@haneullabs/seal 0.1.0

package/dist/esm/error.d.ts

@@ -0,0 +1,86 @@
+export declare class SealError extends Error {
+}
+export declare class UserError extends SealError {
+}
+export declare class SealAPIError extends SealError {
+    #private;
+    requestId?: string | undefined;
+    status?: number | undefined;
+    constructor(message: string, requestId?: string | undefined, status?: number | undefined);
+    static assertResponse(response: Response, requestId: string): Promise<void>;
+}
+export declare class InvalidPTBError extends SealAPIError {
+    constructor(requestId?: string, message?: string);
+}
+export declare class InvalidPackageError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidParameterError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidUserSignatureError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidSessionKeySignatureError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidMVRNameError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the requested key server object id is invalid */
+export declare class InvalidKeyServerObjectIdError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the requested package id is not supported (i.e., key server is running in Permissioned mode) */
+export declare class UnsupportedPackageIdError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidSDKVersionError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidSDKTypeError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class DeprecatedSDKVersionError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the user does not have access to one or more of the requested keys */
+export declare class NoAccessError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the session key has expired */
+export declare class ExpiredSessionKeyError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Internal server error, caller should retry */
+export declare class InternalError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** General server errors that are not specific to the Seal API (e.g., 404 "Not Found") */
+export declare class GeneralError extends SealAPIError {
+}
+export declare class InvalidPersonalMessageSignatureError extends UserError {
+}
+export declare class InvalidGetObjectError extends UserError {
+}
+export declare class UnsupportedFeatureError extends UserError {
+}
+export declare class UnsupportedNetworkError extends UserError {
+}
+export declare class InvalidKeyServerError extends UserError {
+}
+export declare class InvalidKeyServerVersionError extends UserError {
+}
+export declare class InvalidCiphertextError extends UserError {
+}
+export declare class InvalidThresholdError extends UserError {
+}
+export declare class InconsistentKeyServersError extends UserError {
+}
+export declare class DecryptionError extends UserError {
+}
+export declare class InvalidClientOptionsError extends UserError {
+}
+export declare class TooManyFailedFetchKeyRequestsError extends UserError {
+}
+export declare function toMajorityError(errors: Error[]): Error;

package/dist/esm/error.js

@@ -0,0 +1,219 @@
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method);
+var _SealAPIError_static, generate_fn;
+class SealError extends Error {
+}
+class UserError extends SealError {
+}
+const _SealAPIError = class _SealAPIError extends SealError {
+  constructor(message, requestId, status) {
+    super(message);
+    this.requestId = requestId;
+    this.status = status;
+  }
+  static async assertResponse(response, requestId) {
+    var _a;
+    if (response.ok) {
+      return;
+    }
+    let errorInstance;
+    try {
+      const text = await response.text();
+      const error = JSON.parse(text)["error"];
+      const message = JSON.parse(text)["message"];
+      errorInstance = __privateMethod(_a = _SealAPIError, _SealAPIError_static, generate_fn).call(_a, error, message, requestId);
+    } catch {
+      errorInstance = new GeneralError(response.statusText, requestId, response.status);
+    }
+    throw errorInstance;
+  }
+};
+_SealAPIError_static = new WeakSet();
+generate_fn = function(error, message, requestId, status) {
+  switch (error) {
+    case "InvalidPTB":
+      return new InvalidPTBError(requestId, message);
+    case "InvalidPackage":
+      return new InvalidPackageError(requestId);
+    case "NoAccess":
+      return new NoAccessError(requestId);
+    case "InvalidSignature":
+      return new InvalidUserSignatureError(requestId);
+    case "InvalidSessionSignature":
+      return new InvalidSessionKeySignatureError(requestId);
+    case "InvalidCertificate":
+      return new ExpiredSessionKeyError(requestId);
+    case "InvalidSDKVersion":
+      return new InvalidSDKVersionError(requestId);
+    case "InvalidSDKType":
+      return new InvalidSDKTypeError(requestId);
+    case "DeprecatedSDKVersion":
+      return new DeprecatedSDKVersionError(requestId);
+    case "InvalidParameter":
+      return new InvalidParameterError(requestId);
+    case "InvalidMVRName":
+      return new InvalidMVRNameError(requestId);
+    case "InvalidServiceId":
+      return new InvalidKeyServerObjectIdError(requestId);
+    case "UnsupportedPackageId":
+      return new UnsupportedPackageIdError(requestId);
+    case "Failure":
+      return new InternalError(requestId);
+    default:
+      return new GeneralError(message, requestId, status);
+  }
+};
+__privateAdd(_SealAPIError, _SealAPIError_static);
+let SealAPIError = _SealAPIError;
+class InvalidPTBError extends SealAPIError {
+  constructor(requestId, message) {
+    super("PTB does not conform to the expected format " + message, requestId);
+  }
+}
+class InvalidPackageError extends SealAPIError {
+  constructor(requestId) {
+    super("Package ID used in PTB is invalid", requestId);
+  }
+}
+class InvalidParameterError extends SealAPIError {
+  constructor(requestId) {
+    super(
+      "PTB contains an invalid parameter, possibly a newly created object that the FN has not yet seen",
+      requestId
+    );
+  }
+}
+class InvalidUserSignatureError extends SealAPIError {
+  constructor(requestId) {
+    super("User signature on the session key is invalid", requestId);
+  }
+}
+class InvalidSessionKeySignatureError extends SealAPIError {
+  constructor(requestId) {
+    super("Session key signature is invalid", requestId);
+  }
+}
+class InvalidMVRNameError extends SealAPIError {
+  constructor(requestId) {
+    super("MVR name is invalid or not consistent with the first version of the package", requestId);
+  }
+}
+class InvalidKeyServerObjectIdError extends SealAPIError {
+  constructor(requestId) {
+    super("Key server object ID is invalid", requestId);
+  }
+}
+class UnsupportedPackageIdError extends SealAPIError {
+  constructor(requestId) {
+    super("Requested package is not supported", requestId);
+  }
+}
+class InvalidSDKVersionError extends SealAPIError {
+  constructor(requestId) {
+    super("SDK version is invalid", requestId);
+  }
+}
+class InvalidSDKTypeError extends SealAPIError {
+  constructor(requestId) {
+    super("SDK type is invalid", requestId);
+  }
+}
+class DeprecatedSDKVersionError extends SealAPIError {
+  constructor(requestId) {
+    super("SDK version is deprecated", requestId);
+  }
+}
+class NoAccessError extends SealAPIError {
+  constructor(requestId) {
+    super("User does not have access to one or more of the requested keys", requestId);
+  }
+}
+class ExpiredSessionKeyError extends SealAPIError {
+  constructor(requestId) {
+    super("Session key has expired", requestId);
+  }
+}
+class InternalError extends SealAPIError {
+  constructor(requestId) {
+    super("Internal server error, caller should retry", requestId);
+  }
+}
+class GeneralError extends SealAPIError {
+}
+class InvalidPersonalMessageSignatureError extends UserError {
+}
+class InvalidGetObjectError extends UserError {
+}
+class UnsupportedFeatureError extends UserError {
+}
+class UnsupportedNetworkError extends UserError {
+}
+class InvalidKeyServerError extends UserError {
+}
+class InvalidKeyServerVersionError extends UserError {
+}
+class InvalidCiphertextError extends UserError {
+}
+class InvalidThresholdError extends UserError {
+}
+class InconsistentKeyServersError extends UserError {
+}
+class DecryptionError extends UserError {
+}
+class InvalidClientOptionsError extends UserError {
+}
+class TooManyFailedFetchKeyRequestsError extends UserError {
+}
+function toMajorityError(errors) {
+  let maxCount = 0;
+  let majorityError = errors[0];
+  const counts = /* @__PURE__ */ new Map();
+  for (const error of errors) {
+    const errorName = error.constructor.name;
+    const newCount = (counts.get(errorName) || 0) + 1;
+    counts.set(errorName, newCount);
+    if (newCount > maxCount) {
+      maxCount = newCount;
+      majorityError = error;
+    }
+  }
+  return majorityError;
+}
+export {
+  DecryptionError,
+  DeprecatedSDKVersionError,
+  ExpiredSessionKeyError,
+  GeneralError,
+  InconsistentKeyServersError,
+  InternalError,
+  InvalidCiphertextError,
+  InvalidClientOptionsError,
+  InvalidGetObjectError,
+  InvalidKeyServerError,
+  InvalidKeyServerObjectIdError,
+  InvalidKeyServerVersionError,
+  InvalidMVRNameError,
+  InvalidPTBError,
+  InvalidPackageError,
+  InvalidParameterError,
+  InvalidPersonalMessageSignatureError,
+  InvalidSDKTypeError,
+  InvalidSDKVersionError,
+  InvalidSessionKeySignatureError,
+  InvalidThresholdError,
+  InvalidUserSignatureError,
+  NoAccessError,
+  SealAPIError,
+  SealError,
+  TooManyFailedFetchKeyRequestsError,
+  UnsupportedFeatureError,
+  UnsupportedNetworkError,
+  UnsupportedPackageIdError,
+  UserError,
+  toMajorityError
+};
+//# sourceMappingURL=error.js.map

