@ledgerhq/hw-ledger-key-ring-protocol 0.2.1-nightly.0

package/src/StreamTreeCipher.ts

@@ -0,0 +1,207 @@
+import { Device, crypto } from ".";
+import { StreamTree } from "./StreamTree";
+
+/**
+ *
+ */
+export enum StreamTreeCipherMode {
+  AES_256_CBC = 0x00,
+  AES_256_GCM = 0x01,
+}
+
+const TAG_LENGTH = 16;
+
+interface DecodedPayload {
+  version: number;
+  ephemeralPublicKey: Uint8Array;
+  nonce: Uint8Array;
+  encrypted: Uint8Array;
+  checksum: Uint8Array;
+}
+
+/**
+ *
+ */
+export class StreamTreeCipher {
+  private _mode: StreamTreeCipherMode;
+  private _device: Device;
+
+  constructor(mode: StreamTreeCipherMode, device: Device) {
+    this._mode = mode;
+    this._device = device;
+  }
+
+  get mode(): StreamTreeCipherMode {
+    return this._mode;
+  }
+
+  /**
+   * Encrypts a message for a given path in the tree
+   * @param tree
+   * @param path
+   * @param message
+   * @param nonce optional nonce to use for the encryption (if null a random nonce will be generated)
+   * @returns the encrypted message with the nonce prepended (1 byte for the nonce length + nonce + 33 bytes ephemeral key + encrypted message + 4 bytes checksum)
+   * @throws Error if the cipher mode is not implemented
+   * @throws Error if the path is not found in the tree and can't be derived from the device
+   */
+  async encrypt(
+    tree: StreamTree,
+    path: number[],
+    message: Uint8Array,
+    nonce: Uint8Array | null = null,
+  ): Promise<Uint8Array> {
+    if (nonce === null) {
+      nonce = await crypto.randomBytes(16);
+    }
+
+    // Generate ephemeral key pair
+    const ephemeralKeyPair = await crypto.randomKeypair();
+
+    // Get the group public key
+    const groupKeypair = await this.getGroupKeypair(tree, path);
+
+    // Compute the secret via ECDH
+    const secret = await crypto.ecdh(ephemeralKeyPair, groupKeypair.publicKey);
+
+    let encrypted: Uint8Array = new Uint8Array(0);
+    switch (this._mode) {
+      case StreamTreeCipherMode.AES_256_CBC: {
+        encrypted = await crypto.encrypt(secret, nonce, message);
+        break;
+      }
+      case StreamTreeCipherMode.AES_256_GCM: {
+        encrypted = await crypto.encrypt(secret, nonce, message);
+        break;
+      }
+      default:
+        throw new Error("Unknown cipher mode");
+    }
+
+    // Serialize encrypted data
+    return this.encodeData(ephemeralKeyPair.publicKey, nonce, encrypted, message);
+  }
+
+  private async getGroupKeypair(
+    tree: StreamTree,
+    path: number[],
+  ): Promise<{ privateKey: Uint8Array; publicKey: Uint8Array }> {
+    if (!this._device.isPublicKeyAvailable()) {
+      throw new Error("Stream tree cipher is only available for software devices");
+    }
+    const member = await this._device.getPublicKey();
+    const event = await tree.getPublishKeyEvent(member.publicKey, path);
+    if (!event) {
+      throw new Error("Cannot find key in the tree for the current device");
+    }
+
+    // Compute the relative path from the event to the path parameter
+    const privateKey = (await this._device.readKey(tree, path)).slice(0, 32);
+    const publicKey = (await crypto.keypairFromSecretKey(privateKey)).publicKey;
+    return { privateKey, publicKey };
+  }
+
+  private async encodeData(
+    ephemeralPublicKey: Uint8Array,
+    nonce: Uint8Array,
+    data: Uint8Array,
+    message: Uint8Array,
+  ): Promise<Uint8Array> {
+    const result = new Uint8Array(1 + 33 + nonce.length + TAG_LENGTH + data.length);
+    let offset = 0;
+    // Version
+    result[offset] = this._mode;
+    offset += 1;
+    // Ephemeral public key
+    result.set(ephemeralPublicKey, offset);
+    offset += ephemeralPublicKey.length;
+    // Nonce/IV
+    result.set(nonce, offset);
+    offset += nonce.length;
+    // Checksum
+    if (this._mode == StreamTreeCipherMode.AES_256_CBC) {
