@freesignal/protocol 0.1.0 → 0.1.2

package/data.d.ts

@@ -104,4 +104,12 @@ declare class MessageConstructor implements Encodable, Message {
     toString(): string;
     toJSON(): string;
 }
+type LocalStorageIterator<T> = Iterable<T>;
+export interface LocalStorage<K, T> {
+    set(key: K, value: T): this;
+    get(key: K): T | undefined;
+    has(key: K): boolean;
+    delete(key: K): boolean;
+    entries(): LocalStorageIterator<[K, T]>;
+}
 export {};

package/data.js

@@ -84,7 +84,7 @@ class DatagramConstructor {
     constructor(data, receiver, protocol, payload) {
         if (!receiver && !protocol && !payload) {
             if (data instanceof Uint8Array) {
-                const obj = (0, utils_1.encodeUTF8)(data).split(',');
+                const obj = (0, utils_1.encodeUTF8)(data).split(':');
                 this.id = obj[0];
                 this.version = parseInt(obj[1]);
                 this.sender = obj[2];
@@ -125,7 +125,7 @@ class DatagramConstructor {
             this.receiver,
             Protocols.toCode(this.protocol).toString(),
             this.payload ? this.payload : undefined, this.createdAt
-        ].filter(x => x !== undefined).join(','));
+        ].filter(x => x !== undefined).join(':'));
     }
     toString() {
         return this.toJSON();
@@ -174,7 +174,7 @@ class MessageConstructor {
             this.text = "";
         }
         else if (opts instanceof Uint8Array) {
-            const arr = (0, utils_1.encodeUTF8)(opts).split(',');
+            const arr = (0, utils_1.encodeUTF8)(opts).split(':');
             this.version = arr[0];
             this.text = (_a = arr[1]) !== null && _a !== void 0 ? _a : "";
             this.group = arr[2];
@@ -215,7 +215,7 @@ class MessageConstructor {
         return this;
     }
     encode() {
-        return (0, utils_1.decodeUTF8)([this.version, this.text, this.group, JSON.stringify(this.attachments || [])].join(','));
+        return (0, utils_1.decodeUTF8)([this.version, this.text, this.group, JSON.stringify(this.attachments || [])].join(':'));
     }
     toString() {
         return this.toJSON();

package/double-ratchet.d.ts

@@ -17,23 +17,22 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>
  */
 import { Encodable } from "./data";
-/**
- * Creates a new Double Ratchet session.
- *
- * @param opts.remoteKey The public key of the remote party.
- * @param opts.preSharedKey An optional pre-shared key to initialize the session.
- *
- * @returns A new Double Ratchet session.
- */
-export declare function createSession(opts?: {
-    remoteKey?: Uint8Array;
-    preSharedKey?: Uint8Array;
-}): Session;
+type ExportedKeySession = {
+    secretKey: string;
+    remoteKey: string;
+    rootKey: string;
+    sendingChain: string;
+    receivingChain: string;
+    sendingCount: number;
+    receivingCount: number;
+    previousCount: number;
+    previousKeys: [number, Uint8Array][];
+};
 /**
  * Represents a secure Double Ratchet session.
  * Used for forward-secure encryption and decryption of messages.
  */
-export declare class Session {
+export declare class KeySession {
     private static readonly skipLimit;
     static readonly version = 1;
     static readonly rootKeyLength: number;
@@ -47,8 +46,9 @@ export declare class Session {
     private receivingCount;
     private previousKeys;
     constructor(opts?: {
+        secretKey?: Uint8Array;
         remoteKey?: Uint8Array;
-        preSharedKey?: Uint8Array;
+        rootKey?: Uint8Array;
     });
     /**
      * Whether both the sending and receiving chains are initialized.
@@ -62,11 +62,8 @@ export declare class Session {
      * The last known remote public key.
      */
     get remoteKey(): Uint8Array | undefined;
-    /**
-     * Set remote public key.
-     */
-    setRemoteKey(key: Uint8Array): this;
-    private dhRatchet;
+    private setRemoteKey;
+    private ratchetKeys;
     private getSendingKey;
     private getReceivingKey;
     /**
@@ -75,7 +72,7 @@ export declare class Session {
      * @param message - The message as a Uint8Array.
      * @returns An EncryptedPayload or undefined if encryption fails.
      */
-    encrypt(message: Uint8Array): EncryptedPayload | undefined;
+    encrypt(message: Uint8Array): EncryptedPayload;
     /**
      * Decrypts an encrypted message.
      *
@@ -86,14 +83,14 @@ export declare class Session {
     /**
      * Export the state of the session;
      */
-    export(): string;
+    export(): ExportedKeySession;
     /**
      * Import a state.
      *
      * @param json string returned by `export()` method.
      * @returns session with the state parsed.
      */
-    static import(json: string): Session;
+    static import(json: string): KeySession;
     /**
      * The fixed key length (in bytes) used throughout the Double Ratchet session.
      * Typically 32 bytes (256 bits) for symmetric keys.
@@ -134,26 +131,12 @@ export interface EncryptedPayload extends Encodable {
      * The encrypted message content.
      */
     readonly ciphertext: Uint8Array;
-    /**
-     * The payload signature.
-     */
-    /**
-     * Set the signature of the payload.
-     *
-     * @param signature signature
-     */
-    /**
-     * Return the payload without the signature.
-     */
     /**
      * Serializes the payload into a Uint8Array for transport.
      */
     encode(): Uint8Array;
     /**
-     * Decodes the payload into a readable object format.
-     */
-    /**
-     * Returns the payload as a UTF-8 string.
+     * Returns the payload as a Base64 string.
      */
     toString(): string;
     /**
@@ -170,3 +153,4 @@ export declare class EncryptedPayload {
      */
     static from(array: Uint8Array | EncryptedPayload): EncryptedPayload;
 }
+export {};