package/dist/esm/error.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/error.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport class SealError extends Error {}\n\nexport class UserError extends SealError {}\n\n// Errors returned by the Seal server\nexport class SealAPIError extends SealError {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic requestId?: string,\n\t\tpublic status?: number,\n\t) {\n\t\tsuper(message);\n\t}\n\n\tstatic #generate(error: string, message: string, requestId: string, status?: number) {\n\t\tswitch (error) {\n\t\t\tcase 'InvalidPTB':\n\t\t\t\treturn new InvalidPTBError(requestId, message);\n\t\t\tcase 'InvalidPackage':\n\t\t\t\treturn new InvalidPackageError(requestId);\n\t\t\tcase 'NoAccess':\n\t\t\t\treturn new NoAccessError(requestId);\n\t\t\tcase 'InvalidSignature':\n\t\t\t\treturn new InvalidUserSignatureError(requestId);\n\t\t\tcase 'InvalidSessionSignature':\n\t\t\t\treturn new InvalidSessionKeySignatureError(requestId);\n\t\t\tcase 'InvalidCertificate':\n\t\t\t\treturn new ExpiredSessionKeyError(requestId);\n\t\t\tcase 'InvalidSDKVersion':\n\t\t\t\treturn new InvalidSDKVersionError(requestId);\n\t\t\tcase 'InvalidSDKType':\n\t\t\t\treturn new InvalidSDKTypeError(requestId);\n\t\t\tcase 'DeprecatedSDKVersion':\n\t\t\t\treturn new DeprecatedSDKVersionError(requestId);\n\t\t\tcase 'InvalidParameter':\n\t\t\t\treturn new InvalidParameterError(requestId);\n\t\t\tcase 'InvalidMVRName':\n\t\t\t\treturn new InvalidMVRNameError(requestId);\n\t\t\tcase 'InvalidServiceId':\n\t\t\t\treturn new InvalidKeyServerObjectIdError(requestId);\n\t\t\tcase 'UnsupportedPackageId':\n\t\t\t\treturn new UnsupportedPackageIdError(requestId);\n\t\t\tcase 'Failure':\n\t\t\t\treturn new InternalError(requestId);\n\t\t\tdefault:\n\t\t\t\treturn new GeneralError(message, requestId, status);\n\t\t}\n\t}\n\n\tstatic async assertResponse(response: Response, requestId: string) {\n\t\tif (response.ok) {\n\t\t\treturn;\n\t\t}\n\t\tlet errorInstance: SealAPIError;\n\t\ttry {\n\t\t\tconst text = await response.text();\n\t\t\tconst error = JSON.parse(text)['error'];\n\t\t\tconst message = JSON.parse(text)['message'];\n\t\t\terrorInstance = SealAPIError.#generate(error, message, requestId);\n\t\t} catch {\n\t\t\t// If we can't parse the response as JSON or if it doesn't have the expected format,\n\t\t\t// fall back to using the status text\n\t\t\terrorInstance = new GeneralError(response.statusText, requestId, response.status);\n\t\t}\n\t\tthrow errorInstance;\n\t}\n}\n\n// Errors returned by the Seal server that indicate that the PTB is invalid\n\nexport class InvalidPTBError extends SealAPIError {\n\tconstructor(requestId?: string, message?: string) {\n\t\tsuper('PTB does not conform to the expected format ' + message, requestId);\n\t}\n}\n\nexport class InvalidPackageError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Package ID used in PTB is invalid', requestId);\n\t}\n}\n\nexport class InvalidParameterError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper(\n\t\t\t'PTB contains an invalid parameter, possibly a newly created object that the FN has not yet seen',\n\t\t\trequestId,\n\t\t);\n\t}\n}\n\n// Errors returned by the Seal server that indicate that the user's signature is invalid\n\nexport class InvalidUserSignatureError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('User signature on the session key is invalid', requestId);\n\t}\n}\n\nexport class InvalidSessionKeySignatureError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Session key signature is invalid', requestId);\n\t}\n}\n\nexport class InvalidMVRNameError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('MVR name is invalid or not consistent with the first version of the package', requestId);\n\t}\n}\n\n/** Server error indicating that the requested key server object id is invalid */\nexport class InvalidKeyServerObjectIdError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Key server object ID is invalid', requestId);\n\t}\n}\n\n/** Server error indicating that the requested package id is not supported (i.e., key server is running in Permissioned mode) */\nexport class UnsupportedPackageIdError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Requested package is not supported', requestId);\n\t}\n}\n\n// Errors returned by the Seal server that indicate that the SDK version is invalid (implying that HTTP headers used by the SDK are being removed) or deprecated (implying that the SDK should be upgraded).