@mysten/seal 0.2.0 → 0.3.0

package/dist/esm/error.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/error.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport class SealError extends Error {}\n\nexport class UserError extends SealError {}\n\n// Errors returned by the Seal server\nexport class SealAPIError extends SealError {\n\tconstructor(\n\t\tmessage: string,\n\t\tpublic requestId?: string,\n\t\tpublic status?: number,\n\t) {\n\t\tsuper(message);\n\t}\n\n\tstatic #generate(message: string, requestId: string, status?: number) {\n\t\tswitch (message) {\n\t\t\tcase 'InvalidPTB':\n\t\t\t\treturn new InvalidPTBError(requestId);\n\t\t\tcase 'InvalidPackage':\n\t\t\t\treturn new InvalidPackageError(requestId);\n\t\t\tcase 'NoAccess':\n\t\t\t\treturn new NoAccessError(requestId);\n\t\t\tcase 'InvalidCertificate':\n\t\t\t\treturn new ExpiredSessionKeyError(requestId);\n\t\t\tcase 'OldPackageVersion':\n\t\t\t\treturn new OldPackageError(requestId);\n\t\t\tcase 'InvalidSignature':\n\t\t\t\treturn new InvalidUserSignatureError(requestId);\n\t\t\tcase 'InvalidSessionSignature':\n\t\t\t\treturn new InvalidSessionKeySignatureError(requestId);\n\t\t\tcase 'Failure':\n\t\t\t\treturn new InternalError(requestId);\n\t\t\tdefault:\n\t\t\t\treturn new GeneralError(message, requestId, status);\n\t\t}\n\t}\n\n\tstatic async assertResponse(response: Response, requestId: string) {\n\t\tif (response.ok) {\n\t\t\treturn;\n\t\t}\n\t\tlet errorInstance: SealAPIError;\n\t\ttry {\n\t\t\tconst text = await response.text();\n\t\t\tconst error = JSON.parse(text)['error'];\n\t\t\terrorInstance = SealAPIError.#generate(error, requestId);\n\t\t} catch (e) {\n\t\t\t// If we can't parse the response as JSON or if it doesn't have the expected format,\n\t\t\t// fall back to using the status text\n\t\t\terrorInstance = new GeneralError(response.statusText, requestId, response.status);\n\t\t}\n\t\tthrow errorInstance;\n\t}\n}\n\n// Errors returned by the Seal server that indicate that the PTB is invalid\n\nexport class InvalidPTBError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('PTB does not conform to the expected format', requestId);\n\t}\n}\n\nexport class InvalidPackageError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Package ID used in PTB is invalid', requestId);\n\t}\n}\n\nexport class OldPackageError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('PTB must call the latest version of the package', requestId);\n\t}\n}\n\n// Errors returned by the Seal server that indicate that the user's signature is invalid\n\nexport class InvalidUserSignatureError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('User signature on the session key is invalid', requestId);\n\t}\n}\n\nexport class InvalidSessionKeySignatureError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Session key signature is invalid', requestId);\n\t}\n}\n\n/** Server error indicating that the user does not have access to one or more of the requested keys */\nexport class NoAccessError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('User does not have access to one or more of the requested keys', requestId);\n\t}\n}\n\n/** Server error indicating that the session key has expired */\nexport class ExpiredSessionKeyError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Session key has expired', requestId);\n\t}\n}\n\n/** Internal server error, caller should retry */\nexport class InternalError extends SealAPIError {\n\tconstructor(requestId?: string) {\n\t\tsuper('Internal server error, caller should retry', requestId);\n\t}\n}\n\n/** General server errors that are not specific to the Seal API (e.g., 404 \"Not Found\") */\nexport class GeneralError extends SealAPIError {}\n\n// Errors returned by the SDK\nexport class InvalidPersonalMessageSignatureError extends UserError {}\nexport class InvalidGetObjectError extends UserError {}\nexport class UnsupportedFeatureError extends UserError {}\nexport class UnsupportedNetworkError extends UserError {}\nexport class InvalidKeyServerError extends UserError {}\nexport class InvalidCiphertextError extends UserError {}\nexport class InvalidThresholdError extends UserError {}\nexport class InconsistentKeyServersError extends UserError {}\n\nexport function toMajorityError(errors: Error[]): Error {\n\tlet maxCount = 0;\n\tlet majorityError = errors[0];\n\tconst counts = new Map<string, number>();\n\tfor (const error of errors) {\n\t\tconst errorName = error.constructor.name;\n\t\tconst newCount = (counts.get(errorName) || 0) + 1;\n\t\tcounts.set(errorName, newCount);\n\n\t\tif (newCount > maxCount) {\n\t\t\tmaxCount = newCount;\n\t\t\tmajorityError = error;\n\t\t}\n\t}\n\n\treturn majorityError;\n}\n"],
+  "mappings": ";;;;;;AAAA;AAGO,MAAM,kBAAkB,MAAM;AAAC;AAE/B,MAAM,kBAAkB,UAAU;AAAC;AAGnC,MAAM,gBAAN,MAAM,sBAAqB,UAAU;AAAA,EAC3C,YACC,SACO,WACA,QACN;AACD,UAAM,OAAO;AAHN;AACA;AAAA,EAGR;AAAA,EAyBA,aAAa,eAAe,UAAoB,WAAmB;AAxCpE;AAyCE,QAAI,SAAS,IAAI;AAChB;AAAA,IACD;AACA,QAAI;AACJ,QAAI;AACH,YAAM,OAAO,MAAM,SAAS,KAAK;AACjC,YAAM,QAAQ,KAAK,MAAM,IAAI,EAAE,OAAO;AACtC,sBAAgB,oCAAa,mCAAb,SAAuB,OAAO;AAAA,IAC/C,SAAS,GAAG;AAGX,sBAAgB,IAAI,aAAa,SAAS,YAAY,WAAW,SAAS,MAAM;AAAA,IACjF;AACA,UAAM;AAAA,EACP;AACD;AAhDO;AASC,cAAS,SAAC,SAAiB,WAAmB,QAAiB;AACrE,UAAQ,SAAS;AAAA,IAChB,KAAK;AACJ,aAAO,IAAI,gBAAgB,SAAS;AAAA,IACrC,KAAK;AACJ,aAAO,IAAI,oBAAoB,SAAS;AAAA,IACzC,KAAK;AACJ,aAAO,IAAI,cAAc,SAAS;AAAA,IACnC,KAAK;AACJ,aAAO,IAAI,uBAAuB,SAAS;AAAA,IAC5C,KAAK;AACJ,aAAO,IAAI,gBAAgB,SAAS;AAAA,IACrC,KAAK;AACJ,aAAO,IAAI,0BAA0B,SAAS;AAAA,IAC/C,KAAK;AACJ,aAAO,IAAI,gCAAgC,SAAS;AAAA,IACrD,KAAK;AACJ,aAAO,IAAI,cAAc,SAAS;AAAA,IACnC;AACC,aAAO,IAAI,aAAa,SAAS,WAAW,MAAM;AAAA,EACpD;AACD;AA9BM,aAAM,eAAN;AAAA,IAAM,eAAN;AAoDA,MAAM,wBAAwB,aAAa;AAAA,EACjD,YAAY,WAAoB;AAC/B,UAAM,+CAA+C,SAAS;AAAA,EAC/D;AACD;AAEO,MAAM,4BAA4B,aAAa;AAAA,EACrD,YAAY,WAAoB;AAC/B,UAAM,qCAAqC,SAAS;AAAA,EACrD;AACD;AAEO,MAAM,wBAAwB,aAAa;AAAA,EACjD,YAAY,WAAoB;AAC/B,UAAM,mDAAmD,SAAS;AAAA,EACnE;AACD;AAIO,MAAM,kCAAkC,aAAa;AAAA,EAC3D,YAAY,WAAoB;AAC/B,UAAM,gDAAgD,SAAS;AAAA,EAChE;AACD;AAEO,MAAM,wCAAwC,aAAa;AAAA,EACjE,YAAY,WAAoB;AAC/B,UAAM,oCAAoC,SAAS;AAAA,EACpD;AACD;AAGO,MAAM,sBAAsB,aAAa;AAAA,EAC/C,YAAY,WAAoB;AAC/B,UAAM,kEAAkE,SAAS;AAAA,EAClF;AACD;AAGO,MAAM,+BAA+B,aAAa;AAAA,EACxD,YAAY,WAAoB;AAC/B,UAAM,2BAA2B,SAAS;AAAA,EAC3C;AACD;AAGO,MAAM,sBAAsB,aAAa;AAAA,EAC/C,YAAY,WAAoB;AAC/B,UAAM,8CAA8C,SAAS;AAAA,EAC9D;AACD;AAGO,MAAM,qBAAqB,aAAa;AAAC;AAGzC,MAAM,6CAA6C,UAAU;AAAC;AAC9D,MAAM,8BAA8B,UAAU;AAAC;AAC/C,MAAM,gCAAgC,UAAU;AAAC;AACjD,MAAM,gCAAgC,UAAU;AAAC;AACjD,MAAM,8BAA8B,UAAU;AAAC;AAC/C,MAAM,+BAA+B,UAAU;AAAC;AAChD,MAAM,8BAA8B,UAAU;AAAC;AAC/C,MAAM,oCAAoC,UAAU;AAAC;AAErD,SAAS,gBAAgB,QAAwB;AACvD,MAAI,WAAW;AACf,MAAI,gBAAgB,OAAO,CAAC;AAC5B,QAAM,SAAS,oBAAI,IAAoB;AACvC,aAAW,SAAS,QAAQ;AAC3B,UAAM,YAAY,MAAM,YAAY;AACpC,UAAM,YAAY,OAAO,IAAI,SAAS,KAAK,KAAK;AAChD,WAAO,IAAI,WAAW,QAAQ;AAE9B,QAAI,WAAW,UAAU;AACxB,iBAAW;AACX,sBAAgB;AAAA,IACjB;AAAA,EACD;AAEA,SAAO;AACR;",
+  "names": []
+}

