@mysten/seal 0.4.10 → 0.4.11

package/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @mysten/seal
 
+## 0.4.11
+
+### Patch Changes
+
+- c15d220: Use versioned key server objects
+- Updated dependencies [1ff4e57]
+- Updated dependencies [550e2e3]
+- Updated dependencies [550e2e3]
+  - @mysten/sui@1.31.0
+
 ## 0.4.10
 
 ### Patch Changes

package/dist/cjs/bcs.d.ts

@@ -113,16 +113,14 @@ export declare const EncryptedObject: import("@mysten/bcs").BcsType<{
     }>;
 }>;
 /**
- * The Move struct for the KeyServer object.
+ * The Move struct for the KeyServerV1 object.
  */
-export declare const KeyServerMove: import("@mysten/bcs").BcsType<{
-    id: string;
+export declare const KeyServerMoveV1: import("@mysten/bcs").BcsType<{
     name: string;
     url: string;
     keyType: number;
     pk: number[];
 }, {
-    id: string | Uint8Array<ArrayBufferLike>;
     name: string;
     url: string;
     keyType: number;
@@ -130,3 +128,15 @@ export declare const KeyServerMove: import("@mysten/bcs").BcsType<{
         length: number;
     };
 }>;
+/**
+ * The Move struct for the parent object.
+ */
+export declare const KeyServerMove: import("@mysten/bcs").BcsType<{
+    id: string;
+    firstVersion: string;
+    lastVersion: string;
+}, {
+    id: string | Uint8Array<ArrayBufferLike>;
+    firstVersion: string | number | bigint;
+    lastVersion: string | number | bigint;
+}>;

package/dist/cjs/bcs.js

@@ -21,7 +21,8 @@ __export(bcs_exports, {
   Ciphertext: () => Ciphertext,
   EncryptedObject: () => EncryptedObject,
   IBEEncryptions: () => IBEEncryptions,
-  KeyServerMove: () => KeyServerMove
+  KeyServerMove: () => KeyServerMove,
+  KeyServerMoveV1: () => KeyServerMoveV1
 });
 module.exports = __toCommonJS(bcs_exports);
 var import_bcs = require("@mysten/bcs");
@@ -57,11 +58,17 @@ const EncryptedObject = import_bcs2.bcs.struct("EncryptedObject", {
   encryptedShares: IBEEncryptions,
   ciphertext: Ciphertext
 });
-const KeyServerMove = import_bcs2.bcs.struct("KeyServer", {
-  id: import_bcs2.bcs.Address,
+const KeyServerMoveV1 = import_bcs2.bcs.struct("KeyServerV1", {
   name: import_bcs2.bcs.string(),
   url: import_bcs2.bcs.string(),
   keyType: import_bcs2.bcs.u8(),
   pk: import_bcs2.bcs.vector(import_bcs2.bcs.u8())
 });
+const KeyServerMove = import_bcs2.bcs.struct("KeyServer", {
+  id: import_bcs2.bcs.Address,
+  firstVersion: import_bcs2.bcs.u64(),
+  // latest version
+  lastVersion: import_bcs2.bcs.u64()
+  // oldest version
+});
 //# sourceMappingURL=bcs.js.map

package/dist/cjs/bcs.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/bcs.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex, toHex } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\n\nexport const IBEEncryptions = bcs.enum('IBEEncryptions', {\n\tBonehFranklinBLS12381: bcs.struct('BonehFranklinBLS12381', {\n\t\tnonce: bcs.bytes(96),\n\t\tencryptedShares: bcs.vector(bcs.bytes(32)),\n\t\tencryptedRandomness: bcs.bytes(32),\n\t}),\n});\n\nexport const Ciphertext = bcs.enum('Ciphertext', {\n\tAes256Gcm: bcs.struct('Aes256Gcm', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t}),\n\tHmac256Ctr: bcs.struct('Hmac256Ctr', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t\tmac: bcs.bytes(32),\n\t}),\n\tPlain: bcs.struct('Plain', {}),\n});\n\n/**\n * The encrypted object format. Should be aligned with the Rust implementation.\n */\nexport const EncryptedObject = bcs.struct('EncryptedObject', {\n\tversion: bcs.U8,\n\tpackageId: bcs.Address,\n\tid: bcs.vector(bcs.U8).transform({\n\t\toutput: (val) => toHex(new Uint8Array(val)),\n\t\tinput: (val: string) => fromHex(val),\n\t}),\n\tservices: bcs.vector(bcs.tuple([bcs.Address, bcs.U8])),\n\tthreshold: bcs.U8,\n\tencryptedShares: IBEEncryptions,\n\tciphertext: Ciphertext,\n});\n\n/**\n * The Move struct for the KeyServer object.\n */\nexport const KeyServerMove = bcs.struct('KeyServer', {\n\tid: bcs.Address,\n\tname: bcs.string(),\n\turl: bcs.string(),\n\tkeyType: bcs.u8(),\n\tpk: bcs.vector(bcs.u8()),\n});\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAA+B;AAC/B,IAAAA,cAAoB;AAEb,MAAM,iBAAiB,gBAAI,KAAK,kBAAkB;AAAA,EACxD,uBAAuB,gBAAI,OAAO,yBAAyB;AAAA,IAC1D,OAAO,gBAAI,MAAM,EAAE;AAAA,IACnB,iBAAiB,gBAAI,OAAO,gBAAI,MAAM,EAAE,CAAC;AAAA,IACzC,qBAAqB,gBAAI,MAAM,EAAE;AAAA,EAClC,CAAC;AACF,CAAC;AAEM,MAAM,aAAa,gBAAI,KAAK,cAAc;AAAA,EAChD,WAAW,gBAAI,OAAO,aAAa;AAAA,IAClC,MAAM,gBAAI,OAAO,gBAAI,EAAE;AAAA,IACvB,KAAK,gBAAI,OAAO,gBAAI,OAAO,gBAAI,EAAE,CAAC;AAAA,EACnC,CAAC;AAAA,EACD,YAAY,gBAAI,OAAO,cAAc;AAAA,IACpC,MAAM,gBAAI,OAAO,gBAAI,EAAE;AAAA,IACvB,KAAK,gBAAI,OAAO,gBAAI,OAAO,gBAAI,EAAE,CAAC;AAAA,IAClC,KAAK,gBAAI,MAAM,EAAE;AAAA,EAClB,CAAC;AAAA,EACD,OAAO,gBAAI,OAAO,SAAS,CAAC,CAAC;AAC9B,CAAC;AAKM,MAAM,kBAAkB,gBAAI,OAAO,mBAAmB;AAAA,EAC5D,SAAS,gBAAI;AAAA,EACb,WAAW,gBAAI;AAAA,EACf,IAAI,gBAAI,OAAO,gBAAI,EAAE,EAAE,UAAU;AAAA,IAChC,QAAQ,CAAC,YAAQ,kBAAM,IAAI,WAAW,GAAG,CAAC;AAAA,IAC1C,OAAO,CAAC,YAAgB,oBAAQ,GAAG;AAAA,EACpC,CAAC;AAAA,EACD,UAAU,gBAAI,OAAO,gBAAI,MAAM,CAAC,gBAAI,SAAS,gBAAI,EAAE,CAAC,CAAC;AAAA,EACrD,WAAW,gBAAI;AAAA,EACf,iBAAiB;AAAA,EACjB,YAAY;AACb,CAAC;AAKM,MAAM,gBAAgB,gBAAI,OAAO,aAAa;AAAA,EACpD,IAAI,gBAAI;AAAA,EACR,MAAM,gBAAI,OAAO;AAAA,EACjB,KAAK,gBAAI,OAAO;AAAA,EAChB,SAAS,gBAAI,GAAG;AAAA,EAChB,IAAI,gBAAI,OAAO,gBAAI,GAAG,CAAC;AACxB,CAAC;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex, toHex } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\n\nexport const IBEEncryptions = bcs.enum('IBEEncryptions', {\n\tBonehFranklinBLS12381: bcs.struct('BonehFranklinBLS12381', {\n\t\tnonce: bcs.bytes(96),\n\t\tencryptedShares: bcs.vector(bcs.bytes(32)),\n\t\tencryptedRandomness: bcs.bytes(32),\n\t}),\n});\n\nexport const Ciphertext = bcs.enum('Ciphertext', {\n\tAes256Gcm: bcs.struct('Aes256Gcm', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t}),\n\tHmac256Ctr: bcs.struct('Hmac256Ctr', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t\tmac: bcs.bytes(32),\n\t}),\n\tPlain: bcs.struct('Plain', {}),\n});\n\n/**\n * The encrypted object format. Should be aligned with the Rust implementation.\n */\nexport const EncryptedObject = bcs.struct('EncryptedObject', {\n\tversion: bcs.U8,\n\tpackageId: bcs.Address,\n\tid: bcs.vector(bcs.U8).transform({\n\t\toutput: (val) => toHex(new Uint8Array(val)),\n\t\tinput: (val: string) => fromHex(val),\n\t}),\n\tservices: bcs.vector(bcs.tuple([bcs.Address, bcs.U8])),\n\tthreshold: bcs.U8,\n\tencryptedShares: IBEEncryptions,\n\tciphertext: Ciphertext,\n});\n\n/**\n * The Move struct for the KeyServerV1 object.\n */\nexport const KeyServerMoveV1 = bcs.struct('KeyServerV1', {\n\tname: bcs.string(),\n\turl: bcs.string(),\n\tkeyType: bcs.u8(),\n\tpk: bcs.vector(bcs.u8()),\n});\n\n/**\n * The Move struct for the parent object.\n */\nexport const KeyServerMove = bcs.struct('KeyServer', {\n\tid: bcs.Address,\n\tfirstVersion: bcs.u64(), // latest version\n\tlastVersion: bcs.u64(), // oldest version\n});\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,iBAA+B;AAC/B,IAAAA,cAAoB;AAEb,MAAM,iBAAiB,gBAAI,KAAK,kBAAkB;AAAA,EACxD,uBAAuB,gBAAI,OAAO,yBAAyB;AAAA,IAC1D,OAAO,gBAAI,MAAM,EAAE;AAAA,IACnB,iBAAiB,gBAAI,OAAO,gBAAI,MAAM,EAAE,CAAC;AAAA,IACzC,qBAAqB,gBAAI,MAAM,EAAE;AAAA,EAClC,CAAC;AACF,CAAC;AAEM,MAAM,aAAa,gBAAI,KAAK,cAAc;AAAA,EAChD,WAAW,gBAAI,OAAO,aAAa;AAAA,IAClC,MAAM,gBAAI,OAAO,gBAAI,EAAE;AAAA,IACvB,KAAK,gBAAI,OAAO,gBAAI,OAAO,gBAAI,EAAE,CAAC;AAAA,EACnC,CAAC;AAAA,EACD,YAAY,gBAAI,OAAO,cAAc;AAAA,IACpC,MAAM,gBAAI,OAAO,gBAAI,EAAE;AAAA,IACvB,KAAK,gBAAI,OAAO,gBAAI,OAAO,gBAAI,EAAE,CAAC;AAAA,IAClC,KAAK,gBAAI,MAAM,EAAE;AAAA,EAClB,CAAC;AAAA,EACD,OAAO,gBAAI,OAAO,SAAS,CAAC,CAAC;AAC9B,CAAC;AAKM,MAAM,kBAAkB,gBAAI,OAAO,mBAAmB;AAAA,EAC5D,SAAS,gBAAI;AAAA,EACb,WAAW,gBAAI;AAAA,EACf,IAAI,gBAAI,OAAO,gBAAI,EAAE,EAAE,UAAU;AAAA,IAChC,QAAQ,CAAC,YAAQ,kBAAM,IAAI,WAAW,GAAG,CAAC;AAAA,IAC1C,OAAO,CAAC,YAAgB,oBAAQ,GAAG;AAAA,EACpC,CAAC;AAAA,EACD,UAAU,gBAAI,OAAO,gBAAI,MAAM,CAAC,gBAAI,SAAS,gBAAI,EAAE,CAAC,CAAC;AAAA,EACrD,WAAW,gBAAI;AAAA,EACf,iBAAiB;AAAA,EACjB,YAAY;AACb,CAAC;AAKM,MAAM,kBAAkB,gBAAI,OAAO,eAAe;AAAA,EACxD,MAAM,gBAAI,OAAO;AAAA,EACjB,KAAK,gBAAI,OAAO;AAAA,EAChB,SAAS,gBAAI,GAAG;AAAA,EAChB,IAAI,gBAAI,OAAO,gBAAI,GAAG,CAAC;AACxB,CAAC;AAKM,MAAM,gBAAgB,gBAAI,OAAO,aAAa;AAAA,EACpD,IAAI,gBAAI;AAAA,EACR,cAAc,gBAAI,IAAI;AAAA;AAAA,EACtB,aAAa,gBAAI,IAAI;AAAA;AACtB,CAAC;",
   "names": ["import_bcs"]
 }

