npm - @msssystems/mss-link-sdk - Versions diffs - 0.1.10 → 0.1.11 - Mend

@msssystems/mss-link-sdk 0.1.10 → 0.1.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/client/drive-key-wrapping.contracts.d.ts +21 -6
package/dist/client/drive-key-wrapping.js +37 -58
package/dist/client/drive-sharing.js +1 -1
package/package.json +1 -1

package/dist/client/drive-key-wrapping.contracts.d.ts CHANGED Viewed

@@ -1,16 +1,16 @@
 import type { DriveItemType, DriveWrappedItemKey } from './drive-sharing.contracts';
-export type DriveRecipientWrappingKeyAlgorithm = 'AES-256-GCM';
-export type DriveWrappedItemKeyAlgorithm = 'MSS-DRIVE-AES-256-GCM-WRAPPED-ITEM-KEY-v1';
-export interface DriveRecipientWrappingKey {
-    algorithm: DriveRecipientWrappingKeyAlgorithm;
+export type DriveRecipientPublicKeyAlgorithm = 'X25519';
+export type DriveWrappedItemKeyAlgorithm = 'MSS-DRIVE-PUBLIC-KEY-WRAPPED-ITEM-KEY-v1';
+export interface DriveRecipientPublicKey {
+    algorithm: DriveRecipientPublicKeyAlgorithm;
     keyId: string;
-    rawKeyBase64: string;
+    publicKeyBase64: string;
 }
 export interface DriveRecipientKeyTarget {
     accountId?: string;
     userId?: string;
     username?: string;
-    wrappingKey: DriveRecipientWrappingKey;
+    publicKey: DriveRecipientPublicKey;
 }
 export interface DriveItemContentKeyEnvelope {
     algorithm?: 'AES-256-GCM' | string | null;
@@ -18,11 +18,26 @@ export interface DriveItemContentKeyEnvelope {
     nonce?: string | null;
     wrappedKey: string;
 }
+export interface DrivePublicKeyWrappingInput {
+    additionalData: string;
+    payload: DriveWrappedItemKeyPayload;
+    recipient: DriveRecipientKeyTarget;
+}
+export interface DrivePublicKeyWrappingOutput {
+    encryptedItemKey: string;
+    keyAlgorithm?: DriveWrappedItemKeyAlgorithm | string;
+    keyNonce?: string;
+    keyRecipientId?: string;
+}
+export interface DrivePublicKeyWrappingAdapter {
+    wrapDriveItemKey(input: DrivePublicKeyWrappingInput): Promise<DrivePublicKeyWrappingOutput>;
+}
 export interface CreateDriveWrappedItemKeyForRecipientInput {
     itemId: string;
     itemType: DriveItemType;
     contentKey: DriveItemContentKeyEnvelope;
     recipient: DriveRecipientKeyTarget;
+    wrappingAdapter: DrivePublicKeyWrappingAdapter;
 }
 export interface DriveWrappedItemKeyPayload {
     contentAlgorithm: string;

