@mysten/seal 0.2.0 → 0.3.1

package/dist/cjs/utils.js

@@ -19,21 +19,33 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var utils_exports = {};
 __export(utils_exports, {
   createFullId: () => createFullId,
-  xor: () => xor
+  xor: () => xor,
+  xorUnchecked: () => xorUnchecked
 });
 module.exports = __toCommonJS(utils_exports);
+var import_bcs = require("@mysten/bcs");
+var import_utils = require("@mysten/sui/utils");
+var import_error = require("./error.js");
 function xor(a, b) {
   if (a.length !== b.length) {
     throw new Error("Invalid input");
   }
+  return xorUnchecked(a, b);
+}
+function xorUnchecked(a, b) {
   return a.map((ai, i) => ai ^ b[i]);
 }
 function createFullId(dst, packageId, innerId) {
-  const fullId = new Uint8Array(1 + dst.length + packageId.length + innerId.length);
+  if (!(0, import_utils.isValidSuiObjectId)(packageId)) {
+    throw new import_error.UserError(`Invalid package ID ${packageId}`);
+  }
+  const packageIdBytes = (0, import_bcs.fromHex)(packageId);
+  const innerIdBytes = (0, import_bcs.fromHex)(innerId);
+  const fullId = new Uint8Array(1 + dst.length + packageIdBytes.length + innerIdBytes.length);
   fullId.set([dst.length], 0);
   fullId.set(dst, 1);
-  fullId.set(packageId, 1 + dst.length);
-  fullId.set(innerId, 1 + dst.length + packageId.length);
-  return fullId;
+  fullId.set(packageIdBytes, 1 + dst.length);
+  fullId.set(innerIdBytes, 1 + dst.length + packageIdBytes.length);
+  return (0, import_bcs.toHex)(fullId);
 }
 //# sourceMappingURL=utils.js.map

