@h-ai/crypto 0.1.0-alpha5

package/dist/index.js

@@ -0,0 +1,820 @@
+import { core, ok, err } from '@h-ai/core';
+import smCrypto from 'sm-crypto';
+
+// src/crypto-main.ts
+
+// messages/en-US.json
+var en_US_default = {
+  $schema: "https://inlang.com/schema/inlang-message-format",
+  crypto_notInitialized: "Crypto module not initialized, call crypto.init() first",
+  crypto_initFailed: "Crypto module initialization failed: {error}",
+  crypto_sm2PublicKeyInvalid: "Invalid SM2 public key format",
+  crypto_sm2PrivateKeyInvalid: "Invalid SM2 private key format",
+  crypto_sm2EncryptEmpty: "SM2 encryption returned empty result",
+  crypto_sm2DecryptFailed: "SM2 decryption failed or returned invalid result",
+  crypto_sm2SignEmpty: "SM2 signature returned empty result",
+  crypto_sm2KeyPairGenerateFailed: "SM2 key pair generation failed: {error}",
+  crypto_sm2EncryptFailed: "SM2 encryption failed: {error}",
+  crypto_sm2DecryptFailedWithError: "SM2 decryption failed: {error}",
+  crypto_sm2SignFailed: "SM2 signing failed: {error}",
+  crypto_sm2VerifyFailed: "SM2 verification failed: {error}",
+  crypto_sm3HashEmpty: "SM3 hash returned empty result",
+  crypto_sm3HashFailed: "SM3 hash calculation failed: {error}",
+  crypto_sm3HmacFailed: "HMAC-SM3 calculation failed: {error}",
+  crypto_sm3VerifyFailed: "SM3 hash verification failed: {error}",
+  crypto_sm4KeyInvalid: "SM4 key must be 16 bytes (32 hex characters)",
+  crypto_sm4CbcNeedIv: "CBC mode requires IV",
+  crypto_sm4IvInvalid: "SM4 IV must be 16 bytes (32 hex characters)",
+  crypto_sm4EncryptEmpty: "SM4 encryption returned empty result",
+  crypto_sm4DecryptFailed: "SM4 decryption failed",
+  crypto_sm4EncryptFailed: "SM4 encryption failed: {error}",
+  crypto_sm4DecryptFailedWithError: "SM4 decryption failed: {error}",
+  crypto_passwordEmpty: "Password cannot be empty",
+  crypto_passwordHashEmpty: "Password and hash cannot be empty",
+  crypto_passwordHashFailed: "Password hashing failed",
+  crypto_hashFormatInvalid: "Invalid hash format",
+  crypto_passwordVerifyFailed: "Password verification failed"
+};
+
+// messages/zh-CN.json
+var zh_CN_default = {
+  $schema: "https://inlang.com/schema/inlang-message-format",
+  crypto_notInitialized: "\u52A0\u5BC6\u6A21\u5757\u5C1A\u672A\u521D\u59CB\u5316\uFF0C\u8BF7\u5148\u8C03\u7528 crypto.init()",
+  crypto_initFailed: "\u52A0\u5BC6\u6A21\u5757\u521D\u59CB\u5316\u5931\u8D25\uFF1A{error}",
+  crypto_sm2PublicKeyInvalid: "\u65E0\u6548\u7684 SM2 \u516C\u94A5\u683C\u5F0F",
+  crypto_sm2PrivateKeyInvalid: "\u65E0\u6548\u7684 SM2 \u79C1\u94A5\u683C\u5F0F",
+  crypto_sm2EncryptEmpty: "SM2 \u52A0\u5BC6\u8FD4\u56DE\u7A7A\u7ED3\u679C",
+  crypto_sm2DecryptFailed: "SM2 \u89E3\u5BC6\u5931\u8D25\u6216\u8FD4\u56DE\u65E0\u6548\u7ED3\u679C",
+  crypto_sm2SignEmpty: "SM2 \u7B7E\u540D\u8FD4\u56DE\u7A7A\u7ED3\u679C",
+  crypto_sm2KeyPairGenerateFailed: "SM2 \u5BC6\u94A5\u5BF9\u751F\u6210\u5931\u8D25: {error}",
+  crypto_sm2EncryptFailed: "SM2 \u52A0\u5BC6\u5931\u8D25: {error}",
+  crypto_sm2DecryptFailedWithError: "SM2 \u89E3\u5BC6\u5931\u8D25: {error}",
+  crypto_sm2SignFailed: "SM2 \u7B7E\u540D\u5931\u8D25: {error}",
+  crypto_sm2VerifyFailed: "SM2 \u9A8C\u7B7E\u5931\u8D25: {error}",
