@phantom/indexed-db-stamper 0.1.4 → 1.0.0-beta.0

package/dist/index.d.ts

@@ -25,8 +25,8 @@ declare class IndexedDbStamper implements StamperWithKeyManagement {
     private storeName;
     private keyName;
     private db;
-    private keyInfo;
-    private cryptoKeyPair;
+    private activeKeyPairRecord;
+    private pendingKeyPairRecord;
     algorithm: Algorithm;
     type: "PKI" | "OIDC";
     idToken?: string;
@@ -66,10 +66,23 @@ declare class IndexedDbStamper implements StamperWithKeyManagement {
     clear(): Promise<void>;
     private clearStoredKeys;
     private openDB;
-    private generateAndStoreKeyPair;
-    private storeKeyPair;
-    private loadKeyPair;
-    private getStoredKeyInfo;
+    /**
+     * Generate a new keypair for rotation without making it active
+     */
+    rotateKeyPair(): Promise<StamperKeyInfo>;
+    /**
+     * Switch to the pending keypair, making it active and cleaning up the old one
+     */
+    commitRotation(authenticatorId: string): Promise<void>;
+    /**
+     * Discard the pending keypair on rotation failure
+     */
+    rollbackRotation(): Promise<void>;
+    private generateAndStoreNewKeyPair;
+    private storeKeyPairRecord;
+    private loadActiveKeyPairRecord;
+    private loadPendingKeyPairRecord;
+    private removeKeyPairRecord;
 }
 
 export { IndexedDbStamper, IndexedDbStamperConfig };

package/dist/index.js

@@ -40,8 +40,8 @@ var IndexedDbStamper = class {
   // Optional for PKI, required for OIDC
   constructor(config = {}) {
     this.db = null;
-    this.keyInfo = null;
-    this.cryptoKeyPair = null;
+    this.activeKeyPairRecord = null;
+    this.pendingKeyPairRecord = null;
     this.algorithm = import_sdk_types.Algorithm.ed25519;
     // Use Ed25519 for maximum security and performance
     // The type of stamper, can be changed at any time 
@@ -61,29 +61,27 @@ var IndexedDbStamper = class {
    */
   async init() {
     await this.openDB();
-    let keyInfo = await this.getStoredKeyInfo();
-    if (!keyInfo) {
-      keyInfo = await this.generateAndStoreKeyPair();
-    } else {
-      await this.loadKeyPair();
+    this.activeKeyPairRecord = await this.loadActiveKeyPairRecord();
+    if (!this.activeKeyPairRecord) {
+      this.activeKeyPairRecord = await this.generateAndStoreNewKeyPair("active");
     }
-    this.keyInfo = keyInfo;
-    return keyInfo;
+    this.pendingKeyPairRecord = await this.loadPendingKeyPairRecord();
+    return this.activeKeyPairRecord.keyInfo;
   }
   /**
    * Get the public key information
    */
   getKeyInfo() {
-    return this.keyInfo;
+    return this.activeKeyPairRecord?.keyInfo || null;
   }
   /**
    * Reset the key pair by generating a new one
    */
   async resetKeyPair() {
     await this.clearStoredKeys();
-    const keyInfo = await this.generateAndStoreKeyPair();
-    this.keyInfo = keyInfo;
-    return keyInfo;
+    this.activeKeyPairRecord = await this.generateAndStoreNewKeyPair("active");
+    this.pendingKeyPairRecord = null;
+    return this.activeKeyPairRecord.keyInfo;
   }
   /**
    * Create X-Phantom-Stamp header value using stored private key
@@ -92,7 +90,7 @@ var IndexedDbStamper = class {
    */
   async stamp(params) {
     const { data } = params;
-    if (!this.keyInfo || !this.cryptoKeyPair) {
+    if (!this.activeKeyPairRecord) {
       throw new Error("Stamper not initialized. Call init() first.");
     }
     const dataBytes = new Uint8Array(data);
@@ -101,7 +99,7 @@ var IndexedDbStamper = class {
         name: this.algorithm,
         hash: "SHA-256"
       },
-      this.cryptoKeyPair.privateKey,
+      this.activeKeyPairRecord.keyPair.privateKey,
       dataBytes
     );
     const signatureBase64url = (0, import_base64url.base64urlEncode)(new Uint8Array(signature));
@@ -110,14 +108,14 @@ var IndexedDbStamper = class {
