@raytio/core 11.5.0 → 11.6.0

package/dist/crypto/localSecret/storage.js

@@ -0,0 +1,207 @@
+"use strict";
+/**
+ * LocalSecret Storage
+ *
+ * IndexedDB-based storage for LocalSecrets.
+ * The LocalSecret is stored locally on the device and never sent to servers.
+ *
+ * Issue #1649
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getOrCreateDeviceId = getOrCreateDeviceId;
+exports.storeLocalSecret = storeLocalSecret;
+exports.getLocalSecret = getLocalSecret;
+exports.deleteLocalSecret = deleteLocalSecret;
+exports.hasLocalSecret = hasLocalSecret;
+exports.getLocalSecretRecord = getLocalSecretRecord;
+exports.createIndexedDBStorage = createIndexedDBStorage;
+const types_1 = require("./types");
+const generator_1 = require("./generator");
+// Cached device ID
+let deviceId = null;
+/**
+ * Get or create a unique device ID
+ *
+ * The device ID is stored in localStorage for persistence.
+ */
+async function getOrCreateDeviceId() {
+    if (deviceId) {
+        return deviceId;
+    }
+    const storageKey = "raytio-device-id";
+    try {
+        const stored = localStorage.getItem(storageKey);
+        if (stored) {
+            // eslint-disable-next-line fp/no-mutation -- Cache assignment
+            deviceId = stored;
+            return deviceId;
+        }
+    }
+    catch (_a) {
+        // localStorage not available
+    }
+    // Generate new device ID
+    const newDeviceId = (0, generator_1.generateDeviceId)();
+    // eslint-disable-next-line fp/no-mutation -- Cache assignment
+    deviceId = newDeviceId;
+    try {
+        localStorage.setItem(storageKey, newDeviceId);
+    }
+    catch (_b) {
+        // localStorage not available, device ID will be regenerated on next session
+    }
+    return newDeviceId;
+}
+/**
+ * Open the IndexedDB database for LocalSecret storage
+ */
+function openDatabase() {
+    return new Promise((resolve, reject) => {
+        const request = indexedDB.open(types_1.LOCAL_SECRET_DB_CONFIG.name, types_1.LOCAL_SECRET_DB_CONFIG.version);
+        /* eslint-disable fp/no-mutation -- IndexedDB API requires callback assignment */
+        request.onerror = () => {
+            reject(new Error("Failed to open LocalSecret database"));
+        };
+        request.onsuccess = () => {
+            resolve(request.result);
+        };
+        request.onupgradeneeded = event => {
+            const db = event.target.result;
+            // Create object store if it doesn't exist
+            if (!db.objectStoreNames.contains(types_1.LOCAL_SECRET_DB_CONFIG.storeName)) {
+                db.createObjectStore(types_1.LOCAL_SECRET_DB_CONFIG.storeName);
+            }
+        };
+        /* eslint-enable fp/no-mutation */
+    });
+}
+/**
+ * Store a LocalSecret in IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ * @param secret - The 32-byte LocalSecret
+ */
+async function storeLocalSecret(userId, secret) {
+    const db = await openDatabase();
+    const deviceIdValue = await getOrCreateDeviceId();
+    const record = {
+        secret,
+        userId,
+        createdAt: new Date().toISOString(),
+        deviceId: deviceIdValue,
+    };
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction(types_1.LOCAL_SECRET_DB_CONFIG.storeName, "readwrite");
+        const store = transaction.objectStore(types_1.LOCAL_SECRET_DB_CONFIG.storeName);
+        const request = store.put(record, `local-secret-${userId}`);
+        /* eslint-disable fp/no-mutation -- IndexedDB API requires callback assignment */
+        request.onerror = () => {
+            reject(new Error("Failed to store LocalSecret"));
+        };
+        request.onsuccess = () => {
