@omnituum/pqc-shared 0.3.1 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/crypto/index.cjs +29 -71
- package/dist/crypto/index.d.cts +38 -45
- package/dist/crypto/index.d.ts +38 -45
- package/dist/crypto/index.js +28 -72
- package/dist/crypto/safe/index.cjs +556 -0
- package/dist/crypto/safe/index.d.cts +341 -0
- package/dist/crypto/safe/index.d.ts +341 -0
- package/dist/crypto/safe/index.js +524 -0
- package/dist/fs/index.cjs +6 -34
- package/dist/fs/index.js +6 -34
- package/dist/index.cjs +29 -71
- package/dist/index.d.cts +4 -4
- package/dist/index.d.ts +4 -4
- package/dist/index.js +28 -72
- package/dist/{integrity-CCYjrap3.d.ts → integrity-BPvNsC50.d.ts} +1 -1
- package/dist/{integrity-Dx9jukMH.d.cts → integrity-ByMp24VA.d.cts} +1 -1
- package/dist/{types-61c7Q9ri.d.ts → types-Dx_AFqow.d.cts} +54 -2
- package/dist/{types-Ch0y-n7K.d.cts → types-Dx_AFqow.d.ts} +54 -2
- package/dist/utils/index.d.cts +2 -3
- package/dist/utils/index.d.ts +2 -3
- package/dist/vault/index.cjs +13 -41
- package/dist/vault/index.d.cts +2 -3
- package/dist/vault/index.d.ts +2 -3
- package/dist/vault/index.js +13 -41
- package/package.json +27 -13
- package/src/crypto/dilithium.ts +8 -4
- package/src/crypto/hybrid.ts +13 -29
- package/src/crypto/index.ts +3 -0
- package/src/crypto/kyber.ts +63 -121
- package/src/crypto/safe/adapters.ts +306 -0
- package/src/crypto/safe/dilithium.ts +74 -0
- package/src/crypto/safe/index.ts +97 -0
- package/src/crypto/safe/kyber.ts +47 -0
- package/src/crypto/safe/manifests.ts +192 -0
- package/src/crypto/safe/secretbox.ts +24 -0
- package/src/crypto/safe/types.ts +88 -0
- package/src/crypto/safe/x25519.ts +31 -0
- package/src/index.ts +7 -4
- package/src/version.ts +9 -4
- package/dist/version-BygzPVGs.d.cts +0 -55
- package/dist/version-BygzPVGs.d.ts +0 -55
package/dist/index.cjs
CHANGED
|
@@ -3,6 +3,8 @@
|
|
|
3
3
|
var nacl4 = require('tweetnacl');
|
|
4
4
|
var sha2_js = require('@noble/hashes/sha2.js');
|
|
5
5
|
var hmac_js = require('@noble/hashes/hmac.js');
|
|
6
|
+
var mlKem_js = require('@noble/post-quantum/ml-kem.js');
|
|
7
|
+
var envelopeRegistry = require('@omnituum/envelope-registry');
|
|
6
8
|
var hashWasm = require('hash-wasm');
|
|
7
9
|
var blake3_js = require('@noble/hashes/blake3.js');
|
|
8
10
|
var chacha_js = require('@noble/ciphers/chacha.js');
|
|
@@ -152,78 +154,37 @@ function x25519SharedSecret(ourSecretKey, theirPublicKey) {
|
|
|
152
154
|
function deriveKeyFromShared(shared, salt, info) {
|
|
153
155
|
return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
|
|
154
156
|
}
|
|
155
|
-
var
|
|
156
|
-
async function loadKyber() {
|
|
157
|
-
if (kyberModule) return kyberModule;
|
|
158
|
-
try {
|
|
159
|
-
const m = await import('kyber-crystals');
|
|
160
|
-
const k = m.default ?? m;
|
|
161
|
-
kyberModule = k.kyber ?? k;
|
|
162
|
-
return kyberModule;
|
|
163
|
-
} catch (e) {
|
|
164
|
-
console.warn("[Kyber] Failed to load kyber-crystals:", e);
|
|
165
|
-
return null;
|
|
166
|
-
}
|
|
167
|
-
}
|
|
157
|
+
var KYBER_SUITE = "ML-KEM-1024-FIPS203";
|
|
168
158
|
async function isKyberAvailable() {
|
|
169
|
-
|
|
170
|
-
return mod !== null;
|
|
159
|
+
return true;
|
|
171
160
|
}
|
|
172
161
|
async function generateKyberKeypair() {
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
}
|
|
184
|
-
const kp = await fn.call(mod);
|
|
185
|
-
const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
|
|
186
|
-
const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
|
|
187
|
-
if (!pub || !priv) {
|
|
188
|
-
console.warn("[Kyber] Invalid keypair result");
|
|
189
|
-
return null;
|
|
190
|
-
}
|
|
191
|
-
return {
|
|
192
|
-
publicB64: b64(new Uint8Array(pub)),
|
|
193
|
-
secretB64: b64(new Uint8Array(priv))
|
|
194
|
-
};
|
|
195
|
-
} catch (e) {
|
|
196
|
-
console.warn("[Kyber] Key generation failed:", e);
|
|
197
|
-
return null;
|
|
162
|
+
const seed = randN(64);
|
|
163
|
+
const kp = mlKem_js.ml_kem1024.keygen(seed);
|
|
164
|
+
return {
|
|
165
|
+
publicB64: b64(kp.publicKey),
|
|
166
|
+
secretB64: b64(kp.secretKey)
|
|
167
|
+
};
|
|
168
|
+
}
|
|
169
|
+
function generateKyberKeypairFromSeed(seed) {
|
|
170
|
+
if (seed.length !== 64) {
|
|
171
|
+
throw new Error("Kyber seed must be 64 bytes");
|
|
198
172
|
}
|
