@haneullabs/seal 0.1.0

package/dist/cjs/encrypt.js

@@ -0,0 +1,104 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var encrypt_exports = {};
+__export(encrypt_exports, {
+  DemType: () => DemType,
+  KemType: () => KemType,
+  encrypt: () => encrypt
+});
+module.exports = __toCommonJS(encrypt_exports);
+var import_bcs = require("@haneullabs/bcs");
+var import_bcs2 = require("./bcs.js");
+var import_error = require("./error.js");
+var import_ibe = require("./ibe.js");
+var import_kdf = require("./kdf.js");
+var import_utils = require("./utils.js");
+var import_shamir = require("./shamir.js");
+async function encrypt({
+  keyServers,
+  kemType,
+  threshold,
+  packageId,
+  id,
+  encryptionInput
+}) {
+  if (threshold <= 0 || threshold >= import_utils.MAX_U8 || keyServers.length < threshold || keyServers.length >= import_utils.MAX_U8) {
+    throw new import_error.UserError(
+      `Invalid key servers or threshold ${threshold} for ${keyServers.length} key servers for package ${packageId}`
+    );
+  }
+  const baseKey = await encryptionInput.generateKey();
+  const shares = (0, import_shamir.split)(baseKey, threshold, keyServers.length);
+  const fullId = (0, import_utils.createFullId)(packageId, id);
+  const encryptedShares = encryptBatched(
+    keyServers,
+    kemType,
+    (0, import_bcs.fromHex)(fullId),
+    shares,
+    baseKey,
+    threshold
+  );
+  const demKey = (0, import_kdf.deriveKey)(
+    import_kdf.KeyPurpose.DEM,
+    baseKey,
+    encryptedShares.BonehFranklinBLS12381.encryptedShares,
+    threshold,
+    keyServers.map(({ objectId }) => objectId)
+  );
+  const ciphertext = await encryptionInput.encrypt(demKey);
+  const services = keyServers.map(({ objectId }, i) => [
+    objectId,
+    shares[i].index
+  ]);
+  return {
+    encryptedObject: import_bcs2.EncryptedObject.serialize({
+      version: 0,
+      packageId,
+      id,
+      services,
+      threshold,
+      encryptedShares,
+      ciphertext
+    }).toBytes(),
+    key: new Uint8Array(demKey)
+  };
+}
+var KemType = /* @__PURE__ */ ((KemType2) => {
+  KemType2[KemType2["BonehFranklinBLS12381DemCCA"] = 0] = "BonehFranklinBLS12381DemCCA";
+  return KemType2;
+})(KemType || {});
+var DemType = /* @__PURE__ */ ((DemType2) => {
+  DemType2[DemType2["AesGcm256"] = 0] = "AesGcm256";
+  DemType2[DemType2["Hmac256Ctr"] = 1] = "Hmac256Ctr";
+  return DemType2;
+})(DemType || {});
+function encryptBatched(keyServers, kemType, id, shares, baseKey, threshold) {
+  switch (kemType) {
+    case 0 /* BonehFranklinBLS12381DemCCA */:
+      return new import_ibe.BonehFranklinBLS12381Services(keyServers).encryptBatched(
+        id,
+        shares,
+        baseKey,
+        threshold
+      );
+    default:
+      throw new Error(`Invalid KEM type ${kemType}`);
+  }
+}
+//# sourceMappingURL=encrypt.js.map

package/dist/cjs/encrypt.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/encrypt.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex } from '@haneullabs/bcs';\n\nimport type { IBEEncryptions } from './bcs.js';\nimport { EncryptedObject } from './bcs.js';\nimport type { EncryptionInput } from './dem.js';\nimport { UserError } from './error.js';\nimport { BonehFranklinBLS12381Services } from './ibe.js';\nimport { deriveKey, KeyPurpose } from './kdf.js';\nimport type { KeyServer } from './key-server.js';\nimport { createFullId, MAX_U8 } from './utils.js';\nimport type { Share } from './shamir.js';\nimport { split } from './shamir.js';\n\n/**\n * Given full ID and what key servers to use, return the encrypted message under the identity and return the bcs bytes of the encrypted object.\n *\n * @param keyServers - A list of KeyServers (same server can be used multiple times)\n * @param kemType - The type of KEM to use.\n * @param packageId - packageId\n * @param id - id\n * @param encryptionInput - Input to the encryption. Should be one of the EncryptionInput types, AesGcmEncryptionInput or Hmac256CtrEncryptionInput.\n * @param threshold - The threshold for the TSS encryption.\n * @returns The bcs bytes of the encrypted object containing all metadata and the 256-bit symmetric key that was used to encrypt the object.\n * Since the key can be used to decrypt, it should not be shared but can be used eg. for backup.