package/dist/esm/ibe.d.ts

@@ -1,6 +1,6 @@
+import type { IBEEncryptions } from './bcs.js';
 import { G1Element, G2Element } from './bls12381.js';
 import type { KeyServer } from './key-server.js';
-import type { IBEEncryptionsType } from './types.js';
 /**
  * The domain separation tag for the hash-to-group function.
  */
@@ -13,12 +13,8 @@ export declare const DST_POP: Uint8Array;
  * The interface for the key servers.
  */
 export declare abstract class IBEServers {
-    protected readonly object_ids: Uint8Array[];
-    protected constructor(object_ids: Uint8Array[]);
-    /**
-     * The object IDs of the key servers.
-     */
-    getObjectIds(): Uint8Array[];
+    objectIds: string[];
+    constructor(objectIds: string[]);
     /**
      * The number of key servers.
      */
@@ -27,25 +23,25 @@ export declare abstract class IBEServers {
      * Encrypt a batch of messages for the given identity.
      *
      * @param id The identity.
-     * @param msg_and_infos The messages and an additional info parameter which will be included in the KDF.
+     * @param msgAndInfos The messages and an additional info parameter which will be included in the KDF.
      * @returns The encrypted messages.
      */
-    abstract encryptBatched(id: Uint8Array, msg_and_infos: {
+    abstract encryptBatched(id: Uint8Array, msgAndInfos: {
         msg: Uint8Array;
         info: Uint8Array;
-    }[]): IBEEncryptionsType;
+    }[], randomnessKey: Uint8Array): typeof IBEEncryptions.$inferType;
 }
 /**
  * Identity-based encryption based on the Boneh-Franklin IBE scheme.
  * This object represents a set of key servers that can be used to encrypt messages for a given identity.
  */
 export declare class BonehFranklinBLS12381Services extends IBEServers {
-    readonly public_keys: G2Element[];
+    readonly publicKeys: G2Element[];
     constructor(services: KeyServer[]);
-    encryptBatched(id: Uint8Array, msg_and_infos: {
+    encryptBatched(id: Uint8Array, msgAndInfos: {
         msg: Uint8Array;
         info: Uint8Array;
-    }[]): IBEEncryptionsType;
+    }[], randomnessKey: Uint8Array): typeof IBEEncryptions.$inferType;
     /**
      * Returns true if the user secret key is valid for the given public key and id.
      * @param user_secret_key - The user secret key.
@@ -53,7 +49,7 @@ export declare class BonehFranklinBLS12381Services extends IBEServers {
      * @param public_key - The public key.
      * @returns True if the user secret key is valid for the given public key and id.
      */
-    static verifyUserSecretKey(user_secret_key: G1Element, id: Uint8Array, public_key: G2Element): boolean;
+    static verifyUserSecretKey(userSecretKey: G1Element, id: string, publicKey: G2Element): boolean;
     /**
      * Identity-based decryption.
      *

package/dist/esm/ibe.js

@@ -1,42 +1,39 @@
+import { fromHex } from "@mysten/bcs";
 import { G1Element, G2Element, Scalar } from "./bls12381.js";
 import { kdf } from "./kdf.js";
 import { xor } from "./utils.js";
 const DST = new TextEncoder().encode("SUI-SEAL-IBE-BLS12381-00");
-const DST_POP = new TextEncoder().encode("SUI-SEAL-IBE-BLS12381-00-POP");
+const DST_POP = new TextEncoder().encode("SUI-SEAL-IBE-BLS12381-POP-00");
 class IBEServers {
-  constructor(object_ids) {
-    this.object_ids = object_ids;
-  }
-  /**
-   * The object IDs of the key servers.
-   */
-  getObjectIds() {
-    return this.object_ids;
+  constructor(objectIds) {
+    this.objectIds = objectIds;
   }
   /**
    * The number of key servers.
    */
   size() {
-    return this.object_ids.length;
+    return this.objectIds.length;
   }
 }
 class BonehFranklinBLS12381Services extends IBEServers {
   constructor(services) {
     super(services.map((service) => service.objectId));
-    this.public_keys = services.map((service) => G2Element.fromBytes(service.pk));
+    this.publicKeys = services.map((service) => G2Element.fromBytes(service.pk));
   }
-  encryptBatched(id, msg_and_infos) {
-    if (this.public_keys.length === 0 || this.public_keys.length !== msg_and_infos.length) {
-      throw new Error("Invalid input");
+  encryptBatched(id, msgAndInfos, randomnessKey) {
+    if (this.publicKeys.length === 0 || this.publicKeys.length !== msgAndInfos.length) {
+      throw new Error("Invalid public keys");
     }
-    const [nonce, keys] = encapBatched(this.public_keys, id);
-    const encrypted_msgs = msg_and_infos.map(
-      (msg_and_info, i) => xor(msg_and_info.msg, kdf(keys[i], msg_and_info.info))
+    const [r, nonce, keys] = encapBatched(this.publicKeys, id);
+    const encryptedShares = msgAndInfos.map(
+      (msgAndInfo, i) => xor(msgAndInfo.msg, kdf(keys[i], msgAndInfo.info))
     );
+    const encryptedRandomness = xor(randomnessKey, r.toBytes());
     return {
       BonehFranklinBLS12381: {
-        encapsulation: nonce.toBytes(),
-        shares: encrypted_msgs
+        nonce: nonce.toBytes(),
+        encryptedShares,
+        encryptedRandomness
       },
       $kind: "BonehFranklinBLS12381"
     };
@@ -48,9 +45,9 @@ class BonehFranklinBLS12381Services extends IBEServers {
    * @param public_key - The public key.
    * @returns True if the user secret key is valid for the given public key and id.
    */
-  static verifyUserSecretKey(user_secret_key, id, public_key) {
-    const lhs = user_secret_key.pairing(G2Element.generator()).toBytes();
-    const rhs = G1Element.hashToCurve(id).pairing(public_key).toBytes();
+  static verifyUserSecretKey(userSecretKey, id, publicKey) {
+    const lhs = userSecretKey.pairing(G2Element.generator()).toBytes();
+    const rhs = G1Element.hashToCurve(fromHex(id)).pairing(publicKey).toBytes();
     return lhs.length === rhs.length && lhs.every((value, index) => value === rhs[index]);
   }
   /**
@@ -66,14 +63,14 @@ class BonehFranklinBLS12381Services extends IBEServers {
     return xor(ciphertext, kdf(decap(nonce, sk), info));
   }
 }
-function encapBatched(public_keys, id) {
-  if (public_keys.length === 0) {
-    throw new Error("Invalid input");
+function encapBatched(publicKeys, id) {
+  if (publicKeys.length === 0) {
+    throw new Error("No public keys provided");
   }
   const r = Scalar.random();
   const nonce = G2Element.generator().multiply(r);
   const gid = G1Element.hashToCurve(id).multiply(r);
-  return [nonce, public_keys.map((public_key) => gid.pairing(public_key))];
+  return [r, nonce, publicKeys.map((public_key) => gid.pairing(public_key))];
 }
 function decap(nonce, usk) {
   return usk.pairing(nonce);

