@gjsify/crypto 0.3.16 → 0.3.17

package/lib/esm/ecdh.js

@@ -1,438 +1 @@
-import { modPow } from "./bigint-math.js";
-import { randomBytes } from "./random.js";
-import { Buffer } from "node:buffer";
-
-//#region src/ecdh.ts
-const CURVES = {
-	secp256k1: {
-		p: 115792089237316195423570985008687907853269984665640564039457584007908834671663n,
-		a: 0n,
-		b: 7n,
-		Gx: 55066263022277343669578718895168534326250603453777594175500187360389116729240n,
-		Gy: 32670510020758816978083085130507043184471273380659243275938904335757337482424n,
-		n: 115792089237316195423570985008687907852837564279074904382605163141518161494337n,
-		byteLength: 32
-	},
-	prime256v1: {
-		p: 115792089210356248762697446949407573530086143415290314195533631308867097853951n,
-		a: 115792089210356248762697446949407573530086143415290314195533631308867097853951n - 3n,
-		b: 41058363725152142129326129780047268409114441015993725554835256314039467401291n,
-		Gx: 48439561293906451759052585252797914202762949526041747995844080717082404635286n,
-		Gy: 36134250956749795798585127919587881956611106672985015071877198253568414405109n,
-		n: 115792089210356248762697446949407573529996955224135760342422259061068512044369n,
-		byteLength: 32
-	},
-	secp384r1: {
-		p: 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319n,
-		a: 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319n - 3n,
-		b: 27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575n,
-		Gx: 26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087n,
-		Gy: 8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871n,
-		n: 39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643n,
-		byteLength: 48
-	},
-	secp521r1: {
-		p: 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151n,
-		a: 6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151n - 3n,
-		b: 1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984n,
-		Gx: 2661740802050217063228768716723360960729859168756973147706671368418802944996427808491545080627771902352094241225065558662157113545570916814161637315895999846n,
-		Gy: 3757180025770020463545507224491183603594455134769762486694567779615544477440556316691234405012945539562144444537289428522585666729196580810124344277578376784n,
-		n: 6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449n,
-		byteLength: 66
-	}
-};
-const CURVE_ALIASES = {
-	"secp256k1": "secp256k1",
-	"prime256v1": "prime256v1",
-	"secp256r1": "prime256v1",
-	"p-256": "prime256v1",
-	"p256": "prime256v1",
-	"secp384r1": "secp384r1",
-	"p-384": "secp384r1",
-	"p384": "secp384r1",
-	"secp521r1": "secp521r1",
-	"p-521": "secp521r1",
-	"p521": "secp521r1"
-};
-/**
-* Non-negative modulus: always returns a value in [0, mod).
-*/
-function mod(a, m) {
-	const r = a % m;
-	return r < 0n ? r + m : r;
-}
-/**
-* Modular multiplicative inverse using extended Euclidean algorithm.
-* Returns x such that (a * x) mod m = 1.
-* Throws if a and m are not coprime.
-*/
-function modInverse(a, m) {
-	a = mod(a, m);
-	if (a === 0n) {
-		throw new Error("No modular inverse for zero");
-	}
-	let [old_r, r] = [a, m];
-	let [old_s, s] = [1n, 0n];
-	while (r !== 0n) {
-		const q = old_r / r;
-		[old_r, r] = [r, old_r - q * r];
-		[old_s, s] = [s, old_s - q * s];
-	}
-	if (old_r !== 1n) {
-		throw new Error("Modular inverse does not exist");
-	}
-	return mod(old_s, m);
-}
-/**
-* Add two points on the curve.
-* Returns the point at infinity (null) when appropriate.
-*/
-function pointAdd(P, Q, curve) {
-	if (P === null) return Q;
-	if (Q === null) return P;
-	const { p } = curve;
-	if (P.x === Q.x) {
-		if (mod(P.y + Q.y, p) === 0n) {
-			return null;
-		}
-		return pointDouble(P, curve);
-	}
-	const dx = mod(Q.x - P.x, p);
-	const dy = mod(Q.y - P.y, p);
-	const lambda = mod(dy * modInverse(dx, p), p);
-	const x3 = mod(lambda * lambda - P.x - Q.x, p);
-	const y3 = mod(lambda * (P.x - x3) - P.y, p);
-	return {
-		x: x3,
-		y: y3
-	};
-}
-/**
-* Double a point on the curve.
