2.IWrappedBytes>>;
+    /**
+     * Unwraps a payload produced by `wrapBytes` using the recipient's private
+     * key. See {@link CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes}.
+     * @param wrapped - The wrapped payload.
+     * @param recipientPrivateKey - The recipient's ECDH P-256 private `CryptoKey`.
+     * @param options - HKDF salt and info matching the wrap call.
+     * @returns `Success` with the original `plaintext`, or `Failure` with an error.
+     */
+    unwrapBytes(wrapped: CryptoUtils_2.IWrappedBytes, recipientPrivateKey: CryptoKey, options: CryptoUtils_2.IWrapBytesOptions): Promise<Result<Uint8Array>>;
 }
 /**

package/docs/CryptoUtils/classes/BrowserCryptoProvider.md CHANGED Viewed

@@ -199,5 +199,33 @@ Exports a public `CryptoKey` as a JSON Web Key.
 Imports a public-key JWK as a `CryptoKey` for the requested algorithm.
+</td></tr>
+<tr><td>
+[wrapBytes(plaintext, recipientPublicKey, options)](./BrowserCryptoProvider.wrapBytes.md)
+</td><td>
+</td><td>
+Wraps `plaintext` for the holder of `recipientPublicKey` using
+ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256).
+</td></tr>
+<tr><td>
+[unwrapBytes(wrapped, recipientPrivateKey, options)](./BrowserCryptoProvider.unwrapBytes.md)
+</td><td>
+</td><td>
+Unwraps a payload produced by `wrapBytes` using the recipient's private
+key.
 </td></tr>
 </tbody></table>

package/docs/CryptoUtils/classes/BrowserCryptoProvider.unwrapBytes.md ADDED Viewed

@@ -0,0 +1,27 @@
+[Home](../../README.md) > [CryptoUtils](../README.md) > [BrowserCryptoProvider](./BrowserCryptoProvider.md) > unwrapBytes
+## BrowserCryptoProvider.unwrapBytes() method
+Unwraps a payload produced by `wrapBytes` using the recipient's private
+key. See CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes.
+**Signature:**
+```typescript
+unwrapBytes(wrapped: IWrappedBytes, recipientPrivateKey: CryptoKey, options: IWrapBytesOptions): Promise<Result<Uint8Array<ArrayBufferLike>>>;
+```
+**Parameters:**
+<table><thead><tr><th>Parameter</th><th>Type</th><th>Description</th></tr></thead>
+<tbody>
+<tr><td>wrapped</td><td>IWrappedBytes</td><td>The wrapped payload.</td></tr>
+<tr><td>recipientPrivateKey</td><td>CryptoKey</td><td>The recipient's ECDH P-256 private `CryptoKey`.</td></tr>
+<tr><td>options</td><td>IWrapBytesOptions</td><td>HKDF salt and info matching the wrap call.</td></tr>
+</tbody></table>
+**Returns:**
+Promise&lt;Result&lt;Uint8Array&lt;ArrayBufferLike&gt;&gt;&gt;
+`Success` with the original `plaintext`, or `Failure` with an error.

package/docs/CryptoUtils/classes/BrowserCryptoProvider.wrapBytes.md ADDED Viewed

@@ -0,0 +1,28 @@
+[Home](../../README.md) > [CryptoUtils](../README.md) > [BrowserCryptoProvider](./BrowserCryptoProvider.md) > wrapBytes
+## BrowserCryptoProvider.wrapBytes() method
+Wraps `plaintext` for the holder of `recipientPublicKey` using
+ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See
+CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes.
+**Signature:**
+```typescript
+wrapBytes(plaintext: Uint8Array, recipientPublicKey: CryptoKey, options: IWrapBytesOptions): Promise<Result<IWrappedBytes>>;
+```
+**Parameters:**
+<table><thead><tr><th>Parameter</th><th>Type</th><th>Description</th></tr></thead>
+<tbody>
+<tr><td>plaintext</td><td>Uint8Array</td><td>The bytes to wrap.</td></tr>
+<tr><td>recipientPublicKey</td><td>CryptoKey</td><td>The recipient's ECDH P-256 public `CryptoKey`.</td></tr>
+<tr><td>options</td><td>IWrapBytesOptions</td><td>HKDF salt and info; see CryptoUtils.IWrapBytesOptions | IWrapBytesOptions.</td></tr>
+</tbody></table>
+**Returns:**
+Promise&lt;Result&lt;IWrappedBytes&gt;&gt;
+`Success` with the wrapped payload, or `Failure` with an error.