package/dist/esm/ibe.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/ibe.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport type { GTElement } from './bls12381.js';\nimport { G1Element, G2Element, Scalar } from './bls12381.js';\nimport { kdf } from './kdf.js';\nimport type { KeyServer } from './key-server.js';\nimport type { IBEEncryptionsType } from './types.js';\nimport { xor } from './utils.js';\n\n/**\n * The domain separation tag for the hash-to-group function.\n */\nexport const DST: Uint8Array = new TextEncoder().encode('SUI-SEAL-IBE-BLS12381-00');\n\n/**\n * The domain separation tag for the signing proof of possession.\n */\nexport const DST_POP: Uint8Array = new TextEncoder().encode('SUI-SEAL-IBE-BLS12381-00-POP');\n\n/**\n * The interface for the key servers.\n */\nexport abstract class IBEServers {\n\tprotected readonly object_ids: Uint8Array[];\n\n\tprotected constructor(object_ids: Uint8Array[]) {\n\t\tthis.object_ids = object_ids;\n\t}\n\n\t/**\n\t * The object IDs of the key servers.\n\t */\n\tgetObjectIds(): Uint8Array[] {\n\t\treturn this.object_ids;\n\t}\n\n\t/**\n\t * The number of key servers.\n\t */\n\tsize(): number {\n\t\treturn this.object_ids.length;\n\t}\n\n\t/**\n\t * Encrypt a batch of messages for the given identity.\n\t *\n\t * @param id The identity.\n\t * @param msg_and_infos The messages and an additional info parameter which will be included in the KDF.\n\t * @returns The encrypted messages.\n\t */\n\tabstract encryptBatched(\n\t\tid: Uint8Array,\n\t\tmsg_and_infos: { msg: Uint8Array; info: Uint8Array }[],\n\t): IBEEncryptionsType;\n}\n\n/**\n * Identity-based encryption based on the Boneh-Franklin IBE scheme.\n * This object represents a set of key servers that can be used to encrypt messages for a given identity.\n */\nexport class BonehFranklinBLS12381Services extends IBEServers {\n\treadonly public_keys: G2Element[];\n\n\tconstructor(services: KeyServer[]) {\n\t\tsuper(services.map((service) => service.objectId));\n\t\tthis.public_keys = services.map((service) => G2Element.fromBytes(service.pk));\n\t}\n\n\tencryptBatched(\n\t\tid: Uint8Array,\n\t\tmsg_and_infos: { msg: Uint8Array; info: Uint8Array }[],\n\t): IBEEncryptionsType {\n\t\tif (this.public_keys.length === 0 || this.public_keys.length !== msg_and_infos.length) {\n\t\t\tthrow new Error('Invalid input');\n\t\t}\n\t\tconst [nonce, keys] = encapBatched(this.public_keys, id);\n\t\tconst encrypted_msgs = msg_and_infos.map((msg_and_info, i) =>\n\t\t\txor(msg_and_info.msg, kdf(keys[i], msg_and_info.info)),\n\t\t);\n\n\t\treturn {\n\t\t\tBonehFranklinBLS12381: {\n\t\t\t\tencapsulation: nonce.toBytes(),\n\t\t\t\tshares: encrypted_msgs,\n\t\t\t},\n\t\t\t$kind: 'BonehFranklinBLS12381',\n\t\t};\n\t}\n\n\t/**\n\t * Returns true if the user secret key is valid for the given public key and id.\n\t * @param user_secret_key - The user secret key.\n\t * @param id - The identity.\n\t * @param public_key - The public key.\n\t * @returns True if the user secret key is valid for the given public key and id.\n\t */\n\tstatic verifyUserSecretKey(\n\t\tuser_secret_key: G1Element,\n\t\tid: Uint8Array,\n\t\tpublic_key: G2Element,\n\t): boolean {\n\t\tconst lhs = user_secret_key.pairing(G2Element.generator()).toBytes();\n\t\tconst rhs = G1Element.hashToCurve(id).pairing(public_key).toBytes();\n\t\treturn lhs.length === rhs.length && lhs.every((value, index) => value === rhs[index]);\n\t}\n\n\t/**\n\t * Identity-based decryption.\n\t *\n\t * @param nonce The encryption nonce.\n\t * @param sk The user secret key.\n\t * @param ciphertext The encrypted message.\n\t * @param info An info parameter also included in the KDF.\n\t * @returns The decrypted message.\n\t */\n\tstatic decrypt(\n\t\tnonce: G2Element,\n\t\tsk: G1Element,\n\t\tciphertext: Uint8Array,\n\t\tinfo: Uint8Array,\n\t): Uint8Array {\n\t\treturn xor(ciphertext, kdf(decap(nonce, sk), info));\n\t}\n}\n\n/**\n * Batched identity-based key-encapsulation mechanism: encapsulate multiple keys for given identity using different key servers.\n *\n * @param public_keys Public keys for a set of key servers.\n * @param id The identity used to encapsulate the keys.\n * @returns A common nonce of the keys and a list of keys, 32 bytes each.\n */\nfunction encapBatched(public_keys: G2Element[], id: Uint8Array): [G2Element, GTElement[]] {\n\tif (public_keys.length === 0) {\n\t\tthrow new Error('Invalid input');\n\t}\n\tconst r = Scalar.random();\n\tconst nonce = G2Element.generator().multiply(r);\n\tconst gid = G1Element.hashToCurve(id).multiply(r);\n\treturn [nonce, public_keys.map((public_key) => gid.pairing(public_key))];\n}\n\n/**\n * Decapsulate a key using a user secret key and the nonce.\n *\n * @param usk The user secret key.\n * @param nonce The nonce.\n * @returns The encapsulated key.\n */\nfunction decap(nonce: G2Element, usk: G1Element): GTElement {\n\treturn usk.pairing(nonce);\n}\n"],
-  "mappings": "AAIA,SAAS,WAAW,WAAW,cAAc;AAC7C,SAAS,WAAW;AAGpB,SAAS,WAAW;AAKb,MAAM,MAAkB,IAAI,YAAY,EAAE,OAAO,0BAA0B;AAK3E,MAAM,UAAsB,IAAI,YAAY,EAAE,OAAO,8BAA8B;AAKnF,MAAe,WAAW;AAAA,EAGtB,YAAY,YAA0B;AAC/C,SAAK,aAAa;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,eAA6B;AAC5B,WAAO,KAAK;AAAA,EACb;AAAA;AAAA;AAAA;AAAA,EAKA,OAAe;AACd,WAAO,KAAK,WAAW;AAAA,EACxB;AAaD;AAMO,MAAM,sCAAsC,WAAW;AAAA,EAG7D,YAAY,UAAuB;AAClC,UAAM,SAAS,IAAI,CAAC,YAAY,QAAQ,QAAQ,CAAC;AACjD,SAAK,cAAc,SAAS,IAAI,CAAC,YAAY,UAAU,UAAU,QAAQ,EAAE,CAAC;AAAA,EAC7E;AAAA,EAEA,eACC,IACA,eACqB;AACrB,QAAI,KAAK,YAAY,WAAW,KAAK,KAAK,YAAY,WAAW,cAAc,QAAQ;AACtF,YAAM,IAAI,MAAM,eAAe;AAAA,IAChC;AACA,UAAM,CAAC,OAAO,IAAI,IAAI,aAAa,KAAK,aAAa,EAAE;AACvD,UAAM,iBAAiB,cAAc;AAAA,MAAI,CAAC,cAAc,MACvD,IAAI,aAAa,KAAK,IAAI,KAAK,CAAC,GAAG,aAAa,IAAI,CAAC;AAAA,IACtD;AAEA,WAAO;AAAA,MACN,uBAAuB;AAAA,QACtB,eAAe,MAAM,QAAQ;AAAA,QAC7B,QAAQ;AAAA,MACT;AAAA,MACA,OAAO;AAAA,IACR;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAO,oBACN,iBACA,IACA,YACU;AACV,UAAM,MAAM,gBAAgB,QAAQ,UAAU,UAAU,CAAC,EAAE,QAAQ;AACnE,UAAM,MAAM,UAAU,YAAY,EAAE,EAAE,QAAQ,UAAU,EAAE,QAAQ;AAClE,WAAO,IAAI,WAAW,IAAI,UAAU,IAAI,MAAM,CAAC,OAAO,UAAU,UAAU,IAAI,KAAK,CAAC;AAAA,EACrF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,QACN,OACA,IACA,YACA,MACa;AACb,WAAO,IAAI,YAAY,IAAI,MAAM,OAAO,EAAE,GAAG,IAAI,CAAC;AAAA,EACnD;AACD;AASA,SAAS,aAAa,aAA0B,IAA0C;AACzF,MAAI,YAAY,WAAW,GAAG;AAC7B,UAAM,IAAI,MAAM,eAAe;AAAA,EAChC;AACA,QAAM,IAAI,OAAO,OAAO;AACxB,QAAM,QAAQ,UAAU,UAAU,EAAE,SAAS,CAAC;AAC9C,QAAM,MAAM,UAAU,YAAY,EAAE,EAAE,SAAS,CAAC;AAChD,SAAO,CAAC,OAAO,YAAY,IAAI,CAAC,eAAe,IAAI,QAAQ,UAAU,CAAC,CAAC;AACxE;AASA,SAAS,MAAM,OAAkB,KAA2B;AAC3D,SAAO,IAAI,QAAQ,KAAK;AACzB;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex } from '@mysten/bcs';\n\nimport type { IBEEncryptions } from './bcs.js';\nimport type { GTElement } from './bls12381.js';\nimport { G1Element, G2Element, Scalar } from './bls12381.js';\nimport { kdf } from './kdf.js';\nimport type { KeyServer } from './key-server.js';\nimport { xor } from './utils.js';\n\n/**\n * The domain separation tag for the hash-to-group function.