-*/
-function pointDouble(P, curve) {
-	if (P === null) return null;
-	const { a, p } = curve;
-	if (P.y === 0n) return null;
-	const num = mod(3n * P.x * P.x + a, p);
-	const den = mod(2n * P.y, p);
-	const lambda = mod(num * modInverse(den, p), p);
-	const x3 = mod(lambda * lambda - 2n * P.x, p);
-	const y3 = mod(lambda * (P.x - x3) - P.y, p);
-	return {
-		x: x3,
-		y: y3
-	};
-}
-/**
-* Scalar multiplication using the double-and-add method (constant-time-ish
-* with respect to the bit length of the scalar, but not fully
-* constant-time — acceptable since we are not a production crypto library
-* and match the behaviour of refs/create-ecdh which uses elliptic.js).
-*
-* Uses a fixed-window approach of width 1 (Montgomery ladder variant) to
-* avoid the most trivial timing leaks.
-*/
-function scalarMul(k, P, curve) {
-	if (P === null) return null;
-	if (k === 0n) return null;
-	const { n } = curve;
-	k = mod(k, n);
-	if (k === 0n) return null;
-	let R0 = null;
-	let R1 = P;
-	const bits = k.toString(2);
-	for (let i = 0; i < bits.length; i++) {
-		if (bits[i] === "1") {
-			R0 = pointAdd(R0, R1, curve);
-			R1 = pointDouble(R1, curve);
-		} else {
-			R1 = pointAdd(R0, R1, curve);
-			R0 = pointDouble(R0, curve);
-		}
-	}
-	return R0;
-}
-/**
-* Convert a BigInt to a Buffer of exactly `len` bytes (big-endian,
-* zero-padded on the left).
-*/
-function bigintToBuffer(n, len) {
-	const hex = n.toString(16).padStart(len * 2, "0");
-	return Buffer.from(hex, "hex");
-}
-/**
-* Convert a Buffer (big-endian unsigned) to a BigInt.
-*/
-function bufferToBigint(buf) {
-	const hex = Buffer.from(buf).toString("hex");
-	if (hex.length === 0) return 0n;
-	return BigInt("0x" + hex);
-}
-/**
-* Encode a public key point to a Buffer.
-*
-* Formats:
-*   'uncompressed' (default) — 0x04 || x || y
-*   'compressed'             — 0x02 (even y) or 0x03 (odd y) || x
-*   'hybrid'                 — 0x06 (even y) or 0x07 (odd y) || x || y
-*/
-function encodePublicKey(point, byteLength, format = "uncompressed") {
-	if (point === null) {
-		throw new Error("Cannot encode the point at infinity");
-	}
-	const xBuf = bigintToBuffer(point.x, byteLength);
-	if (format === "compressed") {
-		const prefix = point.y % 2n === 0n ? 2 : 3;
-		return Buffer.concat([Buffer.from([prefix]), xBuf]);
-	}
-	const yBuf = bigintToBuffer(point.y, byteLength);
-	if (format === "hybrid") {
-		const prefix = point.y % 2n === 0n ? 6 : 7;
-		return Buffer.concat([
-			Buffer.from([prefix]),
-			xBuf,
-			yBuf
-		]);
-	}
-	return Buffer.concat([
-		Buffer.from([4]),
-		xBuf,
-		yBuf
-	]);
-}
-/**
-* Decode a public key from a Buffer to an ECPoint.
-*
-* Supports uncompressed (0x04), compressed (0x02/0x03), and hybrid (0x06/0x07).
-*/
-function decodePublicKey(buf, curve) {
-	const data = Buffer.from(buf);
-	if (data.length === 0) {
-		throw new Error("Invalid public key: empty buffer");
-	}
-	const prefix = data[0];
-	const { p, a, b, byteLength } = curve;
-	if (prefix === 4 || prefix === 6 || prefix === 7) {
-		if (data.length !== 1 + 2 * byteLength) {
-			throw new Error(`Invalid public key length: expected ${1 + 2 * byteLength} bytes, got ${data.length}`);
-		}
-		const x = bufferToBigint(data.subarray(1, 1 + byteLength));
-		const y = bufferToBigint(data.subarray(1 + byteLength));
-		const lhs = mod(y * y, p);
-		const rhs = mod(x * x * x + a * x + b, p);
-		if (lhs !== rhs) {
-			throw new Error("Invalid public key: point is not on the curve");
-		}
-		return {
-			x,
-			y
-		};
-	}
-	if (prefix === 2 || prefix === 3) {
-		if (data.length !== 1 + byteLength) {
-			throw new Error(`Invalid public key length: expected ${1 + byteLength} bytes, got ${data.length}`);
-		}
-		const x = bufferToBigint(data.subarray(1, 1 + byteLength));
-		const ySquared = mod(x * x * x + a * x + b, p);
-		const y = sqrtMod(ySquared, p);
-		if (y === null) {
-			throw new Error("Invalid public key: no valid y coordinate for the given x");
-		}
-		const isOdd = prefix === 3;
-		const finalY = y % 2n !== 0n === isOdd ? y : mod(p - y, p);
-		return {
-			x,
-			y: finalY
-		};
-	}
-	throw new Error(`Invalid public key prefix: 0x${prefix.toString(16).padStart(2, "0")}`);
-}
-/**
-* Compute the modular square root of a modulo p (Tonelli-Shanks algorithm).