package/dist/cjs/key-server.js

@@ -34,6 +34,7 @@ var import_error = require("./error.js");
 var import_ibe = require("./ibe.js");
 var import_version = require("./version.js");
 var import_utils = require("./utils.js");
+const EXPECTED_SERVER_VERSION = 1;
 var KeyServerType = /* @__PURE__ */ ((KeyServerType2) => {
   KeyServerType2[KeyServerType2["BonehFranklinBLS12381"] = 0] = "BonehFranklinBLS12381";
   return KeyServerType2;
@@ -42,8 +43,8 @@ const SERVER_VERSION_REQUIREMENT = new import_utils.Version("0.4.1");
 function getAllowlistedKeyServers(network) {
   if (network === "testnet") {
     return [
-      "0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8",
-      "0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06"
+      "0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75",
+      "0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8"
     ];
   } else {
     throw new import_error.UnsupportedNetworkError(`Unsupported network ${network}`);
@@ -55,31 +56,36 @@ async function retrieveKeyServers({
 }) {
   return await Promise.all(
     objectIds.map(async (objectId) => {
-      let res;
-      try {
-        res = await client.core.getObject({
-          objectId
-        });
-      } catch (e) {
-        throw new import_error.InvalidGetObjectError(`KeyServer ${objectId} not found; ${e.message}`);
-      }
+      const res = await client.core.getObject({
+        objectId
+      });
       const ks = import_bcs2.KeyServerMove.parse(res.object.content);
-      if (ks.keyType !== 0) {
-        throw new import_error.UnsupportedFeatureError(`Unsupported key type ${ks.keyType}`);
+      if (EXPECTED_SERVER_VERSION < Number(ks.firstVersion) || EXPECTED_SERVER_VERSION > Number(ks.lastVersion)) {
+        throw new import_error.InvalidKeyServerVersionError(
+          `Key server ${objectId} supports versions between ${ks.firstVersion} and ${ks.lastVersion} (inclusive), but SDK expects version ${EXPECTED_SERVER_VERSION}`
+        );
       }
+      const resVersionedKs = await client.core.getDynamicField({
+        parentId: objectId,
+        name: {
+          type: "u64",
+          bcs: import_bcs.bcs.u64().serialize(EXPECTED_SERVER_VERSION).toBytes()
+        }
+      });
+      const ksVersioned = import_bcs2.KeyServerMoveV1.parse(resVersionedKs.dynamicField.value.bcs);
       return {
         objectId,
-        name: ks.name,
-        url: ks.url,
-        keyType: 0 /* BonehFranklinBLS12381 */,
-        pk: new Uint8Array(ks.pk)
+        name: ksVersioned.name,
+        url: ksVersioned.url,
+        keyType: ksVersioned.keyType,
+        pk: new Uint8Array(ksVersioned.pk)
       };
     })
   );
 }
 async function verifyKeyServer(server, timeout, apiKeyName, apiKey) {
   const requestId = crypto.randomUUID();
-  const response = await fetch(server.url + "/v1/service", {
+  const response = await fetch(server.url + "/v1/service?service_id=" + server.objectId, {
     method: "GET",
     headers: {
       "Content-Type": "application/json",