package/double-ratchet.js

@@ -21,37 +21,25 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.EncryptedPayload = exports.Session = void 0;
-exports.createSession = createSession;
+exports.EncryptedPayload = exports.KeySession = void 0;
 const crypto_1 = __importDefault(require("./crypto"));
 const utils_1 = require("./utils");
-/**
- * Creates a new Double Ratchet session.
- *
- * @param opts.remoteKey The public key of the remote party.
- * @param opts.preSharedKey An optional pre-shared key to initialize the session.
- *
- * @returns A new Double Ratchet session.
- */
-function createSession(opts) {
-    return new Session(opts);
-}
 /**
  * Represents a secure Double Ratchet session.
  * Used for forward-secure encryption and decryption of messages.
  */
-class Session {
+class KeySession {
     constructor(opts = {}) {
-        this.keyPair = crypto_1.default.ECDH.keyPair();
         this.sendingCount = 0;
         this.previousCount = 0;
         this.receivingCount = 0;
         this.previousKeys = new KeyMap();
-        if (opts.preSharedKey)
-            this.rootKey = opts.preSharedKey;
+        this.keyPair = crypto_1.default.ECDH.keyPair(opts.secretKey);
+        if (opts.rootKey)
+            this.rootKey = opts.rootKey;
         if (opts.remoteKey) {
             this._remoteKey = opts.remoteKey;
-            this.sendingChain = this.dhRatchet();
+            this.sendingChain = this.ratchetKeys();
         }
     }
     /**
@@ -66,46 +54,43 @@ class Session {
      * The last known remote public key.
      */
     get remoteKey() { return this._remoteKey; }
-    /**
-     * Set remote public key.
-     */
     setRemoteKey(key) {
         this._remoteKey = key;
-        this.receivingChain = this.dhRatchet();
-        if (this.receivingCount > (EncryptedPayloadConstructor.maxCount - Session.skipLimit * 2))
+        this.receivingChain = this.ratchetKeys();
+        if (this.receivingCount > (EncryptedPayloadConstructor.maxCount - KeySession.skipLimit * 2))
             this.receivingCount = 0;
         this.previousCount = this.sendingCount;
         this.keyPair = crypto_1.default.ECDH.keyPair();
-        this.sendingChain = this.dhRatchet();
-        if (this.sendingCount > (EncryptedPayloadConstructor.maxCount - Session.skipLimit * 2))
+        this.sendingChain = this.ratchetKeys();
+        if (this.sendingCount > (EncryptedPayloadConstructor.maxCount - KeySession.skipLimit * 2))
             this.sendingCount = 0;
         return this;
     }
-    dhRatchet(info) {
+    ratchetKeys(info) {
         if (!this._remoteKey)
             throw new Error();
         const sharedKey = crypto_1.default.scalarMult(this.keyPair.secretKey, this._remoteKey);
         if (!this.rootKey)
             this.rootKey = crypto_1.default.hash(sharedKey);
-        const hashkey = crypto_1.default.hkdf(sharedKey, this.rootKey, info, Session.keyLength * 2);
-        this.rootKey = hashkey.slice(0, Session.keyLength);
-        return hashkey.slice(Session.keyLength);
+        const hashkey = crypto_1.default.hkdf(sharedKey, this.rootKey, info, KeySession.keyLength * 2);
+        this.rootKey = hashkey.slice(0, KeySession.keyLength);
+        return hashkey.slice(KeySession.keyLength);
     }
     getSendingKey() {
         if (!this.sendingChain)
             throw new Error;
-        const out = Session.symmetricRatchet(this.sendingChain);
-        this.sendingChain = out[0];
+        const { chainKey, sharedKey } = KeySession.symmetricRatchet(this.sendingChain);
+        this.sendingChain = chainKey;
         this.sendingCount++;
-        return out[1];
+        return sharedKey;
     }
     getReceivingKey() {
         if (!this.receivingChain)
             throw new Error();
-        const out = Session.symmetricRatchet(this.receivingChain);
-        this.receivingChain = out[0];
+        const { chainKey, sharedKey } = KeySession.symmetricRatchet(this.receivingChain);
+        this.receivingChain = chainKey;
         this.receivingCount++;
-        return out[1];
+        return sharedKey;
     }
     /**
      * Encrypts a message payload using the current sending chain.
@@ -114,17 +99,12 @@ class Session {
      * @returns An EncryptedPayload or undefined if encryption fails.
      */
     encrypt(message) {
-        try {
-            const key = this.getSendingKey();
-            if (this.sendingCount >= EncryptedPayloadConstructor.maxCount || this.previousCount >= EncryptedPayloadConstructor.maxCount)
-                throw new Error();
-            const nonce = crypto_1.default.randomBytes(EncryptedPayloadConstructor.nonceLength);
-            const ciphertext = crypto_1.default.box.encrypt(message, nonce, key);
-            return new EncryptedPayloadConstructor(this.sendingCount, this.previousCount, this.keyPair.publicKey, nonce, ciphertext);
-        }
-        catch (error) {
-            return undefined;
-        }
+        const key = this.getSendingKey();
+        if (this.sendingCount >= EncryptedPayloadConstructor.maxCount || this.previousCount >= EncryptedPayloadConstructor.maxCount)