+      const checksum = await this.computeChecksum(message);
+      result.set(checksum, offset);
+      offset += checksum.length;
+    }
+    // Encrypted data
+    result.set(data, offset);
+    return result;
+  }
+
+  private decodeData(payload: Uint8Array): DecodedPayload {
+    const version = payload[0];
+    let offset = 1;
+    const ephemeralPublicKey = payload.slice(offset, offset + 33);
+    offset += 33;
+    const nonce = payload.slice(offset, offset + 16);
+    offset += 16;
+    const checksum = payload.slice(payload.length - 16, payload.length);
+    const encrypted = payload.slice(offset, payload.length - 16);
+    return {
+      version,
+      ephemeralPublicKey,
+      nonce,
+      encrypted,
+      checksum,
+    };
+  }
+
+  /**
+   * Decrypts a message for a given path in the tree
+   * @param tree
+   * @param path
+   * @param encrytedPayload
+   * @returns the decrypted message
+   * @throws Error if the cipher mode is not implemented
+   * @throws Error if the path is not found in the tree and can't be derived from the device
+   * @throws Error if the checksum is invalid
+   */
+  async decrypt(
+    tree: StreamTree,
+    path: number[],
+    encrytedPayload: Uint8Array,
+  ): Promise<Uint8Array> {
+    const decodedPayload = this.decodeData(encrytedPayload);
+
+    const ephemeralKey = decodedPayload.ephemeralPublicKey;
+    const nonce = decodedPayload.nonce;
+    const encryptedMessage = decodedPayload.encrypted;
+    const checksum = decodedPayload.checksum;
+
+    const sharedKeyPair = await this.getGroupKeypair(tree, path);
+    const secret = await crypto.ecdh(sharedKeyPair, ephemeralKey);
+
+    let decrypted = new Uint8Array(0);
+    switch (this._mode) {
+      case StreamTreeCipherMode.AES_256_CBC: {
+        decrypted = await crypto.decrypt(secret, nonce, encryptedMessage);
+        const computedChecksum = await this.computeChecksum(decrypted);
+        if (crypto.to_hex(computedChecksum) !== crypto.to_hex(checksum)) {
+          throw new Error("Invalid checksum");
+        }
+        break;
+      }
+      case StreamTreeCipherMode.AES_256_GCM: {
+        decrypted = await crypto.decrypt(secret, nonce, encryptedMessage);
+        break;
+      }
+      default:
+        throw new Error("Unknown cipher mode");
+    }
+
+    return decrypted;
+  }
+
+  private async computeChecksum(message: Uint8Array): Promise<Uint8Array> {
+    const hash = await crypto.hash(message);
+    return hash.slice(0, 16);
+  }
+
+  static create(
+    device: Device,
+    mode: StreamTreeCipherMode = StreamTreeCipherMode.AES_256_GCM,
+  ): StreamTreeCipher {
+    return new StreamTreeCipher(mode, device);
+  }
+}

package/src/__tests__/codec.ts

@@ -0,0 +1,146 @@
+import {
+  AddMember,
+  createCommandBlock,
+  Permissions,
+  PublishKey,
+  Seed,
+  signCommandBlock,
+} from "../CommandBlock";
+import { TLV } from "../tlv";
+import { CommandStreamDecoder } from "../CommandStreamDecoder";
+import { CommandStreamEncoder } from "../CommandStreamEncoder";
+import { crypto } from "../Crypto";
+import { CommandStream } from "..";
+
+describe("Encode/Decode command stream tester", () => {
+  it("should encode and decode a byte", async () => {
+    const byte = 42;
+    let buffer = new Uint8Array();
+    buffer = TLV.pushByte(buffer, 42);
+    const decoded = TLV.readVarInt(TLV.readTLV(buffer, 0));
+    expect(decoded.value).toBe(byte);
+  });
+
+  it("should encode and decode a Int32", async () => {
+    const varint = 0xdeadbeef;
+    let buffer = new Uint8Array();
+    buffer = TLV.pushInt32(buffer, varint);
+    const decoded = TLV.readVarInt(TLV.readTLV(buffer, 0));
+    expect(decoded.value).toBe(varint);
+  });
+
+  it("should encode and decode a string", async () => {
+    const str = "Hello World";
+    let buffer = new Uint8Array();
+    buffer = TLV.pushString(buffer, str);