\n */\nexport const DST: Uint8Array = new TextEncoder().encode('SUI-SEAL-IBE-BLS12381-00');\n\n/**\n * The domain separation tag for the signing proof of possession.\n */\nexport const DST_POP: Uint8Array = new TextEncoder().encode('SUI-SEAL-IBE-BLS12381-POP-00');\n\n/**\n * The interface for the key servers.\n */\nexport abstract class IBEServers {\n\tobjectIds: string[];\n\n\tconstructor(objectIds: string[]) {\n\t\tthis.objectIds = objectIds;\n\t}\n\n\t/**\n\t * The number of key servers.\n\t */\n\tsize(): number {\n\t\treturn this.objectIds.length;\n\t}\n\n\t/**\n\t * Encrypt a batch of messages for the given identity.\n\t *\n\t * @param id The identity.\n\t * @param msgAndInfos The messages and an additional info parameter which will be included in the KDF.\n\t * @returns The encrypted messages.\n\t */\n\tabstract encryptBatched(\n\t\tid: Uint8Array,\n\t\tmsgAndInfos: { msg: Uint8Array; info: Uint8Array }[],\n\t\trandomnessKey: Uint8Array,\n\t): typeof IBEEncryptions.$inferType;\n}\n\n/**\n * Identity-based encryption based on the Boneh-Franklin IBE scheme.\n * This object represents a set of key servers that can be used to encrypt messages for a given identity.\n */\nexport class BonehFranklinBLS12381Services extends IBEServers {\n\treadonly publicKeys: G2Element[];\n\n\tconstructor(services: KeyServer[]) {\n\t\tsuper(services.map((service) => service.objectId));\n\t\tthis.publicKeys = services.map((service) => G2Element.fromBytes(service.pk));\n\t}\n\n\tencryptBatched(\n\t\tid: Uint8Array,\n\t\tmsgAndInfos: { msg: Uint8Array; info: Uint8Array }[],\n\t\trandomnessKey: Uint8Array,\n\t): typeof IBEEncryptions.$inferType {\n\t\tif (this.publicKeys.length === 0 || this.publicKeys.length !== msgAndInfos.length) {\n\t\t\tthrow new Error('Invalid public keys');\n\t\t}\n\t\tconst [r, nonce, keys] = encapBatched(this.publicKeys, id);\n\t\tconst encryptedShares = msgAndInfos.map((msgAndInfo, i) =>\n\t\t\txor(msgAndInfo.msg, kdf(keys[i], msgAndInfo.info)),\n\t\t);\n\t\tconst encryptedRandomness = xor(randomnessKey, r.toBytes());\n\n\t\treturn {\n\t\t\tBonehFranklinBLS12381: {\n\t\t\t\tnonce: nonce.toBytes(),\n\t\t\t\tencryptedShares,\n\t\t\t\tencryptedRandomness,\n\t\t\t},\n\t\t\t$kind: 'BonehFranklinBLS12381',\n\t\t};\n\t}\n\n\t/**\n\t * Returns true if the user secret key is valid for the given public key and id.\n\t * @param user_secret_key - The user secret key.\n\t * @param id - The identity.\n\t * @param public_key - The public key.\n\t * @returns True if the user secret key is valid for the given public key and id.\n\t */\n\tstatic verifyUserSecretKey(userSecretKey: G1Element, id: string, publicKey: G2Element): boolean {\n\t\tconst lhs = userSecretKey.pairing(G2Element.generator()).toBytes();\n\t\tconst rhs = G1Element.hashToCurve(fromHex(id)).pairing(publicKey).toBytes();\n\t\treturn lhs.length === rhs.length && lhs.every((value, index) => value === rhs[index]);\n\t}\n\n\t/**\n\t * Identity-based decryption.\n\t *\n\t * @param nonce The encryption nonce.\n\t * @param sk The user secret key.\n\t * @param ciphertext The encrypted message.\n\t * @param info An info parameter also included in the KDF.\n\t * @returns The decrypted message.\n\t */\n\tstatic decrypt(\n\t\tnonce: G2Element,\n\t\tsk: G1Element,\n\t\tciphertext: Uint8Array,\n\t\tinfo: Uint8Array,\n\t): Uint8Array {\n\t\treturn xor(ciphertext, kdf(decap(nonce, sk), info));\n\t}\n}\n\n/**\n * Batched identity-based key-encapsulation mechanism: encapsulate multiple keys for given identity using different key servers.\n *\n * @param publicKeys Public keys for a set of key servers.\n * @param id The identity used to encapsulate the keys.\n * @returns A common nonce of the keys and a list of keys, 32 bytes each.\n */\nfunction encapBatched(publicKeys: G2Element[], id: Uint8Array): [Scalar, G2Element, GTElement[]] {\n\tif (publicKeys.length === 0) {\n\t\tthrow new Error('No public keys provided');\n\t}\n\tconst r = Scalar.random();\n\tconst nonce = G2Element.generator().multiply(r);\n\tconst gid = G1Element.hashToCurve(id).multiply(r);\n\treturn [r, nonce, publicKeys.map((public_key) => gid.pairing(public_key))];\n}\n\n/**\n * Decapsulate a key using a user secret key and the nonce.\n *\n * @param usk The user secret key.\n * @param nonce The nonce.\n * @returns The encapsulated key.\n */\nfunction decap(nonce: G2Element, usk: G1Element): GTElement {\n\treturn usk.pairing(nonce);\n}\n"],
+  "mappings": "AAGA,SAAS,eAAe;AAIxB,SAAS,WAAW,WAAW,cAAc;AAC7C,SAAS,WAAW;AAEpB,SAAS,WAAW;AAKb,MAAM,MAAkB,IAAI,YAAY,EAAE,OAAO,0BAA0B;AAK3E,MAAM,UAAsB,IAAI,YAAY,EAAE,OAAO,8BAA8B;AAKnF,MAAe,WAAW;AAAA,EAGhC,YAAY,WAAqB;AAChC,SAAK,YAAY;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,OAAe;AACd,WAAO,KAAK,UAAU;AAAA,EACvB;AAcD;AAMO,MAAM,sCAAsC,WAAW;AAAA,EAG7D,YAAY,UAAuB;AAClC,UAAM,SAAS,IAAI,CAAC,YAAY,QAAQ,QAAQ,CAAC;AACjD,SAAK,aAAa,SAAS,IAAI,CAAC,YAAY,UAAU,UAAU,QAAQ,EAAE,CAAC;AAAA,EAC5E;AAAA,EAEA,eACC,IACA,aACA,eACmC;AACnC,QAAI,KAAK,WAAW,WAAW,KAAK,KAAK,WAAW,WAAW,YAAY,QAAQ;AAClF,YAAM,IAAI,MAAM,qBAAqB;AAAA,IACtC;AACA,UAAM,CAAC,GAAG,OAAO,IAAI,IAAI,aAAa,KAAK,YAAY,EAAE;AACzD,UAAM,kBAAkB,YAAY;AAAA,MAAI,CAAC,YAAY,MACpD,IAAI,WAAW,KAAK,IAAI,KAAK,CAAC,GAAG,WAAW,IAAI,CAAC;AAAA,IAClD;AACA,UAAM,sBAAsB,IAAI,eAAe,EAAE,QAAQ,CAAC;AAE1D,WAAO;AAAA,MACN,uBAAuB;AAAA,QACtB,OAAO,MAAM,QAAQ;AAAA,QACrB;AAAA,QACA;AAAA,MACD;AAAA,MACA,OAAO;AAAA,IACR;AAAA,EACD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,OAAO,oBAAoB,eAA0B,IAAY,WAA+B;AAC/F,UAAM,MAAM,cAAc,QAAQ,UAAU,UAAU,CAAC,EAAE,QAAQ;AACjE,UAAM,MAAM,UAAU,YAAY,QAAQ,EAAE,CAAC,EAAE,QAAQ,SAAS,EAAE,QAAQ;AAC1E,WAAO,IAAI,WAAW,IAAI,UAAU,IAAI,MAAM,CAAC,OAAO,UAAU,UAAU,IAAI,KAAK,CAAC;AAAA,EACrF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,OAAO,QACN,OACA,IACA,YACA,MACa;AACb,WAAO,IAAI,YAAY,IAAI,MAAM,OAAO,EAAE,GAAG,IAAI,CAAC;AAAA,EACnD;AACD;AASA,SAAS,aAAa,YAAyB,IAAkD;AAChG,MAAI,WAAW,WAAW,GAAG;AAC5B,UAAM,IAAI,MAAM,yBAAyB;AAAA,EAC1C;AACA,QAAM,IAAI,OAAO,OAAO;AACxB,QAAM,QAAQ,UAAU,UAAU,EAAE,SAAS,CAAC;AAC9C,QAAM,MAAM,UAAU,YAAY,EAAE,EAAE,SAAS,CAAC;AAChD,SAAO,CAAC,GAAG,OAAO,WAAW,IAAI,CAAC,eAAe,IAAI,QAAQ,UAAU,CAAC,CAAC;AAC1E;AASA,SAAS,MAAM,OAAkB,KAA2B;AAC3D,SAAO,IAAI,QAAQ,KAAK;AACzB;",
   "names": []
 }

