@omnituum/pqc-shared 0.3.1 → 0.4.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/crypto/index.cjs +39 -71
- package/dist/crypto/index.d.cts +48 -45
- package/dist/crypto/index.d.ts +48 -45
- package/dist/crypto/index.js +33 -72
- package/dist/crypto/safe/index.cjs +556 -0
- package/dist/crypto/safe/index.d.cts +341 -0
- package/dist/crypto/safe/index.d.ts +341 -0
- package/dist/crypto/safe/index.js +524 -0
- package/dist/fs/index.cjs +6 -34
- package/dist/fs/index.js +6 -34
- package/dist/index.cjs +39 -71
- package/dist/index.d.cts +4 -4
- package/dist/index.d.ts +4 -4
- package/dist/index.js +33 -72
- package/dist/{integrity-Dx9jukMH.d.cts → integrity-BenoFsmP.d.cts} +1 -1
- package/dist/{integrity-CCYjrap3.d.ts → integrity-D9J98Bty.d.ts} +1 -1
- package/dist/{types-61c7Q9ri.d.ts → types-CRka8PC7.d.cts} +54 -2
- package/dist/{types-Ch0y-n7K.d.cts → types-CRka8PC7.d.ts} +54 -2
- package/dist/utils/index.d.cts +2 -3
- package/dist/utils/index.d.ts +2 -3
- package/dist/vault/index.cjs +13 -41
- package/dist/vault/index.d.cts +2 -3
- package/dist/vault/index.d.ts +2 -3
- package/dist/vault/index.js +13 -41
- package/package.json +13 -5
- package/src/crypto/dilithium.ts +8 -4
- package/src/crypto/hybrid.ts +13 -29
- package/src/crypto/index.ts +9 -1
- package/src/crypto/kyber.ts +80 -118
- package/src/crypto/safe/adapters.ts +306 -0
- package/src/crypto/safe/dilithium.ts +74 -0
- package/src/crypto/safe/index.ts +97 -0
- package/src/crypto/safe/kyber.ts +47 -0
- package/src/crypto/safe/manifests.ts +192 -0
- package/src/crypto/safe/secretbox.ts +24 -0
- package/src/crypto/safe/types.ts +88 -0
- package/src/crypto/safe/x25519.ts +31 -0
- package/src/index.ts +12 -4
- package/src/version.ts +9 -4
- package/dist/version-BygzPVGs.d.cts +0 -55
- package/dist/version-BygzPVGs.d.ts +0 -55
package/dist/index.cjs
CHANGED
|
@@ -3,6 +3,8 @@
|
|
|
3
3
|
var nacl4 = require('tweetnacl');
|
|
4
4
|
var sha2_js = require('@noble/hashes/sha2.js');
|
|
5
5
|
var hmac_js = require('@noble/hashes/hmac.js');
|
|
6
|
+
var mlKem_js = require('@noble/post-quantum/ml-kem.js');
|
|
7
|
+
var envelopeRegistry = require('@omnituum/envelope-registry');
|
|
6
8
|
var hashWasm = require('hash-wasm');
|
|
7
9
|
var blake3_js = require('@noble/hashes/blake3.js');
|
|
8
10
|
var chacha_js = require('@noble/ciphers/chacha.js');
|
|
@@ -152,78 +154,42 @@ function x25519SharedSecret(ourSecretKey, theirPublicKey) {
|
|
|
152
154
|
function deriveKeyFromShared(shared, salt, info) {
|
|
153
155
|
return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
|
|
154
156
|
}
|
|
155
|
-
var
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
kyberModule = k.kyber ?? k;
|
|
162
|
-
return kyberModule;
|
|
163
|
-
} catch (e) {
|
|
164
|
-
console.warn("[Kyber] Failed to load kyber-crystals:", e);
|
|
165
|
-
return null;
|
|
166
|
-
}
|
|
167
|
-
}
|
|
157
|
+
var KYBER_SUITE = "ML-KEM-1024-FIPS203";
|
|
158
|
+
var KYBER_PUBLIC_KEY_SIZE = 1568;
|
|
159
|
+
var KYBER_SECRET_KEY_SIZE = 3168;
|
|
160
|
+
var KYBER_CIPHERTEXT_SIZE = 1568;
|
|
161
|
+
var KYBER_SHARED_SECRET_SIZE = 32;
|
|
162
|
+
var KYBER_SEED_SIZE = 64;
|
|
168
163
|
async function isKyberAvailable() {
|
|
169
|
-
|
|
170
|
-
return mod !== null;
|
|
164
|
+
return true;
|
|
171
165
|
}
|
|
172
166
|
async function generateKyberKeypair() {
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
}
|
|
184
|
-
const kp = await fn.call(mod);
|
|
185
|
-
const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
|
|
186
|
-
const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
|
|
187
|
-
if (!pub || !priv) {
|
|
188
|
-
console.warn("[Kyber] Invalid keypair result");
|
|
189
|
-
return null;
|
|
190
|
-
}
|
|
191
|
-
return {
|
|
192
|
-
publicB64: b64(new Uint8Array(pub)),
|
|
193
|
-
secretB64: b64(new Uint8Array(priv))
|
|
194
|
-
};
|
|
195
|
-
} catch (e) {
|
|
196
|
-
console.warn("[Kyber] Key generation failed:", e);
|
|
197
|
-
return null;
|
|
167
|
+
const seed = randN(64);
|
|
168
|
+
const kp = mlKem_js.ml_kem1024.keygen(seed);
|
|
169
|