|
173
|
+
const kp = mlKem_js.ml_kem1024.keygen(seed);
|
|
174
|
+
return { publicKey: kp.publicKey, secretKey: kp.secretKey };
|
|
199
175
|
}
|
|
200
176
|
async function kyberEncapsulate(pubKeyB64) {
|
|
201
|
-
const kyber = await loadKyber();
|
|
202
|
-
if (!kyber?.encrypt) {
|
|
203
|
-
throw new Error("Kyber encrypt not available");
|
|
204
|
-
}
|
|
205
177
|
const pk = ub64(pubKeyB64);
|
|
206
|
-
const
|
|
207
|
-
const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
|
|
208
|
-
const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
|
|
209
|
-
if (!ctRaw || !ssRaw) {
|
|
210
|
-
throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
|
|
211
|
-
}
|
|
178
|
+
const enc = mlKem_js.ml_kem1024.encapsulate(pk);
|
|
212
179
|
return {
|
|
213
|
-
ciphertext:
|
|
214
|
-
sharedSecret:
|
|
180
|
+
ciphertext: enc.cipherText,
|
|
181
|
+
sharedSecret: enc.sharedSecret
|
|
215
182
|
};
|
|
216
183
|
}
|
|
217
184
|
async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
|
|
218
|
-
const kyber = await loadKyber();
|
|
219
|
-
if (!kyber?.decrypt && !kyber?.decapsulate) {
|
|
220
|
-
throw new Error("Kyber decrypt/decapsulate not available");
|
|
221
|
-
}
|
|
222
185
|
const ct = ub64(kemCiphertextB64);
|
|
223
186
|
const sk = ub64(secretKeyB64);
|
|
224
|
-
|
|
225
|
-
const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
|
|
226
|
-
return new Uint8Array(key);
|
|
187
|
+
return mlKem_js.ml_kem1024.decapsulate(ct, sk);
|
|
227
188
|
}
|
|
228
189
|
function kyberWrapKey(sharedSecret, msgKey32) {
|
|
229
190
|
if (msgKey32.length !== 32) {
|
|
@@ -232,10 +193,7 @@ function kyberWrapKey(sharedSecret, msgKey32) {
|
|
|
232
193
|
const kek = sha256(sharedSecret);
|
|
233
194
|
const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
|
|
234
195
|
const wrapped = nacl4__default.default.secretbox(msgKey32, nonce, kek);
|
|
235
|
-
return {
|
|
236
|
-
nonce: b64(nonce),
|
|
237
|
-
wrapped: b64(wrapped)
|
|
238
|
-
};
|
|
196
|
+
return { nonce: b64(nonce), wrapped: b64(wrapped) };
|
|
239
197
|
}
|
|
240
198
|
function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
|
|
241
199
|
const kek = sha256(sharedSecret);
|
|
@@ -243,10 +201,8 @@ function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
|
|
|
243
201
|
const wrapped = ub64(wrappedB64);
|
|
244
202
|
return nacl4__default.default.secretbox.open(wrapped, nonce, kek) || null;
|
|
245
203
|
}
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
var ENVELOPE_VERSION = "omnituum.hybrid.v1";
|
|
249
|
-
var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
|
|
204
|
+
var ENVELOPE_VERSION = envelopeRegistry.OMNI_VERSIONS.HYBRID_V1;
|
|
205
|
+
var ENVELOPE_VERSION_LEGACY = envelopeRegistry.DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
|
|
250
206
|
var VAULT_VERSION = "omnituum.vault.v1";
|
|
251
207
|
var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
|
|
252
208
|
var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
|
|
@@ -587,7 +543,7 @@ async function dilithiumSign(message, secretKeyB64) {
|
|
|
587
543
|
}
|
|
588
544
|
const sk = fromB64(secretKeyB64);
|
|
589
545
|
const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
|
|
590
|
-
const signature = mod.sign(
|
|
546
|
+
const signature = mod.sign(msg, sk);
|
|
591
547
|
return {
|
|
592
548
|
signature: toB64(signature),
|
|
593
549
|
algorithm: "ML-DSA-65"
|
|
@@ -598,7 +554,7 @@ async function dilithiumSignRaw(message, secretKey) {
|
|
|
598
554
|
if (!mod) {
|
|
599
555
|
throw new Error("Dilithium library not available");
|
|
600
556
|
}
|
|
601
|
-
return mod.sign(
|
|
557
|
+
return mod.sign(message, secretKey);
|
|
602
558
|
}
|
|
603
559
|
async function dilithiumVerify(message, signatureB64, publicKeyB64) {
|
|
604
560
|
const mod = await loadDilithium();
|
|
@@ -609,7 +565,7 @@ async function dilithiumVerify(message, signatureB64, publicKeyB64) {
|
|
|
609
565
|
const sig = fromB64(signatureB64);
|
|
610
566
|
const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
|
|
611
567
|
try {
|
|
612
|
-
return mod.verify(
|
|
568
|
+
return mod.verify(sig, msg, pk);
|
|
613
569
|
} catch {
|
|
614
570
|
return false;
|
|
615
571
|
}
|
|
@@ -620,7 +576,7 @@ async function dilithiumVerifyRaw(message, signature, publicKey) {
|
|
|
