npm - @storacha/encrypt-upload-client - Versions diffs - 0.0.36 → 1.0.0-0 - Mend

@storacha/encrypt-upload-client 0.0.36 → 1.0.0-0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

package/dist/core/client.d.ts +8 -12
package/dist/core/client.d.ts.map +1 -1
package/dist/core/client.js +12 -21
package/dist/core/metadata/encrypted-metadata.d.ts +8 -0
package/dist/core/metadata/encrypted-metadata.d.ts.map +1 -0
package/dist/core/metadata/encrypted-metadata.js +69 -0
package/dist/core/metadata/kms-metadata.d.ts +36 -0
package/dist/core/metadata/kms-metadata.d.ts.map +1 -0
package/dist/core/metadata/kms-metadata.js +156 -0
package/dist/core/{encrypted-metadata.d.ts → metadata/lit-metadata.d.ts} +11 -11
package/dist/core/metadata/lit-metadata.d.ts.map +1 -0
package/dist/core/{encrypted-metadata.js → metadata/lit-metadata.js} +32 -42
package/dist/crypto/adapters/kms-crypto-adapter.d.ts +148 -0
package/dist/crypto/adapters/kms-crypto-adapter.d.ts.map +1 -0
package/dist/crypto/adapters/kms-crypto-adapter.js +321 -0
package/dist/crypto/adapters/lit-crypto-adapter.d.ts +96 -0
package/dist/crypto/adapters/lit-crypto-adapter.d.ts.map +1 -0
package/dist/crypto/adapters/lit-crypto-adapter.js +210 -0
package/dist/crypto/factories.browser.d.ts +20 -0
package/dist/crypto/factories.browser.d.ts.map +1 -0
package/dist/crypto/factories.browser.js +28 -0
package/dist/crypto/factories.node.d.ts +26 -0
package/dist/crypto/factories.node.d.ts.map +1 -0
package/dist/crypto/factories.node.js +38 -0
package/dist/crypto/index.d.ts +5 -0
package/dist/crypto/index.d.ts.map +1 -0
package/dist/crypto/index.js +7 -0
package/dist/crypto/symmetric/generic-aes-ctr-streaming-crypto.d.ts +76 -0
package/dist/crypto/symmetric/generic-aes-ctr-streaming-crypto.d.ts.map +1 -0
package/dist/crypto/symmetric/generic-aes-ctr-streaming-crypto.js +177 -0
package/dist/crypto/symmetric/node-aes-cbc-crypto.d.ts +43 -0
package/dist/crypto/symmetric/node-aes-cbc-crypto.d.ts.map +1 -0
package/dist/crypto/symmetric/node-aes-cbc-crypto.js +110 -0
package/dist/handlers/decrypt-handler.d.ts +9 -4
package/dist/handlers/decrypt-handler.d.ts.map +1 -1
package/dist/handlers/decrypt-handler.js +62 -93
package/dist/handlers/encrypt-handler.d.ts +1 -1
package/dist/handlers/encrypt-handler.d.ts.map +1 -1
package/dist/handlers/encrypt-handler.js +31 -41
package/dist/protocols/lit.d.ts +1 -3
package/dist/protocols/lit.d.ts.map +1 -1
package/dist/types.d.ts +135 -20
package/dist/types.d.ts.map +1 -1
package/package.json +27 -18
package/dist/core/encrypted-metadata.d.ts.map +0 -1
package/dist/crypto-adapters/browser-crypto-adapter.d.ts +0 -42
package/dist/crypto-adapters/browser-crypto-adapter.d.ts.map +0 -1
package/dist/crypto-adapters/browser-crypto-adapter.js +0 -109
package/dist/crypto-adapters/node-crypto-adapter.d.ts +0 -17
package/dist/crypto-adapters/node-crypto-adapter.d.ts.map +0 -1
package/dist/crypto-adapters/node-crypto-adapter.js +0 -66

package/dist/crypto/adapters/kms-crypto-adapter.d.ts ADDED Viewed

@@ -0,0 +1,148 @@
+/**
+ * KMSCryptoAdapter implements the complete CryptoAdapter interface using KMS.
+ * It uses composition with a SymmetricCrypto implementation for file encryption/decryption
+ * and KMS via private gateway for key management operations.
