@interop/minimal-cipher 7.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +27 -0
- package/README.md +220 -0
- package/dist/Cipher.d.ts +210 -0
- package/dist/Cipher.d.ts.map +1 -0
- package/dist/Cipher.js +313 -0
- package/dist/Cipher.js.map +1 -0
- package/dist/DecryptTransformer.d.ts +14 -0
- package/dist/DecryptTransformer.d.ts.map +1 -0
- package/dist/DecryptTransformer.js +125 -0
- package/dist/DecryptTransformer.js.map +1 -0
- package/dist/EncryptTransformer.d.ts +28 -0
- package/dist/EncryptTransformer.d.ts.map +1 -0
- package/dist/EncryptTransformer.js +94 -0
- package/dist/EncryptTransformer.js.map +1 -0
- package/dist/algorithms/a256gcm.d.ts +39 -0
- package/dist/algorithms/a256gcm.d.ts.map +1 -0
- package/dist/algorithms/a256gcm.js +101 -0
- package/dist/algorithms/a256gcm.js.map +1 -0
- package/dist/algorithms/aeskw.d.ts +5 -0
- package/dist/algorithms/aeskw.d.ts.map +1 -0
- package/dist/algorithms/aeskw.js +68 -0
- package/dist/algorithms/aeskw.js.map +1 -0
- package/dist/algorithms/c20p-browser.d.ts +51 -0
- package/dist/algorithms/c20p-browser.d.ts.map +1 -0
- package/dist/algorithms/c20p-browser.js +106 -0
- package/dist/algorithms/c20p-browser.js.map +1 -0
- package/dist/algorithms/c20p.d.ts +51 -0
- package/dist/algorithms/c20p.d.ts.map +1 -0
- package/dist/algorithms/c20p.js +110 -0
- package/dist/algorithms/c20p.js.map +1 -0
- package/dist/algorithms/ecdhkdf.d.ts +24 -0
- package/dist/algorithms/ecdhkdf.d.ts.map +1 -0
- package/dist/algorithms/ecdhkdf.js +76 -0
- package/dist/algorithms/ecdhkdf.js.map +1 -0
- package/dist/algorithms/fips.d.ts +8 -0
- package/dist/algorithms/fips.d.ts.map +1 -0
- package/dist/algorithms/fips.js +8 -0
- package/dist/algorithms/fips.js.map +1 -0
- package/dist/algorithms/p256.d.ts +24 -0
- package/dist/algorithms/p256.d.ts.map +1 -0
- package/dist/algorithms/p256.js +106 -0
- package/dist/algorithms/p256.js.map +1 -0
- package/dist/algorithms/recommended.d.ts +8 -0
- package/dist/algorithms/recommended.d.ts.map +1 -0
- package/dist/algorithms/recommended.js +8 -0
- package/dist/algorithms/recommended.js.map +1 -0
- package/dist/algorithms/x25519-helper-browser.d.ts +7 -0
- package/dist/algorithms/x25519-helper-browser.d.ts.map +1 -0
- package/dist/algorithms/x25519-helper-browser.js +25 -0
- package/dist/algorithms/x25519-helper-browser.js.map +1 -0
- package/dist/algorithms/x25519-helper.d.ts +7 -0
- package/dist/algorithms/x25519-helper.d.ts.map +1 -0
- package/dist/algorithms/x25519-helper.js +51 -0
- package/dist/algorithms/x25519-helper.js.map +1 -0
- package/dist/algorithms/x25519.d.ts +44 -0
- package/dist/algorithms/x25519.d.ts.map +1 -0
- package/dist/algorithms/x25519.js +112 -0
- package/dist/algorithms/x25519.js.map +1 -0
- package/dist/algorithms/xc20p.d.ts +40 -0
- package/dist/algorithms/xc20p.d.ts.map +1 -0
- package/dist/algorithms/xc20p.js +160 -0
- package/dist/algorithms/xc20p.js.map +1 -0
- package/dist/baseX.d.ts +7 -0
- package/dist/baseX.d.ts.map +1 -0
- package/dist/baseX.js +11 -0
- package/dist/baseX.js.map +1 -0
- package/dist/crypto.d.ts +3 -0
- package/dist/crypto.d.ts.map +1 -0
- package/dist/crypto.js +3 -0
- package/dist/crypto.js.map +1 -0
- package/dist/index.d.ts +5 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +5 -0
- package/dist/index.js.map +1 -0
- package/dist/types.d.ts +119 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +5 -0
- package/dist/types.js.map +1 -0
- package/dist/util.d.ts +2 -0
- package/dist/util.d.ts.map +1 -0
- package/dist/util.js +11 -0
- package/dist/util.js.map +1 -0
- package/package.json +99 -0
package/LICENSE
ADDED
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
Copyright (c) 2019-2020, Digital Bazaar, Inc.