620
576
|
throw new Error("Dilithium library not available");
|
|
621
577
|
}
|
|
622
578
|
try {
|
|
623
|
-
return mod.verify(
|
|
579
|
+
return mod.verify(signature, message, publicKey);
|
|
624
580
|
} catch {
|
|
625
581
|
return false;
|
|
626
582
|
}
|
|
@@ -2046,6 +2002,7 @@ exports.ENVELOPE_SUITE = ENVELOPE_SUITE;
|
|
|
2046
2002
|
exports.ENVELOPE_VERSION = ENVELOPE_VERSION;
|
|
2047
2003
|
exports.KDF_CONFIG_ARGON2ID = KDF_CONFIG_ARGON2ID;
|
|
2048
2004
|
exports.KDF_CONFIG_PBKDF2 = KDF_CONFIG_PBKDF2;
|
|
2005
|
+
exports.KYBER_SUITE = KYBER_SUITE;
|
|
2049
2006
|
exports.POLY1305_TAG_SIZE = POLY1305_TAG_SIZE;
|
|
2050
2007
|
exports.SECRETBOX_KEY_SIZE = SECRETBOX_KEY_SIZE;
|
|
2051
2008
|
exports.SECRETBOX_NONCE_SIZE = SECRETBOX_NONCE_SIZE;
|
|
@@ -2101,6 +2058,7 @@ exports.generateDilithiumKeypair = generateDilithiumKeypair;
|
|
|
2101
2058
|
exports.generateDilithiumKeypairFromSeed = generateDilithiumKeypairFromSeed;
|
|
2102
2059
|
exports.generateHybridIdentity = generateHybridIdentity;
|
|
2103
2060
|
exports.generateKyberKeypair = generateKyberKeypair;
|
|
2061
|
+
exports.generateKyberKeypairFromSeed = generateKyberKeypairFromSeed;
|
|
2104
2062
|
exports.generateSalt = generateSalt;
|
|
2105
2063
|
exports.generateX25519Keypair = generateX25519Keypair;
|
|
2106
2064
|
exports.generateX25519KeypairFromSeed = generateX25519KeypairFromSeed;
|
package/dist/index.d.cts
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KyberEncapsulation, KyberKeypair, KyberKeypairB64, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.cjs';
|
|
2
|
-
export { E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault } from './types-
|
|
1
|
+
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KYBER_SUITE, KyberEncapsulation, KyberKeypair, KyberKeypairB64, KyberSuite, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.cjs';
|
|
2
|
+
export { e as ENVELOPE_AEAD, d as ENVELOPE_SUITE, c as ENVELOPE_VERSION, E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault, h as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, b as VAULT_ENCRYPTED_VERSION_V2, f as VAULT_KDF, g as VAULT_KDF_V2, V as VAULT_VERSION, j as validateEncryptedVault, i as validateEnvelope, v as validateVault } from './types-Dx_AFqow.cjs';
|
|
3
3
|
export { MigrationOptions, MigrationResult, addIdentity, createEmptyVault, createIdentity, decryptVault, encryptVault, getVaultKdfInfo, isV2Vault, migrateEncryptedVault, needsMigration } from './vault/index.cjs';
|
|
4
|
-
export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-
|
|
5
|
-
export { g as ENVELOPE_AEAD, f as ENVELOPE_SUITE, E as ENVELOPE_VERSION, c as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, d as VAULT_ENCRYPTED_VERSION_V2, b as VAULT_KDF, e as VAULT_KDF_V2, V as VAULT_VERSION, i as validateEncryptedVault, h as validateEnvelope, v as validateVault } from './version-BygzPVGs.cjs';
|
|
4
|
+
export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-ByMp24VA.cjs';
|
|
6
5
|
export { D as DecryptOptions, E as EncryptOptions, c as OQEDecryptResult, O as OQEEncryptResult, d as decryptFile, b as decryptFileWithPassword, e as encryptFile, a as encryptFileWithPassword } from './decrypt-eSHlbh1j.cjs';
|
|
6
|
+
import '@omnituum/envelope-registry';
|
|
7
7
|
import '@noble/ciphers/utils.js';
|
|
8
8
|
|
|
9
9
|
/**
|
package/dist/index.d.ts
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KyberEncapsulation, KyberKeypair, KyberKeypairB64, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.js';
|
|
2
|
-
export { E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault } from './types-
|
|
1
|
+
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KYBER_SUITE, KyberEncapsulation, KyberKeypair, KyberKeypairB64, KyberSuite, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.js';
|
|
2
|
+
export { e as ENVELOPE_AEAD, d as ENVELOPE_SUITE, c as ENVELOPE_VERSION, E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault, h as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, b as VAULT_ENCRYPTED_VERSION_V2, f as VAULT_KDF, g as VAULT_KDF_V2, V as VAULT_VERSION, j as validateEncryptedVault, i as validateEnvelope, v as validateVault } from './types-Dx_AFqow.js';
|
|
3
3
|
