@metamask-previews/passkey-controller 0.0.0-preview-4c0846313

package/dist/types.d.mts

@@ -0,0 +1,92 @@
+export type Base64String = string;
+export type Base64URLString = string;
+export type AuthenticatorTransportFuture = 'ble' | 'cable' | 'hybrid' | 'internal' | 'nfc' | 'smart-card' | 'usb';
+/**
+ * WebAuthn credential metadata used to identify the passkey and verify
+ * subsequent assertions.
+ */
+export type PasskeyCredentialInfo = {
+    /** WebAuthn credential ID (base64url). */
+    id: Base64URLString;
+    /** COSE-encoded credential public key (base64url) used to verify assertions. */
+    publicKey: Base64URLString;
+    /** Authenticator signature counter for replay/clone detection. */
+    counter: number;
+    /** Authenticator transports hint for `allowCredentials`. */
+    transports?: AuthenticatorTransportFuture[];
+};
+/**
+ * Vault key wrapped under the passkey-derived AES-256-GCM key.
+ */
+export type EncryptedVaultKey = {
+    /** Base64-encoded AES-256-GCM ciphertext of the vault key. */
+    ciphertext: Base64String;
+    /** Base64-encoded AES-GCM IV used during encryption. */
+    iv: Base64String;
+};
+/**
+ * Parameters needed to reproduce the AES-256 wrapping key at unlock time.
+ *
+ * Encoded as a discriminated union so PRF-only fields (e.g. `prfSalt`) can
+ * only exist on the PRF branch, removing the "optional but actually
+ * required" footgun.
+ */
+export type PasskeyKeyDerivation = {
+    method: 'prf';
+    /**
+     * PRF salt sent in `get()` extension options to reproduce the same PRF
+     * output that was generated at registration.
+     */
+    prfSalt: Base64URLString;
+} | {
+    method: 'userHandle';
+};
+/** Discriminator value for {@link PasskeyKeyDerivation}. */
+export type PasskeyDerivationMethod = PasskeyKeyDerivation['method'];
+export type PasskeyRecord = {
+    /** WebAuthn credential metadata used for assertion verification & re-discovery. */
+    credential: PasskeyCredentialInfo;
+    /** Vault key wrapped under the passkey-derived key. */
+    encryptedVaultKey: EncryptedVaultKey;
+    /** How the wrapping key is reconstructed at unlock time. */
+    keyDerivation: PasskeyKeyDerivation;
+};
+/**
+ * In-memory state for one **in-flight** WebAuthn **registration** ceremony
+ * (from `create()` options until `protectVaultKeyWithPasskey` completes). This is
+ * not a user login session; it is keyed by challenge and distinct from the full
+ * spec ceremony (which includes the authenticator round-trip).
+ */
+export type PasskeyRegistrationCeremony = {
+    userHandle: Base64URLString;
+    prfSalt: Base64URLString;
+    challenge: Base64URLString;
+    /** When this ceremony was started (ms since epoch); used for TTL pruning. */
+    createdAt: number;
+};
+/**
+ * In-memory state for one **in-flight** WebAuthn **authentication** ceremony
+ * (`get()` options until the assertion is verified). Not a user login session.
+ */
+export type PasskeyAuthenticationCeremony = {
+    challenge: Base64URLString;
+    /** When this ceremony was started (ms since epoch); used for TTL pruning. */
+    createdAt: number;
+};
+/**
+ * PRF extension types not covered by DOM typings.
+ */
+export type PrfEvalExtension = {
+    eval: {
+        first: Base64URLString;
+    };
+};
+export type PrfClientExtensionResults = {
+    prf?: {
+        enabled?: boolean;
+        results?: {
+            first?: Base64URLString;
+        };
+    };
+};
+//# sourceMappingURL=types.d.mts.map

package/dist/types.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.mts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC;AAElC,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC;AAErC,MAAM,MAAM,4BAA4B,GACpC,KAAK,GACL,OAAO,GACP,QAAQ,GACR,UAAU,GACV,KAAK,GACL,YAAY,GACZ,KAAK,CAAC;AAEV;;;GAGG;AACH,MAAM,MAAM,qBAAqB,GAAG;IAClC,0CAA0C;IAC1C,EAAE,EAAE,eAAe,CAAC;IACpB,gFAAgF;IAChF,SAAS,EAAE,eAAe,CAAC;IAC3B,kEAAkE;IAClE,OAAO,EAAE,MAAM,CAAC;IAChB,4DAA4D;IAC5D,UAAU,CAAC,EAAE,4BAA4B,EAAE,CAAC;CAC7C,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG;IAC9B,8DAA8D;IAC9D,UAAU,EAAE,YAAY,CAAC;IACzB,wDAAwD;IACxD,EAAE,EAAE,YAAY,CAAC;CAClB,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,oBAAoB,GAC5B;IACE,MAAM,EAAE,KAAK,CAAC;IACd;;;OAGG;IACH,OAAO,EAAE,eAAe,CAAC;CAC1B,GACD;IAAE,MAAM,EAAE,YAAY,CAAA;CAAE,CAAC;AAE7B,4DAA4D;AAC5D,MAAM,MAAM,uBAAuB,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;AAErE,MAAM,MAAM,aAAa,GAAG;IAC1B,mFAAmF;IACnF,UAAU,EAAE,qBAAqB,CAAC;IAClC,uDAAuD;IACvD,iBAAiB,EAAE,iBAAiB,CAAC;IACrC,4DAA4D;IAC5D,aAAa,EAAE,oBAAoB,CAAC;CACrC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,MAAM,2BAA2B,GAAG;IACxC,UAAU,EAAE,eAAe,CAAC;IAC5B,OAAO,EAAE,eAAe,CAAC;IACzB,SAAS,EAAE,eAAe,CAAC;IAC3B,6EAA6E;IAC7E,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,6BAA6B,GAAG;IAC1C,SAAS,EAAE,eAAe,CAAC;IAC3B,6EAA6E;IAC7E,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAEF;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B,IAAI,EAAE;QACJ,KAAK,EAAE,eAAe,CAAC;KACxB,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,yBAAyB,GAAG;IACtC,GAAG,CAAC,EAAE;QACJ,OAAO,CAAC,EAAE,OAAO,CAAC;QAClB,OAAO,CAAC,EAAE;YAAE,KAAK,CAAC,EAAE,eAAe,CAAA;SAAE,CAAC;KACvC,CAAC;CACH,CAAC"}