|
|
2
|
+
All rights reserved.
|
|
3
|
+
|
|
4
|
+
Redistribution and use in source and binary forms, with or without
|
|
5
|
+
modification, are permitted provided that the following conditions are met:
|
|
6
|
+
|
|
7
|
+
* Redistributions of source code must retain the above copyright notice, this
|
|
8
|
+
list of conditions and the following disclaimer.
|
|
9
|
+
|
|
10
|
+
* Redistributions in binary form must reproduce the above copyright notice,
|
|
11
|
+
this list of conditions and the following disclaimer in the documentation
|
|
12
|
+
and/or other materials provided with the distribution.
|
|
13
|
+
|
|
14
|
+
* Neither the name of the copyright holder nor the names of its
|
|
15
|
+
contributors may be used to endorse or promote products derived from
|
|
16
|
+
this software without specific prior written permission.
|
|
17
|
+
|
|
18
|
+
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
19
|
+
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
20
|
+
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
21
|
+
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
|
|
22
|
+
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
23
|
+
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
24
|
+
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
|
|
25
|
+
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
|
26
|
+
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
27
|
+
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
package/README.md
ADDED
|
@@ -0,0 +1,220 @@
|
|
|
1
|
+
# Minimal Cipher _(@interop/minimal-cipher)_
|
|
2
|
+
|
|
3
|
+
Minimal encryption/decryption [JWE](https://tools.ietf.org/html/rfc7516)
|
|
4
|
+
library, secure algs only, browser-compatible.
|
|
5
|
+
|
|
6
|
+
## Table of Contents
|
|
7
|
+
|
|
8
|
+
- [Security](#security)
|
|
9
|
+
- [Background](#background)
|
|
10
|
+
- [Install](#install)
|
|
11
|
+
- [Usage](#usage)
|
|
12
|
+
- [Contribute](#contribute)
|
|
13
|
+
- [Commercial Support](#commercial-support)
|
|
14
|
+
- [License](#license)
|
|
15
|
+
|
|
16
|
+
## Security
|
|
17
|
+
|
|
18
|
+
TBD
|
|
19
|
+
|
|
20
|
+
## Background
|
|
21
|
+
|
|
22
|
+
Every version of this library will only offer at most two algorithms for
|
|
23
|
+
encryption/decryption: a recommended algorithm and a FIPS-compliant algorithm.
|
|
24
|
+
The encryption API will expect the user to specify "recommended" or "fips" as
|
|
25
|
+
the version of the algorithm to use, defaulting to "recommended".
|
|
26
|
+
|
|
27
|
+
In the event that the FIPS-compliant algorithm is the same as the recommended
|
|
28
|
+
one in a given version of this library, then that particular version will use
|
|
29
|
+
the same algorithm regardless of the user specified "version".
|
|
30
|
+
|
|
31
|
+
This version of the library will use "XChaCha20-Poly1305" as the "recommended"
|
|
32
|
+
version and 256-bit "AES-GCM" as the FIPS-compliant version.
|
|
33
|
+
|
|
34
|
+
Note: XSalsa20-Poly1305 is an AE (Authenticated Encryption) algorithm, not an
|
|
35
|
+
AEAD (Authenticated Encryption and Associated Data) algorithm, making it
|
|
36
|
+
incompatible with the current requirements for a
|
|
37
|
+
[JWE (JOSE Web Encryption)](https://tools.ietf.org/html/rfc7516) `protected`
|
|
38
|
+
clear text header.
|
|
39
|
+
|
|
40
|
+
This library's API requires an interface for Key Encryption Key (KEKs). This
|
|
41
|
+
enables key material that is protected from exfiltration to be used via HSM/SSM
|
|
42
|
+
APIs, including Web KMS (TODO: citation needed).
|
|
43
|
+
|
|
44
|
+
## Install
|
|
45
|
+
|
|
46
|
+
This software requires and supports maintained recent versions of Node.js and
|
|
47
|
+
browsers. Updates may remove support for older unmaintained platform versions.
|
|
48
|
+
Please use dependency version lock files and testing to ensure compatibility
|
|
49
|
+
with this software.
