@libp2p/pnet 1.0.0-01e9a5fe4

package/dist/src/crypto.js

@@ -0,0 +1,56 @@
+import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string';
+import { toString as uint8ArrayToString } from 'uint8arrays/to-string';
+import xsalsa20 from 'xsalsa20';
+import * as Errors from './errors.js';
+import { KEY_LENGTH } from './key-generator.js';
+/**
+ * Creates a stream iterable to encrypt messages in a private network
+ */
+export function createBoxStream(nonce, psk) {
+    const xor = xsalsa20(nonce, psk);
+    return (source) => (async function* () {
+        for await (const chunk of source) {
+            yield Uint8Array.from(xor.update(chunk.subarray()));
+        }
+    })();
+}
+/**
+ * Creates a stream iterable to decrypt messages in a private network
+ */
+export function createUnboxStream(nonce, psk) {
+    return (source) => (async function* () {
+        const xor = xsalsa20(nonce, psk);
+        for await (const chunk of source) {
+            yield Uint8Array.from(xor.update(chunk.subarray()));
+        }
+    })();
+}
+/**
+ * Decode the version 1 psk from the given Uint8Array
+ */
+export function decodeV1PSK(pskBuffer) {
+    try {
+        // This should pull from multibase/multicodec to allow for
+        // more encoding flexibility. Ideally we'd consume the codecs
+        // from the buffer line by line to evaluate the next line
+        // programmatically instead of making assumptions about the
+        // encodings of each line.
+        const metadata = uint8ArrayToString(pskBuffer).split(/(?:\r\n|\r|\n)/g);
+        const pskTag = metadata.shift();
+        const codec = metadata.shift();
+        const pskString = metadata.shift();
+        const psk = uint8ArrayFromString(pskString ?? '', 'base16');
+        if (psk.byteLength !== KEY_LENGTH) {
+            throw new Error(Errors.INVALID_PSK);
+        }
+        return {
+            tag: pskTag,
+            codecName: codec,
+            psk
+        };
+    }
+    catch (err) {
+        throw new Error(Errors.INVALID_PSK);
+    }
+}
+//# sourceMappingURL=crypto.js.map

package/dist/src/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,IAAI,oBAAoB,EAAE,MAAM,yBAAyB,CAAA;AAC5E,OAAO,EAAE,QAAQ,IAAI,kBAAkB,EAAE,MAAM,uBAAuB,CAAA;AACtE,OAAO,QAAQ,MAAM,UAAU,CAAA;AAC/B,OAAO,KAAK,MAAM,MAAM,aAAa,CAAA;AACrC,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAA;AAI/C;;GAEG;AACH,MAAM,UAAU,eAAe,CAAE,KAAiB,EAAE,GAAe;IACjE,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IAEhC,OAAO,CAAC,MAA2C,EAAE,EAAE,CAAC,CAAC,KAAK,SAAU,CAAC;QACvE,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YACjC,MAAM,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;QACrD,CAAC;IACH,CAAC,CAAC,EAAE,CAAA;AACN,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAE,KAAiB,EAAE,GAAe;IACnE,OAAO,CAAC,MAA0B,EAAE,EAAE,CAAC,CAAC,KAAK,SAAU,CAAC;QACtD,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;QAEhC,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YACjC,MAAM,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAA;QACrD,CAAC;IACH,CAAC,CAAC,EAAE,CAAA;AACN,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAE,SAAqB;IAChD,IAAI,CAAC;QACH,0DAA0D;QAC1D,6DAA6D;QAC7D,yDAAyD;QACzD,2DAA2D;QAC3D,0BAA0B;QAC1B,MAAM,QAAQ,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAA;QACvE,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAA;QAC/B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAA;QAC9B,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAA;QAClC,MAAM,GAAG,GAAG,oBAAoB,CAAC,SAAS,IAAI,EAAE,EAAE,QAAQ,CAAC,CAAA;QAE3D,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;QACrC,CAAC;QAED,OAAO;YACL,GAAG,EAAE,MAAM;YACX,SAAS,EAAE,KAAK;YAChB,GAAG;SACJ,CAAA;IACH,CAAC;IAAC,OAAO,GAAQ,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,CAAA;IACrC,CAAC;AACH,CAAC"}

