@mysten/seal 0.1.0 → 0.3.0

package/dist/cjs/key-server.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/key-server.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport { fromBase64, fromHex, toHex } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\nimport type { SuiClient } from '@mysten/sui/client';\nimport { bls12_381 } from '@noble/curves/bls12-381';\n\nimport { DST_POP } from './ibe.js';\n\nexport type KeyServer = {\n\tobjectId: Uint8Array;\n\tname: string;\n\turl: string;\n\tkeyType: KeyServerType;\n\tpk: Uint8Array;\n};\n\nexport enum KeyServerType {\n\tBonehFranklinBLS12381 = 0,\n}\n\n// The Move struct for the KeyServer object.\nconst KeyServerMove = bcs.struct('KeyServer', {\n\tid: bcs.Address,\n\tname: bcs.string(),\n\turl: bcs.string(),\n\tkey_type: bcs.u8(),\n\tpk: bcs.vector(bcs.u8()),\n});\n\n/**\n * Returns a static list of Seal key server object ids that the dapp can choose to use.\n * @param network - The network to use.\n * @returns The object id's of the key servers.\n */\nexport function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): Uint8Array[] {\n\tif (network === 'testnet') {\n\t\treturn [\n\t\t\tfromHex('0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8'),\n\t\t\tfromHex('0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06'),\n\t\t];\n\t} else {\n\t\tthrow new Error('Network not supported');\n\t}\n}\n\n/**\n * Given a list of key server object IDs, returns a list of SealKeyServer\n * from onchain state containing name, objectId, URL and pk.\n *\n * @param objectIds - The key server object IDs.\n * @param client - The SuiClient to use.\n * @returns - An array of SealKeyServer.\n */\nexport async function retrieveKeyServers({\n\tobjectIds,\n\tclient,\n}: {\n\tobjectIds: Uint8Array[];\n\tclient: SuiClient;\n}): Promise<KeyServer[]> {\n\treturn await Promise.all(\n\t\tobjectIds.map(async (objectId) => {\n\t\t\tconst res = await client.getObject({\n\t\t\t\tid: toHex(objectId),\n\t\t\t\toptions: {\n\t\t\t\t\tshowBcs: true,\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!res || res.error || !res.data) {\n\t\t\t\tthrow new Error(`KeyServer ${objectId} not found; ${res.error}`);\n\t\t\t}\n\n\t\t\tif (!res.data.bcs || !('bcsBytes' in res.data.bcs)) {\n\t\t\t\tthrow new Error(`Invalid KeyServer query: ${objectId}, expected object, got package`);\n\t\t\t}\n\n\t\t\tlet ks = KeyServerMove.parse(fromBase64(res.data.bcs!.bcsBytes));\n\t\t\tif (ks.key_type !== 0) {\n\t\t\t\tthrow new Error('Unsupported key type');\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tobjectId,\n\t\t\t\tname: ks.name,\n\t\t\t\turl: ks.url,\n\t\t\t\tkeyType: KeyServerType.BonehFranklinBLS12381,\n\t\t\t\tpk: new Uint8Array(ks.pk),\n\t\t\t};\n\t\t}),\n\t);\n}\n\n/**\n * Given a KeyServer, fetch the proof of possesion (PoP) from the URL and verify it\n * against the pubkey. This should be used only rarely when the dapp uses a dynamic\n * set of key servers.\n *\n * @param server - The KeyServer to verify.\n * @returns - True if the key server is valid, false otherwise.\n */\nexport async function verifyKeyServer(server: KeyServer): Promise<boolean> {\n\tconst response = await fetch(server.url! + '/v1/service', {\n\t\tmethod: 'GET',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t},\n\t});\n\tconst serviceResponse = await response.json();\n\n\tif (serviceResponse.service_id !== server.objectId) {\n\t\treturn false;\n\t}\n\tconst fullMsg = new Uint8Array([...DST_POP, ...server.pk, ...server.objectId]);\n\treturn bls12_381.verifyShortSignature(fromBase64(serviceResponse.pop), fullMsg, server.pk);\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,iBAA2C;AAC3C,IAAAA,cAAoB;AAEpB,uBAA0B;AAE1B,iBAAwB;AAUjB,IAAK,gBAAL,kBAAKC,mBAAL;AACN,EAAAA,8BAAA,2BAAwB,KAAxB;AADW,SAAAA;AAAA,GAAA;AAKZ,MAAM,gBAAgB,gBAAI,OAAO,aAAa;AAAA,EAC7C,IAAI,gBAAI;AAAA,EACR,MAAM,gBAAI,OAAO;AAAA,EACjB,KAAK,gBAAI,OAAO;AAAA,EAChB,UAAU,gBAAI,GAAG;AAAA,EACjB,IAAI,gBAAI,OAAO,gBAAI,GAAG,CAAC;AACxB,CAAC;AAOM,SAAS,yBAAyB,SAA8C;AACtF,MAAI,YAAY,WAAW;AAC1B,WAAO;AAAA,UACN,oBAAQ,oEAAoE;AAAA,UAC5E,oBAAQ,oEAAoE;AAAA,IAC7E;AAAA,EACD,OAAO;AACN,UAAM,IAAI,MAAM,uBAAuB;AAAA,EACxC;AACD;AAUA,eAAsB,mBAAmB;AAAA,EACxC;AAAA,EACA;AACD,GAGyB;AACxB,SAAO,MAAM,QAAQ;AAAA,IACpB,UAAU,IAAI,OAAO,aAAa;AACjC,YAAM,MAAM,MAAM,OAAO,UAAU;AAAA,QAClC,QAAI,kBAAM,QAAQ;AAAA,QAClB,SAAS;AAAA,UACR,SAAS;AAAA,QACV;AAAA,MACD,CAAC;AACD,UAAI,CAAC,OAAO,IAAI,SAAS,CAAC,IAAI,MAAM;AACnC,cAAM,IAAI,MAAM,aAAa,QAAQ,eAAe,IAAI,KAAK,EAAE;AAAA,MAChE;AAEA,UAAI,CAAC,IAAI,KAAK,OAAO,EAAE,cAAc,IAAI,KAAK,MAAM;AACnD,cAAM,IAAI,MAAM,4BAA4B,QAAQ,gCAAgC;AAAA,MACrF;AAEA,UAAI,KAAK,cAAc,UAAM,uBAAW,IAAI,KAAK,IAAK,QAAQ,CAAC;AAC/D,UAAI,GAAG,aAAa,GAAG;AACtB,cAAM,IAAI,MAAM,sBAAsB;AAAA,MACvC;AAEA,aAAO;AAAA,QACN;AAAA,QACA,MAAM,GAAG;AAAA,QACT,KAAK,GAAG;AAAA,QACR,SAAS;AAAA,QACT,IAAI,IAAI,WAAW,GAAG,EAAE;AAAA,MACzB;AAAA,IACD,CAAC;AAAA,EACF;AACD;AAUA,eAAsB,gBAAgB,QAAqC;AAC1E,QAAM,WAAW,MAAM,MAAM,OAAO,MAAO,eAAe;AAAA,IACzD,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,IACjB;AAAA,EACD,CAAC;AACD,QAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,MAAI,gBAAgB,eAAe,OAAO,UAAU;AACnD,WAAO;AAAA,EACR;AACA,QAAM,UAAU,IAAI,WAAW,CAAC,GAAG,oBAAS,GAAG,OAAO,IAAI,GAAG,OAAO,QAAQ,CAAC;AAC7E,SAAO,2BAAU,yBAAqB,uBAAW,gBAAgB,GAAG,GAAG,SAAS,OAAO,EAAE;AAC1F;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport { fromBase64, fromHex } from '@mysten/bcs';\nimport type { SuiClient } from '@mysten/sui/client';\nimport { bls12_381 } from '@noble/curves/bls12-381';\n\nimport { KeyServerMove } from './bcs.js';\nimport {\n\tInvalidGetObjectError,\n\tSealAPIError,\n\tUnsupportedFeatureError,\n\tUnsupportedNetworkError,\n} from './error.js';\nimport { DST_POP } from './ibe.js';\nimport { PACKAGE_VERSION } from './version.js';\n\nexport type KeyServer = {\n\tobjectId: string;\n\tname: string;\n\turl: string;\n\tkeyType: KeyServerType;\n\tpk: Uint8Array;\n};\n\nexport enum KeyServerType {\n\tBonehFranklinBLS12381 = 0,\n}\n\n/**\n * Returns a static list of Seal key server object ids that the dapp can choose to use.