@pengzi/kms 1.0.2 → 1.1.1

package/dist/src/client.js

@@ -0,0 +1,254 @@
+"use strict";
+/**
+ * KMS客户端主类
+ * 对外API接口
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KMSClient = void 0;
+const mongodb_1 = require("mongodb");
+const crypto_service_1 = require("./core/crypto.service");
+const project_repository_1 = require("./repositories/project.repository");
+const key_repository_1 = require("./repositories/key.repository");
+const user_repository_1 = require("./repositories/user.repository");
+const audit_repository_1 = require("./repositories/audit.repository");
+const project_service_1 = require("./services/project.service");
+const key_service_1 = require("./services/key.service");
+const auth_service_1 = require("./services/auth.service");
+const permission_service_1 = require("./services/permission.service");
+const audit_service_1 = require("./services/audit.service");
+const error_handler_1 = require("./utils/error-handler");
+const asymmetric_crypto_1 = require("./core/asymmetric-crypto");
+/**
+ * KMS客户端类
+ */
+class KMSClient {
+    constructor(options) {
+        this.options = options;
+        this.connected = false;
+        this.currentUserId = null;
+        const connectionString = this.resolveConnectionString(options);
+        this.mongoClient = new mongodb_1.MongoClient(connectionString, {
+            connectTimeoutMS: this.options.connectionOptions?.connectTimeoutMS || 10000,
+            socketTimeoutMS: this.options.connectionOptions?.socketTimeoutMS || 30000,
+            serverSelectionTimeoutMS: this.options.connectionOptions?.serverSelectionTimeoutMS || 10000,
+            maxPoolSize: this.options.connectionOptions?.maxPoolSize || 10,
+            minPoolSize: this.options.connectionOptions?.minPoolSize || 0,
+        });
+    }
+    /**
+     * 解析连接字符串（支持加密配置）
+     */
+    resolveConnectionString(options) {
+        // 如果是加密配置，先解密
+        if ('encryptedConnectionString' in options) {
+            const encrypted = JSON.parse(options.encryptedConnectionString);
+            const privateKey = options.privateKey || process.env.KMS_PRIVATE_KEY;
+            if (!privateKey) {
+                throw (0, error_handler_1.createKMSError)(error_handler_1.ErrorCode.CONNECTION_FAILED, 'Private key is required for encrypted connection string. Set KMS_PRIVATE_KEY environment variable or pass privateKey option.');
+            }
+            const passphrase = options.privateKeyPassphrase || process.env.KMS_PRIVATE_KEY_PASSPHRASE;
+            return (0, asymmetric_crypto_1.parseEncryptedConnectionStringConfig)({ encryptedConnectionString: options.encryptedConnectionString }, privateKey, passphrase);
+        }
+        // 普通配置直接返回连接字符串
+        return options.connectionString;
+    }
+    /**
+     * 连接到数据库
+     */
+    async connect() {
+        if (this.connected) {
+            return;
+        }
+        try {
+            await this.mongoClient.connect();
+            this.db = this.mongoClient.db(this.options.databaseName);
+            this.connected = true;
+            // 初始化服务和仓储
+            this.initializeServices();
+            // 创建索引
+            await this.initializeIndexes();
+        }
+        catch (error) {
+            throw (0, error_handler_1.createKMSError)(error_handler_1.ErrorCode.CONNECTION_FAILED, error instanceof Error ? error.message : 'Failed to connect to database');
+        }
+    }
+    /**
+     * 断开数据库连接
+     */
+    async disconnect() {
+        if (this.connected) {