\n */\nexport async function encrypt({\n\tkeyServers,\n\tkemType,\n\tthreshold,\n\tpackageId,\n\tid,\n\tencryptionInput,\n}: {\n\tkeyServers: KeyServer[];\n\tkemType: KemType;\n\tthreshold: number;\n\tpackageId: string;\n\tid: string;\n\tencryptionInput: EncryptionInput;\n}): Promise<{\n\tencryptedObject: Uint8Array<ArrayBuffer>;\n\tkey: Uint8Array<ArrayBuffer>;\n}> {\n\t// Check inputs\n\tif (\n\t\tthreshold <= 0 ||\n\t\tthreshold >= MAX_U8 ||\n\t\tkeyServers.length < threshold ||\n\t\tkeyServers.length >= MAX_U8\n\t) {\n\t\tthrow new UserError(\n\t\t\t`Invalid key servers or threshold ${threshold} for ${keyServers.length} key servers for package ${packageId}`,\n\t\t);\n\t}\n\n\t// Generate a random base key.\n\tconst baseKey = await encryptionInput.generateKey();\n\n\t// Split the key into shares and encrypt each share with the public keys of the key servers.\n\tconst shares = split(baseKey, threshold, keyServers.length);\n\n\t// Encrypt the shares with the public keys of the key servers.\n\tconst fullId = createFullId(packageId, id);\n\tconst encryptedShares = encryptBatched(\n\t\tkeyServers,\n\t\tkemType,\n\t\tfromHex(fullId),\n\t\tshares,\n\t\tbaseKey,\n\t\tthreshold,\n\t);\n\n\t// Encrypt the object with the derived DEM key.\n\tconst demKey = deriveKey(\n\t\tKeyPurpose.DEM,\n\t\tbaseKey,\n\t\tencryptedShares.BonehFranklinBLS12381.encryptedShares,\n\t\tthreshold,\n\t\tkeyServers.map(({ objectId }) => objectId),\n\t);\n\tconst ciphertext = await encryptionInput.encrypt(demKey);\n\n\t// Services and indices of their shares are stored as a tuple\n\tconst services: [string, number][] = keyServers.map(({ objectId }, i) => [\n\t\tobjectId,\n\t\tshares[i].index,\n\t]);\n\n\treturn {\n\t\tencryptedObject: EncryptedObject.serialize({\n\t\t\tversion: 0,\n\t\t\tpackageId,\n\t\t\tid,\n\t\t\tservices,\n\t\t\tthreshold,\n\t\t\tencryptedShares,\n\t\t\tciphertext,\n\t\t}).toBytes(),\n\t\tkey: new Uint8Array(demKey),\n\t};\n}\n\nexport enum KemType {\n\tBonehFranklinBLS12381DemCCA = 0,\n}\n\nexport enum DemType {\n\tAesGcm256 = 0,\n\tHmac256Ctr = 1,\n}\n\nfunction encryptBatched(\n\tkeyServers: KeyServer[],\n\tkemType: KemType,\n\tid: Uint8Array,\n\tshares: Share[],\n\tbaseKey: Uint8Array,\n\tthreshold: number,\n): typeof IBEEncryptions.$inferType {\n\tswitch (kemType) {\n\t\tcase KemType.BonehFranklinBLS12381DemCCA:\n\t\t\treturn new BonehFranklinBLS12381Services(keyServers).encryptBatched(\n\t\t\t\tid,\n\t\t\t\tshares,\n\t\t\t\tbaseKey,\n\t\t\t\tthreshold,\n\t\t\t);\n\t\tdefault:\n\t\t\tthrow new Error(`Invalid KEM type ${kemType}`);\n\t}\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAAwB;AAGxB,IAAAA,cAAgC;AAEhC,mBAA0B;AAC1B,iBAA8C;AAC9C,iBAAsC;AAEtC,mBAAqC;AAErC,oBAAsB;AActB,eAAsB,QAAQ;AAAA,EAC7B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACD,GAUG;AAEF,MACC,aAAa,KACb,aAAa,uBACb,WAAW,SAAS,aACpB,WAAW,UAAU,qBACpB;AACD,UAAM,IAAI;AAAA,MACT,oCAAoC,SAAS,QAAQ,WAAW,MAAM,4BAA4B,SAAS;AAAA,IAC5G;AAAA,EACD;AAGA,QAAM,UAAU,MAAM,gBAAgB,YAAY;AAGlD,QAAM,aAAS,qBAAM,SAAS,WAAW,WAAW,MAAM;AAG1D,QAAM,aAAS,2BAAa,WAAW,EAAE;AACzC,QAAM,kBAAkB;AAAA,IACvB;AAAA,IACA;AAAA,QACA,oBAAQ,MAAM;AAAA,IACd;AAAA,IACA;AAAA,IACA;AAAA,EACD;AAGA,QAAM,aAAS;AAAA,IACd,sBAAW;AAAA,IACX;AAAA,IACA,gBAAgB,sBAAsB;AAAA,IACtC;AAAA,IACA,WAAW,IAAI,CAAC,EAAE,SAAS,MAAM,QAAQ;AAAA,EAC1C;AACA,QAAM,aAAa,MAAM,gBAAgB,QAAQ,MAAM;AAGvD,QAAM,WAA+B,WAAW,IAAI,CAAC,EAAE,SAAS,GAAG,MAAM;AAAA,IACxE;AAAA,IACA,OAAO,CAAC,EAAE;AAAA,EACX,CAAC;AAED,SAAO;AAAA,IACN,iBAAiB,4BAAgB,UAAU;AAAA,MAC1C,SAAS;AAAA,MACT;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACD,CAAC,EAAE,QAAQ;AAAA,IACX,KAAK,IAAI,WAAW,MAAM;AAAA,EAC3B;AACD;AAEO,IAAK,UAAL,kBAAKC,aAAL;AACN,EAAAA,kBAAA,iCAA8B,KAA9B;AADW,SAAAA;AAAA,GAAA;AAIL,IAAK,UAAL,kBAAKC,aAAL;AACN,EAAAA,kBAAA,eAAY,KAAZ;AACA,EAAAA,kBAAA,gBAAa,KAAb;AAFW,SAAAA;AAAA,GAAA;AAKZ,SAAS,eACR,YACA,SACA,IACA,QACA,SACA,WACmC;AACnC,UAAQ,SAAS;AAAA,IAChB,KAAK;AACJ,aAAO,IAAI,yCAA8B,UAAU,EAAE;AAAA,QACpD;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACD;AAAA,IACD;AACC,YAAM,IAAI,MAAM,oBAAoB,OAAO,EAAE;AAAA,EAC/C;AACD;",
+  "names": ["import_bcs", "KemType", "DemType"]
+}

package/dist/cjs/error.d.ts

@@ -0,0 +1,86 @@
+export declare class SealError extends Error {
+}