|
|
50
|
+
|
|
51
|
+
To install from NPM:
|
|
52
|
+
|
|
53
|
+
https://www.npmjs.com/package/@interop/minimal-cipher
|
|
54
|
+
|
|
55
|
+
```sh
|
|
56
|
+
npm install @interop/minimal-cipher
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
To install locally (for development):
|
|
60
|
+
|
|
61
|
+
```sh
|
|
62
|
+
git clone https://github.com/interop-alliance/minimal-cipher.git
|
|
63
|
+
cd minimal-cipher
|
|
64
|
+
pnpm install
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
This library is written in TypeScript and built with `tsc`. Common scripts:
|
|
68
|
+
|
|
69
|
+
```sh
|
|
70
|
+
pnpm run build # type-check and build to dist/
|
|
71
|
+
pnpm run lint # lint src and test
|
|
72
|
+
pnpm run test:node # run the Node test suite (vitest)
|
|
73
|
+
pnpm run test:browser # run the browser smoke test (playwright)
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
## Usage
|
|
77
|
+
|
|
78
|
+
Pick a Cipher interface (`recommended` or `fips`) and create an instance:
|
|
79
|
+
|
|
80
|
+
```js
|
|
81
|
+
import { Cipher } from '@interop/minimal-cipher'
|
|
82
|
+
|
|
83
|
+
const cipher = new Cipher() // by default {version: 'recommended'}
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
### Encrypting
|
|
87
|
+
|
|
88
|
+
To encrypt something (to create a cipher, serialized as a JWE JSON document),
|
|
89
|
+
you will need:
|
|
90
|
+
|
|
91
|
+
- Some data to encrypt (a string, an object, a stream)
|
|
92
|
+
- Keys (called Key Agreement Keys, or KAKs for short)
|
|
93
|
+
|
|
94
|
+
(You'll also need a `keyResolver`, more about that later.)
|
|
95
|
+
|
|
96
|
+
First, assemble your Key Agreement public keys (you'll be encrypting with them,
|
|
97
|
+
and the intended recipient will use the corresponding private keys to decrypt).
|
|
98
|
+
|
|
99
|
+
Put together a list of `recipients` (essentially, you're listing the `id`s of
|
|
100
|
+
public/private key pairs that will be used to encrypt/decrypt the message):
|
|
101
|
+
|
|
102
|
+
```js
|
|
103
|
+
// Retrieve them from config, a ledger, registry or back channel
|
|
104
|
+
const keyAgreementKey = await fetchFromSomewhere()
|
|
105
|
+
|
|
106
|
+
// or derive them from an existing Ed25519 signing key
|
|
107
|
+
import { X25519KeyAgreementKey2020 } from '@digitalbazaar/x25519-key-agreement-key-2020'
|
|
108
|
+
import { Ed25519VerificationKey2020 } from '@digitalbazaar/ed25519-verification-key-2020'
|
|
109
|
+
const keyPair = await Ed25519VerificationKey2020.generate()
|
|
110
|
+
|
|
111
|
+
const keyAgreementKey = X25519KeyPair.fromEd25519VerificationKey2020({
|
|
112
|
+
keyPair
|
|
113
|
+
})
|
|
114
|
+
// If the source key pair didn't have a controller set, don't forget to set one:
|
|
115
|
+
keyAgreementKey.controller = did // The controller's DID
|
|
116
|
+
keyAgreementKey.id = `${did}#${keyAgreementKey.fingerprint()}`
|
|
117
|
+
|
|
118
|
+
// or derive them from an authentication key extracted from DID Document
|
|
119
|
+
const didDoc = await veresDriver.get({ did })
|
|
120
|
+
const authnKey = didDoc.getVerificationMethod({
|
|
121
|
+
proofPurpose: 'authentication'
|
|
122
|
+
})
|
|
123
|
+
const edKeyPair = await Ed25519VerificationKey2020.from(authnKey)
|
|
124
|
+
const keyPair = X25519KeyPair.fromEd25519VerificationKey2020({ keyPair })
|
|
125
|
+
|
|
126
|
+
const recipient = {
|
|
127
|
+
header: {
|
|
128
|
+
kid: keyAgreementKey.id,
|
|
129
|
+
alg: 'ECDH-ES+A256KW'
|
|
130
|
+
}
|
|
131
|
+
}
|
|
132
|
+
|
|
133
|
+
const recipients = [recipient]
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
You'll also need a `keyResolver`. Notice that `recipients` lists only key IDs,
|
|
137
|
+
not the keys themselves. A `keyResolver` is a function that accepts a key ID and
|
|
138
|
+
resolves to the public key corresponding to it.