-*
-* For the special case p ≡ 3 (mod 4), uses the simpler formula: a^((p+1)/4) mod p.
-* All four supported NIST curves have p ≡ 3 (mod 4), but we include
-* Tonelli-Shanks for completeness.
-*
-* Returns null if a is not a quadratic residue mod p.
-*/
-function sqrtMod(a, p) {
-	a = mod(a, p);
-	if (a === 0n) return 0n;
-	if (modPow(a, (p - 1n) / 2n, p) !== 1n) {
-		return null;
-	}
-	if (mod(p, 4n) === 3n) {
-		return modPow(a, (p + 1n) / 4n, p);
-	}
-	let S = 0n;
-	let Q = p - 1n;
-	while (mod(Q, 2n) === 0n) {
-		Q /= 2n;
-		S++;
-	}
-	let z = 2n;
-	while (modPow(z, (p - 1n) / 2n, p) !== p - 1n) {
-		z++;
-	}
-	let M = S;
-	let c = modPow(z, Q, p);
-	let t = modPow(a, Q, p);
-	let R = modPow(a, (Q + 1n) / 2n, p);
-	while (true) {
-		if (t === 0n) return 0n;
-		if (t === 1n) return R;
-		let i = 1n;
-		let temp = mod(t * t, p);
-		while (temp !== 1n) {
-			temp = mod(temp * temp, p);
-			i++;
-		}
-		const b = modPow(c, modPow(2n, M - i - 1n, p - 1n), p);
-		M = i;
-		c = mod(b * b, p);
-		t = mod(t * c, p);
-		R = mod(R * b, p);
-	}
-}
-/**
-* Coerce an input value to a Buffer. Accepts Buffer, Uint8Array, or a string
-* with an optional encoding.
-*/
-function toBuffer(value, encoding) {
-	if (Buffer.isBuffer(value)) return value;
-	if (value instanceof Uint8Array) return Buffer.from(value);
-	if (typeof value === "string") {
-		return Buffer.from(value, encoding || "utf8");
-	}
-	if (ArrayBuffer.isView(value)) {
-		return Buffer.from(value.buffer, value.byteOffset, value.byteLength);
-	}
-	throw new TypeError("The \"key\" argument must be of type string or an instance of Buffer, TypedArray, or DataView.");
-}
-/**
-* Optionally encode a Buffer to a string. If encoding is null/undefined,
-* return the raw Buffer.
-*/
-function formatReturnValue(buf, encoding) {
-	if (encoding) {
-		return buf.toString(encoding);
-	}
-	return buf;
-}
-function resolveCurve(curveName) {
-	const lower = curveName.toLowerCase();
-	const canonical = CURVE_ALIASES[lower];
-	if (!canonical) {
-		throw new Error(`Unsupported curve: ${curveName}`);
-	}
-	const params = CURVES[canonical];
-	if (!params) {
-		throw new Error(`Unsupported curve: ${curveName}`);
-	}
-	return {
-		canonical,
-		params
-	};
-}
-var ECDH = class {
-	_curve;
-	_curveName;
-	_privateKey = null;
-	_publicKey = null;
-	constructor(curveName) {
-		const resolved = resolveCurve(curveName);
-		this._curve = resolved.params;
-		this._curveName = resolved.canonical;
-	}
-	generateKeys(encoding, format) {
-		const { n, byteLength } = this._curve;
-		let k;
-		do {
-			const bytes = randomBytes(byteLength);
-			k = bufferToBigint(bytes);
-		} while (k === 0n || k >= n);
-		this._privateKey = k;
-		const G = {
-			x: this._curve.Gx,
-			y: this._curve.Gy
-		};
-		this._publicKey = scalarMul(k, G, this._curve);
-		return this.getPublicKey(encoding, format);
-	}
-	/**
-	* Compute the shared secret using the other party's public key.
