@omnituum/pqc-shared 0.4.1 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/crypto/index.cjs +81 -54
- package/dist/crypto/index.d.cts +33 -11
- package/dist/crypto/index.d.ts +33 -11
- package/dist/crypto/index.js +81 -54
- package/dist/{decrypt-eSHlbh1j.d.cts → decrypt-O1iqFIDL.d.cts} +80 -6
- package/dist/{decrypt-eSHlbh1j.d.ts → decrypt-O1iqFIDL.d.ts} +80 -6
- package/dist/fs/index.cjs +286 -147
- package/dist/fs/index.d.cts +28 -7
- package/dist/fs/index.d.ts +28 -7
- package/dist/fs/index.js +277 -147
- package/dist/index.cjs +358 -229
- package/dist/index.d.cts +4 -4
- package/dist/index.d.ts +4 -4
- package/dist/index.js +357 -230
- package/dist/{integrity-BenoFsmP.d.cts → integrity-BkBDrHA-.d.cts} +12 -4
- package/dist/{integrity-D9J98Bty.d.ts → integrity-DsFJv5c-.d.ts} +12 -4
- package/dist/{types-CRka8PC7.d.cts → types-DmnVueAY.d.cts} +14 -4
- package/dist/{types-CRka8PC7.d.ts → types-DmnVueAY.d.ts} +14 -4
- package/dist/utils/index.cjs +7 -10
- package/dist/utils/index.d.cts +2 -2
- package/dist/utils/index.d.ts +2 -2
- package/dist/utils/index.js +7 -10
- package/dist/vault/index.cjs +8 -11
- package/dist/vault/index.d.cts +2 -2
- package/dist/vault/index.d.ts +2 -2
- package/dist/vault/index.js +8 -11
- package/package.json +7 -7
- package/src/crypto/dilithium.ts +4 -4
- package/src/crypto/hybrid.ts +182 -80
- package/src/crypto/index.ts +2 -0
- package/src/fs/decrypt.ts +145 -68
- package/src/fs/encrypt.ts +161 -112
- package/src/fs/format.ts +110 -15
- package/src/fs/index.ts +4 -0
- package/src/fs/types.ts +77 -6
- package/src/index.ts +4 -0
- package/src/utils/integrity.ts +16 -15
- package/src/vault/manager.ts +1 -1
- package/src/version.ts +29 -7
|
@@ -1,14 +1,22 @@
|
|
|
1
|
-
import { H as HybridIdentityRecord } from './types-
|
|
1
|
+
import { H as HybridIdentityRecord } from './types-DmnVueAY.cjs';
|
|
2
2
|
|
|
3
3
|
/**
|
|
4
4
|
* Omnituum PQC Shared - Integrity Verification
|
|
5
5
|
*
|
|
6
|
-
* SHA-256
|
|
6
|
+
* SHA-256 checksum over a vault's public identity records.
|
|
7
|
+
*
|
|
8
|
+
* SCOPE: this is an UNKEYED integrity checksum — it detects accidental
|
|
9
|
+
* corruption or field mix-ups, not malicious tampering. An attacker who edits
|
|
10
|
+
* the decrypted vault can simply recompute this value. Tamper *resistance* for
|
|
11
|
+
* a stored vault comes from the AES-256-GCM authentication tag on the encrypted
|
|
12
|
+
* file (see vault/encrypt.ts), not from this hash. Do not treat a matching
|
|
13
|
+
* integrity hash as authentication.
|
|
7
14
|
*/
|
|
8
15
|
|
|
9
16
|
/**
|
|
10
|
-
* Compute SHA-256
|
|
11
|
-
* Uses only the public keys and metadata
|
|
17
|
+
* Compute a SHA-256 checksum for a list of identities.
|
|
18
|
+
* Uses only the public keys and metadata (never secret keys). Deterministic:
|
|
19
|
+
* the canonical objects carry a fixed key order, which JSON.stringify preserves.
|
|
12
20
|
*/
|
|
13
21
|
declare function computeIntegrityHash(identities: HybridIdentityRecord[]): string;
|
|
14
22
|
/**
|
|
@@ -1,14 +1,22 @@
|
|
|
1
|
-
import { H as HybridIdentityRecord } from './types-
|
|
1
|
+
import { H as HybridIdentityRecord } from './types-DmnVueAY.js';
|
|
2
2
|
|
|
3
3
|
/**
|
|
4
4
|
* Omnituum PQC Shared - Integrity Verification
|
|
5
5
|
*
|
|
6
|
-
* SHA-256
|
|
6
|
+
* SHA-256 checksum over a vault's public identity records.