package/docs/classes/BrowserCryptoProvider.md CHANGED Viewed

@@ -199,5 +199,33 @@ Exports a public `CryptoKey` as a JSON Web Key.
 Imports a public-key JWK as a `CryptoKey` for the requested algorithm.
+</td></tr>
+<tr><td>
+[wrapBytes(plaintext, recipientPublicKey, options)](./BrowserCryptoProvider.wrapBytes.md)
+</td><td>
+</td><td>
+Wraps `plaintext` for the holder of `recipientPublicKey` using
+ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256).
+</td></tr>
+<tr><td>
+[unwrapBytes(wrapped, recipientPrivateKey, options)](./BrowserCryptoProvider.unwrapBytes.md)
+</td><td>
+</td><td>
+Unwraps a payload produced by `wrapBytes` using the recipient's private
+key.
 </td></tr>
 </tbody></table>

package/docs/classes/BrowserCryptoProvider.unwrapBytes.md ADDED Viewed

@@ -0,0 +1,27 @@
+[Home](../README.md) > [BrowserCryptoProvider](./BrowserCryptoProvider.md) > unwrapBytes
+## BrowserCryptoProvider.unwrapBytes() method
+Unwraps a payload produced by `wrapBytes` using the recipient's private
+key. See CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes.
+**Signature:**
+```typescript
+unwrapBytes(wrapped: IWrappedBytes, recipientPrivateKey: CryptoKey, options: IWrapBytesOptions): Promise<Result<Uint8Array<ArrayBufferLike>>>;
+```
+**Parameters:**
+<table><thead><tr><th>Parameter</th><th>Type</th><th>Description</th></tr></thead>
+<tbody>
+<tr><td>wrapped</td><td>IWrappedBytes</td><td>The wrapped payload.</td></tr>
+<tr><td>recipientPrivateKey</td><td>CryptoKey</td><td>The recipient's ECDH P-256 private `CryptoKey`.</td></tr>
+<tr><td>options</td><td>IWrapBytesOptions</td><td>HKDF salt and info matching the wrap call.</td></tr>
+</tbody></table>
+**Returns:**
+Promise&lt;Result&lt;Uint8Array&lt;ArrayBufferLike&gt;&gt;&gt;
+`Success` with the original `plaintext`, or `Failure` with an error.

package/docs/classes/BrowserCryptoProvider.wrapBytes.md ADDED Viewed

@@ -0,0 +1,28 @@
+[Home](../README.md) > [BrowserCryptoProvider](./BrowserCryptoProvider.md) > wrapBytes
+## BrowserCryptoProvider.wrapBytes() method
+Wraps `plaintext` for the holder of `recipientPublicKey` using
+ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See
+CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes.
+**Signature:**
+```typescript
+wrapBytes(plaintext: Uint8Array, recipientPublicKey: CryptoKey, options: IWrapBytesOptions): Promise<Result<IWrappedBytes>>;
+```
+**Parameters:**
+<table><thead><tr><th>Parameter</th><th>Type</th><th>Description</th></tr></thead>
+<tbody>
+<tr><td>plaintext</td><td>Uint8Array</td><td>The bytes to wrap.</td></tr>
+<tr><td>recipientPublicKey</td><td>CryptoKey</td><td>The recipient's ECDH P-256 public `CryptoKey`.</td></tr>
+<tr><td>options</td><td>IWrapBytesOptions</td><td>HKDF salt and info; see CryptoUtils.IWrapBytesOptions | IWrapBytesOptions.</td></tr>
+</tbody></table>
+**Returns:**
+Promise&lt;Result&lt;IWrappedBytes&gt;&gt;
+`Success` with the wrapped payload, or `Failure` with an error.