-	*/
-	computeSecret(otherPublicKey, inputEncoding, outputEncoding) {
-		if (this._privateKey === null) {
-			throw new Error("ECDH key not generated. Call generateKeys() or setPrivateKey() first.");
-		}
-		const pubBuf = toBuffer(otherPublicKey, inputEncoding);
-		const otherPoint = decodePublicKey(pubBuf, this._curve);
-		if (otherPoint === null) {
-			throw new Error("Invalid public key: point at infinity");
-		}
-		const sharedPoint = scalarMul(this._privateKey, otherPoint, this._curve);
-		if (sharedPoint === null) {
-			throw new Error("Shared secret computation resulted in the point at infinity");
-		}
-		const secret = bigintToBuffer(sharedPoint.x, this._curve.byteLength);
-		return formatReturnValue(secret, outputEncoding);
-	}
-	getPublicKey(encoding, format) {
-		if (this._publicKey === null) {
-			throw new Error("ECDH key not generated. Call generateKeys() or setPrivateKey() first.");
-		}
-		const buf = encodePublicKey(this._publicKey, this._curve.byteLength, format || "uncompressed");
-		return formatReturnValue(buf, encoding);
-	}
-	getPrivateKey(encoding) {
-		if (this._privateKey === null) {
-			throw new Error("ECDH key not generated. Call generateKeys() or setPrivateKey() first.");
-		}
-		const buf = bigintToBuffer(this._privateKey, this._curve.byteLength);
-		return formatReturnValue(buf, encoding);
-	}
-	/**
-	* Set the public key. The key can be in uncompressed, compressed, or hybrid format.
-	*/
-	setPublicKey(key, encoding) {
-		const buf = toBuffer(key, encoding);
-		this._publicKey = decodePublicKey(buf, this._curve);
-	}
-	/**
-	* Set the private key and derive the corresponding public key.
-	*/
-	setPrivateKey(key, encoding) {
-		const buf = toBuffer(key, encoding);
-		const k = bufferToBigint(buf);
-		if (k === 0n || k >= this._curve.n) {
-			throw new Error("Private key is out of range [1, n-1]");
-		}
-		this._privateKey = k;
-		const G = {
-			x: this._curve.Gx,
-			y: this._curve.Gy
-		};
-		this._publicKey = scalarMul(k, G, this._curve);
-	}
-};
-function createECDH(curveName) {
-	return new ECDH(curveName);
-}
-/**
-* Return a list of supported elliptic curve names.
-*/
-function getCurves() {
-	return [
-		"secp256k1",
-		"prime256v1",
-		"secp256r1",
-		"secp384r1",
-		"secp521r1"
-	];
-}
-
-//#endregion
-export { CURVES, CURVE_ALIASES, createECDH, getCurves, mod, modInverse, pointAdd, scalarMul };
+import{modPow as e}from"./bigint-math.js";import{randomBytes as t}from"./random.js";import{Buffer as n}from"node:buffer";const r={secp256k1:{p:115792089237316195423570985008687907853269984665640564039457584007908834671663n,a:0n,b:7n,Gx:55066263022277343669578718895168534326250603453777594175500187360389116729240n,Gy:32670510020758816978083085130507043184471273380659243275938904335757337482424n,n:115792089237316195423570985008687907852837564279074904382605163141518161494337n,byteLength:32},prime256v1:{p:115792089210356248762697446949407573530086143415290314195533631308867097853951n,a:115792089210356248762697446949407573530086143415290314195533631308867097853951n-3n,b:41058363725152142129326129780047268409114441015993725554835256314039467401291n,Gx:48439561293906451759052585252797914202762949526041747995844080717082404635286n,Gy:36134250956749795798585127919587881956611106672985015071877198253568414405109n,n:115792089210356248762697446949407573529996955224135760342422259061068512044369n,byteLength:32},secp384r1:{p:39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319n,a:39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112319n-3n,b:27580193559959705877849011840389048093056905856361568521428707301988689241309860865136260764883745