|
|
7
|
+
*
|
|
8
|
+
* SCOPE: this is an UNKEYED integrity checksum — it detects accidental
|
|
9
|
+
* corruption or field mix-ups, not malicious tampering. An attacker who edits
|
|
10
|
+
* the decrypted vault can simply recompute this value. Tamper *resistance* for
|
|
11
|
+
* a stored vault comes from the AES-256-GCM authentication tag on the encrypted
|
|
12
|
+
* file (see vault/encrypt.ts), not from this hash. Do not treat a matching
|
|
13
|
+
* integrity hash as authentication.
|
|
7
14
|
*/
|
|
8
15
|
|
|
9
16
|
/**
|
|
10
|
-
* Compute SHA-256
|
|
11
|
-
* Uses only the public keys and metadata
|
|
17
|
+
* Compute a SHA-256 checksum for a list of identities.
|
|
18
|
+
* Uses only the public keys and metadata (never secret keys). Deterministic:
|
|
19
|
+
* the canonical objects carry a fixed key order, which JSON.stringify preserves.
|
|
12
20
|
*/
|
|
13
21
|
declare function computeIntegrityHash(identities: HybridIdentityRecord[]): string;
|
|
14
22
|
/**
|
|
@@ -8,16 +8,24 @@
|
|
|
8
8
|
* @see pqc-docs/specs/vault.v1.md
|
|
9
9
|
* @see pqc-docs/specs/identity.v1.md
|
|
10
10
|
*/
|
|
11
|
-
/** HybridEnvelope
|
|
11
|
+
/** HybridEnvelope v1 - independent X25519/Kyber wraps (read-only legacy; see v2) */
|
|
12
12
|
declare const ENVELOPE_VERSION: any;
|
|
13
|
+
/**
|
|
14
|
+
* HybridEnvelope v2 - AND-combined KEK (single wrap under
|
|
15
|
+
* HKDF(ss_mlkem || ss_x25519) with transcript binding). The version new
|
|
16
|
+
* envelopes are written in.
|
|
17
|
+
*/
|
|
18
|
+
declare const ENVELOPE_VERSION_V2: any;
|
|
13
19
|
/** OmnituumVault version - decrypted vault format */
|
|
14
20
|
declare const VAULT_VERSION: "omnituum.vault.v1";
|
|
15
21
|
/** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
|
|
16
22
|
declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
|
|
17
23
|
/** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
|
|
18
24
|
declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
|
|
19
|
-
/** Algorithm suite for hybrid encryption */
|
|
25
|
+
/** Algorithm suite for hybrid encryption (v1 label — kept for wire compat) */
|
|
20
26
|
declare const ENVELOPE_SUITE: "x25519+kyber768";
|
|
27
|
+
/** Algorithm suite for hybrid v2 (matches the actual ML-KEM-1024 backend) */
|
|
28
|
+
declare const ENVELOPE_SUITE_V2: "x25519+mlkem1024";
|
|
21
29
|
/** AEAD algorithm for envelope content */
|
|
22
30
|
declare const ENVELOPE_AEAD: "xsalsa20poly1305";
|
|
23
31
|
/** KDF for vault encryption (v1) */
|
|
@@ -27,7 +35,9 @@ declare const VAULT_KDF_V2: "Argon2id";
|
|
|
27
35
|
/** Encryption algorithm for vault */
|
|
28
36
|
declare const VAULT_ALGORITHM: "AES-256-GCM";
|
|
29
37
|
/**
|
|
30
|
-
* Validate envelope structure and version.
|
|
38
|
+
* Validate envelope structure and version. Dispatches per-version since v1
|
|
39
|
+
* and v2 have different wire shapes (independent dual wraps vs. a single
|
|
40
|
+
* AND-combined wrap) — see hybrid.ts for the security rationale.
|
|
31
41
|
* Returns detailed validation result.
