@haex-space/vault-sdk 2.3.10 → 2.3.12

package/dist/index.d.mts

@@ -190,6 +190,67 @@ declare function hexToBytes(hex: string): ArrayBuffer;
  */
 declare function verifyExtensionSignature(files: ZipFileEntry[], manifest: ExtensionManifest): Promise<VerifyResult>;
 
+/**
+ * Crypto utilities for Vault Key Management
+ * Implements PBKDF2 + AES-GCM encryption/decryption
+ *
+ * Used for:
+ * - Encrypting/decrypting vault names with server password
+ * - Encrypting/decrypting vault keys with vault password
+ * - Encrypting/decrypting CRDT data with vault key
+ */
+/**
+ * Derives a cryptographic key from a password using PBKDF2
+ */
+declare function deriveKeyFromPassword(password: string, salt: Uint8Array): Promise<CryptoKey>;
+/**
+ * Generates a random vault key (32 bytes)
+ */
+declare function generateVaultKey(): Uint8Array;
+/**
+ * Encrypts a string (like vault name) with a password-derived key
+ * Returns: { encryptedData, nonce } as Base64 strings
+ */
+declare function encryptString(data: string, derivedKey: CryptoKey): Promise<{
+    encryptedData: string;
+    nonce: string;
+}>;
+/**
+ * Decrypts a string (like vault name) with a password-derived key
+ */
+declare function decryptString(encryptedData: string, nonce: string, derivedKey: CryptoKey): Promise<string>;
+/**
+ * Encrypts the vault key with a password-derived key
+ * Returns: { encryptedVaultKey, salt, vaultKeyNonce } all as Base64 strings
+ */
+declare function encryptVaultKey(vaultKey: Uint8Array, password: string): Promise<{
+    encryptedVaultKey: string;
+    salt: string;
+    vaultKeyNonce: string;
+}>;
+/**
+ * Decrypts the vault key using the password
+ */
+declare function decryptVaultKey(encryptedVaultKey: string, salt: string, vaultKeyNonce: string, password: string): Promise<Uint8Array>;
+/**
+ * Decrypts a vault name using the server password
+ * Convenience function that combines key derivation and decryption
+ */
+declare function decryptVaultName(encryptedVaultName: string, vaultNameNonce: string, vaultNameSalt: string, password: string): Promise<string>;
+/**
+ * Encrypts CRDT log data with the vault key
+ */
+declare function encryptCrdtData(data: object, vaultKey: Uint8Array): Promise<{
+    encryptedData: string;
+    nonce: string;
+}>;
+/**
+ * Decrypts CRDT log data with the vault key
+ */
+declare function decryptCrdtData<T = object>(encryptedData: string, nonce: string, vaultKey: Uint8Array): Promise<T>;
+declare function arrayBufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
+declare function base64ToArrayBuffer(base64: string): Uint8Array;
+
 declare function createHaexVaultClient(config?: HaexHubConfig): HaexVaultClient;
 
-export { ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HAEXTENSION_METHODS, HaexHubConfig, HaexVaultClient, type HaexspaceMessageType, type HaextensionMethod, type VerifyResult, type ZipFileEntry, createHaexVaultClient, hexToBytes, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, sortObjectKeysRecursively, verifyExtensionSignature };
+export { ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HAEXTENSION_METHODS, HaexHubConfig, HaexVaultClient, type HaexspaceMessageType, type HaextensionMethod, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultClient, decryptCrdtData, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptString, encryptVaultKey, generateVaultKey, hexToBytes, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, sortObjectKeysRecursively, verifyExtensionSignature };

package/dist/index.d.ts

@@ -190,6 +190,67 @@ declare function hexToBytes(hex: string): ArrayBuffer;
  */
 declare function verifyExtensionSignature(files: ZipFileEntry[], manifest: ExtensionManifest): Promise<VerifyResult>;
 