package/dist/types.mjs

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.mjs.map

package/dist/types.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.mjs","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"","sourcesContent":["export type Base64String = string;\n\nexport type Base64URLString = string;\n\nexport type AuthenticatorTransportFuture =\n  | 'ble'\n  | 'cable'\n  | 'hybrid'\n  | 'internal'\n  | 'nfc'\n  | 'smart-card'\n  | 'usb';\n\n/**\n * WebAuthn credential metadata used to identify the passkey and verify\n * subsequent assertions.\n */\nexport type PasskeyCredentialInfo = {\n  /** WebAuthn credential ID (base64url). */\n  id: Base64URLString;\n  /** COSE-encoded credential public key (base64url) used to verify assertions. */\n  publicKey: Base64URLString;\n  /** Authenticator signature counter for replay/clone detection. */\n  counter: number;\n  /** Authenticator transports hint for `allowCredentials`. */\n  transports?: AuthenticatorTransportFuture[];\n};\n\n/**\n * Vault key wrapped under the passkey-derived AES-256-GCM key.\n */\nexport type EncryptedVaultKey = {\n  /** Base64-encoded AES-256-GCM ciphertext of the vault key. */\n  ciphertext: Base64String;\n  /** Base64-encoded AES-GCM IV used during encryption. */\n  iv: Base64String;\n};\n\n/**\n * Parameters needed to reproduce the AES-256 wrapping key at unlock time.\n *\n * Encoded as a discriminated union so PRF-only fields (e.g. `prfSalt`) can\n * only exist on the PRF branch, removing the \"optional but actually\n * required\" footgun.\n */\nexport type PasskeyKeyDerivation =\n  | {\n      method: 'prf';\n      /**\n       * PRF salt sent in `get()` extension options to reproduce the same PRF\n       * output that was generated at registration.\n       */\n      prfSalt: Base64URLString;\n    }\n  | { method: 'userHandle' };\n\n/** Discriminator value for {@link PasskeyKeyDerivation}. */\nexport type PasskeyDerivationMethod = PasskeyKeyDerivation['method'];\n\nexport type PasskeyRecord = {\n  /** WebAuthn credential metadata used for assertion verification & re-discovery. */\n  credential: PasskeyCredentialInfo;\n  /** Vault key wrapped under the passkey-derived key. */\n  encryptedVaultKey: EncryptedVaultKey;\n  /** How the wrapping key is reconstructed at unlock time. */\n  keyDerivation: PasskeyKeyDerivation;\n};\n\n/**\n * In-memory state for one **in-flight** WebAuthn **registration** ceremony\n * (from `create()` options until `protectVaultKeyWithPasskey` completes). This is\n * not a user login session; it is keyed by challenge and distinct from the full\n * spec ceremony (which includes the authenticator round-trip).\n */\nexport type PasskeyRegistrationCeremony = {\n  userHandle: Base64URLString;\n  prfSalt: Base64URLString;\n  challenge: Base64URLString;\n  /** When this ceremony was started (ms since epoch); used for TTL pruning. */\n  createdAt: number;\n};\n\n/**\n * In-memory state for one **in-flight** WebAuthn **authentication** ceremony\n * (`get()` options until the assertion is verified). Not a user login session.\n */\nexport type PasskeyAuthenticationCeremony = {\n  challenge: Base64URLString;\n  /** When this ceremony was started (ms since epoch); used for TTL pruning. */\n  createdAt: number;\n};\n\n/**\n * PRF extension types not covered by DOM typings.\n */\nexport type PrfEvalExtension = {\n  eval: {\n    first: Base64URLString;\n  };\n};\n\nexport type PrfClientExtensionResults = {\n  prf?: {\n    enabled?: boolean;\n    results?: { first?: Base64URLString };\n  };\n};\n"]}

package/dist/utils/crypto.cjs

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.decryptWithKey = exports.encryptWithKey = exports.deriveEncryptionKey = void 0;
+const utils_1 = require("@metamask/utils");
+const aes_1 = require("@noble/ciphers/aes");
+const webcrypto_1 = require("@noble/ciphers/webcrypto");
+const hkdf_1 = require("@noble/hashes/hkdf");
+const sha2_1 = require("@noble/hashes/sha2");
+const PASSKEY_HKDF_INFO = 'metamask:passkey:encryption-key:v1';
+const AES_GCM_IV_LENGTH = 12;
+/**
+ * Derives an AES-256 encryption key from input key material and a credential ID
+ * using HKDF-SHA256.
+ *
+ * @param ikm - Input key material (e.g. PRF output or userHandle).
+ * @param salt - HKDF salt.
+ * @returns 32-byte derived encryption key.
+ */
+function deriveEncryptionKey(ikm, salt) {
+    return (0, hkdf_1.hkdf)(sha2_1.sha256, ikm, salt, PASSKEY_HKDF_INFO, 32);
+}
+exports.deriveEncryptionKey = deriveEncryptionKey;
+/**
+ * Encrypts plaintext with an AES-256-GCM key.
+ *
+ * @param plaintext - UTF-8 string to encrypt.
+ * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.
+ * @returns Base64-encoded ciphertext and IV.
+ */
+function encryptWithKey(plaintext, key) {
+    const iv = (0, webcrypto_1.randomBytes)(AES_GCM_IV_LENGTH);
+    const encoded = new TextEncoder().encode(plaintext);
+    const ciphertextBytes = (0, aes_1.gcm)(key, iv).encrypt(encoded);
+    return {
+        ciphertext: (0, utils_1.bytesToBase64)(ciphertextBytes),
+        iv: (0, utils_1.bytesToBase64)(iv),
+    };
+}
+exports.encryptWithKey = encryptWithKey;
+/**
+ * Decrypts AES-256-GCM ciphertext with the given key.
+ *
+ * @param ciphertext - Base64-encoded ciphertext.
+ * @param iv - Base64-encoded initialization vector.
+ * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.
+ * @returns Decrypted UTF-8 string.
+ */
+function decryptWithKey(ciphertext, iv, key) {
+    const ciphertextBytes = (0, utils_1.base64ToBytes)(ciphertext);
+    const ivBytes = (0, utils_1.base64ToBytes)(iv);
+    const plaintext = (0, aes_1.gcm)(key, ivBytes).decrypt(ciphertextBytes);
+    return new TextDecoder().decode(plaintext);
+}
+exports.decryptWithKey = decryptWithKey;
+//# sourceMappingURL=crypto.cjs.map

