@mysten/seal 0.10.0 → 1.0.1

package/dist/key-server.d.mts

@@ -0,0 +1,22 @@
+import "./session-key.mjs";
+import "./types.mjs";
+
+//#region src/key-server.d.ts
+type ServerType = 'Independent' | 'Committee';
+type KeyServer = {
+  objectId: string;
+  name: string;
+  url: string;
+  keyType: KeyType;
+  pk: Uint8Array<ArrayBuffer>;
+  serverType: ServerType;
+};
+declare enum KeyType {
+  BonehFranklinBLS12381 = 0,
+}
+interface DerivedKey {
+  toString(): string;
+}
+//#endregion
+export { DerivedKey, KeyServer };
+//# sourceMappingURL=key-server.d.mts.map

package/dist/key-server.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-server.d.mts","names":[],"sources":["../src/key-server.ts"],"sourcesContent":[],"mappings":";;;;AAsBY,KAAA,UAAA,GAAU,aAAA,GAAA,WAAA;AAEV,KAAA,SAAA,GAAS;EAIX,QAAA,EAAA,MAAA;EACM,IAAA,EAAA,MAAA;EAAX,GAAA,EAAA,MAAA;EACQ,OAAA,EAFH,OAEG;EAAU,EAAA,EADlB,UACkB,CADP,WACO,CAAA;EAGX,UAAO,EAHN,UAGM;AAkMnB,CAAA;aAlMY,OAAA;;;UAkMK,UAAA"}

package/dist/key-server.mjs

@@ -0,0 +1,195 @@
+import { KeyServerMove, KeyServerMoveV1, KeyServerMoveV2 } from "./bcs.mjs";
+import { InvalidClientOptionsError, InvalidKeyServerError, InvalidKeyServerVersionError, SealAPIError } from "./error.mjs";
+import { Version, flatten } from "./utils.mjs";
+import { DST_POP } from "./ibe.mjs";
+import { PACKAGE_VERSION } from "./version.mjs";
+import { elgamalDecrypt } from "./elgamal.mjs";
+import { bcs, fromBase64, fromHex, toBase64, toHex } from "@mysten/bcs";
+import { bls12_381 } from "@noble/curves/bls12-381.js";
+
+//#region src/key-server.ts
+const SUPPORTED_SERVER_VERSIONS = [2, 1];
+let KeyType = /* @__PURE__ */ function(KeyType$1) {
+	KeyType$1[KeyType$1["BonehFranklinBLS12381"] = 0] = "BonehFranklinBLS12381";
+	return KeyType$1;
+}({});
+const SERVER_VERSION_REQUIREMENT = new Version("0.4.1");
+/**
+* Given a list of key server object IDs, returns a list of SealKeyServer
+* from onchain state containing name, objectId, URL and pk.
+*
+* Supports both V1 (independent servers) and V2 (independent + committee servers).
+* For V2 committee servers, returns the aggregator URL from the config.
+*
+* @param objectIds - The key server object IDs.
+* @param client - The Sui client to use (SuiGrpcClient, SuiGraphQLClient, or SuiJsonRpcClient).
+* @param configs - The key server configurations containing aggregator URLs.
+* @returns - An array of SealKeyServer.
+*/
+async function retrieveKeyServers({ objectIds, client, configs }) {
+	return await Promise.all(objectIds.map(async (objectId) => {
+		const res = await client.core.getObject({
+			objectId,
+			include: { content: true }
+		});
+		const ks = KeyServerMove.parse(res.object.content);
+		const firstVersion = Number(ks.firstVersion);
+		const lastVersion = Number(ks.lastVersion);
+		const version = SUPPORTED_SERVER_VERSIONS.find((v) => v >= firstVersion && v <= lastVersion);
+		if (version === void 0) throw new InvalidKeyServerVersionError(`Key server ${objectId} supports versions between ${ks.firstVersion} and ${ks.lastVersion} (inclusive), but SDK expects one of ${SUPPORTED_SERVER_VERSIONS.join(", ")}`);
+		const versionedKeyServer = await client.core.getDynamicField({
+			parentId: objectId,
+			name: {
+				type: "u64",
+				bcs: bcs.u64().serialize(version).toBytes()
+			}
+		});
+		switch (version) {
+			case 2: {
+				const ksV2 = KeyServerMoveV2.parse(versionedKeyServer.dynamicField.value.bcs);
+				if (ksV2.keyType !== KeyType.BonehFranklinBLS12381) throw new InvalidKeyServerError(`Server ${objectId} has invalid key type: ${ksV2.keyType}`);
+				switch (ksV2.serverType.$kind) {
+					case "Independent":
+						if (configs.get(objectId)?.aggregatorUrl) throw new InvalidClientOptionsError(`Independent server ${objectId} should not have aggregatorUrl in config`);
+						return {
+							objectId,
+							name: ksV2.name,
+							url: ksV2.serverType.Independent.url,
+							keyType: ksV2.keyType,
+							pk: new Uint8Array(ksV2.pk),
+							serverType: "Independent"
+						};
+					case "Committee": {
+						const config = configs.get(objectId);
+						if (!config?.aggregatorUrl) throw new InvalidClientOptionsError(`Committee server ${objectId} requires aggregatorUrl in config`);
+						return {
+							objectId,
+							name: ksV2.name,
+							url: config.aggregatorUrl,
+							keyType: ksV2.keyType,
+							pk: new Uint8Array(ksV2.pk),
+							serverType: "Committee"
+						};
+					}
+					default: throw new InvalidKeyServerError(`Unknown server type for ${objectId}`);
+				}
+			}
+			case 1: {
+				const ksV1 = KeyServerMoveV1.parse(versionedKeyServer.dynamicField.value.bcs);
+				if (ksV1.keyType !== KeyType.BonehFranklinBLS12381) throw new InvalidKeyServerError(`Server ${objectId} has invalid key type: ${ksV1.keyType}`);
+				if (configs.get(objectId)?.aggregatorUrl) throw new InvalidClientOptionsError(`V1 server ${objectId} is always Independent and should not have aggregatorUrl in config`);
+				return {
+					objectId,
+					name: ksV1.name,
+					url: ksV1.url,
+					keyType: ksV1.keyType,
+					pk: new Uint8Array(ksV1.pk),
+					serverType: "Independent"
+				};
+			}
+			default: throw new InvalidKeyServerVersionError(`Unsupported key server version: ${version}`);
+		}
+	}));
+}
+/**
+* Given a KeyServer, fetch the proof of possession (PoP) from the URL and verify it
+* against the pubkey. This should be used only rarely when the dapp uses a dynamic
+* set of key servers.
+*
+* @param server - The KeyServer to verify.
+* @returns - True if the key server is valid, false otherwise.
+*/
+async function verifyKeyServer(server, timeout, apiKeyName, apiKey) {
+	const requestId = crypto.randomUUID();
+	const response = await fetch(server.url + "/v1/service?service_id=" + server.objectId, {
+		method: "GET",
+		headers: {
+			"Content-Type": "application/json",
+			"Request-Id": requestId,
+			"Client-Sdk-Type": "typescript",
+			"Client-Sdk-Version": PACKAGE_VERSION,
+			...apiKeyName && apiKey ? { [apiKeyName]: apiKey } : {}
+		},
+		signal: AbortSignal.timeout(timeout)
+	});
+	await SealAPIError.assertResponse(response, requestId);
+	verifyKeyServerVersion(response);
+	const serviceResponse = await response.json();
+	if (serviceResponse.service_id !== server.objectId) return false;
+	const fullMsg = flatten([
+		DST_POP,
+		server.pk,
+		fromHex(server.objectId)
+	]);
+	return bls12_381.shortSignatures.verify(fromBase64(serviceResponse.pop), bls12_381.shortSignatures.hash(fullMsg), server.pk);
+}
+/**
+* Verify the key server version. Throws an `InvalidKeyServerError` if the version is not supported.