export { MigrationOptions, MigrationResult, addIdentity, createEmptyVault, createIdentity, decryptVault, encryptVault, getVaultKdfInfo, isV2Vault, migrateEncryptedVault, needsMigration } from './vault/index.js';
|
|
4
|
-
export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-
|
|
5
|
-
export { g as ENVELOPE_AEAD, f as ENVELOPE_SUITE, E as ENVELOPE_VERSION, c as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, d as VAULT_ENCRYPTED_VERSION_V2, b as VAULT_KDF, e as VAULT_KDF_V2, V as VAULT_VERSION, i as validateEncryptedVault, h as validateEnvelope, v as validateVault } from './version-BygzPVGs.js';
|
|
4
|
+
export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-BPvNsC50.js';
|
|
6
5
|
export { D as DecryptOptions, E as EncryptOptions, c as OQEDecryptResult, O as OQEEncryptResult, d as decryptFile, b as decryptFileWithPassword, e as encryptFile, a as encryptFileWithPassword } from './decrypt-eSHlbh1j.js';
|
|
6
|
+
import '@omnituum/envelope-registry';
|
|
7
7
|
import '@noble/ciphers/utils.js';
|
|
8
8
|
|
|
9
9
|
/**
|
package/dist/index.js
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
import nacl4 from 'tweetnacl';
|
|
2
2
|
import { sha256 as sha256$1, sha512 } from '@noble/hashes/sha2.js';
|
|
3
3
|
import { hmac } from '@noble/hashes/hmac.js';
|
|
4
|
+
import { ml_kem1024 } from '@noble/post-quantum/ml-kem.js';
|
|
5
|
+
import { OMNI_VERSIONS, DEPRECATED_VERSIONS } from '@omnituum/envelope-registry';
|
|
4
6
|
import { argon2id } from 'hash-wasm';
|
|
5
7
|
import { blake3 as blake3$1 } from '@noble/hashes/blake3.js';
|
|
6
8
|
import { chacha20poly1305, xchacha20poly1305 } from '@noble/ciphers/chacha.js';
|
|
@@ -146,78 +148,37 @@ function x25519SharedSecret(ourSecretKey, theirPublicKey) {
|
|
|
146
148
|
function deriveKeyFromShared(shared, salt, info) {
|
|
147
149
|
return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
|
|
148
150
|
}
|
|
149
|
-
var
|
|
150
|
-
async function loadKyber() {
|
|
151
|
-
if (kyberModule) return kyberModule;
|
|
152
|
-
try {
|
|
153
|
-
const m = await import('kyber-crystals');
|
|
154
|
-
const k = m.default ?? m;
|
|
155
|
-
kyberModule = k.kyber ?? k;
|
|
156
|
-
return kyberModule;
|
|
157
|
-
} catch (e) {
|
|
158
|
-
console.warn("[Kyber] Failed to load kyber-crystals:", e);
|
|
159
|
-
return null;
|
|
160
|
-
}
|
|
161
|
-
}
|
|
151
|
+
var KYBER_SUITE = "ML-KEM-1024-FIPS203";
|
|
162
152
|
async function isKyberAvailable() {
|
|
163
|
-
|
|
164
|
-
return mod !== null;
|
|
153
|
+
return true;
|
|
165
154
|
}
|
|
166
155
|
async function generateKyberKeypair() {
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
}
|
|
178
|
-
const kp = await fn.call(mod);
|
|
179
|
-
const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
|
|
180
|
-
const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
|
|
181
|
-
if (!pub || !priv) {
|
|
182
|
-
console.warn("[Kyber] Invalid keypair result");
|
|
183
|
-
return null;
|
|
184
|
-
}
|
|
185
|
-
return {
|
|
186
|
-
publicB64: b64(new Uint8Array(pub)),
|
|
187
|
-
secretB64: b64(new Uint8Array(priv))
|
|
188
|
-
};
|
|
189
|
-
} catch (e) {
|
|
190
|
-
console.warn("[Kyber] Key generation failed:", e);
|
|
191
|
-
return null;
|
|
156
|
+
const seed = randN(64);
|
|
157
|
+
const kp = ml_kem1024.keygen(seed);
|
|
158
|
+
return {
|
|
159
|
+
publicB64: b64(kp.publicKey),
|
|
160
|
+
secretB64: b64(kp.secretKey)
|
|
161
|
+
};
|
|
162
|
+
}
|
|
163
|
+
function generateKyberKeypairFromSeed(seed) {
|
|
164
|
+
if (seed.length !== 64) {
|
|
165
|
+
throw new Error("Kyber seed must be 64 bytes");
|
|
192
166
|
}
|
|
167
|
+
const kp = ml_kem1024.keygen(seed);
|
|
168
|
+
return { publicKey: kp.publicKey, secretKey: kp.secretKey };
|
|
193
169
|
}
|
|
194
170
|
async function kyberEncapsulate(pubKeyB64) {
|
|
195
|
-
const kyber = await loadKyber();
|
|
196
|
-
if (!kyber?.encrypt) {
|
|
197
|
-
throw new Error("Kyber encrypt not available");
|
|
198
|
-
}
|
|
199
171
|
const pk = ub64(pubKeyB64);
|
|
200
|
-
const
|
|
201
|
-
const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
|
|
202
|
-
const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
|
|
203
|
-
if (!ctRaw || !ssRaw) {
|
|
204
|
-
throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
|
|
205
|
-
}
|
|
172
|
+
const enc = ml_kem1024.encapsulate(pk);
|
|
206
173
|
return {
|
|
207
|
-