+
return {
|
|
170
|
+
publicB64: b64(kp.publicKey),
|
|
171
|
+
secretB64: b64(kp.secretKey)
|
|
172
|
+
};
|
|
173
|
+
}
|
|
174
|
+
function generateKyberKeypairFromSeed(seed) {
|
|
175
|
+
if (seed.length !== 64) {
|
|
176
|
+
throw new Error("Kyber seed must be 64 bytes");
|
|
198
177
|
}
|
|
178
|
+
const kp = mlKem_js.ml_kem1024.keygen(seed);
|
|
179
|
+
return { publicKey: kp.publicKey, secretKey: kp.secretKey };
|
|
199
180
|
}
|
|
200
181
|
async function kyberEncapsulate(pubKeyB64) {
|
|
201
|
-
const kyber = await loadKyber();
|
|
202
|
-
if (!kyber?.encrypt) {
|
|
203
|
-
throw new Error("Kyber encrypt not available");
|
|
204
|
-
}
|
|
205
182
|
const pk = ub64(pubKeyB64);
|
|
206
|
-
const
|
|
207
|
-
const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
|
|
208
|
-
const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
|
|
209
|
-
if (!ctRaw || !ssRaw) {
|
|
210
|
-
throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
|
|
211
|
-
}
|
|
183
|
+
const enc = mlKem_js.ml_kem1024.encapsulate(pk);
|
|
212
184
|
return {
|
|
213
|
-
ciphertext:
|
|
214
|
-
sharedSecret:
|
|
185
|
+
ciphertext: enc.cipherText,
|
|
186
|
+
sharedSecret: enc.sharedSecret
|
|
215
187
|
};
|
|
216
188
|
}
|
|
217
189
|
async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
|
|
218
|
-
const kyber = await loadKyber();
|
|
219
|
-
if (!kyber?.decrypt && !kyber?.decapsulate) {
|
|
220
|
-
throw new Error("Kyber decrypt/decapsulate not available");
|
|
221
|
-
}
|
|
222
190
|
const ct = ub64(kemCiphertextB64);
|
|
223
191
|
const sk = ub64(secretKeyB64);
|
|
224
|
-
|
|
225
|
-
const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
|
|
226
|
-
return new Uint8Array(key);
|
|
192
|
+
return mlKem_js.ml_kem1024.decapsulate(ct, sk);
|
|
227
193
|
}
|
|
228
194
|
function kyberWrapKey(sharedSecret, msgKey32) {
|
|
229
195
|
if (msgKey32.length !== 32) {
|
|
@@ -232,10 +198,7 @@ function kyberWrapKey(sharedSecret, msgKey32) {
|
|
|
232
198
|
const kek = sha256(sharedSecret);
|
|
233
199
|
const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
|
|
234
200
|
const wrapped = nacl4__default.default.secretbox(msgKey32, nonce, kek);
|
|
235
|
-
return {
|
|
236
|
-
nonce: b64(nonce),
|
|
237
|
-
wrapped: b64(wrapped)
|
|
238
|
-
};
|
|
201
|
+
return { nonce: b64(nonce), wrapped: b64(wrapped) };
|
|
239
202
|
}
|
|
240
203
|
function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
|
|
241
204
|
const kek = sha256(sharedSecret);
|
|
@@ -243,10 +206,8 @@ function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
|
|
|
243
206
|
const wrapped = ub64(wrappedB64);
|
|
244
207
|
return nacl4__default.default.secretbox.open(wrapped, nonce, kek) || null;
|
|
245
208
|
}
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
var ENVELOPE_VERSION = "omnituum.hybrid.v1";
|
|
249
|
-
var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
|
|
209
|
+
var ENVELOPE_VERSION = envelopeRegistry.OMNI_VERSIONS.HYBRID_V1;
|
|
210
|
+
var ENVELOPE_VERSION_LEGACY = envelopeRegistry.DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
|
|
250
211
|
var VAULT_VERSION = "omnituum.vault.v1";
|
|
251
212
|
var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
|
|
252
213
|
var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
|
|
@@ -587,7 +548,7 @@ async function dilithiumSign(message, secretKeyB64) {
|
|
|
587
548
|
}
|
|
588
549
|
const sk = fromB64(secretKeyB64);
|
|
589
550
|
const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
|
|
590
|
-
const signature = mod.sign(
|
|
551
|
+
const signature = mod.sign(msg, sk);
|
|
591
552
|
return {
|
|
592
553
|
signature: toB64(signature),
|
|
593
554
|
algorithm: "ML-DSA-65"
|
|
@@ -598,7 +559,7 @@ async function dilithiumSignRaw(message, secretKey) {
|
|
|
598
559
|
if (!mod) {
|
|
599
560
|
throw new Error("Dilithium library not available");
|
|
600
561
|
}
|
|
601
|
-
return mod.sign(
|
|
562
|
+
return mod.sign(message, secretKey);
|
|
602
563
|
}
|
|
603
564
|
async function dilithiumVerify(message, signatureB64, publicKeyB64) {
|
|