+            throw new Error();
+        const nonce = crypto_1.default.randomBytes(EncryptedPayloadConstructor.nonceLength);
+        const ciphertext = crypto_1.default.box.encrypt(message, nonce, key);
+        return new EncryptedPayloadConstructor(this.sendingCount, this.previousCount, this.keyPair.publicKey, nonce, ciphertext);
     }
     /**
      * Decrypts an encrypted message.
@@ -134,47 +114,44 @@ class Session {
      */
     decrypt(payload) {
         var _a;
-        try {
-            const encrypted = EncryptedPayload.from(payload);
-            const publicKey = encrypted.publicKey;
-            if (!(0, utils_1.verifyUint8Array)(publicKey, this._remoteKey)) {
-                while (this.receivingCount < encrypted.previous)
-                    this.previousKeys.set(this.receivingCount, this.getReceivingKey());
-                this.setRemoteKey(publicKey);
-            }
-            let key;
-            const count = encrypted.count;
-            if (this.receivingCount < count) {
-                let i = 0;
-                while (this.receivingCount < count - 1 && i < Session.skipLimit) {
-                    this.previousKeys.set(this.receivingCount, this.getReceivingKey());
-                }
-                key = this.getReceivingKey();
-            }
-            else {
-                key = this.previousKeys.get(count);
+        const encrypted = EncryptedPayload.from(payload);
+        const publicKey = encrypted.publicKey;
+        if (!(0, utils_1.verifyUint8Array)(publicKey, this._remoteKey)) {
+            while (this.receivingCount < encrypted.previous)
+                this.previousKeys.set(this.receivingCount, this.getReceivingKey());
+            this.setRemoteKey(publicKey);
+        }
+        let key;
+        const count = encrypted.count;
+        if (this.receivingCount < count) {
+            let i = 0;
+            while (this.receivingCount < count - 1 && i < KeySession.skipLimit) {
+                this.previousKeys.set(this.receivingCount, this.getReceivingKey());
             }
-            if (!key)
-                return undefined;
-            return (_a = crypto_1.default.box.decrypt(encrypted.ciphertext, encrypted.nonce, key)) !== null && _a !== void 0 ? _a : undefined;
+            key = this.getReceivingKey();
         }
-        catch (error) {
-            return undefined;
+        else {
+            key = this.previousKeys.get(count);
         }
+        if (!key)
+            return undefined;
+        return (_a = crypto_1.default.box.decrypt(encrypted.ciphertext, encrypted.nonce, key)) !== null && _a !== void 0 ? _a : undefined;
     }
     /**
      * Export the state of the session;
      */
     export() {
-        return JSON.stringify({
+        return {
+            secretKey: (0, utils_1.encodeBase64)((0, utils_1.concatUint8Array)(this.keyPair.secretKey)),
             remoteKey: (0, utils_1.encodeBase64)(this._remoteKey),
             rootKey: (0, utils_1.encodeBase64)(this.rootKey),
             sendingChain: (0, utils_1.encodeBase64)(this.sendingChain),
             receivingChain: (0, utils_1.encodeBase64)(this.receivingChain),
             sendingCount: this.sendingCount,
             receivingCount: this.receivingCount,
-            //previousCount: this.previousCount
-        });
+            previousCount: this.previousCount,
+            previousKeys: Array.from(this.previousKeys.entries())
+        };
     }
     /**
      * Import a state.
@@ -184,27 +161,33 @@ class Session {
      */
     static import(json) {
         const data = JSON.parse(json);
-        const session = new Session({ remoteKey: (0, utils_1.decodeBase64)(data.remoteKey), preSharedKey: (0, utils_1.decodeBase64)(data.rootKey) });
+        const session = new KeySession({ secretKey: (0, utils_1.decodeBase64)(data.secretKey), rootKey: (0, utils_1.decodeBase64)(data.rootKey) });
+        session._remoteKey = (0, utils_1.decodeBase64)(data.remoteKey);
         session.sendingChain = (0, utils_1.decodeBase64)(data.sendingChain);
         session.receivingChain = (0, utils_1.decodeBase64)(data.receivingChain);
         session.sendingCount = data.sendingCount;
         session.receivingCount = data.receivingCount;
+        session.previousCount = data.previousCount;
+        session.previousKeys = new KeyMap(data.previousKeys);
         return session;
     }
     static symmetricRatchet(chain, salt, info) {
-        const hash = crypto_1.default.hkdf(chain, salt !== null && salt !== void 0 ? salt : new Uint8Array(), info, Session.keyLength * 2);
-        return [new Uint8Array(hash.buffer, 0, Session.keyLength), new Uint8Array(hash.buffer, Session.keyLength)];
+        const hash = crypto_1.default.hkdf(chain, salt !== null && salt !== void 0 ? salt : new Uint8Array(), info, KeySession.keyLength * 2);
+        return {
+            chainKey: new Uint8Array(hash.buffer, 0, KeySession.keyLength),
+            sharedKey: new Uint8Array(hash.buffer, KeySession.keyLength)
+        };
     }
 }
-exports.Session = Session;
-Session.skipLimit = 1000;