package/dist/cjs/utils.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/utils.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nexport function xor(a: Uint8Array, b: Uint8Array): Uint8Array {\n\tif (a.length !== b.length) {\n\t\tthrow new Error('Invalid input');\n\t}\n\treturn a.map((ai, i) => ai ^ b[i]);\n}\n\n/**\n * Create a full ID concatenating DST || package ID || inner ID.\n * @param dst - The domain separation tag.\n * @param packageId - The package ID.\n * @param innerId - The inner ID.\n * @returns The full ID.\n */\nexport function createFullId(\n\tdst: Uint8Array,\n\tpackageId: Uint8Array,\n\tinnerId: Uint8Array,\n): Uint8Array {\n\tconst fullId = new Uint8Array(1 + dst.length + packageId.length + innerId.length);\n\tfullId.set([dst.length], 0);\n\tfullId.set(dst, 1);\n\tfullId.set(packageId, 1 + dst.length);\n\tfullId.set(innerId, 1 + dst.length + packageId.length);\n\treturn fullId;\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGO,SAAS,IAAI,GAAe,GAA2B;AAC7D,MAAI,EAAE,WAAW,EAAE,QAAQ;AAC1B,UAAM,IAAI,MAAM,eAAe;AAAA,EAChC;AACA,SAAO,EAAE,IAAI,CAAC,IAAI,MAAM,KAAK,EAAE,CAAC,CAAC;AAClC;AASO,SAAS,aACf,KACA,WACA,SACa;AACb,QAAM,SAAS,IAAI,WAAW,IAAI,IAAI,SAAS,UAAU,SAAS,QAAQ,MAAM;AAChF,SAAO,IAAI,CAAC,IAAI,MAAM,GAAG,CAAC;AAC1B,SAAO,IAAI,KAAK,CAAC;AACjB,SAAO,IAAI,WAAW,IAAI,IAAI,MAAM;AACpC,SAAO,IAAI,SAAS,IAAI,IAAI,SAAS,UAAU,MAAM;AACrD,SAAO;AACR;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex, toHex } from '@mysten/bcs';\nimport { isValidSuiObjectId } from '@mysten/sui/utils';\n\nimport { UserError } from './error.js';\n\nexport function xor(a: Uint8Array, b: Uint8Array): Uint8Array {\n\tif (a.length !== b.length) {\n\t\tthrow new Error('Invalid input');\n\t}\n\treturn xorUnchecked(a, b);\n}\n\nexport function xorUnchecked(a: Uint8Array, b: Uint8Array): Uint8Array {\n\treturn a.map((ai, i) => ai ^ b[i]);\n}\n\n/**\n * Create a full ID concatenating DST || package ID || inner ID.\n * @param dst - The domain separation tag.\n * @param packageId - The package ID.\n * @param innerId - The inner ID.\n * @returns The full ID.\n */\nexport function createFullId(dst: Uint8Array, packageId: string, innerId: string): string {\n\tif (!isValidSuiObjectId(packageId)) {\n\t\tthrow new UserError(`Invalid package ID ${packageId}`);\n\t}\n\tconst packageIdBytes = fromHex(packageId);\n\tconst innerIdBytes = fromHex(innerId);\n\tconst fullId = new Uint8Array(1 + dst.length + packageIdBytes.length + innerIdBytes.length);\n\tfullId.set([dst.length], 0);\n\tfullId.set(dst, 1);\n\tfullId.set(packageIdBytes, 1 + dst.length);\n\tfullId.set(innerIdBytes, 1 + dst.length + packageIdBytes.length);\n\treturn toHex(fullId);\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAA+B;AAC/B,mBAAmC;AAEnC,mBAA0B;AAEnB,SAAS,IAAI,GAAe,GAA2B;AAC7D,MAAI,EAAE,WAAW,EAAE,QAAQ;AAC1B,UAAM,IAAI,MAAM,eAAe;AAAA,EAChC;AACA,SAAO,aAAa,GAAG,CAAC;AACzB;AAEO,SAAS,aAAa,GAAe,GAA2B;AACtE,SAAO,EAAE,IAAI,CAAC,IAAI,MAAM,KAAK,EAAE,CAAC,CAAC;AAClC;AASO,SAAS,aAAa,KAAiB,WAAmB,SAAyB;AACzF,MAAI,KAAC,iCAAmB,SAAS,GAAG;AACnC,UAAM,IAAI,uBAAU,sBAAsB,SAAS,EAAE;AAAA,EACtD;AACA,QAAM,qBAAiB,oBAAQ,SAAS;AACxC,QAAM,mBAAe,oBAAQ,OAAO;AACpC,QAAM,SAAS,IAAI,WAAW,IAAI,IAAI,SAAS,eAAe,SAAS,aAAa,MAAM;AAC1F,SAAO,IAAI,CAAC,IAAI,MAAM,GAAG,CAAC;AAC1B,SAAO,IAAI,KAAK,CAAC;AACjB,SAAO,IAAI,gBAAgB,IAAI,IAAI,MAAM;AACzC,SAAO,IAAI,cAAc,IAAI,IAAI,SAAS,eAAe,MAAM;AAC/D,aAAO,kBAAM,MAAM;AACpB;",
   "names": []
 }

package/dist/cjs/version.d.ts

@@ -0,0 +1 @@
+export declare const PACKAGE_VERSION = "0.3.1";

package/dist/cjs/version.js

@@ -0,0 +1,25 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var version_exports = {};
+__export(version_exports, {
+  PACKAGE_VERSION: () => PACKAGE_VERSION
+});
+module.exports = __toCommonJS(version_exports);
+const PACKAGE_VERSION = "0.3.1";
+//# sourceMappingURL=version.js.map

package/dist/cjs/version.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/version.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '0.3.1';\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAKO,MAAM,kBAAkB;",
+  "names": []
+}