package/dist/cjs/key-server.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/key-server.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport { fromBase64, fromHex, toHex } from '@mysten/bcs';\nimport { bls12_381 } from '@noble/curves/bls12-381';\n\nimport { KeyServerMove } from './bcs.js';\nimport {\n\tInvalidGetObjectError,\n\tInvalidKeyServerVersionError,\n\tSealAPIError,\n\tUnsupportedFeatureError,\n\tUnsupportedNetworkError,\n} from './error.js';\nimport { DST_POP } from './ibe.js';\nimport { PACKAGE_VERSION } from './version.js';\nimport type { SealCompatibleClient } from './types.js';\nimport type { G1Element } from './bls12381.js';\nimport { flatten, Version } from './utils.js';\n\nexport type KeyServer = {\n\tobjectId: string;\n\tname: string;\n\turl: string;\n\tkeyType: KeyServerType;\n\tpk: Uint8Array;\n};\n\nexport enum KeyServerType {\n\tBonehFranklinBLS12381 = 0,\n}\n\nexport const SERVER_VERSION_REQUIREMENT = new Version('0.4.1');\n\n/**\n * Returns a static list of Seal key server object ids that the dapp can choose to use.\n * @param network - The network to use.\n * @returns The object id's of the key servers.\n */\nexport function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): string[] {\n\tif (network === 'testnet') {\n\t\treturn [\n\t\t\t'0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8',\n\t\t\t'0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06',\n\t\t];\n\t} else {\n\t\tthrow new UnsupportedNetworkError(`Unsupported network ${network}`);\n\t}\n}\n\n/**\n * Given a list of key server object IDs, returns a list of SealKeyServer\n * from onchain state containing name, objectId, URL and pk.\n *\n * @param objectIds - The key server object IDs.\n * @param client - The SuiClient to use.\n * @returns - An array of SealKeyServer.\n */\nexport async function retrieveKeyServers({\n\tobjectIds,\n\tclient,\n}: {\n\tobjectIds: string[];\n\tclient: SealCompatibleClient;\n}): Promise<KeyServer[]> {\n\t// todo: do not fetch the same object ID if this is fetched before.\n\treturn await Promise.all(\n\t\tobjectIds.map(async (objectId) => {\n\t\t\tlet res;\n\t\t\ttry {\n\t\t\t\tres = await client.core.getObject({\n\t\t\t\t\tobjectId,\n\t\t\t\t});\n\t\t\t} catch (e) {\n\t\t\t\tthrow new InvalidGetObjectError(`KeyServer ${objectId} not found; ${(e as Error).message}`);\n\t\t\t}\n\n\t\t\tconst ks = KeyServerMove.parse(res.object.content);\n\t\t\tif (ks.keyType !== 0) {\n\t\t\t\tthrow new UnsupportedFeatureError(`Unsupported key type ${ks.keyType}`);\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tobjectId,\n\t\t\t\tname: ks.name,\n\t\t\t\turl: ks.url,\n\t\t\t\tkeyType: KeyServerType.BonehFranklinBLS12381,\n\t\t\t\tpk: new Uint8Array(ks.pk),\n\t\t\t};\n\t\t}),\n\t);\n}\n\n/**\n * Given a KeyServer, fetch the proof of possession (PoP) from the URL and verify it\n * against the pubkey. This should be used only rarely when the dapp uses a dynamic\n * set of key servers.\n *\n * @param server - The KeyServer to verify.\n * @returns - True if the key server is valid, false otherwise.\n */\nexport async function verifyKeyServer(\n\tserver: KeyServer,\n\ttimeout: number,\n\tapiKeyName?: string,\n\tapiKey?: string,\n): Promise<boolean> {\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(server.url! + '/v1/service', {\n\t\tmethod: 'GET',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t\t...(apiKeyName && apiKey ? { apiKeyName: apiKey } : {}),\n\t\t},\n\t\tsignal: AbortSignal.timeout(timeout),\n\t});\n\n\tawait SealAPIError.assertResponse(response, requestId);\n\tverifyKeyServerVersion(response);\n\tconst serviceResponse = await response.json();\n\n\tif (serviceResponse.service_id !== server.objectId) {\n\t\treturn false;\n\t}\n\tconst fullMsg = flatten([DST_POP, server.pk, fromHex(server.objectId)]);\n\treturn bls12_381.verifyShortSignature(fromBase64(serviceResponse.pop), fullMsg, server.pk);\n}\n\n/**\n * Verify the key server version. Throws an `InvalidKeyServerError` if the version is not supported.\n *\n * @param response - The response from the key server.\n */\nexport function verifyKeyServerVersion(response: Response) {\n\tconst keyServerVersion = response.headers.get('X-KeyServer-Version');\n\tif (keyServerVersion == null) {\n\t\tthrow new InvalidKeyServerVersionError('Key server version not found');\n\t}\n\tif (new Version(keyServerVersion).older_than(SERVER_VERSION_REQUIREMENT)) {\n\t\tthrow new InvalidKeyServerVersionError(\n\t\t\t`Key server version ${keyServerVersion} is not supported`,\n\t\t);\n\t}\n}\n\nexport interface DerivedKey {\n\ttoString(): string;\n}\n\n/**\n * A user secret key for the Boneh-Franklin BLS12381 scheme.\n * This is a wrapper around the G1Element type.\n */\nexport class BonehFranklinBLS12381DerivedKey implements DerivedKey {\n\trepresentation: string;\n\n\tconstructor(public key: G1Element) {\n\t\tthis.representation = toHex(key.toBytes());\n\t}\n\n\ttoString(): string {\n\t\treturn this.representation;\n\t}\n}\n"],
-  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,iBAA2C;AAC3C,uBAA0B;AAE1B,IAAAA,cAA8B;AAC9B,mBAMO;AACP,iBAAwB;AACxB,qBAAgC;AAGhC,mBAAiC;AAU1B,IAAK,gBAAL,kBAAKC,mBAAL;AACN,EAAAA,8BAAA,2BAAwB,KAAxB;AADW,SAAAA;AAAA,GAAA;AAIL,MAAM,6BAA6B,IAAI,qBAAQ,OAAO;AAOtD,SAAS,yBAAyB,SAA0C;AAClF,MAAI,YAAY,WAAW;AAC1B,WAAO;AAAA,MACN;AAAA,MACA;AAAA,IACD;AAAA,EACD,OAAO;AACN,UAAM,IAAI,qCAAwB,uBAAuB,OAAO,EAAE;AAAA,EACnE;AACD;AAUA,eAAsB,mBAAmB;AAAA,EACxC;AAAA,EACA;AACD,GAGyB;AAExB,SAAO,MAAM,QAAQ;AAAA,IACpB,UAAU,IAAI,OAAO,aAAa;AACjC,UAAI;AACJ,UAAI;AACH,cAAM,MAAM,OAAO,KAAK,UAAU;AAAA,UACjC;AAAA,QACD,CAAC;AAAA,MACF,SAAS,GAAG;AACX,cAAM,IAAI,mCAAsB,aAAa,QAAQ,eAAgB,EAAY,OAAO,EAAE;AAAA,MAC3F;AAEA,YAAM,KAAK,0BAAc,MAAM,IAAI,OAAO,OAAO;AACjD,UAAI,GAAG,YAAY,GAAG;AACrB,cAAM,IAAI,qCAAwB,wBAAwB,GAAG,OAAO,EAAE;AAAA,MACvE;AAEA,aAAO;AAAA,QACN;AAAA,QACA,MAAM,GAAG;AAAA,QACT,KAAK,GAAG;AAAA,QACR,SAAS;AAAA,QACT,IAAI,IAAI,WAAW,GAAG,EAAE;AAAA,MACzB;AAAA,IACD,CAAC;AAAA,EACF;AACD;AAUA,eAAsB,gBACrB,QACA,SACA,YACA,QACmB;AACnB,QAAM,YAAY,OAAO,WAAW;AACpC,QAAM,WAAW,MAAM,MAAM,OAAO,MAAO,eAAe;AAAA,IACzD,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,MAChB,cAAc;AAAA,MACd,mBAAmB;AAAA,MACnB,sBAAsB;AAAA,MACtB,GAAI,cAAc,SAAS,EAAE,YAAY,OAAO,IAAI,CAAC;AAAA,IACtD;AAAA,IACA,QAAQ,YAAY,QAAQ,OAAO;AAAA,EACpC,CAAC;AAED,QAAM,0BAAa,eAAe,UAAU,SAAS;AACrD,yBAAuB,QAAQ;AAC/B,QAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,MAAI,gBAAgB,eAAe,OAAO,UAAU;AACnD,WAAO;AAAA,EACR;AACA,QAAM,cAAU,sBAAQ,CAAC,oBAAS,OAAO,QAAI,oBAAQ,OAAO,QAAQ,CAAC,CAAC;AACtE,SAAO,2BAAU,yBAAqB,uBAAW,gBAAgB,GAAG,GAAG,SAAS,OAAO,EAAE;AAC1F;AAOO,SAAS,uBAAuB,UAAoB;AAC1D,QAAM,mBAAmB,SAAS,QAAQ,IAAI,qBAAqB;AACnE,MAAI,oBAAoB,MAAM;AAC7B,UAAM,IAAI,0CAA6B,8BAA8B;AAAA,EACtE;AACA,MAAI,IAAI,qBAAQ,gBAAgB,EAAE,WAAW,0BAA0B,GAAG;AACzE,UAAM,IAAI;AAAA,MACT,sBAAsB,gBAAgB;AAAA,IACvC;AAAA,EACD;AACD;AAUO,MAAM,gCAAsD;AAAA,EAGlE,YAAmB,KAAgB;AAAhB;AAClB,SAAK,qBAAiB,kBAAM,IAAI,QAAQ,CAAC;AAAA,EAC1C;AAAA,EAEA,WAAmB;AAClB,WAAO,KAAK;AAAA,EACb;AACD;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport { bcs, fromBase64, fromHex, toHex } from '@mysten/bcs';\nimport { bls12_381 } from '@noble/curves/bls12-381';\n\nimport { KeyServerMove, KeyServerMoveV1 } from './bcs.js';\nimport { InvalidKeyServerVersionError, SealAPIError, UnsupportedNetworkError } from './error.js';\nimport { DST_POP } from './ibe.js';\nimport { PACKAGE_VERSION } from './version.js';\nimport type { SealCompatibleClient } from './types.js';\nimport type { G1Element } from './bls12381.js';\nimport { flatten, Version } from './utils.js';\n\nconst EXPECTED_SERVER_VERSION = 1;\n\nexport type KeyServer = {\n\tobjectId: string;\n\tname: string;\n\turl: string;\n\tkeyType: KeyServerType;\n\tpk: Uint8Array;\n};\n\nexport enum KeyServerType {\n\tBonehFranklinBLS12381 = 0,\n}\n\nexport const SERVER_VERSION_REQUIREMENT = new Version('0.4.1');\n\n/**\n * Returns a static list of Seal key server object ids that the dapp can choose to use.