package/dist/esm/index.d.ts

@@ -1,6 +1,3 @@
-export { AesGcm256 } from './aes.js';
-export { encrypt } from './encrypt.js';
-export { getAllowlistedKeyServers, retrieveKeyServers, verifyKeyServer, type KeyServer, } from './key-server.js';
-export { KeyStore } from './key-store.js';
+export { getAllowlistedKeyServers } from './key-server.js';
+export { SealClient, type SealClientOptions } from './client.js';
 export { SessionKey } from './session-key.js';
-export { EncryptedObject } from './types.js';

package/dist/esm/index.js

@@ -1,21 +1,9 @@
-import { AesGcm256 } from "./aes.js";
-import { encrypt } from "./encrypt.js";
-import {
-  getAllowlistedKeyServers,
-  retrieveKeyServers,
-  verifyKeyServer
-} from "./key-server.js";
-import { KeyStore } from "./key-store.js";
+import { getAllowlistedKeyServers } from "./key-server.js";
+import { SealClient } from "./client.js";
 import { SessionKey } from "./session-key.js";
-import { EncryptedObject } from "./types.js";
 export {
-  AesGcm256,
-  EncryptedObject,
-  KeyStore,
+  SealClient,
   SessionKey,
-  encrypt,
-  getAllowlistedKeyServers,
-  retrieveKeyServers,
-  verifyKeyServer
+  getAllowlistedKeyServers
 };
 //# sourceMappingURL=index.js.map

package/dist/esm/index.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/index.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport { AesGcm256 } from './aes.js';\nexport { encrypt } from './encrypt.js';\nexport {\n\tgetAllowlistedKeyServers,\n\tretrieveKeyServers,\n\tverifyKeyServer,\n\ttype KeyServer,\n} from './key-server.js';\nexport { KeyStore } from './key-store.js';\nexport { SessionKey } from './session-key.js';\nexport { EncryptedObject } from './types.js';\n"],
-  "mappings": "AAGA,SAAS,iBAAiB;AAC1B,SAAS,eAAe;AACxB;AAAA,EACC;AAAA,EACA;AAAA,EACA;AAAA,OAEM;AACP,SAAS,gBAAgB;AACzB,SAAS,kBAAkB;AAC3B,SAAS,uBAAuB;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport { getAllowlistedKeyServers } from './key-server.js';\nexport { SealClient, type SealClientOptions } from './client.js';\nexport { SessionKey } from './session-key.js';\n"],
+  "mappings": "AAGA,SAAS,gCAAgC;AACzC,SAAS,kBAA0C;AACnD,SAAS,kBAAkB;",
   "names": []
 }

package/dist/esm/kdf.d.ts

@@ -7,3 +7,8 @@ import type { GTElement } from './bls12381.js';
  * @returns The derived key.
  */
 export declare function kdf(element: GTElement, info: Uint8Array): Uint8Array;
+export declare enum KeyPurpose {
+    EncryptedRandomness = 0,
+    DEM = 1
+}
+export declare function deriveKey(purpose: KeyPurpose, baseKey: Uint8Array): Uint8Array;

package/dist/esm/kdf.js

@@ -1,9 +1,36 @@
 import { hkdf } from "@noble/hashes/hkdf";
+import { hmac } from "@noble/hashes/hmac";
 import { sha3_256 } from "@noble/hashes/sha3";
 function kdf(element, info) {
-  return hkdf(sha3_256, element.toBytes(), "", info, 32);
+  const GT_ELEMENT_BYTE_LENGTH = 576;
+  const PERMUTATION = [0, 2, 4, 1, 3, 5];
+  const COEFFICIENT_SIZE = GT_ELEMENT_BYTE_LENGTH / PERMUTATION.length;
+  const bytes = element.toBytes();
+  let permutedBytes = new Uint8Array(GT_ELEMENT_BYTE_LENGTH);
+  PERMUTATION.forEach((pi, i) => {
+    permutedBytes.set(
+      bytes.slice(i * COEFFICIENT_SIZE, (i + 1) * COEFFICIENT_SIZE),
+      pi * COEFFICIENT_SIZE
+    );
+  });
+  return hkdf(sha3_256, permutedBytes, "", info, 32);
+}
+var KeyPurpose = /* @__PURE__ */ ((KeyPurpose2) => {
+  KeyPurpose2[KeyPurpose2["EncryptedRandomness"] = 0] = "EncryptedRandomness";
+  KeyPurpose2[KeyPurpose2["DEM"] = 1] = "DEM";
+  return KeyPurpose2;
+})(KeyPurpose || {});
+function deriveKey(purpose, baseKey) {
+  switch (purpose) {
+    case 0 /* EncryptedRandomness */:
+      return hmac(sha3_256, baseKey, new Uint8Array([0]));
+    case 1 /* DEM */:
+      return hmac(sha3_256, baseKey, new Uint8Array([1]));
+  }
 }
 export {
+  KeyPurpose,
+  deriveKey,
   kdf
 };
 //# sourceMappingURL=kdf.js.map

package/dist/esm/kdf.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/kdf.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { hkdf } from '@noble/hashes/hkdf';\nimport { sha3_256 } from '@noble/hashes/sha3';\n\nimport type { GTElement } from './bls12381.js';\n\n/**\n * The default key derivation function.\n *\n * @param element The GTElement to derive the key from.\n * @param info Optional context and application specific information.\n * @returns The derived key.\n */\nexport function kdf(element: GTElement, info: Uint8Array): Uint8Array {\n\treturn hkdf(sha3_256, element.toBytes(), '', info, 32);\n}\n"],
-  "mappings": "AAGA,SAAS,YAAY;AACrB,SAAS,gBAAgB;AAWlB,SAAS,IAAI,SAAoB,MAA8B;AACrE,SAAO,KAAK,UAAU,QAAQ,QAAQ,GAAG,IAAI,MAAM,EAAE;AACtD;",
-  "names": []
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { hkdf } from '@noble/hashes/hkdf';\nimport { hmac } from '@noble/hashes/hmac';\nimport { sha3_256 } from '@noble/hashes/sha3';\n\nimport type { GTElement } from './bls12381.js';\n\n/**\n * The default key derivation function.\n *\n * @param element The GTElement to derive the key from.\n * @param info Optional context and application specific information.\n * @returns The derived key.\n */\nexport function kdf(element: GTElement, info: Uint8Array): Uint8Array {\n\t// This permutation flips the order of 6 pairs of coefficients of the GT element.\n\t// The permutation may be computed as:\n\t// for i in 0..3 {\n\t//   for j in 0..2 {\n\t//     PERMUTATION[i + j * 3] = i * 2 + j;\n\t//   }\n\t// }\n\tconst GT_ELEMENT_BYTE_LENGTH = 576;\n\tconst PERMUTATION = [0, 2, 4, 1, 3, 5];\n\tconst COEFFICIENT_SIZE = GT_ELEMENT_BYTE_LENGTH / PERMUTATION.length;\n\n\tconst bytes = element.toBytes();\n\tlet permutedBytes = new Uint8Array(GT_ELEMENT_BYTE_LENGTH);\n\tPERMUTATION.forEach((pi, i) => {\n\t\tpermutedBytes.set(\n\t\t\tbytes.slice(i * COEFFICIENT_SIZE, (i + 1) * COEFFICIENT_SIZE),\n\t\t\tpi * COEFFICIENT_SIZE,\n\t\t);\n\t});\n\treturn hkdf(sha3_256, permutedBytes, '', info, 32);\n}\n\nexport enum KeyPurpose {\n\tEncryptedRandomness,\n\tDEM,\n}\n\nexport function deriveKey(purpose: KeyPurpose, baseKey: Uint8Array): Uint8Array {\n\tswitch (purpose) {\n\t\tcase KeyPurpose.EncryptedRandomness:\n\t\t\treturn hmac(sha3_256, baseKey, new Uint8Array([0]));\n\t\tcase KeyPurpose.DEM:\n\t\t\treturn hmac(sha3_256, baseKey, new Uint8Array([1]));\n\t}\n}\n"],
+  "mappings": "AAGA,SAAS,YAAY;AACrB,SAAS,YAAY;AACrB,SAAS,gBAAgB;AAWlB,SAAS,IAAI,SAAoB,MAA8B;AAQrE,QAAM,yBAAyB;AAC/B,QAAM,cAAc,CAAC,GAAG,GAAG,GAAG,GAAG,GAAG,CAAC;AACrC,QAAM,mBAAmB,yBAAyB,YAAY;AAE9D,QAAM,QAAQ,QAAQ,QAAQ;AAC9B,MAAI,gBAAgB,IAAI,WAAW,sBAAsB;AACzD,cAAY,QAAQ,CAAC,IAAI,MAAM;AAC9B,kBAAc;AAAA,MACb,MAAM,MAAM,IAAI,mBAAmB,IAAI,KAAK,gBAAgB;AAAA,MAC5D,KAAK;AAAA,IACN;AAAA,EACD,CAAC;AACD,SAAO,KAAK,UAAU,eAAe,IAAI,MAAM,EAAE;AAClD;AAEO,IAAK,aAAL,kBAAKA,gBAAL;AACN,EAAAA,wBAAA;AACA,EAAAA,wBAAA;AAFW,SAAAA;AAAA,GAAA;AAKL,SAAS,UAAU,SAAqB,SAAiC;AAC/E,UAAQ,SAAS;AAAA,IAChB,KAAK;AACJ,aAAO,KAAK,UAAU,SAAS,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC;AAAA,IACnD,KAAK;AACJ,aAAO,KAAK,UAAU,SAAS,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC;AAAA,EACpD;AACD;",
+  "names": ["KeyPurpose"]
 }