     const salt = params.type === "OIDC" ? params.salt : this.salt;
     const stampData = stampType === "PKI" ? {
       // Decode base58 public key to bytes, then encode as base64url (consistent with ApiKeyStamper)
-      publicKey: (0, import_base64url.base64urlEncode)(import_bs58.default.decode(this.keyInfo.publicKey)),
+      publicKey: (0, import_base64url.base64urlEncode)(import_bs58.default.decode(this.activeKeyPairRecord.keyInfo.publicKey)),
       signature: signatureBase64url,
       kind: "PKI",
       algorithm: this.algorithm
     } : {
       kind: "OIDC",
       idToken,
-      publicKey: (0, import_base64url.base64urlEncode)(import_bs58.default.decode(this.keyInfo.publicKey)),
+      publicKey: (0, import_base64url.base64urlEncode)(import_bs58.default.decode(this.activeKeyPairRecord.keyInfo.publicKey)),
       salt,
       algorithm: this.algorithm,
       signature: signatureBase64url
@@ -130,8 +128,8 @@ var IndexedDbStamper = class {
    */
   async clear() {
     await this.clearStoredKeys();
-    this.keyInfo = null;
-    this.cryptoKeyPair = null;
+    this.activeKeyPairRecord = null;
+    this.pendingKeyPairRecord = null;
   }
   async clearStoredKeys() {
     if (!this.db) {
@@ -140,8 +138,8 @@ var IndexedDbStamper = class {
     return new Promise((resolve, reject) => {
       const transaction = this.db.transaction([this.storeName], "readwrite");
       const store = transaction.objectStore(this.storeName);
-      const deleteKeyPair = store.delete(`${this.keyName}-keypair`);
-      const deleteKeyInfo = store.delete(`${this.keyName}-info`);
+      const deleteActiveKeyPair = store.delete(`${this.keyName}-active`);
+      const deletePendingKeyPair = store.delete(`${this.keyName}-pending`);
       let completed = 0;
       const total = 2;
       const checkComplete = () => {
@@ -150,10 +148,10 @@ var IndexedDbStamper = class {
           resolve();
         }
       };
-      deleteKeyPair.onsuccess = checkComplete;
-      deleteKeyInfo.onsuccess = checkComplete;
-      deleteKeyPair.onerror = () => reject(deleteKeyPair.error);
-      deleteKeyInfo.onerror = () => reject(deleteKeyInfo.error);
+      deleteActiveKeyPair.onsuccess = checkComplete;
+      deletePendingKeyPair.onsuccess = checkComplete;
+      deleteActiveKeyPair.onerror = () => reject(deleteActiveKeyPair.error);
+      deletePendingKeyPair.onerror = () => reject(deletePendingKeyPair.error);
     });
   }
   async openDB() {
@@ -172,8 +170,46 @@ var IndexedDbStamper = class {
       };
     });
   }
-  async generateAndStoreKeyPair() {
-    this.cryptoKeyPair = await crypto.subtle.generateKey(
+  /**
+   * Generate a new keypair for rotation without making it active
+   */
+  async rotateKeyPair() {
+    if (!this.db) {
+      await this.openDB();
+    }
+    this.pendingKeyPairRecord = await this.generateAndStoreNewKeyPair("pending");
+    return this.pendingKeyPairRecord.keyInfo;
+  }
+  /**
+   * Switch to the pending keypair, making it active and cleaning up the old one
+   */
+  async commitRotation(authenticatorId) {
+    if (!this.pendingKeyPairRecord) {
+      throw new Error("No pending keypair to commit");
+    }
+    if (this.activeKeyPairRecord) {
+      await this.removeKeyPairRecord("active");
+    }
+    this.pendingKeyPairRecord.status = "active";
+    this.pendingKeyPairRecord.authenticatorId = authenticatorId;
+    this.pendingKeyPairRecord.keyInfo.authenticatorId = authenticatorId;
+    this.activeKeyPairRecord = this.pendingKeyPairRecord;
+    this.pendingKeyPairRecord = null;
+    await this.storeKeyPairRecord(this.activeKeyPairRecord, "active");
+    await this.removeKeyPairRecord("pending");
+  }
+  /**
+   * Discard the pending keypair on rotation failure
+   */
+  async rollbackRotation() {