+*
+* @param response - The response from the key server.
+*/
+function verifyKeyServerVersion(response) {
+	const keyServerVersion = response.headers.get("X-KeyServer-Version");
+	if (keyServerVersion == null) throw new InvalidKeyServerVersionError("Key server version not found");
+	if (new Version(keyServerVersion).older_than(SERVER_VERSION_REQUIREMENT)) throw new InvalidKeyServerVersionError(`Key server version ${keyServerVersion} is not supported`);
+}
+/**
+* A user secret key for the Boneh-Franklin BLS12381 scheme.
+* This is a wrapper around the G1Element type.
+*/
+var BonehFranklinBLS12381DerivedKey = class {
+	constructor(key) {
+		this.key = key;
+		this.representation = toHex(key.toBytes());
+	}
+	toString() {
+		return this.representation;
+	}
+};
+/**
+* Helper function to request all keys from URL with requestSig, txBytes, ephemeral pubkey.
+* Then decrypt the Seal key with ephemeral secret key. Returns a list decryption keys with
+* their full IDs.
+*
+* @param url - The URL of the key server.
+* @param requestSig - The Base64 string of request signature.
+* @param txBytes - The transaction bytes.
+* @param encKey - The ephemeral secret key.
+* @param certificate - The certificate.
+* @returns - A list of full ID and the decrypted key.
+*/
+async function fetchKeysForAllIds({ url, requestSignature, transactionBytes, encKey, encKeyPk, encVerificationKey, certificate, timeout, apiKeyName, apiKey, signal }) {
+	const body = {
+		ptb: toBase64(transactionBytes.slice(1)),
+		enc_key: toBase64(encKeyPk),
+		enc_verification_key: toBase64(encVerificationKey),
+		request_signature: requestSignature,
+		certificate
+	};
+	const timeoutSignal = AbortSignal.timeout(timeout);
+	const combinedSignal = signal ? AbortSignal.any([signal, timeoutSignal]) : timeoutSignal;
+	const requestId = crypto.randomUUID();
+	const response = await fetch(url + "/v1/fetch_key", {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			"Request-Id": requestId,
+			"Client-Sdk-Type": "typescript",
+			"Client-Sdk-Version": PACKAGE_VERSION,
+			...apiKeyName && apiKey ? { [apiKeyName]: apiKey } : {}
+		},
+		body: JSON.stringify(body),
+		signal: combinedSignal
+	});
+	await SealAPIError.assertResponse(response, requestId);
+	const resp = await response.json();
+	verifyKeyServerVersion(response);
+	return resp.decryption_keys.map((dk) => ({
+		fullId: toHex(dk.id),
+		key: elgamalDecrypt(encKey, dk.encrypted_key.map(fromBase64))
+	}));
+}
+
+//#endregion
+export { BonehFranklinBLS12381DerivedKey, fetchKeysForAllIds, retrieveKeyServers, verifyKeyServer };
+//# sourceMappingURL=key-server.mjs.map

package/dist/key-server.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-server.mjs","names":[],"sources":["../src/key-server.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport { bcs, fromBase64, fromHex, toBase64, toHex } from '@mysten/bcs';\nimport { bls12_381 } from '@noble/curves/bls12-381.js';\n\nimport { KeyServerMove, KeyServerMoveV1, KeyServerMoveV2 } from './bcs.js';\nimport {\n\tInvalidClientOptionsError,\n\tInvalidKeyServerError,\n\tInvalidKeyServerVersionError,\n\tSealAPIError,\n} from './error.js';\nimport { DST_POP } from './ibe.js';\nimport { PACKAGE_VERSION } from './version.js';\nimport type { KeyServerConfig, SealCompatibleClient } from './types.js';\nimport type { G1Element } from './bls12381.js';\nimport { flatten, Version } from './utils.js';\nimport { elgamalDecrypt } from './elgamal.js';\nimport type { Certificate } from './session-key.js';\n\nconst SUPPORTED_SERVER_VERSIONS = [2, 1]; // Must be configured in descending order.\n\nexport type ServerType = 'Independent' | 'Committee';\n\nexport type KeyServer = {\n\tobjectId: string;\n\tname: string;\n\turl: string;\n\tkeyType: KeyType;\n\tpk: Uint8Array<ArrayBuffer>;\n\tserverType: ServerType;\n};\n\nexport enum KeyType {\n\tBonehFranklinBLS12381 = 0,\n}\n\nexport const SERVER_VERSION_REQUIREMENT = new Version('0.4.1');\n\n/**\n * Given a list of key server object IDs, returns a list of SealKeyServer\n * from onchain state containing name, objectId, URL and pk.\n *\n * Supports both V1 (independent servers) and V2 (independent + committee servers).\n * For V2 committee servers, returns the aggregator URL from the config.\n *\n * @param objectIds - The key server object IDs.\n * @param client - The Sui client to use (SuiGrpcClient, SuiGraphQLClient, or SuiJsonRpcClient).\n * @param configs - The key server configurations containing aggregator URLs.\n * @returns - An array of SealKeyServer.\n */\nexport async function retrieveKeyServers({\n\tobjectIds,\n\tclient,\n\tconfigs,\n}: {\n\tobjectIds: string[];\n\tclient: SealCompatibleClient;\n\tconfigs: Map<string, KeyServerConfig>;\n}): Promise<KeyServer[]> {\n\treturn await Promise.all(\n\t\tobjectIds.map(async (objectId) => {\n\t\t\t// First get the KeyServer object and validate it.\n\t\t\tconst res = await client.core.getObject({\n\t\t\t\tobjectId,\n\t\t\t\tinclude: { content: true },\n\t\t\t});\n\t\t\tconst ks = KeyServerMove.parse(res.object.content);\n\n\t\t\t// Find the highest supported version.\n\t\t\tconst firstVersion = Number(ks.firstVersion);\n\t\t\tconst lastVersion = Number(ks.lastVersion);\n\t\t\tconst version = SUPPORTED_SERVER_VERSIONS.find((v) => v >= firstVersion && v <= lastVersion);\n\n\t\t\tif (version === undefined) {\n\t\t\t\tthrow new InvalidKeyServerVersionError(\n\t\t\t\t\t`Key server ${objectId} supports versions between ${ks.firstVersion} and ${ks.lastVersion} (inclusive), but SDK expects one of ${SUPPORTED_SERVER_VERSIONS.join(', ')}`,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\t// Fetch the versioned object.