package/dist/utils/crypto.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.cjs","sourceRoot":"","sources":["../../src/utils/crypto.ts"],"names":[],"mappings":";;;AAAA,2CAA+D;AAC/D,4CAAyC;AACzC,wDAAuD;AACvD,6CAA0C;AAC1C,6CAA4C;AAE5C,MAAM,iBAAiB,GAAG,oCAAoC,CAAC;AAE/D,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B;;;;;;;GAOG;AACH,SAAgB,mBAAmB,CACjC,GAAe,EACf,IAAgB;IAEhB,OAAO,IAAA,WAAI,EAAC,aAAM,EAAE,GAAG,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;AACxD,CAAC;AALD,kDAKC;AAED;;;;;;GAMG;AACH,SAAgB,cAAc,CAC5B,SAAiB,EACjB,GAAe;IAEf,MAAM,EAAE,GAAG,IAAA,uBAAW,EAAC,iBAAiB,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,eAAe,GAAG,IAAA,SAAG,EAAC,GAAG,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEtD,OAAO;QACL,UAAU,EAAE,IAAA,qBAAa,EAAC,eAAe,CAAC;QAC1C,EAAE,EAAE,IAAA,qBAAa,EAAC,EAAE,CAAC;KACtB,CAAC;AACJ,CAAC;AAZD,wCAYC;AAED;;;;;;;GAOG;AACH,SAAgB,cAAc,CAC5B,UAAkB,EAClB,EAAU,EACV,GAAe;IAEf,MAAM,eAAe,GAAG,IAAA,qBAAa,EAAC,UAAU,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,IAAA,qBAAa,EAAC,EAAE,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,IAAA,SAAG,EAAC,GAAG,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAE7D,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAVD,wCAUC","sourcesContent":["import { bytesToBase64, base64ToBytes } from '@metamask/utils';\nimport { gcm } from '@noble/ciphers/aes';\nimport { randomBytes } from '@noble/ciphers/webcrypto';\nimport { hkdf } from '@noble/hashes/hkdf';\nimport { sha256 } from '@noble/hashes/sha2';\n\nconst PASSKEY_HKDF_INFO = 'metamask:passkey:encryption-key:v1';\n\nconst AES_GCM_IV_LENGTH = 12;\n\n/**\n * Derives an AES-256 encryption key from input key material and a credential ID\n * using HKDF-SHA256.\n *\n * @param ikm - Input key material (e.g. PRF output or userHandle).\n * @param salt - HKDF salt.\n * @returns 32-byte derived encryption key.\n */\nexport function deriveEncryptionKey(\n  ikm: Uint8Array,\n  salt: Uint8Array,\n): Uint8Array {\n  return hkdf(sha256, ikm, salt, PASSKEY_HKDF_INFO, 32);\n}\n\n/**\n * Encrypts plaintext with an AES-256-GCM key.\n *\n * @param plaintext - UTF-8 string to encrypt.\n * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.\n * @returns Base64-encoded ciphertext and IV.\n */\nexport function encryptWithKey(\n  plaintext: string,\n  key: Uint8Array,\n): { ciphertext: string; iv: string } {\n  const iv = randomBytes(AES_GCM_IV_LENGTH);\n  const encoded = new TextEncoder().encode(plaintext);\n  const ciphertextBytes = gcm(key, iv).encrypt(encoded);\n\n  return {\n    ciphertext: bytesToBase64(ciphertextBytes),\n    iv: bytesToBase64(iv),\n  };\n}\n\n/**\n * Decrypts AES-256-GCM ciphertext with the given key.\n *\n * @param ciphertext - Base64-encoded ciphertext.\n * @param iv - Base64-encoded initialization vector.\n * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.\n * @returns Decrypted UTF-8 string.\n */\nexport function decryptWithKey(\n  ciphertext: string,\n  iv: string,\n  key: Uint8Array,\n): string {\n  const ciphertextBytes = base64ToBytes(ciphertext);\n  const ivBytes = base64ToBytes(iv);\n  const plaintext = gcm(key, ivBytes).decrypt(ciphertextBytes);\n\n  return new TextDecoder().decode(plaintext);\n}\n"]}