+  crypto_sm3HashEmpty: "SM3 \u54C8\u5E0C\u8FD4\u56DE\u7A7A\u7ED3\u679C",
+  crypto_sm3HashFailed: "SM3 \u54C8\u5E0C\u8BA1\u7B97\u5931\u8D25: {error}",
+  crypto_sm3HmacFailed: "HMAC-SM3 \u8BA1\u7B97\u5931\u8D25: {error}",
+  crypto_sm3VerifyFailed: "SM3 \u54C8\u5E0C\u9A8C\u8BC1\u5931\u8D25: {error}",
+  crypto_sm4KeyInvalid: "SM4 \u5BC6\u94A5\u5FC5\u987B\u4E3A 16 \u5B57\u8282\uFF0832 \u4E2A\u5341\u516D\u8FDB\u5236\u5B57\u7B26\uFF09",
+  crypto_sm4CbcNeedIv: "CBC \u6A21\u5F0F\u5FC5\u987B\u63D0\u4F9B IV",
+  crypto_sm4IvInvalid: "SM4 IV \u5FC5\u987B\u4E3A 16 \u5B57\u8282\uFF0832 \u4E2A\u5341\u516D\u8FDB\u5236\u5B57\u7B26\uFF09",
+  crypto_sm4EncryptEmpty: "SM4 \u52A0\u5BC6\u8FD4\u56DE\u7A7A\u7ED3\u679C",
+  crypto_sm4DecryptFailed: "SM4 \u89E3\u5BC6\u5931\u8D25",
+  crypto_sm4EncryptFailed: "SM4 \u52A0\u5BC6\u5931\u8D25: {error}",
+  crypto_sm4DecryptFailedWithError: "SM4 \u89E3\u5BC6\u5931\u8D25: {error}",
+  crypto_passwordEmpty: "\u5BC6\u7801\u4E0D\u80FD\u4E3A\u7A7A",
+  crypto_passwordHashEmpty: "\u5BC6\u7801\u548C\u54C8\u5E0C\u503C\u4E0D\u80FD\u4E3A\u7A7A",
+  crypto_passwordHashFailed: "\u5BC6\u7801\u54C8\u5E0C\u5931\u8D25",
+  crypto_hashFormatInvalid: "\u65E0\u6548\u7684\u54C8\u5E0C\u683C\u5F0F",
+  crypto_passwordVerifyFailed: "\u5BC6\u7801\u9A8C\u8BC1\u5931\u8D25"
+};
+
+// src/crypto-i18n.ts
+var cryptoM = core.i18n.createMessageGetter({
+  "zh-CN": zh_CN_default,
+  "en-US": en_US_default
+});
+var CryptoErrorInfo = {
+  INVALID_INPUT: "002:400",
+  INVALID_KEY: "003:400",
+  NOT_INITIALIZED: "010:500",
+  INIT_FAILED: "011:500",
+  KEY_GENERATION_FAILED: "020:500",
+  ENCRYPTION_FAILED: "021:500",
+  DECRYPTION_FAILED: "022:500",
+  SIGN_FAILED: "023:500",
+  VERIFY_FAILED: "024:500",
+  HASH_FAILED: "040:500",
+  HMAC_FAILED: "041:500",
+  INVALID_IV: "060:400"
+};
+var HaiCryptoError = core.error.buildHaiErrorsDef("crypto", CryptoErrorInfo);
+
+// src/crypto-password.ts
+function generateSalt(length) {
+  const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+  const randomBytes = new Uint8Array(length);
+  globalThis.crypto.getRandomValues(randomBytes);
+  let salt = "";
+  for (let i = 0; i < length; i++) {
+    salt += chars.charAt(randomBytes[i] % chars.length);
+  }
+  return salt;
+}
+function iterateHash(hash, data, salt, iterations) {
+  let current = salt + data;
+  for (let i = 0; i < iterations; i++) {
+    const result = hash.hash(current);
+    if (!result.success) {
+      return result;
+    }
+    current = result.data;
+  }
+  return ok(current);
+}
+function createPasswordFunctions(deps) {
+  const { hash: hashOps } = deps;
+  return {
+    /**
+     * 对密码进行迭代加盐哈希
+     *
+     * 输出格式: `$hai$<iterations>$<salt>$<hash>`
+     *
+     * @param password - 明文密码（不能为空）
+     * @param config - 可选配置（盐值长度、迭代次数）
+     * @returns 成功时返回格式化的哈希字符串；失败时返回 INVALID_INPUT 或 HASH_FAILED
+     */
+    hash(password, config = {}) {
+      const { saltLength = 16, iterations = 1e4 } = config;
+      try {
+        if (!password) {
+          return err(
+            HaiCryptoError.INVALID_INPUT,
+            cryptoM("crypto_passwordEmpty")
+          );
+        }
+        const salt = generateSalt(saltLength);
+        const hashResult = iterateHash(hashOps, password, salt, iterations);
