@reallyme/crypto 0.1.7 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/LICENSE +201 -0
  2. package/README.md +43 -3
  3. package/dist/aead.d.ts +4 -0
  4. package/dist/aead.js +32 -15
  5. package/dist/aesKw.d.ts +3 -0
  6. package/dist/aesKw.js +10 -0
  7. package/dist/argon2id.d.ts +2 -0
  8. package/dist/argon2id.js +6 -0
  9. package/dist/cryptoFacade.d.ts +36 -0
  10. package/dist/cryptoFacade.js +71 -23
  11. package/dist/errors.d.ts +1 -1
  12. package/dist/hpke.d.ts +4 -0
  13. package/dist/hpke.js +20 -0
  14. package/dist/index.d.ts +5 -6
  15. package/dist/index.js +4 -4
  16. package/dist/jwaConcatKdf.js +8 -4
  17. package/dist/jwk.js +67 -72
  18. package/dist/memory.d.ts +8 -0
  19. package/dist/memory.js +13 -0
  20. package/dist/mlDsa.d.ts +5 -0
  21. package/dist/mlDsa.js +23 -0
  22. package/dist/mlKem.d.ts +6 -0
  23. package/dist/mlKem.js +29 -0
  24. package/dist/p256Ecdh.js +5 -1
  25. package/dist/p384Ecdh.js +5 -1
  26. package/dist/p521Ecdh.js +5 -1
  27. package/dist/proto/generated/reallyme/crypto/v1/crypto_pb.d.ts +1602 -70
  28. package/dist/proto/generated/reallyme/crypto/v1/crypto_pb.js +624 -16
  29. package/dist/proto.d.ts +113 -3
  30. package/dist/proto.js +706 -2
  31. package/dist/rsa.d.ts +2 -0
  32. package/dist/rsa.js +18 -15
  33. package/dist/slhDsa.d.ts +5 -0
  34. package/dist/slhDsa.js +21 -0
  35. package/dist/validateBytes.d.ts +1 -0
  36. package/dist/validateBytes.js +6 -0
  37. package/dist/wasm/reallyme_crypto_wasm.js +1 -246
  38. package/dist/wasm/reallyme_crypto_wasm_bg.wasm +0 -0
  39. package/dist/wasmModuleTypes.d.ts +2 -11
  40. package/dist/wasmProvider.d.ts +1 -16
  41. package/dist/wasmProvider.js +10 -25
  42. package/dist/xWing.d.ts +6 -0
  43. package/dist/xWing.js +34 -2
  44. package/package.json +7 -2
  45. package/dist/codecs.d.ts +0 -35
  46. package/dist/codecs.js +0 -216
package/dist/mlDsa.d.ts CHANGED
@@ -1,4 +1,5 @@
1
1
  import type { ReallyMeSignatureAlgorithm } from "./algorithms.js";
2
+ import type { ReallyMeWasmProvider } from "./wasmProvider.js";
2
3
  export declare const ML_DSA_44_PUBLIC_KEY_LENGTH = 1312;
3
4
  export declare const ML_DSA_44_SIGNATURE_LENGTH = 2420;
4
5
  export declare const ML_DSA_65_PUBLIC_KEY_LENGTH = 1952;
@@ -12,7 +13,11 @@ export type ReallyMeMlDsaKeyPair = Readonly<{
12
13
  }>;
13
14
  export declare const ReallyMeMlDsa: {
14
15
  readonly generateKeyPair: (algorithm: ReallyMeSignatureAlgorithm) => ReallyMeMlDsaKeyPair;
16
+ readonly generateKeyPairWithProvider: (provider: ReallyMeWasmProvider, algorithm: ReallyMeSignatureAlgorithm) => ReallyMeMlDsaKeyPair;
15
17
  readonly deriveKeyPair: (algorithm: ReallyMeSignatureAlgorithm, secretKey: Uint8Array) => ReallyMeMlDsaKeyPair;
18
+ readonly deriveKeyPairWithProvider: (provider: ReallyMeWasmProvider, algorithm: ReallyMeSignatureAlgorithm, secretKey: Uint8Array) => ReallyMeMlDsaKeyPair;
16
19
  readonly sign: (algorithm: ReallyMeSignatureAlgorithm, message: Uint8Array, secretKey: Uint8Array) => Uint8Array;
20
+ readonly signWithProvider: (provider: ReallyMeWasmProvider, algorithm: ReallyMeSignatureAlgorithm, message: Uint8Array, secretKey: Uint8Array) => Uint8Array;
17
21
  readonly verify: (algorithm: ReallyMeSignatureAlgorithm, signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array) => void;
22
+ readonly verifyWithProvider: (provider: ReallyMeWasmProvider, algorithm: ReallyMeSignatureAlgorithm, signature: Uint8Array, message: Uint8Array, publicKey: Uint8Array) => void;