\n * @param network - The network to use.\n * @returns The object id's of the key servers.\n */\nexport function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): string[] {\n\tif (network === 'testnet') {\n\t\treturn [\n\t\t\t'0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75',\n\t\t\t'0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8',\n\t\t];\n\t} else {\n\t\tthrow new UnsupportedNetworkError(`Unsupported network ${network}`);\n\t}\n}\n\n/**\n * Given a list of key server object IDs, returns a list of SealKeyServer\n * from onchain state containing name, objectId, URL and pk.\n *\n * @param objectIds - The key server object IDs.\n * @param client - The SuiClient to use.\n * @returns - An array of SealKeyServer.\n */\nexport async function retrieveKeyServers({\n\tobjectIds,\n\tclient,\n}: {\n\tobjectIds: string[];\n\tclient: SealCompatibleClient;\n}): Promise<KeyServer[]> {\n\treturn await Promise.all(\n\t\tobjectIds.map(async (objectId) => {\n\t\t\t// First get the KeyServer object and validate it.\n\t\t\tconst res = await client.core.getObject({\n\t\t\t\tobjectId,\n\t\t\t});\n\t\t\tconst ks = KeyServerMove.parse(res.object.content);\n\t\t\tif (\n\t\t\t\tEXPECTED_SERVER_VERSION < Number(ks.firstVersion) ||\n\t\t\t\tEXPECTED_SERVER_VERSION > Number(ks.lastVersion)\n\t\t\t) {\n\t\t\t\tthrow new InvalidKeyServerVersionError(\n\t\t\t\t\t`Key server ${objectId} supports versions between ${ks.firstVersion} and ${ks.lastVersion} (inclusive), but SDK expects version ${EXPECTED_SERVER_VERSION}`,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\t// Then fetch the expected versioned object and parse it.\n\t\t\tconst resVersionedKs = await client.core.getDynamicField({\n\t\t\t\tparentId: objectId,\n\t\t\t\tname: {\n\t\t\t\t\ttype: 'u64',\n\t\t\t\t\tbcs: bcs.u64().serialize(EXPECTED_SERVER_VERSION).toBytes(),\n\t\t\t\t},\n\t\t\t});\n\n\t\t\tconst ksVersioned = KeyServerMoveV1.parse(resVersionedKs.dynamicField.value.bcs);\n\n\t\t\treturn {\n\t\t\t\tobjectId,\n\t\t\t\tname: ksVersioned.name,\n\t\t\t\turl: ksVersioned.url,\n\t\t\t\tkeyType: ksVersioned.keyType,\n\t\t\t\tpk: new Uint8Array(ksVersioned.pk),\n\t\t\t};\n\t\t}),\n\t);\n}\n\n/**\n * Given a KeyServer, fetch the proof of possession (PoP) from the URL and verify it\n * against the pubkey. This should be used only rarely when the dapp uses a dynamic\n * set of key servers.\n *\n * @param server - The KeyServer to verify.\n * @returns - True if the key server is valid, false otherwise.\n */\nexport async function verifyKeyServer(\n\tserver: KeyServer,\n\ttimeout: number,\n\tapiKeyName?: string,\n\tapiKey?: string,\n): Promise<boolean> {\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(server.url! + '/v1/service?service_id=' + server.objectId, {\n\t\tmethod: 'GET',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t\t...(apiKeyName && apiKey ? { apiKeyName: apiKey } : {}),\n\t\t},\n\t\tsignal: AbortSignal.timeout(timeout),\n\t});\n\n\tawait SealAPIError.assertResponse(response, requestId);\n\tverifyKeyServerVersion(response);\n\tconst serviceResponse = await response.json();\n\n\tif (serviceResponse.service_id !== server.objectId) {\n\t\treturn false;\n\t}\n\tconst fullMsg = flatten([DST_POP, server.pk, fromHex(server.objectId)]);\n\treturn bls12_381.verifyShortSignature(fromBase64(serviceResponse.pop), fullMsg, server.pk);\n}\n\n/**\n * Verify the key server version. Throws an `InvalidKeyServerError` if the version is not supported.\n *\n * @param response - The response from the key server.\n */\nexport function verifyKeyServerVersion(response: Response) {\n\tconst keyServerVersion = response.headers.get('X-KeyServer-Version');\n\tif (keyServerVersion == null) {\n\t\tthrow new InvalidKeyServerVersionError('Key server version not found');\n\t}\n\tif (new Version(keyServerVersion).older_than(SERVER_VERSION_REQUIREMENT)) {\n\t\tthrow new InvalidKeyServerVersionError(\n\t\t\t`Key server version ${keyServerVersion} is not supported`,\n\t\t);\n\t}\n}\n\nexport interface DerivedKey {\n\ttoString(): string;\n}\n\n/**\n * A user secret key for the Boneh-Franklin BLS12381 scheme.\n * This is a wrapper around the G1Element type.\n */\nexport class BonehFranklinBLS12381DerivedKey implements DerivedKey {\n\trepresentation: string;\n\n\tconstructor(public key: G1Element) {\n\t\tthis.representation = toHex(key.toBytes());\n\t}\n\n\ttoString(): string {\n\t\treturn this.representation;\n\t}\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAEA,iBAAgD;AAChD,uBAA0B;AAE1B,IAAAA,cAA+C;AAC/C,mBAAoF;AACpF,iBAAwB;AACxB,qBAAgC;AAGhC,mBAAiC;AAEjC,MAAM,0BAA0B;AAUzB,IAAK,gBAAL,kBAAKC,mBAAL;AACN,EAAAA,8BAAA,2BAAwB,KAAxB;AADW,SAAAA;AAAA,GAAA;AAIL,MAAM,6BAA6B,IAAI,qBAAQ,OAAO;AAOtD,SAAS,yBAAyB,SAA0C;AAClF,MAAI,YAAY,WAAW;AAC1B,WAAO;AAAA,MACN;AAAA,MACA;AAAA,IACD;AAAA,EACD,OAAO;AACN,UAAM,IAAI,qCAAwB,uBAAuB,OAAO,EAAE;AAAA,EACnE;AACD;AAUA,eAAsB,mBAAmB;AAAA,EACxC;AAAA,EACA;AACD,GAGyB;AACxB,SAAO,MAAM,QAAQ;AAAA,IACpB,UAAU,IAAI,OAAO,aAAa;AAEjC,YAAM,MAAM,MAAM,OAAO,KAAK,UAAU;AAAA,QACvC;AAAA,MACD,CAAC;AACD,YAAM,KAAK,0BAAc,MAAM,IAAI,OAAO,OAAO;AACjD,UACC,0BAA0B,OAAO,GAAG,YAAY,KAChD,0BAA0B,OAAO,GAAG,WAAW,GAC9C;AACD,cAAM,IAAI;AAAA,UACT,cAAc,QAAQ,8BAA8B,GAAG,YAAY,QAAQ,GAAG,WAAW,yCAAyC,uBAAuB;AAAA,QAC1J;AAAA,MACD;AAGA,YAAM,iBAAiB,MAAM,OAAO,KAAK,gBAAgB;AAAA,QACxD,UAAU;AAAA,QACV,MAAM;AAAA,UACL,MAAM;AAAA,UACN,KAAK,eAAI,IAAI,EAAE,UAAU,uBAAuB,EAAE,QAAQ;AAAA,QAC3D;AAAA,MACD,CAAC;AAED,YAAM,cAAc,4BAAgB,MAAM,eAAe,aAAa,MAAM,GAAG;AAE/E,aAAO;AAAA,QACN;AAAA,QACA,MAAM,YAAY;AAAA,QAClB,KAAK,YAAY;AAAA,QACjB,SAAS,YAAY;AAAA,QACrB,IAAI,IAAI,WAAW,YAAY,EAAE;AAAA,MAClC;AAAA,IACD,CAAC;AAAA,EACF;AACD;AAUA,eAAsB,gBACrB,QACA,SACA,YACA,QACmB;AACnB,QAAM,YAAY,OAAO,WAAW;AACpC,QAAM,WAAW,MAAM,MAAM,OAAO,MAAO,4BAA4B,OAAO,UAAU;AAAA,IACvF,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,MAChB,cAAc;AAAA,MACd,mBAAmB;AAAA,MACnB,sBAAsB;AAAA,MACtB,GAAI,cAAc,SAAS,EAAE,YAAY,OAAO,IAAI,CAAC;AAAA,IACtD;AAAA,IACA,QAAQ,YAAY,QAAQ,OAAO;AAAA,EACpC,CAAC;AAED,QAAM,0BAAa,eAAe,UAAU,SAAS;AACrD,yBAAuB,QAAQ;AAC/B,QAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,MAAI,gBAAgB,eAAe,OAAO,UAAU;AACnD,WAAO;AAAA,EACR;AACA,QAAM,cAAU,sBAAQ,CAAC,oBAAS,OAAO,QAAI,oBAAQ,OAAO,QAAQ,CAAC,CAAC;AACtE,SAAO,2BAAU,yBAAqB,uBAAW,gBAAgB,GAAG,GAAG,SAAS,OAAO,EAAE;AAC1F;AAOO,SAAS,uBAAuB,UAAoB;AAC1D,QAAM,mBAAmB,SAAS,QAAQ,IAAI,qBAAqB;AACnE,MAAI,oBAAoB,MAAM;AAC7B,UAAM,IAAI,0CAA6B,8BAA8B;AAAA,EACtE;AACA,MAAI,IAAI,qBAAQ,gBAAgB,EAAE,WAAW,0BAA0B,GAAG;AACzE,UAAM,IAAI;AAAA,MACT,sBAAsB,gBAAgB;AAAA,IACvC;AAAA,EACD;AACD;AAUO,MAAM,gCAAsD;AAAA,EAGlE,YAAmB,KAAgB;AAAhB;AAClB,SAAK,qBAAiB,kBAAM,IAAI,QAAQ,CAAC;AAAA,EAC1C;AAAA,EAEA,WAAmB;AAClB,WAAO,KAAK;AAAA,EACb;AACD;",
   "names": ["import_bcs", "KeyServerType"]
 }