+            resolve();
+        };
+        transaction.oncomplete = () => {
+            db.close();
+        };
+        /* eslint-enable fp/no-mutation */
+    });
+}
+/**
+ * Retrieve a LocalSecret from IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ * @returns The LocalSecret or null if not found
+ */
+async function getLocalSecret(userId) {
+    const db = await openDatabase();
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction(types_1.LOCAL_SECRET_DB_CONFIG.storeName, "readonly");
+        const store = transaction.objectStore(types_1.LOCAL_SECRET_DB_CONFIG.storeName);
+        const request = store.get(`local-secret-${userId}`);
+        /* eslint-disable fp/no-mutation -- IndexedDB API requires callback assignment */
+        request.onerror = () => {
+            reject(new Error("Failed to retrieve LocalSecret"));
+        };
+        request.onsuccess = () => {
+            var _a;
+            const record = request.result;
+            resolve((_a = record === null || record === void 0 ? void 0 : record.secret) !== null && _a !== void 0 ? _a : null);
+        };
+        transaction.oncomplete = () => {
+            db.close();
+        };
+        /* eslint-enable fp/no-mutation */
+    });
+}
+/**
+ * Delete a LocalSecret from IndexedDB
+ *
+ * @param userId - User's Cognito sub
+ */
+async function deleteLocalSecret(userId) {
+    const db = await openDatabase();
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction(types_1.LOCAL_SECRET_DB_CONFIG.storeName, "readwrite");
+        const store = transaction.objectStore(types_1.LOCAL_SECRET_DB_CONFIG.storeName);
+        const request = store.delete(`local-secret-${userId}`);
+        /* eslint-disable fp/no-mutation -- IndexedDB API requires callback assignment */
+        request.onerror = () => {
+            reject(new Error("Failed to delete LocalSecret"));
+        };
+        request.onsuccess = () => {
+            resolve();
+        };
+        transaction.oncomplete = () => {
+            db.close();
+        };
+        /* eslint-enable fp/no-mutation */
+    });
+}
+/**
+ * Check if a LocalSecret exists for a user
+ *
+ * @param userId - User's Cognito sub
+ * @returns true if a LocalSecret exists
+ */
+async function hasLocalSecret(userId) {
+    const secret = await getLocalSecret(userId);
+    return secret !== null;
+}
+/**
+ * Get the stored LocalSecret record (including metadata)
+ *
+ * @param userId - User's Cognito sub
+ * @returns The full storage record or null
+ */
+async function getLocalSecretRecord(userId) {
+    const db = await openDatabase();
+    return new Promise((resolve, reject) => {
+        const transaction = db.transaction(types_1.LOCAL_SECRET_DB_CONFIG.storeName, "readonly");
+        const store = transaction.objectStore(types_1.LOCAL_SECRET_DB_CONFIG.storeName);
+        const request = store.get(`local-secret-${userId}`);
+        /* eslint-disable fp/no-mutation -- IndexedDB API requires callback assignment */
+        request.onerror = () => {
+            reject(new Error("Failed to retrieve LocalSecret record"));
+        };
+        request.onsuccess = () => {
+            var _a;
+            resolve((_a = request.result) !== null && _a !== void 0 ? _a : null);
+        };
+        transaction.oncomplete = () => {
+            db.close();
+        };
+        /* eslint-enable fp/no-mutation */
+    });
+}
+/**
+ * Create a LocalSecretStorage implementation using IndexedDB
+ */
+function createIndexedDBStorage() {
+    return {
+        store: storeLocalSecret,
+        get: getLocalSecret,
+        delete: deleteLocalSecret,
+        exists: hasLocalSecret,
+    };
+}