604
565
|
const mod = await loadDilithium();
|
|
@@ -609,7 +570,7 @@ async function dilithiumVerify(message, signatureB64, publicKeyB64) {
|
|
|
609
570
|
const sig = fromB64(signatureB64);
|
|
610
571
|
const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
|
|
611
572
|
try {
|
|
612
|
-
return mod.verify(
|
|
573
|
+
return mod.verify(sig, msg, pk);
|
|
613
574
|
} catch {
|
|
614
575
|
return false;
|
|
615
576
|
}
|
|
@@ -620,7 +581,7 @@ async function dilithiumVerifyRaw(message, signature, publicKey) {
|
|
|
620
581
|
throw new Error("Dilithium library not available");
|
|
621
582
|
}
|
|
622
583
|
try {
|
|
623
|
-
return mod.verify(
|
|
584
|
+
return mod.verify(signature, message, publicKey);
|
|
624
585
|
} catch {
|
|
625
586
|
return false;
|
|
626
587
|
}
|
|
@@ -2046,6 +2007,12 @@ exports.ENVELOPE_SUITE = ENVELOPE_SUITE;
|
|
|
2046
2007
|
exports.ENVELOPE_VERSION = ENVELOPE_VERSION;
|
|
2047
2008
|
exports.KDF_CONFIG_ARGON2ID = KDF_CONFIG_ARGON2ID;
|
|
2048
2009
|
exports.KDF_CONFIG_PBKDF2 = KDF_CONFIG_PBKDF2;
|
|
2010
|
+
exports.KYBER_CIPHERTEXT_SIZE = KYBER_CIPHERTEXT_SIZE;
|
|
2011
|
+
exports.KYBER_PUBLIC_KEY_SIZE = KYBER_PUBLIC_KEY_SIZE;
|
|
2012
|
+
exports.KYBER_SECRET_KEY_SIZE = KYBER_SECRET_KEY_SIZE;
|
|
2013
|
+
exports.KYBER_SEED_SIZE = KYBER_SEED_SIZE;
|
|
2014
|
+
exports.KYBER_SHARED_SECRET_SIZE = KYBER_SHARED_SECRET_SIZE;
|
|
2015
|
+
exports.KYBER_SUITE = KYBER_SUITE;
|
|
2049
2016
|
exports.POLY1305_TAG_SIZE = POLY1305_TAG_SIZE;
|
|
2050
2017
|
exports.SECRETBOX_KEY_SIZE = SECRETBOX_KEY_SIZE;
|
|
2051
2018
|
exports.SECRETBOX_NONCE_SIZE = SECRETBOX_NONCE_SIZE;
|
|
@@ -2101,6 +2068,7 @@ exports.generateDilithiumKeypair = generateDilithiumKeypair;
|
|
|
2101
2068
|
exports.generateDilithiumKeypairFromSeed = generateDilithiumKeypairFromSeed;
|
|
2102
2069
|
exports.generateHybridIdentity = generateHybridIdentity;
|
|
2103
2070
|
exports.generateKyberKeypair = generateKyberKeypair;
|
|
2071
|
+
exports.generateKyberKeypairFromSeed = generateKyberKeypairFromSeed;
|
|
2104
2072
|
exports.generateSalt = generateSalt;
|
|
2105
2073
|
exports.generateX25519Keypair = generateX25519Keypair;
|
|
2106
2074
|
exports.generateX25519KeypairFromSeed = generateX25519KeypairFromSeed;
|
package/dist/index.d.cts
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KyberEncapsulation, KyberKeypair, KyberKeypairB64, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.cjs';
|
|
2
|
-
export { E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault } from './types-
|
|
1
|
+
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KYBER_CIPHERTEXT_SIZE, KYBER_PUBLIC_KEY_SIZE, KYBER_SECRET_KEY_SIZE, KYBER_SEED_SIZE, KYBER_SHARED_SECRET_SIZE, KYBER_SUITE, KyberEncapsulation, KyberKeypair, KyberKeypairB64, KyberSuite, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.cjs';
|
|
2
|
+
export { e as ENVELOPE_AEAD, d as ENVELOPE_SUITE, c as ENVELOPE_VERSION, E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault, h as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, b as VAULT_ENCRYPTED_VERSION_V2, f as VAULT_KDF, g as VAULT_KDF_V2, V as VAULT_VERSION, j as validateEncryptedVault, i as validateEnvelope, v as validateVault } from './types-CRka8PC7.cjs';
|
|
3
3
|
export { MigrationOptions, MigrationResult, addIdentity, createEmptyVault, createIdentity, decryptVault, encryptVault, getVaultKdfInfo, isV2Vault, migrateEncryptedVault, needsMigration } from './vault/index.cjs';
|
|
4
|
-
export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-
|
|
5
|
-
export { g as ENVELOPE_AEAD, f as ENVELOPE_SUITE, E as ENVELOPE_VERSION, c as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, d as VAULT_ENCRYPTED_VERSION_V2, b as VAULT_KDF, e as VAULT_KDF_V2, V as VAULT_VERSION, i as validateEncryptedVault, h as validateEnvelope, v as validateVault } from './version-BygzPVGs.cjs';
|
|
4
|
+
export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-BenoFsmP.cjs';
|
|
6
5
|