package/dist/src/errors.d.ts

@@ -0,0 +1,7 @@
+export declare const INVALID_PEER = "Not a valid peer connection";
+export declare const INVALID_PSK = "Your private shared key is invalid";
+export declare const NO_LOCAL_ID = "No local private key provided";
+export declare const NO_HANDSHAKE_CONNECTION = "No connection for the handshake provided";
+export declare const STREAM_ENDED = "Stream ended prematurely";
+export declare const ERR_INVALID_PARAMETERS = "ERR_INVALID_PARAMETERS";
+//# sourceMappingURL=errors.d.ts.map

package/dist/src/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,YAAY,gCAAgC,CAAA;AACzD,eAAO,MAAM,WAAW,uCAAuC,CAAA;AAC/D,eAAO,MAAM,WAAW,kCAAkC,CAAA;AAC1D,eAAO,MAAM,uBAAuB,6CAA6C,CAAA;AACjF,eAAO,MAAM,YAAY,6BAA6B,CAAA;AACtD,eAAO,MAAM,sBAAsB,2BAA2B,CAAA"}

package/dist/src/errors.js

@@ -0,0 +1,7 @@
+export const INVALID_PEER = 'Not a valid peer connection';
+export const INVALID_PSK = 'Your private shared key is invalid';
+export const NO_LOCAL_ID = 'No local private key provided';
+export const NO_HANDSHAKE_CONNECTION = 'No connection for the handshake provided';
+export const STREAM_ENDED = 'Stream ended prematurely';
+export const ERR_INVALID_PARAMETERS = 'ERR_INVALID_PARAMETERS';
+//# sourceMappingURL=errors.js.map

package/dist/src/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/errors.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,YAAY,GAAG,6BAA6B,CAAA;AACzD,MAAM,CAAC,MAAM,WAAW,GAAG,oCAAoC,CAAA;AAC/D,MAAM,CAAC,MAAM,WAAW,GAAG,+BAA+B,CAAA;AAC1D,MAAM,CAAC,MAAM,uBAAuB,GAAG,0CAA0C,CAAA;AACjF,MAAM,CAAC,MAAM,YAAY,GAAG,0BAA0B,CAAA;AACtD,MAAM,CAAC,MAAM,sBAAsB,GAAG,wBAAwB,CAAA"}

package/dist/src/index.d.ts

@@ -0,0 +1,76 @@
+/**
+ * @packageDocumentation
+ *
+ * Connection protection management for libp2p leveraging PSK encryption via XSalsa20.
+ *
+ * @example
+ *
+ * ```typescript
+ * import { createLibp2p } from 'libp2p'
+ * import { preSharedKey, generateKey } from '@libp2p/pnet'
+ *
+ * // Create a Uint8Array and write the swarm key to it
+ * const swarmKey = new Uint8Array(95)
+ * generateKey(swarmKey)
+ *
+ * const node = await createLibp2p({
+ *   // ...other options
+ *   connectionProtector: preSharedKey({
+ *     psk: swarmKey
+ *   })
+ * })
+ * ```
+ *
+ * ## Private Shared Keys
+ *
+ * Private Shared Keys are expected to be in the following format:
+ *
+ * ```
+ * /key/swarm/psk/1.0.0/
+ * /base16/
+ * dffb7e3135399a8b1612b2aaca1c36a3a8ac2cd0cca51ceeb2ced87d308cac6d
+ * ```
+ *
+ * ## PSK Generation
+ *
+ * A utility method has been created to generate a key for your private network. You can use one of the methods below to generate your key.
+ *
+ * ### From a module using libp2p
+ *
+ * If you have a module locally that depends on libp2p, you can run the following from that project, assuming the node_modules are installed.
+ *
+ * ```console
+ * node -e "import('@libp2p/pnet').then(({ generateKey }) => generateKey(process.stdout))" > swarm.key
+ * ```
+ *
+ * ### Programmatically
+ *
+ * ```js
+ * import fs from 'fs'
+ * import { generateKey } from '@libp2p/pnet'
+ *
+ * const swarmKey = new Uint8Array(95)
+ * generateKey(swarmKey)
+ *
+ * fs.writeFileSync('swarm.key', swarmKey)
+ * ```
+ */
+import type { ComponentLogger, ConnectionProtector } from '@libp2p/interface';
+export { generateKey } from './key-generator.js';
+export interface ProtectorInit {
+    /**
+     * A pre-shared key. This must be the same byte value for all peers in the
+     * swarm in order for them to communicate.
+     */
+    psk: Uint8Array;
+    /**
+     * The initial nonce exchange must complete within this many milliseconds
+     * (default: 1000)
+     */
+    timeout?: number;
+}
+export interface ProtectorComponents {
+    logger: ComponentLogger;
+}
+export declare function preSharedKey(init: ProtectorInit): (components: ProtectorComponents) => ConnectionProtector;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwDG;AAeH,OAAO,KAAK,EAAE,eAAe,EAAU,mBAAmB,EAAuB,MAAM,mBAAmB,CAAA;AAG1G,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAEhD,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,GAAG,EAAE,UAAU,CAAA;IACf;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,eAAe,CAAA;CACxB;AAyED,wBAAgB,YAAY,CAAE,IAAI,EAAE,aAAa,GAAG,CAAC,UAAU,EAAE,mBAAmB,KAAK,mBAAmB,CAE3G"}