package/dist/esm/bcs.d.ts

@@ -0,0 +1,132 @@
+export declare const IBEEncryptions: import("@mysten/bcs").BcsType<{
+    BonehFranklinBLS12381: {
+        nonce: Uint8Array<ArrayBufferLike>;
+        encryptedShares: Uint8Array<ArrayBufferLike>[];
+        encryptedRandomness: Uint8Array<ArrayBufferLike>;
+    };
+    $kind: "BonehFranklinBLS12381";
+}, {
+    BonehFranklinBLS12381: {
+        nonce: Iterable<number>;
+        encryptedShares: Iterable<Iterable<number>> & {
+            length: number;
+        };
+        encryptedRandomness: Iterable<number>;
+    };
+}>;
+export declare const Ciphertext: import("@mysten/bcs").BcsType<import("@mysten/bcs").EnumOutputShapeWithKeys<{
+    Aes256Gcm: {
+        blob: number[];
+        aad: number[] | null;
+    };
+    Hmac256Ctr: {
+        blob: number[];
+        aad: number[] | null;
+        mac: Uint8Array<ArrayBufferLike>;
+    };
+    Plain: {};
+}, "Aes256Gcm" | "Hmac256Ctr" | "Plain">, import("@mysten/bcs").EnumInputShape<{
+    Aes256Gcm: {
+        blob: Iterable<number> & {
+            length: number;
+        };
+        aad: (Iterable<number> & {
+            length: number;
+        }) | null | undefined;
+    };
+    Hmac256Ctr: {
+        blob: Iterable<number> & {
+            length: number;
+        };
+        aad: (Iterable<number> & {
+            length: number;
+        }) | null | undefined;
+        mac: Iterable<number>;
+    };
+    Plain: {};
+}>>;
+/**
+ * The encrypted object format. Should be aligned with the Rust implementation.
+ */
+export declare const EncryptedObject: import("@mysten/bcs").BcsType<{
+    version: number;
+    packageId: string;
+    id: string;
+    services: [string, number][];
+    threshold: number;
+    encryptedShares: {
+        BonehFranklinBLS12381: {
+            nonce: Uint8Array<ArrayBufferLike>;
+            encryptedShares: Uint8Array<ArrayBufferLike>[];
+            encryptedRandomness: Uint8Array<ArrayBufferLike>;
+        };
+        $kind: "BonehFranklinBLS12381";
+    };
+    ciphertext: import("@mysten/bcs").EnumOutputShapeWithKeys<{
+        Aes256Gcm: {
+            blob: number[];
+            aad: number[] | null;
+        };
+        Hmac256Ctr: {
+            blob: number[];
+            aad: number[] | null;
+            mac: Uint8Array<ArrayBufferLike>;
+        };
+        Plain: {};
+    }, "Aes256Gcm" | "Hmac256Ctr" | "Plain">;
+}, {
+    version: number;
+    packageId: string | Uint8Array<ArrayBufferLike>;
+    id: string;
+    services: Iterable<readonly [string | Uint8Array<ArrayBufferLike>, number]> & {
+        length: number;
+    };
+    threshold: number;
+    encryptedShares: {
+        BonehFranklinBLS12381: {
+            nonce: Iterable<number>;
+            encryptedShares: Iterable<Iterable<number>> & {
+                length: number;
+            };
+            encryptedRandomness: Iterable<number>;
+        };
+    };
+    ciphertext: import("@mysten/bcs").EnumInputShape<{
+        Aes256Gcm: {
+            blob: Iterable<number> & {
+                length: number;
+            };
+            aad: (Iterable<number> & {
+                length: number;
+            }) | null | undefined;
+        };
+        Hmac256Ctr: {
+            blob: Iterable<number> & {
+                length: number;
+            };
+            aad: (Iterable<number> & {
+                length: number;
+            }) | null | undefined;
+            mac: Iterable<number>;
+        };
+        Plain: {};
+    }>;
+}>;
+/**
+ * The Move struct for the KeyServer object.
+ */
+export declare const KeyServerMove: import("@mysten/bcs").BcsType<{
+    id: string;
+    name: string;
+    url: string;
+    keyType: number;
+    pk: number[];
+}, {
+    id: string | Uint8Array<ArrayBufferLike>;
+    name: string;
+    url: string;
+    keyType: number;
+    pk: Iterable<number> & {
+        length: number;
+    };
+}>;