\n\nexport class InvalidSDKVersionError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('SDK version is invalid', requestId);\n\t}\n}\n\nexport class InvalidSDKTypeError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('SDK type is invalid', requestId);\n\t}\n}\n\nexport class DeprecatedSDKVersionError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('SDK version is deprecated', requestId);\n\t}\n}\n\n/** Server error indicating that the user does not have access to one or more of the requested keys */\nexport class NoAccessError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('User does not have access to one or more of the requested keys', requestId);\n\t}\n}\n\n/** Server error indicating that the session key has expired */\nexport class ExpiredSessionKeyError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Session key has expired', requestId);\n\t}\n}\n\n/** Internal server error, caller should retry */\nexport class InternalError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Internal server error, caller should retry', requestId);\n\t}\n}\n\n/** General server errors that are not specific to the Seal API (e.g., 404 \"Not Found\") */\nexport class GeneralError extends SealAPIError {}\n\n// Errors returned by the SDK\nexport class InvalidPersonalMessageSignatureError extends UserError {}\nexport class InvalidGetObjectError extends UserError {}\nexport class UnsupportedFeatureError extends UserError {}\nexport class UnsupportedNetworkError extends UserError {}\nexport class InvalidKeyServerError extends UserError {}\nexport class InvalidKeyServerVersionError extends UserError {}\nexport class InvalidCiphertextError extends UserError {}\nexport class InvalidThresholdError extends UserError {}\nexport class InconsistentKeyServersError extends UserError {}\nexport class DecryptionError extends UserError {}\nexport class InvalidClientOptionsError extends UserError {}\nexport class TooManyFailedFetchKeyRequestsError extends UserError {}\n\nexport function toMajorityError(errors: Error[]): Error {\n\tlet maxCount = 0;\n\tlet majorityError = errors[0];\n\tconst counts = new Map<string, number>();\n\tfor (const error of errors) {\n\t\tconst errorName = error.constructor.name;\n\t\tconst newCount = (counts.get(errorName) || 0) + 1;\n\t\tcounts.set(errorName, newCount);\n\n\t\tif (newCount > maxCount) {\n\t\t\tmaxCount = newCount;\n\t\t\tmajorityError = error;\n\t\t}\n\t}\n\n\treturn majorityError;\n}\n"],
+  "mappings": ";;;;;;AAAA;AAGO,MAAM,kBAAkB,MAAM;AAAC;AAE/B,MAAM,kBAAkB,UAAU;AAAC;AAGnC,MAAM,gBAAN,MAAM,sBAAqB,UAAU;AAAA,EAC3C,YACC,SACO,WACA,QACN;AACD,UAAM,OAAO;AAHN;AACA;AAAA,EAGR;AAAA,EAqCA,aAAa,eAAe,UAAoB,WAAmB;AApDpE;AAqDE,QAAI,SAAS,IAAI;AAChB;AAAA,IACD;AACA,QAAI;AACJ,QAAI;AACH,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,YAAM,QAAQ,KAAK,MAAM,IAAI,EAAE,OAAO;AACtC,YAAM,UAAU,KAAK,MAAM,IAAI,EAAE,SAAS;AAC1C,sBAAgB,oCAAa,mCAAb,SAAuB,OAAO,SAAS;AAAA,IACxD,QAAQ;AAGP,sBAAgB,IAAI,aAAa,SAAS,YAAY,WAAW,SAAS,MAAM;AAAA,IACjF;AACA,UAAM;AAAA,EACP;AACD;AA7DO;AASC,cAAS,SAAC,OAAe,SAAiB,WAAmB,QAAiB;AACpF,UAAQ,OAAO;AAAA,IACd,KAAK;AACJ,aAAO,IAAI,gBAAgB,WAAW,OAAO;AAAA,IAC9C,KAAK;AACJ,aAAO,IAAI,oBAAoB,SAAS;AAAA,IACzC,KAAK;AACJ,aAAO,IAAI,cAAc,SAAS;AAAA,IACnC,KAAK;AACJ,aAAO,IAAI,0BAA0B,SAAS;AAAA,IAC/C,KAAK;AACJ,aAAO,IAAI,gCAAgC,SAAS;AAAA,IACrD,KAAK;AACJ,aAAO,IAAI,uBAAuB,SAAS;AAAA,IAC5C,KAAK;AACJ,aAAO,IAAI,uBAAuB,SAAS;AAAA,IAC5C,KAAK;AACJ,aAAO,IAAI,oBAAoB,SAAS;AAAA,IACzC,KAAK;AACJ,aAAO,IAAI,0BAA0B,SAAS;AAAA,IAC/C,KAAK;AACJ,aAAO,IAAI,sBAAsB,SAAS;AAAA,IAC3C,KAAK;AACJ,aAAO,IAAI,oBAAoB,SAAS;AAAA,IACzC,KAAK;AACJ,aAAO,IAAI,8BAA8B,SAAS;AAAA,IACnD,KAAK;AACJ,aAAO,IAAI,0BAA0B,SAAS;AAAA,IAC/C,KAAK;AACJ,aAAO,IAAI,cAAc,SAAS;AAAA,IACnC;AACC,aAAO,IAAI,aAAa,SAAS,WAAW,MAAM;AAAA,EACpD;AACD;AA1CM,aAAM,eAAN;AAAA,IAAM,eAAN;AAiEA,MAAM,wBAAwB,aAAa;AAAA,EACjD,YAAY,WAAoB,SAAkB;AACjD,UAAM,iDAAiD,SAAS,SAAS;AAAA,EAC1E;AACD;AAEO,MAAM,4BAA4B,aAAa;AAAA,EACrD,YAAY,WAAoB;AAC/B,UAAM,qCAAqC,SAAS;AAAA,EACrD;AACD;AAEO,MAAM,8BAA8B,aAAa;AAAA,EACvD,YAAY,WAAoB;AAC/B;AAAA,MACC;AAAA,MACA;AAAA,IACD;AAAA,EACD;AACD;AAIO,MAAM,kCAAkC,aAAa;AAAA,EAC3D,YAAY,WAAoB;AAC/B,UAAM,gDAAgD,SAAS;AAAA,EAChE;AACD;AAEO,MAAM,wCAAwC,aAAa;AAAA,EACjE,YAAY,WAAoB;AAC/B,UAAM,oCAAoC,SAAS;AAAA,EACpD;AACD;AAEO,MAAM,4BAA4B,aAAa;AAAA,EACrD,YAAY,WAAoB;AAC/B,UAAM,+EAA+E,SAAS;AAAA,EAC/F;AACD;AAGO,MAAM,sCAAsC,aAAa;AAAA,EAC/D,YAAY,WAAoB;AAC/B,UAAM,mCAAmC,SAAS;AAAA,EACnD;AACD;AAGO,MAAM,kCAAkC,aAAa;AAAA,EAC3D,YAAY,WAAoB;AAC/B,UAAM,sCAAsC,SAAS;AAAA,EACtD;AACD;AAIO,MAAM,+BAA+B,aAAa;AAAA,EACxD,YAAY,WAAoB;AAC/B,UAAM,0BAA0B,SAAS;AAAA,EAC1C;AACD;AAEO,MAAM,4BAA4B,aAAa;AAAA,EACrD,YAAY,WAAoB;AAC/B,UAAM,uBAAuB,SAAS;AAAA,EACvC;AACD;AAEO,MAAM,kCAAkC,aAAa;AAAA,EAC3D,YAAY,WAAoB;AAC/B,UAAM,6BAA6B,SAAS;AAAA,EAC7C;AACD;AAGO,MAAM,sBAAsB,aAAa;AAAA,EAC/C,YAAY,WAAoB;AAC/B,UAAM,kEAAkE,SAAS;AAAA,EAClF;AACD;AAGO,MAAM,+BAA+B,aAAa;AAAA,EACxD,YAAY,WAAoB;AAC/B,UAAM,2BAA2B,SAAS;AAAA,EAC3C;AACD;AAGO,MAAM,sBAAsB,aAAa;AAAA,EAC/C,YAAY,WAAoB;AAC/B,UAAM,8CAA8C,SAAS;AAAA,EAC9D;AACD;AAGO,MAAM,qBAAqB,aAAa;AAAC;AAGzC,MAAM,6CAA6C,UAAU;AAAC;AAC9D,MAAM,8BAA8B,UAAU;AAAC;AAC/C,MAAM,gCAAgC,UAAU;AAAC;AACjD,MAAM,gCAAgC,UAAU;AAAC;AACjD,MAAM,8BAA8B,UAAU;AAAC;AAC/C,MAAM,qCAAqC,UAAU;AAAC;AACtD,MAAM,+BAA+B,UAAU;AAAC;AAChD,MAAM,8BAA8B,UAAU;AAAC;AAC/C,MAAM,oCAAoC,UAAU;AAAC;AACrD,MAAM,wBAAwB,UAAU;AAAC;AACzC,MAAM,kCAAkC,UAAU;AAAC;AACnD,MAAM,2CAA2C,UAAU;AAAC;AAE5D,SAAS,gBAAgB,QAAwB;AACvD,MAAI,WAAW;AACf,MAAI,gBAAgB,OAAO,CAAC;AAC5B,QAAM,SAAS,oBAAI,IAAoB;AACvC,aAAW,SAAS,QAAQ;AAC3B,UAAM,YAAY,MAAM,YAAY;AACpC,UAAM,YAAY,OAAO,IAAI,SAAS,KAAK,KAAK;AAChD,WAAO,IAAI,WAAW,QAAQ;AAE9B,QAAI,WAAW,UAAU;AACxB,iBAAW;AACX,sBAAgB;AAAA,IACjB;AAAA,EACD;AAEA,SAAO;AACR;",
+  "names": []
+}