\n * @param network - The network to use.\n * @returns The object id's of the key servers.\n */\nexport function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): string[] {\n\tif (network === 'testnet') {\n\t\treturn [\n\t\t\t'0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8',\n\t\t\t'0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06',\n\t\t];\n\t} else {\n\t\tthrow new UnsupportedNetworkError(`Unsupported network ${network}`);\n\t}\n}\n\n/**\n * Given a list of key server object IDs, returns a list of SealKeyServer\n * from onchain state containing name, objectId, URL and pk.\n *\n * @param objectIds - The key server object IDs.\n * @param client - The SuiClient to use.\n * @returns - An array of SealKeyServer.\n */\nexport async function retrieveKeyServers({\n\tobjectIds,\n\tclient,\n}: {\n\tobjectIds: string[];\n\tclient: SuiClient;\n}): Promise<KeyServer[]> {\n\t// todo: do not fetch the same object ID if this is fetched before.\n\treturn await Promise.all(\n\t\tobjectIds.map(async (objectId) => {\n\t\t\tconst res = await client.getObject({\n\t\t\t\tid: objectId,\n\t\t\t\toptions: {\n\t\t\t\t\tshowBcs: true,\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!res || res.error || !res.data) {\n\t\t\t\tthrow new InvalidGetObjectError(`KeyServer ${objectId} not found; ${res.error}`);\n\t\t\t}\n\n\t\t\tif (!res.data.bcs || !('bcsBytes' in res.data.bcs)) {\n\t\t\t\tthrow new InvalidGetObjectError(\n\t\t\t\t\t`Invalid KeyServer query: ${objectId}, expected object, got package`,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tlet ks = KeyServerMove.parse(fromBase64(res.data.bcs!.bcsBytes));\n\t\t\tif (ks.keyType !== 0) {\n\t\t\t\tthrow new UnsupportedFeatureError(`Unsupported key type ${ks.keyType}`);\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tobjectId,\n\t\t\t\tname: ks.name,\n\t\t\t\turl: ks.url,\n\t\t\t\tkeyType: KeyServerType.BonehFranklinBLS12381,\n\t\t\t\tpk: new Uint8Array(ks.pk),\n\t\t\t};\n\t\t}),\n\t);\n}\n\n/**\n * Given a KeyServer, fetch the proof of possession (PoP) from the URL and verify it\n * against the pubkey. This should be used only rarely when the dapp uses a dynamic\n * set of key servers.\n *\n * @param server - The KeyServer to verify.\n * @returns - True if the key server is valid, false otherwise.\n */\nexport async function verifyKeyServer(server: KeyServer, timeout: number): Promise<boolean> {\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(server.url! + '/v1/service', {\n\t\tmethod: 'GET',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t},\n\t\tsignal: AbortSignal.timeout(timeout),\n\t});\n\n\tawait SealAPIError.assertResponse(response, requestId);\n\tconst serviceResponse = await response.json();\n\n\tif (serviceResponse.service_id !== server.objectId) {\n\t\treturn false;\n\t}\n\tconst fullMsg = new Uint8Array([...DST_POP, ...server.pk, ...fromHex(server.objectId)]);\n\treturn bls12_381.verifyShortSignature(fromBase64(serviceResponse.pop), fullMsg, server.pk);\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,iBAAoC;AAEpC,uBAA0B;AAE1B,IAAAA,cAA8B;AAC9B,mBAKO;AACP,iBAAwB;AACxB,qBAAgC;AAUzB,IAAK,gBAAL,kBAAKC,mBAAL;AACN,EAAAA,8BAAA,2BAAwB,KAAxB;AADW,SAAAA;AAAA,GAAA;AASL,SAAS,yBAAyB,SAA0C;AAClF,MAAI,YAAY,WAAW;AAC1B,WAAO;AAAA,MACN;AAAA,MACA;AAAA,IACD;AAAA,EACD,OAAO;AACN,UAAM,IAAI,qCAAwB,uBAAuB,OAAO,EAAE;AAAA,EACnE;AACD;AAUA,eAAsB,mBAAmB;AAAA,EACxC;AAAA,EACA;AACD,GAGyB;AAExB,SAAO,MAAM,QAAQ;AAAA,IACpB,UAAU,IAAI,OAAO,aAAa;AACjC,YAAM,MAAM,MAAM,OAAO,UAAU;AAAA,QAClC,IAAI;AAAA,QACJ,SAAS;AAAA,UACR,SAAS;AAAA,QACV;AAAA,MACD,CAAC;AACD,UAAI,CAAC,OAAO,IAAI,SAAS,CAAC,IAAI,MAAM;AACnC,cAAM,IAAI,mCAAsB,aAAa,QAAQ,eAAe,IAAI,KAAK,EAAE;AAAA,MAChF;AAEA,UAAI,CAAC,IAAI,KAAK,OAAO,EAAE,cAAc,IAAI,KAAK,MAAM;AACnD,cAAM,IAAI;AAAA,UACT,4BAA4B,QAAQ;AAAA,QACrC;AAAA,MACD;AAEA,UAAI,KAAK,0BAAc,UAAM,uBAAW,IAAI,KAAK,IAAK,QAAQ,CAAC;AAC/D,UAAI,GAAG,YAAY,GAAG;AACrB,cAAM,IAAI,qCAAwB,wBAAwB,GAAG,OAAO,EAAE;AAAA,MACvE;AAEA,aAAO;AAAA,QACN;AAAA,QACA,MAAM,GAAG;AAAA,QACT,KAAK,GAAG;AAAA,QACR,SAAS;AAAA,QACT,IAAI,IAAI,WAAW,GAAG,EAAE;AAAA,MACzB;AAAA,IACD,CAAC;AAAA,EACF;AACD;AAUA,eAAsB,gBAAgB,QAAmB,SAAmC;AAC3F,QAAM,YAAY,OAAO,WAAW;AACpC,QAAM,WAAW,MAAM,MAAM,OAAO,MAAO,eAAe;AAAA,IACzD,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,MAChB,cAAc;AAAA,MACd,mBAAmB;AAAA,MACnB,sBAAsB;AAAA,IACvB;AAAA,IACA,QAAQ,YAAY,QAAQ,OAAO;AAAA,EACpC,CAAC;AAED,QAAM,0BAAa,eAAe,UAAU,SAAS;AACrD,QAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,MAAI,gBAAgB,eAAe,OAAO,UAAU;AACnD,WAAO;AAAA,EACR;AACA,QAAM,UAAU,IAAI,WAAW,CAAC,GAAG,oBAAS,GAAG,OAAO,IAAI,OAAG,oBAAQ,OAAO,QAAQ,CAAC,CAAC;AACtF,SAAO,2BAAU,yBAAqB,uBAAW,gBAAgB,GAAG,GAAG,SAAS,OAAO,EAAE;AAC1F;",
   "names": ["import_bcs", "KeyServerType"]
 }