package/dist/cjs/version.d.ts

@@ -1 +1 @@
-export declare const PACKAGE_VERSION = "0.4.10";
+export declare const PACKAGE_VERSION = "0.4.11";

package/dist/cjs/version.js

@@ -21,5 +21,5 @@ __export(version_exports, {
   PACKAGE_VERSION: () => PACKAGE_VERSION
 });
 module.exports = __toCommonJS(version_exports);
-const PACKAGE_VERSION = "0.4.10";
+const PACKAGE_VERSION = "0.4.11";
 //# sourceMappingURL=version.js.map

package/dist/cjs/version.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/version.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '0.4.10';\n"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '0.4.11';\n"],
   "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAKO,MAAM,kBAAkB;",
   "names": []
 }

package/dist/esm/bcs.d.ts

@@ -113,16 +113,14 @@ export declare const EncryptedObject: import("@mysten/bcs").BcsType<{
     }>;
 }>;
 /**
- * The Move struct for the KeyServer object.
+ * The Move struct for the KeyServerV1 object.
  */
-export declare const KeyServerMove: import("@mysten/bcs").BcsType<{
-    id: string;
+export declare const KeyServerMoveV1: import("@mysten/bcs").BcsType<{
     name: string;
     url: string;
     keyType: number;
     pk: number[];
 }, {
-    id: string | Uint8Array<ArrayBufferLike>;
     name: string;
     url: string;
     keyType: number;
@@ -130,3 +128,15 @@ export declare const KeyServerMove: import("@mysten/bcs").BcsType<{
         length: number;
     };
 }>;
+/**
+ * The Move struct for the parent object.
+ */
+export declare const KeyServerMove: import("@mysten/bcs").BcsType<{
+    id: string;
+    firstVersion: string;
+    lastVersion: string;
+}, {
+    id: string | Uint8Array<ArrayBufferLike>;
+    firstVersion: string | number | bigint;
+    lastVersion: string | number | bigint;
+}>;

package/dist/esm/bcs.js

@@ -31,17 +31,24 @@ const EncryptedObject = bcs.struct("EncryptedObject", {
   encryptedShares: IBEEncryptions,
   ciphertext: Ciphertext
 });
-const KeyServerMove = bcs.struct("KeyServer", {
-  id: bcs.Address,
+const KeyServerMoveV1 = bcs.struct("KeyServerV1", {
   name: bcs.string(),
   url: bcs.string(),
   keyType: bcs.u8(),
   pk: bcs.vector(bcs.u8())
 });
+const KeyServerMove = bcs.struct("KeyServer", {
+  id: bcs.Address,
+  firstVersion: bcs.u64(),
+  // latest version
+  lastVersion: bcs.u64()
+  // oldest version
+});
 export {
   Ciphertext,
   EncryptedObject,
   IBEEncryptions,
-  KeyServerMove
+  KeyServerMove,
+  KeyServerMoveV1
 };
 //# sourceMappingURL=bcs.js.map

package/dist/esm/bcs.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/bcs.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex, toHex } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\n\nexport const IBEEncryptions = bcs.enum('IBEEncryptions', {\n\tBonehFranklinBLS12381: bcs.struct('BonehFranklinBLS12381', {\n\t\tnonce: bcs.bytes(96),\n\t\tencryptedShares: bcs.vector(bcs.bytes(32)),\n\t\tencryptedRandomness: bcs.bytes(32),\n\t}),\n});\n\nexport const Ciphertext = bcs.enum('Ciphertext', {\n\tAes256Gcm: bcs.struct('Aes256Gcm', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t}),\n\tHmac256Ctr: bcs.struct('Hmac256Ctr', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t\tmac: bcs.bytes(32),\n\t}),\n\tPlain: bcs.struct('Plain', {}),\n});\n\n/**\n * The encrypted object format. Should be aligned with the Rust implementation.\n */\nexport const EncryptedObject = bcs.struct('EncryptedObject', {\n\tversion: bcs.U8,\n\tpackageId: bcs.Address,\n\tid: bcs.vector(bcs.U8).transform({\n\t\toutput: (val) => toHex(new Uint8Array(val)),\n\t\tinput: (val: string) => fromHex(val),\n\t}),\n\tservices: bcs.vector(bcs.tuple([bcs.Address, bcs.U8])),\n\tthreshold: bcs.U8,\n\tencryptedShares: IBEEncryptions,\n\tciphertext: Ciphertext,\n});\n\n/**\n * The Move struct for the KeyServer object.\n */\nexport const KeyServerMove = bcs.struct('KeyServer', {\n\tid: bcs.Address,\n\tname: bcs.string(),\n\turl: bcs.string(),\n\tkeyType: bcs.u8(),\n\tpk: bcs.vector(bcs.u8()),\n});\n"],
-  "mappings": "AAGA,SAAS,SAAS,aAAa;AAC/B,SAAS,WAAW;AAEb,MAAM,iBAAiB,IAAI,KAAK,kBAAkB;AAAA,EACxD,uBAAuB,IAAI,OAAO,yBAAyB;AAAA,IAC1D,OAAO,IAAI,MAAM,EAAE;AAAA,IACnB,iBAAiB,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;AAAA,IACzC,qBAAqB,IAAI,MAAM,EAAE;AAAA,EAClC,CAAC;AACF,CAAC;AAEM,MAAM,aAAa,IAAI,KAAK,cAAc;AAAA,EAChD,WAAW,IAAI,OAAO,aAAa;AAAA,IAClC,MAAM,IAAI,OAAO,IAAI,EAAE;AAAA,IACvB,KAAK,IAAI,OAAO,IAAI,OAAO,IAAI,EAAE,CAAC;AAAA,EACnC,CAAC;AAAA,EACD,YAAY,IAAI,OAAO,cAAc;AAAA,IACpC,MAAM,IAAI,OAAO,IAAI,EAAE;AAAA,IACvB,KAAK,IAAI,OAAO,IAAI,OAAO,IAAI,EAAE,CAAC;AAAA,IAClC,KAAK,IAAI,MAAM,EAAE;AAAA,EAClB,CAAC;AAAA,EACD,OAAO,IAAI,OAAO,SAAS,CAAC,CAAC;AAC9B,CAAC;AAKM,MAAM,kBAAkB,IAAI,OAAO,mBAAmB;AAAA,EAC5D,SAAS,IAAI;AAAA,EACb,WAAW,IAAI;AAAA,EACf,IAAI,IAAI,OAAO,IAAI,EAAE,EAAE,UAAU;AAAA,IAChC,QAAQ,CAAC,QAAQ,MAAM,IAAI,WAAW,GAAG,CAAC;AAAA,IAC1C,OAAO,CAAC,QAAgB,QAAQ,GAAG;AAAA,EACpC,CAAC;AAAA,EACD,UAAU,IAAI,OAAO,IAAI,MAAM,CAAC,IAAI,SAAS,IAAI,EAAE,CAAC,CAAC;AAAA,EACrD,WAAW,IAAI;AAAA,EACf,iBAAiB;AAAA,EACjB,YAAY;AACb,CAAC;AAKM,MAAM,gBAAgB,IAAI,OAAO,aAAa;AAAA,EACpD,IAAI,IAAI;AAAA,EACR,MAAM,IAAI,OAAO;AAAA,EACjB,KAAK,IAAI,OAAO;AAAA,EAChB,SAAS,IAAI,GAAG;AAAA,EAChB,IAAI,IAAI,OAAO,IAAI,GAAG,CAAC;AACxB,CAAC;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { fromHex, toHex } from '@mysten/bcs';\nimport { bcs } from '@mysten/sui/bcs';\n\nexport const IBEEncryptions = bcs.enum('IBEEncryptions', {\n\tBonehFranklinBLS12381: bcs.struct('BonehFranklinBLS12381', {\n\t\tnonce: bcs.bytes(96),\n\t\tencryptedShares: bcs.vector(bcs.bytes(32)),\n\t\tencryptedRandomness: bcs.bytes(32),\n\t}),\n});\n\nexport const Ciphertext = bcs.enum('Ciphertext', {\n\tAes256Gcm: bcs.struct('Aes256Gcm', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t}),\n\tHmac256Ctr: bcs.struct('Hmac256Ctr', {\n\t\tblob: bcs.vector(bcs.U8),\n\t\taad: bcs.option(bcs.vector(bcs.U8)),\n\t\tmac: bcs.bytes(32),\n\t}),\n\tPlain: bcs.struct('Plain', {}),\n});\n\n/**\n * The encrypted object format. Should be aligned with the Rust implementation.\n */\nexport const EncryptedObject = bcs.struct('EncryptedObject', {\n\tversion: bcs.U8,\n\tpackageId: bcs.Address,\n\tid: bcs.vector(bcs.U8).transform({\n\t\toutput: (val) => toHex(new Uint8Array(val)),\n\t\tinput: (val: string) => fromHex(val),\n\t}),\n\tservices: bcs.vector(bcs.tuple([bcs.Address, bcs.U8])),\n\tthreshold: bcs.U8,\n\tencryptedShares: IBEEncryptions,\n\tciphertext: Ciphertext,\n});\n\n/**\n * The Move struct for the KeyServerV1 object.\n */\nexport const KeyServerMoveV1 = bcs.struct('KeyServerV1', {\n\tname: bcs.string(),\n\turl: bcs.string(),\n\tkeyType: bcs.u8(),\n\tpk: bcs.vector(bcs.u8()),\n});\n\n/**\n * The Move struct for the parent object.\n */\nexport const KeyServerMove = bcs.struct('KeyServer', {\n\tid: bcs.Address,\n\tfirstVersion: bcs.u64(), // latest version\n\tlastVersion: bcs.u64(), // oldest version\n});\n"],
+  "mappings": "AAGA,SAAS,SAAS,aAAa;AAC/B,SAAS,WAAW;AAEb,MAAM,iBAAiB,IAAI,KAAK,kBAAkB;AAAA,EACxD,uBAAuB,IAAI,OAAO,yBAAyB;AAAA,IAC1D,OAAO,IAAI,MAAM,EAAE;AAAA,IACnB,iBAAiB,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;AAAA,IACzC,qBAAqB,IAAI,MAAM,EAAE;AAAA,EAClC,CAAC;AACF,CAAC;AAEM,MAAM,aAAa,IAAI,KAAK,cAAc;AAAA,EAChD,WAAW,IAAI,OAAO,aAAa;AAAA,IAClC,MAAM,IAAI,OAAO,IAAI,EAAE;AAAA,IACvB,KAAK,IAAI,OAAO,IAAI,OAAO,IAAI,EAAE,CAAC;AAAA,EACnC,CAAC;AAAA,EACD,YAAY,IAAI,OAAO,cAAc;AAAA,IACpC,MAAM,IAAI,OAAO,IAAI,EAAE;AAAA,IACvB,KAAK,IAAI,OAAO,IAAI,OAAO,IAAI,EAAE,CAAC;AAAA,IAClC,KAAK,IAAI,MAAM,EAAE;AAAA,EAClB,CAAC;AAAA,EACD,OAAO,IAAI,OAAO,SAAS,CAAC,CAAC;AAC9B,CAAC;AAKM,MAAM,kBAAkB,IAAI,OAAO,mBAAmB;AAAA,EAC5D,SAAS,IAAI;AAAA,EACb,WAAW,IAAI;AAAA,EACf,IAAI,IAAI,OAAO,IAAI,EAAE,EAAE,UAAU;AAAA,IAChC,QAAQ,CAAC,QAAQ,MAAM,IAAI,WAAW,GAAG,CAAC;AAAA,IAC1C,OAAO,CAAC,QAAgB,QAAQ,GAAG;AAAA,EACpC,CAAC;AAAA,EACD,UAAU,IAAI,OAAO,IAAI,MAAM,CAAC,IAAI,SAAS,IAAI,EAAE,CAAC,CAAC;AAAA,EACrD,WAAW,IAAI;AAAA,EACf,iBAAiB;AAAA,EACjB,YAAY;AACb,CAAC;AAKM,MAAM,kBAAkB,IAAI,OAAO,eAAe;AAAA,EACxD,MAAM,IAAI,OAAO;AAAA,EACjB,KAAK,IAAI,OAAO;AAAA,EAChB,SAAS,IAAI,GAAG;AAAA,EAChB,IAAI,IAAI,OAAO,IAAI,GAAG,CAAC;AACxB,CAAC;AAKM,MAAM,gBAAgB,IAAI,OAAO,aAAa;AAAA,EACpD,IAAI,IAAI;AAAA,EACR,cAAc,IAAI,IAAI;AAAA;AAAA,EACtB,aAAa,IAAI,IAAI;AAAA;AACtB,CAAC;",
   "names": []
 }