+    const decoded = TLV.readString(TLV.readTLV(buffer, 0));
+    expect(decoded.value).toBe(str);
+  });
+
+  it("should encode and decode a hash", async () => {
+    const hash = await crypto.hash(new Uint8Array([0, 1, 2, 3, 4, 5, 6, 7, 8, 9]));
+    let buffer = new Uint8Array();
+    buffer = TLV.pushHash(buffer, hash);
+    const decoded = TLV.readHash(TLV.readTLV(buffer, 0));
+    expect(crypto.to_hex(decoded.value)).toEqual(crypto.to_hex(hash));
+  });
+
+  it("should encode and decode bytes", async () => {
+    const bytes = new Uint8Array([0, 1, 2, 3, 4, 5, 6, 7, 8, 9]);
+    let buffer = new Uint8Array();
+    buffer = TLV.pushBytes(buffer, bytes);
+    const decoded = TLV.readBytes(TLV.readTLV(buffer, 0));
+    expect(decoded.value).toEqual(bytes);
+  });
+
+  it("should encode and decode a signature", async () => {
+    const alice = await crypto.randomKeypair();
+    const block = await signCommandBlock(
+      await createCommandBlock(alice.publicKey, []),
+      alice.publicKey,
+      alice.privateKey,
+    );
+    let buffer = new Uint8Array();
+    buffer = TLV.pushSignature(buffer, block.signature);
+    const decoded = TLV.readSignature(TLV.readTLV(buffer, 0));
+    expect(decoded.value).toEqual(block.signature);
+  });
+
+  it("should encode and decode a public key", async () => {
+    const alice = await crypto.randomKeypair();
+    let buffer = new Uint8Array();
+    buffer = TLV.pushPublicKey(buffer, alice.publicKey);
+    const decoded = TLV.readPublicKey(TLV.readTLV(buffer, 0));
+    expect(decoded.value).toEqual(alice.publicKey);
+  });
+
+  it("should encode and decode a stream. Encoding/Decoding should not alter the stream", async () => {
+    const alice = await crypto.randomKeypair();
+    const groupPk = await crypto.randomKeypair();
+    const groupChainCode = await crypto.randomBytes(32);
+    const xpriv = new Uint8Array(64);
+    const initializationVector = await crypto.randomBytes(16);
+    xpriv.set(groupPk.privateKey);
+    xpriv.set(groupChainCode, 32);
+    const ephemeralPk = await crypto.randomKeypair();
+
+    const block1 = await signCommandBlock(
+      await createCommandBlock(alice.publicKey, [
+        new Seed(
+          await crypto.randomBytes(16),
+          0,
+          groupPk.publicKey,
+          initializationVector,
+          xpriv,
+          ephemeralPk.publicKey,
+        ),
+      ]),
+      alice.publicKey,
+      alice.privateKey,
+    );
+
+    const block2 = await signCommandBlock(
+      await createCommandBlock(alice.publicKey, [
+        new AddMember("Alice", await crypto.randomBytes(32), Permissions.OWNER),
+        new PublishKey(
+          await crypto.randomBytes(16),
+          await crypto.randomBytes(32),
+          await crypto.randomBytes(32),
+          await crypto.randomBytes(32),
+        ),
+      ]),
+      alice.publicKey,
+      alice.privateKey,
+    );
+    const block3 = await signCommandBlock(
+      await createCommandBlock(alice.publicKey, []),
+      alice.publicKey,
+      alice.privateKey,
+    );
+
+    const stream = [block1, block2, block3];
+
+    const encoded = CommandStreamEncoder.encode(stream);
+    const digestEncoded = await crypto.hash(encoded);
+
+    const decoded = CommandStreamDecoder.decode(encoded);
+    const reencoded = CommandStreamEncoder.encode(decoded);
+    const digestReencoded = await crypto.hash(reencoded);
+    expect(digestEncoded).toEqual(digestReencoded);
+  });
+
+  it("decodes a specific command stream", async () => {
+    const tlv =