export { D as DecryptOptions, E as EncryptOptions, c as OQEDecryptResult, O as OQEEncryptResult, d as decryptFile, b as decryptFileWithPassword, e as encryptFile, a as encryptFileWithPassword } from './decrypt-eSHlbh1j.cjs';
|
|
6
|
+
import '@omnituum/envelope-registry';
|
|
7
7
|
import '@noble/ciphers/utils.js';
|
|
8
8
|
|
|
9
9
|
/**
|
package/dist/index.d.ts
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
|
-
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KyberEncapsulation, KyberKeypair, KyberKeypairB64, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.js';
|
|
2
|
-
export { E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault } from './types-
|
|
1
|
+
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, BoxPayload, CHACHA20_KEY_SIZE, ClassicalWrap, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, DilithiumKeypair, DilithiumKeypairB64, DilithiumSignature, HybridEnvelope, HybridIdentity, HybridPublicKeys, HybridSecretKeys, KYBER_CIPHERTEXT_SIZE, KYBER_PUBLIC_KEY_SIZE, KYBER_SECRET_KEY_SIZE, KYBER_SEED_SIZE, KYBER_SHARED_SECRET_SIZE, KYBER_SUITE, KyberEncapsulation, KyberKeypair, KyberKeypairB64, KyberSuite, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecretboxPayload, X25519Keypair, X25519KeypairHex, XCHACHA20_NONCE_SIZE, assertLen, b64, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, createChaCha20Poly1305, createXChaCha20Poly1305, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getSecretKeys, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt } from './crypto/index.js';
|
|
2
|
+
export { e as ENVELOPE_AEAD, d as ENVELOPE_SUITE, c as ENVELOPE_VERSION, E as EncryptedVaultFile, H as HybridIdentityRecord, O as OmnituumVault, h as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, b as VAULT_ENCRYPTED_VERSION_V2, f as VAULT_KDF, g as VAULT_KDF_V2, V as VAULT_VERSION, j as validateEncryptedVault, i as validateEnvelope, v as validateVault } from './types-CRka8PC7.js';
|
|
3
3
|
export { MigrationOptions, MigrationResult, addIdentity, createEmptyVault, createIdentity, decryptVault, encryptVault, getVaultKdfInfo, isV2Vault, migrateEncryptedVault, needsMigration } from './vault/index.js';
|
|
4
|
-
export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-
|
|
5
|
-
export { g as ENVELOPE_AEAD, f as ENVELOPE_SUITE, E as ENVELOPE_VERSION, c as VAULT_ALGORITHM, a as VAULT_ENCRYPTED_VERSION, d as VAULT_ENCRYPTED_VERSION_V2, b as VAULT_KDF, e as VAULT_KDF_V2, V as VAULT_VERSION, i as validateEncryptedVault, h as validateEnvelope, v as validateVault } from './version-BygzPVGs.js';
|
|
4
|
+
export { c as computeIntegrityHash, b as computeKeyFingerprint } from './integrity-D9J98Bty.js';
|
|
6
5
|
export { D as DecryptOptions, E as EncryptOptions, c as OQEDecryptResult, O as OQEEncryptResult, d as decryptFile, b as decryptFileWithPassword, e as encryptFile, a as encryptFileWithPassword } from './decrypt-eSHlbh1j.js';
|
|
6
|
+
import '@omnituum/envelope-registry';
|
|
7
7
|
import '@noble/ciphers/utils.js';
|
|
8
8
|
|
|
9
9
|
/**
|
package/dist/index.js
CHANGED
|
@@ -1,6 +1,8 @@
|
|
|
1
1
|
import nacl4 from 'tweetnacl';
|
|
2
2
|
import { sha256 as sha256$1, sha512 } from '@noble/hashes/sha2.js';
|
|
3
3
|
import { hmac } from '@noble/hashes/hmac.js';
|
|
4
|
+
import { ml_kem1024 } from '@noble/post-quantum/ml-kem.js';
|
|
5
|
+
import { OMNI_VERSIONS, DEPRECATED_VERSIONS } from '@omnituum/envelope-registry';
|
|
4
6
|
import { argon2id } from 'hash-wasm';
|
|
5
7
|
import { blake3 as blake3$1 } from '@noble/hashes/blake3.js';
|
|
6
8
|
import { chacha20poly1305, xchacha20poly1305 } from '@noble/ciphers/chacha.js';
|
|
@@ -146,78 +148,42 @@ function x25519SharedSecret(ourSecretKey, theirPublicKey) {
|
|
|
146
148
|
function deriveKeyFromShared(shared, salt, info) {
|
|
147
149
|
return hkdfSha256(shared, { salt: u8(salt), info: u8(info), length: 32 });
|
|
148
150
|
}
|
|
149
|
-
var
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
kyberModule = k.kyber ?? k;
|
|
156
|
-
return kyberModule;
|
|
157
|
-
} catch (e) {
|
|
158
|
-
console.warn("[Kyber] Failed to load kyber-crystals:", e);
|
|
159
|
-
return null;
|
|
160
|
-