package/dist/esm/ibe.d.ts

@@ -0,0 +1,98 @@
+import type { IBEEncryptions } from './bcs.js';
+import type { G1Element } from './bls12381.js';
+import { G2Element } from './bls12381.js';
+import type { KeyServer } from './key-server.js';
+import type { Share } from './shamir.js';
+/**
+ * The domain separation tag for the signing proof of possession.
+ */
+export declare const DST_POP: Uint8Array;
+/**
+ * The interface for the key servers.
+ */
+export declare abstract class IBEServers {
+    objectIds: string[];
+    constructor(objectIds: string[]);
+    /**
+     * Encrypt a batch of messages for the given identity.
+     *
+     * @param id The identity.
+     * @param msgAndIndices The messages and the corresponding indices of the share being encrypted.
+     * @returns The encrypted messages.
+     */
+    abstract encryptBatched(id: Uint8Array, shares: Share[], baseKey: Uint8Array, threshold: number): typeof IBEEncryptions.$inferType;
+}
+/**
+ * Identity-based encryption based on the Boneh-Franklin IBE scheme (https://eprint.iacr.org/2001/090).
+ * Note that this implementation is of the "BasicIdent" protocol which on its own is not CCA secure, so this IBE implementation should not be used on its own.
+ *
+ * This object represents a set of key servers that can be used to encrypt messages for a given identity.
+ */
+export declare class BonehFranklinBLS12381Services extends IBEServers {
+    readonly publicKeys: G2Element[];
+    constructor(services: KeyServer[]);
+    encryptBatched(id: Uint8Array, shares: Share[], baseKey: Uint8Array, threshold: number): typeof IBEEncryptions.$inferType;
+    /**
+     * Returns true if the user secret key is valid for the given public key and id.
+     * @param user_secret_key - The user secret key.
+     * @param id - The identity.
+     * @param public_key - The public key.
+     * @returns True if the user secret key is valid for the given public key and id.
+     */
+    static verifyUserSecretKey(userSecretKey: G1Element, id: string, publicKey: G2Element): boolean;
+    /**
+     * Identity-based decryption.
+     *
+     * @param nonce The encryption nonce.
+     * @param sk The user secret key.
+     * @param ciphertext The encrypted message.
+     * @param id The identity.
+     * @param [objectId, index] The object id and index of the share.
+     * @returns The decrypted message.
+     */
+    static decrypt(nonce: G2Element, sk: G1Element, ciphertext: Uint8Array, id: Uint8Array, [objectId, index]: [string, number]): Uint8Array;
+    /**
+     * Decrypt all shares and verify that the randomness was used to create the given nonce.
+     *
+     * @param randomness - The randomness.
+     * @param encryptedShares - The encrypted shares.
+     * @param services - The services.
+     * @param publicKeys - The public keys.
+     * @param nonce - The nonce.
+     * @param id - The id.
+     * @returns All decrypted shares.
+     */
+    static decryptAllSharesUsingRandomness(randomness: Uint8Array, encryptedShares: Uint8Array[], services: [string, number][], publicKeys: G2Element[], nonce: G2Element, id: Uint8Array): {
+        index: number;
+        share: Uint8Array;
+    }[];
+}
+/**
+ * Verify that the given randomness was used to crate the nonce.
+ * Throws an error if the given randomness is invalid (not a BLS scalar).
+ *
+ * @param randomness - The randomness.
+ * @param nonce - The nonce.
+ * @param useBE - Flag to indicate if BE encoding is used for the randomness. Defaults to true.
+ * @returns True if the randomness was used to create the nonce, false otherwise.
+ */
+export declare function verifyNonce(nonce: G2Element, randomness: Uint8Array, useBE?: boolean): boolean;
+/**
+ * Decrypt the randomness using a key.
+ *
+ * @param encrypted_randomness - The encrypted randomness.
+ * @param derived_key - The derived key.
+ * @returns The randomness. Returns both the scalar interpreted in big-endian and little-endian encoding.
+ */
+export declare function decryptRandomness(encryptedRandomness: Uint8Array, randomnessKey: Uint8Array): Uint8Array;
+/**
+ * Verify that the given randomness was used to crate the nonce.
+ * Check using both big-endian and little-endian encoding of the randomness.
+ *
+ * Throws an error if the nonce check doesn't pass using LE encoding _and_ the randomness is invalid as a BE encoded scalar.
+ *
+ * @param randomness - The randomness.
+ * @param nonce - The nonce.
+ * @returns True if the randomness was used to create the nonce using either LE or BE encoding, false otherwise.
+ */
+export declare function verifyNonceWithLE(nonce: G2Element, randomness: Uint8Array): boolean;