+      "0101010220824b3168c79e8b61b599751c107117b5c9b647f2b6859de8a245952559707692062102a13e82cd0d2f77d1ab1434d8bd799571e54cd32e1121c5cf82217f8b0b713b6b01010315a8050c800000008000001080000000062103ccf74aa7775b3d39d6cbb0236acee7a7f980b9f6a556a4d814d44b0bd56cb77b05108c51eda6be26623ca919ed17333afcdb054019c0b60ede1692479cc04ce69eae6a0bd51941bab6f044f3dec10c11cf11e6253504d1df6b0aab7dc1996e4eaa7c6f92c29153c59534578901cd7ff4efcea1ae06210268abdb3d49ba4a274ce8660cde0d1eeaf1fea00e281218be775f6b3aefc39756113a040f7765622d746f6f6c732d6563626638062103a270456b0f95714cc61a6473e6b6d8db354a3c377281096bdd2439a5475ecbf80104ffffffff129a05100e5205b4a616b2a4d79b07b4a4932f560540669e741f38fee07956fb0dc0ea9978d55bd5d8424b0d0f66a2c5a45788f92d0ddc283138c7ba62c521de1d604ee7f847c5aed40a11536bbe742af0be8cfd4132062103a270456b0f95714cc61a6473e6b6d8db354a3c377281096bdd2439a5475ecbf80621027003755248202ea8a67d1fcdcd82d7f7022248f3af892fa5307d3ea250dc81050346304402204422a779fd08723d8cba19c0cc11ef7a24f6f1f459cb01598ff1a26f27ea8976022053a554d4f509223f2d08faa5de796fed13a9762f35da08e94884edd1f7c0d015";
+    const decoded = CommandStreamDecoder.decode(crypto.from_hex(tlv));
+    const stream = new CommandStream(decoded);
+    const resolved = await stream.resolve();
+    expect(resolved.getMembersData()).toEqual([
+      {
+        id: "03a270456b0f95714cc61a6473e6b6d8db354a3c377281096bdd2439a5475ecbf8",
+        name: "web-tools-ecbf8",
+        permissions: 4294967295,
+      },
+    ]);
+  });
+});

package/src/__tests__/crypto.ts

@@ -0,0 +1,44 @@
+import { crypto } from "../Crypto";
+
+describe("Sodium wrapper tester", () => {
+  it("should computes the same symetric key with ECDH using two parties", async () => {
+    const kp1 = await crypto.randomKeypair();
+    const kp2 = await crypto.randomKeypair();
+    const shared1 = await crypto.ecdh(kp1, kp2.publicKey);
+    const shared2 = await crypto.ecdh(kp2, kp1.publicKey);
+
+    expect(crypto.to_hex(shared1)).toBe(crypto.to_hex(shared2));
+  });
+
+  it("should encrypt a message and decrypt using the same symmetric key", async () => {
+    //const message = "Hello world!"
+    const message = await crypto.randomBytes(64);
+    const key = await crypto.randomBytes(32);
+    const nonce = await crypto.randomBytes(16);
+    const encrypted = await crypto.encrypt(key, nonce, message);
+    const decrypted = await crypto.decrypt(key, nonce, encrypted);
+    expect(crypto.to_hex(decrypted)).toBe(crypto.to_hex(message));
+  });
+
+  it("should encrypt user data", async () => {
+    const keypair = await crypto.randomKeypair();
+    const data = await crypto.randomBytes(64);
+    const encrypted = await crypto.encryptUserData(keypair.privateKey, data);
+    const decrypted = await crypto.decryptUserData(keypair.privateKey, encrypted);
+    expect(crypto.to_hex(decrypted)).toBe(crypto.to_hex(data));
+  });
+
+  it("should verify truncated signature by padding 0s from the start", async () => {
+    const hash = crypto.from_hex(
+      "19514a2e50bfad4a6de397ebde776191cbb720e8bbfcc3c165385c3664c03341",
+    );
+    const signature = crypto.from_hex(
+      // Here the "S" part of the signature is only 31 bytes long it should be padded with a 0
+      "3043022052a82876fcd4d9d8383ce12a7e4d96bb4c1d9e71e857cd087c092b87cec6baeb021f6b86b9a3bab1e7794ca6ef081c66cb6e6dff06cceddbd23e1f25089e311784",
+    );
+    const issuer = crypto.from_hex(
+      "026e7bf1e015da491674be5796b15d6fabd1f454aad478a6a223934e5a872719e0",
+    );
+    expect(await crypto.verify(hash, signature, issuer)).toBe(true);
+  });
+});

package/src/__tests__/indexed_tree.ts

@@ -0,0 +1,51 @@
+import { IndexedTree } from "../IndexedTree";
+
+describe("Indexed tree unit test suite", () => {
+  it("should create a new tree with a root", () => {
+    const tree = new IndexedTree(0);
+    expect(tree.getValue()).toBe(0);
+  });
+
+  it("should create a new tree with a root and update the root", () => {
+    let tree = new IndexedTree(0);
+    tree = tree.updateChild([], 1);
+    expect(tree.getValue()).toBe(1);
+  });
+
+  it("should create a new tree with a root and update a child", () => {
+    let tree = new IndexedTree(0);
+    tree = tree.updateChild([1], 1);