-Session.version = 1;
-Session.rootKeyLength = crypto_1.default.box.keyLength;
+exports.KeySession = KeySession;
+KeySession.skipLimit = 1000;
+KeySession.version = 1;
+KeySession.rootKeyLength = crypto_1.default.box.keyLength;
 /**
  * The fixed key length (in bytes) used throughout the Double Ratchet session.
  * Typically 32 bytes (256 bits) for symmetric keys.
  */
-Session.keyLength = 32;
+KeySession.keyLength = 32;
 class EncryptedPayload {
     /**
      * Static factory method that constructs an `EncryptedPayload` from a raw Uint8Array.
@@ -230,7 +213,7 @@ class EncryptedPayloadConstructor {
         if (typeof arrays[1] === 'number')
             arrays[1] = (0, utils_1.numberToUint8Array)(arrays[1], EncryptedPayloadConstructor.countLength);
         if (arrays.length > 1) {
-            arrays.unshift((_a = (typeof arrays[5] === 'number' ? (0, utils_1.numberToUint8Array)(arrays[5]) : arrays[5])) !== null && _a !== void 0 ? _a : (0, utils_1.numberToUint8Array)(Session.version));
+            arrays.unshift((_a = (typeof arrays[5] === 'number' ? (0, utils_1.numberToUint8Array)(arrays[5]) : arrays[5])) !== null && _a !== void 0 ? _a : (0, utils_1.numberToUint8Array)(KeySession.version));
         }
         this.raw = (0, utils_1.concatUint8Array)(...arrays);
     }
@@ -241,32 +224,6 @@ class EncryptedPayloadConstructor {
     get publicKey() { return new Uint8Array(this.raw.buffer, ...Offsets.publicKey.get); }
     get nonce() { return new Uint8Array(this.raw.buffer, ...Offsets.nonce.get); }
     get ciphertext() { return new Uint8Array(this.raw.buffer, Offsets.ciphertext.start); }
-    /*public get signature() { return this.signed ? new Uint8Array(this.raw.buffer, this.raw.length - EncryptedPayloadConstructor.signatureLength) : undefined }
-
-    public setSignature(signature: Uint8Array): this {
-        this.raw = concatUint8Array(this.raw, signature);
-        this.signed = true;
-        return this;
-    }
-
-    public encodeUnsigned(): Uint8Array {
-        return !this.signed ? this.raw : new Uint8Array(this.raw.buffer, 0, this.raw.length - EncryptedPayloadConstructor.signatureLength);
-    }
-
-    public encode(fixedLength?: number): Uint8Array {
-        if (fixedLength) {
-            var padStart = Math.floor(Math.random() * fixedLength - 2 - this.raw.length);
-            var padEnd = Math.floor(padStart + 2 + this.raw.length);
-        } else {
-            padStart = Math.floor(Math.random() * (EncryptedPayloadConstructor.maxPadLength - EncryptedPayloadConstructor.minPadLength) + 1) + EncryptedPayloadConstructor.minPadLength;
-            padEnd = Math.floor(Math.random() * (EncryptedPayloadConstructor.maxPadLength - EncryptedPayloadConstructor.minPadLength) + 1) + EncryptedPayloadConstructor.minPadLength;
-        }
-        return concatUint8Array(
-            randomBytes(padStart - 1).map((value) => value !== 255 ? value : (value - 1)),
-            new Uint8Array(1).fill(255), this.raw, new Uint8Array(1).fill(255),
-            randomBytes(padEnd).map((value) => value !== 255 ? value : (value - 1)),
-        );
-    }*/
     encode() {
         return this.raw;
     }
@@ -277,24 +234,20 @@ class EncryptedPayloadConstructor {
             previous: this.previous,
             publicKey: (0, utils_1.encodeBase64)(this.publicKey),
             nonce: (0, utils_1.encodeBase64)(this.nonce),
-            ciphertext: (0, utils_1.encodeUTF8)(this.ciphertext),
-            //signature: encodeBase64(this.signature)
+            ciphertext: (0, utils_1.encodeBase64)(this.ciphertext)
         };
     }
     toString() {
-        return (0, utils_1.encodeUTF8)(this.raw);
+        return (0, utils_1.encodeBase64)(this.raw);
     }
     toJSON() {
         return JSON.stringify(this.decode());
     }
 }
-//public static readonly signatureLength = crypto.EdDSA.signatureLength;
 EncryptedPayloadConstructor.secretKeyLength = crypto_1.default.ECDH.secretKeyLength;
 EncryptedPayloadConstructor.publicKeyLength = crypto_1.default.ECDH.publicKeyLength;
 EncryptedPayloadConstructor.keyLength = crypto_1.default.box.keyLength;
 EncryptedPayloadConstructor.nonceLength = crypto_1.default.box.nonceLength;
-//public static readonly minPadLength = 6;
-//public static readonly maxPadLength = 14;
 EncryptedPayloadConstructor.maxCount = 65536; //32768;
 EncryptedPayloadConstructor.countLength = 2;
 class Offsets {
@@ -320,15 +273,7 @@ Offsets.previous = Offsets.set(Offsets.count.end, EncryptedPayloadConstructor.co
 Offsets.publicKey = Offsets.set(Offsets.previous.end, EncryptedPayloadConstructor.publicKeyLength);
 Offsets.nonce = Offsets.set(Offsets.publicKey.end, EncryptedPayloadConstructor.nonceLength);
 Offsets.ciphertext = Offsets.set(Offsets.nonce.end, undefined);
-class KeyMap {
-    constructor(iterable) {
-        return new KeyMapConstructor(iterable);
-    }
-}
-class KeyMapConstructor extends Map {
-    constructor(iterable) {
-        super(iterable);
-    }
+class KeyMap extends Map {
     get(key) {
         const out = super.get(key);
         if (out && !super.delete(key))