+            await this.mongoClient.close();
+            this.connected = false;
+        }
+    }
+    /**
+     * 初始化服务
+     */
+    initializeServices() {
+        this.cryptoService = new crypto_service_1.CryptoService();
+        this.projectRepo = new project_repository_1.ProjectRepository(this.db);
+        this.keyRepo = new key_repository_1.KeyRepository(this.db);
+        this.userRepo = new user_repository_1.UserRepository(this.db);
+        this.auditRepo = new audit_repository_1.AuditRepository(this.db);
+        this.auditService = new audit_service_1.AuditService(this.auditRepo);
+        this.permissionService = new permission_service_1.PermissionService(this.userRepo, this.auditService);
+        this.projectService = new project_service_1.ProjectService(this.projectRepo, this.userRepo, this.auditService, this.cryptoService);
+        this.authService = new auth_service_1.AuthService(this.userRepo, this.auditService);
+        this.keyService = new key_service_1.KeyService(this.keyRepo, this.auditService, this.permissionService, this.cryptoService);
+        // 设置 KeyService 的 ProjectService 引用（避免循环依赖）
+        this.keyService.setProjectService(this.projectService);
+    }
+    /**
+     * 初始化数据库索引
+     */
+    async initializeIndexes() {
+        // 索引在Repository的构造函数中自动创建
+    }
+    /**
+     * 设置当前用户（用于权限验证）
+     */
+    setCurrentUser(userId) {
+        this.currentUserId = userId;
+    }
+    /**
+     * 获取当前用户ID
+     */
+    getCurrentUserId() {
+        if (!this.currentUserId) {
+            throw (0, error_handler_1.createKMSError)(error_handler_1.ErrorCode.AUTHENTICATION_FAILED, 'No user context set');
+        }
+        return this.currentUserId;
+    }
+    // ============ 项目管理 ============
+    /**
+     * 创建项目
+     */
+    async createProject(projectName, masterPassword, metadata) {
+        await this.ensureConnected();
+        const userId = this.getCurrentUserId();
+        return await this.projectService.createProject({ projectName, masterPassword, metadata }, userId);
+    }
+    /**
+     * 获取项目
+     */
+    async getProject(projectId) {
+        await this.ensureConnected();
+        return await this.projectService.getProject(projectId);
+    }
+    /**
+     * 列出所有项目
+     */
+    async listProjects() {
+        await this.ensureConnected();
+        return await this.projectService.listProjects();
+    }
+    /**
+     * 删除项目
+     */
+    async deleteProject(projectId) {
+        await this.ensureConnected();
+        const userId = this.getCurrentUserId();
+        await this.projectService.deleteProject(projectId, userId);
+    }
+    // ============ 密钥管理 ============
+    /**
+     * 创建密钥
+     */
+    async createKey(projectId, masterPassword, keyData) {
+        await this.ensureConnected();
+        const userId = this.getCurrentUserId();
+        return await this.keyService.createKey(projectId, userId, masterPassword, keyData);
+    }
+    /**
+     * 获取密钥（解密）
+     */
+    async getKey(projectId, masterPassword, keyId) {
+        await this.ensureConnected();
+        const userId = this.getCurrentUserId();
+        return await this.keyService.getKey(projectId, userId, masterPassword, keyId);
+    }
+    /**
+     * 列出密钥
+     */
+    async listKeys(projectId, filters, options) {
+        await this.ensureConnected();
+        const userId = this.getCurrentUserId();
+        return await this.keyService.listKeys(projectId, userId, filters, options);
+    }
+    /**
+     * 更新密钥
+     */