package/dist/utils/crypto.d.cts

@@ -0,0 +1,30 @@
+/**
+ * Derives an AES-256 encryption key from input key material and a credential ID
+ * using HKDF-SHA256.
+ *
+ * @param ikm - Input key material (e.g. PRF output or userHandle).
+ * @param salt - HKDF salt.
+ * @returns 32-byte derived encryption key.
+ */
+export declare function deriveEncryptionKey(ikm: Uint8Array, salt: Uint8Array): Uint8Array;
+/**
+ * Encrypts plaintext with an AES-256-GCM key.
+ *
+ * @param plaintext - UTF-8 string to encrypt.
+ * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.
+ * @returns Base64-encoded ciphertext and IV.
+ */
+export declare function encryptWithKey(plaintext: string, key: Uint8Array): {
+    ciphertext: string;
+    iv: string;
+};
+/**
+ * Decrypts AES-256-GCM ciphertext with the given key.
+ *
+ * @param ciphertext - Base64-encoded ciphertext.
+ * @param iv - Base64-encoded initialization vector.
+ * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.
+ * @returns Decrypted UTF-8 string.
+ */
+export declare function decryptWithKey(ciphertext: string, iv: string, key: Uint8Array): string;
+//# sourceMappingURL=crypto.d.cts.map

package/dist/utils/crypto.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.cts","sourceRoot":"","sources":["../../src/utils/crypto.ts"],"names":[],"mappings":"AAUA;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,UAAU,EACf,IAAI,EAAE,UAAU,GACf,UAAU,CAEZ;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,UAAU,GACd;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CASpC;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,MAAM,EACV,GAAG,EAAE,UAAU,GACd,MAAM,CAMR"}

package/dist/utils/crypto.d.mts

@@ -0,0 +1,30 @@
+/**
+ * Derives an AES-256 encryption key from input key material and a credential ID
+ * using HKDF-SHA256.
+ *
+ * @param ikm - Input key material (e.g. PRF output or userHandle).
+ * @param salt - HKDF salt.
+ * @returns 32-byte derived encryption key.
+ */
+export declare function deriveEncryptionKey(ikm: Uint8Array, salt: Uint8Array): Uint8Array;
+/**
+ * Encrypts plaintext with an AES-256-GCM key.
+ *
+ * @param plaintext - UTF-8 string to encrypt.
+ * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.
+ * @returns Base64-encoded ciphertext and IV.
+ */
+export declare function encryptWithKey(plaintext: string, key: Uint8Array): {
+    ciphertext: string;
+    iv: string;
+};
+/**
+ * Decrypts AES-256-GCM ciphertext with the given key.
+ *
+ * @param ciphertext - Base64-encoded ciphertext.
+ * @param iv - Base64-encoded initialization vector.
+ * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.
+ * @returns Decrypted UTF-8 string.
+ */
+export declare function decryptWithKey(ciphertext: string, iv: string, key: Uint8Array): string;
+//# sourceMappingURL=crypto.d.mts.map

package/dist/utils/crypto.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.mts","sourceRoot":"","sources":["../../src/utils/crypto.ts"],"names":[],"mappings":"AAUA;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,GAAG,EAAE,UAAU,EACf,IAAI,EAAE,UAAU,GACf,UAAU,CAEZ;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,UAAU,GACd;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,MAAM,CAAA;CAAE,CASpC;AAED;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAC5B,UAAU,EAAE,MAAM,EAClB,EAAE,EAAE,MAAM,EACV,GAAG,EAAE,UAAU,GACd,MAAM,CAMR"}

package/dist/utils/crypto.mjs

@@ -0,0 +1,49 @@
+import { bytesToBase64, base64ToBytes } from "@metamask/utils";
+import { gcm } from "@noble/ciphers/aes";
+import { randomBytes } from "@noble/ciphers/webcrypto";
+import { hkdf } from "@noble/hashes/hkdf";
+import { sha256 } from "@noble/hashes/sha2";
+const PASSKEY_HKDF_INFO = 'metamask:passkey:encryption-key:v1';
+const AES_GCM_IV_LENGTH = 12;
+/**
+ * Derives an AES-256 encryption key from input key material and a credential ID
+ * using HKDF-SHA256.
+ *
+ * @param ikm - Input key material (e.g. PRF output or userHandle).
+ * @param salt - HKDF salt.
+ * @returns 32-byte derived encryption key.
+ */
+export function deriveEncryptionKey(ikm, salt) {
+    return hkdf(sha256, ikm, salt, PASSKEY_HKDF_INFO, 32);
+}
+/**
+ * Encrypts plaintext with an AES-256-GCM key.
+ *
+ * @param plaintext - UTF-8 string to encrypt.
+ * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.
+ * @returns Base64-encoded ciphertext and IV.
+ */
+export function encryptWithKey(plaintext, key) {
+    const iv = randomBytes(AES_GCM_IV_LENGTH);
+    const encoded = new TextEncoder().encode(plaintext);
+    const ciphertextBytes = gcm(key, iv).encrypt(encoded);
+    return {
+        ciphertext: bytesToBase64(ciphertextBytes),
+        iv: bytesToBase64(iv),
+    };
+}
+/**
+ * Decrypts AES-256-GCM ciphertext with the given key.
+ *
+ * @param ciphertext - Base64-encoded ciphertext.
+ * @param iv - Base64-encoded initialization vector.
+ * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.
+ * @returns Decrypted UTF-8 string.
+ */
+export function decryptWithKey(ciphertext, iv, key) {
+    const ciphertextBytes = base64ToBytes(ciphertext);
+    const ivBytes = base64ToBytes(iv);
+    const plaintext = gcm(key, ivBytes).decrypt(ciphertextBytes);
+    return new TextDecoder().decode(plaintext);
+}
+//# sourceMappingURL=crypto.mjs.map