package/dist/esm/bcs.js

@@ -0,0 +1,47 @@
+import { fromHex, toHex } from "@mysten/bcs";
+import { bcs } from "@mysten/sui/bcs";
+const IBEEncryptions = bcs.enum("IBEEncryptions", {
+  BonehFranklinBLS12381: bcs.struct("BonehFranklinBLS12381", {
+    nonce: bcs.bytes(96),
+    encryptedShares: bcs.vector(bcs.bytes(32)),
+    encryptedRandomness: bcs.bytes(32)
+  })
+});
+const Ciphertext = bcs.enum("Ciphertext", {
+  Aes256Gcm: bcs.struct("Aes256Gcm", {
+    blob: bcs.vector(bcs.U8),
+    aad: bcs.option(bcs.vector(bcs.U8))
+  }),
+  Hmac256Ctr: bcs.struct("Hmac256Ctr", {
+    blob: bcs.vector(bcs.U8),
+    aad: bcs.option(bcs.vector(bcs.U8)),
+    mac: bcs.bytes(32)
+  }),
+  Plain: bcs.struct("Plain", {})
+});
+const EncryptedObject = bcs.struct("EncryptedObject", {
+  version: bcs.U8,
+  packageId: bcs.Address,
+  id: bcs.vector(bcs.U8).transform({
+    output: (val) => toHex(new Uint8Array(val)),
+    input: (val) => fromHex(val)
+  }),
+  services: bcs.vector(bcs.tuple([bcs.Address, bcs.U8])),
+  threshold: bcs.U8,
+  encryptedShares: IBEEncryptions,
+  ciphertext: Ciphertext
+});
+const KeyServerMove = bcs.struct("KeyServer", {
+  id: bcs.Address,
+  name: bcs.string(),
+  url: bcs.string(),
+  keyType: bcs.u8(),
+  pk: bcs.vector(bcs.u8())
+});
+export {
+  Ciphertext,
+  EncryptedObject,
+  IBEEncryptions,
+  KeyServerMove
+};
+//# sourceMappingURL=bcs.js.map

package/dist/esm/bcs.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../src/bcs.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex, toHex } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\n\nexport const IBEEncryptions = bcs.enum('IBEEncryptions', {\n\tBonehFranklinBLS12381: bcs.struct('BonehFranklinBLS12381', {\n\t\tnonce: bcs.bytes(96),\n\t\tencryptedShares: bcs.vector(bcs.bytes(32)),\n\t\tencryptedRandomness: bcs.bytes(32),\n\t}),\n});\n\nexport const Ciphertext = bcs.enum('Ciphertext', {\n\tAes256Gcm: bcs.struct('Aes256Gcm', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t}),\n\tHmac256Ctr: bcs.struct('Hmac256Ctr', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t\tmac: bcs.bytes(32),\n\t}),\n\tPlain: bcs.struct('Plain', {}),\n});\n\n/**\n * The encrypted object format. Should be aligned with the Rust implementation.