+        if (!hashResult.success) {
+          return hashResult;
+        }
+        const formatted = `$hai$${iterations}$${salt}$${hashResult.data}`;
+        return ok(formatted);
+      } catch (error) {
+        return err(
+          HaiCryptoError.HASH_FAILED,
+          cryptoM("crypto_passwordHashFailed"),
+          error
+        );
+      }
+    },
+    /**
+     * 验证密码是否匹配已存储的哈希
+     *
+     * 从哈希字符串中解析迭代次数和盐值，重新计算后比较。
+     * 格式要求: `$hai$<iterations>$<salt>$<hash>`
+     *
+     * @param password - 待验证的明文密码
+     * @param hash - 存储的哈希值
+     * @returns 成功时返回 boolean；失败时返回 INVALID_INPUT 或 VERIFY_FAILED
+     */
+    verify(password, hash) {
+      try {
+        if (!password || !hash) {
+          return err(
+            HaiCryptoError.INVALID_INPUT,
+            cryptoM("crypto_passwordHashEmpty")
+          );
+        }
+        const parts = hash.split("$");
+        if (parts.length !== 5 || parts[1] !== "hai") {
+          return err(
+            HaiCryptoError.INVALID_INPUT,
+            cryptoM("crypto_hashFormatInvalid")
+          );
+        }
+        const storedIterations = Number.parseInt(parts[2], 10);
+        const salt = parts[3];
+        const storedHash = parts[4];
+        if (Number.isNaN(storedIterations) || !salt || !storedHash) {
+          return err(
+            HaiCryptoError.INVALID_INPUT,
+            cryptoM("crypto_hashFormatInvalid")
+          );
+        }
+        const hashResult = iterateHash(hashOps, password, salt, storedIterations);
+        if (!hashResult.success) {
+          return hashResult;
+        }
+        return ok(core.string.constantTimeEqual(hashResult.data, storedHash));
+      } catch (error) {
+        return err(
+          HaiCryptoError.VERIFY_FAILED,
+          cryptoM("crypto_passwordVerifyFailed"),
+          error
+        );
+      }
+    }
+  };
+}
+
+// src/crypto-utils.ts
+function isBase64(str) {
+  return str.includes("+") || str.includes("/") || str.endsWith("=");
+}
+function hexToBase64(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = Number.parseInt(hex.slice(i, i + 2), 16);
+  }
+  return btoa(String.fromCharCode(...bytes));
+}
+function base64ToHex(base64) {
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/crypto-sm2.ts
+var { sm2 } = smCrypto;
+function createSM2() {
+  return {
+    /**
+     * 生成 SM2 密钥对
+     *
+     * @returns 成功时返回包含公钥（130 字符含 04 前缀）和私钥（64 字符）的密钥对
+     */
+    generateKeyPair() {
+      try {
+        const keyPair = sm2.generateKeyPairHex();
+        return ok({
+          publicKey: keyPair.publicKey,
+          privateKey: keyPair.privateKey
+        });
+      } catch (error) {
+        return err(
+          HaiCryptoError.KEY_GENERATION_FAILED,
+          cryptoM("crypto_sm2KeyPairGenerateFailed", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    },
+    /**
+     * SM2 非对称加密
+     *
+     * 公钥自动补齐 04 前缀；支持 hex/base64 输出。
+     *
+     * @param data - 待加密明文
+     * @param publicKey - 公钥（支持带/不带 04 前缀）
+     * @param options - 加密选项（密文模式、输出格式）
+     * @returns 成功时返回密文；失败时返回 INVALID_KEY 或 ENCRYPTION_FAILED
+     */
+    encrypt(data, publicKey, options = {}) {
+      const { cipherMode = 1, outputFormat = "hex" } = options;