package/dist/src/index.js

@@ -0,0 +1,124 @@
+/**
+ * @packageDocumentation
+ *
+ * Connection protection management for libp2p leveraging PSK encryption via XSalsa20.
+ *
+ * @example
+ *
+ * ```typescript
+ * import { createLibp2p } from 'libp2p'
+ * import { preSharedKey, generateKey } from '@libp2p/pnet'
+ *
+ * // Create a Uint8Array and write the swarm key to it
+ * const swarmKey = new Uint8Array(95)
+ * generateKey(swarmKey)
+ *
+ * const node = await createLibp2p({
+ *   // ...other options
+ *   connectionProtector: preSharedKey({
+ *     psk: swarmKey
+ *   })
+ * })
+ * ```
+ *
+ * ## Private Shared Keys
+ *
+ * Private Shared Keys are expected to be in the following format:
+ *
+ * ```
+ * /key/swarm/psk/1.0.0/
+ * /base16/
+ * dffb7e3135399a8b1612b2aaca1c36a3a8ac2cd0cca51ceeb2ced87d308cac6d
+ * ```
+ *
+ * ## PSK Generation
+ *
+ * A utility method has been created to generate a key for your private network. You can use one of the methods below to generate your key.
+ *
+ * ### From a module using libp2p
+ *
+ * If you have a module locally that depends on libp2p, you can run the following from that project, assuming the node_modules are installed.
+ *
+ * ```console
+ * node -e "import('@libp2p/pnet').then(({ generateKey }) => generateKey(process.stdout))" > swarm.key
+ * ```
+ *
+ * ### Programmatically
+ *
+ * ```js
+ * import fs from 'fs'
+ * import { generateKey } from '@libp2p/pnet'
+ *
+ * const swarmKey = new Uint8Array(95)
+ * generateKey(swarmKey)
+ *
+ * fs.writeFileSync('swarm.key', swarmKey)
+ * ```
+ */
+import { randomBytes } from '@libp2p/crypto';
+import { CodeError } from '@libp2p/interface';
+import { byteStream } from 'it-byte-stream';
+import map from 'it-map';
+import { duplexPair } from 'it-pair/duplex';
+import { pipe } from 'it-pipe';
+import { createBoxStream, createUnboxStream, decodeV1PSK } from './crypto.js';
+import * as Errors from './errors.js';
+import { NONCE_LENGTH } from './key-generator.js';
+export { generateKey } from './key-generator.js';
+class PreSharedKeyConnectionProtector {
+    tag;
+    log;
+    psk;
+    timeout;
+    /**
+     * Takes a Private Shared Key (psk) and provides a `protect` method
+     * for wrapping existing connections in a private encryption stream.
+     */
+    constructor(components, init) {
+        this.log = components.logger.forComponent('libp2p:pnet');
+        this.timeout = init.timeout ?? 1000;
+        const decodedPSK = decodeV1PSK(init.psk);
+        this.psk = decodedPSK.psk;
+        this.tag = decodedPSK.tag ?? '';
+    }
+    /**
+     * Takes a given Connection and creates a private encryption stream
+     * between its two peers from the PSK the Protector instance was
+     * created with.
+     */
+    async protect(connection) {
+        if (connection == null) {
+            throw new CodeError(Errors.NO_HANDSHAKE_CONNECTION, Errors.ERR_INVALID_PARAMETERS);
+        }
+        // Exchange nonces
+        this.log('protecting the connection');
+        const localNonce = randomBytes(NONCE_LENGTH);
+        const signal = AbortSignal.timeout(this.timeout);
+        const bytes = byteStream(connection);
+        const [, result] = await Promise.all([
+            bytes.write(localNonce, {
+                signal
+            }),
+            bytes.read(NONCE_LENGTH, {
+                signal
+            })
+        ]);
+        const remoteNonce = result.subarray();
+        // Create the boxing/unboxing pipe
+        this.log('exchanged nonces');
+        const [internal, external] = duplexPair();
+        pipe(external, 
+        // Encrypt all outbound traffic
+        createBoxStream(localNonce, this.psk), bytes.unwrap(), (source) => map(source, (buf) => buf.subarray()), 
+        // Decrypt all inbound traffic
+        createUnboxStream(remoteNonce, this.psk), external).catch(this.log.error);
+        return {
+            ...connection,
+            ...internal
+        };
+    }
+}
+export function preSharedKey(init) {
+    return (components) => new PreSharedKeyConnectionProtector(components, init);
+}
+//# sourceMappingURL=index.js.map