package/dist/cjs/keys.d.ts

@@ -0,0 +1,17 @@
+import type { Certificate } from './session-key.js';
+/**
+ * Helper function to request all keys from URL with requestSig, txBytes, ephemeral pubkey.
+ * Then decrypt the Seal key with ephemeral secret key. Returns a list decryption keys with
+ * their full IDs.
+ *
+ * @param url - The URL of the key server.
+ * @param requestSig - The Base64 string of request signature.
+ * @param txBytes - The transaction bytes.
+ * @param encKey - The ephemeral secret key.
+ * @param certificate - The certificate.
+ * @returns - A list of full ID and the decrypted key.
+ */
+export declare function fetchKeysForAllIds(url: string, requestSig: string, txBytes: Uint8Array, encKey: Uint8Array, certificate: Certificate, timeout: number, signal?: AbortSignal): Promise<{
+    fullId: string;
+    key: Uint8Array;
+}[]>;

package/dist/cjs/keys.js

@@ -0,0 +1,61 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var keys_exports = {};
+__export(keys_exports, {
+  fetchKeysForAllIds: () => fetchKeysForAllIds
+});
+module.exports = __toCommonJS(keys_exports);
+var import_bcs = require("@mysten/bcs");
+var import_elgamal = require("./elgamal.js");
+var import_error = require("./error.js");
+var import_version = require("./version.js");
+async function fetchKeysForAllIds(url, requestSig, txBytes, encKey, certificate, timeout, signal) {
+  const encKeyPk = (0, import_elgamal.toPublicKey)(encKey);
+  const encVerificationKey = (0, import_elgamal.toVerificationKey)(encKey);
+  const body = {
+    ptb: (0, import_bcs.toBase64)(txBytes.slice(1)),
+    // removes the byte of the transaction type version
+    enc_key: (0, import_bcs.toBase64)(encKeyPk),
+    enc_verification_key: (0, import_bcs.toBase64)(encVerificationKey),
+    request_signature: requestSig,
+    // already b64
+    certificate
+  };
+  const timeoutSignal = AbortSignal.timeout(timeout);
+  const combinedSignal = signal ? AbortSignal.any([signal, timeoutSignal]) : timeoutSignal;
+  const requestId = crypto.randomUUID();
+  const response = await fetch(url + "/v1/fetch_key", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Request-Id": requestId,
+      "Client-Sdk-Type": "typescript",
+      "Client-Sdk-Version": import_version.PACKAGE_VERSION
+    },
+    body: JSON.stringify(body),
+    signal: combinedSignal
+  });
+  await import_error.SealAPIError.assertResponse(response, requestId);
+  const resp = await response.json();
+  return resp.decryption_keys.map((dk) => ({
+    fullId: (0, import_bcs.toHex)(new Uint8Array(dk.id)),
+    key: (0, import_elgamal.elgamalDecrypt)(encKey, dk.encrypted_key.map(import_bcs.fromBase64))
+  }));
+}
+//# sourceMappingURL=keys.js.map

package/dist/cjs/keys.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/keys.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromBase64, toBase64, toHex } from '@mysten/bcs';\n\nimport { elgamalDecrypt, toPublicKey, toVerificationKey } from './elgamal.js';\nimport { SealAPIError } from './error.js';\nimport type { Certificate } from './session-key.js';\nimport { PACKAGE_VERSION } from './version.js';\n\n/**\n * Helper function to request all keys from URL with requestSig, txBytes, ephemeral pubkey.\n * Then decrypt the Seal key with ephemeral secret key. Returns a list decryption keys with\n * their full IDs.\n *\n * @param url - The URL of the key server.\n * @param requestSig - The Base64 string of request signature.\n * @param txBytes - The transaction bytes.\n * @param encKey - The ephemeral secret key.\n * @param certificate - The certificate.\n * @returns - A list of full ID and the decrypted key.\n */\nexport async function fetchKeysForAllIds(\n\turl: string,\n\trequestSig: string,\n\ttxBytes: Uint8Array,\n\tencKey: Uint8Array,\n\tcertificate: Certificate,\n\ttimeout: number,\n\tsignal?: AbortSignal,\n): Promise<{ fullId: string; key: Uint8Array }[]> {\n\tconst encKeyPk = toPublicKey(encKey);\n\tconst encVerificationKey = toVerificationKey(encKey);\n\tconst body = {\n\t\tptb: toBase64(txBytes.slice(1)), // removes the byte of the transaction type version\n\t\tenc_key: toBase64(encKeyPk),\n\t\tenc_verification_key: toBase64(encVerificationKey),\n\t\trequest_signature: requestSig, // already b64\n\t\tcertificate,\n\t};\n\n\tconst timeoutSignal = AbortSignal.timeout(timeout);\n\tconst combinedSignal = signal ? AbortSignal.any([signal, timeoutSignal]) : timeoutSignal;\n\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(url + '/v1/fetch_key', {\n\t\tmethod: 'POST',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t},\n\t\tbody: JSON.stringify(body),\n\t\tsignal: combinedSignal,\n\t});\n\tawait SealAPIError.assertResponse(response, requestId);\n\n\tconst resp = await response.json();\n\treturn resp.decryption_keys.map((dk: { id: Uint8Array; encrypted_key: [string, string] }) => ({\n\t\tfullId: toHex(new Uint8Array(dk.id)),\n\t\tkey: elgamalDecrypt(encKey, dk.encrypted_key.map(fromBase64) as [Uint8Array, Uint8Array]),\n\t}));\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAA4C;AAE5C,qBAA+D;AAC/D,mBAA6B;AAE7B,qBAAgC;AAchC,eAAsB,mBACrB,KACA,YACA,SACA,QACA,aACA,SACA,QACiD;AACjD,QAAM,eAAW,4BAAY,MAAM;AACnC,QAAM,yBAAqB,kCAAkB,MAAM;AACnD,QAAM,OAAO;AAAA,IACZ,SAAK,qBAAS,QAAQ,MAAM,CAAC,CAAC;AAAA;AAAA,IAC9B,aAAS,qBAAS,QAAQ;AAAA,IAC1B,0BAAsB,qBAAS,kBAAkB;AAAA,IACjD,mBAAmB;AAAA;AAAA,IACnB;AAAA,EACD;AAEA,QAAM,gBAAgB,YAAY,QAAQ,OAAO;AACjD,QAAM,iBAAiB,SAAS,YAAY,IAAI,CAAC,QAAQ,aAAa,CAAC,IAAI;AAE3E,QAAM,YAAY,OAAO,WAAW;AACpC,QAAM,WAAW,MAAM,MAAM,MAAM,iBAAiB;AAAA,IACnD,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,MAChB,cAAc;AAAA,MACd,mBAAmB;AAAA,MACnB,sBAAsB;AAAA,IACvB;AAAA,IACA,MAAM,KAAK,UAAU,IAAI;AAAA,IACzB,QAAQ;AAAA,EACT,CAAC;AACD,QAAM,0BAAa,eAAe,UAAU,SAAS;AAErD,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,SAAO,KAAK,gBAAgB,IAAI,CAAC,QAA6D;AAAA,IAC7F,YAAQ,kBAAM,IAAI,WAAW,GAAG,EAAE,CAAC;AAAA,IACnC,SAAK,+BAAe,QAAQ,GAAG,cAAc,IAAI,qBAAU,CAA6B;AAAA,EACzF,EAAE;AACH;",
+  "names": []
+}

package/dist/cjs/session-key.d.ts

@@ -1,36 +1,42 @@
+import type { Signer } from '@mysten/sui/cryptography';
 export declare const RequestFormat: import("@mysten/bcs").BcsType<{
     ptb: number[];
-    enc_key: number[];
-    enc_verification_key: number[];
+    encKey: number[];
+    encVerificationKey: number[];
 }, {
     ptb: Iterable<number> & {
         length: number;
     };
-    enc_key: Iterable<number> & {
+    encKey: Iterable<number> & {
         length: number;
     };
-    enc_verification_key: Iterable<number> & {
+    encVerificationKey: Iterable<number> & {
         length: number;
     };
 }>;
 export type Certificate = {
+    user: string;
     session_vk: string;
     creation_time: number;
     ttl_min: number;
     signature: string;
 };
 export declare class SessionKey {
-    private packageId;
-    private creationTime;
-    private ttlMin;
-    private session_key;
-    private personalMessageSignature;
-    constructor(packageId: Uint8Array, ttlMin: number);
+    #private;
+    constructor({ address, packageId, ttlMin, signer, }: {
+        address: string;
+        packageId: string;
+        ttlMin: number;
+        signer?: Signer;
+    });
+    isExpired(): boolean;
+    getAddress(): string;
+    getPackageId(): string;
     getPersonalMessage(): Uint8Array;
-    setPersonalMessageSignature(personalMessageSignature: string): void;
-    getCertificate(): Certificate;
+    setPersonalMessageSignature(personalMessageSignature: string): Promise<void>;
+    getCertificate(): Promise<Certificate>;
     createRequestParams(txBytes: Uint8Array): Promise<{
-        decryption_key: Uint8Array;
-        request_signature: string;
+        decryptionKey: Uint8Array;
+        requestSignature: string;
     }>;
 }