+      if (!this.isValidPublicKey(publicKey)) {
+        return err(
+          HaiCryptoError.INVALID_KEY,
+          cryptoM("crypto_sm2PublicKeyInvalid")
+        );
+      }
+      try {
+        const key = publicKey.startsWith("04") ? publicKey : `04${publicKey}`;
+        const encrypted = sm2.doEncrypt(data, key, cipherMode);
+        if (!encrypted) {
+          return err(
+            HaiCryptoError.ENCRYPTION_FAILED,
+            cryptoM("crypto_sm2EncryptEmpty")
+          );
+        }
+        if (outputFormat === "base64") {
+          return ok(hexToBase64(encrypted));
+        }
+        return ok(encrypted);
+      } catch (error) {
+        return err(
+          HaiCryptoError.ENCRYPTION_FAILED,
+          cryptoM("crypto_sm2EncryptFailed", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    },
+    /**
+     * SM2 非对称解密
+     *
+     * 自动检测 base64 格式输入并转换为 hex 后解密。
+     *
+     * @param ciphertext - 密文（hex 或 base64）
+     * @param privateKey - 私钥（64 字符十六进制）
+     * @param options - 解密选项（密文模式需与加密时一致）
+     * @returns 成功时返回明文；失败时返回 INVALID_KEY 或 DECRYPTION_FAILED
+     */
+    decrypt(ciphertext, privateKey, options = {}) {
+      const { cipherMode = 1 } = options;
+      if (!this.isValidPrivateKey(privateKey)) {
+        return err(
+          HaiCryptoError.INVALID_KEY,
+          cryptoM("crypto_sm2PrivateKeyInvalid")
+        );
+      }
+      try {
+        let input = ciphertext;
+        if (isBase64(ciphertext)) {
+          input = base64ToHex(ciphertext);
+        }
+        const decrypted = sm2.doDecrypt(input, privateKey, cipherMode);
+        if (decrypted === false || decrypted === null || decrypted === void 0) {
+          return err(
+            HaiCryptoError.DECRYPTION_FAILED,
+            cryptoM("crypto_sm2DecryptFailed")
+          );
+        }
+        return ok(decrypted);
+      } catch (error) {
+        return err(
+          HaiCryptoError.DECRYPTION_FAILED,
+          cryptoM("crypto_sm2DecryptFailedWithError", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    },
+    /**
+     * SM2 数字签名
+     *
+     * 默认对数据先做哈希（hash=true），使用 userId 作为签名附加参数。
+     *
+     * @param data - 待签名数据
+     * @param privateKey - 私钥（64 字符十六进制）
+     * @param options - 签名选项（hash 开关、userId）
+     * @returns 成功时返回签名字符串；失败时返回 INVALID_KEY 或 SIGN_FAILED
+     */
+    sign(data, privateKey, options = {}) {
+      const { hash = true, userId = "1234567812345678" } = options;
+      if (!this.isValidPrivateKey(privateKey)) {
+        return err(
+          HaiCryptoError.INVALID_KEY,
+          cryptoM("crypto_sm2PrivateKeyInvalid")
+        );
+      }
+      try {
+        const signature = sm2.doSignature(data, privateKey, { hash, userId });
+        if (!signature) {
+          return err(
+            HaiCryptoError.SIGN_FAILED,
+            cryptoM("crypto_sm2SignEmpty")
+          );
+        }
+        return ok(signature);
+      } catch (error) {
+        return err(
+          HaiCryptoError.SIGN_FAILED,
+          cryptoM("crypto_sm2SignFailed", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    },
+    /**
+     * SM2 签名验证
+     *
+     * 公钥自动补齐 04 前缀；hash/userId 需与签名时一致。
+     *
+     * @param data - 原始数据