}
|
|
161
|
-
}
|
|
151
|
+
var KYBER_SUITE = "ML-KEM-1024-FIPS203";
|
|
152
|
+
var KYBER_PUBLIC_KEY_SIZE = 1568;
|
|
153
|
+
var KYBER_SECRET_KEY_SIZE = 3168;
|
|
154
|
+
var KYBER_CIPHERTEXT_SIZE = 1568;
|
|
155
|
+
var KYBER_SHARED_SECRET_SIZE = 32;
|
|
156
|
+
var KYBER_SEED_SIZE = 64;
|
|
162
157
|
async function isKyberAvailable() {
|
|
163
|
-
|
|
164
|
-
return mod !== null;
|
|
158
|
+
return true;
|
|
165
159
|
}
|
|
166
160
|
async function generateKyberKeypair() {
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
}
|
|
178
|
-
const kp = await fn.call(mod);
|
|
179
|
-
const pub = kp?.publicKey ?? kp?.public ?? kp?.pk;
|
|
180
|
-
const priv = kp?.privateKey ?? kp?.secretKey ?? kp?.secret ?? kp?.sk;
|
|
181
|
-
if (!pub || !priv) {
|
|
182
|
-
console.warn("[Kyber] Invalid keypair result");
|
|
183
|
-
return null;
|
|
184
|
-
}
|
|
185
|
-
return {
|
|
186
|
-
publicB64: b64(new Uint8Array(pub)),
|
|
187
|
-
secretB64: b64(new Uint8Array(priv))
|
|
188
|
-
};
|
|
189
|
-
} catch (e) {
|
|
190
|
-
console.warn("[Kyber] Key generation failed:", e);
|
|
191
|
-
return null;
|
|
161
|
+
const seed = randN(64);
|
|
162
|
+
const kp = ml_kem1024.keygen(seed);
|
|
163
|
+
return {
|
|
164
|
+
publicB64: b64(kp.publicKey),
|
|
165
|
+
secretB64: b64(kp.secretKey)
|
|
166
|
+
};
|
|
167
|
+
}
|
|
168
|
+
function generateKyberKeypairFromSeed(seed) {
|
|
169
|
+
if (seed.length !== 64) {
|
|
170
|
+
throw new Error("Kyber seed must be 64 bytes");
|
|
192
171
|
}
|
|
172
|
+
const kp = ml_kem1024.keygen(seed);
|
|
173
|
+
return { publicKey: kp.publicKey, secretKey: kp.secretKey };
|
|
193
174
|
}
|
|
194
175
|
async function kyberEncapsulate(pubKeyB64) {
|
|
195
|
-
const kyber = await loadKyber();
|
|
196
|
-
if (!kyber?.encrypt) {
|
|
197
|
-
throw new Error("Kyber encrypt not available");
|
|
198
|
-
}
|
|
199
176
|
const pk = ub64(pubKeyB64);
|
|
200
|
-
const
|
|
201
|
-
const ctRaw = r?.ciphertext ?? r?.cyphertext ?? r?.ct ?? r?.bytes?.ciphertext ?? r?.bytes?.cyphertext ?? r?.bytes?.ct ?? (Array.isArray(r) ? r[0] : void 0);
|
|
202
|
-
const ssRaw = r?.key ?? r?.sharedSecret ?? r?.secret ?? r?.bytes?.key ?? r?.bytes?.sharedSecret ?? (Array.isArray(r) ? r[1] : void 0);
|
|
203
|
-
if (!ctRaw || !ssRaw) {
|
|
204
|
-
throw new Error("Kyber encapsulate failed: missing ciphertext or shared secret");
|
|
205
|
-
}
|
|
177
|
+
const enc = ml_kem1024.encapsulate(pk);
|
|
206
178
|
return {
|
|
207
|
-
ciphertext:
|
|
208
|
-
sharedSecret:
|
|
179
|
+
ciphertext: enc.cipherText,
|
|
180
|
+
sharedSecret: enc.sharedSecret
|
|
209
181
|
};
|
|
210
182
|
}
|
|
211
183
|
async function kyberDecapsulate(kemCiphertextB64, secretKeyB64) {
|
|
212
|
-
const kyber = await loadKyber();
|
|
213
|
-
if (!kyber?.decrypt && !kyber?.decapsulate) {
|
|
214
|
-
throw new Error("Kyber decrypt/decapsulate not available");
|
|
215
|
-
}
|
|
216
184
|
const ct = ub64(kemCiphertextB64);
|
|
217
185
|
const sk = ub64(secretKeyB64);
|
|
218
|
-
|
|
219
|
-
const key = r && (r.key ?? r.sharedSecret) ? r.key ?? r.sharedSecret : r;
|
|
220
|
-
return new Uint8Array(key);
|
|
186
|
+
return ml_kem1024.decapsulate(ct, sk);
|
|
221
187
|
}
|
|
222
188
|
function kyberWrapKey(sharedSecret, msgKey32) {
|
|
223
189
|
if (msgKey32.length !== 32) {
|
|
@@ -226,10 +192,7 @@ function kyberWrapKey(sharedSecret, msgKey32) {
|
|
|
226
192
|
const kek = sha256(sharedSecret);
|
|
227
193
|
const nonce = globalThis.crypto.getRandomValues(new Uint8Array(24));
|
|
228
194
|
const wrapped = nacl4.secretbox(msgKey32, nonce, kek);
|
|
229
|
-
return {
|
|
230
|
-
nonce: b64(nonce),
|
|
231
|
-
wrapped: b64(wrapped)
|
|
232
|
-
};
|
|
195
|
+
return { nonce: b64(nonce), wrapped: b64(wrapped) };
|
|
233
196
|
}
|
|
234
197
|
function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
|
|
235
198
|
const kek = sha256(sharedSecret);
|
|
@@ -237,10 +200,8 @@ function kyberUnwrapKey(sharedSecret, nonceB64, wrappedB64) {
|
|
|
237
200
|
const wrapped = ub64(wrappedB64);
|
|
238
201
|
return nacl4.secretbox.open(wrapped, nonce, kek) || null;