+    expect(tree.getChild(1)!.getValue()).toBe(1);
+  });
+
+  it("should create a tree with multiple children and update a child which had no value before", () => {
+    let tree = new IndexedTree(0);
+    tree = tree.updateChild([0, 1], 1);
+    tree = tree.updateChild([0, 2], 2);
+
+    expect(tree.findChild([0, 1])!.getValue()).toBe(1);
+    expect(tree.findChild([0, 2])!.getValue()).toBe(2);
+    expect(tree.getChild(0)?.getValue()).toBe(null);
+
+    tree = tree.updateChild([0], 42);
+    expect(tree.getChild(0)?.getValue()).toBe(42);
+  });
+
+  it("should add a subtree to the tree", () => {
+    let tree = new IndexedTree(0);
+    tree = tree.addChild([0, 1], new IndexedTree(1));
+    tree = tree.addChild([0, 2], new IndexedTree(2));
+
+    let subtree = new IndexedTree(42);
+    subtree = subtree.updateChild([0], 43);
+    subtree = subtree.updateChild([1], 44);
+
+    tree = tree.addChild([0, 3], subtree);
+
+    expect(tree.findChild([0, 1])!.getValue()).toBe(1);
+    expect(tree.findChild([0, 2])!.getValue()).toBe(2);
+    expect(tree.findChild([0, 3])!.getValue()).toBe(42);
+    expect(tree.findChild([0, 3, 0])!.getValue()).toBe(43);
+    expect(tree.findChild([0, 3, 1])!.getValue()).toBe(44);
+  });
+});

package/src/__tests__/key_exchange.ts

@@ -0,0 +1,167 @@
+import { createDevice } from "../Device";
+
+import CommandStream from "../CommandStream";
+import { Permissions } from "../CommandBlock";
+import { crypto } from "../Crypto";
+import { StreamTreeCipher } from "../StreamTreeCipher";
+import { StreamTree } from "../StreamTree";
+
+const DEFAULT_TOPIC = "c96d450545ff2836204c29af291428a5bf740304978f5dfb0b4a261474192851";
+
+describe("Symmetric key exchange scenarii", () => {
+  it("create a new group with 1 member", async () => {
+    const alice = await createDevice();
+    const topic = crypto.from_hex(DEFAULT_TOPIC);
+    let stream = new CommandStream([]);
+    stream = await stream.edit().seed(topic).issue(alice);
+    const resolved = await stream.resolve();
+    expect(resolved.isCreated()).toBe(true);
+    expect(resolved.getMembers().length).toBe(1);
+    expect(resolved.getMembersData().length).toBe(0);
+    expect(crypto.to_hex(resolved.getTopic()!)).toBe(crypto.to_hex(topic));
+    //const parsed = CommandStreamDecoder.decode(CommandStreamEncoder.encode(stream.blocks));
+    //console.log(JSON.stringify(CommandStreamJsonifier.jsonify(parsed), null, 2));
+    //const raw = CommandStreamEncoder.encode(stream.blocks);
+    //console.log(crypto.to_hex(raw));
+  });
+
+  it("create a group owned by Alice, Alice adds Bob and publish a key for Bob.", async () => {
+    const alice = await createDevice();
+    const bob = await createDevice();
+
+    let stream = new CommandStream();
+    stream = await stream.edit().seed(crypto.from_hex(DEFAULT_TOPIC)).issue(alice);
+    stream = await stream
+      .edit()
+      .addMember("Bob", (await bob.getPublicKey()).publicKey, Permissions.KEY_READER)
+      .issue(alice);
+    const tree = StreamTree.from(stream);
+
+    // Encrypt a message from Alice
+    const originalMessage = new TextEncoder().encode("Hello World!");
+    const encryptedMessage = await StreamTreeCipher.create(alice).encrypt(
+      tree,
+      [],
+      originalMessage,
+    );
+
+    // The message should be different from the original
+    expect(crypto.to_hex(encryptedMessage)).not.toEqual(crypto.to_hex(originalMessage));
+
+    // Decrypt the message from Bob
+    const decryptedMessage = await StreamTreeCipher.create(bob).decrypt(tree, [], encryptedMessage);
+    // The message should be the same as the original
+    expect(crypto.to_hex(decryptedMessage)).toBe(crypto.to_hex(originalMessage));
+  });
+
+  it("create a group owned by Alice, Alice adds Bob and publish a key for Bob, Alice adds Charlie and Bob publishes a key for Charlie", async () => {