\n */\nexport const EncryptedObject = bcs.struct('EncryptedObject', {\n\tversion: bcs.U8,\n\tpackageId: bcs.Address,\n\tid: bcs.vector(bcs.U8).transform({\n\t\toutput: (val) => toHex(new Uint8Array(val)),\n\t\tinput: (val: string) => fromHex(val),\n\t}),\n\tservices: bcs.vector(bcs.tuple([bcs.Address, bcs.U8])),\n\tthreshold: bcs.U8,\n\tencryptedShares: IBEEncryptions,\n\tciphertext: Ciphertext,\n});\n\n/**\n * The Move struct for the KeyServer object.\n */\nexport const KeyServerMove = bcs.struct('KeyServer', {\n\tid: bcs.Address,\n\tname: bcs.string(),\n\turl: bcs.string(),\n\tkeyType: bcs.u8(),\n\tpk: bcs.vector(bcs.u8()),\n});\n"],
+  "mappings": "AAGA,SAAS,SAAS,aAAa;AAC/B,SAAS,WAAW;AAEb,MAAM,iBAAiB,IAAI,KAAK,kBAAkB;AAAA,EACxD,uBAAuB,IAAI,OAAO,yBAAyB;AAAA,IAC1D,OAAO,IAAI,MAAM,EAAE;AAAA,IACnB,iBAAiB,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;AAAA,IACzC,qBAAqB,IAAI,MAAM,EAAE;AAAA,EAClC,CAAC;AACF,CAAC;AAEM,MAAM,aAAa,IAAI,KAAK,cAAc;AAAA,EAChD,WAAW,IAAI,OAAO,aAAa;AAAA,IAClC,MAAM,IAAI,OAAO,IAAI,EAAE;AAAA,IACvB,KAAK,IAAI,OAAO,IAAI,OAAO,IAAI,EAAE,CAAC;AAAA,EACnC,CAAC;AAAA,EACD,YAAY,IAAI,OAAO,cAAc;AAAA,IACpC,MAAM,IAAI,OAAO,IAAI,EAAE;AAAA,IACvB,KAAK,IAAI,OAAO,IAAI,OAAO,IAAI,EAAE,CAAC;AAAA,IAClC,KAAK,IAAI,MAAM,EAAE;AAAA,EAClB,CAAC;AAAA,EACD,OAAO,IAAI,OAAO,SAAS,CAAC,CAAC;AAC9B,CAAC;AAKM,MAAM,kBAAkB,IAAI,OAAO,mBAAmB;AAAA,EAC5D,SAAS,IAAI;AAAA,EACb,WAAW,IAAI;AAAA,EACf,IAAI,IAAI,OAAO,IAAI,EAAE,EAAE,UAAU;AAAA,IAChC,QAAQ,CAAC,QAAQ,MAAM,IAAI,WAAW,GAAG,CAAC;AAAA,IAC1C,OAAO,CAAC,QAAgB,QAAQ,GAAG;AAAA,EACpC,CAAC;AAAA,EACD,UAAU,IAAI,OAAO,IAAI,MAAM,CAAC,IAAI,SAAS,IAAI,EAAE,CAAC,CAAC;AAAA,EACrD,WAAW,IAAI;AAAA,EACf,iBAAiB;AAAA,EACjB,YAAY;AACb,CAAC;AAKM,MAAM,gBAAgB,IAAI,OAAO,aAAa;AAAA,EACpD,IAAI,IAAI;AAAA,EACR,MAAM,IAAI,OAAO;AAAA,EACjB,KAAK,IAAI,OAAO;AAAA,EAChB,SAAS,IAAI,GAAG;AAAA,EAChB,IAAI,IAAI,OAAO,IAAI,GAAG,CAAC;AACxB,CAAC;",
+  "names": []
+}