+export declare class UserError extends SealError {
+}
+export declare class SealAPIError extends SealError {
+    #private;
+    requestId?: string | undefined;
+    status?: number | undefined;
+    constructor(message: string, requestId?: string | undefined, status?: number | undefined);
+    static assertResponse(response: Response, requestId: string): Promise<void>;
+}
+export declare class InvalidPTBError extends SealAPIError {
+    constructor(requestId?: string, message?: string);
+}
+export declare class InvalidPackageError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidParameterError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidUserSignatureError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidSessionKeySignatureError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidMVRNameError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the requested key server object id is invalid */
+export declare class InvalidKeyServerObjectIdError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the requested package id is not supported (i.e., key server is running in Permissioned mode) */
+export declare class UnsupportedPackageIdError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidSDKVersionError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class InvalidSDKTypeError extends SealAPIError {
+    constructor(requestId?: string);
+}
+export declare class DeprecatedSDKVersionError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the user does not have access to one or more of the requested keys */
+export declare class NoAccessError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Server error indicating that the session key has expired */
+export declare class ExpiredSessionKeyError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** Internal server error, caller should retry */
+export declare class InternalError extends SealAPIError {
+    constructor(requestId?: string);
+}
+/** General server errors that are not specific to the Seal API (e.g., 404 "Not Found") */
+export declare class GeneralError extends SealAPIError {
+}
+export declare class InvalidPersonalMessageSignatureError extends UserError {
+}
+export declare class InvalidGetObjectError extends UserError {
+}
+export declare class UnsupportedFeatureError extends UserError {
+}
+export declare class UnsupportedNetworkError extends UserError {
+}
+export declare class InvalidKeyServerError extends UserError {
+}
+export declare class InvalidKeyServerVersionError extends UserError {
+}
+export declare class InvalidCiphertextError extends UserError {
+}
+export declare class InvalidThresholdError extends UserError {
+}
+export declare class InconsistentKeyServersError extends UserError {
+}
+export declare class DecryptionError extends UserError {
+}
+export declare class InvalidClientOptionsError extends UserError {
+}
+export declare class TooManyFailedFetchKeyRequestsError extends UserError {
+}
+export declare function toMajorityError(errors: Error[]): Error;

package/dist/cjs/error.js

@@ -0,0 +1,239 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method);
+var error_exports = {};
+__export(error_exports, {
+  DecryptionError: () => DecryptionError,
+  DeprecatedSDKVersionError: () => DeprecatedSDKVersionError,
+  ExpiredSessionKeyError: () => ExpiredSessionKeyError,
+  GeneralError: () => GeneralError,
+  InconsistentKeyServersError: () => InconsistentKeyServersError,
+  InternalError: () => InternalError,
+  InvalidCiphertextError: () => InvalidCiphertextError,
+  InvalidClientOptionsError: () => InvalidClientOptionsError,
+  InvalidGetObjectError: () => InvalidGetObjectError,
+  InvalidKeyServerError: () => InvalidKeyServerError,
+  InvalidKeyServerObjectIdError: () => InvalidKeyServerObjectIdError,
+  InvalidKeyServerVersionError: () => InvalidKeyServerVersionError,
+  InvalidMVRNameError: () => InvalidMVRNameError,
+  InvalidPTBError: () => InvalidPTBError,
+  InvalidPackageError: () => InvalidPackageError,
+  InvalidParameterError: () => InvalidParameterError,
+  InvalidPersonalMessageSignatureError: () => InvalidPersonalMessageSignatureError,
+  InvalidSDKTypeError: () => InvalidSDKTypeError,
+  InvalidSDKVersionError: () => InvalidSDKVersionError,