|
|
139
|
+
|
|
140
|
+
Some example resolvers:
|
|
141
|
+
|
|
142
|
+
```js
|
|
143
|
+
// Basic hardcoded key resolver; you already have the key material
|
|
144
|
+
const publicKeyNode = {
|
|
145
|
+
'@context': 'https://w3id.org/security/suites/x25519-2020/v1',
|
|
146
|
+
id: keyAgreementKey.id,
|
|
147
|
+
type: 'X25519KeyAgreementKey2020',
|
|
148
|
+
publicKeyMultibase: keyAgreementKey.publicKeyMultibase
|
|
149
|
+
}
|
|
150
|
+
const keyResolver = async () => publicKeyNode
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
```js
|
|
154
|
+
// A more advanced resolver based on DID doc authentication keys
|
|
155
|
+
const keyResolver = async ({ id }) => {
|
|
156
|
+
// Use veres driver to fetch the authn key directly
|
|
157
|
+
const keyPair = await Ed25519VerificationKey2020.from(
|
|
158
|
+
await veresDriver.get({ did: id })
|
|
159
|
+
)
|
|
160
|
+
// Convert authn key to key agreement key
|
|
161
|
+
return X25519KeyPair.fromEd25519VerificationKey2020({ keyPair })
|
|
162
|
+
}
|
|
163
|
+
```
|
|
164
|
+
|
|
165
|
+
```js
|
|
166
|
+
// Using did-veres-one driver as a resolver for did:v1:nym: DID keys
|
|
167
|
+
// TODO: Implement this
|
|
168
|
+
```
|
|
169
|
+
|
|
170
|
+
```js
|
|
171
|
+
// Using the did:key method driver as a key resolver
|
|
172
|
+
```
|
|
173
|
+
|
|
174
|
+
Create the JWE:
|
|
175
|
+
|
|
176
|
+
```js
|
|
177
|
+
// To encrypt a string or a Uint8Array
|
|
178
|
+
const data = 'plain text'
|
|
179
|
+
const jweDoc = await cipher.encrypt({ data, recipients, keyResolver })
|
|
180
|
+
|
|
181
|
+
// To encrypt an object
|
|
182
|
+
const obj = { key: 'value' }
|
|
183
|
+
const jweDoc = await cipher.encryptObject({ obj, recipients, keyResolver })
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
### Decrypting
|
|
187
|
+
|
|
188
|
+
Decrypt a JWE JSON Document, using a private `keyAgreementKey`:
|
|
189
|
+
|
|
190
|
+
```js
|
|
191
|
+
const data = await cipher.decrypt({ jwe, keyAgreementKey })
|
|
192
|
+
|
|
193
|
+
const object = await cipher.decryptObject({ jwe, keyAgreementKey })
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
TODO: Describe the required KEK API: // `id`, `algorithm`,
|
|
197
|
+
`wrapKey({unwrappedKey})`, and `unwrapKey({wrappedKey})`
|
|
198
|
+
|
|
199
|
+
## Contribute
|
|
200
|
+
|
|
201
|
+
See
|
|
202
|
+
[the contribute file](https://github.com/digitalbazaar/bedrock/blob/master/CONTRIBUTING.md)!
|
|
203
|
+
|
|
204
|
+
PRs accepted.
|
|
205
|
+
|
|
206
|
+
If editing the README, please conform to the
|
|
207
|
+
[standard-readme](https://github.com/RichardLitt/standard-readme) specification.