package/index.d.ts

@@ -0,0 +1,25 @@
+import crypto from "./crypto";
+import { LocalStorage } from "./data";
+import { KeySession } from "./double-ratchet";
+import { KeyExchange } from "./x3dh";
+/**
+ * Creates a new Double Ratchet session.
+ *
+ * @param opts.remoteKey The public key of the remote party.
+ * @param opts.preSharedKey An optional pre-shared key to initialize the session.
+ *
+ * @returns A new Double Ratchet session.
+ */
+export declare function createKeySession(opts?: {
+    secretKey?: Uint8Array;
+    remoteKey?: Uint8Array;
+    rootKey?: Uint8Array;
+}): KeySession;
+/**
+ * Creates a new X3DH session.
+ *
+ * @param signKeyPair
+ * @param bundleStore
+ * @returns A new X3DH session.
+ */
+export declare function createKeyExchange(signKeyPair: crypto.KeyPair, bundleStore?: LocalStorage<string, crypto.KeyPair>): KeyExchange;

package/index.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createKeySession = createKeySession;
+exports.createKeyExchange = createKeyExchange;
+const double_ratchet_1 = require("./double-ratchet");
+const x3dh_1 = require("./x3dh");
+/**
+ * Creates a new Double Ratchet session.
+ *
+ * @param opts.remoteKey The public key of the remote party.
+ * @param opts.preSharedKey An optional pre-shared key to initialize the session.
+ *
+ * @returns A new Double Ratchet session.
+ */
+function createKeySession(opts) {
+    return new double_ratchet_1.KeySession(opts);
+}
+/**
+ * Creates a new X3DH session.
+ *
+ * @param signKeyPair
+ * @param bundleStore
+ * @returns A new X3DH session.
+ */
+function createKeyExchange(signKeyPair, bundleStore) {
+    return new x3dh_1.KeyExchange(signKeyPair, bundleStore);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@freesignal/protocol",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Signal Protocol implementation in javascript",
   "license": "GPL-3.0-or-later",
   "author": "Christian Braghette",

package/test.js

@@ -2,16 +2,24 @@
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
+var _a, _b;
 Object.defineProperty(exports, "__esModule", { value: true });
-const x3dh_1 = require("./x3dh");
+const _1 = require(".");
 const crypto_1 = __importDefault(require("./crypto"));
 const utils_1 = require("./utils");
-const bob = new x3dh_1.X3DH(crypto_1.default.EdDSA.keyPair());
-const alice = new x3dh_1.X3DH(crypto_1.default.EdDSA.keyPair());
+const bob = (0, _1.createKeyExchange)(crypto_1.default.EdDSA.keyPair());
+const alice = (0, _1.createKeyExchange)(crypto_1.default.EdDSA.keyPair());
 const bobmessage = bob.generateSyn();
-const { rootKey, ackMessage: aliceack } = alice.digestSyn(bobmessage);
-if ((0, utils_1.verifyUint8Array)(rootKey, bob.digestAck(aliceack))) {
+const { session: alicesession, ackMessage: aliceack } = alice.digestSyn(bobmessage);
+const { session: bobsession, cleartext } = (_a = bob.digestAck(aliceack)) !== null && _a !== void 0 ? _a : {};
+if (bobsession && cleartext) {
     console.log("Session established successfully between Alice and Bob.");
+    const msg = (_b = bobsession.encrypt((0, utils_1.decodeUTF8)("Hi Alice!"))) === null || _b === void 0 ? void 0 : _b.encode();
+    console.log((0, utils_1.encodeUTF8)(alicesession.decrypt(msg)));
+    if (alicesession.handshaked && bobsession.handshaked)
+        console.log("Successfully handshaked");
+    else
+        console.log("Error during handshake");
 }
 else
     console.log("Error");