package/dist/esm/key-server.d.ts

@@ -1,6 +1,6 @@
 import type { SuiClient } from '@mysten/sui/client';
 export type KeyServer = {
-    objectId: Uint8Array;
+    objectId: string;
     name: string;
     url: string;
     keyType: KeyServerType;
@@ -14,7 +14,7 @@ export declare enum KeyServerType {
  * @param network - The network to use.
  * @returns The object id's of the key servers.
  */
-export declare function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): Uint8Array[];
+export declare function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): string[];
 /**
  * Given a list of key server object IDs, returns a list of SealKeyServer
  * from onchain state containing name, objectId, URL and pk.
@@ -24,15 +24,15 @@ export declare function getAllowlistedKeyServers(network: 'testnet' | 'mainnet')
  * @returns - An array of SealKeyServer.
  */
 export declare function retrieveKeyServers({ objectIds, client, }: {
-    objectIds: Uint8Array[];
+    objectIds: string[];
     client: SuiClient;
 }): Promise<KeyServer[]>;
 /**
- * Given a KeyServer, fetch the proof of possesion (PoP) from the URL and verify it
+ * Given a KeyServer, fetch the proof of possession (PoP) from the URL and verify it
  * against the pubkey. This should be used only rarely when the dapp uses a dynamic
  * set of key servers.
  *
  * @param server - The KeyServer to verify.
  * @returns - True if the key server is valid, false otherwise.
  */
-export declare function verifyKeyServer(server: KeyServer): Promise<boolean>;
+export declare function verifyKeyServer(server: KeyServer, timeout: number): Promise<boolean>;

package/dist/esm/key-server.js

@@ -1,26 +1,26 @@
-import { fromBase64, fromHex, toHex } from "@mysten/bcs";
-import { bcs } from "@mysten/sui/bcs";
+import { fromBase64, fromHex } from "@mysten/bcs";
 import { bls12_381 } from "@noble/curves/bls12-381";
+import { KeyServerMove } from "./bcs.js";
+import {
+  InvalidGetObjectError,
+  SealAPIError,
+  UnsupportedFeatureError,
+  UnsupportedNetworkError
+} from "./error.js";
 import { DST_POP } from "./ibe.js";
+import { PACKAGE_VERSION } from "./version.js";
 var KeyServerType = /* @__PURE__ */ ((KeyServerType2) => {
   KeyServerType2[KeyServerType2["BonehFranklinBLS12381"] = 0] = "BonehFranklinBLS12381";
   return KeyServerType2;
 })(KeyServerType || {});
-const KeyServerMove = bcs.struct("KeyServer", {
-  id: bcs.Address,
-  name: bcs.string(),
-  url: bcs.string(),
-  key_type: bcs.u8(),
-  pk: bcs.vector(bcs.u8())
-});
 function getAllowlistedKeyServers(network) {
   if (network === "testnet") {
     return [
-      fromHex("0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8"),
-      fromHex("0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06")
+      "0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8",
+      "0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06"
     ];
   } else {
-    throw new Error("Network not supported");
+    throw new UnsupportedNetworkError(`Unsupported network ${network}`);
   }
 }
 async function retrieveKeyServers({
@@ -30,20 +30,22 @@ async function retrieveKeyServers({
   return await Promise.all(
     objectIds.map(async (objectId) => {
       const res = await client.getObject({
-        id: toHex(objectId),
+        id: objectId,
         options: {
           showBcs: true
         }
       });
       if (!res || res.error || !res.data) {
-        throw new Error(`KeyServer ${objectId} not found; ${res.error}`);
+        throw new InvalidGetObjectError(`KeyServer ${objectId} not found; ${res.error}`);
       }
       if (!res.data.bcs || !("bcsBytes" in res.data.bcs)) {
-        throw new Error(`Invalid KeyServer query: ${objectId}, expected object, got package`);
+        throw new InvalidGetObjectError(
+          `Invalid KeyServer query: ${objectId}, expected object, got package`
+        );
       }
       let ks = KeyServerMove.parse(fromBase64(res.data.bcs.bcsBytes));
-      if (ks.key_type !== 0) {
-        throw new Error("Unsupported key type");
+      if (ks.keyType !== 0) {
+        throw new UnsupportedFeatureError(`Unsupported key type ${ks.keyType}`);
       }
       return {
         objectId,
@@ -55,18 +57,24 @@ async function retrieveKeyServers({
     })
   );
 }
-async function verifyKeyServer(server) {
+async function verifyKeyServer(server, timeout) {
+  const requestId = crypto.randomUUID();
   const response = await fetch(server.url + "/v1/service", {
     method: "GET",
     headers: {
-      "Content-Type": "application/json"
-    }
+      "Content-Type": "application/json",
+      "Request-Id": requestId,
+      "Client-Sdk-Type": "typescript",
+      "Client-Sdk-Version": PACKAGE_VERSION
+    },
+    signal: AbortSignal.timeout(timeout)
   });
+  await SealAPIError.assertResponse(response, requestId);
   const serviceResponse = await response.json();
   if (serviceResponse.service_id !== server.objectId) {
     return false;
   }
-  const fullMsg = new Uint8Array([...DST_POP, ...server.pk, ...server.objectId]);
+  const fullMsg = new Uint8Array([...DST_POP, ...server.pk, ...fromHex(server.objectId)]);
   return bls12_381.verifyShortSignature(fromBase64(serviceResponse.pop), fullMsg, server.pk);
 }
 export {

