@msssystems/mss-link-sdk 0.1.10 → 0.1.12

package/dist/client/drive-key-wrapping.contracts.d.ts

@@ -1,33 +1,60 @@
 import type { DriveItemType, DriveWrappedItemKey } from './drive-sharing.contracts';
-export type DriveRecipientWrappingKeyAlgorithm = 'AES-256-GCM';
-export type DriveWrappedItemKeyAlgorithm = 'MSS-DRIVE-AES-256-GCM-WRAPPED-ITEM-KEY-v1';
-export interface DriveRecipientWrappingKey {
-    algorithm: DriveRecipientWrappingKeyAlgorithm;
+export type DriveRecipientPublicKeyAlgorithm = 'X25519';
+export type DriveWrappedItemKeyAlgorithm = 'MSS-DRIVE-PUBLIC-KEY-WRAPPED-ITEM-KEY-v1';
+export type DriveItemKeyMaterialKind = 'content-key' | 'folder-metadata-envelope';
+export interface DriveRecipientPublicKey {
+    algorithm: DriveRecipientPublicKeyAlgorithm;
     keyId: string;
-    rawKeyBase64: string;
+    publicKeyBase64: string;
 }
 export interface DriveRecipientKeyTarget {
     accountId?: string;
     userId?: string;
     username?: string;
-    wrappingKey: DriveRecipientWrappingKey;
+    publicKey: DriveRecipientPublicKey;
 }
 export interface DriveItemContentKeyEnvelope {
     algorithm?: 'AES-256-GCM' | string | null;
+    keyMaterialKind?: DriveItemKeyMaterialKind | string | null;
     keyId?: string | null;
     nonce?: string | null;
     wrappedKey: string;
 }
+export interface DrivePublicKeyWrappingInput {
+    additionalData: string;
+    payload: DriveWrappedItemKeyPayload;
+    recipient: DriveRecipientKeyTarget;
+}
+export interface DrivePublicKeyWrappingOutput {
+    encryptedItemKey: string;
+    keyAlgorithm?: DriveWrappedItemKeyAlgorithm | string;
+    keyNonce?: string;
+    keyRecipientId?: string;
+}
+export interface DrivePublicKeyWrappingAdapter {
+    wrapDriveItemKey(input: DrivePublicKeyWrappingInput): Promise<DrivePublicKeyWrappingOutput>;
+}
 export interface CreateDriveWrappedItemKeyForRecipientInput {
     itemId: string;
     itemType: DriveItemType;
     contentKey: DriveItemContentKeyEnvelope;
     recipient: DriveRecipientKeyTarget;
+    wrappingAdapter: DrivePublicKeyWrappingAdapter;
+}
+export interface CreateDriveWrappedFolderKeyForRecipientInput {
+    encryptedFolderMetadata: {
+        encryptedName: string;
+        schema?: 'mss.link.drive-folder-metadata.v1' | string;
+    };
+    folderId: string;
+    recipient: DriveRecipientKeyTarget;
+    wrappingAdapter: DrivePublicKeyWrappingAdapter;
 }
 export interface DriveWrappedItemKeyPayload {
     contentAlgorithm: string;
     contentKey: string;
     contentKeyId?: string;
+    contentKeyMaterialKind: DriveItemKeyMaterialKind;
     contentNonce?: string;
     createdAt: string;
     itemId: string;

package/dist/client/drive-key-wrapping.d.ts

@@ -1,2 +1,3 @@
-import type { CreateDriveWrappedItemKeyForRecipientInput, DriveWrappedItemKeyForRecipientResult } from './drive-key-wrapping.contracts';
+import type { CreateDriveWrappedFolderKeyForRecipientInput, CreateDriveWrappedItemKeyForRecipientInput, DriveWrappedItemKeyForRecipientResult } from './drive-key-wrapping.contracts';
 export declare function createDriveWrappedItemKeyForRecipient(input: CreateDriveWrappedItemKeyForRecipientInput): Promise<DriveWrappedItemKeyForRecipientResult>;
+export declare function createDriveWrappedFolderKeyForRecipient(input: CreateDriveWrappedFolderKeyForRecipientInput): Promise<DriveWrappedItemKeyForRecipientResult>;