package/x3dh.d.ts

@@ -17,58 +17,52 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>
  */
 import crypto from "./crypto";
-type BoxKeyPair = crypto.KeyPair;
-type SignKeyPair = crypto.KeyPair;
-type ExportedX3DH = [
-    SignKeyPair,
-    [
-        Array<[string, BoxKeyPair]>,
-        Array<[string, BoxKeyPair]>
-    ]
-];
+import { LocalStorage } from "./data";
+import { KeySession } from "./double-ratchet";
 interface SynMessage {
     readonly version: number;
-    readonly PK: string;
-    readonly IK: string;
-    readonly SPK: string;
-    readonly SPKsign: string;
-    readonly OPK: string;
+    readonly publicKey: string;
+    readonly identityKey: string;
+    readonly signedPreKey: string;
+    readonly signature: string;
+    readonly onetimePreKey: string;
 }
 interface AckMessage {
     readonly version: number;
-    readonly PK: string;
-    readonly IK: string;
-    readonly EK: string;
-    readonly SPKhash: string;
-    readonly OPKhash: string;
-    readonly AD: string;
+    readonly publicKey: string;
+    readonly identityKey: string;
+    readonly ephemeralKey: string;
+    readonly signedPreKeyHash: string;
+    readonly onetimePreKeyHash: string;
+    readonly associatedData: string;
 }
 export interface Bundle {
     readonly version: number;
-    readonly PK: string;
-    readonly IK: string;
-    readonly SPK: string;
-    readonly SPKsign: string;
-    readonly OPK: string[];
+    readonly publicKey: string;
+    readonly identityKey: string;
+    readonly signedPreKey: string;
+    readonly signature: string;
+    readonly onetimePreKeyHash: string[];
 }
-export declare class X3DH {
+export declare class KeyExchange {
     static readonly version = 1;
     private static readonly hkdfInfo;
     private static readonly maxOPK;
-    private readonly PK;
-    private readonly IK;
+    private readonly publicKey;
+    private readonly identityKey;
     private readonly bundleStore;
-    constructor(signKeyPair: SignKeyPair, instance?: [Iterable<[string, BoxKeyPair]>, Iterable<[string, BoxKeyPair]>]);
+    constructor(signKeyPair: crypto.KeyPair, bundleStore?: LocalStorage<string, crypto.KeyPair>);
     private generateSPK;
     private generateOPK;
     generateBundle(length?: number): Bundle;
     generateSyn(): SynMessage;
-    digestSyn(message: SynMessage, encrypter?: (msg: Uint8Array, key: Uint8Array) => Uint8Array): {
-        rootKey: Uint8Array;
+    digestSyn(message: SynMessage): {
+        session: KeySession;
         ackMessage: AckMessage;
     };
-    digestAck(message: AckMessage, verifier?: (ciphertext: Uint8Array, key: Uint8Array) => boolean): Uint8Array | undefined;
-    export(): ExportedX3DH;
-    static import(input: ExportedX3DH): X3DH;
+    digestAck(message: AckMessage): {
+        session: KeySession;
+        cleartext: Uint8Array;
+    };
 }
 export {};