|
|
32
42
|
*/
|
|
33
43
|
declare function validateEnvelope(envelope: unknown): {
|
|
@@ -183,4 +193,4 @@ interface VaultSession {
|
|
|
183
193
|
declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
|
|
184
194
|
declare const PBKDF2_ITERATIONS = 600000;
|
|
185
195
|
|
|
186
|
-
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c,
|
|
196
|
+
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_VERSION_V2 as d, ENVELOPE_SUITE as e, ENVELOPE_SUITE_V2 as f, ENVELOPE_AEAD as g, VAULT_KDF as h, VAULT_KDF_V2 as i, VAULT_ALGORITHM as j, validateEnvelope as k, validateEncryptedVault as l, type EncryptedVaultFileV2 as m, type VaultSettings as n, type VaultSession as o, type EncryptedVaultFileV1 as p, type HealthStatus as q, validateVault as v };
|
|
@@ -8,16 +8,24 @@
|
|
|
8
8
|
* @see pqc-docs/specs/vault.v1.md
|
|
9
9
|
* @see pqc-docs/specs/identity.v1.md
|
|
10
10
|
*/
|
|
11
|
-
/** HybridEnvelope
|
|
11
|
+
/** HybridEnvelope v1 - independent X25519/Kyber wraps (read-only legacy; see v2) */
|
|
12
12
|
declare const ENVELOPE_VERSION: any;
|
|
13
|
+
/**
|
|
14
|
+
* HybridEnvelope v2 - AND-combined KEK (single wrap under
|
|
15
|
+
* HKDF(ss_mlkem || ss_x25519) with transcript binding). The version new
|
|
16
|
+
* envelopes are written in.
|
|
17
|
+
*/
|
|
18
|
+
declare const ENVELOPE_VERSION_V2: any;
|
|
13
19
|
/** OmnituumVault version - decrypted vault format */
|
|
14
20
|
declare const VAULT_VERSION: "omnituum.vault.v1";
|
|
15
21
|
/** EncryptedVaultFile version - encrypted vault format (PBKDF2) */
|
|
16
22
|
declare const VAULT_ENCRYPTED_VERSION: "omnituum.vault.enc.v1";
|
|
17
23
|
/** EncryptedVaultFile v2 - encrypted vault format (Argon2id) */
|
|
18
24
|
declare const VAULT_ENCRYPTED_VERSION_V2: "omnituum.vault.enc.v2";
|
|
19
|
-
/** Algorithm suite for hybrid encryption */
|
|
25
|
+
/** Algorithm suite for hybrid encryption (v1 label — kept for wire compat) */
|
|
20
26
|
declare const ENVELOPE_SUITE: "x25519+kyber768";
|
|
27
|
+
/** Algorithm suite for hybrid v2 (matches the actual ML-KEM-1024 backend) */
|
|
28
|
+
declare const ENVELOPE_SUITE_V2: "x25519+mlkem1024";
|
|
21
29
|
/** AEAD algorithm for envelope content */
|
|
22
30
|
declare const ENVELOPE_AEAD: "xsalsa20poly1305";
|
|
23
31
|
/** KDF for vault encryption (v1) */
|
|
@@ -27,7 +35,9 @@ declare const VAULT_KDF_V2: "Argon2id";
|
|
|
27
35
|
/** Encryption algorithm for vault */
|
|
28
36
|
declare const VAULT_ALGORITHM: "AES-256-GCM";
|
|
29
37
|
/**
|
|
30
|
-
* Validate envelope structure and version.
|
|
38
|
+
* Validate envelope structure and version. Dispatches per-version since v1
|
|
39
|
+
* and v2 have different wire shapes (independent dual wraps vs. a single
|
|
40
|
+
* AND-combined wrap) — see hybrid.ts for the security rationale.
|
|
31
41
|
* Returns detailed validation result.