package/dist/esm/ibe.js

@@ -0,0 +1,147 @@
+import { fromHex } from "@haneullabs/bcs";
+import { G2Element, Scalar } from "./bls12381.js";
+import { deriveKey, hashToG1, kdf, KeyPurpose } from "./kdf.js";
+import { xor } from "./utils.js";
+import { InvalidCiphertextError } from "./error.js";
+const DST_POP = new TextEncoder().encode("SUI-SEAL-IBE-BLS12381-POP-00");
+class IBEServers {
+  constructor(objectIds) {
+    this.objectIds = objectIds;
+  }
+}
+class BonehFranklinBLS12381Services extends IBEServers {
+  constructor(services) {
+    super(services.map((service) => service.objectId));
+    this.publicKeys = services.map((service) => G2Element.fromBytes(service.pk));
+  }
+  encryptBatched(id, shares, baseKey, threshold) {
+    if (this.publicKeys.length === 0 || this.publicKeys.length !== shares.length) {
+      throw new Error("Invalid public keys");
+    }
+    const [r, nonce, keys] = encapBatched(this.publicKeys, id);
+    const encryptedShares = shares.map(
+      ({ share, index }, i) => xor(share, kdf(keys[i], nonce, id, this.objectIds[i], index))
+    );
+    const randomnessKey = deriveKey(
+      KeyPurpose.EncryptedRandomness,
+      baseKey,
+      encryptedShares,
+      threshold,
+      this.objectIds
+    );
+    const encryptedRandomness = xor(randomnessKey, r.toBytes());
+    return {
+      BonehFranklinBLS12381: {
+        nonce: nonce.toBytes(),
+        encryptedShares,
+        encryptedRandomness
+      },
+      $kind: "BonehFranklinBLS12381"
+    };
+  }
+  /**
+   * Returns true if the user secret key is valid for the given public key and id.
+   * @param user_secret_key - The user secret key.
+   * @param id - The identity.
+   * @param public_key - The public key.
+   * @returns True if the user secret key is valid for the given public key and id.
+   */
+  static verifyUserSecretKey(userSecretKey, id, publicKey) {
+    const lhs = userSecretKey.pairing(G2Element.generator());
+    const rhs = hashToG1(fromHex(id)).pairing(publicKey);
+    return lhs.equals(rhs);
+  }
+  /**
+   * Identity-based decryption.
+   *
+   * @param nonce The encryption nonce.
+   * @param sk The user secret key.
+   * @param ciphertext The encrypted message.
+   * @param id The identity.
+   * @param [objectId, index] The object id and index of the share.
+   * @returns The decrypted message.
+   */
+  static decrypt(nonce, sk, ciphertext, id, [objectId, index]) {
+    return xor(ciphertext, kdf(decap(nonce, sk), nonce, id, objectId, index));
+  }
+  /**
+   * Decrypt all shares and verify that the randomness was used to create the given nonce.
+   *
+   * @param randomness - The randomness.
+   * @param encryptedShares - The encrypted shares.
+   * @param services - The services.
+   * @param publicKeys - The public keys.
+   * @param nonce - The nonce.
+   * @param id - The id.
+   * @returns All decrypted shares.
+   */
+  static decryptAllSharesUsingRandomness(randomness, encryptedShares, services, publicKeys, nonce, id) {
+    if (publicKeys.length !== encryptedShares.length || publicKeys.length !== services.length) {
+      throw new Error("The number of public keys, encrypted shares and services must be the same");
+    }
+    let r;
+    try {
+      r = Scalar.fromBytes(randomness);
+    } catch {
+      throw new InvalidCiphertextError("Invalid randomness");
+    }
+    const gid_r = hashToG1(id).multiply(r);
+    return services.map(([objectId, index], i) => {
+      return {
+        index,
+        share: xor(
+          encryptedShares[i],
+          kdf(gid_r.pairing(publicKeys[i]), nonce, id, objectId, index)
+        )
+      };
+    });
+  }
+}
+function encapBatched(publicKeys, id) {
+  if (publicKeys.length === 0) {
+    throw new Error("No public keys provided");
+  }
+  const r = Scalar.random();
+  const nonce = G2Element.generator().multiply(r);
+  const gid_r = hashToG1(id).multiply(r);
+  return [r, nonce, publicKeys.map((public_key) => gid_r.pairing(public_key))];
+}
+function decap(nonce, usk) {
+  return usk.pairing(nonce);
+}
+function verifyNonce(nonce, randomness, useBE = true) {
+  try {
+    const r = decodeRandomness(randomness, useBE);
+    return G2Element.generator().multiply(r).equals(nonce);
+  } catch {
+    throw new InvalidCiphertextError("Invalid randomness");
+  }
+}
+function decodeRandomness(bytes, useBE) {
+  if (useBE) {
+    return Scalar.fromBytes(bytes);
+  } else {
+    return Scalar.fromBytesLE(bytes);
+  }
+}
+function decryptRandomness(encryptedRandomness, randomnessKey) {
+  return xor(encryptedRandomness, randomnessKey);
+}
+function verifyNonceWithLE(nonce, randomness) {
+  try {
+    if (verifyNonce(nonce, randomness, false)) {
+      return true;
+    }
+  } catch {
+  }
+  return verifyNonce(nonce, randomness, true);
+}
+export {
+  BonehFranklinBLS12381Services,
+  DST_POP,
+  IBEServers,
+  decryptRandomness,
+  verifyNonce,
+  verifyNonceWithLE
+};
+//# sourceMappingURL=ibe.js.map