package/x3dh.js

@@ -21,116 +21,106 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.X3DH = void 0;
+exports.KeyExchange = void 0;
 const crypto_1 = __importDefault(require("./crypto"));
 const double_ratchet_1 = require("./double-ratchet");
 const utils_1 = require("./utils");
-class X3DH {
-    constructor(signKeyPair, instance) {
-        this.PK = signKeyPair;
-        this.IK = crypto_1.default.ECDH.keyPair(crypto_1.default.hash(signKeyPair.secretKey));
-        this.bundleStore = {
-            SPK: new Map(instance ? instance[0] : []),
-            OPK: new Map(instance ? instance[1] : [])
-        };
+class KeyExchange {
+    constructor(signKeyPair, bundleStore) {
+        this.publicKey = signKeyPair;
+        this.identityKey = crypto_1.default.ECDH.keyPair(crypto_1.default.hash(signKeyPair.secretKey));
+        this.bundleStore = bundleStore !== null && bundleStore !== void 0 ? bundleStore : new Map();
     }
     generateSPK() {
-        const SPK = crypto_1.default.ECDH.keyPair();
-        const SPKhash = crypto_1.default.hash(SPK.publicKey);
-        this.bundleStore.SPK.set((0, utils_1.encodeBase64)(SPKhash), SPK);
-        return { SPK, SPKhash };
+        const signedPreKey = crypto_1.default.ECDH.keyPair();
+        const signedPreKeyHash = crypto_1.default.hash(signedPreKey.publicKey);
+        this.bundleStore.set((0, utils_1.encodeBase64)(signedPreKeyHash), signedPreKey);
+        return { signedPreKey, signedPreKeyHash };
     }
     generateOPK(spkHash) {
-        const OPK = crypto_1.default.ECDH.keyPair();
-        const OPKhash = crypto_1.default.hash(OPK.publicKey);
-        this.bundleStore.OPK.set((0, utils_1.encodeBase64)(spkHash).concat((0, utils_1.encodeBase64)(OPKhash)), OPK);
-        return { OPK, OPKhash };
+        const onetimePreKey = crypto_1.default.ECDH.keyPair();
+        const onetimePreKeyHash = crypto_1.default.hash(onetimePreKey.publicKey);
+        this.bundleStore.set((0, utils_1.encodeBase64)(spkHash).concat((0, utils_1.encodeBase64)(onetimePreKeyHash)), onetimePreKey);
+        return { onetimePreKey, onetimePreKeyHash };
     }
     generateBundle(length) {
-        const { SPK, SPKhash } = this.generateSPK();
-        const OPK = new Array(length !== null && length !== void 0 ? length : X3DH.maxOPK).fill(0).map(() => this.generateOPK(SPKhash).OPK);
+        const { signedPreKey, signedPreKeyHash } = this.generateSPK();
+        const onetimePreKey = new Array(length !== null && length !== void 0 ? length : KeyExchange.maxOPK).fill(0).map(() => this.generateOPK(signedPreKeyHash).onetimePreKey);
         return {
-            version: X3DH.version,
-            PK: (0, utils_1.encodeBase64)(this.PK.publicKey),
-            IK: (0, utils_1.encodeBase64)(this.IK.publicKey),
-            SPK: (0, utils_1.encodeBase64)(SPK.publicKey),
-            SPKsign: (0, utils_1.encodeBase64)(crypto_1.default.EdDSA.sign((0, utils_1.concatUint8Array)(crypto_1.default.hash(this.IK.publicKey), SPKhash), this.PK.secretKey)),
-            OPK: OPK.map(opk => (0, utils_1.encodeBase64)(opk.publicKey))
+            version: KeyExchange.version,
+            publicKey: (0, utils_1.encodeBase64)(this.publicKey.publicKey),
+            identityKey: (0, utils_1.encodeBase64)(this.identityKey.publicKey),
+            signedPreKey: (0, utils_1.encodeBase64)(signedPreKey.publicKey),
+            signature: (0, utils_1.encodeBase64)(crypto_1.default.EdDSA.sign(signedPreKeyHash, this.publicKey.secretKey)),
+            onetimePreKeyHash: onetimePreKey.map(opk => (0, utils_1.encodeBase64)(opk.publicKey))
         };
     }
     generateSyn() {
-        const { SPK, SPKhash } = this.generateSPK();
-        const { OPK } = this.generateOPK(SPKhash);
+        const { signedPreKey, signedPreKeyHash } = this.generateSPK();
+        const { onetimePreKey } = this.generateOPK(signedPreKeyHash);
         return {
-            version: X3DH.version,
-            PK: (0, utils_1.encodeBase64)(this.PK.publicKey),
-            IK: (0, utils_1.encodeBase64)(this.IK.publicKey),
-            SPK: (0, utils_1.encodeBase64)(SPK.publicKey),
-            SPKsign: (0, utils_1.encodeBase64)(crypto_1.default.EdDSA.sign((0, utils_1.concatUint8Array)(crypto_1.default.hash(this.IK.publicKey), SPKhash), this.PK.secretKey)),
-            OPK: (0, utils_1.encodeBase64)(OPK.publicKey)
+            version: KeyExchange.version,
+            publicKey: (0, utils_1.encodeBase64)(this.publicKey.publicKey),
+            identityKey: (0, utils_1.encodeBase64)(this.identityKey.publicKey),
+            signedPreKey: (0, utils_1.encodeBase64)(signedPreKey.publicKey),
+            signature: (0, utils_1.encodeBase64)(crypto_1.default.EdDSA.sign(signedPreKeyHash, this.publicKey.secretKey)),
+            onetimePreKey: (0, utils_1.encodeBase64)(onetimePreKey.publicKey)
         };
     }
-    digestSyn(message, encrypter) {
-        const EK = crypto_1.default.ECDH.keyPair();
-        const SPK = (0, utils_1.decodeBase64)(message.SPK);
-        const IK = (0, utils_1.decodeBase64)(message.IK);
-        const OPK = message.OPK ? (0, utils_1.decodeBase64)(message.OPK) : undefined;
-        const spkHash = crypto_1.default.hash(SPK);
-        const opkHash = OPK ? crypto_1.default.hash(OPK) : new Uint8Array();
+    digestSyn(message) {
+        const ephemeralKey = crypto_1.default.ECDH.keyPair();
+        const signedPreKey = (0, utils_1.decodeBase64)(message.signedPreKey);
+        const identityKey = (0, utils_1.decodeBase64)(message.identityKey);
+        const onetimePreKey = message.onetimePreKey ? (0, utils_1.decodeBase64)(message.onetimePreKey) : undefined;
+        const signedPreKeyHash = crypto_1.default.hash(signedPreKey);
+        const onetimePreKeyHash = onetimePreKey ? crypto_1.default.hash(onetimePreKey) : new Uint8Array();
         const rootKey = crypto_1.default.hkdf(new Uint8Array([
-            ...crypto_1.default.scalarMult(this.IK.secretKey, SPK),