+  InvalidSessionKeySignatureError: () => InvalidSessionKeySignatureError,
+  InvalidThresholdError: () => InvalidThresholdError,
+  InvalidUserSignatureError: () => InvalidUserSignatureError,
+  NoAccessError: () => NoAccessError,
+  SealAPIError: () => SealAPIError,
+  SealError: () => SealError,
+  TooManyFailedFetchKeyRequestsError: () => TooManyFailedFetchKeyRequestsError,
+  UnsupportedFeatureError: () => UnsupportedFeatureError,
+  UnsupportedNetworkError: () => UnsupportedNetworkError,
+  UnsupportedPackageIdError: () => UnsupportedPackageIdError,
+  UserError: () => UserError,
+  toMajorityError: () => toMajorityError
+});
+module.exports = __toCommonJS(error_exports);
+var _SealAPIError_static, generate_fn;
+class SealError extends Error {
+}
+class UserError extends SealError {
+}
+const _SealAPIError = class _SealAPIError extends SealError {
+  constructor(message, requestId, status) {
+    super(message);
+    this.requestId = requestId;
+    this.status = status;
+  }
+  static async assertResponse(response, requestId) {
+    var _a;
+    if (response.ok) {
+      return;
+    }
+    let errorInstance;
+    try {
+      const text = await response.text();
+      const error = JSON.parse(text)["error"];
+      const message = JSON.parse(text)["message"];
+      errorInstance = __privateMethod(_a = _SealAPIError, _SealAPIError_static, generate_fn).call(_a, error, message, requestId);
+    } catch {
+      errorInstance = new GeneralError(response.statusText, requestId, response.status);
+    }
+    throw errorInstance;
+  }
+};
+_SealAPIError_static = new WeakSet();
+generate_fn = function(error, message, requestId, status) {
+  switch (error) {
+    case "InvalidPTB":
+      return new InvalidPTBError(requestId, message);
+    case "InvalidPackage":
+      return new InvalidPackageError(requestId);
+    case "NoAccess":
+      return new NoAccessError(requestId);
+    case "InvalidSignature":
+      return new InvalidUserSignatureError(requestId);
+    case "InvalidSessionSignature":
+      return new InvalidSessionKeySignatureError(requestId);
+    case "InvalidCertificate":
+      return new ExpiredSessionKeyError(requestId);
+    case "InvalidSDKVersion":
+      return new InvalidSDKVersionError(requestId);
+    case "InvalidSDKType":
+      return new InvalidSDKTypeError(requestId);
+    case "DeprecatedSDKVersion":
+      return new DeprecatedSDKVersionError(requestId);
+    case "InvalidParameter":
+      return new InvalidParameterError(requestId);
+    case "InvalidMVRName":
+      return new InvalidMVRNameError(requestId);
+    case "InvalidServiceId":
+      return new InvalidKeyServerObjectIdError(requestId);
+    case "UnsupportedPackageId":
+      return new UnsupportedPackageIdError(requestId);
+    case "Failure":
+      return new InternalError(requestId);
+    default:
+      return new GeneralError(message, requestId, status);
+  }
+};
+__privateAdd(_SealAPIError, _SealAPIError_static);
+let SealAPIError = _SealAPIError;
+class InvalidPTBError extends SealAPIError {
+  constructor(requestId, message) {
+    super("PTB does not conform to the expected format " + message, requestId);
+  }
+}
+class InvalidPackageError extends SealAPIError {
+  constructor(requestId) {
+    super("Package ID used in PTB is invalid", requestId);
+  }
+}
+class InvalidParameterError extends SealAPIError {
+  constructor(requestId) {
+    super(
+      "PTB contains an invalid parameter, possibly a newly created object that the FN has not yet seen",
+      requestId
+    );
+  }
+}
+class InvalidUserSignatureError extends SealAPIError {
+  constructor(requestId) {
+    super("User signature on the session key is invalid", requestId);
+  }
+}
+class InvalidSessionKeySignatureError extends SealAPIError {
+  constructor(requestId) {
+    super("Session key signature is invalid", requestId);
+  }
+}
+class InvalidMVRNameError extends SealAPIError {
+  constructor(requestId) {
+    super("MVR name is invalid or not consistent with the first version of the package", requestId);
+  }
+}
+class InvalidKeyServerObjectIdError extends SealAPIError {
+  constructor(requestId) {
+    super("Key server object ID is invalid", requestId);
+  }
+}