+    if (!this.pendingKeyPairRecord) {
+      return;
+    }
+    await this.removeKeyPairRecord("pending");
+    this.pendingKeyPairRecord = null;
+  }
+  async generateAndStoreNewKeyPair(type) {
+    const keyPair = await crypto.subtle.generateKey(
       {
         name: "Ed25519"
       },
@@ -181,65 +217,73 @@ var IndexedDbStamper = class {
       // non-extractable - private key can never be exported
       ["sign", "verify"]
     );
-    const rawPublicKeyBuffer = await crypto.subtle.exportKey("raw", this.cryptoKeyPair.publicKey);
+    const rawPublicKeyBuffer = await crypto.subtle.exportKey("raw", keyPair.publicKey);
     const publicKeyBase58 = import_bs58.default.encode(new Uint8Array(rawPublicKeyBuffer));
     const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKeyBuffer);
     const keyId = (0, import_base64url.base64urlEncode)(new Uint8Array(keyIdBuffer)).substring(0, 16);
+    const now = Date.now();
     const keyInfo = {
       keyId,
-      publicKey: publicKeyBase58
+      publicKey: publicKeyBase58,
+      createdAt: now
     };
-    await this.storeKeyPair(this.cryptoKeyPair, keyInfo);
-    return keyInfo;
+    const record = {
+      keyPair,
+      keyInfo,
+      createdAt: now,
+      expiresAt: 0,
+      // Not used anymore, kept for backward compatibility
+      status: type
+    };
+    await this.storeKeyPairRecord(record, type);
+    return record;
   }
-  async storeKeyPair(keyPair, keyInfo) {
+  async storeKeyPairRecord(record, type) {
     if (!this.db) {
       throw new Error("Database not initialized");
     }
     return new Promise((resolve, reject) => {
       const transaction = this.db.transaction([this.storeName], "readwrite");
       const store = transaction.objectStore(this.storeName);
-      const keyPairRequest = store.put(keyPair, `${this.keyName}-keypair`);
-      const keyInfoRequest = store.put(keyInfo, `${this.keyName}-info`);
-      let completed = 0;
-      const total = 2;
-      const checkComplete = () => {
-        completed++;
-        if (completed === total) {
-          resolve();
-        }
-      };
-      keyPairRequest.onsuccess = checkComplete;
-      keyInfoRequest.onsuccess = checkComplete;
-      keyPairRequest.onerror = () => reject(keyPairRequest.error);
-      keyInfoRequest.onerror = () => reject(keyInfoRequest.error);
+      const request = store.put(record, `${this.keyName}-${type}`);
+      request.onsuccess = () => resolve();
+      request.onerror = () => reject(request.error);
     });
   }
-  async loadKeyPair() {
+  async loadActiveKeyPairRecord() {
     if (!this.db) {
-      return;
+      return null;
     }
     return new Promise((resolve, reject) => {
       const transaction = this.db.transaction([this.storeName], "readonly");
       const store = transaction.objectStore(this.storeName);
-      const request = store.get(`${this.keyName}-keypair`);
-      request.onsuccess = () => {
-        this.cryptoKeyPair = request.result || null;
-        resolve();
-      };
+      const request = store.get(`${this.keyName}-active`);
+      request.onsuccess = () => resolve(request.result || null);
       request.onerror = () => reject(request.error);
     });
   }
-  async getStoredKeyInfo() {
+  async loadPendingKeyPairRecord() {
     if (!this.db) {
       return null;
     }
     return new Promise((resolve, reject) => {
       const transaction = this.db.transaction([this.storeName], "readonly");
       const store = transaction.objectStore(this.storeName);
-      const request = store.get(`${this.keyName}-info`);
+      const request = store.get(`${this.keyName}-pending`);
       request.onsuccess = () => resolve(request.result || null);
       request.onerror = () => reject(request.error);
     });
   }
+  async removeKeyPairRecord(type) {
+    if (!this.db) {