package/dist/esm/key-server.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/key-server.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport { fromBase64, fromHex, toHex } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\nimport type { SuiClient } from '@mysten/sui/client';\nimport { bls12_381 } from '@noble/curves/bls12-381';\n\nimport { DST_POP } from './ibe.js';\n\nexport type KeyServer = {\n\tobjectId: Uint8Array;\n\tname: string;\n\turl: string;\n\tkeyType: KeyServerType;\n\tpk: Uint8Array;\n};\n\nexport enum KeyServerType {\n\tBonehFranklinBLS12381 = 0,\n}\n\n// The Move struct for the KeyServer object.\nconst KeyServerMove = bcs.struct('KeyServer', {\n\tid: bcs.Address,\n\tname: bcs.string(),\n\turl: bcs.string(),\n\tkey_type: bcs.u8(),\n\tpk: bcs.vector(bcs.u8()),\n});\n\n/**\n * Returns a static list of Seal key server object ids that the dapp can choose to use.\n * @param network - The network to use.\n * @returns The object id's of the key servers.\n */\nexport function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): Uint8Array[] {\n\tif (network === 'testnet') {\n\t\treturn [\n\t\t\tfromHex('0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8'),\n\t\t\tfromHex('0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06'),\n\t\t];\n\t} else {\n\t\tthrow new Error('Network not supported');\n\t}\n}\n\n/**\n * Given a list of key server object IDs, returns a list of SealKeyServer\n * from onchain state containing name, objectId, URL and pk.\n *\n * @param objectIds - The key server object IDs.\n * @param client - The SuiClient to use.\n * @returns - An array of SealKeyServer.\n */\nexport async function retrieveKeyServers({\n\tobjectIds,\n\tclient,\n}: {\n\tobjectIds: Uint8Array[];\n\tclient: SuiClient;\n}): Promise<KeyServer[]> {\n\treturn await Promise.all(\n\t\tobjectIds.map(async (objectId) => {\n\t\t\tconst res = await client.getObject({\n\t\t\t\tid: toHex(objectId),\n\t\t\t\toptions: {\n\t\t\t\t\tshowBcs: true,\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!res || res.error || !res.data) {\n\t\t\t\tthrow new Error(`KeyServer ${objectId} not found; ${res.error}`);\n\t\t\t}\n\n\t\t\tif (!res.data.bcs || !('bcsBytes' in res.data.bcs)) {\n\t\t\t\tthrow new Error(`Invalid KeyServer query: ${objectId}, expected object, got package`);\n\t\t\t}\n\n\t\t\tlet ks = KeyServerMove.parse(fromBase64(res.data.bcs!.bcsBytes));\n\t\t\tif (ks.key_type !== 0) {\n\t\t\t\tthrow new Error('Unsupported key type');\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tobjectId,\n\t\t\t\tname: ks.name,\n\t\t\t\turl: ks.url,\n\t\t\t\tkeyType: KeyServerType.BonehFranklinBLS12381,\n\t\t\t\tpk: new Uint8Array(ks.pk),\n\t\t\t};\n\t\t}),\n\t);\n}\n\n/**\n * Given a KeyServer, fetch the proof of possesion (PoP) from the URL and verify it\n * against the pubkey. This should be used only rarely when the dapp uses a dynamic\n * set of key servers.\n *\n * @param server - The KeyServer to verify.\n * @returns - True if the key server is valid, false otherwise.\n */\nexport async function verifyKeyServer(server: KeyServer): Promise<boolean> {\n\tconst response = await fetch(server.url! + '/v1/service', {\n\t\tmethod: 'GET',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t},\n\t});\n\tconst serviceResponse = await response.json();\n\n\tif (serviceResponse.service_id !== server.objectId) {\n\t\treturn false;\n\t}\n\tconst fullMsg = new Uint8Array([...DST_POP, ...server.pk, ...server.objectId]);\n\treturn bls12_381.verifyShortSignature(fromBase64(serviceResponse.pop), fullMsg, server.pk);\n}\n"],
-  "mappings": "AAEA,SAAS,YAAY,SAAS,aAAa;AAC3C,SAAS,WAAW;AAEpB,SAAS,iBAAiB;AAE1B,SAAS,eAAe;AAUjB,IAAK,gBAAL,kBAAKA,mBAAL;AACN,EAAAA,8BAAA,2BAAwB,KAAxB;AADW,SAAAA;AAAA,GAAA;AAKZ,MAAM,gBAAgB,IAAI,OAAO,aAAa;AAAA,EAC7C,IAAI,IAAI;AAAA,EACR,MAAM,IAAI,OAAO;AAAA,EACjB,KAAK,IAAI,OAAO;AAAA,EAChB,UAAU,IAAI,GAAG;AAAA,EACjB,IAAI,IAAI,OAAO,IAAI,GAAG,CAAC;AACxB,CAAC;AAOM,SAAS,yBAAyB,SAA8C;AACtF,MAAI,YAAY,WAAW;AAC1B,WAAO;AAAA,MACN,QAAQ,oEAAoE;AAAA,MAC5E,QAAQ,oEAAoE;AAAA,IAC7E;AAAA,EACD,OAAO;AACN,UAAM,IAAI,MAAM,uBAAuB;AAAA,EACxC;AACD;AAUA,eAAsB,mBAAmB;AAAA,EACxC;AAAA,EACA;AACD,GAGyB;AACxB,SAAO,MAAM,QAAQ;AAAA,IACpB,UAAU,IAAI,OAAO,aAAa;AACjC,YAAM,MAAM,MAAM,OAAO,UAAU;AAAA,QAClC,IAAI,MAAM,QAAQ;AAAA,QAClB,SAAS;AAAA,UACR,SAAS;AAAA,QACV;AAAA,MACD,CAAC;AACD,UAAI,CAAC,OAAO,IAAI,SAAS,CAAC,IAAI,MAAM;AACnC,cAAM,IAAI,MAAM,aAAa,QAAQ,eAAe,IAAI,KAAK,EAAE;AAAA,MAChE;AAEA,UAAI,CAAC,IAAI,KAAK,OAAO,EAAE,cAAc,IAAI,KAAK,MAAM;AACnD,cAAM,IAAI,MAAM,4BAA4B,QAAQ,gCAAgC;AAAA,MACrF;AAEA,UAAI,KAAK,cAAc,MAAM,WAAW,IAAI,KAAK,IAAK,QAAQ,CAAC;AAC/D,UAAI,GAAG,aAAa,GAAG;AACtB,cAAM,IAAI,MAAM,sBAAsB;AAAA,MACvC;AAEA,aAAO;AAAA,QACN;AAAA,QACA,MAAM,GAAG;AAAA,QACT,KAAK,GAAG;AAAA,QACR,SAAS;AAAA,QACT,IAAI,IAAI,WAAW,GAAG,EAAE;AAAA,MACzB;AAAA,IACD,CAAC;AAAA,EACF;AACD;AAUA,eAAsB,gBAAgB,QAAqC;AAC1E,QAAM,WAAW,MAAM,MAAM,OAAO,MAAO,eAAe;AAAA,IACzD,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,IACjB;AAAA,EACD,CAAC;AACD,QAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,MAAI,gBAAgB,eAAe,OAAO,UAAU;AACnD,WAAO;AAAA,EACR;AACA,QAAM,UAAU,IAAI,WAAW,CAAC,GAAG,SAAS,GAAG,OAAO,IAAI,GAAG,OAAO,QAAQ,CAAC;AAC7E,SAAO,UAAU,qBAAqB,WAAW,gBAAgB,GAAG,GAAG,SAAS,OAAO,EAAE;AAC1F;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport { fromBase64, fromHex } from '@mysten/bcs';\nimport type { SuiClient } from '@mysten/sui/client';\nimport { bls12_381 } from '@noble/curves/bls12-381';\n\nimport { KeyServerMove } from './bcs.js';\nimport {\n\tInvalidGetObjectError,\n\tSealAPIError,\n\tUnsupportedFeatureError,\n\tUnsupportedNetworkError,\n} from './error.js';\nimport { DST_POP } from './ibe.js';\nimport { PACKAGE_VERSION } from './version.js';\n\nexport type KeyServer = {\n\tobjectId: string;\n\tname: string;\n\turl: string;\n\tkeyType: KeyServerType;\n\tpk: Uint8Array;\n};\n\nexport enum KeyServerType {\n\tBonehFranklinBLS12381 = 0,\n}\n\n/**\n * Returns a static list of Seal key server object ids that the dapp can choose to use.\n * @param network - The network to use.\n * @returns The object id's of the key servers.\n */\nexport function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): string[] {\n\tif (network === 'testnet') {\n\t\treturn [\n\t\t\t'0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8',\n\t\t\t'0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06',\n\t\t];\n\t} else {\n\t\tthrow new UnsupportedNetworkError(`Unsupported network ${network}`);\n\t}\n}\n\n/**\n * Given a list of key server object IDs, returns a list of SealKeyServer\n * from onchain state containing name, objectId, URL and pk.\n *\n * @param objectIds - The key server object IDs.\n * @param client - The SuiClient to use.\n * @returns - An array of SealKeyServer.\n */\nexport async function retrieveKeyServers({\n\tobjectIds,\n\tclient,\n}: {\n\tobjectIds: string[];\n\tclient: SuiClient;\n}): Promise<KeyServer[]> {\n\t// todo: do not fetch the same object ID if this is fetched before.\n\treturn await Promise.all(\n\t\tobjectIds.map(async (objectId) => {\n\t\t\tconst res = await client.getObject({\n\t\t\t\tid: objectId,\n\t\t\t\toptions: {\n\t\t\t\t\tshowBcs: true,\n\t\t\t\t},\n\t\t\t});\n\t\t\tif (!res || res.error || !res.data) {\n\t\t\t\tthrow new InvalidGetObjectError(`KeyServer ${objectId} not found; ${res.error}`);\n\t\t\t}\n\n\t\t\tif (!res.data.bcs || !('bcsBytes' in res.data.bcs)) {\n\t\t\t\tthrow new InvalidGetObjectError(\n\t\t\t\t\t`Invalid KeyServer query: ${objectId}, expected object, got package`,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tlet ks = KeyServerMove.parse(fromBase64(res.data.bcs!.bcsBytes));\n\t\t\tif (ks.keyType !== 0) {\n\t\t\t\tthrow new UnsupportedFeatureError(`Unsupported key type ${ks.keyType}`);\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tobjectId,\n\t\t\t\tname: ks.name,\n\t\t\t\turl: ks.url,\n\t\t\t\tkeyType: KeyServerType.BonehFranklinBLS12381,\n\t\t\t\tpk: new Uint8Array(ks.pk),\n\t\t\t};\n\t\t}),\n\t);\n}\n\n/**\n * Given a KeyServer, fetch the proof of possession (PoP) from the URL and verify it\n * against the pubkey. This should be used only rarely when the dapp uses a dynamic\n * set of key servers.\n *\n * @param server - The KeyServer to verify.\n * @returns - True if the key server is valid, false otherwise.\n */\nexport async function verifyKeyServer(server: KeyServer, timeout: number): Promise<boolean> {\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(server.url! + '/v1/service', {\n\t\tmethod: 'GET',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t},\n\t\tsignal: AbortSignal.timeout(timeout),\n\t});\n\n\tawait SealAPIError.assertResponse(response, requestId);\n\tconst serviceResponse = await response.json();\n\n\tif (serviceResponse.service_id !== server.objectId) {\n\t\treturn false;\n\t}\n\tconst fullMsg = new Uint8Array([...DST_POP, ...server.pk, ...fromHex(server.objectId)]);\n\treturn bls12_381.verifyShortSignature(fromBase64(serviceResponse.pop), fullMsg, server.pk);\n}\n"],
+  "mappings": "AAEA,SAAS,YAAY,eAAe;AAEpC,SAAS,iBAAiB;AAE1B,SAAS,qBAAqB;AAC9B;AAAA,EACC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACM;AACP,SAAS,eAAe;AACxB,SAAS,uBAAuB;AAUzB,IAAK,gBAAL,kBAAKA,mBAAL;AACN,EAAAA,8BAAA,2BAAwB,KAAxB;AADW,SAAAA;AAAA,GAAA;AASL,SAAS,yBAAyB,SAA0C;AAClF,MAAI,YAAY,WAAW;AAC1B,WAAO;AAAA,MACN;AAAA,MACA;AAAA,IACD;AAAA,EACD,OAAO;AACN,UAAM,IAAI,wBAAwB,uBAAuB,OAAO,EAAE;AAAA,EACnE;AACD;AAUA,eAAsB,mBAAmB;AAAA,EACxC;AAAA,EACA;AACD,GAGyB;AAExB,SAAO,MAAM,QAAQ;AAAA,IACpB,UAAU,IAAI,OAAO,aAAa;AACjC,YAAM,MAAM,MAAM,OAAO,UAAU;AAAA,QAClC,IAAI;AAAA,QACJ,SAAS;AAAA,UACR,SAAS;AAAA,QACV;AAAA,MACD,CAAC;AACD,UAAI,CAAC,OAAO,IAAI,SAAS,CAAC,IAAI,MAAM;AACnC,cAAM,IAAI,sBAAsB,aAAa,QAAQ,eAAe,IAAI,KAAK,EAAE;AAAA,MAChF;AAEA,UAAI,CAAC,IAAI,KAAK,OAAO,EAAE,cAAc,IAAI,KAAK,MAAM;AACnD,cAAM,IAAI;AAAA,UACT,4BAA4B,QAAQ;AAAA,QACrC;AAAA,MACD;AAEA,UAAI,KAAK,cAAc,MAAM,WAAW,IAAI,KAAK,IAAK,QAAQ,CAAC;AAC/D,UAAI,GAAG,YAAY,GAAG;AACrB,cAAM,IAAI,wBAAwB,wBAAwB,GAAG,OAAO,EAAE;AAAA,MACvE;AAEA,aAAO;AAAA,QACN;AAAA,QACA,MAAM,GAAG;AAAA,QACT,KAAK,GAAG;AAAA,QACR,SAAS;AAAA,QACT,IAAI,IAAI,WAAW,GAAG,EAAE;AAAA,MACzB;AAAA,IACD,CAAC;AAAA,EACF;AACD;AAUA,eAAsB,gBAAgB,QAAmB,SAAmC;AAC3F,QAAM,YAAY,OAAO,WAAW;AACpC,QAAM,WAAW,MAAM,MAAM,OAAO,MAAO,eAAe;AAAA,IACzD,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,MAChB,cAAc;AAAA,MACd,mBAAmB;AAAA,MACnB,sBAAsB;AAAA,IACvB;AAAA,IACA,QAAQ,YAAY,QAAQ,OAAO;AAAA,EACpC,CAAC;AAED,QAAM,aAAa,eAAe,UAAU,SAAS;AACrD,QAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,MAAI,gBAAgB,eAAe,OAAO,UAAU;AACnD,WAAO;AAAA,EACR;AACA,QAAM,UAAU,IAAI,WAAW,CAAC,GAAG,SAAS,GAAG,OAAO,IAAI,GAAG,QAAQ,OAAO,QAAQ,CAAC,CAAC;AACtF,SAAO,UAAU,qBAAqB,WAAW,gBAAgB,GAAG,GAAG,SAAS,OAAO,EAAE;AAC1F;",
   "names": ["KeyServerType"]
 }