package/etc/ts-web-extras.api.md CHANGED Viewed

@@ -25,6 +25,11 @@ class BrowserCryptoProvider implements CryptoUtils_2.ICryptoProvider {
     importPublicKeyJwk(jwk: JsonWebKey, algorithm: CryptoUtils_2.KeyPairAlgorithm): Promise<Result<CryptoKey>>;
     sha256(data: string): Promise<Result<string>>;
     toBase64(data: Uint8Array): string;
+    // Warning: (ae-unresolved-link) The @link reference could not be resolved: This type of declaration is not supported yet by the resolver
+    unwrapBytes(wrapped: CryptoUtils_2.IWrappedBytes, recipientPrivateKey: CryptoKey, options: CryptoUtils_2.IWrapBytesOptions): Promise<Result<Uint8Array>>;
+    // Warning: (ae-unresolved-link) The @link reference could not be resolved: This type of declaration is not supported yet by the resolver
+    // Warning: (ae-unresolved-link) The @link reference could not be resolved: This type of declaration is not supported yet by the resolver
+    wrapBytes(plaintext: Uint8Array, recipientPublicKey: CryptoKey, options: CryptoUtils_2.IWrapBytesOptions): Promise<Result<CryptoUtils_2.IWrappedBytes>>;
 }
 // @public

package/lib/packlets/crypto-utils/browserCryptoProvider.d.ts CHANGED Viewed

@@ -94,6 +94,25 @@ export declare class BrowserCryptoProvider implements CryptoUtils.ICryptoProvide
      * @returns `Success` with the imported public `CryptoKey`, or `Failure` with an error.
      */
     importPublicKeyJwk(jwk: JsonWebKey, algorithm: CryptoUtils.KeyPairAlgorithm): Promise<Result<CryptoKey>>;
+    /**
+     * Wraps `plaintext` for the holder of `recipientPublicKey` using
+     * ECIES (ECDH P-256 + HKDF-SHA256 + AES-GCM-256). See
+     * {@link CryptoUtils.ICryptoProvider.wrapBytes | ICryptoProvider.wrapBytes}.
+     * @param plaintext - The bytes to wrap.
+     * @param recipientPublicKey - The recipient's ECDH P-256 public `CryptoKey`.
+     * @param options - HKDF salt and info; see {@link CryptoUtils.IWrapBytesOptions | IWrapBytesOptions}.
+     * @returns `Success` with the wrapped payload, or `Failure` with an error.
+     */
+    wrapBytes(plaintext: Uint8Array, recipientPublicKey: CryptoKey, options: CryptoUtils.IWrapBytesOptions): Promise<Result<CryptoUtils.IWrappedBytes>>;
+    /**
+     * Unwraps a payload produced by `wrapBytes` using the recipient's private
+     * key. See {@link CryptoUtils.ICryptoProvider.unwrapBytes | ICryptoProvider.unwrapBytes}.
+     * @param wrapped - The wrapped payload.
+     * @param recipientPrivateKey - The recipient's ECDH P-256 private `CryptoKey`.
+     * @param options - HKDF salt and info matching the wrap call.
+     * @returns `Success` with the original `plaintext`, or `Failure` with an error.
+     */
+    unwrapBytes(wrapped: CryptoUtils.IWrappedBytes, recipientPrivateKey: CryptoKey, options: CryptoUtils.IWrapBytesOptions): Promise<Result<Uint8Array>>;
 }
 /**
  * Creates a {@link CryptoUtils.BrowserCryptoProvider | BrowserCryptoProvider} if Web