+      return;
+    }
+    return new Promise((resolve, reject) => {
+      const transaction = this.db.transaction([this.storeName], "readwrite");
+      const store = transaction.objectStore(this.storeName);
+      const request = store.delete(`${this.keyName}-${type}`);
+      request.onsuccess = () => resolve();
+      request.onerror = () => reject(request.error);
+    });
+  }
 };

package/dist/index.mjs

@@ -6,8 +6,8 @@ var IndexedDbStamper = class {
   // Optional for PKI, required for OIDC
   constructor(config = {}) {
     this.db = null;
-    this.keyInfo = null;
-    this.cryptoKeyPair = null;
+    this.activeKeyPairRecord = null;
+    this.pendingKeyPairRecord = null;
     this.algorithm = Algorithm.ed25519;
     // Use Ed25519 for maximum security and performance
     // The type of stamper, can be changed at any time 
@@ -27,29 +27,27 @@ var IndexedDbStamper = class {
    */
   async init() {
     await this.openDB();
-    let keyInfo = await this.getStoredKeyInfo();
-    if (!keyInfo) {
-      keyInfo = await this.generateAndStoreKeyPair();
-    } else {
-      await this.loadKeyPair();
+    this.activeKeyPairRecord = await this.loadActiveKeyPairRecord();
+    if (!this.activeKeyPairRecord) {
+      this.activeKeyPairRecord = await this.generateAndStoreNewKeyPair("active");
     }
-    this.keyInfo = keyInfo;
-    return keyInfo;
+    this.pendingKeyPairRecord = await this.loadPendingKeyPairRecord();
+    return this.activeKeyPairRecord.keyInfo;
   }
   /**
    * Get the public key information
    */
   getKeyInfo() {
-    return this.keyInfo;
+    return this.activeKeyPairRecord?.keyInfo || null;
   }
   /**
    * Reset the key pair by generating a new one
    */
   async resetKeyPair() {
     await this.clearStoredKeys();
-    const keyInfo = await this.generateAndStoreKeyPair();
-    this.keyInfo = keyInfo;
-    return keyInfo;
+    this.activeKeyPairRecord = await this.generateAndStoreNewKeyPair("active");
+    this.pendingKeyPairRecord = null;
+    return this.activeKeyPairRecord.keyInfo;
   }
   /**
    * Create X-Phantom-Stamp header value using stored private key
@@ -58,7 +56,7 @@ var IndexedDbStamper = class {
    */
   async stamp(params) {
     const { data } = params;
-    if (!this.keyInfo || !this.cryptoKeyPair) {
+    if (!this.activeKeyPairRecord) {
       throw new Error("Stamper not initialized. Call init() first.");
     }
     const dataBytes = new Uint8Array(data);
@@ -67,7 +65,7 @@ var IndexedDbStamper = class {
         name: this.algorithm,
         hash: "SHA-256"
       },
-      this.cryptoKeyPair.privateKey,
+      this.activeKeyPairRecord.keyPair.privateKey,
       dataBytes
     );
     const signatureBase64url = base64urlEncode(new Uint8Array(signature));
@@ -76,14 +74,14 @@ var IndexedDbStamper = class {
     const salt = params.type === "OIDC" ? params.salt : this.salt;
     const stampData = stampType === "PKI" ? {
       // Decode base58 public key to bytes, then encode as base64url (consistent with ApiKeyStamper)
-      publicKey: base64urlEncode(bs58.decode(this.keyInfo.publicKey)),
+      publicKey: base64urlEncode(bs58.decode(this.activeKeyPairRecord.keyInfo.publicKey)),
       signature: signatureBase64url,
       kind: "PKI",
       algorithm: this.algorithm
     } : {
       kind: "OIDC",
       idToken,
-      publicKey: base64urlEncode(bs58.decode(this.keyInfo.publicKey)),
+      publicKey: base64urlEncode(bs58.decode(this.activeKeyPairRecord.keyInfo.publicKey)),
       salt,
       algorithm: this.algorithm,
       signature: signatureBase64url
@@ -96,8 +94,8 @@ var IndexedDbStamper = class {
    */
   async clear() {
     await this.clearStoredKeys();
-    this.keyInfo = null;
-    this.cryptoKeyPair = null;
+    this.activeKeyPairRecord = null;