package/dist/utils/crypto.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.mjs","sourceRoot":"","sources":["../../src/utils/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,wBAAwB;AAC/D,OAAO,EAAE,GAAG,EAAE,2BAA2B;AACzC,OAAO,EAAE,WAAW,EAAE,iCAAiC;AACvD,OAAO,EAAE,IAAI,EAAE,2BAA2B;AAC1C,OAAO,EAAE,MAAM,EAAE,2BAA2B;AAE5C,MAAM,iBAAiB,GAAG,oCAAoC,CAAC;AAE/D,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAE7B;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,GAAe,EACf,IAAgB;IAEhB,OAAO,IAAI,CAAC,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,iBAAiB,EAAE,EAAE,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAC5B,SAAiB,EACjB,GAAe;IAEf,MAAM,EAAE,GAAG,WAAW,CAAC,iBAAiB,CAAC,CAAC;IAC1C,MAAM,OAAO,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,eAAe,GAAG,GAAG,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAEtD,OAAO;QACL,UAAU,EAAE,aAAa,CAAC,eAAe,CAAC;QAC1C,EAAE,EAAE,aAAa,CAAC,EAAE,CAAC;KACtB,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAC5B,UAAkB,EAClB,EAAU,EACV,GAAe;IAEf,MAAM,eAAe,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;IAClD,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,CAAC,CAAC;IAClC,MAAM,SAAS,GAAG,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IAE7D,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC","sourcesContent":["import { bytesToBase64, base64ToBytes } from '@metamask/utils';\nimport { gcm } from '@noble/ciphers/aes';\nimport { randomBytes } from '@noble/ciphers/webcrypto';\nimport { hkdf } from '@noble/hashes/hkdf';\nimport { sha256 } from '@noble/hashes/sha2';\n\nconst PASSKEY_HKDF_INFO = 'metamask:passkey:encryption-key:v1';\n\nconst AES_GCM_IV_LENGTH = 12;\n\n/**\n * Derives an AES-256 encryption key from input key material and a credential ID\n * using HKDF-SHA256.\n *\n * @param ikm - Input key material (e.g. PRF output or userHandle).\n * @param salt - HKDF salt.\n * @returns 32-byte derived encryption key.\n */\nexport function deriveEncryptionKey(\n  ikm: Uint8Array,\n  salt: Uint8Array,\n): Uint8Array {\n  return hkdf(sha256, ikm, salt, PASSKEY_HKDF_INFO, 32);\n}\n\n/**\n * Encrypts plaintext with an AES-256-GCM key.\n *\n * @param plaintext - UTF-8 string to encrypt.\n * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.\n * @returns Base64-encoded ciphertext and IV.\n */\nexport function encryptWithKey(\n  plaintext: string,\n  key: Uint8Array,\n): { ciphertext: string; iv: string } {\n  const iv = randomBytes(AES_GCM_IV_LENGTH);\n  const encoded = new TextEncoder().encode(plaintext);\n  const ciphertextBytes = gcm(key, iv).encrypt(encoded);\n\n  return {\n    ciphertext: bytesToBase64(ciphertextBytes),\n    iv: bytesToBase64(iv),\n  };\n}\n\n/**\n * Decrypts AES-256-GCM ciphertext with the given key.\n *\n * @param ciphertext - Base64-encoded ciphertext.\n * @param iv - Base64-encoded initialization vector.\n * @param key - 32-byte AES-256 key from {@link deriveEncryptionKey}.\n * @returns Decrypted UTF-8 string.\n */\nexport function decryptWithKey(\n  ciphertext: string,\n  iv: string,\n  key: Uint8Array,\n): string {\n  const ciphertextBytes = base64ToBytes(ciphertext);\n  const ivBytes = base64ToBytes(iv);\n  const plaintext = gcm(key, ivBytes).decrypt(ciphertextBytes);\n\n  return new TextDecoder().decode(plaintext);\n}\n"]}

package/dist/utils/encoding.cjs

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bytesToHex = exports.base64URLToBytes = exports.bytesToBase64URL = void 0;
+const utils_1 = require("@metamask/utils");
+/**
+ * Encode a byte array as a base64url string (RFC 4648 §5).
+ *
+ * @param bytes - The bytes to encode.
+ * @returns Base64url-encoded string without padding.
+ */
+function bytesToBase64URL(bytes) {
+    return (0, utils_1.bytesToBase64)(bytes)
+        .replace(/\+/gu, '-')
+        .replace(/\//gu, '_')
+        .replace(/[=]+$/u, '');
+}
+exports.bytesToBase64URL = bytesToBase64URL;
+/**
+ * Decode a base64url string (RFC 4648 §5) into bytes.
+ *
+ * @param value - Base64url-encoded string.
+ * @returns Decoded bytes.
+ */
+function base64URLToBytes(value) {
+    const standard = value.replace(/-/gu, '+').replace(/_/gu, '/');
+    const padLength = (4 - (standard.length % 4)) % 4;
+    return Uint8Array.from((0, utils_1.base64ToBytes)(standard + '='.repeat(padLength)));
+}
+exports.base64URLToBytes = base64URLToBytes;
+/**
+ * Encode a byte array as a hexadecimal string.
+ *
+ * @param bytes - The bytes to encode.
+ * @returns Hex-encoded string.
+ */
+function bytesToHex(bytes) {
+    return Array.from(bytes)
+        .map((byte) => byte.toString(16).padStart(2, '0'))
+        .join('');
+}
+exports.bytesToHex = bytesToHex;
+//# sourceMappingURL=encoding.cjs.map