\n\t\t\tconst versionedKeyServer = await client.core.getDynamicField({\n\t\t\t\tparentId: objectId,\n\t\t\t\tname: {\n\t\t\t\t\ttype: 'u64',\n\t\t\t\t\tbcs: bcs.u64().serialize(version).toBytes(),\n\t\t\t\t},\n\t\t\t});\n\n\t\t\t// Parse based on version.\n\t\t\tswitch (version) {\n\t\t\t\tcase 2: {\n\t\t\t\t\tconst ksV2 = KeyServerMoveV2.parse(versionedKeyServer.dynamicField.value.bcs);\n\t\t\t\t\tif (ksV2.keyType !== KeyType.BonehFranklinBLS12381) {\n\t\t\t\t\t\tthrow new InvalidKeyServerError(\n\t\t\t\t\t\t\t`Server ${objectId} has invalid key type: ${ksV2.keyType}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\n\t\t\t\t\t// Return based on server type.\n\t\t\t\t\tswitch (ksV2.serverType.$kind) {\n\t\t\t\t\t\tcase 'Independent': {\n\t\t\t\t\t\t\tif (configs.get(objectId)?.aggregatorUrl) {\n\t\t\t\t\t\t\t\tthrow new InvalidClientOptionsError(\n\t\t\t\t\t\t\t\t\t`Independent server ${objectId} should not have aggregatorUrl in config`,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\tobjectId,\n\t\t\t\t\t\t\t\tname: ksV2.name,\n\t\t\t\t\t\t\t\turl: ksV2.serverType.Independent.url,\n\t\t\t\t\t\t\t\tkeyType: ksV2.keyType,\n\t\t\t\t\t\t\t\tpk: new Uint8Array(ksV2.pk),\n\t\t\t\t\t\t\t\tserverType: 'Independent',\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t}\n\t\t\t\t\t\tcase 'Committee': {\n\t\t\t\t\t\t\t// For committee mode, get aggregator URL from config\n\t\t\t\t\t\t\tconst config = configs.get(objectId);\n\t\t\t\t\t\t\tif (!config?.aggregatorUrl) {\n\t\t\t\t\t\t\t\tthrow new InvalidClientOptionsError(\n\t\t\t\t\t\t\t\t\t`Committee server ${objectId} requires aggregatorUrl in config`,\n\t\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\tobjectId,\n\t\t\t\t\t\t\t\tname: ksV2.name,\n\t\t\t\t\t\t\t\turl: config.aggregatorUrl,\n\t\t\t\t\t\t\t\tkeyType: ksV2.keyType,\n\t\t\t\t\t\t\t\tpk: new Uint8Array(ksV2.pk),\n\t\t\t\t\t\t\t\tserverType: 'Committee',\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t}\n\t\t\t\t\t\tdefault:\n\t\t\t\t\t\t\tthrow new InvalidKeyServerError(`Unknown server type for ${objectId}`);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tcase 1: {\n\t\t\t\t\tconst ksV1 = KeyServerMoveV1.parse(versionedKeyServer.dynamicField.value.bcs);\n\t\t\t\t\tif (ksV1.keyType !== KeyType.BonehFranklinBLS12381) {\n\t\t\t\t\t\tthrow new InvalidKeyServerError(\n\t\t\t\t\t\t\t`Server ${objectId} has invalid key type: ${ksV1.keyType}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\n\t\t\t\t\t// V1 servers are always Independent and should not have aggregatorUrl\n\t\t\t\t\tif (configs.get(objectId)?.aggregatorUrl) {\n\t\t\t\t\t\tthrow new InvalidClientOptionsError(\n\t\t\t\t\t\t\t`V1 server ${objectId} is always Independent and should not have aggregatorUrl in config`,\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\n\t\t\t\t\treturn {\n\t\t\t\t\t\tobjectId,\n\t\t\t\t\t\tname: ksV1.name,\n\t\t\t\t\t\turl: ksV1.url,\n\t\t\t\t\t\tkeyType: ksV1.keyType,\n\t\t\t\t\t\tpk: new Uint8Array(ksV1.pk),\n\t\t\t\t\t\tserverType: 'Independent',\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t\tdefault:\n\t\t\t\t\tthrow new InvalidKeyServerVersionError(`Unsupported key server version: ${version}`);\n\t\t\t}\n\t\t}),\n\t);\n}\n\n/**\n * Given a KeyServer, fetch the proof of possession (PoP) from the URL and verify it\n * against the pubkey. This should be used only rarely when the dapp uses a dynamic\n * set of key servers.\n *\n * @param server - The KeyServer to verify.\n * @returns - True if the key server is valid, false otherwise.\n */\nexport async function verifyKeyServer(\n\tserver: KeyServer,\n\ttimeout: number,\n\tapiKeyName?: string,\n\tapiKey?: string,\n): Promise<boolean> {\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(server.url! + '/v1/service?service_id=' + server.objectId, {\n\t\tmethod: 'GET',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t\t...(apiKeyName && apiKey ? { [apiKeyName]: apiKey } : {}),\n\t\t},\n\t\tsignal: AbortSignal.timeout(timeout),\n\t});\n\n\tawait SealAPIError.assertResponse(response, requestId);\n\tverifyKeyServerVersion(response);\n\tconst serviceResponse = await response.json();\n\n\tif (serviceResponse.service_id !== server.objectId) {\n\t\treturn false;\n\t}\n\tconst fullMsg = flatten([DST_POP, server.pk, fromHex(server.objectId)]);\n\treturn bls12_381.shortSignatures.verify(\n\t\tfromBase64(serviceResponse.pop),\n\t\tbls12_381.shortSignatures.hash(fullMsg),\n\t\tserver.pk,\n\t);\n}\n\n/**\n * Verify the key server version. Throws an `InvalidKeyServerError` if the version is not supported.\n *\n * @param response - The response from the key server.\n */\nexport function verifyKeyServerVersion(response: Response) {\n\tconst keyServerVersion = response.headers.get('X-KeyServer-Version');\n\tif (keyServerVersion == null) {\n\t\tthrow new InvalidKeyServerVersionError('Key server version not found');\n\t}\n\tif (new Version(keyServerVersion).older_than(SERVER_VERSION_REQUIREMENT)) {\n\t\tthrow new InvalidKeyServerVersionError(\n\t\t\t`Key server version ${keyServerVersion} is not supported`,\n\t\t);\n\t}\n}\n\nexport interface DerivedKey {\n\ttoString(): string;\n}\n\n/**\n * A user secret key for the Boneh-Franklin BLS12381 scheme.\n * This is a wrapper around the G1Element type.\n */\nexport class BonehFranklinBLS12381DerivedKey implements DerivedKey {\n\trepresentation: string;\n\n\tconstructor(public key: G1Element) {\n\t\tthis.representation = toHex(key.toBytes());\n\t}\n\n\ttoString(): string {\n\t\treturn this.representation;\n\t}\n}\n\n/**\n * Options for fetching keys from the key server.