@iicp/client 0.7.36 → 0.7.38
- package/README.md +24 -0
- package/dist/backends/base.d.ts +8 -0
- package/dist/backends/base.d.ts.map +1 -1
- package/dist/backends/base.js +144 -2
- package/dist/backends/base.js.map +1 -1
- package/dist/cli.d.ts +11 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +518 -2
- package/dist/cli.js.map +1 -1
- package/dist/delegation.d.ts +13 -0
- package/dist/delegation.d.ts.map +1 -1
- package/dist/delegation.js +19 -0
- package/dist/delegation.js.map +1 -1
- package/dist/identity.d.ts +34 -0
- package/dist/identity.d.ts.map +1 -1
- package/dist/identity.js +79 -2
- package/dist/identity.js.map +1 -1
- package/dist/iicp_tcp.d.ts +8 -0
- package/dist/iicp_tcp.d.ts.map +1 -1
- package/dist/iicp_tcp.js +9 -0
- package/dist/iicp_tcp.js.map +1 -1
- package/dist/nat_detection.d.ts.map +1 -1
- package/dist/nat_detection.js +24 -0
- package/dist/nat_detection.js.map +1 -1
- package/dist/node.d.ts +14 -0
- package/dist/node.d.ts.map +1 -1
- package/dist/node.js +0 -0
- package/dist/node.js.map +1 -1
- package/dist/operator_crypto.d.ts +32 -0
- package/dist/operator_crypto.d.ts.map +1 -0
- package/dist/operator_crypto.js +78 -0
- package/dist/operator_crypto.js.map +1 -0
- package/package.json +1 -1
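--- a/package/dist/operator_crypto.js
+++ b/package/dist/operator_crypto.js
@@ -0,0 +1,78 @@
+"use strict";
+// SPDX-License-Identifier: Apache-2.0
+/**
+* #460 — at-rest encryption of the operator secret (ed25519 seed) in `operator.json`.
+*
+* The operator_secret is the private key behind the operator_id; by default it is stored as
+* plaintext base64 in a 0600 file. An operator may opt in to passphrase encryption: the seed
+* is sealed with AES-256-GCM, the key derived from the passphrase with PBKDF2-HMAC-SHA256
+* (OWASP-2023 iteration count). Both primitives are Node built-ins (`node:crypto`) — no new
+* dependency, so this never trips the third-party due-diligence gate (TC-11).
+*
+* The encrypted record byte-shape is identical across the Python/TS/Rust SDKs — a file sealed
+* by one opens in another given the passphrase (pinned by a cross-language KAT). The
+* operator_id is bound as AES-GCM additional authenticated data (AAD): a sealed seed cannot be
+* transplanted onto a different identity. Unlock is headless via `$IICP_OPERATOR_PASSPHRASE`.
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ENV_PASSPHRASE = exports.PBKDF2_ITERATIONS = void 0;
+exports.encryptSeed = encryptSeed;
+exports.decryptSeed = decryptSeed;
+exports.passphraseFromEnv = passphraseFromEnv;
+const node_crypto_1 = require("node:crypto");
+/** OWASP 2023 minimum for PBKDF2-HMAC-SHA256. Stored in the record so it can be raised later. */
+exports.PBKDF2_ITERATIONS = 600000;
+const KDF = "pbkdf2-hmac-sha256";
+const VERSION = 1;
+exports.ENV_PASSPHRASE = "IICP_OPERATOR_PASSPHRASE";
+function deriveKey(passphrase, salt, iterations) {
+return (0, node_crypto_1.pbkdf2Sync)(Buffer.from(passphrase, "utf8"), salt, iterations, 32, "sha256");
+}
+/** Seal the raw 32-byte ed25519 seed (given as base64) under `passphrase`. operator_id is AAD. */
+function encryptSeed(passphrase, seedB64, operatorId) {
+if (!passphrase)
+throw new Error("passphrase must not be empty");
+const seed = Buffer.from(seedB64, "base64");
+const salt = (0, node_crypto_1.randomBytes)(16);
+const nonce = (0, node_crypto_1.randomBytes)(12);
+const key = deriveKey(passphrase, salt, exports.PBKDF2_ITERATIONS);
+const cipher = (0, node_crypto_1.createCipheriv)("aes-256-gcm", key, nonce);
+cipher.setAAD(Buffer.from(operatorId, "utf8"));
+const body = Buffer.concat([cipher.update(seed), cipher.final()]);
+const tag = cipher.getAuthTag();
+return {
+v: VERSION,
+kdf: KDF,
+iter: exports.PBKDF2_ITERATIONS,
+salt: salt.toString("base64"),
+nonce: nonce.toString("base64"),
+ct: Buffer.concat([body, tag]).toString("base64"),
+};
+}
+/** Open an encrypted record → base64 seed. Throws on wrong passphrase / tamper / wrong AAD. */
+function decryptSeed(passphrase, enc, operatorId) {
+if (enc.kdf !== KDF || enc.v !== VERSION) {
+throw new Error(`unsupported operator_secret_enc format: ${enc.kdf} v${enc.v}`);
+}
+const salt = Buffer.from(enc.salt, "base64");
+const nonce = Buffer.from(enc.nonce, "base64");
+const blob = Buffer.from(enc.ct, "base64");
+const body = blob.subarray(0, blob.length - 16);
+const tag = blob.subarray(blob.length - 16);
+const key = deriveKey(passphrase, salt, enc.iter);
+const decipher = (0, node_crypto_1.createDecipheriv)("aes-256-gcm", key, nonce);
+decipher.setAAD(Buffer.from(operatorId, "utf8"));
+decipher.setAuthTag(tag);
+try {
+const seed = Buffer.concat([decipher.update(body), decipher.final()]);
+return seed.toString("base64");
+}
+catch {
+throw new Error("operator secret decryption failed (wrong passphrase or corrupt file)");
+}
+}
+/** Headless unlock source — never an interactive prompt for a serving node. */
+function passphraseFromEnv() {
+return process.env[exports.ENV_PASSPHRASE] || undefined;
+}
+//# sourceMappingURL=operator_crypto.js.map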
@@ -0,0 +1 @@
1
+
{"version":3,"file":"operator_crypto.js","sourceRoot":"","sources":["../src/operator_crypto.ts"],"names":[],"mappings":";AAAA,sCAAsC;AACtC;;;;;;;;;;;;;GAaG;;;AAwBH,kCAkBC;AAGD,kCAmBC;AAGD,8CAEC;AAnED,6CAAwF;AAExF,iGAAiG;AACpF,QAAA,iBAAiB,GAAG,MAAM,CAAC;AACxC,MAAM,GAAG,GAAG,oBAAoB,CAAC;AACjC,MAAM,OAAO,GAAG,CAAC,CAAC;AACL,QAAA,cAAc,GAAG,0BAA0B,CAAC;AAWzD,SAAS,SAAS,CAAC,UAAkB,EAAE,IAAY,EAAE,UAAkB;IACrE,OAAO,IAAA,wBAAU,EAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;AACrF,CAAC;AAED,kGAAkG;AAClG,SAAgB,WAAW,CAAC,UAAkB,EAAE,OAAe,EAAE,UAAkB;IACjF,IAAI,CAAC,UAAU;QAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,KAAK,GAAG,IAAA,yBAAW,EAAC,EAAE,CAAC,CAAC;IAC9B,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,yBAAiB,CAAC,CAAC;IAC3D,MAAM,MAAM,GAAG,IAAA,4BAAc,EAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IACzD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAClE,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO;QACL,CAAC,EAAE,OAAO;QACV,GAAG,EAAE,GAAG;QACR,IAAI,EAAE,yBAAiB;QACvB,IAAI,EAAE,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC7B,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC/B,EAAE,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAClD,CAAC;AACJ,CAAC;AAED,+FAA+F;AAC/F,SAAgB,WAAW,CAAC,UAAkB,EAAE,GAAoB,EAAE,UAAkB;IACtF,IAAI,GAAG,CAAC,GAAG,KAAK,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,OAAO,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,2CAA2C,GAAG,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC3C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,IAAI,CAAC,MAAM,G
AAG,EAAE,CAAC,CAAC;IAChD,MAAM,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAC5C,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,IAAA,8BAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;IAC7D,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC;IACjD,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,sEAAsE,CAAC,CAAC;IAC1F,CAAC;AACH,CAAC;AAED,+EAA+E;AAC/E,SAAgB,iBAAiB;IAC/B,OAAO,OAAO,CAAC,GAAG,CAAC,sBAAc,CAAC,IAAI,SAAS,CAAC;AAClD,CAAC"}