+ *
+ * @class
+ * @implements {Type.CryptoAdapter}
+ */
+export class KMSCryptoAdapter implements Type.CryptoAdapter {
+    /**
+     * Create a new KMS crypto adapter
+     *
+     * @param {Type.SymmetricCrypto} symmetricCrypto - The symmetric crypto implementation (browser or node)
+     * @param {URL|string} keyManagerServiceURL - The key manager service URL
+     * @param {`did:${string}:${string}`} keyManagerServiceDID - The key manager service DID
+     * @param {object} [options] - Optional configuration
+     * @param {boolean} [options.allowInsecureHttp] - Allow HTTP for testing (NOT for production)
+     */
+    constructor(symmetricCrypto: Type.SymmetricCrypto, keyManagerServiceURL: URL | string, keyManagerServiceDID: `did:${string}:${string}`, options?: {
+        allowInsecureHttp?: boolean | undefined;
+    });
+    symmetricCrypto: Type.SymmetricCrypto;
+    keyManagerServiceURL: URL;
+    keyManagerServiceDID: import("@ucanto/client").PrincipalView<`did:${string}:${string}`>;
+    /**
+     * Encrypt a stream of data using the symmetric crypto
+     *
+     * @param {Type.BlobLike} data
+     */
+    encryptStream(data: Type.BlobLike): Promise<Type.EncryptOutput>;
+    /**
+     * Decrypt a stream of data using the symmetric crypto
+     *
+     * @param {ReadableStream} encryptedData
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     */
+    decryptStream(encryptedData: ReadableStream, key: Uint8Array, iv: Uint8Array): Promise<ReadableStream<any>>;
+    /**
+     * Encrypt a symmetric key using the KMS
+     *
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     * @param {Type.EncryptionConfig} encryptionConfig
+     * @returns {Promise<Type.EncryptedKeyResult>}
+     */
+    encryptSymmetricKey(key: Uint8Array, iv: Uint8Array, encryptionConfig: Type.EncryptionConfig): Promise<Type.EncryptedKeyResult>;
+    /**
+     * @param {string} encryptedKey
+     * @param {object} configs
+     * @param {Type.DecryptionOptions} configs.decryptionOptions
+     * @param {Type.ExtractedMetadata} configs.metadata
+     * @param {Uint8Array} configs.delegationCAR
+     * @param {Type.AnyLink} configs.resourceCID
+     * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} configs.issuer
+     * @param {import('@storacha/client/types').DID} configs.audience
+     */
+    decryptSymmetricKey(encryptedKey: string, configs: {
+        decryptionOptions: Type.DecryptionOptions;
+        metadata: Type.ExtractedMetadata;
+        delegationCAR: Uint8Array;
+        resourceCID: Type.AnyLink;
+        issuer: import("@storacha/client/types").Signer<import("@storacha/client/types").DID, import("@storacha/client/types").SigAlg>;
+        audience: import("@storacha/client/types").DID;
+    }): Promise<{
+        key: Uint8Array;
+        iv: Uint8Array;
+    }>;
+    /**
+     * Get decrypted symmetric key in base64 string from KMS via private gateway
+     *
+     * @param {string} encryptedSymmetricKey - The encrypted symmetric key (base64-encoded)
+     * @param {Type.SpaceDID} spaceDID - The space DID
+     * @param {import('@ucanto/interface').Proof} delegationProof - The delegation proof
+     * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} issuer - The issuer
+     * @returns {Promise<{decryptedSymmetricKey: string}>} - The decrypted symmetric key (base64-encoded)
+     */
+    getDecryptedSymmetricKey(encryptedSymmetricKey: string, spaceDID: Type.SpaceDID, delegationProof: import("@ucanto/interface").Proof, issuer: import("@storacha/client/types").Signer<import("@storacha/client/types").DID, import("@storacha/client/types").SigAlg>): Promise<{
+        decryptedSymmetricKey: string;
+    }>;
+    /**
+     * Extract the encrypted metadata from the CAR file
+     * KMS adapter only handles KMS format (encrypted-metadata@0.2)
+     *
+     * @param {Uint8Array} car
+     * @returns {Type.ExtractedMetadata}
+     */
+    extractEncryptedMetadata(car: Uint8Array): Type.ExtractedMetadata;