18
23
  };
package/dist/mlDsa.js CHANGED
@@ -13,6 +13,9 @@ export const ML_DSA_87_SIGNATURE_LENGTH = 4_627;
13
13
  export const ML_DSA_SECRET_KEY_LENGTH = 32;
14
14
  const mlDsaSuite = (algorithm) => {
15
15
  const provider = requireReallyMeWasmProvider();
16
+ return mlDsaSuiteWithProvider(algorithm, provider);
17
+ };
18
+ const mlDsaSuiteWithProvider = (algorithm, provider) => {
16
19
  switch (algorithm) {
17
20
  case "ML-DSA-44":
18
21
  return {
@@ -66,6 +69,10 @@ export const ReallyMeMlDsa = {
66
69
  const suite = mlDsaSuite(algorithm);
67
70
  return readKeyPair(suite.generateKeyPair(), suite);
68
71
  },
72
+ generateKeyPairWithProvider(provider, algorithm) {
73
+ const suite = mlDsaSuiteWithProvider(algorithm, provider);
74
+ return readKeyPair(suite.generateKeyPair(), suite);
75
+ },
69
76
  deriveKeyPair(algorithm, secretKey) {
70
77
  // Import an existing FIPS 204 seed and reconstruct its public key. Do not
71
78
  // feed passwords or other low-entropy material here.
@@ -73,15 +80,31 @@ export const ReallyMeMlDsa = {
73
80
  ensureBytes(secretKey, ML_DSA_SECRET_KEY_LENGTH);
74
81
  return readKeyPair(suite.deriveKeyPair(secretKey), suite);
75
82
  },
83
+ deriveKeyPairWithProvider(provider, algorithm, secretKey) {
84
+ const suite = mlDsaSuiteWithProvider(algorithm, provider);
85
+ ensureBytes(secretKey, ML_DSA_SECRET_KEY_LENGTH);
86
+ return readKeyPair(suite.deriveKeyPair(secretKey), suite);
87
+ },
76
88
  sign(algorithm, message, secretKey) {
77
89
  const suite = mlDsaSuite(algorithm);
78
90
  ensureBytes(secretKey, ML_DSA_SECRET_KEY_LENGTH);
79
91
  return readSignature(suite.sign(secretKey, message), suite);
80
92
  },
93
+ signWithProvider(provider, algorithm, message, secretKey) {
94
+ const suite = mlDsaSuiteWithProvider(algorithm, provider);
95
+ ensureBytes(secretKey, ML_DSA_SECRET_KEY_LENGTH);
96
+ return readSignature(suite.sign(secretKey, message), suite);
97
+ },
81
98
  verify(algorithm, signature, message, publicKey) {
82
99
  const suite = mlDsaSuite(algorithm);
83
100
  ensureBytes(publicKey, suite.publicKeyLength);
84
101
  ensureBytes(signature, suite.signatureLength);
85
102
  readVoid(suite.verify(publicKey, message, signature));
86
103
  },
104
+ verifyWithProvider(provider, algorithm, signature, message, publicKey) {
105
+ const suite = mlDsaSuiteWithProvider(algorithm, provider);
106
+ ensureBytes(publicKey, suite.publicKeyLength);
107
+ ensureBytes(signature, suite.signatureLength);
108
+ readVoid(suite.verify(publicKey, message, signature));
109
+ },
87
110
  };
package/dist/mlKem.d.ts CHANGED
@@ -1,4 +1,5 @@
1
1
  import type { ReallyMeKemAlgorithm } from "./algorithms.js";
2
+ import type { ReallyMeWasmProvider } from "./wasmProvider.js";
2
3
  export declare const ML_KEM_512_PUBLIC_KEY_LENGTH = 800;
3
4
  export declare const ML_KEM_512_CIPHERTEXT_LENGTH = 768;
4
5
  export declare const ML_KEM_768_PUBLIC_KEY_LENGTH = 1184;
@@ -18,8 +19,13 @@ export type ReallyMeMlKemEncapsulation = Readonly<{
18
19
  }>;
19
20
  export declare const ReallyMeMlKem: {
20
21
  readonly generateKeyPair: (algorithm: ReallyMeKemAlgorithm) => ReallyMeMlKemKeyPair;
22
+ readonly generateKeyPairWithProvider: (provider: ReallyMeWasmProvider, algorithm: ReallyMeKemAlgorithm) => ReallyMeMlKemKeyPair;
21
23
  readonly deriveKeyPair: (algorithm: ReallyMeKemAlgorithm, secretKey: Uint8Array) => ReallyMeMlKemKeyPair;