package/dist/esm/key-server.js

@@ -1,16 +1,11 @@
-import { fromBase64, fromHex, toHex } from "@mysten/bcs";
+import { bcs, fromBase64, fromHex, toHex } from "@mysten/bcs";
 import { bls12_381 } from "@noble/curves/bls12-381";
-import { KeyServerMove } from "./bcs.js";
-import {
-  InvalidGetObjectError,
-  InvalidKeyServerVersionError,
-  SealAPIError,
-  UnsupportedFeatureError,
-  UnsupportedNetworkError
-} from "./error.js";
+import { KeyServerMove, KeyServerMoveV1 } from "./bcs.js";
+import { InvalidKeyServerVersionError, SealAPIError, UnsupportedNetworkError } from "./error.js";
 import { DST_POP } from "./ibe.js";
 import { PACKAGE_VERSION } from "./version.js";
 import { flatten, Version } from "./utils.js";
+const EXPECTED_SERVER_VERSION = 1;
 var KeyServerType = /* @__PURE__ */ ((KeyServerType2) => {
   KeyServerType2[KeyServerType2["BonehFranklinBLS12381"] = 0] = "BonehFranklinBLS12381";
   return KeyServerType2;
@@ -19,8 +14,8 @@ const SERVER_VERSION_REQUIREMENT = new Version("0.4.1");
 function getAllowlistedKeyServers(network) {
   if (network === "testnet") {
     return [
-      "0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8",
-      "0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06"
+      "0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75",
+      "0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8"
     ];
   } else {
     throw new UnsupportedNetworkError(`Unsupported network ${network}`);
@@ -32,31 +27,36 @@ async function retrieveKeyServers({
 }) {
   return await Promise.all(
     objectIds.map(async (objectId) => {
-      let res;
-      try {
-        res = await client.core.getObject({
-          objectId
-        });
-      } catch (e) {
-        throw new InvalidGetObjectError(`KeyServer ${objectId} not found; ${e.message}`);
-      }
+      const res = await client.core.getObject({
+        objectId
+      });
       const ks = KeyServerMove.parse(res.object.content);
-      if (ks.keyType !== 0) {
-        throw new UnsupportedFeatureError(`Unsupported key type ${ks.keyType}`);
+      if (EXPECTED_SERVER_VERSION < Number(ks.firstVersion) || EXPECTED_SERVER_VERSION > Number(ks.lastVersion)) {
+        throw new InvalidKeyServerVersionError(
+          `Key server ${objectId} supports versions between ${ks.firstVersion} and ${ks.lastVersion} (inclusive), but SDK expects version ${EXPECTED_SERVER_VERSION}`
+        );
       }
+      const resVersionedKs = await client.core.getDynamicField({
+        parentId: objectId,
+        name: {
+          type: "u64",
+          bcs: bcs.u64().serialize(EXPECTED_SERVER_VERSION).toBytes()
+        }
+      });
+      const ksVersioned = KeyServerMoveV1.parse(resVersionedKs.dynamicField.value.bcs);
       return {
         objectId,
-        name: ks.name,
-        url: ks.url,
-        keyType: 0 /* BonehFranklinBLS12381 */,
-        pk: new Uint8Array(ks.pk)
+        name: ksVersioned.name,
+        url: ksVersioned.url,
+        keyType: ksVersioned.keyType,
+        pk: new Uint8Array(ksVersioned.pk)
       };
     })
   );
 }
 async function verifyKeyServer(server, timeout, apiKeyName, apiKey) {
   const requestId = crypto.randomUUID();
-  const response = await fetch(server.url + "/v1/service", {
+  const response = await fetch(server.url + "/v1/service?service_id=" + server.objectId, {
     method: "GET",
     headers: {
       "Content-Type": "application/json",