package/dist/cjs/session-key.js

@@ -3,6 +3,9 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
@@ -16,6 +19,10 @@ var __copyProps = (to, from, except, desc) => {
   return to;
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
 var session_key_exports = {};
 __export(session_key_exports, {
   RequestFormat: () => RequestFormat,
@@ -24,50 +31,110 @@ __export(session_key_exports, {
 module.exports = __toCommonJS(session_key_exports);
 var import_bcs = require("@mysten/bcs");
 var import_bcs2 = require("@mysten/sui/bcs");
+var import_graphql = require("@mysten/sui/graphql");
 var import_ed25519 = require("@mysten/sui/keypairs/ed25519");
+var import_utils = require("@mysten/sui/utils");
+var import_verify = require("@mysten/sui/verify");
 var import_elgamal = require("./elgamal.js");
+var import_error = require("./error.js");
+var _address, _packageId, _creationTimeMs, _ttlMin, _sessionKey, _personalMessageSignature, _signer;
 const RequestFormat = import_bcs2.bcs.struct("RequestFormat", {
   ptb: import_bcs2.bcs.vector(import_bcs2.bcs.U8),
-  enc_key: import_bcs2.bcs.vector(import_bcs2.bcs.U8),
-  enc_verification_key: import_bcs2.bcs.vector(import_bcs2.bcs.U8)
+  encKey: import_bcs2.bcs.vector(import_bcs2.bcs.U8),
+  encVerificationKey: import_bcs2.bcs.vector(import_bcs2.bcs.U8)
 });
 class SessionKey {
-  constructor(packageId, ttlMin) {
-    this.packageId = packageId;
-    this.creationTime = Date.now();
-    this.ttlMin = ttlMin;
-    this.session_key = import_ed25519.Ed25519Keypair.generate();
-    this.personalMessageSignature = "";
+  constructor({
+    address,
+    packageId,
+    ttlMin,
+    signer
+  }) {
+    __privateAdd(this, _address);
+    __privateAdd(this, _packageId);
+    __privateAdd(this, _creationTimeMs);
+    __privateAdd(this, _ttlMin);
+    __privateAdd(this, _sessionKey);
+    __privateAdd(this, _personalMessageSignature);
+    __privateAdd(this, _signer);
+    if (!(0, import_utils.isValidSuiObjectId)(packageId) || !(0, import_utils.isValidSuiAddress)(address)) {
+      throw new import_error.UserError(`Invalid package ID ${packageId} or address ${address}`);
+    }
+    if (ttlMin > 10 || ttlMin < 1) {
+      throw new import_error.UserError(`Invalid TTL ${ttlMin}, must be between 1 and 10`);
+    }
+    __privateSet(this, _address, address);
+    __privateSet(this, _packageId, packageId);
+    __privateSet(this, _creationTimeMs, Date.now());
+    __privateSet(this, _ttlMin, ttlMin);
+    __privateSet(this, _sessionKey, import_ed25519.Ed25519Keypair.generate());
+    __privateSet(this, _signer, signer);
+  }
+  isExpired() {
+    return __privateGet(this, _creationTimeMs) + __privateGet(this, _ttlMin) * 60 * 1e3 - 1e4 < Date.now();
+  }
+  getAddress() {
+    return __privateGet(this, _address);
+  }
+  getPackageId() {
+    return __privateGet(this, _packageId);
   }
   getPersonalMessage() {
-    const message = `Requesting access to keys of package ${(0, import_bcs.toHex)(this.packageId)} for ${this.ttlMin} mins, session key ${(0, import_bcs.toBase64)(this.session_key.getPublicKey().toRawBytes())}, created at ${this.creationTime}`;
+    const creationTimeUtc = new Date(__privateGet(this, _creationTimeMs)).toISOString().slice(0, 19).replace("T", " ") + " UTC";
+    const message = `Accessing keys of package ${__privateGet(this, _packageId)} for ${__privateGet(this, _ttlMin)} mins from ${creationTimeUtc}, session key ${(0, import_bcs.toBase64)(__privateGet(this, _sessionKey).getPublicKey().toRawBytes())}`;
     return new TextEncoder().encode(message);
   }
-  setPersonalMessageSignature(personalMessageSignature) {
-    this.personalMessageSignature = personalMessageSignature;
+  async setPersonalMessageSignature(personalMessageSignature) {
+    try {
+      await (0, import_verify.verifyPersonalMessageSignature)(this.getPersonalMessage(), personalMessageSignature, {
+        address: __privateGet(this, _address),
+        client: new import_graphql.SuiGraphQLClient({
+          url: "https://sui-testnet.mystenlabs.com/graphql"
+        })
+      });
+      __privateSet(this, _personalMessageSignature, personalMessageSignature);
+    } catch (e) {
+      throw new import_error.InvalidPersonalMessageSignatureError("Not valid");
+    }
   }
-  getCertificate() {
-    if (this.personalMessageSignature === "") {
-      throw new Error("Personal message signature is not set");
+  async getCertificate() {
+    if (!__privateGet(this, _personalMessageSignature)) {
+      if (__privateGet(this, _signer)) {
+        const { signature } = await __privateGet(this, _signer).signPersonalMessage(this.getPersonalMessage());
+        __privateSet(this, _personalMessageSignature, signature);
+      } else {
+        throw new import_error.InvalidPersonalMessageSignatureError("Personal message signature is not set");
+      }
     }
     return {
-      session_vk: (0, import_bcs.toBase64)(this.session_key.getPublicKey().toRawBytes()),
-      creation_time: this.creationTime,
-      ttl_min: this.ttlMin,
-      signature: this.personalMessageSignature
+      user: __privateGet(this, _address),
+      session_vk: (0, import_bcs.toBase64)(__privateGet(this, _sessionKey).getPublicKey().toRawBytes()),
+      creation_time: __privateGet(this, _creationTimeMs),
+      ttl_min: __privateGet(this, _ttlMin),
+      signature: __privateGet(this, _personalMessageSignature)
     };
   }
   async createRequestParams(txBytes) {
-    let eg_sk = (0, import_elgamal.generateSecretKey)();
+    if (this.isExpired()) {
+      throw new import_error.ExpiredSessionKeyError();
+    }
+    const egSk = (0, import_elgamal.generateSecretKey)();
     const msgToSign = RequestFormat.serialize({
       ptb: txBytes.slice(1),
-      enc_key: (0, import_elgamal.toPublicKey)(eg_sk),
-      enc_verification_key: (0, import_elgamal.toVerificationKey)(eg_sk)
+      encKey: (0, import_elgamal.toPublicKey)(egSk),
+      encVerificationKey: (0, import_elgamal.toVerificationKey)(egSk)
     }).toBytes();
     return {
-      decryption_key: eg_sk,
-      request_signature: (0, import_bcs.toBase64)(await this.session_key.sign(msgToSign))
+      decryptionKey: egSk,
+      requestSignature: (0, import_bcs.toBase64)(await __privateGet(this, _sessionKey).sign(msgToSign))
     };
   }
 }
+_address = new WeakMap();
+_packageId = new WeakMap();
+_creationTimeMs = new WeakMap();
+_ttlMin = new WeakMap();
+_sessionKey = new WeakMap();
+_personalMessageSignature = new WeakMap();
+_signer = new WeakMap();
 //# sourceMappingURL=session-key.js.map

