@lindorm/aes 0.5.4 → 0.6.0

package/CHANGELOG.md

@@ -3,6 +3,36 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+# [0.6.0](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.5.5...@lindorm/aes@0.6.0) (2026-02-17)
+
+### Bug Fixes
+
+- **aes:** add buffer boundary validation in encoded string parser ([579e8f7](https://github.com/lindorm-io/monorepo/commit/579e8f7eb40570f978cd52d1f87f7f8570474d6d))
+- **aes:** add GCM auth tag enforcement and key-wrap input validation ([1a8fd3c](https://github.com/lindorm-io/monorepo/commit/1a8fd3cb6f83cf59a3089a777fba4c8b7f1828fb))
+- **aes:** add missing @lindorm/utils dependency ([6d0ee2a](https://github.com/lindorm-io/monorepo/commit/6d0ee2ae68f91fb9eb04529c96e05ff1d843dfd0))
+- **aes:** make CBC HMAC auth tag compliant with RFC 7518 ([7877022](https://github.com/lindorm-io/monorepo/commit/7877022bebdf902ff13996b1032a991356f3760c))
+- **aes:** make PBES2 salt compliant with RFC 7518 ([2693afa](https://github.com/lindorm-io/monorepo/commit/2693afa88db535aeaff7fd5537885dd3a45bc09a))
+- **aes:** make verify/assert work with non-string content ([aa94c66](https://github.com/lindorm-io/monorepo/commit/aa94c66511326f70fdfc0245ce12953025aa4236))
+- **aes:** remove unnecessary g flag from tokenised regex ([5a989b1](https://github.com/lindorm-io/monorepo/commit/5a989b1d96b025b3180339294e8ea072d215c7d3))
+- **aes:** replace generic Error with AesError in all locations ([ff7a08d](https://github.com/lindorm-io/monorepo/commit/ff7a08d55e9b39755e059e31e99fb45b687bdde2))
+- **aes:** use Concat KDF per RFC 7518 for ECDH-ES key agreement ([8e92b8f](https://github.com/lindorm-io/monorepo/commit/8e92b8f60ee46c99f0c66af244fd1e7648130a9c))
+- **aes:** use crypto.randomInt for PBKDF2 iterations, fix RSA test fixture ([a5457aa](https://github.com/lindorm-io/monorepo/commit/a5457aa5973e4eab662dbc6e62c9470f7d6fabf2))
+- **aes:** use oct keys directly for AES key wrap per RFC 7518 ([c65ca49](https://github.com/lindorm-io/monorepo/commit/c65ca49d758f21e868e96512a96fc8df0559947e))
+- **aes:** use timingSafeEqual for ECB key unwrap integrity check ([dd27a65](https://github.com/lindorm-io/monorepo/commit/dd27a65c84eed068d6e9e5de34d0eaca6cda67fc))
+- **aes:** use timingSafeEqual for HMAC auth tag verification ([757bef5](https://github.com/lindorm-io/monorepo/commit/757bef5657a6d1366c222c9205a8f4cfe563e77d))
+- **lint:** add missing eslint-config-prettier and fix prettier formatting ([6899e39](https://github.com/lindorm-io/monorepo/commit/6899e39ad7700e373173b0a61b429b5536c13934))
+- **lint:** resolve eslint warnings and errors ([210ef3c](https://github.com/lindorm-io/monorepo/commit/210ef3c91c82521c4cec57bc2256324ba9c3f45a))
+
+### Features
+
+- **aes:** accept optional AAD parameter for authenticated encryption ([011b67f](https://github.com/lindorm-io/monorepo/commit/011b67fb8ba18a361e2c31fd0e78298a89f89cd2))
+- **aes:** add prepareEncryption() for two-step JWE-compliant encryption ([56b3c54](https://github.com/lindorm-io/monorepo/commit/56b3c5435722b2b94f05d6483c7651ccdd5ea9dd))
+- **aes:** rewrite formats with unified model and always-on AAD ([bc1da71](https://github.com/lindorm-io/monorepo/commit/bc1da719d5ee5ee151d9220e6e738a9431e036b6))
+
+## [0.5.5](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.5.4...@lindorm/aes@0.5.5) (2025-09-18)
+
+**Note:** Version bump only for package @lindorm/aes
+
 ## [0.5.4](https://github.com/lindorm-io/monorepo/compare/@lindorm/aes@0.5.3...@lindorm/aes@0.5.4) (2025-07-19)
 