package/dist/utils/encoding.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.cjs","sourceRoot":"","sources":["../../src/utils/encoding.ts"],"names":[],"mappings":";;;AAAA,2CAA+D;AAE/D;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,KAAiB;IAChD,OAAO,IAAA,qBAAa,EAAC,KAAK,CAAC;SACxB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;SACpB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;SACpB,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC;AALD,4CAKC;AAED;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,KAAa;IAC5C,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAClD,OAAO,UAAU,CAAC,IAAI,CAAC,IAAA,qBAAa,EAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;AAC1E,CAAC;AAJD,4CAIC;AAED;;;;;GAKG;AACH,SAAgB,UAAU,CAAC,KAAiB;IAC1C,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;SACrB,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SACjD,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAJD,gCAIC","sourcesContent":["import { bytesToBase64, base64ToBytes } from '@metamask/utils';\n\n/**\n * Encode a byte array as a base64url string (RFC 4648 §5).\n *\n * @param bytes - The bytes to encode.\n * @returns Base64url-encoded string without padding.\n */\nexport function bytesToBase64URL(bytes: Uint8Array): string {\n  return bytesToBase64(bytes)\n    .replace(/\\+/gu, '-')\n    .replace(/\\//gu, '_')\n    .replace(/[=]+$/u, '');\n}\n\n/**\n * Decode a base64url string (RFC 4648 §5) into bytes.\n *\n * @param value - Base64url-encoded string.\n * @returns Decoded bytes.\n */\nexport function base64URLToBytes(value: string): Uint8Array {\n  const standard = value.replace(/-/gu, '+').replace(/_/gu, '/');\n  const padLength = (4 - (standard.length % 4)) % 4;\n  return Uint8Array.from(base64ToBytes(standard + '='.repeat(padLength)));\n}\n\n/**\n * Encode a byte array as a hexadecimal string.\n *\n * @param bytes - The bytes to encode.\n * @returns Hex-encoded string.\n */\nexport function bytesToHex(bytes: Uint8Array): string {\n  return Array.from(bytes)\n    .map((byte) => byte.toString(16).padStart(2, '0'))\n    .join('');\n}\n"]}

package/dist/utils/encoding.d.cts

@@ -0,0 +1,22 @@
+/**
+ * Encode a byte array as a base64url string (RFC 4648 §5).
+ *
+ * @param bytes - The bytes to encode.
+ * @returns Base64url-encoded string without padding.
+ */
+export declare function bytesToBase64URL(bytes: Uint8Array): string;
+/**
+ * Decode a base64url string (RFC 4648 §5) into bytes.
+ *
+ * @param value - Base64url-encoded string.
+ * @returns Decoded bytes.
+ */
+export declare function base64URLToBytes(value: string): Uint8Array;
+/**
+ * Encode a byte array as a hexadecimal string.
+ *
+ * @param bytes - The bytes to encode.
+ * @returns Hex-encoded string.
+ */
+export declare function bytesToHex(bytes: Uint8Array): string;
+//# sourceMappingURL=encoding.d.cts.map

package/dist/utils/encoding.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.d.cts","sourceRoot":"","sources":["../../src/utils/encoding.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAK1D;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAI1D;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAIpD"}

package/dist/utils/encoding.d.mts

@@ -0,0 +1,22 @@
+/**
+ * Encode a byte array as a base64url string (RFC 4648 §5).
+ *
+ * @param bytes - The bytes to encode.
+ * @returns Base64url-encoded string without padding.
+ */
+export declare function bytesToBase64URL(bytes: Uint8Array): string;
+/**
+ * Decode a base64url string (RFC 4648 §5) into bytes.
+ *
+ * @param value - Base64url-encoded string.
+ * @returns Decoded bytes.
+ */
+export declare function base64URLToBytes(value: string): Uint8Array;
+/**
+ * Encode a byte array as a hexadecimal string.
+ *
+ * @param bytes - The bytes to encode.
+ * @returns Hex-encoded string.
+ */
+export declare function bytesToHex(bytes: Uint8Array): string;
+//# sourceMappingURL=encoding.d.mts.map

package/dist/utils/encoding.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.d.mts","sourceRoot":"","sources":["../../src/utils/encoding.ts"],"names":[],"mappings":"AAEA;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAK1D;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,CAI1D;AAED;;;;;GAKG;AACH,wBAAgB,UAAU,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAIpD"}

package/dist/utils/encoding.mjs

@@ -0,0 +1,36 @@
+import { bytesToBase64, base64ToBytes } from "@metamask/utils";
+/**
+ * Encode a byte array as a base64url string (RFC 4648 §5).
+ *
+ * @param bytes - The bytes to encode.
+ * @returns Base64url-encoded string without padding.
+ */
+export function bytesToBase64URL(bytes) {
+    return bytesToBase64(bytes)
+        .replace(/\+/gu, '-')
+        .replace(/\//gu, '_')
+        .replace(/[=]+$/u, '');
+}
+/**
+ * Decode a base64url string (RFC 4648 §5) into bytes.
+ *
+ * @param value - Base64url-encoded string.
+ * @returns Decoded bytes.
+ */
+export function base64URLToBytes(value) {
+    const standard = value.replace(/-/gu, '+').replace(/_/gu, '/');
+    const padLength = (4 - (standard.length % 4)) % 4;
+    return Uint8Array.from(base64ToBytes(standard + '='.repeat(padLength)));
+}
+/**
+ * Encode a byte array as a hexadecimal string.
+ *
+ * @param bytes - The bytes to encode.
+ * @returns Hex-encoded string.
+ */
+export function bytesToHex(bytes) {
+    return Array.from(bytes)
+        .map((byte) => byte.toString(16).padStart(2, '0'))
+        .join('');
+}
+//# sourceMappingURL=encoding.mjs.map