package/dist/esm/key-server.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/key-server.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport { fromBase64, fromHex, toHex } from '@mysten/bcs';\nimport { bls12_381 } from '@noble/curves/bls12-381';\n\nimport { KeyServerMove } from './bcs.js';\nimport {\n\tInvalidGetObjectError,\n\tInvalidKeyServerVersionError,\n\tSealAPIError,\n\tUnsupportedFeatureError,\n\tUnsupportedNetworkError,\n} from './error.js';\nimport { DST_POP } from './ibe.js';\nimport { PACKAGE_VERSION } from './version.js';\nimport type { SealCompatibleClient } from './types.js';\nimport type { G1Element } from './bls12381.js';\nimport { flatten, Version } from './utils.js';\n\nexport type KeyServer = {\n\tobjectId: string;\n\tname: string;\n\turl: string;\n\tkeyType: KeyServerType;\n\tpk: Uint8Array;\n};\n\nexport enum KeyServerType {\n\tBonehFranklinBLS12381 = 0,\n}\n\nexport const SERVER_VERSION_REQUIREMENT = new Version('0.4.1');\n\n/**\n * Returns a static list of Seal key server object ids that the dapp can choose to use.\n * @param network - The network to use.\n * @returns The object id's of the key servers.\n */\nexport function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): string[] {\n\tif (network === 'testnet') {\n\t\treturn [\n\t\t\t'0xb35a7228d8cf224ad1e828c0217c95a5153bafc2906d6f9c178197dce26fbcf8',\n\t\t\t'0x2d6cde8a9d9a65bde3b0a346566945a63b4bfb70e9a06c41bdb70807e2502b06',\n\t\t];\n\t} else {\n\t\tthrow new UnsupportedNetworkError(`Unsupported network ${network}`);\n\t}\n}\n\n/**\n * Given a list of key server object IDs, returns a list of SealKeyServer\n * from onchain state containing name, objectId, URL and pk.\n *\n * @param objectIds - The key server object IDs.\n * @param client - The SuiClient to use.\n * @returns - An array of SealKeyServer.\n */\nexport async function retrieveKeyServers({\n\tobjectIds,\n\tclient,\n}: {\n\tobjectIds: string[];\n\tclient: SealCompatibleClient;\n}): Promise<KeyServer[]> {\n\t// todo: do not fetch the same object ID if this is fetched before.\n\treturn await Promise.all(\n\t\tobjectIds.map(async (objectId) => {\n\t\t\tlet res;\n\t\t\ttry {\n\t\t\t\tres = await client.core.getObject({\n\t\t\t\t\tobjectId,\n\t\t\t\t});\n\t\t\t} catch (e) {\n\t\t\t\tthrow new InvalidGetObjectError(`KeyServer ${objectId} not found; ${(e as Error).message}`);\n\t\t\t}\n\n\t\t\tconst ks = KeyServerMove.parse(res.object.content);\n\t\t\tif (ks.keyType !== 0) {\n\t\t\t\tthrow new UnsupportedFeatureError(`Unsupported key type ${ks.keyType}`);\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tobjectId,\n\t\t\t\tname: ks.name,\n\t\t\t\turl: ks.url,\n\t\t\t\tkeyType: KeyServerType.BonehFranklinBLS12381,\n\t\t\t\tpk: new Uint8Array(ks.pk),\n\t\t\t};\n\t\t}),\n\t);\n}\n\n/**\n * Given a KeyServer, fetch the proof of possession (PoP) from the URL and verify it\n * against the pubkey. This should be used only rarely when the dapp uses a dynamic\n * set of key servers.\n *\n * @param server - The KeyServer to verify.\n * @returns - True if the key server is valid, false otherwise.\n */\nexport async function verifyKeyServer(\n\tserver: KeyServer,\n\ttimeout: number,\n\tapiKeyName?: string,\n\tapiKey?: string,\n): Promise<boolean> {\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(server.url! + '/v1/service', {\n\t\tmethod: 'GET',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t\t...(apiKeyName && apiKey ? { apiKeyName: apiKey } : {}),\n\t\t},\n\t\tsignal: AbortSignal.timeout(timeout),\n\t});\n\n\tawait SealAPIError.assertResponse(response, requestId);\n\tverifyKeyServerVersion(response);\n\tconst serviceResponse = await response.json();\n\n\tif (serviceResponse.service_id !== server.objectId) {\n\t\treturn false;\n\t}\n\tconst fullMsg = flatten([DST_POP, server.pk, fromHex(server.objectId)]);\n\treturn bls12_381.verifyShortSignature(fromBase64(serviceResponse.pop), fullMsg, server.pk);\n}\n\n/**\n * Verify the key server version. Throws an `InvalidKeyServerError` if the version is not supported.\n *\n * @param response - The response from the key server.\n */\nexport function verifyKeyServerVersion(response: Response) {\n\tconst keyServerVersion = response.headers.get('X-KeyServer-Version');\n\tif (keyServerVersion == null) {\n\t\tthrow new InvalidKeyServerVersionError('Key server version not found');\n\t}\n\tif (new Version(keyServerVersion).older_than(SERVER_VERSION_REQUIREMENT)) {\n\t\tthrow new InvalidKeyServerVersionError(\n\t\t\t`Key server version ${keyServerVersion} is not supported`,\n\t\t);\n\t}\n}\n\nexport interface DerivedKey {\n\ttoString(): string;\n}\n\n/**\n * A user secret key for the Boneh-Franklin BLS12381 scheme.\n * This is a wrapper around the G1Element type.\n */\nexport class BonehFranklinBLS12381DerivedKey implements DerivedKey {\n\trepresentation: string;\n\n\tconstructor(public key: G1Element) {\n\t\tthis.representation = toHex(key.toBytes());\n\t}\n\n\ttoString(): string {\n\t\treturn this.representation;\n\t}\n}\n"],
-  "mappings": "AAEA,SAAS,YAAY,SAAS,aAAa;AAC3C,SAAS,iBAAiB;AAE1B,SAAS,qBAAqB;AAC9B;AAAA,EACC;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACM;AACP,SAAS,eAAe;AACxB,SAAS,uBAAuB;AAGhC,SAAS,SAAS,eAAe;AAU1B,IAAK,gBAAL,kBAAKA,mBAAL;AACN,EAAAA,8BAAA,2BAAwB,KAAxB;AADW,SAAAA;AAAA,GAAA;AAIL,MAAM,6BAA6B,IAAI,QAAQ,OAAO;AAOtD,SAAS,yBAAyB,SAA0C;AAClF,MAAI,YAAY,WAAW;AAC1B,WAAO;AAAA,MACN;AAAA,MACA;AAAA,IACD;AAAA,EACD,OAAO;AACN,UAAM,IAAI,wBAAwB,uBAAuB,OAAO,EAAE;AAAA,EACnE;AACD;AAUA,eAAsB,mBAAmB;AAAA,EACxC;AAAA,EACA;AACD,GAGyB;AAExB,SAAO,MAAM,QAAQ;AAAA,IACpB,UAAU,IAAI,OAAO,aAAa;AACjC,UAAI;AACJ,UAAI;AACH,cAAM,MAAM,OAAO,KAAK,UAAU;AAAA,UACjC;AAAA,QACD,CAAC;AAAA,MACF,SAAS,GAAG;AACX,cAAM,IAAI,sBAAsB,aAAa,QAAQ,eAAgB,EAAY,OAAO,EAAE;AAAA,MAC3F;AAEA,YAAM,KAAK,cAAc,MAAM,IAAI,OAAO,OAAO;AACjD,UAAI,GAAG,YAAY,GAAG;AACrB,cAAM,IAAI,wBAAwB,wBAAwB,GAAG,OAAO,EAAE;AAAA,MACvE;AAEA,aAAO;AAAA,QACN;AAAA,QACA,MAAM,GAAG;AAAA,QACT,KAAK,GAAG;AAAA,QACR,SAAS;AAAA,QACT,IAAI,IAAI,WAAW,GAAG,EAAE;AAAA,MACzB;AAAA,IACD,CAAC;AAAA,EACF;AACD;AAUA,eAAsB,gBACrB,QACA,SACA,YACA,QACmB;AACnB,QAAM,YAAY,OAAO,WAAW;AACpC,QAAM,WAAW,MAAM,MAAM,OAAO,MAAO,eAAe;AAAA,IACzD,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,MAChB,cAAc;AAAA,MACd,mBAAmB;AAAA,MACnB,sBAAsB;AAAA,MACtB,GAAI,cAAc,SAAS,EAAE,YAAY,OAAO,IAAI,CAAC;AAAA,IACtD;AAAA,IACA,QAAQ,YAAY,QAAQ,OAAO;AAAA,EACpC,CAAC;AAED,QAAM,aAAa,eAAe,UAAU,SAAS;AACrD,yBAAuB,QAAQ;AAC/B,QAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,MAAI,gBAAgB,eAAe,OAAO,UAAU;AACnD,WAAO;AAAA,EACR;AACA,QAAM,UAAU,QAAQ,CAAC,SAAS,OAAO,IAAI,QAAQ,OAAO,QAAQ,CAAC,CAAC;AACtE,SAAO,UAAU,qBAAqB,WAAW,gBAAgB,GAAG,GAAG,SAAS,OAAO,EAAE;AAC1F;AAOO,SAAS,uBAAuB,UAAoB;AAC1D,QAAM,mBAAmB,SAAS,QAAQ,IAAI,qBAAqB;AACnE,MAAI,oBAAoB,MAAM;AAC7B,UAAM,IAAI,6BAA6B,8BAA8B;AAAA,EACtE;AACA,MAAI,IAAI,QAAQ,gBAAgB,EAAE,WAAW,0BAA0B,GAAG;AACzE,UAAM,IAAI;AAAA,MACT,sBAAsB,gBAAgB;AAAA,IACvC;AAAA,EACD;AACD;AAUO,MAAM,gCAAsD;AAAA,EAGlE,YAAmB,KAAgB;AAAhB;AAClB,SAAK,iBAAiB,MAAM,IAAI,QAAQ,CAAC;AAAA,EAC1C;AAAA,EAEA,WAAmB;AAClB,WAAO,KAAK;AAAA,EACb;AACD;",