24
+ readonly deriveKeyPairWithProvider: (provider: ReallyMeWasmProvider, algorithm: ReallyMeKemAlgorithm, secretKey: Uint8Array) => ReallyMeMlKemKeyPair;
22
25
  readonly encapsulate: (algorithm: ReallyMeKemAlgorithm, publicKey: Uint8Array) => ReallyMeMlKemEncapsulation;
26
+ readonly encapsulateWithProvider: (provider: ReallyMeWasmProvider, algorithm: ReallyMeKemAlgorithm, publicKey: Uint8Array) => ReallyMeMlKemEncapsulation;
23
27
  readonly encapsulateDeterministicallyForTest: (algorithm: ReallyMeKemAlgorithm, publicKey: Uint8Array, randomness: Uint8Array) => ReallyMeMlKemEncapsulation;
28
+ readonly encapsulateDeterministicallyWithProviderForTest: (provider: ReallyMeWasmProvider, algorithm: ReallyMeKemAlgorithm, publicKey: Uint8Array, randomness: Uint8Array) => ReallyMeMlKemEncapsulation;
24
29
  readonly decapsulate: (algorithm: ReallyMeKemAlgorithm, ciphertext: Uint8Array, secretKey: Uint8Array) => Uint8Array;
30
+ readonly decapsulateWithProvider: (provider: ReallyMeWasmProvider, algorithm: ReallyMeKemAlgorithm, ciphertext: Uint8Array, secretKey: Uint8Array) => Uint8Array;
25
31
  };
package/dist/mlKem.js CHANGED
@@ -15,6 +15,9 @@ export const ML_KEM_ENCAPSULATION_RANDOMNESS_LENGTH = 32;
15
15
  export const ML_KEM_SHARED_SECRET_LENGTH = 32;
16
16
  const mlKemSuite = (algorithm) => {
17
17
  const provider = requireReallyMeWasmProvider();
18
+ return mlKemSuiteWithProvider(algorithm, provider);
19
+ };
20
+ const mlKemSuiteWithProvider = (algorithm, provider) => {
18
21
  switch (algorithm) {
19
22
  case "ML-KEM-512":
20
23
  return {
@@ -70,6 +73,10 @@ export const ReallyMeMlKem = {
70
73
  const suite = mlKemSuite(algorithm);
71
74
  return readKeyPair(suite.generateKeyPair(), suite);
72
75
  },
76
+ generateKeyPairWithProvider(provider, algorithm) {
77
+ const suite = mlKemSuiteWithProvider(algorithm, provider);
78
+ return readKeyPair(suite.generateKeyPair(), suite);
79
+ },
73
80
  deriveKeyPair(algorithm, secretKey) {
74
81
  // Import an existing FIPS 203 seed-form secret and reconstruct its public
75
82
  // key. Do not feed passwords or other low-entropy material here.
@@ -77,21 +84,43 @@ export const ReallyMeMlKem = {
77
84
  ensureBytes(secretKey, ML_KEM_SECRET_KEY_LENGTH);
78
85
  return readKeyPair(suite.deriveKeyPair(secretKey), suite);
79
86
  },
87
+ deriveKeyPairWithProvider(provider, algorithm, secretKey) {
88
+ const suite = mlKemSuiteWithProvider(algorithm, provider);
89
+ ensureBytes(secretKey, ML_KEM_SECRET_KEY_LENGTH);
90
+ return readKeyPair(suite.deriveKeyPair(secretKey), suite);
91
+ },
80
92
  encapsulate(algorithm, publicKey) {
81
93
  const suite = mlKemSuite(algorithm);
82
94
  ensureBytes(publicKey, suite.publicKeyLength);
83
95
  return readEncapsulation(suite.encapsulate(publicKey), suite);
84
96
  },
97
+ encapsulateWithProvider(provider, algorithm, publicKey) {
98
+ const suite = mlKemSuiteWithProvider(algorithm, provider);
99
+ ensureBytes(publicKey, suite.publicKeyLength);
100
+ return readEncapsulation(suite.encapsulate(publicKey), suite);
101
+ },
85
102
  encapsulateDeterministicallyForTest(algorithm, publicKey, randomness) {
86
103
  const suite = mlKemSuite(algorithm);
87
104
  ensureBytes(publicKey, suite.publicKeyLength);
88
105
  ensureBytes(randomness, ML_KEM_ENCAPSULATION_RANDOMNESS_LENGTH);
89
106
  return readEncapsulation(suite.encapsulateDerand(publicKey, randomness), suite);
90
107
  },