-            ...crypto_1.default.scalarMult(EK.secretKey, IK),
-            ...crypto_1.default.scalarMult(EK.secretKey, SPK),
-            ...OPK ? crypto_1.default.scalarMult(EK.secretKey, OPK) : new Uint8Array()
-        ]), new Uint8Array(double_ratchet_1.Session.rootKeyLength).fill(0), X3DH.hkdfInfo, double_ratchet_1.Session.rootKeyLength);
-        if (!encrypter)
-            encrypter = (msg, key) => crypto_1.default.box.encrypt(msg, new Uint8Array(crypto_1.default.box.nonceLength).fill(0), key);
+            ...crypto_1.default.scalarMult(this.identityKey.secretKey, signedPreKey),
+            ...crypto_1.default.scalarMult(ephemeralKey.secretKey, identityKey),
+            ...crypto_1.default.scalarMult(ephemeralKey.secretKey, signedPreKey),
+            ...onetimePreKey ? crypto_1.default.scalarMult(ephemeralKey.secretKey, onetimePreKey) : new Uint8Array()
+        ]), new Uint8Array(double_ratchet_1.KeySession.rootKeyLength).fill(0), KeyExchange.hkdfInfo, double_ratchet_1.KeySession.rootKeyLength);
+        const session = new double_ratchet_1.KeySession({ secretKey: this.identityKey.secretKey, remoteKey: identityKey, rootKey });
+        const cyphertext = session.encrypt((0, utils_1.concatUint8Array)(crypto_1.default.hash(this.identityKey.publicKey), crypto_1.default.hash(identityKey)));
+        if (!cyphertext)
+            throw new Error();
         return {
-            rootKey,
+            session,
             ackMessage: {
-                version: X3DH.version,
-                PK: (0, utils_1.encodeBase64)(this.PK.publicKey),
-                IK: (0, utils_1.encodeBase64)(this.IK.publicKey),
-                EK: (0, utils_1.encodeBase64)(EK.publicKey),
-                SPKhash: (0, utils_1.encodeBase64)(spkHash),
-                OPKhash: (0, utils_1.encodeBase64)(opkHash),
-                AD: (0, utils_1.encodeBase64)(encrypter((0, utils_1.concatUint8Array)(crypto_1.default.hash(this.IK.publicKey), crypto_1.default.hash(IK)), rootKey))
+                version: KeyExchange.version,
+                publicKey: (0, utils_1.encodeBase64)(this.publicKey.publicKey),
+                identityKey: (0, utils_1.encodeBase64)(this.identityKey.publicKey),
+                ephemeralKey: (0, utils_1.encodeBase64)(ephemeralKey.publicKey),
+                signedPreKeyHash: (0, utils_1.encodeBase64)(signedPreKeyHash),
+                onetimePreKeyHash: (0, utils_1.encodeBase64)(onetimePreKeyHash),
+                associatedData: (0, utils_1.encodeBase64)(cyphertext.encode())
             }
         };
     }
-    digestAck(message, verifier) {
-        const SPK = this.bundleStore.SPK.get(message.SPKhash);
-        const OPK = this.bundleStore.OPK.get(message.SPKhash.concat(message.OPKhash));
-        if (!SPK || !OPK || !message.IK || !message.EK)
-            return;
-        const IK = (0, utils_1.decodeBase64)(message.IK);
-        const EK = (0, utils_1.decodeBase64)(message.EK);
+    digestAck(message) {
+        const signedPreKey = this.bundleStore.get(message.signedPreKeyHash);
+        const hash = message.signedPreKeyHash.concat(message.onetimePreKeyHash);
+        const onetimePreKey = this.bundleStore.get(hash);
+        if (!signedPreKey || !onetimePreKey || !message.identityKey || !message.ephemeralKey)
+            throw new Error("ACK message malformed");
+        if (!this.bundleStore.delete(hash))
+            throw new Error("Bundle store deleting error");
+        const identityKey = (0, utils_1.decodeBase64)(message.identityKey);
+        const ephemeralKey = (0, utils_1.decodeBase64)(message.ephemeralKey);
         const rootKey = crypto_1.default.hkdf(new Uint8Array([
-            ...crypto_1.default.scalarMult(SPK.secretKey, IK),
-            ...crypto_1.default.scalarMult(this.IK.secretKey, EK),
-            ...crypto_1.default.scalarMult(SPK.secretKey, EK),
-            ...OPK ? crypto_1.default.scalarMult(OPK.secretKey, EK) : new Uint8Array()
-        ]), new Uint8Array(double_ratchet_1.Session.rootKeyLength).fill(0), X3DH.hkdfInfo, double_ratchet_1.Session.rootKeyLength);
-        if (!verifier)
-            verifier = (ciphertext, key) => (0, utils_1.verifyUint8Array)(crypto_1.default.box.decrypt(ciphertext, new Uint8Array(crypto_1.default.box.nonceLength).fill(0), key), (0, utils_1.concatUint8Array)(crypto_1.default.hash(IK), crypto_1.default.hash(this.IK.publicKey)));
-        if (!verifier((0, utils_1.decodeBase64)(message.AD), rootKey))
-            return;
-        return rootKey;
-    }
-    export() {
-        return [
-            this.IK,
-            [
-                Array.from(this.bundleStore.SPK.entries()),
-                Array.from(this.bundleStore.OPK.entries())
-            ]
-        ];
-    }
-    static import(input) {
-        return new X3DH(...input);
+            ...crypto_1.default.scalarMult(signedPreKey.secretKey, identityKey),
+            ...crypto_1.default.scalarMult(this.identityKey.secretKey, ephemeralKey),
+            ...crypto_1.default.scalarMult(signedPreKey.secretKey, ephemeralKey),
+            ...onetimePreKey ? crypto_1.default.scalarMult(onetimePreKey.secretKey, ephemeralKey) : new Uint8Array()
+        ]), new Uint8Array(double_ratchet_1.KeySession.rootKeyLength).fill(0), KeyExchange.hkdfInfo, double_ratchet_1.KeySession.rootKeyLength);
+        const session = new double_ratchet_1.KeySession({ secretKey: this.identityKey.secretKey, rootKey });
+        const cleartext = session.decrypt((0, utils_1.decodeBase64)(message.associatedData));
+        if (!cleartext)
+            throw new Error("Error decrypting ACK message");
+        return { session, cleartext };
     }
 }
-exports.X3DH = X3DH;
-X3DH.version = 1;
-X3DH.hkdfInfo = (0, utils_1.decodeUTF8)("freesignal/x3dh/" + X3DH.version);
-X3DH.maxOPK = 10;
+exports.KeyExchange = KeyExchange;
+KeyExchange.version = 1;
+KeyExchange.hkdfInfo = (0, utils_1.decodeUTF8)("freesignal/x3dh/" + KeyExchange.version);
+KeyExchange.maxOPK = 10;