+    /**
+     * @param {Type.ExtractedMetadata} metadata
+     * @returns {string}
+     */
+    getEncryptedKey(metadata: Type.ExtractedMetadata): string;
+    /**
+     * Encode metadata for upload
+     *
+     * @param {string} encryptedDataCID - The CID of the encrypted data
+     * @param {string} encryptedKey - The encrypted key
+     * @param {Type.KMSKeyMetadata} metadata - The metadata to encode
+     * @returns {Promise<{ cid: import('@storacha/upload-client/types').AnyLink, bytes: Uint8Array }>} - The encoded metadata
+     */
+    encodeMetadata(encryptedDataCID: string, encryptedKey: string, metadata: Type.KMSKeyMetadata): Promise<{
+        cid: import("@storacha/upload-client/types").AnyLink;
+        bytes: Uint8Array;
+    }>;
+    /**
+     * Get the RSA public key from the space/encryption/setup
+     *
+     * @param {Type.EncryptionConfig} encryptionConfig
+     * @returns {Promise<{ publicKey: string, provider: string, algorithm: string }>}
+     */
+    getSpacePublicKey(encryptionConfig: Type.EncryptionConfig): Promise<{
+        publicKey: string;
+        provider: string;
+        algorithm: string;
+    }>;
+    /**
+     * Get the Web Crypto API SubtleCrypto interface (universal compatibility)
+     *
+     * @returns {SubtleCrypto} - The SubtleCrypto interface
+     */
+    getSubtleCrypto(): SubtleCrypto;
+    /**
+     * Encrypt data with RSA-OAEP using the public key
+     *
+     * @param {Uint8Array} dataToEncrypt
+     * @param {string} publicKeyPem
+     * @returns {Promise<Uint8Array>}
+     */
+    encryptWithRSA(dataToEncrypt: Uint8Array, publicKeyPem: string): Promise<Uint8Array>;
+    /**
+     * Convert PEM-encoded public key to ArrayBuffer for Web Crypto API
+     *
+     * @param {string} pem - PEM-encoded public key string
+     * @returns {ArrayBuffer} - DER-encoded key data for crypto.subtle.importKey()
+     */
+    pemToArrayBuffer(pem: string): ArrayBuffer;
+    newKeyManagerServiceConnection(): import("@ucanto/interface").ConnectionView<any>;
+    /**
+     * Sanitize the space DID for the KMS key ID
+     *
+     * @param {Type.SpaceDID} spaceDID
+     * @returns {string}
+     */
+    sanitizeSpaceDIDForKMSKeyId(spaceDID: Type.SpaceDID): string;
+}
+import * as Type from '../../types.js';
+//# sourceMappingURL=kms-crypto-adapter.d.ts.map

package/dist/crypto/adapters/kms-crypto-adapter.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"kms-crypto-adapter.d.ts","sourceRoot":"","sources":["../../../src/crypto/adapters/kms-crypto-adapter.js"],"names":[],"mappings":"AAWA;;;;;;;GAOG;AACH,yCAFgB,IAAI,CAAC,aAAa;IAGhC;;;;;;;;OAQG;IACH,6BANW,IAAI,CAAC,eAAe,wBACpB,GAAG,GAAC,MAAM,wBACV,OAAO,MAAM,IAAI,MAAM,EAAE,YAEjC;QAA0B,iBAAiB;KAC7C,EA0BA;IAnBC,sCAAsC;IAiBtC,0BAA+B;IAC/B,wFAA2D;IAG7D;;;;OAIG;IACH,oBAFW,IAAI,CAAC,QAAQ,+BAIvB;IAED;;;;;;OAMG;IACH,6BAJW,cAAc,OACd,UAAU,MACV,UAAU,gCAIpB;IAED;;;;;;;OAOG;IACH,yBALW,UAAU,MACV,UAAU,oBACV,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CA4B5C;IAED;;;;;;;;;OASG;IACH,kCATW,MAAM,WAEd;QAAwC,iBAAiB,EAAjD,IAAI,CAAC,iBAAiB;QACU,QAAQ,EAAxC,IAAI,CAAC,iBAAiB;QACF,aAAa,EAAjC,UAAU;QACY,WAAW,EAAjC,IAAI,CAAC,OAAO;QACoH,MAAM,EAAtI,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC;QACxE,QAAQ,EAAtD,OAAO,wBAAwB,EAAE,GAAG;KAC9C;;;OA4BA;IAED;;;;;;;;OAQG;IACH,gDANW,MAAM,YACN,IAAI,CAAC,QAAQ,mBACb,OAAO,mBAAmB,EAAE,KAAK,UACjC,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC,GACpH,OAAO,CAAC;QAAC,qBAAqB,EAAE,MAAM,CAAA;KAAC,CAAC,CA4BpD;IAED;;;;;;OAMG;IACH,8BAHW,UAAU,GACR,IAAI,CAAC,iBAAiB,CAiClC;IAED;;;OAGG;IACH,0BAHW,IAAI,CAAC,iBAAiB,GACpB,MAAM,CASlB;IAED;;;;;;;OAOG;IACH,iCALW,MAAM,gBACN,MAAM,YACN,IAAI,CAAC,cAAc,GACjB,OAAO,CAAC;QAAE,GAAG,EAAE,OAAO,+BAA+B,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC,CAoBhG;IAED;;;;;OAKG;IACH,oCAHW,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAyB/E;IAED;;;;OAIG;IACH,mBAFa,YAAY,CAWxB;IAED;;;;;;OAMG;IACH,8BAJW,UAAU,gBACV,MAAM,GACJ,OAAO,CAAC,UAAU,CAAC,CAyB/B;IAED;;;;;OAKG;IACH,sBAHW,MAAM,GACJ,WAAW,CA6BvB;IAED,kFASC;IAED;;;;;OAKG;IACH,sCAHW,IAAI,CAAC,QAAQ,GACX,MAAM,CAIlB;CACF;sBAhZqB,gBAAgB"}