package/dist/src/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwDG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAA;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAC3C,OAAO,GAAG,MAAM,QAAQ,CAAA;AACxB,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAC3C,OAAO,EAAE,IAAI,EAAE,MAAM,SAAS,CAAA;AAC9B,OAAO,EACL,eAAe,EACf,iBAAiB,EACjB,WAAW,EACZ,MAAM,aAAa,CAAA;AACpB,OAAO,KAAK,MAAM,MAAM,aAAa,CAAA;AACrC,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAIjD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAA;AAmBhD,MAAM,+BAA+B;IAC5B,GAAG,CAAQ;IACD,GAAG,CAAQ;IACX,GAAG,CAAY;IACf,OAAO,CAAQ;IAEhC;;;OAGG;IACH,YAAa,UAA+B,EAAE,IAAmB;QAC/D,IAAI,CAAC,GAAG,GAAG,UAAU,CAAC,MAAM,CAAC,YAAY,CAAC,aAAa,CAAC,CAAA;QACxD,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAA;QAEnC,MAAM,UAAU,GAAG,WAAW,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACxC,IAAI,CAAC,GAAG,GAAG,UAAU,CAAC,GAAG,CAAA;QACzB,IAAI,CAAC,GAAG,GAAG,UAAU,CAAC,GAAG,IAAI,EAAE,CAAA;IACjC,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,OAAO,CAAE,UAA+B;QAC5C,IAAI,UAAU,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,SAAS,CAAC,MAAM,CAAC,uBAAuB,EAAE,MAAM,CAAC,sBAAsB,CAAC,CAAA;QACpF,CAAC;QAED,kBAAkB;QAClB,IAAI,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;QACrC,MAAM,UAAU,GAAG,WAAW,CAAC,YAAY,CAAC,CAAA;QAE5C,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAA;QAEhD,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,CAAC,CAAA;QAEpC,MAAM,CACJ,AADK,EACH,MAAM,CACT,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACpB,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE;gBACtB,MAAM;aACP,CAAC;YACF,KAAK,CAAC,IAAI,CAAC,YAAY,EAAE;gBACvB,MAAM;aACP,CAAC;SACH,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAA;QAErC,kCAAkC;QAClC,IAAI,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAA;QAC5B,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,GAAG,UAAU,EAA+B,CAAA;QACtE,IAAI,CACF,QAAQ;QACR,+BAA+B;QAC/B,eAAe,CAAC,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,EACrC,KAAK,CAAC,MAAM,EAAE,EACd,CAAC,MAAM,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QAChD,8BAA8B;QAC9B,iBAAiB,CAAC,WAAW,EAAE,IAAI,CAAC,GAAG,CAAC,EACxC,QAAQ,CACT,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;QAEvB,OAAO;YACL,GAAG,UAAU;YACb,GAAG,QAAQ;SACZ,CAAA;IACH,CAAC;CACF;AAED,MAAM,UAAU,YAAY,CAAE,IAAmB;IAC/C,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,+BAA+B,CAAC,UAAU,EAAE,IAAI,CAAC,CAAA;AAC9E,CAAC"}