package/dist/cjs/session-key.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/session-key.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { toBase64, toHex } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\nimport { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';\n\nimport { generateSecretKey, toPublicKey, toVerificationKey } from './elgamal.js';\n\nexport const RequestFormat = bcs.struct('RequestFormat', {\n\tptb: bcs.vector(bcs.U8),\n\tenc_key: bcs.vector(bcs.U8),\n\tenc_verification_key: bcs.vector(bcs.U8),\n});\n\nexport type Certificate = {\n\tsession_vk: string;\n\tcreation_time: number;\n\tttl_min: number;\n\tsignature: string;\n};\n\nexport class SessionKey {\n\tprivate packageId: Uint8Array;\n\tprivate creationTime: number;\n\tprivate ttlMin: number;\n\tprivate session_key: Ed25519Keypair;\n\tprivate personalMessageSignature: string;\n\n\tconstructor(packageId: Uint8Array, ttlMin: number) {\n\t\tthis.packageId = packageId;\n\t\tthis.creationTime = Date.now();\n\t\tthis.ttlMin = ttlMin;\n\t\tthis.session_key = Ed25519Keypair.generate();\n\t\tthis.personalMessageSignature = '';\n\t}\n\n\tgetPersonalMessage(): Uint8Array {\n\t\t// TODO: decide if we want 0x on the server end\n\t\tconst message = `Requesting access to keys of package ${toHex(this.packageId)} for ${this.ttlMin} mins, session key ${toBase64(this.session_key.getPublicKey().toRawBytes())}, created at ${this.creationTime}`;\n\t\treturn new TextEncoder().encode(message);\n\t}\n\n\tsetPersonalMessageSignature(personalMessageSignature: string) {\n\t\tthis.personalMessageSignature = personalMessageSignature;\n\t}\n\n\tgetCertificate(): Certificate {\n\t\tif (this.personalMessageSignature === '') {\n\t\t\tthrow new Error('Personal message signature is not set');\n\t\t}\n\t\treturn {\n\t\t\tsession_vk: toBase64(this.session_key.getPublicKey().toRawBytes()),\n\t\t\tcreation_time: this.creationTime,\n\t\t\tttl_min: this.ttlMin,\n\t\t\tsignature: this.personalMessageSignature,\n\t\t};\n\t}\n\n\tasync createRequestParams(\n\t\ttxBytes: Uint8Array,\n\t): Promise<{ decryption_key: Uint8Array; request_signature: string }> {\n\t\tlet eg_sk = generateSecretKey();\n\t\tconst msgToSign = RequestFormat.serialize({\n\t\t\tptb: txBytes.slice(1),\n\t\t\tenc_key: toPublicKey(eg_sk),\n\t\t\tenc_verification_key: toVerificationKey(eg_sk),\n\t\t}).toBytes();\n\t\treturn {\n\t\t\tdecryption_key: eg_sk,\n\t\t\trequest_signature: toBase64(await this.session_key.sign(msgToSign)),\n\t\t};\n\t}\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAAgC;AAChC,IAAAA,cAAoB;AACpB,qBAA+B;AAE/B,qBAAkE;AAE3D,MAAM,gBAAgB,gBAAI,OAAO,iBAAiB;AAAA,EACxD,KAAK,gBAAI,OAAO,gBAAI,EAAE;AAAA,EACtB,SAAS,gBAAI,OAAO,gBAAI,EAAE;AAAA,EAC1B,sBAAsB,gBAAI,OAAO,gBAAI,EAAE;AACxC,CAAC;AASM,MAAM,WAAW;AAAA,EAOvB,YAAY,WAAuB,QAAgB;AAClD,SAAK,YAAY;AACjB,SAAK,eAAe,KAAK,IAAI;AAC7B,SAAK,SAAS;AACd,SAAK,cAAc,8BAAe,SAAS;AAC3C,SAAK,2BAA2B;AAAA,EACjC;AAAA,EAEA,qBAAiC;AAEhC,UAAM,UAAU,4CAAwC,kBAAM,KAAK,SAAS,CAAC,QAAQ,KAAK,MAAM,0BAAsB,qBAAS,KAAK,YAAY,aAAa,EAAE,WAAW,CAAC,CAAC,gBAAgB,KAAK,YAAY;AAC7M,WAAO,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EACxC;AAAA,EAEA,4BAA4B,0BAAkC;AAC7D,SAAK,2BAA2B;AAAA,EACjC;AAAA,EAEA,iBAA8B;AAC7B,QAAI,KAAK,6BAA6B,IAAI;AACzC,YAAM,IAAI,MAAM,uCAAuC;AAAA,IACxD;AACA,WAAO;AAAA,MACN,gBAAY,qBAAS,KAAK,YAAY,aAAa,EAAE,WAAW,CAAC;AAAA,MACjE,eAAe,KAAK;AAAA,MACpB,SAAS,KAAK;AAAA,MACd,WAAW,KAAK;AAAA,IACjB;AAAA,EACD;AAAA,EAEA,MAAM,oBACL,SACqE;AACrE,QAAI,YAAQ,kCAAkB;AAC9B,UAAM,YAAY,cAAc,UAAU;AAAA,MACzC,KAAK,QAAQ,MAAM,CAAC;AAAA,MACpB,aAAS,4BAAY,KAAK;AAAA,MAC1B,0BAAsB,kCAAkB,KAAK;AAAA,IAC9C,CAAC,EAAE,QAAQ;AACX,WAAO;AAAA,MACN,gBAAgB;AAAA,MAChB,uBAAmB,qBAAS,MAAM,KAAK,YAAY,KAAK,SAAS,CAAC;AAAA,IACnE;AAAA,EACD;AACD;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { toBase64 } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\nimport type { Signer } from '@mysten/sui/cryptography';\nimport { SuiGraphQLClient } from '@mysten/sui/graphql';\nimport { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';\nimport { isValidSuiAddress, isValidSuiObjectId } from '@mysten/sui/utils';\nimport { verifyPersonalMessageSignature } from '@mysten/sui/verify';\n\nimport { generateSecretKey, toPublicKey, toVerificationKey } from './elgamal.js';\nimport {\n\tExpiredSessionKeyError,\n\tInvalidPersonalMessageSignatureError,\n\tUserError,\n} from './error.js';\n\nexport const RequestFormat = bcs.struct('RequestFormat', {\n\tptb: bcs.vector(bcs.U8),\n\tencKey: bcs.vector(bcs.U8),\n\tencVerificationKey: bcs.vector(bcs.U8),\n});\n\nexport type Certificate = {\n\tuser: string;\n\tsession_vk: string;\n\tcreation_time: number;\n\tttl_min: number;\n\tsignature: string;\n};\n\nexport class SessionKey {\n\t#address: string;\n\t#packageId: string;\n\t#creationTimeMs: number;\n\t#ttlMin: number;\n\t#sessionKey: Ed25519Keypair;\n\t#personalMessageSignature?: string;\n\t#signer?: Signer;\n\n\tconstructor({\n\t\taddress,\n\t\tpackageId,\n\t\tttlMin,\n\t\tsigner,\n\t}: {\n\t\taddress: string;\n\t\tpackageId: string;\n\t\tttlMin: number;\n\t\tsigner?: Signer;\n\t}) {\n\t\tif (!isValidSuiObjectId(packageId) || !isValidSuiAddress(address)) {\n\t\t\tthrow new UserError(`Invalid package ID ${packageId} or address ${address}`);\n\t\t}\n\t\tif (ttlMin > 10 || ttlMin < 1) {\n\t\t\tthrow new UserError(`Invalid TTL ${ttlMin}, must be between 1 and 10`);\n\t\t}\n\n\t\tthis.