package/dist/crypto/adapters/kms-crypto-adapter.js ADDED Viewed

@@ -0,0 +1,321 @@
+import { connect } from '@ucanto/client';
+import { CAR, HTTP } from '@ucanto/transport';
+import { base64 } from 'multiformats/bases/base64';
+import * as Type from '../../types.js';
+import { EncryptionSetup, EncryptionKeyDecrypt, } from '@storacha/capabilities/space';
+import { KMSMetadata } from '../../core/metadata/encrypted-metadata.js';
+import * as DID from '@ipld/dag-ucan/did';
+/**
+ * KMSCryptoAdapter implements the complete CryptoAdapter interface using KMS.
+ * It uses composition with a SymmetricCrypto implementation for file encryption/decryption
+ * and KMS via private gateway for key management operations.
+ *
+ * @class
+ * @implements {Type.CryptoAdapter}
+ */
+export class KMSCryptoAdapter {
+    /**
+     * Create a new KMS crypto adapter
+     *
+     * @param {Type.SymmetricCrypto} symmetricCrypto - The symmetric crypto implementation (browser or node)
+     * @param {URL|string} keyManagerServiceURL - The key manager service URL
+     * @param {`did:${string}:${string}`} keyManagerServiceDID - The key manager service DID
+     * @param {object} [options] - Optional configuration
+     * @param {boolean} [options.allowInsecureHttp] - Allow HTTP for testing (NOT for production)
+     */
+    constructor(symmetricCrypto, keyManagerServiceURL, keyManagerServiceDID, options = {}) {
+        this.symmetricCrypto = symmetricCrypto;
+        // SECURITY: Enforce HTTPS protocol for key manager service communications (P1.1)
+        const url = keyManagerServiceURL instanceof URL
+            ? keyManagerServiceURL
+            : new URL(keyManagerServiceURL);
+        const { allowInsecureHttp = false } = options;
+        if (url.protocol !== 'https:' && !allowInsecureHttp) {
+            throw new Error(`Key manager service must use HTTPS protocol for security. Received: ${url.protocol}. ` +
+                `Please update the service URL to use HTTPS (e.g., https://your-key-manager-service.com). ` +
+                `For testing only, you can pass { allowInsecureHttp: true } as the fourth parameter.`);
+        }
+        this.keyManagerServiceURL = url;
+        this.keyManagerServiceDID = DID.parse(keyManagerServiceDID);
+    }
+    /**
+     * Encrypt a stream of data using the symmetric crypto
+     *
+     * @param {Type.BlobLike} data
+     */
+    async encryptStream(data) {
+        return this.symmetricCrypto.encryptStream(data);
+    }
+    /**
+     * Decrypt a stream of data using the symmetric crypto
+     *
+     * @param {ReadableStream} encryptedData
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     */
+    async decryptStream(encryptedData, key, iv) {
+        return this.symmetricCrypto.decryptStream(encryptedData, key, iv);
+    }
+    /**
+     * Encrypt a symmetric key using the KMS
+     *
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     * @param {Type.EncryptionConfig} encryptionConfig
+     * @returns {Promise<Type.EncryptedKeyResult>}
+     */
+    async encryptSymmetricKey(key, iv, encryptionConfig) {
+        // Step 1: Combine key and IV to encrypt a single string
+        const combinedKeyAndIV = this.symmetricCrypto.combineKeyAndIV(key, iv);
+        // Step 2: Get RSA public key from space/encryption/setup
+        const setupResponse = await this.getSpacePublicKey(encryptionConfig);
+        // Step 3: Encrypt with RSA-OAEP
+        const encryptedKey = await this.encryptWithRSA(combinedKeyAndIV, setupResponse.publicKey);
+        // Step 4: Return the encrypted key and metadata
+        return {
+            strategy: 'kms',
+            encryptedKey: base64.encode(encryptedKey), // base64-encoded for transport/storage
+            metadata: {
+                space: encryptionConfig.spaceDID,