+class UnsupportedPackageIdError extends SealAPIError {
+  constructor(requestId) {
+    super("Requested package is not supported", requestId);
+  }
+}
+class InvalidSDKVersionError extends SealAPIError {
+  constructor(requestId) {
+    super("SDK version is invalid", requestId);
+  }
+}
+class InvalidSDKTypeError extends SealAPIError {
+  constructor(requestId) {
+    super("SDK type is invalid", requestId);
+  }
+}
+class DeprecatedSDKVersionError extends SealAPIError {
+  constructor(requestId) {
+    super("SDK version is deprecated", requestId);
+  }
+}
+class NoAccessError extends SealAPIError {
+  constructor(requestId) {
+    super("User does not have access to one or more of the requested keys", requestId);
+  }
+}
+class ExpiredSessionKeyError extends SealAPIError {
+  constructor(requestId) {
+    super("Session key has expired", requestId);
+  }
+}
+class InternalError extends SealAPIError {
+  constructor(requestId) {
+    super("Internal server error, caller should retry", requestId);
+  }
+}
+class GeneralError extends SealAPIError {
+}
+class InvalidPersonalMessageSignatureError extends UserError {
+}
+class InvalidGetObjectError extends UserError {
+}
+class UnsupportedFeatureError extends UserError {
+}
+class UnsupportedNetworkError extends UserError {
+}
+class InvalidKeyServerError extends UserError {
+}
+class InvalidKeyServerVersionError extends UserError {
+}
+class InvalidCiphertextError extends UserError {
+}
+class InvalidThresholdError extends UserError {
+}
+class InconsistentKeyServersError extends UserError {
+}
+class DecryptionError extends UserError {
+}
+class InvalidClientOptionsError extends UserError {
+}
+class TooManyFailedFetchKeyRequestsError extends UserError {
+}
+function toMajorityError(errors) {
+  let maxCount = 0;
+  let majorityError = errors[0];
+  const counts = /* @__PURE__ */ new Map();
+  for (const error of errors) {
+    const errorName = error.constructor.name;
+    const newCount = (counts.get(errorName) || 0) + 1;
+    counts.set(errorName, newCount);
+    if (newCount > maxCount) {
+      maxCount = newCount;
+      majorityError = error;
+    }
+  }
+  return majorityError;
+}
+//# sourceMappingURL=error.js.map

package/dist/cjs/error.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/error.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport class SealError extends Error {}\n\nexport class UserError extends SealError {}\n\n// Errors returned by the Seal server\nexport class SealAPIError extends SealError {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic requestId?: string,\n\t\tpublic status?: number,\n\t) {\n\t\tsuper(message);\n\t}\n\n\tstatic #generate(error: string, message: string, requestId: string, status?: number) {\n\t\tswitch (error) {\n\t\t\tcase 'InvalidPTB':\n\t\t\t\treturn new InvalidPTBError(requestId, message);\n\t\t\tcase 'InvalidPackage':\n\t\t\t\treturn new InvalidPackageError(requestId);\n\t\t\tcase 'NoAccess':\n\t\t\t\treturn new NoAccessError(requestId);\n\t\t\tcase 'InvalidSignature':\n\t\t\t\treturn new InvalidUserSignatureError(requestId);\n\t\t\tcase 'InvalidSessionSignature':\n\t\t\t\treturn new InvalidSessionKeySignatureError(requestId);\n\t\t\tcase 'InvalidCertificate':\n\t\t\t\treturn new ExpiredSessionKeyError(requestId);\n\t\t\tcase 'InvalidSDKVersion':\n\t\t\t\treturn new InvalidSDKVersionError(requestId);\n\t\t\tcase 'InvalidSDKType':\n\t\t\t\treturn new InvalidSDKTypeError(requestId);\n\t\t\tcase 'DeprecatedSDKVersion':\n\t\t\t\treturn new DeprecatedSDKVersionError(requestId);\n\t\t\tcase 'InvalidParameter':\n\t\t\t\treturn new InvalidParameterError(requestId);\n\t\t\tcase 'InvalidMVRName':\n\t\t\t\treturn new InvalidMVRNameError(requestId);\n\t\t\tcase 'InvalidServiceId':\n\t\t\t\treturn new InvalidKeyServerObjectIdError(requestId);\n\t\t\tcase 'UnsupportedPackageId':\n\t\t\t\treturn new UnsupportedPackageIdError(requestId);\n\t\t\tcase 'Failure':\n\t\t\t\treturn new InternalError(requestId);\n\t\t\tdefault:\n\t\t\t\treturn new GeneralError(message, requestId, status);\n\t\t}\n\t}\n\n\tstatic async assertResponse(response: Response, requestId: string) {\n\t\tif (response.ok) {\n\t\t\treturn;\n\t\t}\n\t\tlet errorInstance: SealAPIError;\n\t\ttry {\n\t\t\tconst text = await response.text();\n\t\t\tconst error = JSON.parse(text)['error'];\n\t\t\tconst message = JSON.parse(text)['message'];\n\t\t\terrorInstance = SealAPIError.