package/dist/esm/client.d.ts

@@ -0,0 +1,83 @@
+import type { SuiClient } from '@mysten/sui/client';
+import { DemType, KemType } from './encrypt.js';
+import type { KeyServer } from './key-server.js';
+import type { SessionKey } from './session-key.js';
+/**
+ * Configuration options for initializing a SealClient
+ * @property serverObjectIds: Array of object IDs for the key servers to use.
+ * @property verifyKeyServers: Whether to verify the key servers' authenticity.
+ * 	 Should be false if servers are pre-verified (e.g., getAllowlistedKeyServers).
+ * 	 Defaults to true.
+ * @property timeout: Timeout in milliseconds for network requests. Defaults to 10 seconds.
+ */
+export interface SealClientOptions {
+    suiClient: SuiClient;
+    serverObjectIds: string[];
+    verifyKeyServers?: boolean;
+    timeout?: number;
+}
+export declare class SealClient {
+    #private;
+    constructor(options: SealClientOptions);
+    /**
+     * Return an encrypted message under the identity.
+     *
+     * @param kemType - The type of KEM to use.
+     * @param demType - The type of DEM to use.
+     * @param threshold - The threshold for the TSS encryption.
+     * @param packageId - the packageId namespace.
+     * @param id - the identity to use.
+     * @param data - the data to encrypt.
+     * @param aad - optional additional authenticated data.
+     * @returns The bcs bytes of the encrypted object containing all metadata and the 256-bit symmetric key that was used to encrypt the object.
+     * 	Since the symmetric key can be used to decrypt, it should not be shared but can be used e.g. for backup.
+     */
+    encrypt({ kemType, demType, threshold, packageId, id, data, aad, }: {
+        kemType?: KemType;
+        demType?: DemType;
+        threshold: number;
+        packageId: string;
+        id: string;
+        data: Uint8Array;
+        aad?: Uint8Array;
+    }): Promise<{
+        encryptedObject: Uint8Array;
+        key: Uint8Array;
+    }>;
+    /**
+     * Decrypt the given encrypted bytes using cached keys.
+     * Calls fetchKeys in case one or more of the required keys is not cached yet.
+     * The function throws an error if the client's key servers are not a subset of
+     * the encrypted object's key servers (including the same weights) or if the
+     * threshold cannot be met.
+     *
+     * @param data - The encrypted bytes to decrypt.
+     * @param sessionKey - The session key to use.
+     * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+     * @returns - The decrypted plaintext corresponding to ciphertext.
+     */
+    decrypt({ data, sessionKey, txBytes, }: {
+        data: Uint8Array;
+        sessionKey: SessionKey;
+        txBytes: Uint8Array;
+    }): Promise<Uint8Array<ArrayBufferLike>>;
+    getKeyServers(): Promise<KeyServer[]>;
+    /**
+     * Fetch keys from the key servers and update the cache.
+     *
+     * It is recommended to call this function once for all ids of all encrypted obejcts if
+     * there are multiple, then call decrypt for each object. This avoids calling fetchKey
+     * individually for each decrypt.
+     *
+     * @param ids - The ids of the encrypted objects.
+     * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+     * @param sessionKey - The session key to use.
+     * @param threshold - The threshold for the TSS encryptions. The function returns when a threshold of key servers had returned keys for all ids.
+     */
+    fetchKeys({ ids, txBytes, sessionKey, threshold, }: {
+        ids: string[];
+        txBytes: Uint8Array;
+        sessionKey: SessionKey;
+        threshold: number;
+    }): Promise<void>;
+}