ciphertext:
|
|
208
|
-
sharedSecret:
|
|
174
|
+
ciphertext: enc.cipherText,
|
|
175
|
+
sharedSecret: enc.sharedSecret
|
|
209
176
|
};
|
|
210
177
|
}
|
|
211
178
|
async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
|
|
212
|
-
const kyber = await loadKyber();
|
|
213
|
-
if (!kyber?.decrypt && !kyber?.decapsulate) {
|
|
214
|
-
throw new Error("Kyber decrypt/decapsulate not available");
|
|
215
|
-
}
|
|
216
179
|
const ct = ub64(kemCiphertextB64);
|
|
217
180
|
const sk = ub64(secretKeyB64);
|
|
218
|
-
|
|
219
|
-
const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
|
|
220
|
-
return new Uint8Array(key);
|
|
181
|
+
return ml_kem1024.decapsulate(ct, sk);
|
|
221
182
|
}
|
|
222
183
|
function kyberWrapKey(sharedSecret, msgKey32) {
|
|
223
184
|
if (msgKey32.length !== 32) {
|
|
@@ -226,10 +187,7 @@ function kyberWrapKey(sharedSecret, msgKey32) {
|
|
|
226
187
|
const kek = sha256(sharedSecret);
|
|
227
188
|
const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
|
|
228
189
|
const wrapped = nacl4.secretbox(msgKey32, nonce, kek);
|
|
229
|
-
return {
|
|
230
|
-
nonce: b64(nonce),
|
|
231
|
-
wrapped: b64(wrapped)
|
|
232
|
-
};
|
|
190
|
+
return { nonce: b64(nonce), wrapped: b64(wrapped) };
|
|
233
191
|
}
|
|
234
192
|
function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
|
|
235
193
|
const kek = sha256(sharedSecret);
|
|
@@ -237,10 +195,8 @@ function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
|
|
|
237
195
|
const wrapped = ub64(wrappedB64);
|
|
238
196
|
return nacl4.secretbox.open(wrapped, nonce, kek) || null;
|
|
239
197
|
}
|
|
240
|
-
|
|
241
|
-
|
|
242
|
-
var ENVELOPE_VERSION = "omnituum.hybrid.v1";
|
|
243
|
-
var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
|
|
198
|
+
var ENVELOPE_VERSION = OMNI_VERSIONS.HYBRID_V1;
|
|
199
|
+
var ENVELOPE_VERSION_LEGACY = DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
|
|
244
200
|
var VAULT_VERSION = "omnituum.vault.v1";
|
|
245
201
|
var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
|
|
246
202
|
var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
|
|
@@ -581,7 +537,7 @@ async function dilithiumSign(message, secretKeyB64) {
|
|
|
581
537
|
}
|
|
582
538
|
const sk = fromB64(secretKeyB64);
|
|
583
539
|
const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
|
|
584
|
-
const signature = mod.sign(
|
|
540
|
+
const signature = mod.sign(msg, sk);
|
|
585
541
|
return {
|
|
586
542
|
signature: toB64(signature),
|
|
587
543
|
algorithm: "ML-DSA-65"
|
|
@@ -592,7 +548,7 @@ async function dilithiumSignRaw(message, secretKey) {
|
|
|
592
548
|
if (!mod) {
|
|
593
549
|
throw new Error("Dilithium library not available");
|
|
594
550
|
}
|
|
595
|
-
return mod.sign(
|
|
551
|
+
return mod.sign(message, secretKey);
|
|
596
552
|
}
|
|
597
553
|
async function dilithiumVerify(message, signatureB64, publicKeyB64) {
|
|
598
554
|
const mod = await loadDilithium();
|
|
@@ -603,7 +559,7 @@ async function dilithiumVerify(message, signatureB64, publicKeyB64) {
|
|
|
603
559
|
const sig = fromB64(signatureB64);
|
|
604
560
|
const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
|
|
605
561
|
try {
|
|
606
|
-
return mod.verify(
|
|
562
|
+
return mod.verify(sig, msg, pk);
|
|
607
563
|
} catch {
|
|
608
564
|
return false;
|
|
609
565
|
}
|
|
@@ -614,7 +570,7 @@ async function dilithiumVerifyRaw(message, signature, publicKey) {
|
|
|
614
570
|
throw new Error("Dilithium library not available");
|
|
615
571
|
}
|
|
616
572
|
try {
|
|
617
|
-
return mod.verify(
|
|
573
|
+
return mod.verify(signature, message, publicKey);
|
|
618
574
|
} catch {
|
|
619
575
|
return false;
|
|
620
576
|
}
|
|
@@ -2027,4 +1983,4 @@ function createTunnelSession(keys) {
|
|
|
2027
1983
|
};
|
|
2028
1984
|
}
|
|
2029
1985
|
|
|
2030
|
-