#address = address;\n\t\tthis.#packageId = packageId;\n\t\tthis.#creationTimeMs = Date.now();\n\t\tthis.#ttlMin = ttlMin;\n\t\tthis.#sessionKey = Ed25519Keypair.generate();\n\t\tthis.#signer = signer;\n\t}\n\n\tisExpired(): boolean {\n\t\t// Allow 10 seconds for clock skew\n\t\treturn this.#creationTimeMs + this.#ttlMin * 60 * 1000 - 10_000 < Date.now();\n\t}\n\n\tgetAddress(): string {\n\t\treturn this.#address;\n\t}\n\n\tgetPackageId(): string {\n\t\treturn this.#packageId;\n\t}\n\n\tgetPersonalMessage(): Uint8Array {\n\t\tconst creationTimeUtc =\n\t\t\tnew Date(this.#creationTimeMs).toISOString().slice(0, 19).replace('T', ' ') + ' UTC';\n\t\tconst message = `Accessing keys of package ${this.#packageId} for ${this.#ttlMin} mins from ${creationTimeUtc}, session key ${toBase64(this.#sessionKey.getPublicKey().toRawBytes())}`;\n\t\treturn new TextEncoder().encode(message);\n\t}\n\n\tasync setPersonalMessageSignature(personalMessageSignature: string) {\n\t\ttry {\n\t\t\t// TODO: Fix this to work with any network\n\t\t\tawait verifyPersonalMessageSignature(this.getPersonalMessage(), personalMessageSignature, {\n\t\t\t\taddress: this.#address,\n\t\t\t\tclient: new SuiGraphQLClient({\n\t\t\t\t\turl: 'https://sui-testnet.mystenlabs.com/graphql',\n\t\t\t\t}),\n\t\t\t});\n\t\t\tthis.#personalMessageSignature = personalMessageSignature;\n\t\t} catch (e) {\n\t\t\tthrow new InvalidPersonalMessageSignatureError('Not valid');\n\t\t}\n\t}\n\n\tasync getCertificate(): Promise<Certificate> {\n\t\tif (!this.#personalMessageSignature) {\n\t\t\tif (this.#signer) {\n\t\t\t\tconst { signature } = await this.#signer.signPersonalMessage(this.getPersonalMessage());\n\t\t\t\tthis.#personalMessageSignature = signature;\n\t\t\t} else {\n\t\t\t\tthrow new InvalidPersonalMessageSignatureError('Personal message signature is not set');\n\t\t\t}\n\t\t}\n\t\treturn {\n\t\t\tuser: this.#address,\n\t\t\tsession_vk: toBase64(this.#sessionKey.getPublicKey().toRawBytes()),\n\t\t\tcreation_time: this.#creationTimeMs,\n\t\t\tttl_min: this.#ttlMin,\n\t\t\tsignature: this.#personalMessageSignature,\n\t\t};\n\t}\n\n\tasync createRequestParams(\n\t\ttxBytes: Uint8Array,\n\t): Promise<{ decryptionKey: Uint8Array; requestSignature: string }> {\n\t\tif (this.isExpired()) {\n\t\t\tthrow new ExpiredSessionKeyError();\n\t\t}\n\t\tconst egSk = generateSecretKey();\n\t\tconst msgToSign = RequestFormat.serialize({\n\t\t\tptb: txBytes.slice(1),\n\t\t\tencKey: toPublicKey(egSk),\n\t\t\tencVerificationKey: toVerificationKey(egSk),\n\t\t}).toBytes();\n\t\treturn {\n\t\t\tdecryptionKey: egSk,\n\t\t\trequestSignature: toBase64(await this.#sessionKey.sign(msgToSign)),\n\t\t};\n\t}\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAAyB;AACzB,IAAAA,cAAoB;AAEpB,qBAAiC;AACjC,qBAA+B;AAC/B,mBAAsD;AACtD,oBAA+C;AAE/C,qBAAkE;AAClE,mBAIO;AAhBP;AAkBO,MAAM,gBAAgB,gBAAI,OAAO,iBAAiB;AAAA,EACxD,KAAK,gBAAI,OAAO,gBAAI,EAAE;AAAA,EACtB,QAAQ,gBAAI,OAAO,gBAAI,EAAE;AAAA,EACzB,oBAAoB,gBAAI,OAAO,gBAAI,EAAE;AACtC,CAAC;AAUM,MAAM,WAAW;AAAA,EASvB,YAAY;AAAA,IACX;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACD,GAKG;AAlBH;AACA;AACA;AACA;AACA;AACA;AACA;AAaC,QAAI,KAAC,iCAAmB,SAAS,KAAK,KAAC,gCAAkB,OAAO,GAAG;AAClE,YAAM,IAAI,uBAAU,sBAAsB,SAAS,eAAe,OAAO,EAAE;AAAA,IAC5E;AACA,QAAI,SAAS,MAAM,SAAS,GAAG;AAC9B,YAAM,IAAI,uBAAU,eAAe,MAAM,4BAA4B;AAAA,IACtE;AAEA,uBAAK,UAAW;AAChB,uBAAK,YAAa;AAClB,uBAAK,iBAAkB,KAAK,IAAI;AAChC,uBAAK,SAAU;AACf,uBAAK,aAAc,8BAAe,SAAS;AAC3C,uBAAK,SAAU;AAAA,EAChB;AAAA,EAEA,YAAqB;AAEpB,WAAO,mBAAK,mBAAkB,mBAAK,WAAU,KAAK,MAAO,MAAS,KAAK,IAAI;AAAA,EAC5E;AAAA,EAEA,aAAqB;AACpB,WAAO,mBAAK;AAAA,EACb;AAAA,EAEA,eAAuB;AACtB,WAAO,mBAAK;AAAA,EACb;AAAA,EAEA,qBAAiC;AAChC,UAAM,kBACL,IAAI,KAAK,mBAAK,gBAAe,EAAE,YAAY,EAAE,MAAM,GAAG,EAAE,EAAE,QAAQ,KAAK,GAAG,IAAI;AAC/E,UAAM,UAAU,6BAA6B,mBAAK,WAAU,QAAQ,mBAAK,QAAO,cAAc,eAAe,qBAAiB,qBAAS,mBAAK,aAAY,aAAa,EAAE,WAAW,CAAC,CAAC;AACpL,WAAO,IAAI,YAAY,EAAE,OAAO,OAAO;AAAA,EACxC;AAAA,EAEA,MAAM,4BAA4B,0BAAkC;AACnE,QAAI;AAEH,gBAAM,8CAA+B,KAAK,mBAAmB,GAAG,0BAA0B;AAAA,QACzF,SAAS,mBAAK;AAAA,QACd,QAAQ,IAAI,gCAAiB;AAAA,UAC5B,KAAK;AAAA,QACN,CAAC;AAAA,MACF,CAAC;AACD,yBAAK,2BAA4B;AAAA,IAClC,SAAS,GAAG;AACX,YAAM,IAAI,kDAAqC,WAAW;AAAA,IAC3D;AAAA,EACD;AAAA,EAEA,MAAM,iBAAuC;AAC5C,QAAI,CAAC,mBAAK,4BAA2B;AACpC,UAAI,mBAAK,UAAS;AACjB,cAAM,EAAE,UAAU,IAAI,MAAM,mBAAK,SAAQ,oBAAoB,KAAK,mBAAmB,CAAC;AACtF,2BAAK,2BAA4B;AAAA,MAClC,OAAO;AACN,cAAM,IAAI,kDAAqC,uCAAuC;AAAA,MACvF;AAAA,IACD;AACA,WAAO;AAAA,MACN,MAAM,mBAAK;AAAA,MACX,gBAAY,qBAAS,mBAAK,aAAY,aAAa,EAAE,WAAW,CAAC;AAAA,MACjE,eAAe,mBAAK;AAAA,MACpB,SAAS,mBAAK;AAAA,MACd,WAAW,mBAAK;AAAA,IACjB;AAAA,EACD;AAAA,EAEA,MAAM,oBACL,SACmE;AACnE,QAAI,KAAK,UAAU,GAAG;AACrB,YAAM,IAAI,oCAAuB;AAAA,IAClC;AACA,UAAM,WAAO,kCAAkB;AAC/B,UAAM,YAAY,cAAc,UAAU;AAAA,MACzC,KAAK,QAAQ,MAAM,CAAC;AAAA,MACpB,YAAQ,4BAAY,IAAI;AAAA,MACxB,wBAAoB,kCAAkB,IAAI;AAAA,IAC3C,CAAC,EAAE,QAAQ;AACX,WAAO;AAAA,MACN,eAAe;AAAA,MACf,sBAAkB,qBAAS,MAAM,mBAAK,aAAY,KAAK,SAAS,CAAC;AAAA,IAClE;AAAA,EACD;AACD;AAxGC;AACA;AACA;AACA;AACA;AACA;AACA;",
   "names": ["import_bcs"]
 }