package/dist/esm/keys.d.ts

@@ -0,0 +1,17 @@
+import type { Certificate } from './session-key.js';
+/**
+ * Helper function to request all keys from URL with requestSig, txBytes, ephemeral pubkey.
+ * Then decrypt the Seal key with ephemeral secret key. Returns a list decryption keys with
+ * their full IDs.
+ *
+ * @param url - The URL of the key server.
+ * @param requestSig - The Base64 string of request signature.
+ * @param txBytes - The transaction bytes.
+ * @param encKey - The ephemeral secret key.
+ * @param certificate - The certificate.
+ * @returns - A list of full ID and the decrypted key.
+ */
+export declare function fetchKeysForAllIds(url: string, requestSig: string, txBytes: Uint8Array, encKey: Uint8Array, certificate: Certificate, timeout: number, signal?: AbortSignal): Promise<{
+    fullId: string;
+    key: Uint8Array;
+}[]>;

package/dist/esm/keys.js

@@ -0,0 +1,41 @@
+import { fromBase64, toBase64, toHex } from "@mysten/bcs";
+import { elgamalDecrypt, toPublicKey, toVerificationKey } from "./elgamal.js";
+import { SealAPIError } from "./error.js";
+import { PACKAGE_VERSION } from "./version.js";
+async function fetchKeysForAllIds(url, requestSig, txBytes, encKey, certificate, timeout, signal) {
+  const encKeyPk = toPublicKey(encKey);
+  const encVerificationKey = toVerificationKey(encKey);
+  const body = {
+    ptb: toBase64(txBytes.slice(1)),
+    // removes the byte of the transaction type version
+    enc_key: toBase64(encKeyPk),
+    enc_verification_key: toBase64(encVerificationKey),
+    request_signature: requestSig,
+    // already b64
+    certificate
+  };
+  const timeoutSignal = AbortSignal.timeout(timeout);
+  const combinedSignal = signal ? AbortSignal.any([signal, timeoutSignal]) : timeoutSignal;
+  const requestId = crypto.randomUUID();
+  const response = await fetch(url + "/v1/fetch_key", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "Request-Id": requestId,
+      "Client-Sdk-Type": "typescript",
+      "Client-Sdk-Version": PACKAGE_VERSION
+    },
+    body: JSON.stringify(body),
+    signal: combinedSignal
+  });
+  await SealAPIError.assertResponse(response, requestId);
+  const resp = await response.json();
+  return resp.decryption_keys.map((dk) => ({
+    fullId: toHex(new Uint8Array(dk.id)),
+    key: elgamalDecrypt(encKey, dk.encrypted_key.map(fromBase64))
+  }));
+}
+export {
+  fetchKeysForAllIds
+};
+//# sourceMappingURL=keys.js.map

package/dist/esm/keys.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/keys.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromBase64, toBase64, toHex } from '@mysten/bcs';\n\nimport { elgamalDecrypt, toPublicKey, toVerificationKey } from './elgamal.js';\nimport { SealAPIError } from './error.js';\nimport type { Certificate } from './session-key.js';\nimport { PACKAGE_VERSION } from './version.js';\n\n/**\n * Helper function to request all keys from URL with requestSig, txBytes, ephemeral pubkey.\n * Then decrypt the Seal key with ephemeral secret key. Returns a list decryption keys with\n * their full IDs.\n *\n * @param url - The URL of the key server.\n * @param requestSig - The Base64 string of request signature.\n * @param txBytes - The transaction bytes.\n * @param encKey - The ephemeral secret key.\n * @param certificate - The certificate.\n * @returns - A list of full ID and the decrypted key.\n */\nexport async function fetchKeysForAllIds(\n\turl: string,\n\trequestSig: string,\n\ttxBytes: Uint8Array,\n\tencKey: Uint8Array,\n\tcertificate: Certificate,\n\ttimeout: number,\n\tsignal?: AbortSignal,\n): Promise<{ fullId: string; key: Uint8Array }[]> {\n\tconst encKeyPk = toPublicKey(encKey);\n\tconst encVerificationKey = toVerificationKey(encKey);\n\tconst body = {\n\t\tptb: toBase64(txBytes.slice(1)), // removes the byte of the transaction type version\n\t\tenc_key: toBase64(encKeyPk),\n\t\tenc_verification_key: toBase64(encVerificationKey),\n\t\trequest_signature: requestSig, // already b64\n\t\tcertificate,\n\t};\n\n\tconst timeoutSignal = AbortSignal.timeout(timeout);\n\tconst combinedSignal = signal ? AbortSignal.any([signal, timeoutSignal]) : timeoutSignal;\n\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(url + '/v1/fetch_key', {\n\t\tmethod: 'POST',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t},\n\t\tbody: JSON.stringify(body),\n\t\tsignal: combinedSignal,\n\t});\n\tawait SealAPIError.assertResponse(response, requestId);\n\n\tconst resp = await response.json();\n\treturn resp.decryption_keys.map((dk: { id: Uint8Array; encrypted_key: [string, string] }) => ({\n\t\tfullId: toHex(new Uint8Array(dk.id)),\n\t\tkey: elgamalDecrypt(encKey, dk.encrypted_key.map(fromBase64) as [Uint8Array, Uint8Array]),\n\t}));\n}\n"],
+  "mappings": "AAGA,SAAS,YAAY,UAAU,aAAa;AAE5C,SAAS,gBAAgB,aAAa,yBAAyB;AAC/D,SAAS,oBAAoB;AAE7B,SAAS,uBAAuB;AAchC,eAAsB,mBACrB,KACA,YACA,SACA,QACA,aACA,SACA,QACiD;AACjD,QAAM,WAAW,YAAY,MAAM;AACnC,QAAM,qBAAqB,kBAAkB,MAAM;AACnD,QAAM,OAAO;AAAA,IACZ,KAAK,SAAS,QAAQ,MAAM,CAAC,CAAC;AAAA;AAAA,IAC9B,SAAS,SAAS,QAAQ;AAAA,IAC1B,sBAAsB,SAAS,kBAAkB;AAAA,IACjD,mBAAmB;AAAA;AAAA,IACnB;AAAA,EACD;AAEA,QAAM,gBAAgB,YAAY,QAAQ,OAAO;AACjD,QAAM,iBAAiB,SAAS,YAAY,IAAI,CAAC,QAAQ,aAAa,CAAC,IAAI;AAE3E,QAAM,YAAY,OAAO,WAAW;AACpC,QAAM,WAAW,MAAM,MAAM,MAAM,iBAAiB;AAAA,IACnD,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,MAChB,cAAc;AAAA,MACd,mBAAmB;AAAA,MACnB,sBAAsB;AAAA,IACvB;AAAA,IACA,MAAM,KAAK,UAAU,IAAI;AAAA,IACzB,QAAQ;AAAA,EACT,CAAC;AACD,QAAM,aAAa,eAAe,UAAU,SAAS;AAErD,QAAM,OAAO,MAAM,SAAS,KAAK;AACjC,SAAO,KAAK,gBAAgB,IAAI,CAAC,QAA6D;AAAA,IAC7F,QAAQ,MAAM,IAAI,WAAW,GAAG,EAAE,CAAC;AAAA,IACnC,KAAK,eAAe,QAAQ,GAAG,cAAc,IAAI,UAAU,CAA6B;AAAA,EACzF,EAAE;AACH;",
+  "names": []
+}