+                kms: {
+                    provider: setupResponse.provider,
+                    keyId: this.sanitizeSpaceDIDForKMSKeyId(encryptionConfig.spaceDID),
+                    algorithm: setupResponse.algorithm,
+                },
+            },
+        };
+    }
+    /**
+     * @param {string} encryptedKey
+     * @param {object} configs
+     * @param {Type.DecryptionOptions} configs.decryptionOptions
+     * @param {Type.ExtractedMetadata} configs.metadata
+     * @param {Uint8Array} configs.delegationCAR
+     * @param {Type.AnyLink} configs.resourceCID
+     * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} configs.issuer
+     * @param {import('@storacha/client/types').DID} configs.audience
+     */
+    async decryptSymmetricKey(encryptedKey, configs) {
+        // Step 1: Validate configs
+        const { decryptionOptions, metadata, issuer } = configs;
+        if (metadata.strategy !== 'kms') {
+            throw new Error('KMSCryptoAdapter can only handle KMS metadata');
+        }
+        const { spaceDID, delegationProof } = decryptionOptions;
+        if (!spaceDID || !delegationProof) {
+            throw new Error('SpaceDID and delegationProof are required');
+        }
+        if (!issuer) {
+            throw new Error('Issuer is required');
+        }
+        // Step 2: Get the decrypted key from KMS via gateway
+        const { decryptedSymmetricKey } = await this.getDecryptedSymmetricKey(encryptedKey, spaceDID, delegationProof, issuer);
+        // Step 3: Decode and split the combined key and IV
+        const combinedKeyAndIV = base64.decode(decryptedSymmetricKey);
+        return this.symmetricCrypto.splitKeyAndIV(combinedKeyAndIV);
+    }
+    /**
+     * Get decrypted symmetric key in base64 string from KMS via private gateway
+     *
+     * @param {string} encryptedSymmetricKey - The encrypted symmetric key (base64-encoded)
+     * @param {Type.SpaceDID} spaceDID - The space DID
+     * @param {import('@ucanto/interface').Proof} delegationProof - The delegation proof
+     * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} issuer - The issuer
+     * @returns {Promise<{decryptedSymmetricKey: string}>} - The decrypted symmetric key (base64-encoded)
+     */
+    async getDecryptedSymmetricKey(encryptedSymmetricKey, spaceDID, delegationProof, issuer) {
+        // Step 1: Invoke the KeyDecrypt capability passing the decryption proof
+        const result = await EncryptionKeyDecrypt.invoke({
+            issuer,
+            audience: this.keyManagerServiceDID,
+            with: spaceDID,
+            nb: {
+                key: base64.decode(encryptedSymmetricKey), // Convert base64 string to bytes
+            },
+            proofs: [delegationProof],
+        }).execute(this.newKeyManagerServiceConnection());
+        // Step 2: Handle the result
+        if (result.out.error) {
+            throw new Error(`KMS decryption failed: ${JSON.stringify(result.out.error)}`);
+        }
+        // Step 3: Return the base64-encoded decrypted key from the gateway response
+        return /** @type {{decryptedSymmetricKey: string}} */ (result.out.ok);
+    }
+    /**
+     * Extract the encrypted metadata from the CAR file
+     * KMS adapter only handles KMS format (encrypted-metadata@0.2)
+     *
+     * @param {Uint8Array} car
+     * @returns {Type.ExtractedMetadata}
+     */
+    extractEncryptedMetadata(car) {
+        const kmsContentResult = KMSMetadata.extract(car);
+        if (kmsContentResult.error) {
+            throw kmsContentResult.error;
+        }
+        const kmsContent = kmsContentResult.ok.toJSON();
+        // Validate it's KMS format
+        if (!kmsContent.encryptedSymmetricKey ||
+            !kmsContent.space ||
+            !kmsContent.kms) {
+            throw new Error('Invalid KMS metadata format - missing encryptedSymmetricKey, space, or kms fields');
+        }