|
|
208
|
+
|
|
209
|
+
## Commercial Support
|
|
210
|
+
|
|
211
|
+
Commercial support for this library is available upon request from Digital
|
|
212
|
+
Bazaar: support@digitalbazaar.com
|
|
213
|
+
|
|
214
|
+
## License
|
|
215
|
+
|
|
216
|
+
[New BSD License (3-clause)](LICENSE) © Digital Bazaar
|
|
217
|
+
|
|
218
|
+
[Streams API]: https://developer.mozilla.org/en-US/docs/Web/API/Streams_API
|
|
219
|
+
[Web Crypto API]:
|
|
220
|
+
https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API
|
package/dist/Cipher.d.ts
ADDED
|
@@ -0,0 +1,210 @@
|
|
|
1
|
+
import { DecryptTransformer } from './DecryptTransformer.js';
|
|
2
|
+
import { EncryptTransformer } from './EncryptTransformer.js';
|
|
3
|
+
import type { CipherAlgorithm, EphemeralKeyPair, JWE, KeyAgreementAlgorithm, KeyAgreementKey, KeyResolver, Recipient } from './types.js';
|
|
4
|
+
interface EncryptOptions {
|
|
5
|
+
data?: Uint8Array | string;
|
|
6
|
+
recipients: Recipient[];
|
|
7
|
+
keyResolver: KeyResolver;
|
|
8
|
+
}
|
|
9
|
+
interface EncryptObjectOptions {
|
|
10
|
+
obj: object;
|
|
11
|
+
recipients: Recipient[];
|
|
12
|
+
keyResolver: KeyResolver;
|
|
13
|
+
}
|
|
14
|
+
interface CreateEncryptOptions {
|
|
15
|
+
recipients: Recipient[];
|
|
16
|
+
keyResolver: KeyResolver;
|
|
17
|
+
chunkSize?: number;
|
|
18
|
+
}
|
|
19
|
+
export declare class Cipher {
|
|
20
|
+
version: string;
|
|
21
|
+
cipher: CipherAlgorithm;
|
|
22
|
+
keyAgreement: KeyAgreementAlgorithm;
|
|
23
|
+
/**
|
|
24
|
+
* Creates a new Cipher instance that can be used to encrypt or decrypt
|
|
25
|
+
* data. A version must be supplied for encrypting data; the version
|
|
26
|
+
* indicates whether a FIPS-compliant algorithm or the latest recommended
|
|
27
|
+
* algorithm will be used.
|
|
28
|
+
*
|
|
29
|
+
* @param {string} [version='recommended'] - `fips` to use a FIPS-compliant
|
|
30
|
+
* algorithm, `recommended` to use the latest recommended algorithm when
|
|
31
|
+
* encrypting.
|
|
32
|
+
*
|
|
33
|
+
* @returns {Cipher} A Cipher used to encrypt and decrypt data.
|
|
34
|
+
*/
|
|
35
|
+
constructor({ version }?: {
|
|
36
|
+
version?: string;
|
|
37
|
+
});
|
|
38
|
+
/**
|
|
39
|
+
* Creates a TransformStream that will encrypt some data for one or more
|
|
40
|
+
* recipients and output a stream of chunks, each containing an object
|
|
41
|
+
* with the property `jwe` with a JWE value.
|
|
42
|
+
*
|
|
43
|
+
* A list of recipients must be given in the `recipients` array, identified
|
|
44
|
+
* by key agreement keys. An ephemeral ECDH key will be generated and used to
|
|
45
|
+
* derive shared KEKs that will wrap a randomly generated CEK. Each recipient
|
|
46
|
+
* in the `recipients` array will be updated to include the generated
|
|
47
|
+
* ephemeral ECDH key.
|
|
48
|
+
*
|
|
49
|
+
* @param {object} options - The options for the stream.
|
|
50
|
+
* @param {Array} options.recipients - An array of recipients for the
|
|
51
|
+
* encrypted content.
|
|
52
|
+
* @param {Function} options.keyResolver - A function that returns a Promise
|
|
53
|
+
* that resolves a key ID to a DH public key.
|
|
54
|
+
* @param {number} [options.chunkSize=1048576] - The size, in bytes,
|
|
55
|
+
* of the chunks to break the incoming data into.
|
|
56
|
+
*
|
|
57
|
+
* @returns {Promise<TransformStream>} Resolves to a TransformStream.
|
|
58
|
+
*/
|
|
59
|
+
createEncryptStream({ recipients, keyResolver, chunkSize }: CreateEncryptOptions): Promise<TransformStream>;
|
|
60
|
+
/**
|
|
61
|
+
* Creates a TransformStream that will decrypt one or more chunks, each one
|
|
62
|
+
* that is an object with a `jwe` property that has a JWE as a value. The
|
|
63
|
+
* stream will output chunks of Uint8Arrays consisting of the decrypted
|
|
64
|
+
* data from each chunk.
|
|
65
|
+
*
|
|
66
|
+
* The only JWEs currently supported use an `alg` of `ECDH-ES+A256KW` and
|
|
67
|
+
* `enc` of `A256GCM` or `XC20P`. These parameters refer to data that has been
|
|
68
|
+
* encrypted using a 256-bit AES-GCM or XChaCha20Poly1305 content encryption
|
|
69
|
+
* key (CEK) that has been wrapped using a 256-bit AES-KW key encryption key
|
|
70
|
+
* (KEK) generated via a shared secret between an ephemeral ECDH key and a
|
|
71
|
+
* static ECDH key (ECDH-ES).