+    this.pendingKeyPairRecord = null;
   }
   async clearStoredKeys() {
     if (!this.db) {
@@ -106,8 +104,8 @@ var IndexedDbStamper = class {
     return new Promise((resolve, reject) => {
       const transaction = this.db.transaction([this.storeName], "readwrite");
       const store = transaction.objectStore(this.storeName);
-      const deleteKeyPair = store.delete(`${this.keyName}-keypair`);
-      const deleteKeyInfo = store.delete(`${this.keyName}-info`);
+      const deleteActiveKeyPair = store.delete(`${this.keyName}-active`);
+      const deletePendingKeyPair = store.delete(`${this.keyName}-pending`);
       let completed = 0;
       const total = 2;
       const checkComplete = () => {
@@ -116,10 +114,10 @@ var IndexedDbStamper = class {
           resolve();
         }
       };
-      deleteKeyPair.onsuccess = checkComplete;
-      deleteKeyInfo.onsuccess = checkComplete;
-      deleteKeyPair.onerror = () => reject(deleteKeyPair.error);
-      deleteKeyInfo.onerror = () => reject(deleteKeyInfo.error);
+      deleteActiveKeyPair.onsuccess = checkComplete;
+      deletePendingKeyPair.onsuccess = checkComplete;
+      deleteActiveKeyPair.onerror = () => reject(deleteActiveKeyPair.error);
+      deletePendingKeyPair.onerror = () => reject(deletePendingKeyPair.error);
     });
   }
   async openDB() {
@@ -138,8 +136,46 @@ var IndexedDbStamper = class {
       };
     });
   }
-  async generateAndStoreKeyPair() {
-    this.cryptoKeyPair = await crypto.subtle.generateKey(
+  /**
+   * Generate a new keypair for rotation without making it active
+   */
+  async rotateKeyPair() {
+    if (!this.db) {
+      await this.openDB();
+    }
+    this.pendingKeyPairRecord = await this.generateAndStoreNewKeyPair("pending");
+    return this.pendingKeyPairRecord.keyInfo;
+  }
+  /**
+   * Switch to the pending keypair, making it active and cleaning up the old one
+   */
+  async commitRotation(authenticatorId) {
+    if (!this.pendingKeyPairRecord) {
+      throw new Error("No pending keypair to commit");
+    }
+    if (this.activeKeyPairRecord) {
+      await this.removeKeyPairRecord("active");
+    }
+    this.pendingKeyPairRecord.status = "active";
+    this.pendingKeyPairRecord.authenticatorId = authenticatorId;
+    this.pendingKeyPairRecord.keyInfo.authenticatorId = authenticatorId;
+    this.activeKeyPairRecord = this.pendingKeyPairRecord;
+    this.pendingKeyPairRecord = null;
+    await this.storeKeyPairRecord(this.activeKeyPairRecord, "active");
+    await this.removeKeyPairRecord("pending");
+  }
+  /**
+   * Discard the pending keypair on rotation failure
+   */
+  async rollbackRotation() {
+    if (!this.pendingKeyPairRecord) {
+      return;
+    }
+    await this.removeKeyPairRecord("pending");
+    this.pendingKeyPairRecord = null;
+  }
+  async generateAndStoreNewKeyPair(type) {
+    const keyPair = await crypto.subtle.generateKey(
       {
         name: "Ed25519"
       },
@@ -147,67 +183,75 @@ var IndexedDbStamper = class {
       // non-extractable - private key can never be exported
       ["sign", "verify"]
     );
-    const rawPublicKeyBuffer = await crypto.subtle.exportKey("raw", this.cryptoKeyPair.publicKey);
+    const rawPublicKeyBuffer = await crypto.subtle.exportKey("raw", keyPair.publicKey);
     const publicKeyBase58 = bs58.encode(new Uint8Array(rawPublicKeyBuffer));
     const keyIdBuffer = await crypto.subtle.digest("SHA-256", rawPublicKeyBuffer);
     const keyId = base64urlEncode(new Uint8Array(keyIdBuffer)).substring(0, 16);
+    const now = Date.now();
     const keyInfo = {
       keyId,
-      publicKey: publicKeyBase58
+      publicKey: publicKeyBase58,
+      createdAt: now
     };
-    await this.storeKeyPair(this.cryptoKeyPair, keyInfo);
-    return keyInfo;
+    const record = {
+      keyPair,
+      keyInfo,