107765439761230575n,Gx:26247035095799689268623156744566981891852923491109213387815615900925518854738050089022388053975719786650872476732087n,Gy:8325710961489029985546751289520108179287853048861315594709205902480503199884419224438643760392947333078086511627871n,n:39402006196394479212279040100143613805079739270465446667946905279627659399113263569398956308152294913554433653942643n,byteLength:48},secp521r1:{p:6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151n,a:6864797660130609714981900799081393217269435300143305409394463459185543183397656052122559640661454554977296311391480858037121987999716643812574028291115057151n-3n,b:1093849038073734274511112390766805569936207598951683748994586394495953116150735016013708737573759623248592132296706313309438452531591012912142327488478985984n,Gx:2661740802050217063228768716723360960729859168756973147706671368418802944996427808491545080627771902352094241225065558662157113545570916814161637315895999846n,Gy:3757180025770020463545507224491183603594455134769762486694567779615544477440556316691234405012945539562144444537289428522585666729196580810124344277578376784n,n:6864797660130609714981900799081393217269435300143305409394463459185543183397655394245057746333217197532963996371363321113864768612440380340372808892707005449n,byteLength:66}},i={secp256k1:`secp256k1`,prime256v1:`prime256v1`,secp256r1:`prime256v1`,"p-256":`prime256v1`,p256:`prime256v1`,secp384r1:`secp384r1`,"p-384":`secp384r1`,p384:`secp384r1`,secp521r1:`secp521r1`,"p-521":`secp521r1`,p521:`secp521r1`};function a(e,t){let n=e%t;return n<0n?n+t:n}function o(e,t){if(e=a(e,t),e===0n)throw Error(`No modular inverse for zero`);let[n,r]=[e,t],[i,o]=[1n,0n];for(;r!==0n;){let e=n/r;[n,r]=[r,n-e*r],[i,o]=[o,i-e*o]}if(n!==1n)throw Error(`Modular inverse does not exist`);return a(i,t)}function s(e,t,n){if(e===null)return t;if(t===null)return e;let{p:r}=n;if(e.x===t.x)return a(e.y+t.y,r)===0n?null:c(e,n);let i=a(t.x-e.x,r),s=a(a(t.y-e.y,r)*o(i,r),r),l=a(s*s-e.x-t.x,r);return{x:l,y:a(s*(e.x-l)-e.y,r)}}function c(e,t){if(e===null)return null;let{a:n,p:r}=t;if(e.y===0n)return null;let i=a(a(3n*e.x*e.x+n,r)*o(a(2n*e.y,r),r),r),s=a(i*i-2n*e.x,r);return{x:s,y:a(i*(e.x-s)-e.y,r)}}function l(e,t,n){if(t===null||e===0n)return null;let{n:r}=n;if(e=a(e,r),e===0n)return null;let i=null,o=t,l=e.toString(2);for(let e=0;e<l.length;e++)l[e]===`1`?(i=s(i,o,n),o=c(o,n)):(o=s(i,o,n),i=c(i,n));return i}function u(e,t){let r=e.toString(16).padStart(t*2,`0`);return n.from(r,`hex`)}function d(e){let t=n.from(e).toString(`hex`);return t.length===0?0n:BigInt(`0x`+t)}function f(e,t,r=`uncompressed`){if(e===null)throw Error(`Cannot encode the point at infinity`);let i=u(e.x,t);if(r===`compressed`){let t=e.y%2n==0n?2:3;return n.concat([n.from([t]),i])}let a=u(e.y,t);if(r===`hybrid`){let t=e.y%2n==0n?6:7;return n.concat([n.from([t]),i,a])}return n.concat([n.from([4]),i,a])}function p(e,t){let r=n.from(e);if(r.length===0)throw Error(`Invalid public key: empty buffer`);let i=r[0],{p:o,a:s,b:c,byteLength:l}=t;if(i===4||i===6||i===7){if(r.length!==1+2*l)throw Error(`Invalid public key length: expected ${1+2*l} bytes, got ${r.length}`);let e=d(r.subarray(1,1+l)),t=d(r.subarray(1+l));if(a(t*t,o)!==a(e*e*e+s*e+c,o))throw Error(`Invalid public key: point is not on the curve`);return{x:e,y:t}}if(i===2||i===3){if(r.length!==1+l)throw Error(`Invalid public key length: expected ${1+l} bytes, got ${r.length}`);let e=d(r.subarray(1,1+l)),t=m(a(e*e*e+s*e+c,o),o);if(t===null)throw Error(`Invalid public key: no valid y coordinate for the given x`);let n=i===3;return{x:e,y:t%2n!