package/dist/crypto/localSecret/types.d.ts

@@ -0,0 +1,68 @@
+/**
+ * LocalSecret Types
+ *
+ * Types for the device-bound LocalSecret used in 2SKD.
+ * Issue #1649
+ */
+/**
+ * LocalSecret storage record
+ */
+export interface StoredLocalSecret {
+    /** The 32-byte LocalSecret */
+    secret: Uint8Array;
+    /** User's Cognito sub (user ID) */
+    userId: string;
+    /** When the LocalSecret was created */
+    createdAt: string;
+    /** Unique identifier for this device */
+    deviceId: string;
+}
+/**
+ * LocalSecret display format
+ *
+ * Formatted for human readability with dashes between groups.
+ * Uses unambiguous character set (no 0, 1, I, O).
+ */
+export interface FormattedLocalSecret {
+    /** Full formatted string (e.g., "A7K2M9-X4P8N3-...") */
+    formatted: string;
+    /** Individual groups for display */
+    groups: string[];
+}
+/**
+ * LocalSecret storage interface
+ *
+ * Abstraction for storing LocalSecrets (IndexedDB, Keychain, etc.)
+ */
+export interface LocalSecretStorage {
+    /** Store a LocalSecret for a user */
+    store(userId: string, secret: Uint8Array): Promise<void>;
+    /** Retrieve a LocalSecret for a user */
+    get(userId: string): Promise<Uint8Array | null>;
+    /** Delete a LocalSecret for a user */
+    delete(userId: string): Promise<void>;
+    /** Check if a LocalSecret exists for a user */
+    exists(userId: string): Promise<boolean>;
+}
+/**
+ * IndexedDB configuration for LocalSecret storage
+ */
+export declare const LOCAL_SECRET_DB_CONFIG: {
+    readonly name: "raytio-secrets";
+    readonly version: 1;
+    readonly storeName: "local-secrets";
+};
+/**
+ * LocalSecret size in bytes (256 bits)
+ */
+export declare const LOCAL_SECRET_SIZE = 32;
+/**
+ * Character set for LocalSecret display format
+ *
+ * Excludes ambiguous characters: 0, 1, I, O
+ */
+export declare const LOCAL_SECRET_CHARSET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ";
+/**
+ * Number of characters per group in formatted display
+ */
+export declare const LOCAL_SECRET_GROUP_SIZE = 6;

package/dist/crypto/localSecret/types.js

@@ -0,0 +1,31 @@
+"use strict";
+/**
+ * LocalSecret Types
+ *
+ * Types for the device-bound LocalSecret used in 2SKD.
+ * Issue #1649
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LOCAL_SECRET_GROUP_SIZE = exports.LOCAL_SECRET_CHARSET = exports.LOCAL_SECRET_SIZE = exports.LOCAL_SECRET_DB_CONFIG = void 0;
+/**
+ * IndexedDB configuration for LocalSecret storage
+ */
+exports.LOCAL_SECRET_DB_CONFIG = {
+    name: "raytio-secrets",
+    version: 1,
+    storeName: "local-secrets",
+};
+/**
+ * LocalSecret size in bytes (256 bits)
+ */
+exports.LOCAL_SECRET_SIZE = 32;
+/**
+ * Character set for LocalSecret display format
+ *
+ * Excludes ambiguous characters: 0, 1, I, O
+ */
+exports.LOCAL_SECRET_CHARSET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZ";
+/**
+ * Number of characters per group in formatted display
+ */
+exports.LOCAL_SECRET_GROUP_SIZE = 6;