+    async updateKey(projectId, masterPassword, keyId, updates) {
+        await this.ensureConnected();
+        const userId = this.getCurrentUserId();
+        return await this.keyService.updateKey(projectId, userId, masterPassword, keyId, updates);
+    }
+    /**
+     * 删除密钥
+     */
+    async deleteKey(projectId, keyId) {
+        await this.ensureConnected();
+        const userId = this.getCurrentUserId();
+        await this.keyService.deleteKey(projectId, userId, keyId);
+    }
+    // ============ 用户管理 ============
+    /**
+     * 创建用户
+     */
+    async createUser(projectId, userData) {
+        await this.ensureConnected();
+        const userId = this.getCurrentUserId();
+        return await this.authService.createUser(projectId, userId, userData);
+    }
+    /**
+     * 用户登录
+     */
+    async login(projectId, username, password) {
+        await this.ensureConnected();
+        const result = await this.authService.login(projectId, { username, password });
+        if (result.success && result.user) {
+            this.setCurrentUser(result.user.userId);
+        }
+        return result.success;
+    }
+    /**
+     * 授予角色
+     */
+    async grantRole(projectId, userId, role) {
+        await this.ensureConnected();
+        const currentUserId = this.getCurrentUserId();
+        await this.permissionService.grantRole(projectId, currentUserId, userId, role);
+    }
+    /**
+     * 撤销角色
+     */
+    async revokeRole(projectId, userId, role) {
+        await this.ensureConnected();
+        const currentUserId = this.getCurrentUserId();
+        await this.permissionService.revokeRole(projectId, currentUserId, userId, role);
+    }
+    // ============ 审计日志 ============
+    /**
+     * 获取审计日志
+     */
+    async getAuditLogs(projectId, query) {
+        await this.ensureConnected();
+        return await this.auditService.getAuditLogs(projectId, query);
+    }
+    /**
+     * 获取最近的审计日志
+     */
+    async getRecentLogs(projectId, limit = 100) {
+        await this.ensureConnected();
+        return await this.auditService.getRecentLogs(projectId, limit);
+    }
+    /**
+     * 确保已连接
+     */
+    async ensureConnected() {
+        if (!this.connected) {
+            throw (0, error_handler_1.createKMSError)(error_handler_1.ErrorCode.CONNECTION_FAILED, 'Client not connected. Call connect() first.');
+        }
+    }
+}
+exports.KMSClient = KMSClient;

package/dist/src/core/asymmetric-crypto.js

@@ -0,0 +1,170 @@
+"use strict";
+/**
+ * 非对称加密服务
+ * 使用 RSA-OAEP 加密敏感数据（如数据库连接字符串）
+ * 特点：
+ * - 公钥加密，私钥解密
+ * - 即使加密数据泄露，没有私钥也无法解密
+ * - 私钥可以使用密码保护
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateRSAKeyPair = generateRSAKeyPair;
+exports.encryptConnectionString = encryptConnectionString;
+exports.decryptConnectionString = decryptConnectionString;
+exports.getPrivateKeyPassphrase = getPrivateKeyPassphrase;
+exports.isValidPEMKey = isValidPEMKey;
+exports.generateKeyId = generateKeyId;
+exports.createEncryptedConnectionStringConfig = createEncryptedConnectionStringConfig;
+exports.parseEncryptedConnectionStringConfig = parseEncryptedConnectionStringConfig;
+const crypto_1 = require("crypto");
+const types_1 = require("../types");
+/**
+ * RSA 加密配置
+ */
+const RSA_CONFIG = {
+    algorithm: 'rsa',
+    modulusLength: 4096, // 4096 位密钥（更安全）
+    publicKeyEncoding: {
+        type: 'spki',
+        format: 'pem'
+    },
+    privateKeyEncoding: {
+        type: 'pkcs8',
+        format: 'pem',
+        cipher: 'aes-256-cbc', // 私钥加密算法