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport { bcs, fromBase64, fromHex, toHex } from '@mysten/bcs';\nimport { bls12_381 } from '@noble/curves/bls12-381';\n\nimport { KeyServerMove, KeyServerMoveV1 } from './bcs.js';\nimport { InvalidKeyServerVersionError, SealAPIError, UnsupportedNetworkError } from './error.js';\nimport { DST_POP } from './ibe.js';\nimport { PACKAGE_VERSION } from './version.js';\nimport type { SealCompatibleClient } from './types.js';\nimport type { G1Element } from './bls12381.js';\nimport { flatten, Version } from './utils.js';\n\nconst EXPECTED_SERVER_VERSION = 1;\n\nexport type KeyServer = {\n\tobjectId: string;\n\tname: string;\n\turl: string;\n\tkeyType: KeyServerType;\n\tpk: Uint8Array;\n};\n\nexport enum KeyServerType {\n\tBonehFranklinBLS12381 = 0,\n}\n\nexport const SERVER_VERSION_REQUIREMENT = new Version('0.4.1');\n\n/**\n * Returns a static list of Seal key server object ids that the dapp can choose to use.\n * @param network - The network to use.\n * @returns The object id's of the key servers.\n */\nexport function getAllowlistedKeyServers(network: 'testnet' | 'mainnet'): string[] {\n\tif (network === 'testnet') {\n\t\treturn [\n\t\t\t'0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75',\n\t\t\t'0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8',\n\t\t];\n\t} else {\n\t\tthrow new UnsupportedNetworkError(`Unsupported network ${network}`);\n\t}\n}\n\n/**\n * Given a list of key server object IDs, returns a list of SealKeyServer\n * from onchain state containing name, objectId, URL and pk.\n *\n * @param objectIds - The key server object IDs.\n * @param client - The SuiClient to use.\n * @returns - An array of SealKeyServer.\n */\nexport async function retrieveKeyServers({\n\tobjectIds,\n\tclient,\n}: {\n\tobjectIds: string[];\n\tclient: SealCompatibleClient;\n}): Promise<KeyServer[]> {\n\treturn await Promise.all(\n\t\tobjectIds.map(async (objectId) => {\n\t\t\t// First get the KeyServer object and validate it.\n\t\t\tconst res = await client.core.getObject({\n\t\t\t\tobjectId,\n\t\t\t});\n\t\t\tconst ks = KeyServerMove.parse(res.object.content);\n\t\t\tif (\n\t\t\t\tEXPECTED_SERVER_VERSION < Number(ks.firstVersion) ||\n\t\t\t\tEXPECTED_SERVER_VERSION > Number(ks.lastVersion)\n\t\t\t) {\n\t\t\t\tthrow new InvalidKeyServerVersionError(\n\t\t\t\t\t`Key server ${objectId} supports versions between ${ks.firstVersion} and ${ks.lastVersion} (inclusive), but SDK expects version ${EXPECTED_SERVER_VERSION}`,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\t// Then fetch the expected versioned object and parse it.\n\t\t\tconst resVersionedKs = await client.core.getDynamicField({\n\t\t\t\tparentId: objectId,\n\t\t\t\tname: {\n\t\t\t\t\ttype: 'u64',\n\t\t\t\t\tbcs: bcs.u64().serialize(EXPECTED_SERVER_VERSION).toBytes(),\n\t\t\t\t},\n\t\t\t});\n\n\t\t\tconst ksVersioned = KeyServerMoveV1.parse(resVersionedKs.dynamicField.value.bcs);\n\n\t\t\treturn {\n\t\t\t\tobjectId,\n\t\t\t\tname: ksVersioned.name,\n\t\t\t\turl: ksVersioned.url,\n\t\t\t\tkeyType: ksVersioned.keyType,\n\t\t\t\tpk: new Uint8Array(ksVersioned.pk),\n\t\t\t};\n\t\t}),\n\t);\n}\n\n/**\n * Given a KeyServer, fetch the proof of possession (PoP) from the URL and verify it\n * against the pubkey. This should be used only rarely when the dapp uses a dynamic\n * set of key servers.\n *\n * @param server - The KeyServer to verify.\n * @returns - True if the key server is valid, false otherwise.\n */\nexport async function verifyKeyServer(\n\tserver: KeyServer,\n\ttimeout: number,\n\tapiKeyName?: string,\n\tapiKey?: string,\n): Promise<boolean> {\n\tconst requestId = crypto.randomUUID();\n\tconst response = await fetch(server.url! + '/v1/service?service_id=' + server.objectId, {\n\t\tmethod: 'GET',\n\t\theaders: {\n\t\t\t'Content-Type': 'application/json',\n\t\t\t'Request-Id': requestId,\n\t\t\t'Client-Sdk-Type': 'typescript',\n\t\t\t'Client-Sdk-Version': PACKAGE_VERSION,\n\t\t\t...(apiKeyName && apiKey ? { apiKeyName: apiKey } : {}),\n\t\t},\n\t\tsignal: AbortSignal.timeout(timeout),\n\t});\n\n\tawait SealAPIError.assertResponse(response, requestId);\n\tverifyKeyServerVersion(response);\n\tconst serviceResponse = await response.json();\n\n\tif (serviceResponse.service_id !== server.objectId) {\n\t\treturn false;\n\t}\n\tconst fullMsg = flatten([DST_POP, server.pk, fromHex(server.objectId)]);\n\treturn bls12_381.verifyShortSignature(fromBase64(serviceResponse.pop), fullMsg, server.pk);\n}\n\n/**\n * Verify the key server version. Throws an `InvalidKeyServerError` if the version is not supported.\n *\n * @param response - The response from the key server.\n */\nexport function verifyKeyServerVersion(response: Response) {\n\tconst keyServerVersion = response.headers.get('X-KeyServer-Version');\n\tif (keyServerVersion == null) {\n\t\tthrow new InvalidKeyServerVersionError('Key server version not found');\n\t}\n\tif (new Version(keyServerVersion).older_than(SERVER_VERSION_REQUIREMENT)) {\n\t\tthrow new InvalidKeyServerVersionError(\n\t\t\t`Key server version ${keyServerVersion} is not supported`,\n\t\t);\n\t}\n}\n\nexport interface DerivedKey {\n\ttoString(): string;\n}\n\n/**\n * A user secret key for the Boneh-Franklin BLS12381 scheme.\n * This is a wrapper around the G1Element type.\n */\nexport class BonehFranklinBLS12381DerivedKey implements DerivedKey {\n\trepresentation: string;\n\n\tconstructor(public key: G1Element) {\n\t\tthis.representation = toHex(key.toBytes());\n\t}\n\n\ttoString(): string {\n\t\treturn this.representation;\n\t}\n}\n"],
+  "mappings": "AAEA,SAAS,KAAK,YAAY,SAAS,aAAa;AAChD,SAAS,iBAAiB;AAE1B,SAAS,eAAe,uBAAuB;AAC/C,SAAS,8BAA8B,cAAc,+BAA+B;AACpF,SAAS,eAAe;AACxB,SAAS,uBAAuB;AAGhC,SAAS,SAAS,eAAe;AAEjC,MAAM,0BAA0B;AAUzB,IAAK,gBAAL,kBAAKA,mBAAL;AACN,EAAAA,8BAAA,2BAAwB,KAAxB;AADW,SAAAA;AAAA,GAAA;AAIL,MAAM,6BAA6B,IAAI,QAAQ,OAAO;AAOtD,SAAS,yBAAyB,SAA0C;AAClF,MAAI,YAAY,WAAW;AAC1B,WAAO;AAAA,MACN;AAAA,MACA;AAAA,IACD;AAAA,EACD,OAAO;AACN,UAAM,IAAI,wBAAwB,uBAAuB,OAAO,EAAE;AAAA,EACnE;AACD;AAUA,eAAsB,mBAAmB;AAAA,EACxC;AAAA,EACA;AACD,GAGyB;AACxB,SAAO,MAAM,QAAQ;AAAA,IACpB,UAAU,IAAI,OAAO,aAAa;AAEjC,YAAM,MAAM,MAAM,OAAO,KAAK,UAAU;AAAA,QACvC;AAAA,MACD,CAAC;AACD,YAAM,KAAK,cAAc,MAAM,IAAI,OAAO,OAAO;AACjD,UACC,0BAA0B,OAAO,GAAG,YAAY,KAChD,0BAA0B,OAAO,GAAG,WAAW,GAC9C;AACD,cAAM,IAAI;AAAA,UACT,cAAc,QAAQ,8BAA8B,GAAG,YAAY,QAAQ,GAAG,WAAW,yCAAyC,uBAAuB;AAAA,QAC1J;AAAA,MACD;AAGA,YAAM,iBAAiB,MAAM,OAAO,KAAK,gBAAgB;AAAA,QACxD,UAAU;AAAA,QACV,MAAM;AAAA,UACL,MAAM;AAAA,UACN,KAAK,IAAI,IAAI,EAAE,UAAU,uBAAuB,EAAE,QAAQ;AAAA,QAC3D;AAAA,MACD,CAAC;AAED,YAAM,cAAc,gBAAgB,MAAM,eAAe,aAAa,MAAM,GAAG;AAE/E,aAAO;AAAA,QACN;AAAA,QACA,MAAM,YAAY;AAAA,QAClB,KAAK,YAAY;AAAA,QACjB,SAAS,YAAY;AAAA,QACrB,IAAI,IAAI,WAAW,YAAY,EAAE;AAAA,MAClC;AAAA,IACD,CAAC;AAAA,EACF;AACD;AAUA,eAAsB,gBACrB,QACA,SACA,YACA,QACmB;AACnB,QAAM,YAAY,OAAO,WAAW;AACpC,QAAM,WAAW,MAAM,MAAM,OAAO,MAAO,4BAA4B,OAAO,UAAU;AAAA,IACvF,QAAQ;AAAA,IACR,SAAS;AAAA,MACR,gBAAgB;AAAA,MAChB,cAAc;AAAA,MACd,mBAAmB;AAAA,MACnB,sBAAsB;AAAA,MACtB,GAAI,cAAc,SAAS,EAAE,YAAY,OAAO,IAAI,CAAC;AAAA,IACtD;AAAA,IACA,QAAQ,YAAY,QAAQ,OAAO;AAAA,EACpC,CAAC;AAED,QAAM,aAAa,eAAe,UAAU,SAAS;AACrD,yBAAuB,QAAQ;AAC/B,QAAM,kBAAkB,MAAM,SAAS,KAAK;AAE5C,MAAI,gBAAgB,eAAe,OAAO,UAAU;AACnD,WAAO;AAAA,EACR;AACA,QAAM,UAAU,QAAQ,CAAC,SAAS,OAAO,IAAI,QAAQ,OAAO,QAAQ,CAAC,CAAC;AACtE,SAAO,UAAU,qBAAqB,WAAW,gBAAgB,GAAG,GAAG,SAAS,OAAO,EAAE;AAC1F;AAOO,SAAS,uBAAuB,UAAoB;AAC1D,QAAM,mBAAmB,SAAS,QAAQ,IAAI,qBAAqB;AACnE,MAAI,oBAAoB,MAAM;AAC7B,UAAM,IAAI,6BAA6B,8BAA8B;AAAA,EACtE;AACA,MAAI,IAAI,QAAQ,gBAAgB,EAAE,WAAW,0BAA0B,GAAG;AACzE,UAAM,IAAI;AAAA,MACT,sBAAsB,gBAAgB;AAAA,IACvC;AAAA,EACD;AACD;AAUO,MAAM,gCAAsD;AAAA,EAGlE,YAAmB,KAAgB;AAAhB;AAClB,SAAK,iBAAiB,MAAM,IAAI,QAAQ,CAAC;AAAA,EAC1C;AAAA,EAEA,WAAmB;AAClB,WAAO,KAAK;AAAA,EACb;AACD;",
   "names": ["KeyServerType"]
 }

package/dist/esm/version.d.ts

@@ -1 +1 @@
-export declare const PACKAGE_VERSION = "0.4.10";
+export declare const PACKAGE_VERSION = "0.4.11";

package/dist/esm/version.js

@@ -1,4 +1,4 @@
-const PACKAGE_VERSION = "0.4.10";
+const PACKAGE_VERSION = "0.4.11";
 export {
   PACKAGE_VERSION
 };

package/dist/esm/version.js.map

@@ -1,7 +1,7 @@
 {
   "version": 3,
   "sources": ["../../src/version.ts"],
-  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '0.4.10';\n"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\n// This file is generated by genversion.mjs. Do not edit it directly.\n\nexport const PACKAGE_VERSION = '0.4.11';\n"],
   "mappings": "AAKO,MAAM,kBAAkB;",
   "names": []
 }