package/dist/src/key-generator.d.ts

@@ -0,0 +1,11 @@
+/// <reference types="node" />
+/**
+ * Generates a PSK that can be used in a libp2p-pnet private network
+ *
+ * @param {Uint8Array | NodeJS.WriteStream} bytes - An object to write the psk into
+ * @returns {void}
+ */
+export declare function generateKey(bytes: Uint8Array | NodeJS.WriteStream): void;
+export declare const NONCE_LENGTH = 24;
+export declare const KEY_LENGTH = 32;
+//# sourceMappingURL=key-generator.d.ts.map

package/dist/src/key-generator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-generator.d.ts","sourceRoot":"","sources":["../../src/key-generator.ts"],"names":[],"mappings":";AAIA;;;;;GAKG;AACH,wBAAgB,WAAW,CAAE,KAAK,EAAE,UAAU,GAAG,MAAM,CAAC,WAAW,GAAG,IAAI,CASzE;AAED,eAAO,MAAM,YAAY,KAAK,CAAA;AAC9B,eAAO,MAAM,UAAU,KAAK,CAAA"}

package/dist/src/key-generator.js

@@ -0,0 +1,22 @@
+import { randomBytes } from '@libp2p/crypto';
+import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string';
+import { toString as uint8ArrayToString } from 'uint8arrays/to-string';
+/**
+ * Generates a PSK that can be used in a libp2p-pnet private network
+ *
+ * @param {Uint8Array | NodeJS.WriteStream} bytes - An object to write the psk into
+ * @returns {void}
+ */
+export function generateKey(bytes) {
+    const psk = uint8ArrayToString(randomBytes(KEY_LENGTH), 'base16');
+    const key = uint8ArrayFromString('/key/swarm/psk/1.0.0/\n/base16/\n' + psk);
+    if (bytes instanceof Uint8Array) {
+        bytes.set(key);
+    }
+    else {
+        bytes.write(key);
+    }
+}
+export const NONCE_LENGTH = 24;
+export const KEY_LENGTH = 32;
+//# sourceMappingURL=key-generator.js.map

package/dist/src/key-generator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-generator.js","sourceRoot":"","sources":["../../src/key-generator.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAA;AAC5C,OAAO,EAAE,UAAU,IAAI,oBAAoB,EAAE,MAAM,yBAAyB,CAAA;AAC5E,OAAO,EAAE,QAAQ,IAAI,kBAAkB,EAAE,MAAM,uBAAuB,CAAA;AAEtE;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAE,KAAsC;IACjE,MAAM,GAAG,GAAG,kBAAkB,CAAC,WAAW,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,CAAA;IACjE,MAAM,GAAG,GAAG,oBAAoB,CAAC,mCAAmC,GAAG,GAAG,CAAC,CAAA;IAE3E,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;QAChC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IAChB,CAAC;SAAM,CAAC;QACN,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,YAAY,GAAG,EAAE,CAAA;AAC9B,MAAM,CAAC,MAAM,UAAU,GAAG,EAAE,CAAA"}