package/dist/crypto/pgpKey/encryption.d.ts

@@ -0,0 +1,49 @@
+/**
+ * PGP Private Key Encryption
+ *
+ * Encrypts private keys using AES-GCM with the user's 2SKD KEK.
+ * Issue #1374
+ */
+/**
+ * Encryption result containing ciphertext and IV
+ */
+export interface EncryptedPrivateKey {
+    /** AES-GCM encrypted private key bytes */
+    encryptedPrivateKey: Uint8Array;
+    /** 12-byte initialization vector for decryption */
+    iv: Uint8Array;
+}
+/**
+ * Encrypt private key bytes with the user's KEK using AES-GCM
+ *
+ * Uses a random 12-byte IV for each encryption operation.
+ *
+ * @param privateKeyBytes - Raw private key bytes (PKCS8 format)
+ * @param kek - 32-byte Key Encryption Key from 2SKD
+ * @returns Encrypted private key and IV
+ */
+export declare function encryptPrivateKey(privateKeyBytes: Uint8Array, kek: Uint8Array): Promise<EncryptedPrivateKey>;
+/**
+ * Decrypt private key bytes with the user's KEK using AES-GCM
+ *
+ * @param encryptedPrivateKey - AES-GCM encrypted private key bytes
+ * @param iv - 12-byte initialization vector used during encryption
+ * @param kek - 32-byte Key Encryption Key from 2SKD
+ * @returns Decrypted private key bytes (PKCS8 format)
+ * @throws Error if decryption fails (wrong key or tampered data)
+ */
+export declare function decryptPrivateKey(encryptedPrivateKey: Uint8Array, iv: Uint8Array, kek: Uint8Array): Promise<Uint8Array>;
+/**
+ * Import private key bytes as a CryptoKey for RSA-PSS signing
+ *
+ * @param privateKeyBytes - Private key in PKCS8 format
+ * @returns CryptoKey configured for RSA-PSS signing with SHA-256
+ */
+export declare function importPrivateKey(privateKeyBytes: Uint8Array): Promise<CryptoKey>;
+/**
+ * Import a PEM-encoded public key as a CryptoKey for RSA-PSS verification
+ *
+ * @param publicKeyPem - Public key in PEM format (SPKI)
+ * @returns CryptoKey configured for RSA-PSS verification with SHA-256
+ */
+export declare function importPublicKey(publicKeyPem: string): Promise<CryptoKey>;

package/dist/crypto/pgpKey/encryption.js

@@ -0,0 +1,104 @@
+"use strict";
+/**
+ * PGP Private Key Encryption
+ *
+ * Encrypts private keys using AES-GCM with the user's 2SKD KEK.
+ * Issue #1374
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.encryptPrivateKey = encryptPrivateKey;
+exports.decryptPrivateKey = decryptPrivateKey;
+exports.importPrivateKey = importPrivateKey;
+exports.importPublicKey = importPublicKey;
+const types_1 = require("./types");
+/**
+ * Import a raw KEK as a CryptoKey for AES-GCM operations
+ *
+ * @param kek - 32-byte KEK (Key Encryption Key)
+ * @returns CryptoKey for encryption/decryption
+ */
+async function importKek(kek) {
+    return crypto.subtle.importKey("raw", kek, { name: "AES-GCM" }, false, [
+        "encrypt",
+        "decrypt",
+    ]);
+}
+/**
+ * Encrypt private key bytes with the user's KEK using AES-GCM
+ *
+ * Uses a random 12-byte IV for each encryption operation.
+ *
+ * @param privateKeyBytes - Raw private key bytes (PKCS8 format)
+ * @param kek - 32-byte Key Encryption Key from 2SKD
+ * @returns Encrypted private key and IV
+ */
+async function encryptPrivateKey(privateKeyBytes, kek) {
+    if (kek.length !== 32) {
+        throw new Error("KEK must be 32 bytes for AES-256");
+    }
+    if (privateKeyBytes.length === 0) {
+        throw new Error("Private key cannot be empty");
+    }
+    // Generate random IV
+    const iv = new Uint8Array(types_1.AES_GCM_IV_SIZE);
+    crypto.getRandomValues(iv);
+    // Import KEK as CryptoKey
+    const cryptoKey = await importKek(kek);
+    // Encrypt with AES-GCM
+    const encryptedBuffer = await crypto.subtle.encrypt({ name: "AES-GCM", iv }, cryptoKey, privateKeyBytes);
+    return {
+        encryptedPrivateKey: new Uint8Array(encryptedBuffer),
+        iv,
+    };
+}
+/**
+ * Decrypt private key bytes with the user's KEK using AES-GCM
+ *
+ * @param encryptedPrivateKey - AES-GCM encrypted private key bytes
+ * @param iv - 12-byte initialization vector used during encryption
+ * @param kek - 32-byte Key Encryption Key from 2SKD
+ * @returns Decrypted private key bytes (PKCS8 format)
+ * @throws Error if decryption fails (wrong key or tampered data)
+ */
+async function decryptPrivateKey(encryptedPrivateKey, iv, kek) {
+    if (kek.length !== 32) {
+        throw new Error("KEK must be 32 bytes for AES-256");
+    }
+    if (iv.length !== types_1.AES_GCM_IV_SIZE) {
+        throw new Error("IV must be 12 bytes");
+    }
+    if (encryptedPrivateKey.length === 0) {
+        throw new Error("Encrypted private key cannot be empty");
+    }
+    // Import KEK as CryptoKey
+    const cryptoKey = await importKek(kek);
+    // Decrypt with AES-GCM
+    const decryptedBuffer = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, cryptoKey, encryptedPrivateKey);
+    return new Uint8Array(decryptedBuffer);
+}
+/**
+ * Import private key bytes as a CryptoKey for RSA-PSS signing
+ *
+ * @param privateKeyBytes - Private key in PKCS8 format
+ * @returns CryptoKey configured for RSA-PSS signing with SHA-256
+ */
+async function importPrivateKey(privateKeyBytes) {
+    return crypto.subtle.importKey("pkcs8", privateKeyBytes, { name: "RSA-PSS", hash: "SHA-256" }, false, ["sign"]);
+}
+/**
+ * Import a PEM-encoded public key as a CryptoKey for RSA-PSS verification
+ *
+ * @param publicKeyPem - Public key in PEM format (SPKI)
+ * @returns CryptoKey configured for RSA-PSS verification with SHA-256
+ */
+async function importPublicKey(publicKeyPem) {
+    // Extract base64 content from PEM
+    const pemContents = publicKeyPem
+        .replace(/-----BEGIN PUBLIC KEY-----/, "")
+        .replace(/-----END PUBLIC KEY-----/, "")
+        .replace(/\s/g, "");
+    // Decode base64 to bytes using functional approach
+    const binaryString = atob(pemContents);
+    const bytes = Uint8Array.from(binaryString, c => c.charCodeAt(0));
+    return crypto.subtle.importKey("spki", bytes, { name: "RSA-PSS", hash: "SHA-256" }, false, ["verify"]);
+}