=0n===n?t:a(o-t,o)}}throw Error(`Invalid public key prefix: 0x${i.toString(16).padStart(2,`0`)}`)}function m(t,n){if(t=a(t,n),t===0n)return 0n;if(e(t,(n-1n)/2n,n)!==1n)return null;if(a(n,4n)===3n)return e(t,(n+1n)/4n,n);let r=0n,i=n-1n;for(;a(i,2n)===0n;)i/=2n,r++;let o=2n;for(;e(o,(n-1n)/2n,n)!==n-1n;)o++;let s=r,c=e(o,i,n),l=e(t,i,n),u=e(t,(i+1n)/2n,n);for(;;){if(l===0n)return 0n;if(l===1n)return u;let t=1n,r=a(l*l,n);for(;r!==1n;)r=a(r*r,n),t++;let i=e(c,e(2n,s-t-1n,n-1n),n);s=t,c=a(i*i,n),l=a(l*c,n),u=a(u*i,n)}}function h(e,t){if(n.isBuffer(e))return e;if(e instanceof Uint8Array)return n.from(e);if(typeof e==`string`)return n.from(e,t||`utf8`);if(ArrayBuffer.isView(e))return n.from(e.buffer,e.byteOffset,e.byteLength);throw TypeError(`The "key" argument must be of type string or an instance of Buffer, TypedArray, or DataView.`)}function g(e,t){return t?e.toString(t):e}function _(e){let t=i[e.toLowerCase()];if(!t)throw Error(`Unsupported curve: ${e}`);let n=r[t];if(!n)throw Error(`Unsupported curve: ${e}`);return{canonical:t,params:n}}var v=class{_curve;_curveName;_privateKey=null;_publicKey=null;constructor(e){let t=_(e);this._curve=t.params,this._curveName=t.canonical}generateKeys(e,n){let{n:r,byteLength:i}=this._curve,a;do a=d(t(i));while(a===0n||a>=r);this._privateKey=a;let o={x:this._curve.Gx,y:this._curve.Gy};return this._publicKey=l(a,o,this._curve),this.getPublicKey(e,n)}computeSecret(e,t,n){if(this._privateKey===null)throw Error(`ECDH key not generated. Call generateKeys() or setPrivateKey() first.`);let r=p(h(e,t),this._curve);if(r===null)throw Error(`Invalid public key: point at infinity`);let i=l(this._privateKey,r,this._curve);if(i===null)throw Error(`Shared secret computation resulted in the point at infinity`);return g(u(i.x,this._curve.byteLength),n)}getPublicKey(e,t){if(this._publicKey===null)throw Error(`ECDH key not generated. Call generateKeys() or setPrivateKey() first.`);return g(f(this._publicKey,this._curve.byteLength,t||`uncompressed`),e)}getPrivateKey(e){if(this._privateKey===null)throw Error(`ECDH key not generated. Call generateKeys() or setPrivateKey() first.`);return g(u(this._privateKey,this._curve.byteLength),e)}setPublicKey(e,t){let n=h(e,t);this._publicKey=p(n,this._curve)}setPrivateKey(e,t){let n=d(h(e,t));if(n===0n||n>=this._curve.n)throw Error(`Private key is out of range [1, n-1]`);this._privateKey=n;let r={x:this._curve.Gx,y:this._curve.Gy};this._publicKey=l(n,r,this._curve)}};function y(e){return new v(e)}function b(){return[`secp256k1`,`prime256v1`,`secp256r1`,`secp384r1`,`secp521r1`]}export{r as CURVES,i as CURVE_ALIASES,y as createECDH,b as getCurves,a as mod,o as modInverse,s as pointAdd,l as scalarMul};

package/lib/esm/ecdsa.js

@@ -1,152 +1 @@
-import { bigIntToBytes, bytesToBigInt } from "./bigint-math.js";
-import { CURVES, CURVE_ALIASES, mod, modInverse, pointAdd, scalarMul } from "./ecdh.js";
-import { Hash } from "./hash.js";
-import { Hmac } from "./hmac.js";
-
-//#region src/ecdsa.ts
-function getCurve(curveName) {
-	const alias = CURVE_ALIASES[curveName.toLowerCase()];
-	if (!alias) throw new Error(`Unsupported curve: ${curveName}`);
-	return CURVES[alias];
-}
-/** Truncate hash to curve order bit length (FIPS 186-4 Section 6.4) */
-function truncateHash(hash, curve) {
-	const orderBits = curve.n.toString(2).length;
-	let e = bytesToBigInt(hash);
-	const hashBits = hash.length * 8;
-	if (hashBits > orderBits) {
-		e >>= BigInt(hashBits - orderBits);
-	}
-	return e;
-}
-function hmacDigest(algo, key, data) {
-	const hmac = new Hmac(algo, key);
-	hmac.update(data);
-	return new Uint8Array(hmac.digest());
-}
-/**
-* Generate deterministic k per RFC 6979 Section 3.2.