package/package.json

@@ -0,0 +1,72 @@
+{
+  "name": "@libp2p/pnet",
+  "version": "1.0.0-01e9a5fe4",
+  "description": "Implementation of Connection protection management via a shared secret",
+  "license": "Apache-2.0 OR MIT",
+  "homepage": "https://github.com/libp2p/js-libp2p/tree/main/packages/pnet#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/libp2p/js-libp2p.git"
+  },
+  "bugs": {
+    "url": "https://github.com/libp2p/js-libp2p/issues"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "type": "module",
+  "types": "./dist/src/index.d.ts",
+  "files": [
+    "src",
+    "dist",
+    "!dist/test",
+    "!**/*.tsbuildinfo"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/src/index.d.ts",
+      "import": "./dist/src/index.js"
+    }
+  },
+  "eslintConfig": {
+    "extends": "ipfs",
+    "parserOptions": {
+      "project": true,
+      "sourceType": "module"
+    }
+  },
+  "scripts": {
+    "build": "aegir build",
+    "test": "aegir test",
+    "clean": "aegir clean",
+    "lint": "aegir lint",
+    "test:chrome": "aegir test -t browser --cov",
+    "test:chrome-webworker": "aegir test -t webworker",
+    "test:firefox": "aegir test -t browser -- --browser firefox",
+    "test:firefox-webworker": "aegir test -t webworker -- --browser firefox",
+    "test:node": "aegir test -t node --cov",
+    "dep-check": "aegir dep-check"
+  },
+  "dependencies": {
+    "@libp2p/crypto": "3.0.2-01e9a5fe4",
+    "@libp2p/interface": "1.0.2-01e9a5fe4",
+    "it-byte-stream": "^1.0.5",
+    "it-map": "^3.0.4",
+    "it-pair": "^2.0.6",
+    "it-pipe": "^3.0.1",
+    "it-stream-types": "^2.0.1",
+    "uint8arraylist": "^2.4.7",
+    "uint8arrays": "^5.0.0",
+    "xsalsa20": "^1.1.0"
+  },
+  "devDependencies": {
+    "@libp2p/interface-compliance-tests": "5.0.7-01e9a5fe4",
+    "@libp2p/logger": "4.0.2-01e9a5fe4",
+    "@libp2p/peer-id-factory": "4.0.1-01e9a5fe4",
+    "@multiformats/multiaddr": "^12.1.10",
+    "@types/xsalsa20": "^1.1.0",
+    "aegir": "^41.0.2",
+    "it-all": "^3.0.3"
+  }
+}

package/src/crypto.ts

@@ -0,0 +1,63 @@
+import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
+import { toString as uint8ArrayToString } from 'uint8arrays/to-string'
+import xsalsa20 from 'xsalsa20'
+import * as Errors from './errors.js'
+import { KEY_LENGTH } from './key-generator.js'
+import type { Source } from 'it-stream-types'
+import type { Uint8ArrayList } from 'uint8arraylist'
+
+/**
+ * Creates a stream iterable to encrypt messages in a private network
+ */
+export function createBoxStream (nonce: Uint8Array, psk: Uint8Array): (source: Source<Uint8Array | Uint8ArrayList>) => AsyncGenerator<Uint8Array | Uint8ArrayList> {
+  const xor = xsalsa20(nonce, psk)
+
+  return (source: Source<Uint8Array | Uint8ArrayList>) => (async function * () {
+    for await (const chunk of source) {
+      yield Uint8Array.from(xor.update(chunk.subarray()))
+    }
+  })()
+}
+
+/**
+ * Creates a stream iterable to decrypt messages in a private network
+ */
+export function createUnboxStream (nonce: Uint8Array, psk: Uint8Array) {
+  return (source: Source<Uint8Array>) => (async function * () {
+    const xor = xsalsa20(nonce, psk)
+
+    for await (const chunk of source) {
+      yield Uint8Array.from(xor.update(chunk.subarray()))
+    }
+  })()
+}
+
+/**
+ * Decode the version 1 psk from the given Uint8Array
+ */
+export function decodeV1PSK (pskBuffer: Uint8Array): { tag: string | undefined, codecName: string | undefined, psk: Uint8Array } {
+  try {
+    // This should pull from multibase/multicodec to allow for
+    // more encoding flexibility. Ideally we'd consume the codecs
+    // from the buffer line by line to evaluate the next line
+    // programmatically instead of making assumptions about the
+    // encodings of each line.
+    const metadata = uint8ArrayToString(pskBuffer).split(/(?:\r\n|\r|\n)/g)
+    const pskTag = metadata.shift()
+    const codec = metadata.shift()
+    const pskString = metadata.shift()
+    const psk = uint8ArrayFromString(pskString ?? '', 'base16')
+
+    if (psk.byteLength !== KEY_LENGTH) {
+      throw new Error(Errors.INVALID_PSK)
+    }
+
+    return {
+      tag: pskTag,
+      codecName: codec,
+      psk
+    }
+  } catch (err: any) {
+    throw new Error(Errors.INVALID_PSK)
+  }
+}