package/dist/cjs/types.d.ts

@@ -1,86 +1 @@
-export declare const IBEEncryptions: import("@mysten/sui/bcs").BcsType<{
-    BonehFranklinBLS12381: {
-        encapsulation: Uint8Array<ArrayBufferLike>;
-        shares: Uint8Array<ArrayBufferLike>[];
-    };
-    $kind: "BonehFranklinBLS12381";
-}, {
-    BonehFranklinBLS12381: {
-        encapsulation: Iterable<number>;
-        shares: Iterable<Iterable<number>> & {
-            length: number;
-        };
-    };
-}>;
-export type IBEEncryptionsType = typeof IBEEncryptions.$inferType;
-export declare const Ciphertext: import("@mysten/sui/bcs").BcsType<import("@mysten/bcs").EnumOutputShapeWithKeys<{
-    Aes256Gcm: {
-        blob: number[];
-        aad: number[] | null;
-    };
-    Plain: {};
-}, "Aes256Gcm" | "Plain">, import("@mysten/bcs").EnumInputShape<{
-    Aes256Gcm: {
-        blob: Iterable<number> & {
-            length: number;
-        };
-        aad: (Iterable<number> & {
-            length: number;
-        }) | null | undefined;
-    };
-    Plain: {};
-}>>;
-export type CiphertextType = typeof Ciphertext.$inferInput;
-/**
- * The encrypted object format. Should be aligned with the Rust implementation.
- */
-export declare const EncryptedObject: import("@mysten/sui/bcs").BcsType<{
-    version: number;
-    package_id: Uint8Array<ArrayBufferLike>;
-    id: number[];
-    services: [Uint8Array<ArrayBufferLike>, number][];
-    threshold: number;
-    encrypted_shares: {
-        BonehFranklinBLS12381: {
-            encapsulation: Uint8Array<ArrayBufferLike>;
-            shares: Uint8Array<ArrayBufferLike>[];
-        };
-        $kind: "BonehFranklinBLS12381";
-    };
-    ciphertext: import("@mysten/bcs").EnumOutputShapeWithKeys<{
-        Aes256Gcm: {
-            blob: number[];
-            aad: number[] | null;
-        };
-        Plain: {};
-    }, "Aes256Gcm" | "Plain">;
-}, {
-    version: number;
-    package_id: Iterable<number>;
-    id: Iterable<number> & {
-        length: number;
-    };
-    services: Iterable<readonly [Iterable<number>, number]> & {
-        length: number;
-    };
-    threshold: number;
-    encrypted_shares: {
-        BonehFranklinBLS12381: {
-            encapsulation: Iterable<number>;
-            shares: Iterable<Iterable<number>> & {
-                length: number;
-            };
-        };
-    };
-    ciphertext: import("@mysten/bcs").EnumInputShape<{
-        Aes256Gcm: {
-            blob: Iterable<number> & {
-                length: number;
-            };
-            aad: (Iterable<number> & {
-                length: number;
-            }) | null | undefined;
-        };
-        Plain: {};
-    }>;
-}>;
+export type KeyCacheKey = `${string}:${string}`;

package/dist/cjs/types.js

@@ -3,10 +3,6 @@ var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
 var __copyProps = (to, from, except, desc) => {
   if (from && typeof from === "object" || typeof from === "function") {
     for (let key of __getOwnPropNames(from))
@@ -17,33 +13,5 @@ var __copyProps = (to, from, except, desc) => {
 };
 var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
 var types_exports = {};
-__export(types_exports, {
-  Ciphertext: () => Ciphertext,
-  EncryptedObject: () => EncryptedObject,
-  IBEEncryptions: () => IBEEncryptions
-});
 module.exports = __toCommonJS(types_exports);
-var import_bcs = require("@mysten/sui/bcs");
-const IBEEncryptions = import_bcs.bcs.enum("IBEEncryptions", {
-  BonehFranklinBLS12381: import_bcs.bcs.struct("BonehFranklinBLS12381", {
-    encapsulation: import_bcs.bcs.bytes(96),
-    shares: import_bcs.bcs.vector(import_bcs.bcs.bytes(32))
-  })
-});
-const Ciphertext = import_bcs.bcs.enum("Ciphertext", {
-  Aes256Gcm: import_bcs.bcs.struct("Aes256Gcm", {
-    blob: import_bcs.bcs.vector(import_bcs.bcs.U8),
-    aad: import_bcs.bcs.option(import_bcs.bcs.vector(import_bcs.bcs.U8))
-  }),
-  Plain: import_bcs.bcs.struct("Plain", {})
-});
-const EncryptedObject = import_bcs.bcs.struct("EncryptedObject", {
-  version: import_bcs.bcs.U8,
-  package_id: import_bcs.bcs.bytes(32),
-  id: import_bcs.bcs.vector(import_bcs.bcs.U8),
-  services: import_bcs.bcs.vector(import_bcs.bcs.tuple([import_bcs.bcs.bytes(32), import_bcs.bcs.U8])),
-  threshold: import_bcs.bcs.U8,
-  encrypted_shares: IBEEncryptions,
-  ciphertext: Ciphertext
-});
 //# sourceMappingURL=types.js.map

package/dist/cjs/types.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/types.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { bcs } from '@mysten/sui/bcs';\n\nexport const IBEEncryptions = bcs.enum('IBEEncryptions', {\n\tBonehFranklinBLS12381: bcs.struct('BonehFranklinBLS12381', {\n\t\tencapsulation: bcs.bytes(96),\n\t\tshares: bcs.vector(bcs.bytes(32)),\n\t}),\n});\nexport type IBEEncryptionsType = typeof IBEEncryptions.$inferType;\n\nexport const Ciphertext = bcs.enum('Ciphertext', {\n\tAes256Gcm: bcs.struct('Aes256Gcm', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t}),\n\tPlain: bcs.struct('Plain', {}),\n});\nexport type CiphertextType = typeof Ciphertext.$inferInput;\n\n/**\n * The encrypted object format. Should be aligned with the Rust implementation.\n */\nexport const EncryptedObject = bcs.struct('EncryptedObject', {\n\tversion: bcs.U8,\n\tpackage_id: bcs.bytes(32),\n\tid: bcs.vector(bcs.U8),\n\tservices: bcs.vector(bcs.tuple([bcs.bytes(32), bcs.U8])),\n\tthreshold: bcs.U8,\n\tencrypted_shares: IBEEncryptions,\n\tciphertext: Ciphertext,\n});\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAAoB;AAEb,MAAM,iBAAiB,eAAI,KAAK,kBAAkB;AAAA,EACxD,uBAAuB,eAAI,OAAO,yBAAyB;AAAA,IAC1D,eAAe,eAAI,MAAM,EAAE;AAAA,IAC3B,QAAQ,eAAI,OAAO,eAAI,MAAM,EAAE,CAAC;AAAA,EACjC,CAAC;AACF,CAAC;AAGM,MAAM,aAAa,eAAI,KAAK,cAAc;AAAA,EAChD,WAAW,eAAI,OAAO,aAAa;AAAA,IAClC,MAAM,eAAI,OAAO,eAAI,EAAE;AAAA,IACvB,KAAK,eAAI,OAAO,eAAI,OAAO,eAAI,EAAE,CAAC;AAAA,EACnC,CAAC;AAAA,EACD,OAAO,eAAI,OAAO,SAAS,CAAC,CAAC;AAC9B,CAAC;AAMM,MAAM,kBAAkB,eAAI,OAAO,mBAAmB;AAAA,EAC5D,SAAS,eAAI;AAAA,EACb,YAAY,eAAI,MAAM,EAAE;AAAA,EACxB,IAAI,eAAI,OAAO,eAAI,EAAE;AAAA,EACrB,UAAU,eAAI,OAAO,eAAI,MAAM,CAAC,eAAI,MAAM,EAAE,GAAG,eAAI,EAAE,CAAC,CAAC;AAAA,EACvD,WAAW,eAAI;AAAA,EACf,kBAAkB;AAAA,EAClB,YAAY;AACb,CAAC;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport type KeyCacheKey = `${string}:${string}`;\n"],
+  "mappings": ";;;;;;;;;;;;;;AAAA;AAAA;",
   "names": []
 }