package/dist/esm/ibe.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/ibe.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex } from '@haneullabs/bcs';\n\nimport type { IBEEncryptions } from './bcs.js';\nimport type { G1Element, GTElement } from './bls12381.js';\nimport { G2Element, Scalar } from './bls12381.js';\nimport { deriveKey, hashToG1, kdf, KeyPurpose } from './kdf.js';\nimport type { KeyServer } from './key-server.js';\nimport { xor } from './utils.js';\nimport type { Share } from './shamir.js';\nimport { InvalidCiphertextError } from './error.js';\n\n/**\n * The domain separation tag for the signing proof of possession.\n */\nexport const DST_POP: Uint8Array = new TextEncoder().encode('SUI-SEAL-IBE-BLS12381-POP-00');\n\n/**\n * The interface for the key servers.\n */\nexport abstract class IBEServers {\n\tobjectIds: string[];\n\n\tconstructor(objectIds: string[]) {\n\t\tthis.objectIds = objectIds;\n\t}\n\n\t/**\n\t * Encrypt a batch of messages for the given identity.\n\t *\n\t * @param id The identity.\n\t * @param msgAndIndices The messages and the corresponding indices of the share being encrypted.\n\t * @returns The encrypted messages.\n\t */\n\tabstract encryptBatched(\n\t\tid: Uint8Array,\n\t\tshares: Share[],\n\t\tbaseKey: Uint8Array,\n\t\tthreshold: number,\n\t): typeof IBEEncryptions.$inferType;\n}\n\n/**\n * Identity-based encryption based on the Boneh-Franklin IBE scheme (https://eprint.iacr.org/2001/090).\n * Note that this implementation is of the \"BasicIdent\" protocol which on its own is not CCA secure, so this IBE implementation should not be used on its own.\n *\n * This object represents a set of key servers that can be used to encrypt messages for a given identity.\n */\nexport class BonehFranklinBLS12381Services extends IBEServers {\n\treadonly publicKeys: G2Element[];\n\n\tconstructor(services: KeyServer[]) {\n\t\tsuper(services.map((service) => service.objectId));\n\t\tthis.publicKeys = services.map((service) => G2Element.fromBytes(service.pk));\n\t}\n\n\tencryptBatched(\n\t\tid: Uint8Array,\n\t\tshares: Share[],\n\t\tbaseKey: Uint8Array,\n\t\tthreshold: number,\n\t): typeof IBEEncryptions.$inferType {\n\t\tif (this.publicKeys.length === 0 || this.publicKeys.length !== shares.length) {\n\t\t\tthrow new Error('Invalid public keys');\n\t\t}\n\t\tconst [r, nonce, keys] = encapBatched(this.publicKeys, id);\n\t\tconst encryptedShares = shares.map(({ share, index }, i) =>\n\t\t\txor(share, kdf(keys[i], nonce, id, this.objectIds[i], index)),\n\t\t);\n\t\tconst randomnessKey = deriveKey(\n\t\t\tKeyPurpose.EncryptedRandomness,\n\t\t\tbaseKey,\n\t\t\tencryptedShares,\n\t\t\tthreshold,\n\t\t\tthis.objectIds,\n\t\t);\n\t\tconst encryptedRandomness = xor(randomnessKey, r.toBytes());\n\n\t\treturn {\n\t\t\tBonehFranklinBLS12381: {\n\t\t\t\tnonce: nonce.toBytes(),\n\t\t\t\tencryptedShares,\n\t\t\t\tencryptedRandomness,\n\t\t\t},\n\t\t\t$kind: 'BonehFranklinBLS12381',\n\t\t};\n\t}\n\n\t/**\n\t * Returns true if the user secret key is valid for the given public key and id.\n\t * @param user_secret_key - The user secret key.\n\t * @param id - The identity.\n\t * @param public_key - The public key.\n\t * @returns True if the user secret key is valid for the given public key and id.\n\t */\n\tstatic verifyUserSecretKey(userSecretKey: G1Element, id: string, publicKey: G2Element): boolean {\n\t\tconst lhs = userSecretKey.pairing(G2Element.generator());\n\t\tconst rhs = hashToG1(fromHex(id)).pairing(publicKey);\n\t\treturn lhs.equals(rhs);\n\t}\n\n\t/**\n\t * Identity-based decryption.\n\t *\n\t * @param nonce The encryption nonce.\n\t * @param sk The user secret key.\n\t * @param ciphertext The encrypted message.\n\t * @param id The identity.\n\t * @param [objectId, index] The object id and index of the share.\n\t * @returns The decrypted message.\n\t */\n\tstatic decrypt(\n\t\tnonce: G2Element,\n\t\tsk: G1Element,\n\t\tciphertext: Uint8Array,\n\t\tid: Uint8Array,\n\t\t[objectId, index]: [string, number],\n\t): Uint8Array {\n\t\treturn xor(ciphertext, kdf(decap(nonce, sk), nonce, id, objectId, index));\n\t}\n\n\t/**\n\t * Decrypt all shares and verify that the randomness was used to create the given nonce.\n\t *\n\t * @param randomness - The randomness.\n\t * @param encryptedShares - The encrypted shares.\n\t * @param services - The services.\n\t * @param publicKeys - The public keys.\n\t * @param nonce - The nonce.\n\t * @param id - The id.\n\t * @returns All decrypted shares.\n\t */\n\tstatic decryptAllSharesUsingRandomness(\n\t\trandomness: Uint8Array,\n\t\tencryptedShares: Uint8Array[],\n\t\tservices: [string, number][],\n\t\tpublicKeys: G2Element[],\n\t\tnonce: G2Element,\n\t\tid: Uint8Array,\n\t): { index: number; share: Uint8Array }[] {\n\t\tif (publicKeys.length !== encryptedShares.length || publicKeys.length !== services.length) {\n\t\t\tthrow new Error('The number of public keys, encrypted shares and services must be the same');\n\t\t}\n\t\tlet r;\n\t\ttry {\n\t\t\tr = Scalar.fromBytes(randomness);\n\t\t} catch {\n\t\t\tthrow new InvalidCiphertextError('Invalid randomness');\n\t\t}\n\t\tconst gid_r = hashToG1(id).multiply(r);\n\t\treturn services.map(([objectId, index], i) => {\n\t\t\treturn {\n\t\t\t\tindex,\n\t\t\t\tshare: xor(\n\t\t\t\t\tencryptedShares[i],\n\t\t\t\t\tkdf(gid_r.pairing(publicKeys[i]), nonce, id, objectId, index),\n\t\t\t\t),\n\t\t\t};\n\t\t});\n\t}\n}\n\n/**\n * Batched identity-based key-encapsulation mechanism: encapsulate multiple keys for given identity using different key servers.\n *\n * @param publicKeys Public keys for a set of key servers.\n * @param id The identity used to encapsulate the keys.\n * @returns The randomness, a common nonce of the keys and a list of keys.