|
|
239
202
|
}
|
|
240
|
-
|
|
241
|
-
|
|
242
|
-
var ENVELOPE_VERSION = "omnituum.hybrid.v1";
|
|
243
|
-
var ENVELOPE_VERSION_LEGACY = "pqc-demo.hybrid.v1";
|
|
203
|
+
var ENVELOPE_VERSION = OMNI_VERSIONS.HYBRID_V1;
|
|
204
|
+
var ENVELOPE_VERSION_LEGACY = DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
|
|
244
205
|
var VAULT_VERSION = "omnituum.vault.v1";
|
|
245
206
|
var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
|
|
246
207
|
var VAULT_ENCRYPTED_VERSION_V2 = "omnituum.vault.enc.v2";
|
|
@@ -581,7 +542,7 @@ async function dilithiumSign(message, secretKeyB64) {
|
|
|
581
542
|
}
|
|
582
543
|
const sk = fromB64(secretKeyB64);
|
|
583
544
|
const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
|
|
584
|
-
const signature = mod.sign(
|
|
545
|
+
const signature = mod.sign(msg, sk);
|
|
585
546
|
return {
|
|
586
547
|
signature: toB64(signature),
|
|
587
548
|
algorithm: "ML-DSA-65"
|
|
@@ -592,7 +553,7 @@ async function dilithiumSignRaw(message, secretKey) {
|
|
|
592
553
|
if (!mod) {
|
|
593
554
|
throw new Error("Dilithium library not available");
|
|
594
555
|
}
|
|
595
|
-
return mod.sign(
|
|
556
|
+
return mod.sign(message, secretKey);
|
|
596
557
|
}
|
|
597
558
|
async function dilithiumVerify(message, signatureB64, publicKeyB64) {
|
|
598
559
|
const mod = await loadDilithium();
|
|
@@ -603,7 +564,7 @@ async function dilithiumVerify(message, signatureB64, publicKeyB64) {
|
|
|
603
564
|
const sig = fromB64(signatureB64);
|
|
604
565
|
const msg = typeof message === "string" ? new TextEncoder().encode(message) : message;
|
|
605
566
|
try {
|
|
606
|
-
return mod.verify(
|
|
567
|
+
return mod.verify(sig, msg, pk);
|
|
607
568
|
} catch {
|
|
608
569
|
return false;
|
|
609
570
|
}
|
|
@@ -614,7 +575,7 @@ async function dilithiumVerifyRaw(message, signature, publicKey) {
|
|
|
614
575
|
throw new Error("Dilithium library not available");
|
|
615
576
|
}
|
|
616
577
|
try {
|
|
617
|
-
return mod.verify(
|
|
578
|
+
return mod.verify(signature, message, publicKey);
|
|
618
579
|
} catch {
|
|
619
580
|
return false;
|
|
620
581
|
}
|
|
@@ -2027,4 +1988,4 @@ function createTunnelSession(keys) {
|
|
|
2027
1988
|
};
|
|
2028
1989
|
}
|
|
2029
1990
|
|
|
2030
|
-
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, ENVELOPE_AEAD, ENVELOPE_SUITE, ENVELOPE_VERSION, KDF_CONFIG_ARGON2ID, KDF_CONFIG_PBKDF2, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecureBuffer, TUNNEL_KEY_SIZE, TUNNEL_NONCE_SIZE, TUNNEL_VERSION, VAULT_ALGORITHM, VAULT_ENCRYPTED_VERSION, VAULT_ENCRYPTED_VERSION_V2, VAULT_KDF, VAULT_KDF_V2, VAULT_VERSION, XCHACHA20_NONCE_SIZE, addIdentity, assertLen, b64, benchmarkKDF, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, computeIntegrityHash, computeKeyFingerprint, constantTimeEqual, createChaCha20Poly1305, createEmptyVault, createIdentity, createSession, createTunnelSession, createXChaCha20Poly1305, decryptFile, decryptFileWithPassword, decryptVault, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, encryptFile, encryptFileWithPassword, encryptVault, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateSalt, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getRecommendedConfig, getSecretKeys, getVaultKdfInfo, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, isSessionTimedOut, isV2Vault, kdfDeriveKey, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, lockSecureSession, migrateEncryptedVault, needsMigration, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, unlockSecureSession, validateEncryptedVault, validateEnvelope, validateVault, withSecureData, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt, zeroAll, zeroMemory };
|
|
1991
|
+