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, ENVELOPE_AEAD, ENVELOPE_SUITE, ENVELOPE_VERSION, KDF_CONFIG_ARGON2ID, KDF_CONFIG_PBKDF2, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecureBuffer, TUNNEL_KEY_SIZE, TUNNEL_NONCE_SIZE, TUNNEL_VERSION, VAULT_ALGORITHM, VAULT_ENCRYPTED_VERSION, VAULT_ENCRYPTED_VERSION_V2, VAULT_KDF, VAULT_KDF_V2, VAULT_VERSION, XCHACHA20_NONCE_SIZE, addIdentity, assertLen, b64, benchmarkKDF, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, computeIntegrityHash, computeKeyFingerprint, constantTimeEqual, createChaCha20Poly1305, createEmptyVault, createIdentity, createSession, createTunnelSession, createXChaCha20Poly1305, decryptFile, decryptFileWithPassword, decryptVault, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, encryptFile, encryptFileWithPassword, encryptVault, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateSalt, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getRecommendedConfig, getSecretKeys, getVaultKdfInfo, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, isSessionTimedOut, isV2Vault, kdfDeriveKey, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, lockSecureSession, migrateEncryptedVault, needsMigration, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, unlockSecureSession, validateEncryptedVault, validateEnvelope, validateVault, withSecureData, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt, zeroAll, zeroMemory };
|
|
1986
|
+
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, ENVELOPE_AEAD, ENVELOPE_SUITE, ENVELOPE_VERSION, KDF_CONFIG_ARGON2ID, KDF_CONFIG_PBKDF2, KYBER_SUITE, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecureBuffer, TUNNEL_KEY_SIZE, TUNNEL_NONCE_SIZE, TUNNEL_VERSION, VAULT_ALGORITHM, VAULT_ENCRYPTED_VERSION, VAULT_ENCRYPTED_VERSION_V2, VAULT_KDF, VAULT_KDF_V2, VAULT_VERSION, XCHACHA20_NONCE_SIZE, addIdentity, assertLen, b64, benchmarkKDF, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, computeIntegrityHash, computeKeyFingerprint, constantTimeEqual, createChaCha20Poly1305, createEmptyVault, createIdentity, createSession, createTunnelSession, createXChaCha20Poly1305, decryptFile, decryptFileWithPassword, decryptVault, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, encryptFile, encryptFileWithPassword, encryptVault, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateSalt, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getRecommendedConfig, getSecretKeys, getVaultKdfInfo, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, isSessionTimedOut, isV2Vault, kdfDeriveKey, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, lockSecureSession, migrateEncryptedVault, needsMigration, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, unlockSecureSession, validateEncryptedVault, validateEnvelope, validateVault, withSecureData, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt, zeroAll, zeroMemory };
|
|
@@ -1,4 +1,56 @@
|
|
|
1
|
-
|
|
1
|
+
/**
|
|
2
|
+
* Omnituum PQC Shared - Version Constants & Guards
|
|
3
|
+
*
|
|
4
|
+
* FROZEN CONTRACTS: These version strings define the wire format.
|
|
5
|
+
* Breaking changes require a version bump.
|
|
6
|
+
*
|
|
7
|
+
* @see pqc-docs/specs/envelope.v1.md
|
|
8
|
+
* @see pqc-docs/specs/vault.v1.md
|
|
9
|
+
* @see pqc-docs/specs/identity.v1.md
|
|
10
|
+
*/
|
|
11
|
+
/** HybridEnvelope version - hybrid encryption format (from registry) */
|
|
12
|
+
declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
|
|
13
|
+
/** OmnituumVault version - decrypted vault format */
|
|
14
|
+
declare const VAULT_VERSION: "omnituum.vault.v1";
|
|
15
|
+
/** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
|
|
16
|
+
declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
|
|
17
|
+
/** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
|
|
18
|
+
declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
|
|
19
|
+
/** Algorithm suite for hybrid encryption */
|
|
20
|
+
declare const ENVELOPE_SUITE: "x25519+kyber768";
|
|
21
|
+
/** AEAD algorithm for envelope content */
|
|
22
|
+
declare const ENVELOPE_AEAD: "xsalsa20poly1305";
|
|
23
|
+
/** KDF for vault encryption (v1) */
|
|
24
|
+
declare const VAULT_KDF: "PBKDF2-SHA256";
|
|
25
|
+
/** KDF for vault encryption (v2) */
|
|
26
|
+
declare const VAULT_KDF_V2: "Argon2id";
|
|
27
|
+
/** Encryption algorithm for vault */
|
|
28
|
+
declare const VAULT_ALGORITHM: "AES-256-GCM";
|
|
29
|
+
/**
|
|
30
|
+
* Validate envelope structure and version.
|
|
31
|
+
* Returns detailed validation result.
|
|
32
|
+
*/
|
|
33
|
+
declare function validateEnvelope(envelope: unknown): {
|
|
34
|
+
valid: boolean;
|
|
35
|
+
version?: string;
|
|
36
|
+
errors: string[];
|
|
37
|
+
};
|
|
38
|
+
/**
|
|
39
|
+
* Validate vault structure and version.