+        passphrase: undefined
+    },
+    padding: crypto_1.constants.RSA_PKCS1_OAEP_PADDING,
+    oaepHash: 'sha256'
+};
+/**
+ * 生成 RSA 密钥对
+ * @param passphrase 私钥密码（可选，但强烈推荐）
+ * @returns RSA 密钥对
+ */
+function generateRSAKeyPair(passphrase) {
+    try {
+        const options = {
+            ...RSA_CONFIG,
+            privateKeyEncoding: {
+                ...RSA_CONFIG.privateKeyEncoding,
+                passphrase: passphrase
+            }
+        };
+        const { publicKey, privateKey } = (0, crypto_1.generateKeyPairSync)('rsa', options);
+        return {
+            publicKey,
+            privateKey
+        };
+    }
+    catch (error) {
+        throw new types_1.CryptoError(`Failed to generate RSA key pair: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+}
+/**
+ * 使用公钥加密连接字符串
+ * @param connectionString 明文连接字符串
+ * @param publicKeyPem PEM 格式公钥
+ * @returns 加密后的连接字符串
+ */
+function encryptConnectionString(connectionString, publicKeyPem) {
+    try {
+        // RSA OAEP 加密
+        const encrypted = (0, crypto_1.publicEncrypt)({
+            key: publicKeyPem,
+            padding: RSA_CONFIG.padding,
+            oaepHash: RSA_CONFIG.oaepHash
+        }, Buffer.from(connectionString, 'utf-8'));
+        return {
+            encrypted: encrypted.toString('base64'),
+            algorithm: 'RSA-OAEP-4096',
+            keyId: undefined
+        };
+    }
+    catch (error) {
+        throw new types_1.CryptoError(`Failed to encrypt connection string: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+}
+/**
+ * 使用私钥解密连接字符串
+ * @param encryptedData 加密的连接字符串
+ * @param privateKeyPem PEM 格式私钥
+ * @param passphrase 私钥密码（如果私钥有密码保护）
+ * @returns 明文连接字符串
+ */
+function decryptConnectionString(encryptedData, privateKeyPem, passphrase) {
+    try {
+        const encryptedBuffer = Buffer.from(encryptedData.encrypted, 'base64');
+        // RSA OAEP 解密
+        const decrypted = (0, crypto_1.privateDecrypt)({
+            key: privateKeyPem,
+            passphrase: passphrase,
+            padding: RSA_CONFIG.padding,
+            oaepHash: RSA_CONFIG.oaepHash
+        }, encryptedBuffer);
+        return decrypted.toString('utf-8');
+    }
+    catch (error) {
+        throw new types_1.CryptoError(`Failed to decrypt connection string: ${error instanceof Error ? error.message : 'Invalid password or corrupted data'}`);
+    }
+}
+/**
+ * 从环境变量安全地获取私钥密码
+ * @returns 密码字符串
+ */
+function getPrivateKeyPassphrase() {
+    const passphrase = process.env.KMS_PRIVATE_KEY_PASSPHRASE;
+    return passphrase?.trim() || undefined;
+}
+/**
+ * 验证 PEM 格式的密钥
+ * @param pem PEM 格式密钥
+ * @returns 是否有效
+ */
+function isValidPEMKey(pem) {
+    try {
+        const trimmed = pem.trim();
+        return (trimmed.includes('-----BEGIN') &&
+            trimmed.includes('-----END') &&
+            trimmed.includes('KEY-----'));
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * 生成密钥 ID（用于密钥轮换）
+ * @returns 密钥 ID
+ */
+function generateKeyId() {
+    const timestamp = Date.now().toString(36);
+    const random = (0, crypto_1.randomBytes)(4).toString('hex');
+    return `key_${timestamp}_${random}`;
+}
+/**
+ * 创建加密的连接字符串配置对象
+ * @param connectionString 明文连接字符串
+ * @param publicKeyPem 公钥
+ * @param keyId 密钥标识（可选）
+ * @returns 加密配置
+ */
+function createEncryptedConnectionStringConfig(connectionString, publicKeyPem, keyId) {
+    const encrypted = encryptConnectionString(connectionString, publicKeyPem);
+    if (keyId) {
+        encrypted.keyId = keyId;
+    }