+     * @param signature - 签名值
+     * @param publicKey - 公钥（支持带/不带 04 前缀）
+     * @param options - 验签选项（hash 开关、userId）
+     * @returns 成功时返回 boolean；失败时返回 INVALID_KEY 或 VERIFY_FAILED
+     */
+    verify(data, signature, publicKey, options = {}) {
+      const { hash = true, userId = "1234567812345678" } = options;
+      if (!this.isValidPublicKey(publicKey)) {
+        return err(
+          HaiCryptoError.INVALID_KEY,
+          cryptoM("crypto_sm2PublicKeyInvalid")
+        );
+      }
+      try {
+        const key = publicKey.startsWith("04") ? publicKey : `04${publicKey}`;
+        const isValid = sm2.doVerifySignature(data, signature, key, { hash, userId });
+        return ok(!!isValid);
+      } catch (error) {
+        return err(
+          HaiCryptoError.VERIFY_FAILED,
+          cryptoM("crypto_sm2VerifyFailed", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    },
+    /**
+     * 校验公钥格式是否合法
+     *
+     * 合法格式：128 字符十六进制（无前缀）或 130 字符（含 04 前缀）。
+     *
+     * @param key - 待校验公钥
+     * @returns 格式合法返回 true
+     */
+    isValidPublicKey(key) {
+      if (!key || typeof key !== "string")
+        return false;
+      const cleanKey = key.startsWith("04") ? key.slice(2) : key;
+      return /^[0-9a-f]{128}$/i.test(cleanKey);
+    },
+    /**
+     * 校验私钥格式是否合法
+     *
+     * 合法格式：64 字符十六进制。
+     *
+     * @param key - 待校验私钥
+     * @returns 格式合法返回 true
+     */
+    isValidPrivateKey(key) {
+      if (!key || typeof key !== "string")
+        return false;
+      return /^[0-9a-f]{64}$/i.test(key);
+    }
+  };
+}
+var { sm3 } = smCrypto;
+function createSM3() {
+  return {
+    /**
+     * 计算 SM3 哈希
+     *
+     * 支持字符串（UTF-8/Hex）和 Uint8Array 输入。
+     *
+     * @param data - 待哈希数据
+     * @param options - 输入编码与输出格式
+     * @returns 成功时返回 64 字符十六进制哈希值；失败时返回 HASH_FAILED
+     */
+    hash(data, options = {}) {
+      const { inputEncoding = "utf8" } = options;
+      try {
+        let input;
+        if (data instanceof Uint8Array) {
+          input = Array.from(data);
+        } else if (inputEncoding === "hex") {
+          input = hexToBytes(data);
+        } else {
+          input = data;
+        }
+        const result = sm3(input);
+        if (!result) {
+          return err(
+            HaiCryptoError.HASH_FAILED,
+            cryptoM("crypto_sm3HashEmpty")
+          );
+        }
+        return ok(result);
+      } catch (error) {
+        return err(
+          HaiCryptoError.HASH_FAILED,
+          cryptoM("crypto_sm3HashFailed", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    },
+    /**
+     * 计算 HMAC-SM3 消息认证码
+     *
+     * 实现遵循 RFC 2104；密钥超过块大小（64 字节）时先对密钥做哈希。
+     *
+     * @param data - 待计算数据
+     * @param key - HMAC 密钥
+     * @returns 成功时返回 64 字符十六进制 HMAC 值；失败时返回 HMAC_FAILED
+     */
+    hmac(data, key) {
+      try {
+        const blockSize = 64;
+        const opad = 92;
+        const ipad = 54;
+        let keyBytes;
+        if (key.length > blockSize) {
+          const hashedKey = sm3(key);
+          keyBytes = hexToBytes(hashedKey);
+        } else {
+          keyBytes = stringToBytes(key);
+        }
+        while (keyBytes.length < blockSize) {
+          keyBytes.push(0);
+        }
+        const iKeyPad = keyBytes.map((b) => b ^ ipad);