+        // Return with strategy identifier
+        return {
+            strategy: 'kms',
+            encryptedDataCID: kmsContent.encryptedDataCID,
+            encryptedSymmetricKey: kmsContent.encryptedSymmetricKey,
+            space: /** @type {Type.SpaceDID} */ (kmsContent.space),
+            kms: {
+                provider: kmsContent.kms.provider,
+                keyId: kmsContent.kms.keyId,
+                algorithm: kmsContent.kms.algorithm,
+            },
+        };
+    }
+    /**
+     * @param {Type.ExtractedMetadata} metadata
+     * @returns {string}
+     */
+    getEncryptedKey(metadata) {
+        // For KMS metadata, we need to handle the different structure
+        if (metadata.strategy === 'kms') {
+            return /** @type {Type.KMSExtractedMetadata} */ (metadata)
+                .encryptedSymmetricKey;
+        }
+        throw new Error('KMSCryptoAdapter can only handle KMS metadata');
+    }
+    /**
+     * Encode metadata for upload
+     *
+     * @param {string} encryptedDataCID - The CID of the encrypted data
+     * @param {string} encryptedKey - The encrypted key
+     * @param {Type.KMSKeyMetadata} metadata - The metadata to encode
+     * @returns {Promise<{ cid: import('@storacha/upload-client/types').AnyLink, bytes: Uint8Array }>} - The encoded metadata
+     */
+    async encodeMetadata(encryptedDataCID, encryptedKey, metadata) {
+        const kmsKeyMetadata =
+        /** @type {import('../../types.js').KMSKeyMetadata} */ (metadata);
+        /** @type {Type.KMSMetadataInput} */
+        const uploadData = {
+            encryptedDataCID,
+            encryptedSymmetricKey: encryptedKey,
+            space: kmsKeyMetadata.space,
+            kms: {
+                provider: kmsKeyMetadata.kms.provider,
+                keyId: kmsKeyMetadata.kms.keyId,
+                algorithm: kmsKeyMetadata.kms.algorithm,
+            },
+        };
+        const kmsMetadata = KMSMetadata.create(uploadData);
+        return await kmsMetadata.archiveBlock();
+    }
+    /**
+     * Get the RSA public key from the space/encryption/setup
+     *
+     * @param {Type.EncryptionConfig} encryptionConfig
+     * @returns {Promise<{ publicKey: string, provider: string, algorithm: string }>}
+     */
+    async getSpacePublicKey(encryptionConfig) {
+        // Step 1: Invoke the EncryptionSetup capability
+        const setupResult = await EncryptionSetup.invoke({
+            issuer: encryptionConfig.issuer,
+            audience: this.keyManagerServiceDID,
+            with: encryptionConfig.spaceDID,
+            nb: {
+                location: encryptionConfig.location,
+                keyring: encryptionConfig.keyring,
+            },
+        }).execute(this.newKeyManagerServiceConnection());
+        // Step 2: Handle the result
+        if (setupResult.out.error) {
+            throw new Error(`Failed to get public key: ${JSON.stringify(setupResult.out.error)}`);
+        }
+        // Step 3: Return the public key and key reference
+        return /** @type {{ publicKey: string, provider: string, algorithm: string }} */ (setupResult.out.ok);
+    }
+    /**
+     * Get the Web Crypto API SubtleCrypto interface (universal compatibility)
+     *
+     * @returns {SubtleCrypto} - The SubtleCrypto interface
+     */
+    getSubtleCrypto() {
+        // Web Crypto API is available in modern browsers (secure contexts) and Node.js 16+
+        if (globalThis.crypto?.subtle) {
+            return globalThis.crypto.subtle;
+        }
+        throw new Error('Web Crypto API (SubtleCrypto) not available. Ensure you are running in a secure context (HTTPS) or Node.js 16+.');
+    }
+    /**
+     * Encrypt data with RSA-OAEP using the public key
+     *
+     * @param {Uint8Array} dataToEncrypt
+     * @param {string} publicKeyPem
+     * @returns {Promise<Uint8Array>}
+     */
+    async encryptWithRSA(dataToEncrypt, publicKeyPem) {
+        const subtle = this.getSubtleCrypto();