|
|
72
|
+
*
|
|
73
|
+
* @param {object} options - Options for createDecryptStream.
|
|
74
|
+
* @param {object} options.keyAgreementKey - A key agreement key API with
|
|
75
|
+
* `id` and deriveSecret`.
|
|
76
|
+
*
|
|
77
|
+
* @returns {Promise<TransformStream>} Resolves to the TransformStream.
|
|
78
|
+
*/
|
|
79
|
+
createDecryptStream({ keyAgreementKey }: {
|
|
80
|
+
keyAgreementKey: KeyAgreementKey;
|
|
81
|
+
}): Promise<TransformStream>;
|
|
82
|
+
/**
|
|
83
|
+
* Encrypts some data for one or more recipients and outputs a JWE. The
|
|
84
|
+
* data to encrypt can be given as a Uint8Array or a string.
|
|
85
|
+
*
|
|
86
|
+
* A list of recipients must be given in the `recipients` array, identified
|
|
87
|
+
* by key agreement keys. An ephemeral ECDH key will be generated and used to
|
|
88
|
+
* derive shared KEKs that will wrap a randomly generated CEK. Each recipient
|
|
89
|
+
* in the `recipients` array will be updated to include the generated
|
|
90
|
+
* ephemeral ECDH key.
|
|
91
|
+
*
|
|
92
|
+
* @param {object} options - Options for encrypt.
|
|
93
|
+
* @param {Uint8Array|string} [options.data] - The data to encrypt.
|
|
94
|
+
* @param {Array} options.recipients - An array of recipients for the\
|
|
95
|
+
* encrypted content.
|
|
96
|
+
* @param {Function} options.keyResolver - A function that returns a Promise
|
|
97
|
+
* that resolves a key ID to a DH public key.
|
|
98
|
+
*
|
|
99
|
+
* @returns {Promise<object>} Resolves to a JWE.
|
|
100
|
+
*/
|
|
101
|
+
encrypt({ data, recipients, keyResolver }: EncryptOptions): Promise<JWE>;
|
|
102
|
+
/**
|
|
103
|
+
* Encrypts an object. The object will be serialized to JSON and passed
|
|
104
|
+
* to `encrypt`. See `encrypt` for other parameters.
|
|
105
|
+
*
|
|
106
|
+
* @param {object} options - Options to use.
|
|
107
|
+
* @param {object} options.obj - The object to encrypt.
|
|
108
|
+
* @param {object} options.rest - The other options to be passed to encrypt.
|
|
109
|
+
*
|
|
110
|
+
* @returns {Promise<object>} Resolves to a JWE.
|
|
111
|
+
*/
|
|
112
|
+
encryptObject({ obj, ...rest }: EncryptObjectOptions): Promise<JWE>;
|
|
113
|
+
/**
|
|
114
|
+
* Decrypts a single JWE.
|
|
115
|
+
*
|
|
116
|
+
* The only JWEs currently supported use an `alg` of `ECDH-ES+A256KW` and
|
|
117
|
+
* `enc` of `A256GCM` or `XC20P`. These parameters refer to data that has been
|
|
118
|
+
* encrypted using a 256-bit AES-GCM or XChaCha20Poly1305 content encryption
|
|
119
|
+
* key (CEK) that has been wrapped using a 256-bit AES-KW key encryption key
|
|
120
|
+
* (KEK) generated via a shared secret between an ephemeral ECDH key and a
|
|
121
|
+
* static ECDH key (ECDH-ES).
|
|
122
|
+
*
|
|
123
|
+
* Note: This version also supports decrypting data that was encrypted using
|
|
124
|
+
* `C20P` (ChaCha20Poly1305) for backwards compatibility.
|
|
125
|
+
*
|
|
126
|
+
* @param {object} options - Options for decrypt.
|
|
127
|
+
* @param {object} options.jwe - The JWE to decrypt.
|
|
128
|
+
* @param {object} options.keyAgreementKey - A key agreement key API with
|
|
129
|
+
* `id` and `deriveSecret`.
|
|
130
|
+
*
|
|
131
|
+
* @returns {Promise<Uint8Array>} - Resolves to the decrypted data
|
|
132
|
+
* or `null` if the decryption failed.