+        const oKeyPad = keyBytes.map((b) => b ^ opad);
+        const innerInput = iKeyPad.concat(stringToBytes(data));
+        const innerHash = sm3(innerInput);
+        const outerInput = oKeyPad.concat(hexToBytes(innerHash));
+        const result = sm3(outerInput);
+        return ok(result);
+      } catch (error) {
+        return err(
+          HaiCryptoError.HMAC_FAILED,
+          cryptoM("crypto_sm3HmacFailed", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    },
+    /**
+     * 验证数据的哈希是否匹配
+     *
+     * 对数据做 SM3 哈希后与期望值比较（忽略大小写）。
+     *
+     * @param data - 原始数据
+     * @param expectedHash - 期望的哈希值
+     * @returns 成功时返回 boolean；失败时返回 HASH_FAILED
+     */
+    verify(data, expectedHash) {
+      try {
+        const hashResult = sm3(data);
+        return ok(core.string.constantTimeEqual(hashResult.toLowerCase(), expectedHash.toLowerCase()));
+      } catch (error) {
+        return err(
+          HaiCryptoError.HASH_FAILED,
+          cryptoM("crypto_sm3VerifyFailed", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    }
+  };
+}
+function hexToBytes(hex) {
+  const bytes = [];
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes.push(Number.parseInt(hex.slice(i, i + 2), 16));
+  }
+  return bytes;
+}
+function stringToBytes(str) {
+  const encoder = new TextEncoder();
+  return Array.from(encoder.encode(str));
+}
+var { sm3: sm32, sm4 } = smCrypto;
+function createSM4() {
+  return {
+    /** 生成随机密钥（16 字节 = 32 个十六进制字符） */
+    generateKey() {
+      return generateRandomHex(16);
+    },
+    /** 生成随机 IV（16 字节 = 32 个十六进制字符） */
+    generateIV() {
+      return generateRandomHex(16);
+    },
+    /**
+     * SM4 对称加密
+     *
+     * 支持 ECB（默认）和 CBC 两种模式，使用 PKCS#7 填充。
+     * CBC 模式需提供合法 IV。
+     *
+     * @param data - 待加密明文
+     * @param key - 密钥（32 字符十六进制）
+     * @param options - 加密模式/IV/输出格式
+     * @returns 成功时返回密文；失败时返回 INVALID_KEY/INVALID_IV/ENCRYPTION_FAILED
+     */
+    encrypt(data, key, options = {}) {
+      const {
+        mode = "ecb",
+        iv,
+        outputFormat = "hex"
+      } = options;
+      if (!this.isValidKey(key)) {
+        return err(
+          HaiCryptoError.INVALID_KEY,
+          cryptoM("crypto_sm4KeyInvalid")
+        );
+      }
+      if (mode === "cbc" && !iv) {
+        return err(
+          HaiCryptoError.INVALID_IV,
+          cryptoM("crypto_sm4CbcNeedIv")
+        );
+      }
+      if (mode === "cbc" && iv && !this.isValidIV(iv)) {
+        return err(
+          HaiCryptoError.INVALID_IV,
+          cryptoM("crypto_sm4IvInvalid")
+        );
+      }
+      try {
+        const sm4Options = {
+          mode,
+          padding: "pkcs#7"
+        };
+        if (mode === "cbc" && iv) {
+          sm4Options.iv = iv;
+        }
+        const encrypted = sm4.encrypt(data, key, sm4Options);
+        if (!encrypted) {
+          return err(
+            HaiCryptoError.ENCRYPTION_FAILED,
+            cryptoM("crypto_sm4EncryptEmpty")
+          );
+        }
+        if (outputFormat === "base64") {
+          return ok(hexToBase64(encrypted));
+        }
+        return ok(encrypted);
+      } catch (error) {
+        return err(
+          HaiCryptoError.ENCRYPTION_FAILED,