package/dist/cjs/utils.d.ts

@@ -1,4 +1,5 @@
 export declare function xor(a: Uint8Array, b: Uint8Array): Uint8Array;
+export declare function xorUnchecked(a: Uint8Array, b: Uint8Array): Uint8Array;
 /**
  * Create a full ID concatenating DST || package ID || inner ID.
  * @param dst - The domain separation tag.
@@ -6,4 +7,4 @@ export declare function xor(a: Uint8Array, b: Uint8Array): Uint8Array;
  * @param innerId - The inner ID.
  * @returns The full ID.
  */
-export declare function createFullId(dst: Uint8Array, packageId: Uint8Array, innerId: Uint8Array): Uint8Array;
+export declare function createFullId(dst: Uint8Array, packageId: string, innerId: string): string;

package/dist/cjs/utils.js

@@ -19,21 +19,33 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var utils_exports = {};
 __export(utils_exports, {
   createFullId: () => createFullId,
-  xor: () => xor
+  xor: () => xor,
+  xorUnchecked: () => xorUnchecked
 });
 module.exports = __toCommonJS(utils_exports);
+var import_bcs = require("@mysten/bcs");
+var import_utils = require("@mysten/sui/utils");
+var import_error = require("./error.js");
 function xor(a, b) {
   if (a.length !== b.length) {
     throw new Error("Invalid input");
   }
+  return xorUnchecked(a, b);
+}
+function xorUnchecked(a, b) {
   return a.map((ai, i) => ai ^ b[i]);
 }
 function createFullId(dst, packageId, innerId) {
-  const fullId = new Uint8Array(1 + dst.length + packageId.length + innerId.length);
+  if (!(0, import_utils.isValidSuiObjectId)(packageId)) {
+    throw new import_error.UserError(`Invalid package ID ${packageId}`);
+  }
+  const packageIdBytes = (0, import_bcs.fromHex)(packageId);
+  const innerIdBytes = (0, import_bcs.fromHex)(innerId);
+  const fullId = new Uint8Array(1 + dst.length + packageIdBytes.length + innerIdBytes.length);
   fullId.set([dst.length], 0);
   fullId.set(dst, 1);
-  fullId.set(packageId, 1 + dst.length);
-  fullId.set(innerId, 1 + dst.length + packageId.length);
-  return fullId;
+  fullId.set(packageIdBytes, 1 + dst.length);
+  fullId.set(innerIdBytes, 1 + dst.length + packageIdBytes.length);
+  return (0, import_bcs.toHex)(fullId);
 }
 //# sourceMappingURL=utils.js.map

package/dist/cjs/utils.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/utils.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport function xor(a: Uint8Array, b: Uint8Array): Uint8Array {\n\tif (a.length !== b.length) {\n\t\tthrow new Error('Invalid input');\n\t}\n\treturn a.map((ai, i) => ai ^ b[i]);\n}\n\n/**\n * Create a full ID concatenating DST || package ID || inner ID.\n * @param dst - The domain separation tag.\n * @param packageId - The package ID.\n * @param innerId - The inner ID.\n * @returns The full ID.\n */\nexport function createFullId(\n\tdst: Uint8Array,\n\tpackageId: Uint8Array,\n\tinnerId: Uint8Array,\n): Uint8Array {\n\tconst fullId = new Uint8Array(1 + dst.length + packageId.length + innerId.length);\n\tfullId.set([dst.length], 0);\n\tfullId.set(dst, 1);\n\tfullId.set(packageId, 1 + dst.length);\n\tfullId.set(innerId, 1 + dst.length + packageId.length);\n\treturn fullId;\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGO,SAAS,IAAI,GAAe,GAA2B;AAC7D,MAAI,EAAE,WAAW,EAAE,QAAQ;AAC1B,UAAM,IAAI,MAAM,eAAe;AAAA,EAChC;AACA,SAAO,EAAE,IAAI,CAAC,IAAI,MAAM,KAAK,EAAE,CAAC,CAAC;AAClC;AASO,SAAS,aACf,KACA,WACA,SACa;AACb,QAAM,SAAS,IAAI,WAAW,IAAI,IAAI,SAAS,UAAU,SAAS,QAAQ,MAAM;AAChF,SAAO,IAAI,CAAC,IAAI,MAAM,GAAG,CAAC;AAC1B,SAAO,IAAI,KAAK,CAAC;AACjB,SAAO,IAAI,WAAW,IAAI,IAAI,MAAM;AACpC,SAAO,IAAI,SAAS,IAAI,IAAI,SAAS,UAAU,MAAM;AACrD,SAAO;AACR;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex, toHex } from '@mysten/bcs';\nimport { isValidSuiObjectId } from '@mysten/sui/utils';\n\nimport { UserError } from './error.js';\n\nexport function xor(a: Uint8Array, b: Uint8Array): Uint8Array {\n\tif (a.length !== b.length) {\n\t\tthrow new Error('Invalid input');\n\t}\n\treturn xorUnchecked(a, b);\n}\n\nexport function xorUnchecked(a: Uint8Array, b: Uint8Array): Uint8Array {\n\treturn a.map((ai, i) => ai ^ b[i]);\n}\n\n/**\n * Create a full ID concatenating DST || package ID || inner ID.\n * @param dst - The domain separation tag.\n * @param packageId - The package ID.\n * @param innerId - The inner ID.\n * @returns The full ID.\n */\nexport function createFullId(dst: Uint8Array, packageId: string, innerId: string): string {\n\tif (!isValidSuiObjectId(packageId)) {\n\t\tthrow new UserError(`Invalid package ID ${packageId}`);\n\t}\n\tconst packageIdBytes = fromHex(packageId);\n\tconst innerIdBytes = fromHex(innerId);\n\tconst fullId = new Uint8Array(1 + dst.length + packageIdBytes.length + innerIdBytes.length);\n\tfullId.set([dst.length], 0);\n\tfullId.set(dst, 1);\n\tfullId.set(packageIdBytes, 1 + dst.length);\n\tfullId.set(innerIdBytes, 1 + dst.length + packageIdBytes.length);\n\treturn toHex(fullId);\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAA+B;AAC/B,mBAAmC;AAEnC,mBAA0B;AAEnB,SAAS,IAAI,GAAe,GAA2B;AAC7D,MAAI,EAAE,WAAW,EAAE,QAAQ;AAC1B,UAAM,IAAI,MAAM,eAAe;AAAA,EAChC;AACA,SAAO,aAAa,GAAG,CAAC;AACzB;AAEO,SAAS,aAAa,GAAe,GAA2B;AACtE,SAAO,EAAE,IAAI,CAAC,IAAI,MAAM,KAAK,EAAE,CAAC,CAAC;AAClC;AASO,SAAS,aAAa,KAAiB,WAAmB,SAAyB;AACzF,MAAI,KAAC,iCAAmB,SAAS,GAAG;AACnC,UAAM,IAAI,uBAAU,sBAAsB,SAAS,EAAE;AAAA,EACtD;AACA,QAAM,qBAAiB,oBAAQ,SAAS;AACxC,QAAM,mBAAe,oBAAQ,OAAO;AACpC,QAAM,SAAS,IAAI,WAAW,IAAI,IAAI,SAAS,eAAe,SAAS,aAAa,MAAM;AAC1F,SAAO,IAAI,CAAC,IAAI,MAAM,GAAG,CAAC;AAC1B,SAAO,IAAI,KAAK,CAAC;AACjB,SAAO,IAAI,gBAAgB,IAAI,IAAI,MAAM;AACzC,SAAO,IAAI,cAAc,IAAI,IAAI,SAAS,eAAe,MAAM;AAC/D,aAAO,kBAAM,MAAM;AACpB;",
   "names": []
 }

package/dist/cjs/version.d.ts

@@ -0,0 +1 @@
+export declare const PACKAGE_VERSION = "0.3.0";

package/dist/cjs/version.js

@@ -0,0 +1,25 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var version_exports = {};
+__export(version_exports, {
+  PACKAGE_VERSION: () => PACKAGE_VERSION
+});
+module.exports = __toCommonJS(version_exports);
+const PACKAGE_VERSION = "0.3.0";
+//# sourceMappingURL=version.js.map

package/dist/cjs/version.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/version.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '0.3.0';\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAKO,MAAM,kBAAkB;",
+  "names": []
+}