|
|
32
42
|
*/
|
|
33
43
|
declare function validateEnvelope(envelope: unknown): {
|
|
@@ -183,4 +193,4 @@ interface VaultSession {
|
|
|
183
193
|
declare const DEFAULT_VAULT_SETTINGS: VaultSettings;
|
|
184
194
|
declare const PBKDF2_ITERATIONS = 600000;
|
|
185
195
|
|
|
186
|
-
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c,
|
|
196
|
+
export { DEFAULT_VAULT_SETTINGS as D, type EncryptedVaultFile as E, type HybridIdentityRecord as H, type IdentityHealth as I, type OmnituumVault as O, PBKDF2_ITERATIONS as P, VAULT_VERSION as V, VAULT_ENCRYPTED_VERSION as a, VAULT_ENCRYPTED_VERSION_V2 as b, ENVELOPE_VERSION as c, ENVELOPE_VERSION_V2 as d, ENVELOPE_SUITE as e, ENVELOPE_SUITE_V2 as f, ENVELOPE_AEAD as g, VAULT_KDF as h, VAULT_KDF_V2 as i, VAULT_ALGORITHM as j, validateEnvelope as k, validateEncryptedVault as l, type EncryptedVaultFileV2 as m, type VaultSettings as n, type VaultSession as o, type EncryptedVaultFileV1 as p, type HealthStatus as q, validateVault as v };
|
package/dist/utils/index.cjs
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
require('@noble/hashes/sha2.js');
|
|
3
|
+
var sha2_js = require('@noble/hashes/sha2.js');
|
|
4
4
|
require('@noble/hashes/hmac.js');
|
|
5
5
|
|
|
6
6
|
// src/utils/entropy.ts
|
|
@@ -61,11 +61,14 @@ function daysSinceRotation(lastRotatedAt, createdAt) {
|
|
|
61
61
|
function shouldRotate(lastRotatedAt, createdAt, maxDays = 90) {
|
|
62
62
|
return daysSinceRotation(lastRotatedAt, createdAt) >= maxDays;
|
|
63
63
|
}
|
|
64
|
-
new TextEncoder();
|
|
64
|
+
var textEncoder = new TextEncoder();
|
|
65
65
|
new TextDecoder();
|
|
66
66
|
function toHex(bytes) {
|
|
67
67
|
return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
|
|
68
68
|
}
|
|
69
|
+
function sha256(bytes) {
|
|
70
|
+
return sha2_js.sha256(bytes);
|
|
71
|
+
}
|
|
69
72
|
|
|
70
73
|
// src/utils/integrity.ts
|
|
71
74
|
function computeIntegrityHash(identities) {
|
|
@@ -77,17 +80,11 @@ function computeIntegrityHash(identities) {
|
|
|
77
80
|
createdAt: i.createdAt,
|
|
78
81
|
rotationCount: i.rotationCount
|
|
79
82
|
}));
|
|
80
|
-
const serialized = JSON.stringify(canonical
|
|
83
|
+
const serialized = JSON.stringify(canonical);
|
|
81
84
|
return computeStringHash(serialized);
|
|
82
85
|
}
|
|
83
86
|
function computeStringHash(str) {
|
|
84
|
-
|
|
85
|
-
for (let i = 0; i < str.length; i++) {
|
|
86
|
-
const char = str.charCodeAt(i);
|
|
87
|
-
hash = (hash << 5) - hash + char;
|
|
88
|
-
hash = hash & hash;
|
|
89
|
-
}
|
|
90
|
-
return Math.abs(hash).toString(16).padStart(16, "0");
|
|
87
|
+
return toHex(sha256(textEncoder.encode(str)));
|
|
91
88
|
}
|
|
92
89
|
async function computeHashAsync(data) {
|
|
93
90
|
const encoder = new TextEncoder();
|
package/dist/utils/index.d.cts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-
|
|
2
|
-
import '../types-
|
|
1
|
+
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-BkBDrHA-.cjs';
|
|
2
|
+
import '../types-DmnVueAY.cjs';
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* Omnituum PQC Shared - Entropy & Randomness Utilities
|
package/dist/utils/index.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-
|
|
2
|
-
import '../types-
|
|
1
|
+