\n */\nexport interface FetchKeysOptions {\n\t/** The URL of the key server. */\n\turl: string;\n\t/** The Base64 string of request signature. */\n\trequestSignature: string;\n\t/** The transaction bytes. */\n\ttransactionBytes: Uint8Array;\n\t/** The ephemeral secret key. */\n\tencKey: Uint8Array<ArrayBuffer>;\n\t/** The ephemeral public key. */\n\tencKeyPk: Uint8Array<ArrayBuffer>;\n\t/** The ephemeral verification key. */\n\tencVerificationKey: Uint8Array;\n\t/** The certificate. */\n\tcertificate: Certificate;\n\t/** Request timeout in milliseconds. */\n\ttimeout: number;\n\t/** Optional API key name. */\n\tapiKeyName?: string;\n\t/** Optional API key. */\n\tapiKey?: string;\n\t/** Optional abort signal for cancellation. */\n\tsignal?: AbortSignal;\n}\n\n/**\n * Helper function to request all keys from URL with requestSig, txBytes, ephemeral pubkey.\n * Then decrypt the Seal key with ephemeral secret key. Returns a list decryption keys with\n * their full IDs.\n *\n * @param url - The URL of the key server.\n * @param requestSig - The Base64 string of request signature.\n * @param txBytes - The transaction bytes.\n * @param encKey - The ephemeral secret key.\n * @param certificate - The certificate.\n * @returns - A list of full ID and the decrypted key.\n */\nexport async function fetchKeysForAllIds({\n\turl,\n\trequestSignature,\n\ttransactionBytes,\n\tencKey,\n\tencKeyPk,\n\tencVerificationKey,\n\tcertificate,\n\ttimeout,\n\tapiKeyName,\n\tapiKey,\n\tsignal,\n}: FetchKeysOptions): Promise<{ fullId: string; key: Uint8Array<ArrayBuffer> }[]> {\n\tconst body = {\n\t\tptb: toBase64(transactionBytes.slice(1)), // removes the byte of the transaction type version\n\t\tenc_key: toBase64(encKeyPk),\n\t\tenc_verification_key: toBase64(encVerificationKey),\n\t\trequest_signature: requestSignature, // already b64\n\t\tcertificate,\n\t};\n\n\tconst timeoutSignal = AbortSignal.timeout(timeout);\n\tconst combinedSignal = signal ? AbortSignal.any([signal, timeoutSignal]) : timeoutSignal;\n\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(url + '/v1/fetch_key', {\n\t\tmethod: 'POST',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t\t...(apiKeyName && apiKey ? { [apiKeyName]: apiKey } : {}),\n\t\t},\n\t\tbody: JSON.stringify(body),\n\t\tsignal: combinedSignal,\n\t});\n\tawait SealAPIError.assertResponse(response, requestId);\n\tconst resp = await response.json();\n\tverifyKeyServerVersion(response);\n\n\treturn resp.decryption_keys.map(\n\t\t(dk: { id: Uint8Array<ArrayBuffer>; encrypted_key: [string, string] }) => ({\n\t\t\tfullId: toHex(dk.id),\n\t\t\tkey: elgamalDecrypt(encKey, dk.encrypted_key.map(fromBase64) as [Uint8Array, Uint8Array]),\n\t\t}),\n\t);\n}\n"],"mappings":";;;;;;;;;;AAoBA,MAAM,4BAA4B,CAAC,GAAG,EAAE;AAaxC,IAAY,8CAAL;AACN;;;AAGD,MAAa,6BAA6B,IAAI,QAAQ,QAAQ;;;;;;;;;;;;;AAc9D,eAAsB,mBAAmB,EACxC,WACA,QACA,WAKwB;AACxB,QAAO,MAAM,QAAQ,IACpB,UAAU,IAAI,OAAO,aAAa;EAEjC,MAAM,MAAM,MAAM,OAAO,KAAK,UAAU;GACvC;GACA,SAAS,EAAE,SAAS,MAAM;GAC1B,CAAC;EACF,MAAM,KAAK,cAAc,MAAM,IAAI,OAAO,QAAQ;EAGlD,MAAM,eAAe,OAAO,GAAG,aAAa;EAC5C,MAAM,cAAc,OAAO,GAAG,YAAY;EAC1C,MAAM,UAAU,0BAA0B,MAAM,MAAM,KAAK,gBAAgB,KAAK,YAAY;AAE5F,MAAI,YAAY,OACf,OAAM,IAAI,6BACT,cAAc,SAAS,6BAA6B,GAAG,aAAa,OAAO,GAAG,YAAY,uCAAuC,0BAA0B,KAAK,KAAK,GACrK;EAIF,MAAM,qBAAqB,MAAM,OAAO,KAAK,gBAAgB;GAC5D,UAAU;GACV,MAAM;IACL,MAAM;IACN,KAAK,IAAI,KAAK,CAAC,UAAU,QAAQ,CAAC,SAAS;IAC3C;GACD,CAAC;AAGF,UAAQ,SAAR;GACC,KAAK,GAAG;IACP,MAAM,OAAO,gBAAgB,MAAM,mBAAmB,aAAa,MAAM,IAAI;AAC7E,QAAI,KAAK,YAAY,QAAQ,sBAC5B,OAAM,IAAI,sBACT,UAAU,SAAS,yBAAyB,KAAK,UACjD;AAIF,YAAQ,KAAK,WAAW,OAAxB;KACC,KAAK;AACJ,UAAI,QAAQ,IAAI,SAAS,EAAE,cAC1B,OAAM,IAAI,0BACT,sBAAsB,SAAS,0CAC/B;AAEF,aAAO;OACN;OACA,MAAM,KAAK;OACX,KAAK,KAAK,WAAW,YAAY;OACjC,SAAS,KAAK;OACd,IAAI,IAAI,WAAW,KAAK,GAAG;OAC3B,YAAY;OACZ;KAEF,KAAK,aAAa;MAEjB,MAAM,SAAS,QAAQ,IAAI,SAAS;AACpC,UAAI,CAAC,QAAQ,cACZ,OAAM,IAAI,0BACT,oBAAoB,SAAS,mCAC7B;AAEF,aAAO;OACN;OACA,MAAM,KAAK;OACX,KAAK,OAAO;OACZ,SAAS,KAAK;OACd,IAAI,IAAI,WAAW,KAAK,GAAG;OAC3B,YAAY;OACZ;;KAEF,QACC,OAAM,IAAI,sBAAsB,2BAA2B,WAAW;;;GAGzE,KAAK,GAAG;IACP,MAAM,OAAO,gBAAgB,MAAM,mBAAmB,aAAa,MAAM,IAAI;AAC7E,QAAI,KAAK,YAAY,QAAQ,sBAC5B,OAAM,IAAI,sBACT,UAAU,SAAS,yBAAyB,KAAK,UACjD;AAIF,QAAI,QAAQ,IAAI,SAAS,EAAE,cAC1B,OAAM,IAAI,0BACT,aAAa,SAAS,oEACtB;AAGF,WAAO;KACN;KACA,MAAM,KAAK;KACX,KAAK,KAAK;KACV,SAAS,KAAK;KACd,IAAI,IAAI,WAAW,KAAK,GAAG;KAC3B,YAAY;KACZ;;GAEF,QACC,OAAM,IAAI,6BAA6B,mCAAmC,UAAU;;GAErF,CACF;;;;;;;;;;AAWF,eAAsB,gBACrB,QACA,SACA,YACA,QACmB;CACnB,MAAM,YAAY,OAAO,YAAY;CACrC,MAAM,WAAW,MAAM,MAAM,OAAO,MAAO,4BAA4B,OAAO,UAAU;EACvF,QAAQ;EACR,SAAS;GACR,gBAAgB;GAChB,cAAc;GACd,mBAAmB;GACnB,sBAAsB;GACtB,GAAI,cAAc,SAAS,GAAG,aAAa,QAAQ,GAAG,EAAE;GACxD;EACD,QAAQ,YAAY,QAAQ,QAAQ;EACpC,CAAC;AAEF,OAAM,aAAa,eAAe,UAAU,UAAU;AACtD,wBAAuB,SAAS;CAChC,MAAM,kBAAkB,MAAM,SAAS,MAAM;AAE7C,KAAI,gBAAgB,eAAe,OAAO,SACzC,QAAO;CAER,MAAM,UAAU,QAAQ;EAAC;EAAS,OAAO;EAAI,QAAQ,OAAO,SAAS;EAAC,CAAC;AACvE,QAAO,UAAU,gBAAgB,OAChC,WAAW,gBAAgB,IAAI,EAC/B,UAAU,gBAAgB,KAAK,QAAQ,EACvC,OAAO,GACP;;;;;;;AAQF,SAAgB,uBAAuB,UAAoB;CAC1D,MAAM,mBAAmB,SAAS,QAAQ,IAAI,sBAAsB;AACpE,KAAI,oBAAoB,KACvB,OAAM,IAAI,6BAA6B,+BAA+B;AAEvE,KAAI,IAAI,QAAQ,iBAAiB,CAAC,WAAW,2BAA2B,CACvE,OAAM,IAAI,6BACT,sBAAsB,iBAAiB,mBACvC;;;;;;AAYH,IAAa,kCAAb,MAAmE;CAGlE,YAAY,AAAO,KAAgB;EAAhB;AAClB,OAAK,iBAAiB,MAAM,IAAI,SAAS,CAAC;;CAG3C,WAAmB;AAClB,SAAO,KAAK;;;;;;;;;;;;;;;AA4Cd,eAAsB,mBAAmB,EACxC,KACA,kBACA,kBACA,QACA,UACA,oBACA,aACA,SACA,YACA,QACA,UACiF;CACjF,MAAM,OAAO;EACZ,KAAK,SAAS,iBAAiB,MAAM,EAAE,CAAC;EACxC,SAAS,SAAS,SAAS;EAC3B,sBAAsB,SAAS,mBAAmB;EAClD,mBAAmB;EACnB;EACA;CAED,MAAM,gBAAgB,YAAY,QAAQ,QAAQ;CAClD,MAAM,iBAAiB,SAAS,YAAY,IAAI,CAAC,QAAQ,cAAc,CAAC,GAAG;CAE3E,MAAM,YAAY,OAAO,YAAY;CACrC,MAAM,WAAW,MAAM,MAAM,MAAM,iBAAiB;EACnD,QAAQ;EACR,SAAS;GACR,gBAAgB;GAChB,cAAc;GACd,mBAAmB;GACnB,sBAAsB;GACtB,GAAI,cAAc,SAAS,GAAG,aAAa,QAAQ,GAAG,EAAE;GACxD;EACD,MAAM,KAAK,UAAU,KAAK;EAC1B,QAAQ;EACR,CAAC;AACF,OAAM,aAAa,eAAe,UAAU,UAAU;CACtD,MAAM,OAAO,MAAM,SAAS,MAAM;AAClC,wBAAuB,SAAS;AAEhC,QAAO,KAAK,gBAAgB,KAC1B,QAA0E;EAC1E,QAAQ,MAAM,GAAG,GAAG;EACpB,KAAK,eAAe,QAAQ,GAAG,cAAc,IAAI,WAAW,CAA6B;EACzF,EACD"}