export { BLAKE3_OUTPUT_LENGTH, BOX_KEY_SIZE, BOX_NONCE_SIZE, CHACHA20_KEY_SIZE, DILITHIUM_ALGORITHM, DILITHIUM_PUBLIC_KEY_SIZE, DILITHIUM_SECRET_KEY_SIZE, DILITHIUM_SIGNATURE_SIZE, ENVELOPE_AEAD, ENVELOPE_SUITE, ENVELOPE_VERSION, KDF_CONFIG_ARGON2ID, KDF_CONFIG_PBKDF2, KYBER_CIPHERTEXT_SIZE, KYBER_PUBLIC_KEY_SIZE, KYBER_SECRET_KEY_SIZE, KYBER_SEED_SIZE, KYBER_SHARED_SECRET_SIZE, KYBER_SUITE, POLY1305_TAG_SIZE, SECRETBOX_KEY_SIZE, SECRETBOX_NONCE_SIZE, SECRETBOX_OVERHEAD, SecureBuffer, TUNNEL_KEY_SIZE, TUNNEL_NONCE_SIZE, TUNNEL_VERSION, VAULT_ALGORITHM, VAULT_ENCRYPTED_VERSION, VAULT_ENCRYPTED_VERSION_V2, VAULT_KDF, VAULT_KDF_V2, VAULT_VERSION, XCHACHA20_NONCE_SIZE, addIdentity, assertLen, b64, benchmarkKDF, blake3, blake3DeriveKey, blake3Hex, blake3Mac, boxDecrypt, boxEncrypt, boxUnwrapWithX25519, boxWrapWithX25519, chaCha20Poly1305Decrypt, chaCha20Poly1305Encrypt, computeIntegrityHash, computeKeyFingerprint, constantTimeEqual, createChaCha20Poly1305, createEmptyVault, createIdentity, createSession, createTunnelSession, createXChaCha20Poly1305, decryptFile, decryptFileWithPassword, decryptVault, deriveKeyFromShared, dilithiumSign, dilithiumSignRaw, dilithiumVerify, dilithiumVerifyRaw, encryptFile, encryptFileWithPassword, encryptVault, fromB64, fromHex, generateDilithiumKeypair, generateDilithiumKeypairFromSeed, generateHybridIdentity, generateKyberKeypair, generateKyberKeypairFromSeed, generateSalt, generateX25519Keypair, generateX25519KeypairFromSeed, getPublicKeys, getRecommendedConfig, getSecretKeys, getVaultKdfInfo, hkdfDerive, hkdfExpand, hkdfExtract, hkdfSha256, hkdfSplitForNoise, hkdfTripleSplitForNoise, hybridDecrypt, hybridDecryptToString, hybridEncrypt, isDilithiumAvailable, isKyberAvailable, isSessionTimedOut, isV2Vault, kdfDeriveKey, kyberDecapsulate, kyberEncapsulate, kyberUnwrapKey, kyberWrapKey, lockSecureSession, migrateEncryptedVault, needsMigration, rand12, rand24, rand32, randN, secretboxDecrypt, secretboxDecryptString, secretboxEncrypt, secretboxEncryptString, secretboxOpenRaw, secretboxRaw, sha256, sha256String, textDecoder, textEncoder, toB64, toHex, u8, ub64, unlockSecureSession, validateEncryptedVault, validateEnvelope, validateVault, withSecureData, x25519SharedSecret, xChaCha20Poly1305Decrypt, xChaCha20Poly1305Encrypt, zeroAll, zeroMemory };
|
|
@@ -1,4 +1,56 @@
|
|
|
1
|
-
|
|
1
|
+
/**
|
|
2
|
+
* Omnituum PQC Shared - Version Constants & Guards
|
|
3
|
+
*
|
|
4
|
+
* FROZEN CONTRACTS: These version strings define the wire format.
|
|
5
|
+
* Breaking changes require a version bump.
|
|
6
|
+
*
|
|
7
|
+
* @see pqc-docs/specs/envelope.v1.md
|
|
8
|
+
* @see pqc-docs/specs/vault.v1.md
|
|
9
|
+
* @see pqc-docs/specs/identity.v1.md
|
|
10
|
+
*/
|
|
11
|
+
/** HybridEnvelope version - hybrid encryption format (from registry) */
|
|
12
|
+
declare const ENVELOPE_VERSION: any;
|
|
13
|
+
/** OmnituumVault version - decrypted vault format */
|
|
14
|
+
declare const VAULT_VERSION: "omnituum.vault.v1";
|
|
15
|
+
/** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
|
|
16
|
+
declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
|
|
17
|
+
/** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
|
|
18
|
+
declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
|
|
19
|
+
/** Algorithm suite for hybrid encryption */
|
|
20
|
+
declare const ENVELOPE_SUITE: "x25519+kyber768";
|
|
21
|
+
/** AEAD algorithm for envelope content */
|
|
22
|
+
declare const ENVELOPE_AEAD: "xsalsa20poly1305";
|
|
23
|
+
/** KDF for vault encryption (v1) */
|
|
24
|
+
declare const VAULT_KDF: "PBKDF2-SHA256";
|
|
25
|
+
/** KDF for vault encryption (v2) */
|
|
26
|
+
declare const VAULT_KDF_V2: "Argon2id";
|
|
27
|
+
/** Encryption algorithm for vault */
|
|
28
|
+
declare const VAULT_ALGORITHM: "AES-256-GCM";
|
|
29
|
+
/**
|
|
30
|
+
* Validate envelope structure and version.
|
|
31
|
+
* Returns detailed validation result.
|
|
32
|
+
*/
|
|
33
|
+
declare function validateEnvelope(envelope: unknown): {
|
|
34
|
+
valid: boolean;
|
|
35
|
+
version?: string;
|
|
36
|
+
errors: string[];
|
|
37
|
+
};
|
|
38
|
+
/**
|
|
39
|
+
* Validate vault structure and version.
|
|
40
|
+
*/
|
|
41
|
+
declare function validateVault(vault: unknown): {
|
|
42
|
+
valid: boolean;
|
|
43
|
+
version?: string;
|
|
44
|
+
errors: string[];
|
|
45
|
+
};
|
|
46
|
+
/**
|
|
47
|
+
* Validate encrypted vault structure and version.