|
|
133
|
+
*/
|
|
134
|
+
decrypt({ jwe, keyAgreementKey }: {
|
|
135
|
+
jwe: JWE;
|
|
136
|
+
keyAgreementKey: KeyAgreementKey;
|
|
137
|
+
}): Promise<Uint8Array | null>;
|
|
138
|
+
/**
|
|
139
|
+
* Decrypts a JWE that must contain an encrypted object. This method will
|
|
140
|
+
* call `decrypt` and then `JSON.parse` the resulting decrypted UTF-8 data.
|
|
141
|
+
*
|
|
142
|
+
* @param {object} options - Options.
|
|
143
|
+
* @param {object} options.jwe - The JWE to decrypt.
|
|
144
|
+
* @param {object} options.keyAgreementKey - A key agreement key API with
|
|
145
|
+
* `id` and `deriveSecret`.
|
|
146
|
+
*
|
|
147
|
+
* @returns {Promise<object>} - Resolves to the decrypted object or `null`
|
|
148
|
+
* if the decryption failed.
|
|
149
|
+
*/
|
|
150
|
+
decryptObject({ jwe, keyAgreementKey }: {
|
|
151
|
+
jwe: JWE;
|
|
152
|
+
keyAgreementKey: KeyAgreementKey;
|
|
153
|
+
}): Promise<object | null>;
|
|
154
|
+
/**
|
|
155
|
+
* Creates an EncryptTransformer that can be used to encrypt one or more
|
|
156
|
+
* chunks of data.
|
|
157
|
+
*
|
|
158
|
+
* A list of recipients must be given in the `recipients` array, identified
|
|
159
|
+
* by key agreement keys. An ephemeral ECDH key will be generated and used to
|
|
160
|
+
* derive shared KEKs that will wrap a randomly generated CEK. Each recipient
|
|
161
|
+
* in the `recipients` array will be updated to include the generated
|
|
162
|
+
* ephemeral ECDH key.
|
|
163
|
+
*
|
|
164
|
+
* @param {object} options - Options for the transformer.
|
|
165
|
+
* @param {Array} options.recipients - An array of recipients for the
|
|
166
|
+
* encrypted content.
|
|
167
|
+
* @param {Function} options.keyResolver - A function that returns
|
|
168
|
+
* a Promise that resolves a key ID to a DH public key.
|
|
169
|
+
* @param {number} [options.chunkSize=1048576] - The size, in bytes, of the
|
|
170
|
+
* chunks to break the incoming data into (only applies if returning a
|
|
171
|
+
* stream).
|
|
172
|
+
*
|
|
173
|
+
* @returns {Promise<EncryptTransformer>} - Resolves to an EncryptTransformer.
|
|
174
|
+
*/
|
|
175
|
+
createEncryptTransformer({ recipients, keyResolver, chunkSize }: CreateEncryptOptions): Promise<EncryptTransformer>;
|
|
176
|
+
/**
|
|
177
|
+
* Creates a DecryptTransformer.
|
|
178
|
+
*
|
|
179
|
+
* @param {object} options - Options to use.
|
|
180
|
+
* @param {object} options.keyAgreementKey - A key agreement key API with
|
|
181
|
+
* `id` and `deriveSecret`.
|
|
182
|
+
*
|
|
183
|
+
* @returns {Promise<DecryptTransformer>} - Resolves to a DecryptTransformer.
|
|
184
|
+
*/
|
|
185
|
+
createDecryptTransformer({ keyAgreementKey }: {
|
|
186
|
+
keyAgreementKey: KeyAgreementKey;
|
|
187
|
+
}): Promise<DecryptTransformer>;
|
|
188
|
+
/**
|
|
189
|
+
* Creates a JWE recipient using the given inputs.
|
|
190
|
+
*
|
|
191
|
+
* @see https://tools.ietf.org/html/rfc7516#section-4
|
|
192
|
+
*
|
|
193
|
+
* @param {object} options - Options to use.
|
|
194
|
+
* @param {object} options.recipient - A recipient with a header with a
|
|
195
|
+
* kid and alg.
|
|
196
|
+
* @param {object} options.ephemeralKeyPair - An ephemeral key pair.
|
|
197
|
+
* @param {object} options.cek - A content encryption key.
|
|
198
|
+
* @param {Function} options.keyResolver - A function that can resolve keys.
|
|
199
|
+
*
|
|
200
|
+
* @returns {Promise<object>} A JWE recipient object.