package/dist/session-key.d.mts

@@ -0,0 +1,83 @@
+import { SealCompatibleClient } from "./types.mjs";
+import "@mysten/bcs";
+import { Signer } from "@mysten/sui/cryptography";
+
+//#region src/session-key.d.ts
+
+type Certificate = {
+  user: string;
+  session_vk: string;
+  creation_time: number;
+  ttl_min: number;
+  signature: string;
+  mvr_name?: string;
+};
+type ExportedSessionKey = {
+  address: string;
+  packageId: string;
+  mvrName?: string;
+  creationTimeMs: number;
+  ttlMin: number;
+  personalMessageSignature?: string;
+  sessionKey: string;
+};
+declare class SessionKey {
+  #private;
+  private constructor();
+  /**
+   * Create a new SessionKey instance.
+   * @param address - The address of the user.
+   * @param packageId - The ID of the package.
+   * @param mvrName - Optional. The name of the MVR, if there is one.
+   * @param ttlMin - The TTL in minutes.
+   * @param signer - Optional. The signer instance, e.g. EnokiSigner.
+   * @param suiClient - The Sui client.
+   * @returns A new SessionKey instance.
+   */
+  static create({
+    address,
+    packageId,
+    mvrName,
+    ttlMin,
+    signer,
+    suiClient
+  }: {
+    address: string;
+    packageId: string;
+    mvrName?: string;
+    ttlMin: number;
+    signer?: Signer;
+    suiClient: SealCompatibleClient;
+  }): Promise<SessionKey>;
+  isExpired(): boolean;
+  getAddress(): string;
+  getPackageName(): string;
+  getPackageId(): string;
+  getPersonalMessage(): Uint8Array;
+  setPersonalMessageSignature(personalMessageSignature: string): Promise<void>;
+  getCertificate(): Promise<Certificate>;
+  /**
+   * Create request params for the given transaction bytes.
+   * @param txBytes - The transaction bytes.
+   * @returns The request params containing the ephemeral secret key,
+   * its public key and its verification key.
+   */
+  createRequestParams(txBytes: Uint8Array): Promise<{
+    encKey: Uint8Array<ArrayBuffer>;
+    encKeyPk: Uint8Array<ArrayBuffer>;
+    encVerificationKey: Uint8Array<ArrayBuffer>;
+    requestSignature: string;
+  }>;
+  /**
+   * Export the Session Key object from the instance. Store the object in IndexedDB to persist.
+   */
+  export(): ExportedSessionKey;
+  /**
+   * Restore a SessionKey instance for the given object.
+   * @returns A new SessionKey instance with restored state
+   */
+  static import(data: ExportedSessionKey, suiClient: SealCompatibleClient, signer?: Signer): SessionKey;
+}
+//#endregion
+export { ExportedSessionKey, SessionKey };
+//# sourceMappingURL=session-key.d.mts.map

package/dist/session-key.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-key.d.mts","names":[],"sources":["../src/session-key.ts"],"sourcesContent":[],"mappings":";;;;;;AA2Ca,KAnBD,WAAA,GAmBW;EA4DrB,IAAA,EAAA,MAAA;EACA,UAAA,EAAA,MAAA;EACA,aAAA,EAAA,MAAA;EACA,OAAA,EAAA,MAAA;EACA,SAAA,EAAA,MAAA;EACA,QAAA,CAAA,EAAA,MAAA;CAMS;AACE,KAlFD,kBAAA,GAkFC;EACA,OAAA,EAAA,MAAA;EAAR,SAAA,EAAA,MAAA;EAmCkB,OAAA,CAAA,EAAA,MAAA;EAO4C,cAAA,EAAA,MAAA;EAclC,MAAA,EAAA,MAAA;EAAR,wBAAA,CAAA,EAAA,MAAA;EAyBW,UAAA,EAAA,MAAA;CACf;AAAX,cA3JG,UAAA,CA2JH;EACa,CAAA,OAAA;EAAX,QAAA,WAAA,CAAA;EACqB;;;;;;;;;;;;;;;;;;;;;;aAtFtB;eACE;MACR,QAAQ;;;;;wBAmCU;iEAO4C;oBAc1C,QAAQ;;;;;;;+BAyBG,aAAa;YACvC,WAAW;cACT,WAAW;wBACD,WAAW;;;;;;YA0BtB;;;;;sBAyBH,+BACK,+BACF,SACP"}

package/dist/session-key.mjs

@@ -0,0 +1,171 @@
+import { ExpiredSessionKeyError, InvalidPackageError, InvalidPersonalMessageSignatureError, UserError } from "./error.mjs";
+import { generateSecretKey, toPublicKey, toVerificationKey } from "./elgamal.mjs";
+import { toBase64 } from "@mysten/bcs";
+import { bcs as bcs$1 } from "@mysten/sui/bcs";
+import { isValidNamedPackage, isValidSuiAddress, isValidSuiObjectId } from "@mysten/sui/utils";
+import { Ed25519Keypair } from "@mysten/sui/keypairs/ed25519";
+import { verifyPersonalMessageSignature } from "@mysten/sui/verify";
+
+//#region src/session-key.ts
+const RequestFormat = bcs$1.struct("RequestFormat", {
+	ptb: bcs$1.byteVector(),
+	encKey: bcs$1.byteVector(),
+	encVerificationKey: bcs$1.byteVector()
+});
+var SessionKey = class SessionKey {
+	#address;
+	#packageId;
+	#mvrName;
+	#creationTimeMs;
+	#ttlMin;
+	#sessionKey;
+	#personalMessageSignature;
+	#signer;
+	#suiClient;
+	constructor({ address, packageId, mvrName, ttlMin, signer, suiClient }) {
+		if (mvrName && !isValidNamedPackage(mvrName)) throw new UserError(`Invalid package name ${mvrName}`);
+		if (!isValidSuiObjectId(packageId) || !isValidSuiAddress(address)) throw new UserError(`Invalid package ID ${packageId} or address ${address}`);
+		if (ttlMin > 30 || ttlMin < 1) throw new UserError(`Invalid TTL ${ttlMin}, must be between 1 and 30`);
+		if (signer && signer.getPublicKey().toSuiAddress() !== address) throw new UserError("Signer address does not match session key address");
+		this.#address = address;
+		this.#packageId = packageId;
+		this.#mvrName = mvrName;
+		this.#creationTimeMs = Date.now();
+		this.#ttlMin = ttlMin;
+		this.#sessionKey = Ed25519Keypair.generate();
+		this.#signer = signer;
+		this.#suiClient = suiClient;
+	}
+	/**
+	* Create a new SessionKey instance.