package/src/errors.ts

@@ -0,0 +1,6 @@
+export const INVALID_PEER = 'Not a valid peer connection'
+export const INVALID_PSK = 'Your private shared key is invalid'
+export const NO_LOCAL_ID = 'No local private key provided'
+export const NO_HANDSHAKE_CONNECTION = 'No connection for the handshake provided'
+export const STREAM_ENDED = 'Stream ended prematurely'
+export const ERR_INVALID_PARAMETERS = 'ERR_INVALID_PARAMETERS'

package/src/index.ts

@@ -0,0 +1,167 @@
+/**
+ * @packageDocumentation
+ *
+ * Connection protection management for libp2p leveraging PSK encryption via XSalsa20.
+ *
+ * @example
+ *
+ * ```typescript
+ * import { createLibp2p } from 'libp2p'
+ * import { preSharedKey, generateKey } from '@libp2p/pnet'
+ *
+ * // Create a Uint8Array and write the swarm key to it
+ * const swarmKey = new Uint8Array(95)
+ * generateKey(swarmKey)
+ *
+ * const node = await createLibp2p({
+ *   // ...other options
+ *   connectionProtector: preSharedKey({
+ *     psk: swarmKey
+ *   })
+ * })
+ * ```
+ *
+ * ## Private Shared Keys
+ *
+ * Private Shared Keys are expected to be in the following format:
+ *
+ * ```
+ * /key/swarm/psk/1.0.0/
+ * /base16/
+ * dffb7e3135399a8b1612b2aaca1c36a3a8ac2cd0cca51ceeb2ced87d308cac6d
+ * ```
+ *
+ * ## PSK Generation
+ *
+ * A utility method has been created to generate a key for your private network. You can use one of the methods below to generate your key.
+ *
+ * ### From a module using libp2p
+ *
+ * If you have a module locally that depends on libp2p, you can run the following from that project, assuming the node_modules are installed.
+ *
+ * ```console
+ * node -e "import('@libp2p/pnet').then(({ generateKey }) => generateKey(process.stdout))" > swarm.key
+ * ```
+ *
+ * ### Programmatically
+ *
+ * ```js
+ * import fs from 'fs'
+ * import { generateKey } from '@libp2p/pnet'
+ *
+ * const swarmKey = new Uint8Array(95)
+ * generateKey(swarmKey)
+ *
+ * fs.writeFileSync('swarm.key', swarmKey)
+ * ```
+ */
+
+import { randomBytes } from '@libp2p/crypto'
+import { CodeError } from '@libp2p/interface'
+import { byteStream } from 'it-byte-stream'
+import map from 'it-map'
+import { duplexPair } from 'it-pair/duplex'
+import { pipe } from 'it-pipe'
+import {
+  createBoxStream,
+  createUnboxStream,
+  decodeV1PSK
+} from './crypto.js'
+import * as Errors from './errors.js'
+import { NONCE_LENGTH } from './key-generator.js'
+import type { ComponentLogger, Logger, ConnectionProtector, MultiaddrConnection } from '@libp2p/interface'
+import type { Uint8ArrayList } from 'uint8arraylist'
+
+export { generateKey } from './key-generator.js'
+
+export interface ProtectorInit {
+  /**
+   * A pre-shared key. This must be the same byte value for all peers in the
+   * swarm in order for them to communicate.
+   */
+  psk: Uint8Array
+  /**
+   * The initial nonce exchange must complete within this many milliseconds
+   * (default: 1000)
+   */
+  timeout?: number
+}
+
+export interface ProtectorComponents {
+  logger: ComponentLogger
+}
+