#generate(error, message, requestId);\n\t\t} catch {\n\t\t\t// If we can't parse the response as JSON or if it doesn't have the expected format,\n\t\t\t// fall back to using the status text\n\t\t\terrorInstance = new GeneralError(response.statusText, requestId, response.status);\n\t\t}\n\t\tthrow errorInstance;\n\t}\n}\n\n// Errors returned by the Seal server that indicate that the PTB is invalid\n\nexport class InvalidPTBError extends SealAPIError {\n\tconstructor(requestId?: string, message?: string) {\n\t\tsuper('PTB does not conform to the expected format ' + message, requestId);\n\t}\n}\n\nexport class InvalidPackageError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Package ID used in PTB is invalid', requestId);\n\t}\n}\n\nexport class InvalidParameterError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper(\n\t\t\t'PTB contains an invalid parameter, possibly a newly created object that the FN has not yet seen',\n\t\t\trequestId,\n\t\t);\n\t}\n}\n\n// Errors returned by the Seal server that indicate that the user's signature is invalid\n\nexport class InvalidUserSignatureError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('User signature on the session key is invalid', requestId);\n\t}\n}\n\nexport class InvalidSessionKeySignatureError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Session key signature is invalid', requestId);\n\t}\n}\n\nexport class InvalidMVRNameError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('MVR name is invalid or not consistent with the first version of the package', requestId);\n\t}\n}\n\n/** Server error indicating that the requested key server object id is invalid */\nexport class InvalidKeyServerObjectIdError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Key server object ID is invalid', requestId);\n\t}\n}\n\n/** Server error indicating that the requested package id is not supported (i.e., key server is running in Permissioned mode) */\nexport class UnsupportedPackageIdError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Requested package is not supported', requestId);\n\t}\n}\n\n// Errors returned by the Seal server that indicate that the SDK version is invalid (implying that HTTP headers used by the SDK are being removed) or deprecated (implying that the SDK should be upgraded).\n\nexport class InvalidSDKVersionError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('SDK version is invalid', requestId);\n\t}\n}\n\nexport class InvalidSDKTypeError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('SDK type is invalid', requestId);\n\t}\n}\n\nexport class DeprecatedSDKVersionError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('SDK version is deprecated', requestId);\n\t}\n}\n\n/** Server error indicating that the user does not have access to one or more of the requested keys */\nexport class NoAccessError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('User does not have access to one or more of the requested keys', requestId);\n\t}\n}\n\n/** Server error indicating that the session key has expired */\nexport class ExpiredSessionKeyError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Session key has expired', requestId);\n\t}\n}\n\n/** Internal server error, caller should retry */\nexport class InternalError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Internal server error, caller should retry', requestId);\n\t}\n}\n\n/** General server errors that are not specific to the Seal API (e.g., 404 \"Not Found\") */\nexport class GeneralError extends SealAPIError {}\n\n// Errors returned by the SDK\nexport class InvalidPersonalMessageSignatureError extends UserError {}\nexport class InvalidGetObjectError extends UserError {}\nexport class UnsupportedFeatureError extends UserError {}\nexport class UnsupportedNetworkError extends UserError {}\nexport class InvalidKeyServerError extends UserError {}\nexport class InvalidKeyServerVersionError extends UserError {}\nexport class InvalidCiphertextError extends UserError {}\nexport class InvalidThresholdError extends UserError {}\nexport class