+          cryptoM("crypto_sm4EncryptFailed", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    },
+    /**
+     * SM4 对称解密
+     *
+     * 自动检测 base64 格式输入并转换为 hex。
+     * 解密模式和 IV 需与加密时一致。
+     *
+     * @param ciphertext - 密文（hex 或 base64）
+     * @param key - 密钥（32 字符十六进制）
+     * @param options - 解密模式/IV
+     * @returns 成功时返回明文；失败时返回 INVALID_KEY/INVALID_IV/DECRYPTION_FAILED
+     */
+    decrypt(ciphertext, key, options = {}) {
+      const { mode = "ecb", iv } = options;
+      if (!this.isValidKey(key)) {
+        return err(
+          HaiCryptoError.INVALID_KEY,
+          cryptoM("crypto_sm4KeyInvalid")
+        );
+      }
+      if (mode === "cbc" && !iv) {
+        return err(
+          HaiCryptoError.INVALID_IV,
+          cryptoM("crypto_sm4CbcNeedIv")
+        );
+      }
+      try {
+        let input = ciphertext;
+        if (isBase64(ciphertext)) {
+          input = base64ToHex(ciphertext);
+        }
+        const sm4Options = {
+          mode,
+          padding: "pkcs#7"
+        };
+        if (mode === "cbc" && iv) {
+          sm4Options.iv = iv;
+        }
+        const decrypted = sm4.decrypt(input, key, sm4Options);
+        if (decrypted === false || decrypted === null || decrypted === void 0) {
+          return err(
+            HaiCryptoError.DECRYPTION_FAILED,
+            cryptoM("crypto_sm4DecryptFailed")
+          );
+        }
+        return ok(decrypted);
+      } catch (error) {
+        return err(
+          HaiCryptoError.DECRYPTION_FAILED,
+          cryptoM("crypto_sm4DecryptFailedWithError", { params: { error: error instanceof Error ? error.message : String(error) } }),
+          error
+        );
+      }
+    },
+    /**
+     * 带 IV 加密（CBC 模式，自动生成随机 IV）
+     *
+     * @param data - 待加密明文
+     * @param key - 密钥（32 字符十六进制）
+     * @returns 成功时返回 { ciphertext, iv }；失败时同 encrypt
+     */
+    encryptWithIV(data, key) {
+      const iv = this.generateIV();
+      const result = this.encrypt(data, key, { mode: "cbc", iv });
+      if (!result.success) {
+        return result;
+      }
+      return ok({ ciphertext: result.data, iv });
+    },
+    /**
+     * 带 IV 解密（CBC 模式）
+     *
+     * @param ciphertext - 密文
+     * @param key - 密钥
+     * @param iv - 加密时使用的 IV
+     * @returns 成功时返回明文；失败时同 decrypt
+     */
+    decryptWithIV(ciphertext, key, iv) {
+      return this.decrypt(ciphertext, key, { mode: "cbc", iv });
+    },
+    /**
+     * 从密码和盐值派生密钥
+     *
+     * 内部使用 SM3 哈希(password + salt) 取前 32 字符作为密钥。
+     * 注意：此为简单派生，不适用于高安全场景。
+     *
+     * @param password - 密码
+     * @param salt - 盐值
+     * @returns 32 字符十六进制密钥
+     */
+    deriveKey(password, salt) {
+      const combined = password + salt;
+      const hash = sm32(combined);
+      return hash.slice(0, 32);
+    },
+    /** 校验密钥格式是否合法（32 字符十六进制） */
+    isValidKey(key) {
+      return /^[0-9a-f]{32}$/i.test(key);
+    },
+    /** 校验 IV 格式是否合法（32 字符十六进制） */
+    isValidIV(iv) {
+      return /^[0-9a-f]{32}$/i.test(iv);
+    }
+  };
+}
+function generateRandomHex(byteLength) {
+  const bytes = new Uint8Array(byteLength);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+
+// src/crypto-main.ts
+var logger = core.logger.child({ module: "crypto", scope: "main" });