export { a as computeHashAsync, c as computeIntegrityHash, b as computeKeyFingerprint, f as formatFingerprint, v as verifyIntegrity } from '../integrity-DsFJv5c-.js';
|
|
2
|
+
import '../types-DmnVueAY.js';
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* Omnituum PQC Shared - Entropy & Randomness Utilities
|
package/dist/utils/index.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import '@noble/hashes/sha2.js';
|
|
1
|
+
import { sha256 as sha256$1 } from '@noble/hashes/sha2.js';
|
|
2
2
|
import '@noble/hashes/hmac.js';
|
|
3
3
|
|
|
4
4
|
// src/utils/entropy.ts
|
|
@@ -59,11 +59,14 @@ function daysSinceRotation(lastRotatedAt, createdAt) {
|
|
|
59
59
|
function shouldRotate(lastRotatedAt, createdAt, maxDays = 90) {
|
|
60
60
|
return daysSinceRotation(lastRotatedAt, createdAt) >= maxDays;
|
|
61
61
|
}
|
|
62
|
-
new TextEncoder();
|
|
62
|
+
var textEncoder = new TextEncoder();
|
|
63
63
|
new TextDecoder();
|
|
64
64
|
function toHex(bytes) {
|
|
65
65
|
return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
|
|
66
66
|
}
|
|
67
|
+
function sha256(bytes) {
|
|
68
|
+
return sha256$1(bytes);
|
|
69
|
+
}
|
|
67
70
|
|
|
68
71
|
// src/utils/integrity.ts
|
|
69
72
|
function computeIntegrityHash(identities) {
|
|
@@ -75,17 +78,11 @@ function computeIntegrityHash(identities) {
|
|
|
75
78
|
createdAt: i.createdAt,
|
|
76
79
|
rotationCount: i.rotationCount
|
|
77
80
|
}));
|
|
78
|
-
const serialized = JSON.stringify(canonical
|
|
81
|
+
const serialized = JSON.stringify(canonical);
|
|
79
82
|
return computeStringHash(serialized);
|
|
80
83
|
}
|
|
81
84
|
function computeStringHash(str) {
|
|
82
|
-
|
|
83
|
-
for (let i = 0; i < str.length; i++) {
|
|
84
|
-
const char = str.charCodeAt(i);
|
|
85
|
-
hash = (hash << 5) - hash + char;
|
|
86
|
-
hash = hash & hash;
|
|
87
|
-
}
|
|
88
|
-
return Math.abs(hash).toString(16).padStart(16, "0");
|
|
85
|
+
return toHex(sha256(textEncoder.encode(str)));
|
|
89
86
|
}
|
|
90
87
|
async function computeHashAsync(data) {
|
|
91
88
|
const encoder = new TextEncoder();
|
package/dist/vault/index.cjs
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
require('@noble/hashes/sha2.js');
|
|
3
|
+
var sha2_js = require('@noble/hashes/sha2.js');
|
|
4
4
|
require('@noble/hashes/hmac.js');
|
|
5
5
|
var envelopeRegistry = require('@omnituum/envelope-registry');
|
|
6
6
|
var hashWasm = require('hash-wasm');
|
|
@@ -21,7 +21,7 @@ var DEFAULT_VAULT_SETTINGS = {
|
|
|
21
21
|
showFingerprints: true
|
|
22
22
|
};
|
|
23
23
|
var PBKDF2_ITERATIONS = 6e5;
|
|
24
|
-
new TextEncoder();
|
|
24
|
+
var textEncoder = new TextEncoder();
|
|
25
25
|
new TextDecoder();
|
|
26
26
|
function toB64(bytes) {
|
|
27
27
|
let binary = "";
|
|
@@ -44,8 +44,12 @@ function toHex(bytes) {
|
|
|
44
44
|
function randN(n) {
|
|
45
45
|
return globalThis.crypto.getRandomValues(new Uint8Array(n));
|
|
46
46
|
}
|
|
47
|
+
function sha256(bytes) {
|
|
48
|
+
return sha2_js.sha256(bytes);
|
|
49
|
+
}
|
|
47
50
|
var b64 = toB64;
|
|
48
51
|
envelopeRegistry.OMNI_VERSIONS.HYBRID_V1;
|
|
52
|
+
envelopeRegistry.OMNI_VERSIONS.HYBRID_V2;
|
|
49
53
|
envelopeRegistry.DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
|
|
50
54
|
var VAULT_VERSION = "omnituum.vault.v1";
|
|
51
55
|
var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
|
|