+        // Step 1. Import the PEM public key
+        const publicKey = await subtle.importKey('spki', this.pemToArrayBuffer(publicKeyPem), {
+            name: 'RSA-OAEP',
+            hash: 'SHA-256',
+        }, false, ['encrypt']);
+        // Step 2. Encrypt the raw data directly
+        const encrypted = await subtle.encrypt({ name: 'RSA-OAEP' }, publicKey, dataToEncrypt);
+        return new Uint8Array(encrypted);
+    }
+    /**
+     * Convert PEM-encoded public key to ArrayBuffer for Web Crypto API
+     *
+     * @param {string} pem - PEM-encoded public key string
+     * @returns {ArrayBuffer} - DER-encoded key data for crypto.subtle.importKey()
+     */
+    pemToArrayBuffer(pem) {
+        // Strip PEM headers, footers, and whitespace to get base64 DER data
+        const base64String = pem
+            .replace('-----BEGIN PUBLIC KEY-----', '')
+            .replace('-----END PUBLIC KEY-----', '')
+            .replace(/\s/g, '');
+        // For Node.js environment, use Buffer for standard base64 decoding
+        if (typeof Buffer !== 'undefined') {
+            return Buffer.from(base64String, 'base64');
+        }
+        // For browser environment, use atob for standard base64 decoding
+        let binaryString;
+        if (typeof globalThis !== 'undefined' && globalThis.atob) {
+            binaryString = globalThis.atob(base64String);
+        }
+        else if (typeof Buffer !== 'undefined') {
+            // @ts-ignore - Buffer exists in Node.js environment
+            binaryString = Buffer.from(base64String, 'base64').toString('binary');
+        }
+        else {
+            throw new Error('Neither atob nor Buffer available for base64 decoding');
+        }
+        const bytes = new Uint8Array(binaryString.length);
+        for (let i = 0; i < binaryString.length; i++) {
+            bytes[i] = binaryString.charCodeAt(i);
+        }
+        return bytes;
+    }
+    newKeyManagerServiceConnection() {
+        return connect({
+            id: this.keyManagerServiceDID,
+            codec: CAR.outbound,
+            channel: HTTP.open({
+                url: this.keyManagerServiceURL,
+                method: 'POST',
+            }),
+        });
+    }
+    /**
+     * Sanitize the space DID for the KMS key ID
+     *
+     * @param {Type.SpaceDID} spaceDID
+     * @returns {string}
+     */
+    sanitizeSpaceDIDForKMSKeyId(spaceDID) {
+        return spaceDID.replace(/^did:key:/, '');
+    }
+}
+//# sourceMappingURL=kms-crypto-adapter.js.map

package/dist/crypto/adapters/lit-crypto-adapter.d.ts ADDED Viewed

@@ -0,0 +1,96 @@
+/**
+ * LitCryptoAdapter implements the complete CryptoAdapter interface using Lit Protocol.
+ * It uses composition with a SymmetricCrypto implementation for file encryption/decryption
+ * and Lit Protocol for key management operations.
+ *
+ * @class
+ * @implements {Type.CryptoAdapter}
+ */
+export class LitCryptoAdapter implements Type.CryptoAdapter {
+    /**
+     * Create a new Lit crypto adapter
+     *
+     * @param {Type.SymmetricCrypto} symmetricCrypto - The symmetric crypto implementation (browser or node)
+     * @param {import('@lit-protocol/lit-node-client').LitNodeClient} litClient - The Lit client instance
+     */
+    constructor(symmetricCrypto: Type.SymmetricCrypto, litClient: import("@lit-protocol/lit-node-client").LitNodeClient);
+    symmetricCrypto: Type.SymmetricCrypto;
+    litClient: import("@lit-protocol/lit-node-client").LitNodeClient;
+    /**
+     * Encrypt a stream of data using the symmetric crypto implementation
+     *
+     * @param {Type.BlobLike} data - The data to encrypt
+     * @returns {Promise<Type.EncryptOutput>} - The encrypted data
+     */
+    encryptStream(data: Type.BlobLike): Promise<Type.EncryptOutput>;
+    /**
+     * Decrypt a stream of data using the symmetric crypto implementation
+     *
+     * @param {ReadableStream} encryptedData - The encrypted data to decrypt