InconsistentKeyServersError extends UserError {}\nexport class DecryptionError extends UserError {}\nexport class InvalidClientOptionsError extends UserError {}\nexport class TooManyFailedFetchKeyRequestsError extends UserError {}\n\nexport function toMajorityError(errors: Error[]): Error {\n\tlet maxCount = 0;\n\tlet majorityError = errors[0];\n\tconst counts = new Map<string, number>();\n\tfor (const error of errors) {\n\t\tconst errorName = error.constructor.name;\n\t\tconst newCount = (counts.get(errorName) || 0) + 1;\n\t\tcounts.set(errorName, newCount);\n\n\t\tif (newCount > maxCount) {\n\t\t\tmaxCount = newCount;\n\t\t\tmajorityError = error;\n\t\t}\n\t}\n\n\treturn majorityError;\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGO,MAAM,kBAAkB,MAAM;AAAC;AAE/B,MAAM,kBAAkB,UAAU;AAAC;AAGnC,MAAM,gBAAN,MAAM,sBAAqB,UAAU;AAAA,EAC3C,YACC,SACO,WACA,QACN;AACD,UAAM,OAAO;AAHN;AACA;AAAA,EAGR;AAAA,EAqCA,aAAa,eAAe,UAAoB,WAAmB;AApDpE;AAqDE,QAAI,SAAS,IAAI;AAChB;AAAA,IACD;AACA,QAAI;AACJ,QAAI;AACH,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,YAAM,QAAQ,KAAK,MAAM,IAAI,EAAE,OAAO;AACtC,YAAM,UAAU,KAAK,MAAM,IAAI,EAAE,SAAS;AAC1C,sBAAgB,oCAAa,mCAAb,SAAuB,OAAO,SAAS;AAAA,IACxD,QAAQ;AAGP,sBAAgB,IAAI,aAAa,SAAS,YAAY,WAAW,SAAS,MAAM;AAAA,IACjF;AACA,UAAM;AAAA,EACP;AACD;AA7DO;AASC,cAAS,SAAC,OAAe,SAAiB,WAAmB,QAAiB;AACpF,UAAQ,OAAO;AAAA,IACd,KAAK;AACJ,aAAO,IAAI,gBAAgB,WAAW,OAAO;AAAA,IAC9C,KAAK;AACJ,aAAO,IAAI,oBAAoB,SAAS;AAAA,IACzC,KAAK;AACJ,aAAO,IAAI,cAAc,SAAS;AAAA,IACnC,KAAK;AACJ,aAAO,IAAI,0BAA0B,SAAS;AAAA,IAC/C,KAAK;AACJ,aAAO,IAAI,gCAAgC,SAAS;AAAA,IACrD,KAAK;AACJ,aAAO,IAAI,uBAAuB,SAAS;AAAA,IAC5C,KAAK;AACJ,aAAO,IAAI,uBAAuB,SAAS;AAAA,IAC5C,KAAK;AACJ,aAAO,IAAI,oBAAoB,SAAS;AAAA,IACzC,KAAK;AACJ,aAAO,IAAI,0BAA0B,SAAS;AAAA,IAC/C,KAAK;AACJ,aAAO,IAAI,sBAAsB,SAAS;AAAA,IAC3C,KAAK;AACJ,aAAO,IAAI,oBAAoB,SAAS;AAAA,IACzC,KAAK;AACJ,aAAO,IAAI,8BAA8B,SAAS;AAAA,IACnD,KAAK;AACJ,aAAO,IAAI,0BAA0B,SAAS;AAAA,IAC/C,KAAK;AACJ,aAAO,IAAI,cAAc,SAAS;AAAA,IACnC;AACC,aAAO,IAAI,aAAa,SAAS,WAAW,MAAM;AAAA,EACpD;AACD;AA1CM,aAAM,eAAN;AAAA,IAAM,eAAN;AAiEA,MAAM,wBAAwB,aAAa;AAAA,EACjD,YAAY,WAAoB,SAAkB;AACjD,UAAM,iDAAiD,SAAS,SAAS;AAAA,EAC1E;AACD;AAEO,MAAM,4BAA4B,aAAa;AAAA,EACrD,YAAY,WAAoB;AAC/B,UAAM,qCAAqC,SAAS;AAAA,EACrD;AACD;AAEO,MAAM,8BAA8B,aAAa;AAAA,EACvD,YAAY,WAAoB;AAC/B;AAAA,MACC;AAAA,MACA;AAAA,IACD;AAAA,EACD;AACD;AAIO,MAAM,kCAAkC,aAAa;AAAA,EAC3D,YAAY,WAAoB;AAC/B,UAAM,gDAAgD,SAAS;AAAA,EAChE;AACD;AAEO,MAAM,wCAAwC,aAAa;AAAA,EACjE,YAAY,WAAoB;AAC/B,UAAM,oCAAoC,SAAS;AAAA,EACpD;AACD;AAEO,MAAM,4BAA4B,aAAa;AAAA,EACrD,YAAY,WAAoB;AAC/B,UAAM,+EAA+E,SAAS;AAAA,EAC/F;AACD;AAGO,MAAM,sCAAsC,aAAa;AAAA,EAC/D,YAAY,WAAoB;AAC/B,UAAM,mCAAmC,SAAS;AAAA,EACnD;AACD;AAGO,MAAM,kCAAkC,aAAa;AAAA,EAC3D,YAAY,WAAoB;AAC/B,UAAM,sCAAsC,SAAS;AAAA,EACtD;AACD;AAIO,MAAM,+BAA+B,aAAa;AAAA,EACxD,YAAY,WAAoB;AAC/B,UAAM,0BAA0B,SAAS;AAAA,EAC1C;AACD;AAEO,MAAM,4BAA4B,aAAa;AAAA,EACrD,YAAY,WAAoB;AAC/B,UAAM,uBAAuB,SAAS;AAAA,EACvC;AACD;AAEO,MAAM,kCAAkC,aAAa;AAAA,EAC3D,YAAY,WAAoB;AAC/B,UAAM,6BAA6B,SAAS;AAAA,EAC7C;AACD;AAGO,MAAM,sBAAsB,aAAa;AAAA,EAC/C,YAAY,WAAoB;AAC/B,UAAM,kEAAkE,SAAS;AAAA,EAClF;AACD;AAGO,MAAM,+BAA+B,aAAa;AAAA,EACxD,YAAY,WAAoB;AAC/B,UAAM,2BAA2B,SAAS;AAAA,EAC3C;AACD;AAGO,MAAM,sBAAsB,aAAa;AAAA,EAC/C,YAAY,WAAoB;AAC/B,UAAM,8CAA8C,SAAS;AAAA,EAC9D;AACD;AAGO,MAAM,qBAAqB,aAAa;AAAC;AAGzC,MAAM,6CAA6C,UAAU;AAAC;AAC9D,MAAM,8BAA8B,UAAU;AAAC;AAC/C,MAAM,gCAAgC,UAAU;AAAC;AACjD,MAAM,gCAAgC,UAAU;AAAC;AACjD,MAAM,8BAA8B,UAAU;AAAC;AAC/C,MAAM,qCAAqC,UAAU;AAAC;AACtD,MAAM,+BAA+B,UAAU;AAAC;AAChD,MAAM,8BAA8B,UAAU;AAAC;AAC/C,MAAM,oCAAoC,UAAU;AAAC;AACrD,MAAM,wBAAwB,UAAU;AAAC;AACzC,MAAM,kCAAkC,UAAU;AAAC;AACnD,MAAM,2CAA2C,UAAU;AAAC;AAE5D,SAAS,gBAAgB,QAAwB;AACvD,MAAI,WAAW;AACf,MAAI,gBAAgB,OAAO,CAAC;AAC5B,QAAM,SAAS,oBAAI,IAAoB;AACvC,aAAW,SAAS,QAAQ;AAC3B,UAAM,YAAY,MAAM,YAAY;AACpC,UAAM,YAAY,OAAO,IAAI,SAAS,KAAK,KAAK;AAChD,WAAO,IAAI,WAAW,QAAQ;AAE9B,QAAI,WAAW,UAAU;AACxB,iBAAW;AACX,sBAAgB;AAAA,IACjB;AAAA,EACD;AAEA,SAAO;AACR;",
+  "names": []
+}

package/dist/cjs/ibe.d.ts

@@ -0,0 +1,98 @@
+import type { IBEEncryptions } from './bcs.js';
+import type { G1Element } from './bls12381.js';
+import { G2Element } from './bls12381.js';
+import type { KeyServer } from './key-server.js';
+import type { Share } from './shamir.js';
+/**
+ * The domain separation tag for the signing proof of possession.