package/dist/client/drive-key-wrapping.js

@@ -1,40 +1,54 @@
+import { normalizeEncryptedDriveFolderMetadataInput } from './storage-metadata-crypto';
 const CONTENT_KEY_SCHEMA = 'mss.link.drive.item-key.v1';
-const WRAPPED_ITEM_KEY_ALGORITHM = 'MSS-DRIVE-AES-256-GCM-WRAPPED-ITEM-KEY-v1';
-const AES_GCM_NONCE_LENGTH = 12;
-const AES_256_KEY_LENGTH = 32;
+const WRAPPED_ITEM_KEY_ALGORITHM = 'MSS-DRIVE-PUBLIC-KEY-WRAPPED-ITEM-KEY-v1';
+const FOLDER_METADATA_KEY_ID_PREFIX = 'drive-folder-metadata';
 export async function createDriveWrappedItemKeyForRecipient(input) {
     const itemId = normalizeRequiredText(input.itemId, 'Drive item id is required for key wrapping.');
     const itemType = input.itemType;
     const recipient = normalizeRecipient(input.recipient);
     const contentKey = normalizeContentKey(input.contentKey);
-    const wrappingKey = await importRecipientWrappingKey(recipient.wrappingKey);
-    const nonce = globalThis.crypto.getRandomValues(new Uint8Array(AES_GCM_NONCE_LENGTH));
+    const wrappingAdapter = normalizeWrappingAdapter(input.wrappingAdapter);
     const payload = buildWrappedItemKeyPayload({
         contentKey,
         itemId,
         itemType,
     });
-    const plaintext = new TextEncoder().encode(JSON.stringify(payload));
     const additionalData = buildWrappingAdditionalData({
         itemId,
         itemType,
-        recipientId: recipient.wrappingKey.keyId,
+        recipientPublicKeyId: recipient.publicKey.keyId,
+    });
+    const wrapped = await wrappingAdapter.wrapDriveItemKey({
+        additionalData,
+        payload,
+        recipient,
     });
-    const encrypted = await globalThis.crypto.subtle.encrypt({
-        additionalData: toArrayBuffer(additionalData),
-        iv: nonce,
-        name: 'AES-GCM',
-    }, wrappingKey, toArrayBuffer(plaintext));
     return {
         payload,
-        wrappedItemKey: {
-            encryptedItemKey: encodeBase64Url(new Uint8Array(encrypted)),
-            keyAlgorithm: WRAPPED_ITEM_KEY_ALGORITHM,
-            keyNonce: encodeBase64Url(nonce),
-            keyRecipientId: recipient.wrappingKey.keyId,
-        },
+        wrappedItemKey: normalizeWrappedItemKeyOutput({
+            output: wrapped,
+            recipientPublicKeyId: recipient.publicKey.keyId,
+        }),
     };
 }
+export function createDriveWrappedFolderKeyForRecipient(input) {
+    const folderId = normalizeRequiredText(input.folderId, 'Drive folder id is required for key wrapping.');
+    const metadata = normalizeEncryptedDriveFolderMetadataInput({
+        encryptedName: input.encryptedFolderMetadata.encryptedName,
+    });
+    return createDriveWrappedItemKeyForRecipient({
+        contentKey: {
+            algorithm: 'AES-256-GCM',
+            keyId: `${FOLDER_METADATA_KEY_ID_PREFIX}:${folderId}`,
+            keyMaterialKind: 'folder-metadata-envelope',
+            wrappedKey: metadata.encryptedName,
+        },
+        itemId: folderId,
+        itemType: 'folder',
+        recipient: input.recipient,
+        wrappingAdapter: input.wrappingAdapter,
+    });
+}
 function buildWrappedItemKeyPayload({ contentKey, itemId, itemType, }) {
     return {
         schema: CONTENT_KEY_SCHEMA,
@@ -42,6 +56,7 @@ function buildWrappedItemKeyPayload({ contentKey, itemId, itemType, }) {
         itemType,
         contentAlgorithm: contentKey.algorithm,
         contentKey: contentKey.wrappedKey,
+        contentKeyMaterialKind: contentKey.keyMaterialKind,
         createdAt: new Date().toISOString(),
         ...(contentKey.keyId ? { contentKeyId: contentKey.keyId } : {}),
         ...(contentKey.nonce ? { contentNonce: contentKey.nonce } : {}),
@@ -51,7 +66,7 @@ function normalizeRecipient(recipient) {
     const accountId = normalizeOptionalText(recipient.accountId) ?? '';
     const userId = normalizeOptionalText(recipient.userId) ?? '';
     const username = normalizeOptionalText(recipient.username)?.replace(/^@/, '') ?? '';
-    const wrappingKey = normalizeRecipientWrappingKey(recipient.wrappingKey);
+    const publicKey = normalizeRecipientPublicKey(recipient.publicKey);
     if (!accountId && !userId && !username) {
         throw new Error('Drive share recipient must include accountId, userId or username.');
     }
@@ -59,17 +74,17 @@ function normalizeRecipient(recipient) {
         accountId,
         userId,
         username,
-        wrappingKey,