|
|
201
|
+
*/
|
|
202
|
+
_createRecipient({ recipient, ephemeralKeyPair, cek, keyResolver }: {
|
|
203
|
+
recipient: Recipient;
|
|
204
|
+
ephemeralKeyPair: EphemeralKeyPair;
|
|
205
|
+
cek: Uint8Array;
|
|
206
|
+
keyResolver: KeyResolver;
|
|
207
|
+
}): Promise<Recipient>;
|
|
208
|
+
}
|
|
209
|
+
export {};
|
|
210
|
+
//# sourceMappingURL=Cipher.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"Cipher.d.ts","sourceRoot":"","sources":["../src/Cipher.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAA;AAE5D,OAAO,KAAK,EACV,eAAe,EACf,gBAAgB,EAChB,GAAG,EACH,qBAAqB,EACrB,eAAe,EACf,WAAW,EACX,SAAS,EACV,MAAM,YAAY,CAAA;AAInB,UAAU,cAAc;IACtB,IAAI,CAAC,EAAE,UAAU,GAAG,MAAM,CAAA;IAC1B,UAAU,EAAE,SAAS,EAAE,CAAA;IACvB,WAAW,EAAE,WAAW,CAAA;CACzB;AAED,UAAU,oBAAoB;IAC5B,GAAG,EAAE,MAAM,CAAA;IACX,UAAU,EAAE,SAAS,EAAE,CAAA;IACvB,WAAW,EAAE,WAAW,CAAA;CACzB;AAED,UAAU,oBAAoB;IAC5B,UAAU,EAAE,SAAS,EAAE,CAAA;IACvB,WAAW,EAAE,WAAW,CAAA;IACxB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,qBAAa,MAAM;IACjB,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,eAAe,CAAA;IACvB,YAAY,EAAE,qBAAqB,CAAA;IAEnC;;;;;;;;;;;OAWG;gBACS,EAAE,OAAuB,EAAE,GAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAO;IAiBlE;;;;;;;;;;;;;;;;;;;;OAoBG;IACG,mBAAmB,CAAC,EACxB,UAAU,EACV,WAAW,EACX,SAAS,EACV,EAAE,oBAAoB,GAAG,OAAO,CAAC,eAAe,CAAC;IASlD;;;;;;;;;;;;;;;;;;OAkBG;IACG,mBAAmB,CAAC,EACxB,eAAe,EAChB,EAAE;QACD,eAAe,EAAE,eAAe,CAAA;KACjC,GAAG,OAAO,CAAC,eAAe,CAAC;IAK5B;;;;;;;;;;;;;;;;;;OAkBG;IACG,OAAO,CAAC,EACZ,IAAI,EACJ,UAAU,EACV,WAAW,EACZ,EAAE,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC;IAehC;;;;;;;;;OASG;IACG,aAAa,CAAC,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,EAAE,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC;IAOzE;;;;;;;;;;;;;;;;;;;;OAoBG;IACG,OAAO,CAAC,EACZ,GAAG,EACH,eAAe,EAChB,EAAE;QACD,GAAG,EAAE,GAAG,CAAA;QACR,eAAe,EAAE,eAAe,CAAA;KACjC,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAK9B;;;;;;;;;;;OAWG;IACG,aAAa,CAAC,EAClB,GAAG,EACH,eAAe,EAChB,EAAE;QACD,GAAG,EAAE,GAAG,CAAA;QACR,eAAe,EAAE,eAAe,CAAA;KACjC,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAS1B;;;;;;;;;;;;;;;;;;;;OAoBG;IACG,wBAAwB,CAAC,EAC7B,UAAU,EACV,WAAW,EACX,SAAS,EACV,EAAE,oBAAoB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA4CrD;;;;;;;;OAQG;IACG,wBAAwB,CAAC,EAC7B,eAAe,EAChB,EAAE;QACD,eAAe,EAAE,eAAe,CAAA;KACjC,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAO/B;;;;;;;;;;;;;OAaG;IACG,gBAAgB,CAAC,EACrB,SAAS,EACT,gBAAgB,EAChB,GAAG,EACH,WAAW,EACZ,EAAE;QACD,SAAS,EAAE,SAAS,CAAA;QACpB,gBAAgB,EAAE,gBAAgB,CAAA;QAClC,GAAG,EAAE,UAAU,CAAA;QACf,WAAW,EAAE,WAAW,CAAA;KACzB,GAAG,OAAO,CAAC,SAAS,CAAC;CAwCvB"}
|