-* Uses HMAC-DRBG seeded with private key and message hash.
-*/
-function rfc6979(hashAlgo, privKey, msgHash, curve) {
-	const qLen = curve.byteLength;
-	const hLen = msgHash.length;
-	let V = new Uint8Array(hLen).fill(1);
-	let K = new Uint8Array(hLen).fill(0);
-	const x = bigIntToBytes(privKey, qLen);
-	const z = bigIntToBytes(mod(truncateHash(msgHash, curve), curve.n), qLen);
-	const concat0 = new Uint8Array(hLen + 1 + qLen + qLen);
-	concat0.set(V, 0);
-	concat0[hLen] = 0;
-	concat0.set(x, hLen + 1);
-	concat0.set(z, hLen + 1 + qLen);
-	K = hmacDigest(hashAlgo, K, concat0);
-	V = hmacDigest(hashAlgo, K, V);
-	const concat1 = new Uint8Array(hLen + 1 + qLen + qLen);
-	concat1.set(V, 0);
-	concat1[hLen] = 1;
-	concat1.set(x, hLen + 1);
-	concat1.set(z, hLen + 1 + qLen);
-	K = hmacDigest(hashAlgo, K, concat1);
-	V = hmacDigest(hashAlgo, K, V);
-	for (let attempt = 0; attempt < 100; attempt++) {
-		let T = new Uint8Array(0);
-		while (T.length < qLen) {
-			V = hmacDigest(hashAlgo, K, V);
-			const newT = new Uint8Array(T.length + V.length);
-			newT.set(T, 0);
-			newT.set(V, T.length);
-			T = newT;
-		}
-		const k = truncateHash(T.slice(0, qLen), curve);
-		if (k >= 1n && k < curve.n) {
-			return k;
-		}
-		const retryConcat = new Uint8Array(hLen + 1);
-		retryConcat.set(V, 0);
-		retryConcat[hLen] = 0;
-		K = hmacDigest(hashAlgo, K, retryConcat);
-		V = hmacDigest(hashAlgo, K, V);
-	}
-	throw new Error("RFC 6979: failed to generate valid k after 100 attempts");
-}
-/**
-* ECDSA signature generation per FIPS 186-4 Section 6.4.
-*
-* @param hashAlgo Hash algorithm name (e.g. 'sha256')
-* @param privKeyBytes Private key as big-endian bytes
-* @param data Data to sign (will be hashed)
-* @param curveName Curve name (e.g. 'P-256')
-* @returns Signature as r || s concatenated (each curve.byteLength bytes)
-*/
-function ecdsaSign(hashAlgo, privKeyBytes, data, curveName) {
-	const curve = getCurve(curveName);
-	const G = {
-		x: curve.Gx,
-		y: curve.Gy
-	};
-	const d = bytesToBigInt(privKeyBytes);
-	const hash = new Hash(hashAlgo);
-	hash.update(data);
-	const msgHash = new Uint8Array(hash.digest());
-	const e = truncateHash(msgHash, curve);
-	const k = rfc6979(hashAlgo, d, msgHash, curve);
-	const R = scalarMul(k, G, curve);
-	if (R === null) throw new Error("ECDSA: k * G is point at infinity");
-	const r = mod(R.x, curve.n);
-	if (r === 0n) throw new Error("ECDSA: r is zero");
-	const kInv = modInverse(k, curve.n);
-	const s = mod(kInv * (e + r * d), curve.n);
-	if (s === 0n) throw new Error("ECDSA: s is zero");
-	const sigLen = curve.byteLength;
-	const sig = new Uint8Array(sigLen * 2);
-	sig.set(bigIntToBytes(r, sigLen), 0);
-	sig.set(bigIntToBytes(s, sigLen), sigLen);
-	return sig;
-}
-/**
-* ECDSA signature verification per FIPS 186-4 Section 6.4.