+      createdAt: now,
+      expiresAt: 0,
+      // Not used anymore, kept for backward compatibility
+      status: type
+    };
+    await this.storeKeyPairRecord(record, type);
+    return record;
   }
-  async storeKeyPair(keyPair, keyInfo) {
+  async storeKeyPairRecord(record, type) {
     if (!this.db) {
       throw new Error("Database not initialized");
     }
     return new Promise((resolve, reject) => {
       const transaction = this.db.transaction([this.storeName], "readwrite");
       const store = transaction.objectStore(this.storeName);
-      const keyPairRequest = store.put(keyPair, `${this.keyName}-keypair`);
-      const keyInfoRequest = store.put(keyInfo, `${this.keyName}-info`);
-      let completed = 0;
-      const total = 2;
-      const checkComplete = () => {
-        completed++;
-        if (completed === total) {
-          resolve();
-        }
-      };
-      keyPairRequest.onsuccess = checkComplete;
-      keyInfoRequest.onsuccess = checkComplete;
-      keyPairRequest.onerror = () => reject(keyPairRequest.error);
-      keyInfoRequest.onerror = () => reject(keyInfoRequest.error);
+      const request = store.put(record, `${this.keyName}-${type}`);
+      request.onsuccess = () => resolve();
+      request.onerror = () => reject(request.error);
     });
   }
-  async loadKeyPair() {
+  async loadActiveKeyPairRecord() {
     if (!this.db) {
-      return;
+      return null;
     }
     return new Promise((resolve, reject) => {
       const transaction = this.db.transaction([this.storeName], "readonly");
       const store = transaction.objectStore(this.storeName);
-      const request = store.get(`${this.keyName}-keypair`);
-      request.onsuccess = () => {
-        this.cryptoKeyPair = request.result || null;
-        resolve();
-      };
+      const request = store.get(`${this.keyName}-active`);
+      request.onsuccess = () => resolve(request.result || null);
       request.onerror = () => reject(request.error);
     });
   }
-  async getStoredKeyInfo() {
+  async loadPendingKeyPairRecord() {
     if (!this.db) {
       return null;
     }
     return new Promise((resolve, reject) => {
       const transaction = this.db.transaction([this.storeName], "readonly");
       const store = transaction.objectStore(this.storeName);
-      const request = store.get(`${this.keyName}-info`);
+      const request = store.get(`${this.keyName}-pending`);
       request.onsuccess = () => resolve(request.result || null);
       request.onerror = () => reject(request.error);
     });
   }
+  async removeKeyPairRecord(type) {
+    if (!this.db) {
+      return;
+    }
+    return new Promise((resolve, reject) => {
+      const transaction = this.db.transaction([this.storeName], "readwrite");
+      const store = transaction.objectStore(this.storeName);
+      const request = store.delete(`${this.keyName}-${type}`);
+      request.onsuccess = () => resolve();
+      request.onerror = () => reject(request.error);
+    });
+  }
 };
 export {
   IndexedDbStamper

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@phantom/indexed-db-stamper",
-  "version": "0.1.4",
+  "version": "1.0.0-beta.0",
   "description": "IndexedDB stamper for Phantom Wallet SDK with non-extractable key storage",
   "main": "dist/index.js",
   "module": "dist/index.mjs",
@@ -39,10 +39,10 @@
     "typescript": "^5.0.4"
   },
   "dependencies": {
-    "@phantom/base64url": "^0.1.0",
-    "@phantom/crypto": "^0.1.2",
-    "@phantom/embedded-provider-core": "^0.1.5",
-    "@phantom/sdk-types": "^0.1.4",
+    "@phantom/base64url": "^1.0.0-beta.0",
+    "@phantom/crypto": "^1.0.0-beta.0",
+    "@phantom/embedded-provider-core": "^1.0.0-beta.0",
+    "@phantom/sdk-types": "^1.0.0-beta.0",
     "bs58": "^6.0.0",
     "buffer": "^6.0.3"
   },