+	* @param address - The address of the user.
+	* @param packageId - The ID of the package.
+	* @param mvrName - Optional. The name of the MVR, if there is one.
+	* @param ttlMin - The TTL in minutes.
+	* @param signer - Optional. The signer instance, e.g. EnokiSigner.
+	* @param suiClient - The Sui client.
+	* @returns A new SessionKey instance.
+	*/
+	static async create({ address, packageId, mvrName, ttlMin, signer, suiClient }) {
+		const packageObj = await suiClient.core.getObject({ objectId: packageId });
+		if (String(packageObj.object.version) !== "1") throw new InvalidPackageError(`Package ${packageId} is not the first version`);
+		return new SessionKey({
+			address,
+			packageId,
+			mvrName,
+			ttlMin,
+			signer,
+			suiClient
+		});
+	}
+	isExpired() {
+		return this.#creationTimeMs + this.#ttlMin * 60 * 1e3 - 1e4 < Date.now();
+	}
+	getAddress() {
+		return this.#address;
+	}
+	getPackageName() {
+		if (this.#mvrName) return this.#mvrName;
+		return this.#packageId;
+	}
+	getPackageId() {
+		return this.#packageId;
+	}
+	getPersonalMessage() {
+		const creationTimeUtc = new Date(this.#creationTimeMs).toISOString().slice(0, 19).replace("T", " ") + " UTC";
+		const message = `Accessing keys of package ${this.getPackageName()} for ${this.#ttlMin} mins from ${creationTimeUtc}, session key ${toBase64(this.#sessionKey.getPublicKey().toRawBytes())}`;
+		return new TextEncoder().encode(message);
+	}
+	async setPersonalMessageSignature(personalMessageSignature) {
+		if (!this.#personalMessageSignature) try {
+			await verifyPersonalMessageSignature(this.getPersonalMessage(), personalMessageSignature, {
+				address: this.#address,
+				client: this.#suiClient
+			});
+			this.#personalMessageSignature = personalMessageSignature;
+		} catch {
+			throw new InvalidPersonalMessageSignatureError("Not valid");
+		}
+	}
+	async getCertificate() {
+		if (!this.#personalMessageSignature) if (this.#signer) {
+			const { signature } = await this.#signer.signPersonalMessage(this.getPersonalMessage());
+			this.#personalMessageSignature = signature;
+		} else throw new InvalidPersonalMessageSignatureError("Personal message signature is not set");
+		return {
+			user: this.#address,
+			session_vk: toBase64(this.#sessionKey.getPublicKey().toRawBytes()),
+			creation_time: this.#creationTimeMs,
+			ttl_min: this.#ttlMin,
+			signature: this.#personalMessageSignature,
+			mvr_name: this.#mvrName
+		};
+	}
+	/**
+	* Create request params for the given transaction bytes.
+	* @param txBytes - The transaction bytes.
+	* @returns The request params containing the ephemeral secret key,
+	* its public key and its verification key.
+	*/
+	async createRequestParams(txBytes) {
+		if (this.isExpired()) throw new ExpiredSessionKeyError();
+		const encKey = generateSecretKey();
+		const encKeyPk = toPublicKey(encKey);
+		const encVerificationKey = toVerificationKey(encKey);
+		const msgToSign = RequestFormat.serialize({
+			ptb: txBytes.slice(1),
+			encKey: encKeyPk,
+			encVerificationKey
+		}).toBytes();
+		return {
+			encKey,
+			encKeyPk,
+			encVerificationKey,
+			requestSignature: toBase64(await this.#sessionKey.sign(msgToSign))
+		};
+	}
+	/**
+	* Export the Session Key object from the instance. Store the object in IndexedDB to persist.
+	*/
+	export() {
+		const obj = {
+			address: this.#address,
+			packageId: this.#packageId,
+			mvrName: this.#mvrName,
+			creationTimeMs: this.#creationTimeMs,
+			ttlMin: this.#ttlMin,
+			personalMessageSignature: this.#personalMessageSignature,
+			sessionKey: this.#sessionKey.getSecretKey()
+		};
+		Object.defineProperty(obj, "toJSON", {
+			enumerable: false,
+			value: () => {
+				throw new Error("This object is not serializable");
+			}
+		});
+		return obj;
+	}
+	/**
+	* Restore a SessionKey instance for the given object.
+	* @returns A new SessionKey instance with restored state
+	*/
+	static import(data, suiClient, signer) {
+		const instance = new SessionKey({
+			address: data.address,
+			packageId: data.packageId,
+			mvrName: data.mvrName,
+			ttlMin: data.ttlMin,
+			signer,
+			suiClient
+		});
+		instance.#creationTimeMs = data.creationTimeMs;
+		instance.#sessionKey = Ed25519Keypair.fromSecretKey(data.sessionKey);
+		instance.#personalMessageSignature = data.personalMessageSignature;
+		if (instance.isExpired()) throw new ExpiredSessionKeyError();
+		return instance;
+	}
+};
+
+//#endregion
+export { SessionKey };
+//# sourceMappingURL=session-key.mjs.map