|
|
40
|
+
*/
|
|
41
|
+
declare function validateVault(vault: unknown): {
|
|
42
|
+
valid: boolean;
|
|
43
|
+
version?: string;
|
|
44
|
+
errors: string[];
|
|
45
|
+
};
|
|
46
|
+
/**
|
|
47
|
+
* Validate encrypted vault structure and version.
|
|
48
|
+
*/
|
|
49
|
+
declare function validateEncryptedVault(encVault: unknown): {
|
|
50
|
+
valid: boolean;
|
|
51
|
+
version?: string;
|
|
52
|
+
errors: string[];
|
|
53
|
+
};
|
|
2
54
|
|
|
3
55
|
/**
|
|
4
56
|
* Omnituum PQC Shared - Vault Types
|
|
@@ -131,4 +183,4 @@ interface VaultSession {
|
|
|
131
183
|
declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
|
|
132
184
|
declare const PBKDF2_ITERATIONS = 600000;
|
|
133
185
|
|
|
134
|
-
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P,
|
|
186
|
+
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
|
|
@@ -1,4 +1,56 @@
|
|
|
1
|
-
|
|
1
|
+
/**
|
|
2
|
+
* Omnituum PQC Shared - Version Constants & Guards
|
|
3
|
+
*
|
|
4
|
+
* FROZEN CONTRACTS: These version strings define the wire format.
|
|
5
|
+
* Breaking changes require a version bump.
|
|
6
|
+
*
|
|
7
|
+
* @see pqc-docs/specs/envelope.v1.md
|
|
8
|
+
* @see pqc-docs/specs/vault.v1.md
|
|
9
|
+
* @see pqc-docs/specs/identity.v1.md
|
|
10
|
+
*/
|
|
11
|
+
/** HybridEnvelope version - hybrid encryption format (from registry) */
|
|
12
|
+
declare const ENVELOPE_VERSION: "omnituum.hybrid.v1";
|
|
13
|
+
/** OmnituumVault version - decrypted vault format */
|
|
14
|
+
declare const VAULT_VERSION: "omnituum.vault.v1";
|
|
15
|
+
/** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
|
|
16
|
+
declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
|
|
17
|
+
/** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
|
|
18
|
+
declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
|
|
19
|
+
/** Algorithm suite for hybrid encryption */
|
|
20
|
+
declare const ENVELOPE_SUITE: "x25519+kyber768";
|
|
21
|
+
/** AEAD algorithm for envelope content */
|
|
22
|
+
declare const ENVELOPE_AEAD: "xsalsa20poly1305";
|
|
23
|
+
/** KDF for vault encryption (v1) */
|
|
24
|
+
declare const VAULT_KDF: "PBKDF2-SHA256";
|
|
25
|
+
/** KDF for vault encryption (v2) */
|
|
26
|
+
declare const VAULT_KDF_V2: "Argon2id";
|
|
27
|
+
/** Encryption algorithm for vault */
|
|
28
|
+
declare const VAULT_ALGORITHM: "AES-256-GCM";
|
|
29
|
+
/**
|
|
30
|
+
* Validate envelope structure and version.
|
|
31
|
+
* Returns detailed validation result.
|
|
32
|
+
*/
|
|
33
|
+
declare function validateEnvelope(envelope: unknown): {
|
|
34
|
+
valid: boolean;
|
|
35
|
+
version?: string;
|
|
36
|
+
errors: string[];
|
|
37
|
+
};
|
|
38
|
+
/**
|
|
39
|
+
* Validate vault structure and version.
|
|
40
|
+
*/
|
|
41
|
+
declare function validateVault(vault: unknown): {
|
|
42
|
+
valid: boolean;
|
|
43
|
+
version?: string;
|
|
44
|
+
errors: string[];
|
|
45
|
+
};
|
|
46
|
+
/**
|
|
47
|
+
* Validate encrypted vault structure and version.