+var initialized = false;
+var initInProgress = false;
+var currentAsymmetric = null;
+var currentHash = null;
+var currentSymmetric = null;
+var currentPassword = null;
+var notInitialized = core.module.createNotInitializedKit(
+  HaiCryptoError.NOT_INITIALIZED,
+  () => cryptoM("crypto_notInitialized")
+);
+var notInitializedAsymmetric = notInitialized.proxy("sync");
+var notInitializedHash = notInitialized.proxy("sync");
+var notInitializedSymmetric = notInitialized.proxy("sync");
+var notInitializedPassword = notInitialized.proxy("sync");
+var crypto2 = {
+  /**
+   * 初始化加密模块
+   *
+   * 创建非对称/哈希/对称/密码哈希操作实例。
+   * 重复调用会先关闭再重新初始化。
+   *
+   * @returns 成功时返回 ok(undefined)；失败时返回 INIT_FAILED
+   */
+  async init() {
+    if (initInProgress) {
+      logger.warn("Crypto init already in progress, skipping concurrent call");
+      return err(
+        HaiCryptoError.INIT_FAILED,
+        cryptoM("crypto_initFailed", { params: { error: "Concurrent initialization detected" } })
+      );
+    }
+    initInProgress = true;
+    try {
+      if (initialized) {
+        logger.warn("Crypto module is already initialized, reinitializing");
+        await crypto2.close();
+      }
+      logger.info("Initializing crypto module");
+      currentAsymmetric = createSM2();
+      currentHash = createSM3();
+      currentSymmetric = createSM4();
+      currentPassword = createPasswordFunctions({ hash: currentHash });
+      initialized = true;
+      logger.info("Crypto module initialized");
+      return ok(void 0);
+    } catch (error) {
+      currentAsymmetric = null;
+      currentHash = null;
+      currentSymmetric = null;
+      currentPassword = null;
+      initialized = false;
+      logger.error("Crypto module initialization failed", { error });
+      return err(
+        HaiCryptoError.INIT_FAILED,
+        cryptoM("crypto_initFailed", {
+          params: { error: error instanceof Error ? error.message : String(error) }
+        }),
+        error
+      );
+    } finally {
+      initInProgress = false;
+    }
+  },
+  /** 非对称加密操作（未初始化时所有方法返回 NOT_INITIALIZED） */
+  get asymmetric() {
+    return currentAsymmetric ?? notInitializedAsymmetric;
+  },
+  /** 哈希操作（未初始化时所有方法返回 NOT_INITIALIZED） */
+  get hash() {
+    return currentHash ?? notInitializedHash;
+  },
+  /** 对称加密操作（未初始化时所有方法返回 NOT_INITIALIZED） */
+  get symmetric() {
+    return currentSymmetric ?? notInitializedSymmetric;
+  },
+  /** 密码哈希操作（未初始化时所有方法返回 NOT_INITIALIZED） */
+  get password() {
+    return currentPassword ?? notInitializedPassword;
+  },
+  /** 是否已初始化 */
+  get isInitialized() {
+    return initialized;
+  },
+  /**
+   * 关闭加密模块，释放内部状态
+   *
+   * 关闭后访问 asymmetric/hash/symmetric/password 会返回 NOT_INITIALIZED 错误。
+   */
+  async close() {
+    if (!initialized) {
+      logger.info("Crypto module already closed, skipping");
+      return;
+    }
+    logger.info("Closing crypto module");
+    currentAsymmetric = null;
+    currentHash = null;
+    currentSymmetric = null;
+    currentPassword = null;
+    initialized = false;
+    logger.info("Crypto module closed");
+  }
+};
+
+export { HaiCryptoError, crypto2 as crypto };
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map