package/dist/esm/client.js

@@ -0,0 +1,268 @@
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+var __privateMethod = (obj, member, method) => (__accessCheck(obj, member, "access private method"), method);
+var _suiClient, _serverObjectIds, _verifyKeyServers, _keyServers, _cachedKeys, _timeout, _SealClient_instances, createEncryptionInput_fn, validateEncryptionServices_fn, loadKeyServers_fn;
+import { EncryptedObject } from "./bcs.js";
+import { G1Element, G2Element } from "./bls12381.js";
+import { decrypt } from "./decrypt.js";
+import { AesGcm256, Hmac256Ctr } from "./dem.js";
+import { DemType, encrypt, KemType } from "./encrypt.js";
+import {
+  InconsistentKeyServersError,
+  InvalidKeyServerError,
+  InvalidThresholdError,
+  toMajorityError
+} from "./error.js";
+import { BonehFranklinBLS12381Services, DST } from "./ibe.js";
+import { KeyServerType, retrieveKeyServers, verifyKeyServer } from "./key-server.js";
+import { fetchKeysForAllIds } from "./keys.js";
+import { createFullId } from "./utils.js";
+class SealClient {
+  constructor(options) {
+    __privateAdd(this, _SealClient_instances);
+    __privateAdd(this, _suiClient);
+    __privateAdd(this, _serverObjectIds);
+    __privateAdd(this, _verifyKeyServers);
+    __privateAdd(this, _keyServers, null);
+    // A caching map for: fullId:object_id -> partial key.
+    __privateAdd(this, _cachedKeys, /* @__PURE__ */ new Map());
+    __privateAdd(this, _timeout);
+    __privateSet(this, _suiClient, options.suiClient);
+    __privateSet(this, _serverObjectIds, options.serverObjectIds);
+    __privateSet(this, _verifyKeyServers, options.verifyKeyServers ?? true);
+    __privateSet(this, _timeout, options.timeout ?? 1e4);
+  }
+  /**
+   * Return an encrypted message under the identity.
+   *
+   * @param kemType - The type of KEM to use.
+   * @param demType - The type of DEM to use.
+   * @param threshold - The threshold for the TSS encryption.
+   * @param packageId - the packageId namespace.
+   * @param id - the identity to use.
+   * @param data - the data to encrypt.
+   * @param aad - optional additional authenticated data.
+   * @returns The bcs bytes of the encrypted object containing all metadata and the 256-bit symmetric key that was used to encrypt the object.
+   * 	Since the symmetric key can be used to decrypt, it should not be shared but can be used e.g. for backup.
+   */
+  async encrypt({
+    kemType = KemType.BonehFranklinBLS12381DemCCA,
+    demType = DemType.AesGcm256,
+    threshold,
+    packageId,
+    id,
+    data,
+    aad = new Uint8Array()
+  }) {
+    return encrypt({
+      keyServers: await this.getKeyServers(),
+      kemType,
+      threshold,
+      packageId,
+      id,
+      encryptionInput: __privateMethod(this, _SealClient_instances, createEncryptionInput_fn).call(this, demType, data, aad)
+    });
+  }
+  /**
+   * Decrypt the given encrypted bytes using cached keys.
+   * Calls fetchKeys in case one or more of the required keys is not cached yet.
+   * The function throws an error if the client's key servers are not a subset of
+   * the encrypted object's key servers (including the same weights) or if the
+   * threshold cannot be met.
+   *
+   * @param data - The encrypted bytes to decrypt.
+   * @param sessionKey - The session key to use.
+   * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+   * @returns - The decrypted plaintext corresponding to ciphertext.
+   */
+  async decrypt({
+    data,
+    sessionKey,
+    txBytes
+  }) {
+    const encryptedObject = EncryptedObject.parse(data);
+    __privateMethod(this, _SealClient_instances, validateEncryptionServices_fn).call(this, encryptedObject.services.map((s) => s[0]), encryptedObject.threshold);
+    await this.fetchKeys({
+      ids: [encryptedObject.id],
+      txBytes,
+      sessionKey,
+      threshold: encryptedObject.threshold
+    });
+    return decrypt({ encryptedObject, keys: __privateGet(this, _cachedKeys) });
+  }
+  async getKeyServers() {
+    if (!__privateGet(this, _keyServers)) {
+      __privateSet(this, _keyServers, __privateMethod(this, _SealClient_instances, loadKeyServers_fn).call(this).catch((error) => {
+        __privateSet(this, _keyServers, null);
+        throw error;
+      }));
+    }
+    return __privateGet(this, _keyServers);
+  }
+  /**
+   * Fetch keys from the key servers and update the cache.
+   *
+   * It is recommended to call this function once for all ids of all encrypted obejcts if
+   * there are multiple, then call decrypt for each object. This avoids calling fetchKey
+   * individually for each decrypt.
+   *
+   * @param ids - The ids of the encrypted objects.
+   * @param txBytes - The transaction bytes to use (that calls seal_approve* functions).
+   * @param sessionKey - The session key to use.
+   * @param threshold - The threshold for the TSS encryptions. The function returns when a threshold of key servers had returned keys for all ids.
+   */
+  async fetchKeys({
+    ids,
+    txBytes,
+    sessionKey,
+    threshold
+  }) {
+    const keyServers = await this.getKeyServers();