package/dist/session-key.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"session-key.mjs","names":["bcs","#address","#packageId","#mvrName","#creationTimeMs","#ttlMin","#sessionKey","#signer","#suiClient","#personalMessageSignature"],"sources":["../src/session-key.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { toBase64 } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\nimport type { Signer } from '@mysten/sui/cryptography';\nimport { Ed25519Keypair } from '@mysten/sui/keypairs/ed25519';\nimport { isValidNamedPackage, isValidSuiAddress, isValidSuiObjectId } from '@mysten/sui/utils';\nimport { verifyPersonalMessageSignature } from '@mysten/sui/verify';\nimport { generateSecretKey, toPublicKey, toVerificationKey } from './elgamal.js';\nimport {\n\tExpiredSessionKeyError,\n\tInvalidPackageError,\n\tInvalidPersonalMessageSignatureError,\n\tUserError,\n} from './error.js';\nimport type { SealCompatibleClient } from './types.js';\n\nexport const RequestFormat = bcs.struct('RequestFormat', {\n\tptb: bcs.byteVector(),\n\tencKey: bcs.byteVector(),\n\tencVerificationKey: bcs.byteVector(),\n});\n\nexport type Certificate = {\n\tuser: string;\n\tsession_vk: string;\n\tcreation_time: number;\n\tttl_min: number;\n\tsignature: string;\n\tmvr_name?: string;\n};\n\nexport type ExportedSessionKey = {\n\taddress: string;\n\tpackageId: string;\n\tmvrName?: string;\n\tcreationTimeMs: number;\n\tttlMin: number;\n\tpersonalMessageSignature?: string;\n\tsessionKey: string;\n};\n\nexport class SessionKey {\n\t#address: string;\n\t#packageId: string;\n\t#mvrName?: string;\n\t#creationTimeMs: number;\n\t#ttlMin: number;\n\t#sessionKey: Ed25519Keypair;\n\t#personalMessageSignature?: string;\n\t#signer?: Signer;\n\t#suiClient: SealCompatibleClient;\n\n\tprivate constructor({\n\t\taddress,\n\t\tpackageId,\n\t\tmvrName,\n\t\tttlMin,\n\t\tsigner,\n\t\tsuiClient,\n\t}: {\n\t\taddress: string;\n\t\tpackageId: string;\n\t\tmvrName?: string;\n\t\tttlMin: number;\n\t\tsigner?: Signer;\n\t\tsuiClient: SealCompatibleClient;\n\t}) {\n\t\tif (mvrName && !isValidNamedPackage(mvrName)) {\n\t\t\tthrow new UserError(`Invalid package name ${mvrName}`);\n\t\t}\n\t\tif (!isValidSuiObjectId(packageId) || !isValidSuiAddress(address)) {\n\t\t\tthrow new UserError(`Invalid package ID ${packageId} or address ${address}`);\n\t\t}\n\t\tif (ttlMin > 30 || ttlMin < 1) {\n\t\t\tthrow new UserError(`Invalid TTL ${ttlMin}, must be between 1 and 30`);\n\t\t}\n\t\tif (signer && signer.getPublicKey().toSuiAddress() !== address) {\n\t\t\tthrow new UserError('Signer address does not match session key address');\n\t\t}\n\n\t\tthis.#address = address;\n\t\tthis.#packageId = packageId;\n\t\tthis.#mvrName = mvrName;\n\t\tthis.#creationTimeMs = Date.now();\n\t\tthis.#ttlMin = ttlMin;\n\t\tthis.#sessionKey = Ed25519Keypair.generate();\n\t\tthis.#signer = signer;\n\t\tthis.#suiClient = suiClient;\n\t}\n\n\t/**\n\t * Create a new SessionKey instance.\n\t * @param address - The address of the user.\n\t * @param packageId - The ID of the package.\n\t * @param mvrName - Optional. The name of the MVR, if there is one.\n\t * @param ttlMin - The TTL in minutes.\n\t * @param signer - Optional. The signer instance, e.g. EnokiSigner.\n\t * @param suiClient - The Sui client.\n\t * @returns A new SessionKey instance.\n\t */\n\tstatic async create({\n\t\taddress,\n\t\tpackageId,\n\t\tmvrName,\n\t\tttlMin,\n\t\tsigner,\n\t\tsuiClient,\n\t}: {\n\t\taddress: string;\n\t\tpackageId: string;\n\t\tmvrName?: string;\n\t\tttlMin: number;\n\t\tsigner?: Signer;\n\t\tsuiClient: SealCompatibleClient;\n\t}): Promise<SessionKey> {\n\t\tconst packageObj = await suiClient.core.getObject({ objectId: packageId });\n\t\tif (String(packageObj.object.version) !== '1') {\n\t\t\tthrow new InvalidPackageError(`Package ${packageId} is not the first version`);\n\t\t}\n\n\t\treturn new SessionKey({\n\t\t\taddress,\n\t\t\tpackageId,\n\t\t\tmvrName,\n\t\t\tttlMin,\n\t\t\tsigner,\n\t\t\tsuiClient,\n\t\t});\n\t}\n\tisExpired(): boolean {\n\t\t// Allow 10 seconds for clock skew\n\t\treturn this.#creationTimeMs + this.#ttlMin * 60 * 1000 - 10_000 < Date.now();\n\t}\n\n\tgetAddress(): string {\n\t\treturn this.#address;\n\t}\n\n\tgetPackageName(): string {\n\t\tif (this.#mvrName) {\n\t\t\treturn this.#mvrName;\n\t\t}\n\t\treturn this.#packageId;\n\t}\n\n\tgetPackageId(): string {\n\t\treturn this.#packageId;\n\t}\n\n\tgetPersonalMessage(): Uint8Array {\n\t\tconst creationTimeUtc =\n\t\t\tnew Date(this.#creationTimeMs).toISOString().slice(0, 19).replace('T', ' ') + ' UTC';\n\t\tconst message = `Accessing keys of package ${this.getPackageName()} for ${this.#ttlMin} mins from ${creationTimeUtc}, session key ${toBase64(this.#sessionKey.getPublicKey().toRawBytes())}`;\n\t\treturn new TextEncoder().encode(message);\n\t}\n\n\tasync setPersonalMessageSignature(personalMessageSignature: string) {\n\t\tif (!this.#personalMessageSignature) {\n\t\t\ttry {\n\t\t\t\tawait verifyPersonalMessageSignature(this.getPersonalMessage(), personalMessageSignature, {\n\t\t\t\t\taddress: this.#address,\n\t\t\t\t\tclient: this.#suiClient,\n\t\t\t\t});\n\t\t\t\tthis.#personalMessageSignature = personalMessageSignature;\n\t\t\t} catch {\n\t\t\t\tthrow new InvalidPersonalMessageSignatureError('Not valid');\n\t\t\t}\n\t\t}\n\t}\n\n\tasync getCertificate(): Promise<Certificate> {\n\t\tif (!this.#personalMessageSignature) {\n\t\t\tif (this.#signer) {\n\t\t\t\tconst { signature } = await this.#signer.signPersonalMessage(this.getPersonalMessage());\n\t\t\t\tthis.#personalMessageSignature = signature;\n\t\t\t} else {\n\t\t\t\tthrow new InvalidPersonalMessageSignatureError('Personal message signature is not set');\n\t\t\t}\n\t\t}\n\t\treturn {\n\t\t\tuser: this.#address,\n\t\t\tsession_vk: toBase64(this.#sessionKey.getPublicKey().toRawBytes()),\n\t\t\tcreation_time: this.#creationTimeMs,\n\t\t\tttl_min: this.#ttlMin,\n\t\t\tsignature: this.#personalMessageSignature,\n\t\t\tmvr_name: this.#mvrName,\n\t\t};\n\t}\n\n\t/**\n\t * Create request params for the given transaction bytes.