\n */\nfunction encapBatched(publicKeys: G2Element[], id: Uint8Array): [Scalar, G2Element, GTElement[]] {\n\tif (publicKeys.length === 0) {\n\t\tthrow new Error('No public keys provided');\n\t}\n\tconst r = Scalar.random();\n\tconst nonce = G2Element.generator().multiply(r);\n\tconst gid_r = hashToG1(id).multiply(r);\n\treturn [r, nonce, publicKeys.map((public_key) => gid_r.pairing(public_key))];\n}\n\n/**\n * Decapsulate a key using a user secret key and the nonce.\n *\n * @param usk The user secret key.\n * @param nonce The nonce.\n * @returns The encapsulated key.\n */\nfunction decap(nonce: G2Element, usk: G1Element): GTElement {\n\treturn usk.pairing(nonce);\n}\n\n/**\n * Verify that the given randomness was used to crate the nonce.\n * Throws an error if the given randomness is invalid (not a BLS scalar).\n *\n * @param randomness - The randomness.\n * @param nonce - The nonce.\n * @param useBE - Flag to indicate if BE encoding is used for the randomness. Defaults to true.\n * @returns True if the randomness was used to create the nonce, false otherwise.\n */\nexport function verifyNonce(\n\tnonce: G2Element,\n\trandomness: Uint8Array,\n\tuseBE: boolean = true,\n): boolean {\n\ttry {\n\t\tconst r = decodeRandomness(randomness, useBE);\n\t\treturn G2Element.generator().multiply(r).equals(nonce);\n\t} catch {\n\t\tthrow new InvalidCiphertextError('Invalid randomness');\n\t}\n}\n\nfunction decodeRandomness(bytes: Uint8Array, useBE: boolean): Scalar {\n\tif (useBE) {\n\t\treturn Scalar.fromBytes(bytes);\n\t} else {\n\t\treturn Scalar.fromBytesLE(bytes);\n\t}\n}\n\n/**\n * Decrypt the randomness using a key.\n *\n * @param encrypted_randomness - The encrypted randomness.\n * @param derived_key - The derived key.\n * @returns The randomness. Returns both the scalar interpreted in big-endian and little-endian encoding.\n */\nexport function decryptRandomness(\n\tencryptedRandomness: Uint8Array,\n\trandomnessKey: Uint8Array,\n): Uint8Array {\n\treturn xor(encryptedRandomness, randomnessKey);\n}\n\n/**\n * Verify that the given randomness was used to crate the nonce.\n * Check using both big-endian and little-endian encoding of the randomness.\n *\n * Throws an error if the nonce check doesn't pass using LE encoding _and_ the randomness is invalid as a BE encoded scalar.\n *\n * @param randomness - The randomness.\n * @param nonce - The nonce.\n * @returns True if the randomness was used to create the nonce using either LE or BE encoding, false otherwise.\n */\nexport function verifyNonceWithLE(nonce: G2Element, randomness: Uint8Array): boolean {\n\ttry {\n\t\t// First try little-endian encoding\n\t\tif (verifyNonce(nonce, randomness, false)) {\n\t\t\treturn true;\n\t\t}\n\t} catch {\n\t\t// Ignore error and try big-endian encoding\n\t}\n\treturn verifyNonce(nonce, randomness, true);\n}\n"],
+  "mappings": "AAGA,SAAS,eAAe;AAIxB,SAAS,WAAW,cAAc;AAClC,SAAS,WAAW,UAAU,KAAK,kBAAkB;AAErD,SAAS,WAAW;AAEpB,SAAS,8BAA8B;AAKhC,MAAM,UAAsB,IAAI,YAAY,EAAE,OAAO,8BAA8B;AAKnF,MAAe,WAAW;AAAA,EAGhC,YAAY,WAAqB;AAChC,SAAK,YAAY;AAAA,EAClB;AAeD;AAQO,MAAM,sCAAsC,WAAW;AAAA,EAG7D,YAAY,UAAuB;AAClC,UAAM,SAAS,IAAI,CAAC,YAAY,QAAQ,QAAQ,CAAC;AACjD,SAAK,aAAa,SAAS,IAAI,CAAC,YAAY,UAAU,UAAU,QAAQ,EAAE,CAAC;AAAA,EAC5E;AAAA,EAEA,eACC,IACA,QACA,SACA,WACmC;AACnC,QAAI,KAAK,WAAW,WAAW,KAAK,KAAK,WAAW,WAAW,OAAO,QAAQ;AAC7E,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACtC;AACA,UAAM,CAAC,GAAG,OAAO,IAAI,IAAI,aAAa,KAAK,YAAY,EAAE;AACzD,UAAM,kBAAkB,OAAO;AAAA,MAAI,CAAC,EAAE,OAAO,MAAM,GAAG,MACrD,IAAI,OAAO,IAAI,KAAK,CAAC,GAAG,OAAO,IAAI,KAAK,UAAU,CAAC,GAAG,KAAK,CAAC;AAAA,IAC7D;AACA,UAAM,gBAAgB;AAAA,MACrB,WAAW;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MACA,KAAK;AAAA,IACN;AACA,UAAM,sBAAsB,IAAI,eAAe,EAAE,QAAQ,CAAC;AAE1D,WAAO;AAAA,MACN,uBAAuB;AAAA,QACtB,OAAO,MAAM,QAAQ;AAAA,QACrB;AAAA,QACA;AAAA,MACD;AAAA,MACA,OAAO;AAAA,IACR;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAO,oBAAoB,eAA0B,IAAY,WAA+B;AAC/F,UAAM,MAAM,cAAc,QAAQ,UAAU,UAAU,CAAC;AACvD,UAAM,MAAM,SAAS,QAAQ,EAAE,CAAC,EAAE,QAAQ,SAAS;AACnD,WAAO,IAAI,OAAO,GAAG;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,OAAO,QACN,OACA,IACA,YACA,IACA,CAAC,UAAU,KAAK,GACH;AACb,WAAO,IAAI,YAAY,IAAI,MAAM,OAAO,EAAE,GAAG,OAAO,IAAI,UAAU,KAAK,CAAC;AAAA,EACzE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,OAAO,gCACN,YACA,iBACA,UACA,YACA,OACA,IACyC;AACzC,QAAI,WAAW,WAAW,gBAAgB,UAAU,WAAW,WAAW,SAAS,QAAQ;AAC1F,YAAM,IAAI,MAAM,2EAA2E;AAAA,IAC5F;AACA,QAAI;AACJ,QAAI;AACH,UAAI,OAAO,UAAU,UAAU;AAAA,IAChC,QAAQ;AACP,YAAM,IAAI,uBAAuB,oBAAoB;AAAA,IACtD;AACA,UAAM,QAAQ,SAAS,EAAE,EAAE,SAAS,CAAC;AACrC,WAAO,SAAS,IAAI,CAAC,CAAC,UAAU,KAAK,GAAG,MAAM;AAC7C,aAAO;AAAA,QACN;AAAA,QACA,OAAO;AAAA,UACN,gBAAgB,CAAC;AAAA,UACjB,IAAI,MAAM,QAAQ,WAAW,CAAC,CAAC,GAAG,OAAO,IAAI,UAAU,KAAK;AAAA,QAC7D;AAAA,MACD;AAAA,IACD,CAAC;AAAA,EACF;AACD;AASA,SAAS,aAAa,YAAyB,IAAkD;AAChG,MAAI,WAAW,WAAW,GAAG;AAC5B,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC1C;AACA,QAAM,IAAI,OAAO,OAAO;AACxB,QAAM,QAAQ,UAAU,UAAU,EAAE,SAAS,CAAC;AAC9C,QAAM,QAAQ,SAAS,EAAE,EAAE,SAAS,CAAC;AACrC,SAAO,CAAC,GAAG,OAAO,WAAW,IAAI,CAAC,eAAe,MAAM,QAAQ,UAAU,CAAC,CAAC;AAC5E;AASA,SAAS,MAAM,OAAkB,KAA2B;AAC3D,SAAO,IAAI,QAAQ,KAAK;AACzB;AAWO,SAAS,YACf,OACA,YACA,QAAiB,MACP;AACV,MAAI;AACH,UAAM,IAAI,iBAAiB,YAAY,KAAK;AAC5C,WAAO,UAAU,UAAU,EAAE,SAAS,CAAC,EAAE,OAAO,KAAK;AAAA,EACtD,QAAQ;AACP,UAAM,IAAI,uBAAuB,oBAAoB;AAAA,EACtD;AACD;AAEA,SAAS,iBAAiB,OAAmB,OAAwB;AACpE,MAAI,OAAO;AACV,WAAO,OAAO,UAAU,KAAK;AAAA,EAC9B,OAAO;AACN,WAAO,OAAO,YAAY,KAAK;AAAA,EAChC;AACD;AASO,SAAS,kBACf,qBACA,eACa;AACb,SAAO,IAAI,qBAAqB,aAAa;AAC9C;AAYO,SAAS,kBAAkB,OAAkB,YAAiC;AACpF,MAAI;AAEH,QAAI,YAAY,OAAO,YAAY,KAAK,GAAG;AAC1C,aAAO;AAAA,IACR;AAAA,EACD,QAAQ;AAAA,EAER;AACA,SAAO,YAAY,OAAO,YAAY,IAAI;AAC3C;",
+  "names": []
+}