@@ -337,17 +341,11 @@ function computeIntegrityHash(identities) {
|
|
|
337
341
|
createdAt: i.createdAt,
|
|
338
342
|
rotationCount: i.rotationCount
|
|
339
343
|
}));
|
|
340
|
-
const serialized = JSON.stringify(canonical
|
|
344
|
+
const serialized = JSON.stringify(canonical);
|
|
341
345
|
return computeStringHash(serialized);
|
|
342
346
|
}
|
|
343
347
|
function computeStringHash(str) {
|
|
344
|
-
|
|
345
|
-
for (let i = 0; i < str.length; i++) {
|
|
346
|
-
const char = str.charCodeAt(i);
|
|
347
|
-
hash = (hash << 5) - hash + char;
|
|
348
|
-
hash = hash & hash;
|
|
349
|
-
}
|
|
350
|
-
return Math.abs(hash).toString(16).padStart(16, "0");
|
|
348
|
+
return toHex(sha256(textEncoder.encode(str)));
|
|
351
349
|
}
|
|
352
350
|
|
|
353
351
|
// src/utils/entropy.ts
|
|
@@ -398,7 +396,6 @@ async function createIdentity(name) {
|
|
|
398
396
|
const x25519 = generateX25519Keypair();
|
|
399
397
|
const kyber = await generateKyberKeypair();
|
|
400
398
|
if (!kyber) {
|
|
401
|
-
console.error("Kyber key generation failed");
|
|
402
399
|
return null;
|
|
403
400
|
}
|
|
404
401
|
const now = (/* @__PURE__ */ new Date()).toISOString();
|
package/dist/vault/index.d.cts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { O as OmnituumVault, E as EncryptedVaultFile,
|
|
2
|
-
export { D as DEFAULT_VAULT_SETTINGS,
|
|
1
|
+
import { O as OmnituumVault, E as EncryptedVaultFile, m as EncryptedVaultFileV2, H as HybridIdentityRecord, n as VaultSettings, o as VaultSession } from '../types-DmnVueAY.cjs';
|
|
2
|
+
export { D as DEFAULT_VAULT_SETTINGS, p as EncryptedVaultFileV1, q as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-DmnVueAY.cjs';
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* Omnituum PQC Shared - Vault Encryption
|
package/dist/vault/index.d.ts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { O as OmnituumVault, E as EncryptedVaultFile,
|
|
2
|
-
export { D as DEFAULT_VAULT_SETTINGS,
|
|
1
|
+
import { O as OmnituumVault, E as EncryptedVaultFile, m as EncryptedVaultFileV2, H as HybridIdentityRecord, n as VaultSettings, o as VaultSession } from '../types-DmnVueAY.js';
|
|
2
|
+
export { D as DEFAULT_VAULT_SETTINGS, p as EncryptedVaultFileV1, q as HealthStatus, I as IdentityHealth, P as PBKDF2_ITERATIONS } from '../types-DmnVueAY.js';
|
|
3
3
|
|
|
4
4
|
/**
|
|
5
5
|
* Omnituum PQC Shared - Vault Encryption
|
package/dist/vault/index.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import '@noble/hashes/sha2.js';
|
|
1
|
+
import { sha256 as sha256$1 } from '@noble/hashes/sha2.js';
|
|
2
2
|
import '@noble/hashes/hmac.js';
|
|
3
3
|
import { OMNI_VERSIONS, DEPRECATED_VERSIONS } from '@omnituum/envelope-registry';
|
|
4
4
|
import { argon2id } from 'hash-wasm';
|
|
@@ -15,7 +15,7 @@ var DEFAULT_VAULT_SETTINGS = {
|
|
|
15
15
|
showFingerprints: true
|
|
16
16
|
};
|
|
17
17
|
var PBKDF2_ITERATIONS = 6e5;
|
|
18
|
-
new TextEncoder();
|
|
18
|
+
var textEncoder = new TextEncoder();
|
|
19
19
|
new TextDecoder();
|
|
20
20
|
function toB64(bytes) {
|
|
21
21
|
let binary = "";
|
|
@@ -38,8 +38,12 @@ function toHex(bytes) {
|
|
|
38
38
|
function randN(n) {
|
|
39
39
|
return globalThis.crypto.getRandomValues(new Uint8Array(n));
|
|
40
40
|
}
|
|
41
|
+
function sha256(bytes) {
|
|
42
|
+
return sha256$1(bytes);