\n\t * @param txBytes - The transaction bytes.\n\t * @returns The request params containing the ephemeral secret key,\n\t * its public key and its verification key.\n\t */\n\tasync createRequestParams(txBytes: Uint8Array): Promise<{\n\t\tencKey: Uint8Array<ArrayBuffer>;\n\t\tencKeyPk: Uint8Array<ArrayBuffer>;\n\t\tencVerificationKey: Uint8Array<ArrayBuffer>;\n\t\trequestSignature: string;\n\t}> {\n\t\tif (this.isExpired()) {\n\t\t\tthrow new ExpiredSessionKeyError();\n\t\t}\n\t\tconst encKey = generateSecretKey();\n\t\tconst encKeyPk = toPublicKey(encKey);\n\t\tconst encVerificationKey = toVerificationKey(encKey);\n\n\t\tconst msgToSign = RequestFormat.serialize({\n\t\t\tptb: txBytes.slice(1),\n\t\t\tencKey: encKeyPk,\n\t\t\tencVerificationKey,\n\t\t}).toBytes();\n\t\treturn {\n\t\t\tencKey,\n\t\t\tencKeyPk,\n\t\t\tencVerificationKey,\n\t\t\trequestSignature: toBase64(await this.#sessionKey.sign(msgToSign)),\n\t\t};\n\t}\n\n\t/**\n\t * Export the Session Key object from the instance. Store the object in IndexedDB to persist.\n\t */\n\texport(): ExportedSessionKey {\n\t\tconst obj = {\n\t\t\taddress: this.#address,\n\t\t\tpackageId: this.#packageId,\n\t\t\tmvrName: this.#mvrName,\n\t\t\tcreationTimeMs: this.#creationTimeMs,\n\t\t\tttlMin: this.#ttlMin,\n\t\t\tpersonalMessageSignature: this.#personalMessageSignature,\n\t\t\tsessionKey: this.#sessionKey.getSecretKey(), // bech32 encoded string\n\t\t};\n\n\t\tObject.defineProperty(obj, 'toJSON', {\n\t\t\tenumerable: false,\n\t\t\tvalue: () => {\n\t\t\t\tthrow new Error('This object is not serializable');\n\t\t\t},\n\t\t});\n\t\treturn obj;\n\t}\n\n\t/**\n\t * Restore a SessionKey instance for the given object.\n\t * @returns A new SessionKey instance with restored state\n\t */\n\tstatic import(\n\t\tdata: ExportedSessionKey,\n\t\tsuiClient: SealCompatibleClient,\n\t\tsigner?: Signer,\n\t): SessionKey {\n\t\tconst instance = new SessionKey({\n\t\t\taddress: data.address,\n\t\t\tpackageId: data.packageId,\n\t\t\tmvrName: data.mvrName,\n\t\t\tttlMin: data.ttlMin,\n\t\t\tsigner,\n\t\t\tsuiClient,\n\t\t});\n\n\t\tinstance.#creationTimeMs = data.creationTimeMs;\n\t\tinstance.#sessionKey = Ed25519Keypair.fromSecretKey(data.sessionKey);\n\t\tinstance.#personalMessageSignature = data.personalMessageSignature;\n\n\t\tif (instance.isExpired()) {\n\t\t\tthrow new ExpiredSessionKeyError();\n\t\t}\n\t\treturn instance;\n\t}\n}\n"],"mappings":";;;;;;;;;AAkBA,MAAa,gBAAgBA,MAAI,OAAO,iBAAiB;CACxD,KAAKA,MAAI,YAAY;CACrB,QAAQA,MAAI,YAAY;CACxB,oBAAoBA,MAAI,YAAY;CACpC,CAAC;AAqBF,IAAa,aAAb,MAAa,WAAW;CACvB;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CAEA,AAAQ,YAAY,EACnB,SACA,WACA,SACA,QACA,QACA,aAQE;AACF,MAAI,WAAW,CAAC,oBAAoB,QAAQ,CAC3C,OAAM,IAAI,UAAU,wBAAwB,UAAU;AAEvD,MAAI,CAAC,mBAAmB,UAAU,IAAI,CAAC,kBAAkB,QAAQ,CAChE,OAAM,IAAI,UAAU,sBAAsB,UAAU,cAAc,UAAU;AAE7E,MAAI,SAAS,MAAM,SAAS,EAC3B,OAAM,IAAI,UAAU,eAAe,OAAO,4BAA4B;AAEvE,MAAI,UAAU,OAAO,cAAc,CAAC,cAAc,KAAK,QACtD,OAAM,IAAI,UAAU,oDAAoD;AAGzE,QAAKC,UAAW;AAChB,QAAKC,YAAa;AAClB,QAAKC,UAAW;AAChB,QAAKC,iBAAkB,KAAK,KAAK;AACjC,QAAKC,SAAU;AACf,QAAKC,aAAc,eAAe,UAAU;AAC5C,QAAKC,SAAU;AACf,QAAKC,YAAa;;;;;;;;;;;;CAanB,aAAa,OAAO,EACnB,SACA,WACA,SACA,QACA,QACA,aAQuB;EACvB,MAAM,aAAa,MAAM,UAAU,KAAK,UAAU,EAAE,UAAU,WAAW,CAAC;AAC1E,MAAI,OAAO,WAAW,OAAO,QAAQ,KAAK,IACzC,OAAM,IAAI,oBAAoB,WAAW,UAAU,2BAA2B;AAG/E,SAAO,IAAI,WAAW;GACrB;GACA;GACA;GACA;GACA;GACA;GACA,CAAC;;CAEH,YAAqB;AAEpB,SAAO,MAAKJ,iBAAkB,MAAKC,SAAU,KAAK,MAAO,MAAS,KAAK,KAAK;;CAG7E,aAAqB;AACpB,SAAO,MAAKJ;;CAGb,iBAAyB;AACxB,MAAI,MAAKE,QACR,QAAO,MAAKA;AAEb,SAAO,MAAKD;;CAGb,eAAuB;AACtB,SAAO,MAAKA;;CAGb,qBAAiC;EAChC,MAAM,kBACL,IAAI,KAAK,MAAKE,eAAgB,CAAC,aAAa,CAAC,MAAM,GAAG,GAAG,CAAC,QAAQ,KAAK,IAAI,GAAG;EAC/E,MAAM,UAAU,6BAA6B,KAAK,gBAAgB,CAAC,OAAO,MAAKC,OAAQ,aAAa,gBAAgB,gBAAgB,SAAS,MAAKC,WAAY,cAAc,CAAC,YAAY,CAAC;AAC1L,SAAO,IAAI,aAAa,CAAC,OAAO,QAAQ;;CAGzC,MAAM,4BAA4B,0BAAkC;AACnE,MAAI,CAAC,MAAKG,yBACT,KAAI;AACH,SAAM,+BAA+B,KAAK,oBAAoB,EAAE,0BAA0B;IACzF,SAAS,MAAKR;IACd,QAAQ,MAAKO;IACb,CAAC;AACF,SAAKC,2BAA4B;UAC1B;AACP,SAAM,IAAI,qCAAqC,YAAY;;;CAK9D,MAAM,iBAAuC;AAC5C,MAAI,CAAC,MAAKA,yBACT,KAAI,MAAKF,QAAS;GACjB,MAAM,EAAE,cAAc,MAAM,MAAKA,OAAQ,oBAAoB,KAAK,oBAAoB,CAAC;AACvF,SAAKE,2BAA4B;QAEjC,OAAM,IAAI,qCAAqC,wCAAwC;AAGzF,SAAO;GACN,MAAM,MAAKR;GACX,YAAY,SAAS,MAAKK,WAAY,cAAc,CAAC,YAAY,CAAC;GAClE,eAAe,MAAKF;GACpB,SAAS,MAAKC;GACd,WAAW,MAAKI;GAChB,UAAU,MAAKN;GACf;;;;;;;;CASF,MAAM,oBAAoB,SAKvB;AACF,MAAI,KAAK,WAAW,CACnB,OAAM,IAAI,wBAAwB;EAEnC,MAAM,SAAS,mBAAmB;EAClC,MAAM,WAAW,YAAY,OAAO;EACpC,MAAM,qBAAqB,kBAAkB,OAAO;EAEpD,MAAM,YAAY,cAAc,UAAU;GACzC,KAAK,QAAQ,MAAM,EAAE;GACrB,QAAQ;GACR;GACA,CAAC,CAAC,SAAS;AACZ,SAAO;GACN;GACA;GACA;GACA,kBAAkB,SAAS,MAAM,MAAKG,WAAY,KAAK,UAAU,CAAC;GAClE;;;;;CAMF,SAA6B;EAC5B,MAAM,MAAM;GACX,SAAS,MAAKL;GACd,WAAW,MAAKC;GAChB,SAAS,MAAKC;GACd,gBAAgB,MAAKC;GACrB,QAAQ,MAAKC;GACb,0BAA0B,MAAKI;GAC/B,YAAY,MAAKH,WAAY,cAAc;GAC3C;AAED,SAAO,eAAe,KAAK,UAAU;GACpC,YAAY;GACZ,aAAa;AACZ,UAAM,IAAI,MAAM,kCAAkC;;GAEnD,CAAC;AACF,SAAO;;;;;;CAOR,OAAO,OACN,MACA,WACA,QACa;EACb,MAAM,WAAW,IAAI,WAAW;GAC/B,SAAS,KAAK;GACd,WAAW,KAAK;GAChB,SAAS,KAAK;GACd,QAAQ,KAAK;GACb;GACA;GACA,CAAC;AAEF,YAASF,iBAAkB,KAAK;AAChC,YAASE,aAAc,eAAe,cAAc,KAAK,WAAW;AACpE,YAASG,2BAA4B,KAAK;AAE1C,MAAI,SAAS,WAAW,CACvB,OAAM,IAAI,wBAAwB;AAEnC,SAAO"}