108
+ encapsulateDeterministicallyWithProviderForTest(provider, algorithm, publicKey, randomness) {
109
+ const suite = mlKemSuiteWithProvider(algorithm, provider);
110
+ ensureBytes(publicKey, suite.publicKeyLength);
111
+ ensureBytes(randomness, ML_KEM_ENCAPSULATION_RANDOMNESS_LENGTH);
112
+ return readEncapsulation(suite.encapsulateDerand(publicKey, randomness), suite);
113
+ },
91
114
  decapsulate(algorithm, ciphertext, secretKey) {
92
115
  const suite = mlKemSuite(algorithm);
93
116
  ensureBytes(ciphertext, suite.ciphertextLength);
94
117
  ensureBytes(secretKey, ML_KEM_SECRET_KEY_LENGTH);
95
118
  return readSharedSecret(suite.decapsulate(ciphertext, secretKey));
96
119
  },
120
+ decapsulateWithProvider(provider, algorithm, ciphertext, secretKey) {
121
+ const suite = mlKemSuiteWithProvider(algorithm, provider);
122
+ ensureBytes(ciphertext, suite.ciphertextLength);
123
+ ensureBytes(secretKey, ML_KEM_SECRET_KEY_LENGTH);
124
+ return readSharedSecret(suite.decapsulate(ciphertext, secretKey));
125
+ },
97
126
  };
package/dist/p256Ecdh.js CHANGED
@@ -3,6 +3,7 @@
3
3
  // SPDX-License-Identifier: Apache-2.0
4
4
  import { p256 } from "@noble/curves/nist.js";
5
5
  import { ReallyMeCryptoError } from "./errors.js";
6
+ import { bestEffortClear } from "./memory.js";
6
7
  /**
7
8
  * P-256 ECDH backed by @noble/curves.
8
9
  *
@@ -44,7 +45,10 @@ export const ReallyMeP256Ecdh = {
44
45
  throw new ReallyMeCryptoError("invalid-input");
45
46
  }
46
47
  try {
47
- return p256.getSharedSecret(secretKey, publicKey, false).slice(1, 33);
48
+ const uncompressed = p256.getSharedSecret(secretKey, publicKey, false);
49
+ const sharedSecret = uncompressed.slice(1, 33);
50
+ bestEffortClear(uncompressed);
51
+ return sharedSecret;
48
52
  }
49
53
  catch {
50
54
  throw new ReallyMeCryptoError("invalid-input");
package/dist/p384Ecdh.js CHANGED
@@ -3,6 +3,7 @@
3
3
  // SPDX-License-Identifier: Apache-2.0
4
4
  import { p384 } from "@noble/curves/nist.js";
5
5
  import { ReallyMeCryptoError } from "./errors.js";
6
+ import { bestEffortClear } from "./memory.js";
6
7
  /**
7
8
  * P-384 ECDH backed by @noble/curves.
8
9
  *
@@ -44,7 +45,10 @@ export const ReallyMeP384Ecdh = {
44
45
  throw new ReallyMeCryptoError("invalid-input");
45
46
  }
46
47
  try {
47
- return p384.getSharedSecret(secretKey, publicKey, false).slice(1, 49);
48
+ const uncompressed = p384.getSharedSecret(secretKey, publicKey, false);
49
+ const sharedSecret = uncompressed.slice(1, 49);
50
+ bestEffortClear(uncompressed);
51
+ return sharedSecret;
48
52
  }
49
53
  catch {
50
54
  throw new ReallyMeCryptoError("invalid-input");
package/dist/p521Ecdh.js CHANGED
@@ -3,6 +3,7 @@
3
3
  // SPDX-License-Identifier: Apache-2.0
4
4
  import { p521 } from "@noble/curves/nist.js";
5
5
  import { ReallyMeCryptoError } from "./errors.js";
6
+ import { bestEffortClear } from "./memory.js";
6
7
  /**
7
8
  * P-521 ECDH backed by @noble/curves.
8
9
  *
@@ -44,7 +45,10 @@ export const ReallyMeP521Ecdh = {
44
45
  throw new ReallyMeCryptoError("invalid-input");
45
46
  }
46
47
  try {
47
- return p521.getSharedSecret(secretKey, publicKey, false).slice(1, 67);
48
+ const uncompressed = p521.getSharedSecret(secretKey, publicKey, false);
49
+ const sharedSecret = uncompressed.slice(1, 67);
50
+ bestEffortClear(uncompressed);
51
+ return sharedSecret;
48
52
  }
49
53
  catch {
50
54
  throw new ReallyMeCryptoError("invalid-input");