+        publicKey,
     };
 }
-function normalizeRecipientWrappingKey(key) {
-    if (key.algorithm !== 'AES-256-GCM') {
-        throw new Error(`Unsupported Drive recipient wrapping key algorithm: ${key.algorithm}`);
+function normalizeRecipientPublicKey(key) {
+    if (key.algorithm !== 'X25519') {
+        throw new Error(`Unsupported Drive recipient public key algorithm: ${key.algorithm}`);
     }
     return {
         algorithm: key.algorithm,
-        keyId: normalizeRequiredText(key.keyId, 'Drive recipient wrapping key id is required.'),
-        rawKeyBase64: normalizeRequiredText(key.rawKeyBase64, 'Drive recipient wrapping key material is required.'),
+        keyId: normalizeRequiredText(key.keyId, 'Drive recipient public key id is required.'),
+        publicKeyBase64: normalizeRequiredText(key.publicKeyBase64, 'Drive recipient public key material is required.'),
     };
 }
 function normalizeContentKey(contentKey) {
@@ -80,21 +95,39 @@ function normalizeContentKey(contentKey) {
     return {
         algorithm,
         keyId: normalizeOptionalText(contentKey.keyId) ?? '',
+        keyMaterialKind: normalizeKeyMaterialKind(contentKey.keyMaterialKind),
         nonce: normalizeOptionalText(contentKey.nonce) ?? '',
         wrappedKey: normalizeRequiredText(contentKey.wrappedKey, 'Drive item content key is required.'),
     };
 }
-async function importRecipientWrappingKey(key) {
-    const keyBytes = decodeBase64Url(key.rawKeyBase64);
-    if (keyBytes.byteLength !== AES_256_KEY_LENGTH) {
-        throw new Error('Drive recipient wrapping key must be 32 bytes for AES-256-GCM.');
+function normalizeKeyMaterialKind(kind) {
+    const normalized = normalizeOptionalText(kind) ?? 'content-key';
+    if (normalized !== 'content-key' &&
+        normalized !== 'folder-metadata-envelope') {
+        throw new Error(`Unsupported Drive item key material kind: ${normalized}`);
+    }
+    return normalized;
+}
+function normalizeWrappingAdapter(adapter) {
+    if (!adapter || typeof adapter.wrapDriveItemKey !== 'function') {
+        throw new Error('Drive public-key wrapping adapter is not configured.');
     }
-    return globalThis.crypto.subtle.importKey('raw', toArrayBuffer(keyBytes), {
-        name: 'AES-GCM',
-    }, false, ['encrypt']);
+    return adapter;
 }
-function buildWrappingAdditionalData({ itemId, itemType, recipientId, }) {
-    return new TextEncoder().encode(`${CONTENT_KEY_SCHEMA}:${itemType}:${itemId}:${recipientId}`);
+function normalizeWrappedItemKeyOutput({ output, recipientPublicKeyId, }) {
+    const encryptedItemKey = normalizeRequiredText(output.encryptedItemKey, 'Drive public-key wrapping adapter returned empty encrypted item key.');
+    const keyAlgorithm = normalizeOptionalText(output.keyAlgorithm) ?? WRAPPED_ITEM_KEY_ALGORITHM;
+    const keyNonce = normalizeOptionalText(output.keyNonce);
+    const keyRecipientId = normalizeOptionalText(output.keyRecipientId) ?? recipientPublicKeyId;
+    return {
+        encryptedItemKey,
+        keyAlgorithm,
+        ...(keyNonce ? { keyNonce } : {}),
+        keyRecipientId,
+    };
+}
+function buildWrappingAdditionalData({ itemId, itemType, recipientPublicKeyId, }) {
+    return `${CONTENT_KEY_SCHEMA}:${itemType}:${itemId}:${recipientPublicKeyId}`;
 }
 function normalizeRequiredText(value, message) {
     const normalized = normalizeOptionalText(value);
@@ -107,27 +140,3 @@ function normalizeOptionalText(value) {
     const normalized = value?.trim();
     return normalized ? normalized : undefined;
 }
-function decodeBase64Url(value) {
-    const normalized = value.trim().replace(/-/g, '+').replace(/_/g, '/');
-    const padded = normalized.padEnd(normalized.length + ((4 - (normalized.length % 4)) % 4), '=');
-    const decoded = globalThis.atob(padded);
-    const bytes = new Uint8Array(decoded.length);
-    for (let index = 0; index < decoded.length; index += 1) {
-        bytes[index] = decoded.charCodeAt(index);
-    }
-    return bytes;
-}
-function encodeBase64Url(bytes) {
-    let binary = '';
-    for (const byte of bytes) {
-        binary += String.fromCharCode(byte);
-    }
-    return globalThis
-        .btoa(binary)
-        .replace(/\+/g, '-')
-        .replace(/\//g, '_')
-        .replace(/=+$/g, '');
-}
-function toArrayBuffer(bytes) {
-    return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
-}