package/dist/client/drive-key-wrapping.js CHANGED Viewed

@@ -1,38 +1,32 @@
 const CONTENT_KEY_SCHEMA = 'mss.link.drive.item-key.v1';
-const WRAPPED_ITEM_KEY_ALGORITHM = 'MSS-DRIVE-AES-256-GCM-WRAPPED-ITEM-KEY-v1';
-const AES_GCM_NONCE_LENGTH = 12;
-const AES_256_KEY_LENGTH = 32;
+const WRAPPED_ITEM_KEY_ALGORITHM = 'MSS-DRIVE-PUBLIC-KEY-WRAPPED-ITEM-KEY-v1';
 export async function createDriveWrappedItemKeyForRecipient(input) {
     const itemId = normalizeRequiredText(input.itemId, 'Drive item id is required for key wrapping.');
     const itemType = input.itemType;
     const recipient = normalizeRecipient(input.recipient);
     const contentKey = normalizeContentKey(input.contentKey);
-    const wrappingKey = await importRecipientWrappingKey(recipient.wrappingKey);
-    const nonce = globalThis.crypto.getRandomValues(new Uint8Array(AES_GCM_NONCE_LENGTH));
+    const wrappingAdapter = normalizeWrappingAdapter(input.wrappingAdapter);
     const payload = buildWrappedItemKeyPayload({
         contentKey,
         itemId,
         itemType,
     });
-    const plaintext = new TextEncoder().encode(JSON.stringify(payload));
     const additionalData = buildWrappingAdditionalData({
         itemId,
         itemType,
-        recipientId: recipient.wrappingKey.keyId,
+        recipientPublicKeyId: recipient.publicKey.keyId,
+    });
+    const wrapped = await wrappingAdapter.wrapDriveItemKey({
+        additionalData,
+        payload,
+        recipient,
     });
-    const encrypted = await globalThis.crypto.subtle.encrypt({
-        additionalData: toArrayBuffer(additionalData),
-        iv: nonce,
-        name: 'AES-GCM',
-    }, wrappingKey, toArrayBuffer(plaintext));
     return {
         payload,
-        wrappedItemKey: {
-            encryptedItemKey: encodeBase64Url(new Uint8Array(encrypted)),
-            keyAlgorithm: WRAPPED_ITEM_KEY_ALGORITHM,
-            keyNonce: encodeBase64Url(nonce),
-            keyRecipientId: recipient.wrappingKey.keyId,
-        },
+        wrappedItemKey: normalizeWrappedItemKeyOutput({
+            output: wrapped,
+            recipientPublicKeyId: recipient.publicKey.keyId,
+        }),
     };
 }
 function buildWrappedItemKeyPayload({ contentKey, itemId, itemType, }) {
@@ -51,7 +45,7 @@ function normalizeRecipient(recipient) {
     const accountId = normalizeOptionalText(recipient.accountId) ?? '';
     const userId = normalizeOptionalText(recipient.userId) ?? '';
     const username = normalizeOptionalText(recipient.username)?.replace(/^@/, '') ?? '';
-    const wrappingKey = normalizeRecipientWrappingKey(recipient.wrappingKey);
+    const publicKey = normalizeRecipientPublicKey(recipient.publicKey);
     if (!accountId && !userId && !username) {
         throw new Error('Drive share recipient must include accountId, userId or username.');
     }
@@ -59,17 +53,17 @@ function normalizeRecipient(recipient) {
         accountId,
         userId,
         username,
-        wrappingKey,
+        publicKey,
     };
 }
-function normalizeRecipientWrappingKey(key) {
-    if (key.algorithm !== 'AES-256-GCM') {
-        throw new Error(`Unsupported Drive recipient wrapping key algorithm: ${key.algorithm}`);
+function normalizeRecipientPublicKey(key) {
+    if (key.algorithm !== 'X25519') {
+        throw new Error(`Unsupported Drive recipient public key algorithm: ${key.algorithm}`);
     }
     return {
         algorithm: key.algorithm,
-        keyId: normalizeRequiredText(key.keyId, 'Drive recipient wrapping key id is required.'),
-        rawKeyBase64: normalizeRequiredText(key.rawKeyBase64, 'Drive recipient wrapping key material is required.'),
+        keyId: normalizeRequiredText(key.keyId, 'Drive recipient public key id is required.'),
+        publicKeyBase64: normalizeRequiredText(key.publicKeyBase64, 'Drive recipient public key material is required.'),
     };
 }
 function normalizeContentKey(contentKey) {
@@ -84,17 +78,26 @@ function normalizeContentKey(contentKey) {
         wrappedKey: normalizeRequiredText(contentKey.wrappedKey, 'Drive item content key is required.'),
     };
 }
-async function importRecipientWrappingKey(key) {
-    const keyBytes = decodeBase64Url(key.rawKeyBase64);
-    if (keyBytes.byteLength !== AES_256_KEY_LENGTH) {
-        throw new Error('Drive recipient wrapping key must be 32 bytes for AES-256-GCM.');
+function normalizeWrappingAdapter(adapter) {
+    if (!adapter || typeof adapter.wrapDriveItemKey !== 'function') {
+        throw new Error('Drive public-key wrapping adapter is not configured.');
     }
-    return globalThis.crypto.subtle.importKey('raw', toArrayBuffer(keyBytes), {
-        name: 'AES-GCM',
-    }, false, ['encrypt']);
+    return adapter;
+}
+function normalizeWrappedItemKeyOutput({ output, recipientPublicKeyId, }) {
+    const encryptedItemKey = normalizeRequiredText(output.encryptedItemKey, 'Drive public-key wrapping adapter returned empty encrypted item key.');
+    const keyAlgorithm = normalizeOptionalText(output.keyAlgorithm) ?? WRAPPED_ITEM_KEY_ALGORITHM;
+    const keyNonce = normalizeOptionalText(output.keyNonce);
+    const keyRecipientId = normalizeOptionalText(output.keyRecipientId) ?? recipientPublicKeyId;
+    return {
+        encryptedItemKey,
+        keyAlgorithm,
+        ...(keyNonce ? { keyNonce } : {}),
+        keyRecipientId,
+    };
 }
-function buildWrappingAdditionalData({ itemId, itemType, recipientId, }) {
-    return new TextEncoder().encode(`${CONTENT_KEY_SCHEMA}:${itemType}:${itemId}:${recipientId}`);
+function buildWrappingAdditionalData({ itemId, itemType, recipientPublicKeyId, }) {
+    return `${CONTENT_KEY_SCHEMA}:${itemType}:${itemId}:${recipientPublicKeyId}`;
 }
 function normalizeRequiredText(value, message) {
     const normalized = normalizeOptionalText(value);
@@ -107,27 +110,3 @@ function normalizeOptionalText(value) {
     const normalized = value?.trim();
     return normalized ? normalized : undefined;
 }
-function decodeBase64Url(value) {
-    const normalized = value.trim().replace(/-/g, '+').replace(/_/g, '/');
-    const padded = normalized.padEnd(normalized.length + ((4 - (normalized.length % 4)) % 4), '=');
-    const decoded = globalThis.atob(padded);
-    const bytes = new Uint8Array(decoded.length);
-    for (let index = 0; index < decoded.length; index += 1) {
-        bytes[index] = decoded.charCodeAt(index);
-    }
-    return bytes;
-}
-function encodeBase64Url(bytes) {
-    let binary = '';
-    for (const byte of bytes) {
-        binary += String.fromCharCode(byte);
-    }
-    return globalThis
-        .btoa(binary)
-        .replace(/\+/g, '-')
-        .replace(/\//g, '_')
-        .replace(/=+$/g, '');
-}
-function toArrayBuffer(bytes) {
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}

package/dist/client/drive-sharing.js CHANGED Viewed

@@ -1,4 +1,4 @@
-const DEFAULT_KEY_ALGORITHM = 'X25519-AES-256-GCM';
+const DEFAULT_KEY_ALGORITHM = 'MSS-DRIVE-PUBLIC-KEY-WRAPPED-ITEM-KEY-v1';
 export function createDriveShareGrantPayload(input) {
     return {
         ...normalizeWrappedItemKey(input.wrappedItemKey),

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@msssystems/mss-link-sdk",
-  "version": "0.1.10",
+  "version": "0.1.11",
   "description": "Official managed application SDK for MSS ecosystem",
   "type": "module",
   "main": "./dist/index.js",