package/dist/utils/encoding.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.mjs","sourceRoot":"","sources":["../../src/utils/encoding.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,aAAa,EAAE,wBAAwB;AAE/D;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAiB;IAChD,OAAO,aAAa,CAAC,KAAK,CAAC;SACxB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;SACpB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;SACpB,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAa;IAC5C,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,SAAS,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAClD,OAAO,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,QAAQ,GAAG,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;AAC1E,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,UAAU,CAAC,KAAiB;IAC1C,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;SACrB,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SACjD,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC","sourcesContent":["import { bytesToBase64, base64ToBytes } from '@metamask/utils';\n\n/**\n * Encode a byte array as a base64url string (RFC 4648 §5).\n *\n * @param bytes - The bytes to encode.\n * @returns Base64url-encoded string without padding.\n */\nexport function bytesToBase64URL(bytes: Uint8Array): string {\n  return bytesToBase64(bytes)\n    .replace(/\\+/gu, '-')\n    .replace(/\\//gu, '_')\n    .replace(/[=]+$/u, '');\n}\n\n/**\n * Decode a base64url string (RFC 4648 §5) into bytes.\n *\n * @param value - Base64url-encoded string.\n * @returns Decoded bytes.\n */\nexport function base64URLToBytes(value: string): Uint8Array {\n  const standard = value.replace(/-/gu, '+').replace(/_/gu, '/');\n  const padLength = (4 - (standard.length % 4)) % 4;\n  return Uint8Array.from(base64ToBytes(standard + '='.repeat(padLength)));\n}\n\n/**\n * Encode a byte array as a hexadecimal string.\n *\n * @param bytes - The bytes to encode.\n * @returns Hex-encoded string.\n */\nexport function bytesToHex(bytes: Uint8Array): string {\n  return Array.from(bytes)\n    .map((byte) => byte.toString(16).padStart(2, '0'))\n    .join('');\n}\n"]}

package/dist/webauthn/constants.cjs

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.COSEKEYS = exports.COSECRV = exports.COSEKTY = exports.COSEALG = void 0;
+/**
+ * COSE Algorithms
+ *
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ */
+var COSEALG;
+(function (COSEALG) {
+    COSEALG[COSEALG["ES256"] = -7] = "ES256";
+    COSEALG[COSEALG["EdDSA"] = -8] = "EdDSA";
+    COSEALG[COSEALG["ES384"] = -35] = "ES384";
+    COSEALG[COSEALG["ES512"] = -36] = "ES512";
+    COSEALG[COSEALG["PS256"] = -37] = "PS256";
+    COSEALG[COSEALG["PS384"] = -38] = "PS384";
+    COSEALG[COSEALG["PS512"] = -39] = "PS512";
+    COSEALG[COSEALG["ES256K"] = -47] = "ES256K";
+    COSEALG[COSEALG["RS256"] = -257] = "RS256";
+    COSEALG[COSEALG["RS384"] = -258] = "RS384";
+    COSEALG[COSEALG["RS512"] = -259] = "RS512";
+    COSEALG[COSEALG["RS1"] = -65535] = "RS1";
+})(COSEALG || (exports.COSEALG = COSEALG = {}));
+/**
+ * COSE Key Types
+ *
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#key-type
+ */
+var COSEKTY;
+(function (COSEKTY) {
+    COSEKTY[COSEKTY["OKP"] = 1] = "OKP";
+    COSEKTY[COSEKTY["EC2"] = 2] = "EC2";
+    COSEKTY[COSEKTY["RSA"] = 3] = "RSA";
+})(COSEKTY || (exports.COSEKTY = COSEKTY = {}));
+/**
+ * COSE Curves
+ *
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves
+ */
+var COSECRV;
+(function (COSECRV) {
+    COSECRV[COSECRV["P256"] = 1] = "P256";
+    COSECRV[COSECRV["P384"] = 2] = "P384";
+    COSECRV[COSECRV["P521"] = 3] = "P521";
+    COSECRV[COSECRV["ED25519"] = 6] = "ED25519";
+    COSECRV[COSECRV["SECP256K1"] = 8] = "SECP256K1";
+})(COSECRV || (exports.COSECRV = COSECRV = {}));
+/**
+ * COSE Key common and type-specific parameter labels.
+ *
+ * EC2 and RSA re-use the same numeric labels (-1, -2, -3) with different
+ * semantics, so this is a plain object instead of an enum to avoid
+ * duplicate-value violations.
+ *
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#key-common-parameters
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#key-type-parameters
+ */
+exports.COSEKEYS = {
+    /** Key Type (common) */
+    Kty: 1,
+    /** Algorithm (common) */
+    Alg: 3,
+    /** EC2 / OKP: curve identifier */
+    Crv: -1,
+    /** EC2: x-coordinate / OKP: public key */
+    X: -2,
+    /** EC2: y-coordinate */
+    Y: -3,
+    /** RSA: modulus n (shares numeric label with Crv) */
+    N: -1,
+    /** RSA: exponent e (shares numeric label with X) */
+    E: -2,
+};
+//# sourceMappingURL=constants.cjs.map