+class PreSharedKeyConnectionProtector implements ConnectionProtector {
+  public tag: string
+  private readonly log: Logger
+  private readonly psk: Uint8Array
+  private readonly timeout: number
+
+  /**
+   * Takes a Private Shared Key (psk) and provides a `protect` method
+   * for wrapping existing connections in a private encryption stream.
+   */
+  constructor (components: ProtectorComponents, init: ProtectorInit) {
+    this.log = components.logger.forComponent('libp2p:pnet')
+    this.timeout = init.timeout ?? 1000
+
+    const decodedPSK = decodeV1PSK(init.psk)
+    this.psk = decodedPSK.psk
+    this.tag = decodedPSK.tag ?? ''
+  }
+
+  /**
+   * Takes a given Connection and creates a private encryption stream
+   * between its two peers from the PSK the Protector instance was
+   * created with.
+   */
+  async protect (connection: MultiaddrConnection): Promise<MultiaddrConnection> {
+    if (connection == null) {
+      throw new CodeError(Errors.NO_HANDSHAKE_CONNECTION, Errors.ERR_INVALID_PARAMETERS)
+    }
+
+    // Exchange nonces
+    this.log('protecting the connection')
+    const localNonce = randomBytes(NONCE_LENGTH)
+
+    const signal = AbortSignal.timeout(this.timeout)
+
+    const bytes = byteStream(connection)
+
+    const [
+      , result
+    ] = await Promise.all([
+      bytes.write(localNonce, {
+        signal
+      }),
+      bytes.read(NONCE_LENGTH, {
+        signal
+      })
+    ])
+
+    const remoteNonce = result.subarray()
+
+    // Create the boxing/unboxing pipe
+    this.log('exchanged nonces')
+    const [internal, external] = duplexPair<Uint8Array | Uint8ArrayList>()
+    pipe(
+      external,
+      // Encrypt all outbound traffic
+      createBoxStream(localNonce, this.psk),
+      bytes.unwrap(),
+      (source) => map(source, (buf) => buf.subarray()),
+      // Decrypt all inbound traffic
+      createUnboxStream(remoteNonce, this.psk),
+      external
+    ).catch(this.log.error)
+
+    return {
+      ...connection,
+      ...internal
+    }
+  }
+}
+
+export function preSharedKey (init: ProtectorInit): (components: ProtectorComponents) => ConnectionProtector {
+  return (components) => new PreSharedKeyConnectionProtector(components, init)
+}

package/src/key-generator.ts

@@ -0,0 +1,23 @@
+import { randomBytes } from '@libp2p/crypto'
+import { fromString as uint8ArrayFromString } from 'uint8arrays/from-string'
+import { toString as uint8ArrayToString } from 'uint8arrays/to-string'
+
+/**
+ * Generates a PSK that can be used in a libp2p-pnet private network
+ *
+ * @param {Uint8Array | NodeJS.WriteStream} bytes - An object to write the psk into
+ * @returns {void}
+ */
+export function generateKey (bytes: Uint8Array | NodeJS.WriteStream): void {
+  const psk = uint8ArrayToString(randomBytes(KEY_LENGTH), 'base16')
+  const key = uint8ArrayFromString('/key/swarm/psk/1.0.0/\n/base16/\n' + psk)
+
+  if (bytes instanceof Uint8Array) {
+    bytes.set(key)
+  } else {
+    bytes.write(key)
+  }
+}
+
+export const NONCE_LENGTH = 24
+export const KEY_LENGTH = 32