package/dist/esm/index.d.ts

@@ -0,0 +1,6 @@
+export { EncryptedObject } from './bcs.js';
+export { SealClient } from './client.js';
+export { SessionKey, type ExportedSessionKey } from './session-key.js';
+export * from './error.js';
+export type { SealCompatibleClient, SealClientOptions, SealClientExtensionOptions, KeyServerConfig, EncryptOptions, DecryptOptions, FetchKeysOptions, GetDerivedKeysOptions, } from './types.js';
+export { DemType } from './encrypt.js';

package/dist/esm/index.js

@@ -0,0 +1,12 @@
+import { EncryptedObject } from "./bcs.js";
+import { SealClient } from "./client.js";
+import { SessionKey } from "./session-key.js";
+export * from "./error.js";
+import { DemType } from "./encrypt.js";
+export {
+  DemType,
+  EncryptedObject,
+  SealClient,
+  SessionKey
+};
+//# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/index.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport { EncryptedObject } from './bcs.js';\nexport { SealClient } from './client.js';\nexport { SessionKey, type ExportedSessionKey } from './session-key.js';\nexport * from './error.js';\nexport type {\n\tSealCompatibleClient,\n\tSealClientOptions,\n\tSealClientExtensionOptions,\n\tKeyServerConfig,\n\tEncryptOptions,\n\tDecryptOptions,\n\tFetchKeysOptions,\n\tGetDerivedKeysOptions,\n} from './types.js';\nexport { DemType } from './encrypt.js';\n"],
+  "mappings": "AAGA,SAAS,uBAAuB;AAChC,SAAS,kBAAkB;AAC3B,SAAS,kBAA2C;AACpD,cAAc;AAWd,SAAS,eAAe;",
+  "names": []
+}

package/dist/esm/kdf.d.ts

@@ -0,0 +1,30 @@
+import { G1Element } from './bls12381.js';
+import type { G2Element, GTElement } from './bls12381.js';
+/**
+ * Hash an id to a G1Element.
+ *
+ * @param id The id to hash.
+ * @returns The G1Element.
+ */
+export declare function hashToG1(id: Uint8Array): G1Element;
+/**
+ * The default key derivation function.
+ *
+ * @returns The derived key.
+ */
+export declare function kdf(element: GTElement, nonce: G2Element, id: Uint8Array, objectId: string, index: number): Uint8Array;
+export declare enum KeyPurpose {
+    EncryptedRandomness = 0,
+    DEM = 1
+}
+/**
+ * Derive a key from a base key and a list of encrypted shares.
+ *
+ * @param purpose The purpose of the key.
+ * @param baseKey The base key.
+ * @param encryptedShares The encrypted shares.
+ * @param threshold The threshold.
+ * @param keyServers The object ids of the key servers.
+ * @returns The derived key.
+ */
+export declare function deriveKey(purpose: KeyPurpose, baseKey: Uint8Array, encryptedShares: Uint8Array[], threshold: number, keyServers: string[]): Uint8Array;