package/dist/crypto/pgpKey/export.d.ts

@@ -0,0 +1,59 @@
+/**
+ * PGP Key Export
+ *
+ * Export PKCS8 private keys to OpenPGP armored format.
+ * Compatible with GPG and GitHub.
+ *
+ * This module converts existing PKCS8 key material to OpenPGP format,
+ * preserving the original cryptographic material rather than generating
+ * new keys.
+ *
+ * Issue #1374
+ */
+/**
+ * Options for exporting a PGP key
+ */
+export interface ExportPGPKeyOptions {
+    /** Optional passphrase to encrypt the exported key */
+    passphrase?: string;
+    /** User IDs to associate with the key */
+    userIds?: Array<{
+        name?: string;
+        email?: string;
+    }>;
+    /** Key creation date (defaults to current time) */
+    date?: Date;
+}
+/**
+ * Result of exporting a PGP key
+ */
+export interface ExportedPGPKey {
+    /** Armored private key in OpenPGP format */
+    armoredPrivateKey: string;
+    /** Armored public key in OpenPGP format */
+    armoredPublicKey: string;
+    /** Whether the exported private key is encrypted */
+    isEncrypted: boolean;
+    /** Key fingerprint (SHA-256 of SPKI bytes, first 40 hex chars) */
+    fingerprint: string;
+}
+/**
+ * Error thrown when key export fails
+ */
+export declare class PGPKeyExportError extends Error {
+    readonly code: string;
+    constructor(message: string, code: string);
+}
+/**
+ * Export a PKCS8 private key to OpenPGP armored format
+ *
+ * This function converts existing PKCS8 RSA key material to OpenPGP format,
+ * preserving the original cryptographic material. The exported key can be
+ * used with GPG, GitHub, and other OpenPGP-compatible tools.
+ *
+ * @param privateKeyBytes - PKCS8 encoded private key bytes
+ * @param options - Export options (passphrase, userIds, date)
+ * @returns Armored private and public keys with fingerprint
+ * @throws PGPKeyExportError if export fails
+ */
+export declare function exportPGPKeyToArmored(privateKeyBytes: Uint8Array, options?: ExportPGPKeyOptions): Promise<ExportedPGPKey>;