|
|
48
|
+
*/
|
|
49
|
+
declare function validateEncryptedVault(encVault: unknown): {
|
|
50
|
+
valid: boolean;
|
|
51
|
+
version?: string;
|
|
52
|
+
errors: string[];
|
|
53
|
+
};
|
|
2
54
|
|
|
3
55
|
/**
|
|
4
56
|
* Omnituum PQC Shared - Vault Types
|
|
@@ -131,4 +183,4 @@ interface VaultSession {
|
|
|
131
183
|
declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
|
|
132
184
|
declare const PBKDF2_ITERATIONS = 600000;
|
|
133
185
|
|
|
134
|
-
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P,
|
|
186
|
+
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
|
|
@@ -1,4 +1,56 @@
|
|
|
1
|
-
|
|
1
|
+
/**
|
|
2
|
+
* Omnituum PQC Shared - Version Constants & Guards
|
|
3
|
+
*
|
|
4
|
+
* FROZEN CONTRACTS: These version strings define the wire format.
|
|
5
|
+
* Breaking changes require a version bump.
|
|
6
|
+
*
|
|
7
|
+
* @see pqc-docs/specs/envelope.v1.md
|
|
8
|
+
* @see pqc-docs/specs/vault.v1.md
|
|
9
|
+
* @see pqc-docs/specs/identity.v1.md
|
|
10
|
+
*/
|
|
11
|
+
/** HybridEnvelope version - hybrid encryption format (from registry) */
|
|
12
|
+
declare const ENVELOPE_VERSION: any;
|
|
13
|
+
/** OmnituumVault version - decrypted vault format */
|
|
14
|
+
declare const VAULT_VERSION: "omnituum.vault.v1";
|
|
15
|
+
/** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
|
|
16
|
+
declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
|
|
17
|
+
/** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
|
|
18
|
+
declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
|
|
19
|
+
/** Algorithm suite for hybrid encryption */
|
|
20
|
+
declare const ENVELOPE_SUITE: "x25519+kyber768";
|
|
21
|
+
/** AEAD algorithm for envelope content */
|
|
22
|
+
declare const ENVELOPE_AEAD: "xsalsa20poly1305";
|
|
23
|
+
/** KDF for vault encryption (v1) */
|
|
24
|
+
declare const VAULT_KDF: "PBKDF2-SHA256";
|
|
25
|
+
/** KDF for vault encryption (v2) */
|
|
26
|
+
declare const VAULT_KDF_V2: "Argon2id";
|
|
27
|
+
/** Encryption algorithm for vault */
|
|
28
|
+
declare const VAULT_ALGORITHM: "AES-256-GCM";
|
|
29
|
+
/**
|
|
30
|
+
* Validate envelope structure and version.
|
|
31
|
+
* Returns detailed validation result.
|
|
32
|
+
*/
|
|
33
|
+
declare function validateEnvelope(envelope: unknown): {
|
|
34
|
+
valid: boolean;
|
|
35
|
+
version?: string;
|
|
36
|
+
errors: string[];
|
|
37
|
+
};
|
|
38
|
+
/**
|
|
39
|
+
* Validate vault structure and version.
|
|
40
|
+
*/
|
|
41
|
+
declare function validateVault(vault: unknown): {
|
|
42
|
+
valid: boolean;
|
|
43
|
+
version?: string;
|
|
44
|
+
errors: string[];
|
|
45
|
+
};
|
|
46
|
+
/**
|
|
47
|
+
* Validate encrypted vault structure and version.
|
|
48
|
+
*/
|
|
49
|
+
declare function validateEncryptedVault(encVault: unknown): {
|
|
50
|
+
valid: boolean;
|
|
51
|
+
version?: string;
|
|
52
|
+
errors: string[];
|
|
53
|
+
};
|
|
2
54
|
|
|
3
55
|
/**
|
|
4
56
|
* Omnituum PQC Shared - Vault Types
|
|
@@ -131,4 +183,4 @@ interface VaultSession {
|
|
|
131
183
|
declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
|
|
132
184
|
declare const PBKDF2_ITERATIONS = 600000;
|
|
133
185
|
|
|
134
|
-
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P,
|
|
186
|
+
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_SUITE as d, ENVELOPE_AEAD as e, VAULT_KDF as f, VAULT_KDF_V2 as g, VAULT_ALGORITHM as h, validateEnvelope as i, validateEncryptedVault as j, type EncryptedVaultFileV2 as k, type VaultSettings as l, type VaultSession as m, type EncryptedVaultFileV1 as n, type HealthStatus as o, validateVault as v };
|
package/dist/utils/index.d.cts
CHANGED
|
@@ -1,6 +1,5 @@
|
|
|
1
|
-
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-
|
|
2
|
-
import '../types-
|
|
3
|
-
import '../version-BygzPVGs.cjs';
|
|
1
|
+
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-BenoFsmP.cjs';
|
|
2
|
+
import '../types-CRka8PC7.cjs';
|
|
4
3
|
|
|
5
4
|
/**
|
|
6
5
|
* Omnituum PQC Shared - Entropy & Randomness Utilities
|
package/dist/utils/index.d.ts
CHANGED
|
@@ -1,6 +1,5 @@
|
|
|
1
|
-
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-
|
|
2
|
-
import '../types-
|
|
3
|
-
import '../version-BygzPVGs.js';
|
|
1
|
+
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-D9J98Bty.js';
|
|
2
|
+
import '../types-CRka8PC7.js';
|
|
4
3
|
|
|
5
4
|
/**
|
|
6
5
|
* Omnituum PQC Shared - Entropy & Randomness Utilities
|