+/**
+ * Crypto utilities for Vault Key Management
+ * Implements PBKDF2 + AES-GCM encryption/decryption
+ *
+ * Used for:
+ * - Encrypting/decrypting vault names with server password
+ * - Encrypting/decrypting vault keys with vault password
+ * - Encrypting/decrypting CRDT data with vault key
+ */
+/**
+ * Derives a cryptographic key from a password using PBKDF2
+ */
+declare function deriveKeyFromPassword(password: string, salt: Uint8Array): Promise<CryptoKey>;
+/**
+ * Generates a random vault key (32 bytes)
+ */
+declare function generateVaultKey(): Uint8Array;
+/**
+ * Encrypts a string (like vault name) with a password-derived key
+ * Returns: { encryptedData, nonce } as Base64 strings
+ */
+declare function encryptString(data: string, derivedKey: CryptoKey): Promise<{
+    encryptedData: string;
+    nonce: string;
+}>;
+/**
+ * Decrypts a string (like vault name) with a password-derived key
+ */
+declare function decryptString(encryptedData: string, nonce: string, derivedKey: CryptoKey): Promise<string>;
+/**
+ * Encrypts the vault key with a password-derived key
+ * Returns: { encryptedVaultKey, salt, vaultKeyNonce } all as Base64 strings
+ */
+declare function encryptVaultKey(vaultKey: Uint8Array, password: string): Promise<{
+    encryptedVaultKey: string;
+    salt: string;
+    vaultKeyNonce: string;
+}>;
+/**
+ * Decrypts the vault key using the password
+ */
+declare function decryptVaultKey(encryptedVaultKey: string, salt: string, vaultKeyNonce: string, password: string): Promise<Uint8Array>;
+/**
+ * Decrypts a vault name using the server password
+ * Convenience function that combines key derivation and decryption
+ */
+declare function decryptVaultName(encryptedVaultName: string, vaultNameNonce: string, vaultNameSalt: string, password: string): Promise<string>;
+/**
+ * Encrypts CRDT log data with the vault key
+ */
+declare function encryptCrdtData(data: object, vaultKey: Uint8Array): Promise<{
+    encryptedData: string;
+    nonce: string;
+}>;
+/**
+ * Decrypts CRDT log data with the vault key
+ */
+declare function decryptCrdtData<T = object>(encryptedData: string, nonce: string, vaultKey: Uint8Array): Promise<T>;
+declare function arrayBufferToBase64(buffer: ArrayBuffer | Uint8Array): string;
+declare function base64ToArrayBuffer(base64: string): Uint8Array;
+
 declare function createHaexVaultClient(config?: HaexHubConfig): HaexVaultClient;
 
-export { ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HAEXTENSION_METHODS, HaexHubConfig, HaexVaultClient, type HaexspaceMessageType, type HaextensionMethod, type VerifyResult, type ZipFileEntry, createHaexVaultClient, hexToBytes, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, sortObjectKeysRecursively, verifyExtensionSignature };
+export { ExtensionManifest, HAEXSPACE_MESSAGE_TYPES, HAEXTENSION_METHODS, HaexHubConfig, HaexVaultClient, type HaexspaceMessageType, type HaextensionMethod, type VerifyResult, type ZipFileEntry, arrayBufferToBase64, base64ToArrayBuffer, createHaexVaultClient, decryptCrdtData, decryptString, decryptVaultKey, decryptVaultName, deriveKeyFromPassword, encryptCrdtData, encryptString, encryptVaultKey, generateVaultKey, hexToBytes, installBaseTag, installCookiePolyfill, installHistoryPolyfill, installLocalStoragePolyfill, installPolyfills, installSessionStoragePolyfill, sortObjectKeysRecursively, verifyExtensionSignature };

package/dist/index.js

@@ -1618,6 +1618,188 @@ async function verifyExtensionSignature(files, manifest) {
   }
 }
 