-*
-* @param hashAlgo Hash algorithm name (e.g. 'sha256')
-* @param pubKeyBytes Public key as uncompressed point (0x04 || x || y)
-* @param signature Signature as r || s concatenated
-* @param data Signed data (will be hashed)
-* @param curveName Curve name (e.g. 'P-256')
-* @returns true if signature is valid
-*/
-function ecdsaVerify(hashAlgo, pubKeyBytes, signature, data, curveName) {
-	const curve = getCurve(curveName);
-	const G = {
-		x: curve.Gx,
-		y: curve.Gy
-	};
-	const sigLen = curve.byteLength;
-	if (pubKeyBytes[0] !== 4 || pubKeyBytes.length !== 1 + sigLen * 2) {
-		return false;
-	}
-	const Qx = bytesToBigInt(pubKeyBytes.slice(1, 1 + sigLen));
-	const Qy = bytesToBigInt(pubKeyBytes.slice(1 + sigLen));
-	const Q = {
-		x: Qx,
-		y: Qy
-	};
-	if (signature.length !== sigLen * 2) return false;
-	const r = bytesToBigInt(signature.slice(0, sigLen));
-	const s = bytesToBigInt(signature.slice(sigLen));
-	if (r < 1n || r >= curve.n || s < 1n || s >= curve.n) return false;
-	const hash = new Hash(hashAlgo);
-	hash.update(data);
-	const msgHash = new Uint8Array(hash.digest());
-	const e = truncateHash(msgHash, curve);
-	const w = modInverse(s, curve.n);
-	const u1 = mod(e * w, curve.n);
-	const u2 = mod(r * w, curve.n);
-	const R1 = scalarMul(u1, G, curve);
-	const R2 = scalarMul(u2, Q, curve);
-	const R = pointAdd(R1, R2, curve);
-	if (R === null) return false;
-	return mod(R.x, curve.n) === r;
-}
-
-//#endregion
-export { ecdsaSign, ecdsaVerify };
+import{bigIntToBytes as e,bytesToBigInt as t}from"./bigint-math.js";import{CURVES as n,CURVE_ALIASES as r,mod as i,modInverse as a,pointAdd as o,scalarMul as s}from"./ecdh.js";import{Hash as c}from"./hash.js";import{Hmac as l}from"./hmac.js";function u(e){let t=r[e.toLowerCase()];if(!t)throw Error(`Unsupported curve: ${e}`);return n[t]}function d(e,n){let r=n.n.toString(2).length,i=t(e),a=e.length*8;return a>r&&(i>>=BigInt(a-r)),i}function f(e,t,n){let r=new l(e,t);return r.update(n),new Uint8Array(r.digest())}function p(t,n,r,a){let o=a.byteLength,s=r.length,c=new Uint8Array(s).fill(1),l=new Uint8Array(s).fill(0),u=e(n,o),p=e(i(d(r,a),a.n),o),m=new Uint8Array(s+1+o+o);m.set(c,0),m[s]=0,m.set(u,s+1),m.set(p,s+1+o),l=f(t,l,m),c=f(t,l,c);let h=new Uint8Array(s+1+o+o);h.set(c,0),h[s]=1,h.set(u,s+1),h.set(p,s+1+o),l=f(t,l,h),c=f(t,l,c);for(let e=0;e<100;e++){let e=new Uint8Array;for(;e.length<o;){c=f(t,l,c);let n=new Uint8Array(e.length+c.length);n.set(e,0),n.set(c,e.length),e=n}let n=d(e.slice(0,o),a);if(n>=1n&&n<a.n)return n;let r=new Uint8Array(s+1);r.set(c,0),r[s]=0,l=f(t,l,r),c=f(t,l,c)}throw Error(`RFC 6979: failed to generate valid k after 100 attempts`)}function m(n,r,o,l){let f=u(l),m={x:f.Gx,y:f.Gy},h=t(r),g=new c(n);g.update(o);let _=new Uint8Array(g.digest()),v=d(_,f),y=p(n,h,_,f),b=s(y,m,f);if(b===null)throw Error(`ECDSA: k * G is point at infinity`);let x=i(b.x,f.n);if(x===0n)throw Error(`ECDSA: r is zero`);let S=i(a(y,f.n)*(v+x*h),f.n);if(S===0n)throw Error(`ECDSA: s is zero`);let C=f.byteLength,w=new Uint8Array(C*2);return w.set(e(x,C),0),w.set(e(S,C),C),w}function h(e,n,r,l,f){let p=u(f),m={x:p.Gx,y:p.Gy},h=p.byteLength;if(n[0]!==4||n.length!==1+h*2)return!1;let g={x:t(n.slice(1,1+h)),y:t(n.slice(1+h))};if(r.length!==h*2)return!1;let _=t(r.slice(0,h)),v=t(r.slice(h));if(_<1n||_>=p.n||v<1n||v>=p.n)return!1;let y=new c(e);y.update(l);let b=d(new Uint8Array(y.digest()),p),x=a(v,p.n),S=i(b*x,p.n),C=i(_*x,p.n),w=o(s(S,m,p),s(C,g,p),p);return w===null?!1:i(w.x,p.n)===_}export{m as ecdsaSign,h as ecdsaVerify};