+ */
+export declare const DST_POP: Uint8Array;
+/**
+ * The interface for the key servers.
+ */
+export declare abstract class IBEServers {
+    objectIds: string[];
+    constructor(objectIds: string[]);
+    /**
+     * Encrypt a batch of messages for the given identity.
+     *
+     * @param id The identity.
+     * @param msgAndIndices The messages and the corresponding indices of the share being encrypted.
+     * @returns The encrypted messages.
+     */
+    abstract encryptBatched(id: Uint8Array, shares: Share[], baseKey: Uint8Array, threshold: number): typeof IBEEncryptions.$inferType;
+}
+/**
+ * Identity-based encryption based on the Boneh-Franklin IBE scheme (https://eprint.iacr.org/2001/090).
+ * Note that this implementation is of the "BasicIdent" protocol which on its own is not CCA secure, so this IBE implementation should not be used on its own.
+ *
+ * This object represents a set of key servers that can be used to encrypt messages for a given identity.
+ */
+export declare class BonehFranklinBLS12381Services extends IBEServers {
+    readonly publicKeys: G2Element[];
+    constructor(services: KeyServer[]);
+    encryptBatched(id: Uint8Array, shares: Share[], baseKey: Uint8Array, threshold: number): typeof IBEEncryptions.$inferType;
+    /**
+     * Returns true if the user secret key is valid for the given public key and id.
+     * @param user_secret_key - The user secret key.
+     * @param id - The identity.
+     * @param public_key - The public key.
+     * @returns True if the user secret key is valid for the given public key and id.
+     */
+    static verifyUserSecretKey(userSecretKey: G1Element, id: string, publicKey: G2Element): boolean;
+    /**
+     * Identity-based decryption.
+     *
+     * @param nonce The encryption nonce.
+     * @param sk The user secret key.
+     * @param ciphertext The encrypted message.
+     * @param id The identity.
+     * @param [objectId, index] The object id and index of the share.
+     * @returns The decrypted message.
+     */
+    static decrypt(nonce: G2Element, sk: G1Element, ciphertext: Uint8Array, id: Uint8Array, [objectId, index]: [string, number]): Uint8Array;
+    /**
+     * Decrypt all shares and verify that the randomness was used to create the given nonce.
+     *
+     * @param randomness - The randomness.
+     * @param encryptedShares - The encrypted shares.
+     * @param services - The services.
+     * @param publicKeys - The public keys.
+     * @param nonce - The nonce.
+     * @param id - The id.
+     * @returns All decrypted shares.
+     */
+    static decryptAllSharesUsingRandomness(randomness: Uint8Array, encryptedShares: Uint8Array[], services: [string, number][], publicKeys: G2Element[], nonce: G2Element, id: Uint8Array): {
+        index: number;
+        share: Uint8Array;
+    }[];
+}
+/**
+ * Verify that the given randomness was used to crate the nonce.
+ * Throws an error if the given randomness is invalid (not a BLS scalar).
+ *
+ * @param randomness - The randomness.
+ * @param nonce - The nonce.
+ * @param useBE - Flag to indicate if BE encoding is used for the randomness. Defaults to true.
+ * @returns True if the randomness was used to create the nonce, false otherwise.
+ */
+export declare function verifyNonce(nonce: G2Element, randomness: Uint8Array, useBE?: boolean): boolean;
+/**
+ * Decrypt the randomness using a key.
+ *
+ * @param encrypted_randomness - The encrypted randomness.
+ * @param derived_key - The derived key.
+ * @returns The randomness. Returns both the scalar interpreted in big-endian and little-endian encoding.
+ */
+export declare function decryptRandomness(encryptedRandomness: Uint8Array, randomnessKey: Uint8Array): Uint8Array;
+/**
+ * Verify that the given randomness was used to crate the nonce.
+ * Check using both big-endian and little-endian encoding of the randomness.
+ *
+ * Throws an error if the nonce check doesn't pass using LE encoding _and_ the randomness is invalid as a BE encoded scalar.
+ *
+ * @param randomness - The randomness.
+ * @param nonce - The nonce.
+ * @returns True if the randomness was used to create the nonce using either LE or BE encoding, false otherwise.
+ */
+export declare function verifyNonceWithLE(nonce: G2Element, randomness: Uint8Array): boolean;