package/lib/packlets/crypto-utils/browserCryptoProvider.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"browserCryptoProvider.d.ts","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/browserCryptoProvider.ts"],"names":[],"mappings":"~~AAqBA~~,OAAO,EAAoD,MAAM,EAAoB,MAAM,eAAe,CAAC;AAC3G,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;~~AAc7C~~;;;;;;;;GAQG;AACH,qBAAa,qBAAsB,YAAW,WAAW,CAAC,eAAe;IACvE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;~~IAEjC~~;;;OAGG;gBACgB,SAAS,CAAC,EAAE,MAAM;IAYrC;;;;;OAKG;IACU,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;IAmDxG;;;;;;;OAOG;IACU,OAAO,CAClB,aAAa,EAAE,UAAU,EACzB,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,EACd,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAgD1B;;;OAGG;IACU,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAWvD;;;;;;OAMG;IACU,SAAS,CACpB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAqC9B;;;;OAIG;IACU,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAoB1D;;;;OAIG;IACI,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;IAY9D;;;;OAIG;IACI,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM;IASzC;;;;OAIG;IACI,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;IAiBrD;;;;;OAKG;IACU,eAAe,CAC1B,SAAS,EAAE,WAAW,CAAC,gBAAgB,EACvC,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAQjC;;;;;;;;;OASG;IACU,kBAAkB,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAQlF;;;;;OAKG;IACU,kBAAkB,CAC7B,GAAG,EAAE,UAAU,EACf,SAAS,EAAE,WAAW,CAAC,gBAAgB,GACtC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;~~CAO9B~~;~~AAED~~;;;;;GAKG;AACH,wBAAgB,2BAA2B,IAAI,MAAM,CAAC,qBAAqB,CAAC,CAE3E"}
1	+ {"version":3,"file":"browserCryptoProvider.d.ts","sourceRoot":"","sources":["../../../src/packlets/crypto-utils/browserCryptoProvider.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAoD,MAAM,EAAoB,MAAM,eAAe,CAAC;AAC3G,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAkC7C;;;;;;;;GAQG;AACH,qBAAa,qBAAsB,YAAW,WAAW,CAAC,eAAe;IACvE,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IAGjC;;;OAGG;gBACgB,SAAS,CAAC,EAAE,MAAM;IAYrC;;;;;OAKG;IACU,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC,CAAC;IAmDxG;;;;;;;OAOG;IACU,OAAO,CAClB,aAAa,EAAE,UAAU,EACzB,GAAG,EAAE,UAAU,EACf,EAAE,EAAE,UAAU,EACd,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAgD1B;;;OAGG;IACU,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAWvD;;;;;;OAMG;IACU,SAAS,CACpB,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,UAAU,EAChB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAqC9B;;;;OAIG;IACU,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAoB1D;;;;OAIG;IACI,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;IAY9D;;;;OAIG;IACI,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,MAAM;IASzC;;;;OAIG;IACI,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;IAiBrD;;;;;OAKG;IACU,eAAe,CAC1B,SAAS,EAAE,WAAW,CAAC,gBAAgB,EACvC,WAAW,EAAE,OAAO,GACnB,OAAO,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;IAQjC;;;;;;;;;OASG;IACU,kBAAkB,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAQlF;;;;;OAKG;IACU,kBAAkB,CAC7B,GAAG,EAAE,UAAU,EACf,SAAS,EAAE,WAAW,CAAC,gBAAgB,GACtC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAS7B;;;;;;;;OAQG;IACU,SAAS,CACpB,SAAS,EAAE,UAAU,EACrB,kBAAkB,EAAE,SAAS,EAC7B,OAAO,EAAE,WAAW,CAAC,iBAAiB,GACrC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;IAoC7C;;;;;;;OAOG;IACU,WAAW,CACtB,OAAO,EAAE,WAAW,CAAC,aAAa,EAClC,mBAAmB,EAAE,SAAS,EAC9B,OAAO,EAAE,WAAW,CAAC,iBAAiB,GACrC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;CAuD/B;AA+BD;;;;;GAKG;AACH,wBAAgB,2BAA2B,IAAI,MAAM,CAAC,qBAAqB,CAAC,CAE3E"}