|
|
43
|
+
}
|
|
41
44
|
var b64 = toB64;
|
|
42
45
|
OMNI_VERSIONS.HYBRID_V1;
|
|
46
|
+
OMNI_VERSIONS.HYBRID_V2;
|
|
43
47
|
DEPRECATED_VERSIONS.PQC_DEMO_HYBRID_V1;
|
|
44
48
|
var VAULT_VERSION = "omnituum.vault.v1";
|
|
45
49
|
var VAULT_ENCRYPTED_VERSION = "omnituum.vault.enc.v1";
|
|
@@ -331,17 +335,11 @@ function computeIntegrityHash(identities) {
|
|
|
331
335
|
createdAt: i.createdAt,
|
|
332
336
|
rotationCount: i.rotationCount
|
|
333
337
|
}));
|
|
334
|
-
const serialized = JSON.stringify(canonical
|
|
338
|
+
const serialized = JSON.stringify(canonical);
|
|
335
339
|
return computeStringHash(serialized);
|
|
336
340
|
}
|
|
337
341
|
function computeStringHash(str) {
|
|
338
|
-
|
|
339
|
-
for (let i = 0; i < str.length; i++) {
|
|
340
|
-
const char = str.charCodeAt(i);
|
|
341
|
-
hash = (hash << 5) - hash + char;
|
|
342
|
-
hash = hash & hash;
|
|
343
|
-
}
|
|
344
|
-
return Math.abs(hash).toString(16).padStart(16, "0");
|
|
342
|
+
return toHex(sha256(textEncoder.encode(str)));
|
|
345
343
|
}
|
|
346
344
|
|
|
347
345
|
// src/utils/entropy.ts
|
|
@@ -392,7 +390,6 @@ async function createIdentity(name) {
|
|
|
392
390
|
const x25519 = generateX25519Keypair();
|
|
393
391
|
const kyber = await generateKyberKeypair();
|
|
394
392
|
if (!kyber) {
|
|
395
|
-
console.error("Kyber key generation failed");
|
|
396
393
|
return null;
|
|
397
394
|
}
|
|
398
395
|
const now = (/* @__PURE__ */ new Date()).toISOString();
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@omnituum/pqc-shared",
|
|
3
|
-
"version": "0.
|
|
3
|
+
"version": "0.6.0",
|
|
4
4
|
"description": "Omnituum PQC Shared Library - Crypto, Vault, File Encryption, and Utilities",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.cjs",
|
|
@@ -43,12 +43,12 @@
|
|
|
43
43
|
"src"
|
|
44
44
|
],
|
|
45
45
|
"dependencies": {
|
|
46
|
-
"@noble/ciphers": "
|
|
47
|
-
"@noble/hashes": "
|
|
48
|
-
"@omnituum/envelope-registry": "github:Omnituum/envelope-registry#v0.
|
|
49
|
-
"@noble/post-quantum": "
|
|
50
|
-
"hash-wasm": "
|
|
51
|
-
"tweetnacl": "
|
|
46
|
+
"@noble/ciphers": "2.0.1",
|
|
47
|
+
"@noble/hashes": "2.0.1",
|
|
48
|
+
"@omnituum/envelope-registry": "github:Omnituum/envelope-registry#v0.2.0",
|
|
49
|
+
"@noble/post-quantum": "0.5.4",
|
|
50
|
+
"hash-wasm": "4.12.0",
|
|
51
|
+
"tweetnacl": "1.0.3"
|
|
52
52
|
},
|
|
53
53
|
"devDependencies": {
|
|
54
54
|
"@types/node": "^25.0.9",
|
package/src/crypto/dilithium.ts
CHANGED
|
@@ -44,8 +44,8 @@ async function loadDilithium(): Promise<any> {
|
|
|
44
44
|
const { ml_dsa65 } = await import('@noble/post-quantum/ml-dsa.js');
|
|
45
45
|
dilithiumModule = ml_dsa65;
|
|
46
46
|
return dilithiumModule;
|
|
47
|
-
} catch
|
|
48
|
-
|
|
47
|
+
} catch {
|
|
48
|
+
// Backend unavailable in this environment; callers handle the null return.
|
|
49
49
|
return null;
|
|
50
50
|
}
|
|
51
51
|
}
|
|
@@ -83,8 +83,8 @@ export async function generateDilithiumKeypair(): Promise<DilithiumKeypairB64 |
|
|
|
83
83
|
publicB64: toB64(kp.publicKey),
|
|
84
84
|
secretB64: toB64(kp.secretKey),
|
|
85
85
|
};
|
|
86
|
-
} catch
|
|
87
|
-
|
|
86
|
+
} catch {
|
|
87
|
+
// Never log the caught error: it can reference seed/key material.
|
|
88
88
|
return null;
|
|
89
89
|
}
|
|
90
90
|
}
|