+    const alice = await createDevice();
+    const bob = await createDevice();
+    const charlie = await createDevice();
+
+    let stream = new CommandStream();
+    stream = await stream.edit().seed(crypto.from_hex(DEFAULT_TOPIC)).issue(alice);
+    stream = await stream
+      .edit()
+      .addMember("Bob", (await bob.getPublicKey()).publicKey, Permissions.KEY_READER)
+      .issue(alice);
+    stream = await stream
+      .edit()
+      .addMember("Charlie", (await charlie.getPublicKey()).publicKey, Permissions.KEY_READER)
+      .issue(alice);
+
+    const tree = StreamTree.from(stream);
+
+    // Encrypt a message from Alice
+    const originalMessage = new TextEncoder().encode("Hello World!");
+    const encryptedMessage = await StreamTreeCipher.create(alice).encrypt(
+      tree,
+      [],
+      originalMessage,
+    );
+    // The message should be different from the original
+    expect(crypto.to_hex(encryptedMessage)).not.toBe(crypto.to_hex(originalMessage));
+
+    {
+      // Decrypt the message from Bob
+      const decryptedMessage = await StreamTreeCipher.create(bob).decrypt(
+        tree,
+        [],
+        encryptedMessage,
+      );
+      // The message should be the same as the original
+      expect(crypto.to_hex(decryptedMessage)).toBe(crypto.to_hex(originalMessage));
+    }
+
+    {
+      // Decrypt the message from Charlie
+      const decryptedMessage = await StreamTreeCipher.create(charlie).decrypt(
+        tree,
+        [],
+        encryptedMessage,
+      );
+      // The message should be the same as the original
+      expect(crypto.to_hex(decryptedMessage)).toBe(crypto.to_hex(originalMessage));
+    }
+
+    //console.log(crypto.to_hex(CommandStreamEncoder.encode(stream.blocks)));
+    //const parsed = CommandStreamDecoder.decode(CommandStreamEncoder.encode(stream.blocks));
+    //console.log(JSON.stringify(CommandStreamJsonifier.jsonify(parsed), null, 2));
+  });
+
+  it("creates group owned by Alice, Alice adds Bob as an admin, Bob adds Charlie", async () => {
+    const alice = await createDevice();
+    const bob = await createDevice();
+    const charlie = await createDevice();
+
+    let stream = new CommandStream();
+    stream = await stream.edit().seed(crypto.from_hex(DEFAULT_TOPIC)).issue(alice);
+    stream = await stream
+      .edit()
+      .addMember(
+        "Bob",
+        (await bob.getPublicKey()).publicKey,
+        Permissions.ADD_MEMBER | Permissions.KEY_READER,
+      )
+      .issue(alice);
+    stream = await stream
+      .edit()
+      .addMember("Charlie", (await charlie.getPublicKey()).publicKey, Permissions.KEY_READER)
+      .issue(bob);
+
+    const tree = StreamTree.from(stream);
+
+    // Encrypt a message from Alice
+    const originalMessage = new TextEncoder().encode("Hello World!");
+    const encryptedMessage = await StreamTreeCipher.create(alice).encrypt(
+      tree,
+      [],
+      originalMessage,
+    );
+    // The message should be different from the original
+    expect(crypto.to_hex(encryptedMessage)).not.toBe(crypto.to_hex(originalMessage));
+
+    {
+      // Decrypt the message from Bob
+      const decryptedMessage = await StreamTreeCipher.create(bob).decrypt(
+        tree,
+        [],
+        encryptedMessage,
+      );
+      // The message should be the same as the original
+      expect(crypto.to_hex(decryptedMessage)).toBe(crypto.to_hex(originalMessage));
+    }
+
+    {
+      // Decrypt the message from Charlie
+      const decryptedMessage = await StreamTreeCipher.create(charlie).decrypt(
+        tree,
+        [],
+        encryptedMessage,
+      );
+      // The message should be the same as the original
+      expect(crypto.to_hex(decryptedMessage)).toBe(crypto.to_hex(originalMessage));
+    }
+    //console.log(JSON.stringify(CommandStreamJsonifier.jsonify(stream.blocks), null, 2));
+  });
+});