package/dist/webauthn/constants.cjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.cjs","sourceRoot":"","sources":["../../src/webauthn/constants.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACH,IAAY,OAaX;AAbD,WAAY,OAAO;IACjB,wCAAU,CAAA;IACV,wCAAU,CAAA;IACV,yCAAW,CAAA;IACX,yCAAW,CAAA;IACX,yCAAW,CAAA;IACX,yCAAW,CAAA;IACX,yCAAW,CAAA;IACX,2CAAY,CAAA;IACZ,0CAAY,CAAA;IACZ,0CAAY,CAAA;IACZ,0CAAY,CAAA;IACZ,wCAAY,CAAA;AACd,CAAC,EAbW,OAAO,uBAAP,OAAO,QAalB;AAED;;;;GAIG;AACH,IAAY,OAIX;AAJD,WAAY,OAAO;IACjB,mCAAO,CAAA;IACP,mCAAO,CAAA;IACP,mCAAO,CAAA;AACT,CAAC,EAJW,OAAO,uBAAP,OAAO,QAIlB;AAED;;;;GAIG;AACH,IAAY,OAMX;AAND,WAAY,OAAO;IACjB,qCAAQ,CAAA;IACR,qCAAQ,CAAA;IACR,qCAAQ,CAAA;IACR,2CAAW,CAAA;IACX,+CAAa,CAAA;AACf,CAAC,EANW,OAAO,uBAAP,OAAO,QAMlB;AAED;;;;;;;;;GASG;AACU,QAAA,QAAQ,GAAG;IACtB,wBAAwB;IACxB,GAAG,EAAE,CAAC;IACN,yBAAyB;IACzB,GAAG,EAAE,CAAC;IAEN,kCAAkC;IAClC,GAAG,EAAE,CAAC,CAAC;IACP,0CAA0C;IAC1C,CAAC,EAAE,CAAC,CAAC;IACL,wBAAwB;IACxB,CAAC,EAAE,CAAC,CAAC;IAEL,qDAAqD;IACrD,CAAC,EAAE,CAAC,CAAC;IACL,oDAAoD;IACpD,CAAC,EAAE,CAAC,CAAC;CACG,CAAC","sourcesContent":["/**\n * COSE Algorithms\n *\n * @see https://www.iana.org/assignments/cose/cose.xhtml#algorithms\n */\nexport enum COSEALG {\n  ES256 = -7,\n  EdDSA = -8,\n  ES384 = -35,\n  ES512 = -36,\n  PS256 = -37,\n  PS384 = -38,\n  PS512 = -39,\n  ES256K = -47,\n  RS256 = -257,\n  RS384 = -258,\n  RS512 = -259,\n  RS1 = -65535,\n}\n\n/**\n * COSE Key Types\n *\n * @see https://www.iana.org/assignments/cose/cose.xhtml#key-type\n */\nexport enum COSEKTY {\n  OKP = 1,\n  EC2 = 2,\n  RSA = 3,\n}\n\n/**\n * COSE Curves\n *\n * @see https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves\n */\nexport enum COSECRV {\n  P256 = 1,\n  P384 = 2,\n  P521 = 3,\n  ED25519 = 6,\n  SECP256K1 = 8,\n}\n\n/**\n * COSE Key common and type-specific parameter labels.\n *\n * EC2 and RSA re-use the same numeric labels (-1, -2, -3) with different\n * semantics, so this is a plain object instead of an enum to avoid\n * duplicate-value violations.\n *\n * @see https://www.iana.org/assignments/cose/cose.xhtml#key-common-parameters\n * @see https://www.iana.org/assignments/cose/cose.xhtml#key-type-parameters\n */\nexport const COSEKEYS = {\n  /** Key Type (common) */\n  Kty: 1,\n  /** Algorithm (common) */\n  Alg: 3,\n\n  /** EC2 / OKP: curve identifier */\n  Crv: -1,\n  /** EC2: x-coordinate / OKP: public key */\n  X: -2,\n  /** EC2: y-coordinate */\n  Y: -3,\n\n  /** RSA: modulus n (shares numeric label with Crv) */\n  N: -1,\n  /** RSA: exponent e (shares numeric label with X) */\n  E: -2,\n} as const;\n"]}

package/dist/webauthn/constants.d.cts

@@ -0,0 +1,68 @@
+/**
+ * COSE Algorithms
+ *
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#algorithms
+ */
+export declare enum COSEALG {
+    ES256 = -7,
+    EdDSA = -8,
+    ES384 = -35,
+    ES512 = -36,
+    PS256 = -37,
+    PS384 = -38,
+    PS512 = -39,
+    ES256K = -47,
+    RS256 = -257,
+    RS384 = -258,
+    RS512 = -259,
+    RS1 = -65535
+}
+/**
+ * COSE Key Types
+ *
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#key-type
+ */
+export declare enum COSEKTY {
+    OKP = 1,
+    EC2 = 2,
+    RSA = 3
+}
+/**
+ * COSE Curves
+ *
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#elliptic-curves
+ */
+export declare enum COSECRV {
+    P256 = 1,
+    P384 = 2,
+    P521 = 3,
+    ED25519 = 6,
+    SECP256K1 = 8
+}
+/**
+ * COSE Key common and type-specific parameter labels.
+ *
+ * EC2 and RSA re-use the same numeric labels (-1, -2, -3) with different
+ * semantics, so this is a plain object instead of an enum to avoid
+ * duplicate-value violations.
+ *
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#key-common-parameters
+ * @see https://www.iana.org/assignments/cose/cose.xhtml#key-type-parameters
+ */
+export declare const COSEKEYS: {
+    /** Key Type (common) */
+    readonly Kty: 1;
+    /** Algorithm (common) */
+    readonly Alg: 3;
+    /** EC2 / OKP: curve identifier */
+    readonly Crv: -1;
+    /** EC2: x-coordinate / OKP: public key */
+    readonly X: -2;
+    /** EC2: y-coordinate */
+    readonly Y: -3;
+    /** RSA: modulus n (shares numeric label with Crv) */
+    readonly N: -1;
+    /** RSA: exponent e (shares numeric label with X) */
+    readonly E: -2;
+};
+//# sourceMappingURL=constants.d.cts.map

package/dist/webauthn/constants.d.cts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.cts","sourceRoot":"","sources":["../../src/webauthn/constants.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,oBAAY,OAAO;IACjB,KAAK,KAAK;IACV,KAAK,KAAK;IACV,KAAK,MAAM;IACX,KAAK,MAAM;IACX,KAAK,MAAM;IACX,KAAK,MAAM;IACX,KAAK,MAAM;IACX,MAAM,MAAM;IACZ,KAAK,OAAO;IACZ,KAAK,OAAO;IACZ,KAAK,OAAO;IACZ,GAAG,SAAS;CACb;AAED;;;;GAIG;AACH,oBAAY,OAAO;IACjB,GAAG,IAAI;IACP,GAAG,IAAI;IACP,GAAG,IAAI;CACR;AAED;;;;GAIG;AACH,oBAAY,OAAO;IACjB,IAAI,IAAI;IACR,IAAI,IAAI;IACR,IAAI,IAAI;IACR,OAAO,IAAI;IACX,SAAS,IAAI;CACd;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ;IACnB,wBAAwB;;IAExB,yBAAyB;;IAGzB,kCAAkC;;IAElC,0CAA0C;;IAE1C,wBAAwB;;IAGxB,qDAAqD;;IAErD,oDAAoD;;CAE5C,CAAC"}