+// src/crypto/vaultKey.ts
+var PBKDF2_ITERATIONS = 6e5;
+var KEY_LENGTH = 256;
+var ALGORITHM = "AES-GCM";
+async function deriveKeyFromPassword(password, salt) {
+  const encoder = new TextEncoder();
+  const passwordBuffer = encoder.encode(password);
+  const saltBuffer = new Uint8Array(salt);
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    passwordBuffer,
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return await crypto.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt: saltBuffer,
+      iterations: PBKDF2_ITERATIONS,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    { name: ALGORITHM, length: KEY_LENGTH },
+    false,
+    // not extractable
+    ["encrypt", "decrypt"]
+  );
+}
+function generateVaultKey() {
+  return crypto.getRandomValues(new Uint8Array(32));
+}
+async function encryptString(data, derivedKey) {
+  const nonce = crypto.getRandomValues(new Uint8Array(12));
+  const encoder = new TextEncoder();
+  const dataBuffer = encoder.encode(data);
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    {
+      name: ALGORITHM,
+      iv: nonce
+    },
+    derivedKey,
+    dataBuffer
+  );
+  return {
+    encryptedData: arrayBufferToBase64(encryptedBuffer),
+    nonce: arrayBufferToBase64(nonce)
+  };
+}
+async function decryptString(encryptedData, nonce, derivedKey) {
+  const encryptedBuffer = base64ToArrayBuffer(encryptedData);
+  const nonceBuffer = base64ToArrayBuffer(nonce);
+  const encryptedDataBuffer = new Uint8Array(encryptedBuffer);
+  const iv = new Uint8Array(nonceBuffer);
+  const decryptedBuffer = await crypto.subtle.decrypt(
+    {
+      name: ALGORITHM,
+      iv
+    },
+    derivedKey,
+    encryptedDataBuffer
+  );
+  const decoder = new TextDecoder();
+  return decoder.decode(decryptedBuffer);
+}
+async function encryptVaultKey(vaultKey, password) {
+  const salt = crypto.getRandomValues(new Uint8Array(32));
+  const derivedKey = await deriveKeyFromPassword(password, salt);
+  const nonce = crypto.getRandomValues(new Uint8Array(12));
+  const vaultKeyBuffer = new Uint8Array(vaultKey);
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    {
+      name: ALGORITHM,
+      iv: nonce
+    },
+    derivedKey,
+    vaultKeyBuffer
+  );
+  return {
+    encryptedVaultKey: arrayBufferToBase64(encryptedBuffer),
+    salt: arrayBufferToBase64(salt),
+    vaultKeyNonce: arrayBufferToBase64(nonce)
+  };
+}
+async function decryptVaultKey(encryptedVaultKey, salt, vaultKeyNonce, password) {
+  const encryptedBuffer = base64ToArrayBuffer(encryptedVaultKey);
+  const saltBuffer = base64ToArrayBuffer(salt);
+  const nonceBuffer = base64ToArrayBuffer(vaultKeyNonce);
+  const derivedKey = await deriveKeyFromPassword(password, saltBuffer);
+  const encryptedData = new Uint8Array(encryptedBuffer);
+  const iv = new Uint8Array(nonceBuffer);
+  const decryptedBuffer = await crypto.subtle.decrypt(
+    {
+      name: ALGORITHM,
+      iv
+    },
+    derivedKey,
+    encryptedData
+  );
+  return new Uint8Array(decryptedBuffer);
+}
+async function decryptVaultName(encryptedVaultName, vaultNameNonce, vaultNameSalt, password) {
+  const saltBuffer = base64ToArrayBuffer(vaultNameSalt);
+  const derivedKey = await deriveKeyFromPassword(password, saltBuffer);
+  return decryptString(encryptedVaultName, vaultNameNonce, derivedKey);
+}
+async function encryptCrdtData(data, vaultKey) {
+  const vaultKeyBuffer = new Uint8Array(vaultKey);
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    vaultKeyBuffer,
+    { name: ALGORITHM },
+    false,
+    ["encrypt"]
+  );
+  const nonce = crypto.getRandomValues(new Uint8Array(12));
+  const encoder = new TextEncoder();
+  const dataBuffer = encoder.encode(JSON.stringify(data));
+  const encryptedBuffer = await crypto.subtle.encrypt(
+    {
+      name: ALGORITHM,
+      iv: nonce
+    },
+    cryptoKey,
+    dataBuffer
+  );
+  return {
+    encryptedData: arrayBufferToBase64(encryptedBuffer),
+    nonce: arrayBufferToBase64(nonce)
+  };
+}
+async function decryptCrdtData(encryptedData, nonce, vaultKey) {
+  const vaultKeyBuffer = new Uint8Array(vaultKey);
+  const cryptoKey = await crypto.subtle.importKey(
+    "raw",
+    vaultKeyBuffer,
+    { name: ALGORITHM },
+    false,
+    ["decrypt"]
+  );
+  const encryptedBuffer = base64ToArrayBuffer(encryptedData);
+  const nonceBuffer = base64ToArrayBuffer(nonce);
+  const encryptedDataBuffer = new Uint8Array(encryptedBuffer);
+  const iv = new Uint8Array(nonceBuffer);
+  const decryptedBuffer = await crypto.subtle.decrypt(
+    {
+      name: ALGORITHM,
+      iv
+    },
+    cryptoKey,
+    encryptedDataBuffer
+  );
+  const decoder = new TextDecoder();
+  const jsonString = decoder.decode(decryptedBuffer);
+  return JSON.parse(jsonString);
+}
+function arrayBufferToBase64(buffer) {
+  const bytes = buffer instanceof Uint8Array ? buffer : new Uint8Array(buffer);
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(bytes).toString("base64");
+  }
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    const byte = bytes[i];
+    if (byte !== void 0) {
+      binary += String.fromCharCode(byte);
+    }
+  }
+  return btoa(binary);
+}
+function base64ToArrayBuffer(base64) {
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  }
+  const binary = atob(base64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+}
+
 // src/index.ts
 function createHaexVaultClient(config = {}) {
   return new HaexVaultClient(config);
@@ -1636,7 +1818,18 @@ exports.PermissionStatus = PermissionStatus;
 exports.PermissionsAPI = PermissionsAPI;
 exports.TABLE_SEPARATOR = TABLE_SEPARATOR;
 exports.WebAPI = WebAPI;
+exports.arrayBufferToBase64 = arrayBufferToBase64;
+exports.base64ToArrayBuffer = base64ToArrayBuffer;
 exports.createHaexVaultClient = createHaexVaultClient;
+exports.decryptCrdtData = decryptCrdtData;
+exports.decryptString = decryptString;
+exports.decryptVaultKey = decryptVaultKey;
+exports.decryptVaultName = decryptVaultName;
+exports.deriveKeyFromPassword = deriveKeyFromPassword;
+exports.encryptCrdtData = encryptCrdtData;
+exports.encryptString = encryptString;
+exports.encryptVaultKey = encryptVaultKey;
+exports.generateVaultKey = generateVaultKey;
 exports.getTableName = getTableName;
 exports.hexToBytes = hexToBytes;
 exports.installBaseTag = installBaseTag;