+    if (threshold > keyServers.length || threshold < 1 || keyServers.length < 1) {
+      throw new InvalidThresholdError(
+        `Invalid threshold ${threshold} for ${keyServers.length} servers`
+      );
+    }
+    let completedServerCount = 0;
+    const remainingKeyServers = /* @__PURE__ */ new Set();
+    const fullIds = ids.map((id) => createFullId(DST, sessionKey.getPackageId(), id));
+    for (const server of keyServers) {
+      let hasAllKeys = true;
+      for (const fullId of fullIds) {
+        if (!__privateGet(this, _cachedKeys).has(`${fullId}:${server.objectId}`)) {
+          hasAllKeys = false;
+          remainingKeyServers.add(server);
+          break;
+        }
+      }
+      if (hasAllKeys) {
+        completedServerCount++;
+      }
+    }
+    if (completedServerCount >= threshold) {
+      return;
+    }
+    for (const server of remainingKeyServers) {
+      if (server.keyType !== KeyServerType.BonehFranklinBLS12381) {
+        throw new InvalidKeyServerError(
+          `Server ${server.objectId} has invalid key type: ${server.keyType}`
+        );
+      }
+    }
+    const cert = await sessionKey.getCertificate();
+    const signedRequest = await sessionKey.createRequestParams(txBytes);
+    const controller = new AbortController();
+    const errors = [];
+    const keyFetches = [...remainingKeyServers].map(async (server) => {
+      try {
+        const allKeys = await fetchKeysForAllIds(
+          server.url,
+          signedRequest.requestSignature,
+          txBytes,
+          signedRequest.decryptionKey,
+          cert,
+          __privateGet(this, _timeout),
+          controller.signal
+        );
+        let receivedIds = /* @__PURE__ */ new Set();
+        for (const { fullId, key } of allKeys) {
+          const keyElement = G1Element.fromBytes(key);
+          if (!BonehFranklinBLS12381Services.verifyUserSecretKey(
+            keyElement,
+            fullId,
+            G2Element.fromBytes(server.pk)
+          )) {
+            console.warn("Received invalid key from key server " + server.objectId);
+            continue;
+          }
+          __privateGet(this, _cachedKeys).set(`${fullId}:${server.objectId}`, keyElement);
+          receivedIds.add(fullId);
+        }
+        const expectedIds = new Set(fullIds);
+        const hasAllKeys = receivedIds.size === expectedIds.size && [...receivedIds].every((id) => expectedIds.has(id));
+        if (hasAllKeys) {
+          completedServerCount++;
+          if (completedServerCount >= threshold) {
+            controller.abort();
+          }
+        }
+      } catch (error) {
+        if (!controller.signal.aborted) {
+          errors.push(error);
+        }
+        if (remainingKeyServers.size - errors.length < threshold - completedServerCount) {
+          controller.abort(error);
+        }
+      }
+    });
+    await Promise.allSettled(keyFetches);
+    if (completedServerCount < threshold) {
+      throw toMajorityError(errors);
+    }
+  }
+}
+_suiClient = new WeakMap();
+_serverObjectIds = new WeakMap();
+_verifyKeyServers = new WeakMap();
+_keyServers = new WeakMap();
+_cachedKeys = new WeakMap();
+_timeout = new WeakMap();
+_SealClient_instances = new WeakSet();
+createEncryptionInput_fn = function(type, data, aad) {
+  switch (type) {
+    case DemType.AesGcm256:
+      return new AesGcm256(data, aad);
+    case DemType.Hmac256Ctr:
+      return new Hmac256Ctr(data, aad);
+  }
+};
+validateEncryptionServices_fn = function(services, threshold) {
+  const serverObjectIdsMap = /* @__PURE__ */ new Map();
+  for (const objectId of __privateGet(this, _serverObjectIds)) {
+    serverObjectIdsMap.set(objectId, (serverObjectIdsMap.get(objectId) ?? 0) + 1);
+  }
+  const servicesMap = /* @__PURE__ */ new Map();
+  for (const service of services) {
+    servicesMap.set(service, (servicesMap.get(service) ?? 0) + 1);
+  }
+  for (const [objectId, count] of serverObjectIdsMap) {
+    if (servicesMap.get(objectId) !== count) {
+      throw new InconsistentKeyServersError(
+        `Client's key servers must be a subset of the encrypted object's key servers`
+      );
+    }
+  }
+  if (threshold > __privateGet(this, _serverObjectIds).length) {
+    throw new InvalidThresholdError(
+      `Invalid threshold ${threshold} for ${__privateGet(this, _serverObjectIds).length} servers`
+    );
+  }
+};
+loadKeyServers_fn = async function() {
+  const keyServers = await retrieveKeyServers({
+    objectIds: __privateGet(this, _serverObjectIds),
+    client: __privateGet(this, _suiClient)
+  });
+  if (keyServers.length === 0) {
+    throw new InvalidKeyServerError("No key servers found");
+  }
+  if (__privateGet(this, _verifyKeyServers)) {
+    await Promise.all(
+      keyServers.map(async (server) => {
+        if (!await verifyKeyServer(server, __privateGet(this, _timeout))) {
+          throw new InvalidKeyServerError(`Key server ${server.objectId} is not valid`);
+        }
+      })
+    );
+  }
+  return keyServers;
+};
+export {
+  SealClient
+};
+//# sourceMappingURL=client.js.map