|
|
48
|
+
*/
|
|
49
|
+
declare function validateEncryptedVault(encVault: unknown): {
|
|
50
|
+
valid: boolean;
|
|
51
|
+
version?: string;
|
|
52
|
+
errors: string[];
|
|
53
|
+
};
|
|
2
54
|
|
|
3
55
|
/**
|
|
4
56
|
* Omnituum PQC Shared - Vault Types
|
|
@@ -131,4 +183,4 @@ interface VaultSession {
|
|
|
131
183
|
declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
|
|
132
184
|
declare const PBKDF2_ITERATIONS = 600000;
|
|
133
185
|
|
|
134
|
-
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P,
|
|
186
|
+
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
|
package/dist/utils/index.d.cts
CHANGED
|
@@ -1,6 +1,5 @@
|
|
|
1
|
-
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-
|
|
2
|
-
import '../types-
|
|
3
|
-
import '../version-BygzPVGs.cjs';
|
|
1
|
+
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-ByMp24VA.cjs';
|
|
2
|
+
import '../types-Dx_AFqow.cjs';
|
|
4
3
|
|
|
5
4
|
/**
|
|
6
5
|
* Omnituum PQC Shared - Entropy & Randomness Utilities
|
package/dist/utils/index.d.ts
CHANGED
|
@@ -1,6 +1,5 @@
|
|
|
1
|
-
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-
|
|
2
|
-
import '../types-
|
|
3
|
-
import '../version-BygzPVGs.js';
|
|
1
|
+
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-BPvNsC50.js';
|
|
2
|
+
import '../types-Dx_AFqow.js';
|
|
4
3
|
|
|
5
4
|
/**
|
|
6
5
|
* Omnituum PQC Shared - Entropy & Randomness Utilities
|
package/dist/vault/index.cjs
CHANGED
|
@@ -2,8 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
require('@noble/hashes/sha2.js');
|
|
4
4
|
require('@noble/hashes/hmac.js');
|
|
5
|
+
var envelopeRegistry = require('@omnituum/envelope-registry');
|
|
5
6
|
var hashWasm = require('hash-wasm');
|
|
6
7
|
var nacl = require('tweetnacl');
|
|
8
|
+
var mlKem_js = require('@noble/post-quantum/ml-kem.js');
|
|
7
9
|
require('@noble/hashes/blake3.js');
|
|
8
10
|
require('@noble/ciphers/chacha.js');
|
|
9
11
|
require('@noble/hashes/hkdf.js');
|
|
@@ -39,9 +41,12 @@ function fromB64(str) {
|
|
|
39
41
|
function toHex(bytes) {
|
|
40
42
|
return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
|
|
41
43
|
}
|
|
44
|
+
function randN(n) {
|
|
45
|
+
return globalThis.crypto.getRandomValues(new Uint8Array(n));
|
|
46
|
+
}
|
|
42
47
|
var b64 = toB64;
|
|
43
|
-
|
|
44
|
-
|
|
48
|
+
envelopeRegistry.OMNI_VERSIONS.HYBRID_V1;
|
|
49
|
+
envelopeRegistry.DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
|
|
45
50
|
var VAULT_VERSION = "omnituum.vault.v1";
|
|
46
51
|
var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
|
|
47
52
|
var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
|
|
@@ -364,46 +369,13 @@ function generateX25519Keypair() {
|
|
|
364
369
|
secretBytes: kp.secretKey
|
|
365
370
|
};
|
|
366
371
|
}
|
|
367
|
-
var kyberModule = null;
|
|
368
|
-
async function loadKyber() {
|
|
369
|
-
if (kyberModule) return kyberModule;
|
|
370
|
-
try {
|
|
371
|
-
const m = await import('kyber-crystals');
|
|
372
|
-
const k = m.default ?? m;
|
|
373
|
-
kyberModule = k.kyber ?? k;
|
|
374
|
-
return kyberModule;
|
|
375
|
-
} catch (e) {
|
|
376
|
-
console.warn("[Kyber] Failed to load kyber-crystals:", e);
|
|
377
|
-
return null;
|
|
378
|
-
}
|
|
379
|
-
}
|
|
380
372
|
async function generateKyberKeypair() {
|
|
381
|
-
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
const fn = mod?.keypair ?? mod?.keyPair ?? mod?.generateKeyPair ?? null;
|
|
388
|
-
if (typeof fn !== "function") {
|
|
389
|
-
console.warn("[Kyber] No keypair function found");
|
|
390
|
-
return null;
|
|
391
|
-
}
|
|
392
|
-
const kp = await fn.call(mod);
|
|
393
|
-
const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
|
|
394
|
-
const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
|
|
395
|
-
if (!pub || !priv) {
|
|
396
|
-
console.warn("[Kyber] Invalid keypair result");
|
|
397
|
-
return null;
|
|
398
|
-
}
|
|
399
|
-
return {
|
|
400
|
-
publicB64: b64(new Uint8Array(pub)),
|
|
401
|
-
secretB64: b64(new Uint8Array(priv))
|
|
402
|
-
};
|
|
403
|
-
} catch (e) {
|
|
404
|
-
console.warn("[Kyber] Key generation failed:", e);
|
|
405
|
-
return null;
|
|
406
|
-
}
|
|
373
|
+
const seed = randN(64);
|
|
374
|
+
const kp = mlKem_js.ml_kem1024.keygen(seed);
|
|
375
|
+
return {
|
|
376
|
+
publicB64: b64(kp.publicKey),
|
|
377
|
+
secretB64: b64(kp.secretKey)
|
|
378
|
+
};
|
|
407
379
|
}
|
|
408
380
|
|
|
409
381
|
// src/vault/manager.ts
|
package/dist/vault/index.d.cts
CHANGED
|
@@ -1,6 +1,5 @@
|
|
|
1
|
-
import { O as OmnituumVault, E as EncryptedVaultFile,
|
|
2
|
-
export { D as DEFAULT_VAULT_SETTINGS,
|
|
3
|
-
import '../version-BygzPVGs.cjs';
|
|
1
|
+
import { O as OmnituumVault, E as EncryptedVaultFile, k as EncryptedVaultFileV2, H as HybridIdentityRecord, l as VaultSettings, m as VaultSession } from '../types-Dx_AFqow.cjs';
|
|
2
|
+
export { D as DEFAULT_VAULT_SETTINGS, n as EncryptedVaultFileV1, o as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-Dx_AFqow.cjs';
|
|
4
3
|
|
|
5
4
|
/**
|
|
6
5
|
* Omnituum PQC Shared - Vault Encryption
|