+    return {
+        encryptedConnectionString: JSON.stringify(encrypted)
+    };
+}
+/**
+ * 从加密配置解析连接字符串
+ * @param config 配置对象
+ * @param privateKeyPem 私钥
+ * @param passphrase 私钥密码
+ * @returns 明文连接字符串
+ */
+function parseEncryptedConnectionStringConfig(config, privateKeyPem, passphrase) {
+    const encrypted = JSON.parse(config.encryptedConnectionString);
+    return decryptConnectionString(encrypted, privateKeyPem, passphrase);
+}

package/dist/src/core/crypto.js

@@ -0,0 +1,99 @@
+"use strict";
+/**
+ * 加密/解密工具函数
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateRandomBytes = generateRandomBytes;
+exports.generateIV = generateIV;
+exports.encryptAES256GCM = encryptAES256GCM;
+exports.decryptAES256GCM = decryptAES256GCM;
+exports.timingSafeEqual = timingSafeEqual;
+exports.generateRandomKey = generateRandomKey;
+exports.hexToBuffer = hexToBuffer;
+exports.bufferToHex = bufferToHex;
+const crypto_1 = require("crypto");
+const types_1 = require("../types");
+const constants_1 = require("../utils/constants");
+/**
+ * 生成随机字节
+ */
+function generateRandomBytes(length) {
+    return (0, crypto_1.randomBytes)(length);
+}
+/**
+ * 生成随机IV
+ */
+function generateIV() {
+    return generateRandomBytes(constants_1.SECURITY_CONFIG.ENCRYPTION.IV_LENGTH);
+}
+/**
+ * 使用AES-256-GCM加密数据
+ */
+function encryptAES256GCM(plaintext, key) {
+    try {
+        const iv = generateIV();
+        const cipher = (0, crypto_1.createCipheriv)(constants_1.SECURITY_CONFIG.ENCRYPTION.ALGORITHM, key, iv);
+        let encrypted = cipher.update(plaintext, 'utf8', 'hex');
+        encrypted += cipher.final('hex');
+        const authTag = cipher.getAuthTag();
+        return {
+            encrypted,
+            iv: iv.toString('hex'),
+            authTag: authTag.toString('hex'),
+        };
+    }
+    catch (error) {
+        throw new types_1.CryptoError(`Encryption failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+}
+/**
+ * 使用AES-256-GCM解密数据
+ */
+function decryptAES256GCM(encryptedData, iv, authTag, key) {
+    try {
+        const decipher = (0, crypto_1.createDecipheriv)(constants_1.SECURITY_CONFIG.ENCRYPTION.ALGORITHM, key, Buffer.from(iv, 'hex'));
+        decipher.setAuthTag(Buffer.from(authTag, 'hex'));
+        let decrypted = decipher.update(encryptedData, 'hex', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    catch (error) {
+        throw new types_1.CryptoError(`Decryption failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+}
+/**
+ * 比较两个恒定时间字符串（防止时序攻击）
+ */
+function timingSafeEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    const aBuffer = Buffer.from(a);
+    const bBuffer = Buffer.from(b);
+    if (aBuffer.length !== bBuffer.length) {
+        return false;
+    }
+    let result = 0;
+    for (let i = 0; i < aBuffer.length; i++) {
+        result |= aBuffer[i] ^ bBuffer[i];
+    }
+    return result === 0;
+}
+/**
+ * 生成随机密钥
+ */
+function generateRandomKey() {
+    return generateRandomBytes(constants_1.SECURITY_CONFIG.ENCRYPTION.KEY_LENGTH);
+}
+/**
+ * 从十六进制字符串转换为Buffer
+ */
+function hexToBuffer(hex) {
+    return Buffer.from(hex, 'hex');
+}
+/**
+ * 将Buffer转换为十六进制字符串
+ */
+function bufferToHex(buffer) {
+    return buffer.toString('hex');
+}

package/dist/src/core/crypto.service.js

@@ -0,0 +1,66 @@
+"use strict";
+/**
+ * 加密服务
+ * 负责所有密钥加密和解密操作
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CryptoService = void 0;
+const crypto_1 = require("./crypto");
+const key_derivation_1 = require("./key-derivation");