package/dist/client/drive-sharing.js

@@ -1,4 +1,4 @@
-const DEFAULT_KEY_ALGORITHM = 'X25519-AES-256-GCM';
+const DEFAULT_KEY_ALGORITHM = 'MSS-DRIVE-PUBLIC-KEY-WRAPPED-ITEM-KEY-v1';
 export function createDriveShareGrantPayload(input) {
     return {
         ...normalizeWrappedItemKey(input.wrappedItemKey),

package/dist/client/mss-link-browser-client.d.ts

@@ -4,7 +4,7 @@ import type { DecryptMediaBlobInput, DecryptedMediaBlobResult, EncryptedMediaBlo
 import type { SendMediaMessageParams } from './media-message.contracts';
 import type { DecryptedMessage } from './message.contracts';
 import type { DecryptDriveFileMetadataInput, DecryptDriveFolderMetadataInput, DecryptedDriveFileMetadata, DecryptedDriveFolderMetadata, EncryptedDriveFileMetadata, EncryptedDriveFolderMetadata, EncryptDriveFileMetadataInput, EncryptDriveFolderMetadataInput } from './storage-metadata-crypto.contracts';
-import type { CreateDriveWrappedItemKeyForRecipientInput, DriveWrappedItemKeyForRecipientResult } from './drive-key-wrapping.contracts';
+import type { CreateDriveWrappedFolderKeyForRecipientInput, CreateDriveWrappedItemKeyForRecipientInput, DriveWrappedItemKeyForRecipientResult } from './drive-key-wrapping.contracts';
 export declare class MssLinkBrowserClient {
     private readonly userId;
     private readonly apiBaseUrl;
@@ -36,6 +36,7 @@ export declare class MssLinkBrowserClient {
     encryptDriveFileMetadata(input: EncryptDriveFileMetadataInput): Promise<EncryptedDriveFileMetadata>;
     decryptDriveFileMetadata(input: DecryptDriveFileMetadataInput): Promise<DecryptedDriveFileMetadata>;
     createDriveWrappedItemKeyForRecipient(input: CreateDriveWrappedItemKeyForRecipientInput): Promise<DriveWrappedItemKeyForRecipientResult>;
+    createDriveWrappedFolderKeyForRecipient(input: CreateDriveWrappedFolderKeyForRecipientInput): Promise<DriveWrappedItemKeyForRecipientResult>;
     syncMessages(): Promise<void>;
     getLocalMessages(chatId: string): Promise<DecryptedMessage[]>;
     reset(): void;

package/dist/client/mss-link-browser-client.js

@@ -4,7 +4,7 @@ import { checkLocalCryptoHealth } from './local-crypto-health';
 import { buildMediaMessageMetadataPayload, extractMediaAssetIds, serializeMediaMessageMetadata, } from './media-message-metadata';
 import { mapLocalSdkMessage } from './message.mapper';
 import { buildDecryptedDriveFileMetadata, buildDecryptedDriveFolderMetadata, buildEncryptedDriveFileMetadata, buildEncryptedDriveFolderMetadata, normalizeDriveFileMetadataInput, normalizeDriveFolderMetadataInput, normalizeEncryptedDriveFileMetadataInput, normalizeEncryptedDriveFolderMetadataInput, } from './storage-metadata-crypto';
-import { createDriveWrappedItemKeyForRecipient } from './drive-key-wrapping';
+import { createDriveWrappedFolderKeyForRecipient, createDriveWrappedItemKeyForRecipient, } from './drive-key-wrapping';
 import { WasmCallQueue } from './wasm-call-queue';
 const DEFAULT_DEVICE_ID = 1;
 const DEFAULT_REGISTRATION_ID = 1;
@@ -213,6 +213,9 @@ export class MssLinkBrowserClient {
     createDriveWrappedItemKeyForRecipient(input) {
         return createDriveWrappedItemKeyForRecipient(input);
     }
+    createDriveWrappedFolderKeyForRecipient(input) {
+        return createDriveWrappedFolderKeyForRecipient(input);
+    }
     async syncMessages() {
         try {
             await this.runWithClient((client) => client.syncMessages());

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@msssystems/mss-link-sdk",
-  "version": "0.1.10",
+  "version": "0.1.12",
   "description": "Official managed application SDK for MSS ecosystem",
   "type": "module",
   "main": "./dist/index.js",