 **Note:** Version bump only for package @lindorm/aes

package/MERMAID.md

@@ -0,0 +1,155 @@
+# Mermaid Diagram
+
+```mermaid
+
+  graph TB
+      subgraph "External Dependencies"
+          KRYPTOS["@lindorm/kryptos<br/>(Key Management)"]
+          B64["@lindorm/b64<br/>(Base64 Encoding)"]
+          IS["@lindorm/is<br/>(Type Guards)"]
+          ERRORS["@lindorm/errors<br/>(Error Handling)"]
+      end
+
+      subgraph "Public API"
+          AESKIT["AesKit Class<br/>Main Entry Point"]
+          PARSE["parseAes()<br/>Parse any format"]
+          ISAES["isAesTokenised()<br/>Type checking"]
+      end
+
+      subgraph "Encryption Flow"
+          ENCRYPT["encrypt(data, mode)"]
+          GET_ENC_KEY["getEncryptionKey()"]
+
+          subgraph "Key Type Routing"
+              EC_ENC["EC Keys<br/>(Elliptic Curve)"]
+              OKP_ENC["OKP Keys<br/>(Edwards Curve)"]
+              OCT_ENC["oct Keys<br/>(Symmetric)"]
+              RSA_ENC["RSA Keys"]
+          end
+
+          subgraph "Key Derivation Methods"
+              DIR["Direct Key<br/>(dir)"]
+              ECDH["ECDH-ES<br/>(Diffie-Hellman)"]
+              KEYWRAP["Key Wrap<br/>(AES-KW/GCM)"]
+              PBKDF["PBKDF2<br/>(Password-based)"]
+          end
+
+          CEK["Content Encryption Key<br/>(Split into encKey + hashKey)"]
+          AES_CIPHER["Node crypto.createCipheriv()<br/>(AES-128/192/256-CBC/GCM)"]
+          AUTH_TAG["Generate Auth Tag<br/>(GCM or HMAC)"]
+
+          subgraph "Output Modes"
+              ENCODED["Encoded<br/>(base64 string)"]
+              RECORD["Record<br/>(Buffer objects)"]
+              SERIALISED["Serialised<br/>(JSON-safe strings)"]
+              TOKENISED["Tokenised<br/>($enc$params$content$)"]
+          end
+      end
+
+      subgraph "Decryption Flow"
+          DECRYPT["decrypt(data)"]
+          PARSE_INPUT["Parse Input<br/>(parseAes)"]
+          GET_DEC_KEY["getDecryptionKey()"]
+
+          subgraph "Key Type Decryption"
+              EC_DEC["EC Keys"]
+              OKP_DEC["OKP Keys"]
+              OCT_DEC["oct Keys"]
+              RSA_DEC["RSA Keys"]
+          end
+
+          CEK_DEC["Content Encryption Key"]
+          AES_DECIPHER["Node crypto.createDecipheriv()"]
+          VERIFY_TAG["Verify Auth Tag"]
+          PARSE_CONTENT["Parse Content<br/>(by contentType)"]
+      end
+
+      subgraph "Data Types"
+          CONTENT["AesContent<br/>string | Buffer | object | array | number"]
+          CONTENT_TYPE["AesContentType<br/>text/plain | application/json | application/octet-stream"]
+      end
+
+      subgraph "Encryption Metadata"
+          RECORD_TYPE["AesEncryptionRecord<br/>• algorithm<br/>• encryption<br/>• keyId<br/>• content<br/>•
+  authTag<br/>• IV<br/>• contentType<br/>• pbkdfSalt/Iterations<br/>• publicEncryptionKey/Jwk"]
+      end
+
+      %% Main flow connections
+      AESKIT --> ENCRYPT
+      AESKIT --> DECRYPT
+      AESKIT --> KRYPTOS
+
+      ENCRYPT --> CONTENT
+      ENCRYPT --> GET_ENC_KEY
+      GET_ENC_KEY --> KRYPTOS
+
+      GET_ENC_KEY --> EC_ENC
+      GET_ENC_KEY --> OKP_ENC
+      GET_ENC_KEY --> OCT_ENC
+      GET_ENC_KEY --> RSA_ENC
+
+      EC_ENC --> ECDH
+      EC_ENC --> KEYWRAP
+      OKP_ENC --> ECDH
+      OKP_ENC --> KEYWRAP
+      OCT_ENC --> DIR
+      OCT_ENC --> KEYWRAP
+      OCT_ENC --> PBKDF
+      RSA_ENC --> KEYWRAP
+
+      ECDH --> CEK
+      KEYWRAP --> CEK
+      PBKDF --> CEK
+      DIR --> CEK
+
+      CEK --> AES_CIPHER
+      CONTENT --> AES_CIPHER
+      AES_CIPHER --> AUTH_TAG
+
+      AUTH_TAG --> RECORD_TYPE
+
+      RECORD_TYPE --> ENCODED
+      RECORD_TYPE --> RECORD
+      RECORD_TYPE --> SERIALISED
+      RECORD_TYPE --> TOKENISED
+
+      %% Decryption flow
+      DECRYPT --> PARSE_INPUT
+      PARSE_INPUT --> ENCODED
+      PARSE_INPUT --> RECORD
+      PARSE_INPUT --> SERIALISED
+      PARSE_INPUT --> TOKENISED
+
+      PARSE_INPUT --> GET_DEC_KEY
+      GET_DEC_KEY --> KRYPTOS
+
+      GET_DEC_KEY --> EC_DEC
+      GET_DEC_KEY --> OKP_DEC
+      GET_DEC_KEY --> OCT_DEC
+      GET_DEC_KEY --> RSA_DEC
+
+      EC_DEC --> CEK_DEC
+      OKP_DEC --> CEK_DEC
+      OCT_DEC --> CEK_DEC
+      RSA_DEC --> CEK_DEC
+
+      CEK_DEC --> AES_DECIPHER
+      RECORD_TYPE --> AES_DECIPHER
+      AES_DECIPHER --> VERIFY_TAG
+      VERIFY_TAG --> PARSE_CONTENT
+      PARSE_CONTENT --> CONTENT_TYPE
+
+      %% Utility connections
+      B64 --> ENCODED
+      B64 --> TOKENISED
+      B64 --> SERIALISED
+      IS --> PARSE_INPUT
+      ERRORS --> AESKIT
+
+      style AESKIT fill:#4a90e2,stroke:#2e5c8a,color:#fff
+      style ENCRYPT fill:#50c878,stroke:#2d7a4a,color:#fff
+      style DECRYPT fill:#e27d60,stroke:#a85a43,color:#fff
+      style KRYPTOS fill:#9b59b6,stroke:#6c3a8a,color:#fff
+      style CEK fill:#f39c12,stroke:#b87a0a,color:#fff
+      style CEK_DEC fill:#f39c12,stroke:#b87a0a,color:#fff
+```