+const types_1 = require("../types");
+/**
+ * 加密服务类
+ */
+class CryptoService {
+    /**
+     * 加密密钥值
+     */
+    async encryptKey(plainValue, masterKey) {
+        return (0, crypto_1.encryptAES256GCM)(plainValue, masterKey);
+    }
+    /**
+     * 解密密钥值
+     */
+    async decryptKey(encryptedValue, iv, authTag, masterKey) {
+        return (0, crypto_1.decryptAES256GCM)(encryptedValue, iv, authTag, masterKey);
+    }
+    /**
+     * 从主密码派生项目主密钥
+     */
+    async deriveMasterKey(masterPassword, salt) {
+        return (0, key_derivation_1.deriveProjectMasterKey)(masterPassword, salt);
+    }
+    /**
+     * 生成主密钥哈希
+     */
+    async hashMasterKey(masterKey) {
+        return (0, key_derivation_1.hashMasterKey)(masterKey);
+    }
+    /**
+     * 验证主密钥
+     */
+    async verifyMasterKey(masterKey, storedHash) {
+        const derivedHash = await this.hashMasterKey(masterKey);
+        return derivedHash === storedHash;
+    }
+    /**
+     * 使用主密码解锁项目主密钥
+     */
+    async unlockProjectMasterKey(masterPassword, salt, masterKeyHash) {
+        const masterKey = await this.deriveMasterKey(masterPassword, salt);
+        const isValid = await this.verifyMasterKey(masterKey, masterKeyHash);
+        if (!isValid) {
+            throw new types_1.CryptoError('Invalid master password');
+        }
+        return masterKey;
+    }
+}
+exports.CryptoService = CryptoService;
+/**
+ * 简单的依赖注入装饰器（TypeScript版本）
+ */
+function Injectable() {
+    return function decorator(target) {
+        return target;
+    };
+}

package/dist/src/core/key-derivation.js

@@ -0,0 +1,95 @@
+"use strict";
+/**
+ * 密钥派生功能
+ * 使用PBKDF2从密码派生密钥
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSalt = generateSalt;
+exports.deriveKeyFromPassword = deriveKeyFromPassword;
+exports.deriveProjectMasterKey = deriveProjectMasterKey;
+exports.hashMasterKey = hashMasterKey;
+exports.verifyMasterPassword = verifyMasterPassword;
+const crypto_1 = require("crypto");
+const types_1 = require("../types");
+const constants_1 = require("../utils/constants");
+/**
+ * 生成随机盐值
+ */
+function generateSalt() {
+    return (0, crypto_1.randomBytes)(16).toString('hex');
+}
+/**
+ * 使用PBKDF2从密码派生密钥
+ */
+async function deriveKeyFromPassword(password, salt, iterations, keyLength) {
+    return new Promise((resolve, reject) => {
+        const config = constants_1.SECURITY_CONFIG.KEY_DERIVATION;
+        (0, crypto_1.pbkdf2)(password, salt, iterations || config.ITERATIONS, keyLength || config.KEY_LENGTH, config.DIGEST, (err, derivedKey) => {
+            if (err) {
+                reject(new types_1.CryptoError(`Key derivation failed: ${err.message}`));
+            }
+            else {
+                resolve(derivedKey);
+            }
+        });
+    });
+}
+/**
+ * 派生项目主密钥
+ */
+async function deriveProjectMasterKey(masterPassword, salt) {
+    return deriveKeyFromPassword(masterPassword, salt);
+}
+/**
+ * 生成主密钥哈希（用于验证密码）
+ */
+async function hashMasterKey(masterKey) {
+    const { createHash } = await Promise.resolve().then(() => __importStar(require('crypto')));
+    return createHash('sha256').update(masterKey).digest('hex');
+}
+/**
+ * 验证主密码
+ */
+async function verifyMasterPassword(masterPassword, salt, storedHash) {
+    try {
+        const derivedKey = await deriveProjectMasterKey(masterPassword, salt);
+        const derivedHash = await hashMasterKey(derivedKey);
+        return derivedHash === storedHash;
+    }
+    catch (error) {
+        return false;
+    }
+}