+     * @param {Uint8Array} key - The key to use for decryption
+     * @param {Uint8Array} iv - The initialization vector to use for decryption
+     * @returns {Promise<ReadableStream>} - The decrypted data
+     */
+    decryptStream(encryptedData: ReadableStream, key: Uint8Array, iv: Uint8Array): Promise<ReadableStream>;
+    /**
+     * Encrypt a symmetric key using the Lit crypto adapter
+     *
+     * @param {Uint8Array} key - The symmetric key to encrypt
+     * @param {Uint8Array} iv - The initialization vector to encrypt
+     * @param {Type.EncryptionConfig} encryptionConfig - The encryption configuration
+     * @returns {Promise<Type.EncryptedKeyResult>} - The encrypted key result
+     */
+    encryptSymmetricKey(key: Uint8Array, iv: Uint8Array, encryptionConfig: Type.EncryptionConfig): Promise<Type.EncryptedKeyResult>;
+    /**
+     * Decrypt a symmetric key using the Lit crypto adapter
+     *
+     * @param {string} encryptedKey - The encrypted key to decrypt
+     * @param {object} configs - The decryption configuration
+     * @param {Type.DecryptionOptions} configs.decryptionOptions - The decryption options
+     * @param {Type.ExtractedMetadata} configs.metadata - The extracted metadata
+     * @param {Uint8Array} configs.delegationCAR - The delegation CAR
+     * @param {Type.AnyLink} configs.resourceCID - The resource CID
+     * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} configs.issuer - The issuer
+     * @param {import('@storacha/client/types').DID} configs.audience - The audience
+     * @returns {Promise<{ key: Uint8Array, iv: Uint8Array }>} - The decrypted key and IV
+     */
+    decryptSymmetricKey(encryptedKey: string, configs: {
+        decryptionOptions: Type.DecryptionOptions;
+        metadata: Type.ExtractedMetadata;
+        delegationCAR: Uint8Array;
+        resourceCID: Type.AnyLink;
+        issuer: import("@storacha/client/types").Signer<import("@storacha/client/types").DID, import("@storacha/client/types").SigAlg>;
+        audience: import("@storacha/client/types").DID;
+    }): Promise<{
+        key: Uint8Array;
+        iv: Uint8Array;
+    }>;
+    /**
+     * Extract encrypted metadata from a CAR file
+     *
+     * @param {Uint8Array} car - The CAR file to extract metadata from
+     * @returns {Type.ExtractedMetadata} - The extracted metadata
+     */
+    extractEncryptedMetadata(car: Uint8Array): Type.ExtractedMetadata;
+    /**
+     * Get the encrypted key from the metadata
+     *
+     * @param {Type.ExtractedMetadata} metadata - The metadata to get the encrypted key from
+     * @returns {string} - The encrypted key
+     */
+    getEncryptedKey(metadata: Type.ExtractedMetadata): string;
+    /**
+     * Encode metadata for upload
+     *
+     * @param {string} encryptedDataCID - The CID of the encrypted data
+     * @param {string} encryptedKey - The encrypted key
+     * @param {Type.LitKeyMetadata} metadata - The metadata to encode
+     * @returns {Promise<{ cid: import('@storacha/upload-client/types').AnyLink, bytes: Uint8Array }>} - The encoded metadata
+     */
+    encodeMetadata(encryptedDataCID: string, encryptedKey: string, metadata: Type.LitKeyMetadata): Promise<{
+        cid: import("@storacha/upload-client/types").AnyLink;
+        bytes: Uint8Array;
+    }>;
+}
+import * as Type from '../../types.js';
+//# sourceMappingURL=lit-crypto-adapter.d.ts.map

package/dist/crypto/adapters/lit-crypto-adapter.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"lit-crypto-adapter.d.ts","sourceRoot":"","sources":["../../../src/crypto/adapters/lit-crypto-adapter.js"],"names":[],"mappings":"AAMA;;;;;;;GAOG;AACH,yCAFgB,IAAI,CAAC,aAAa;IAGhC;;;;;OAKG;IACH,6BAHW,IAAI,CAAC,eAAe,aACpB,OAAO,+BAA+B,EAAE,aAAa,EAK/D;IAFC,sCAAsC;IACtC,iEAA0B;IAG5B;;;;;OAKG;IACH,oBAHW,IAAI,CAAC,QAAQ,GACX,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAIvC;IAED;;;;;;;OAOG;IACH,6BALW,cAAc,OACd,UAAU,MACV,UAAU,GACR,OAAO,CAAC,cAAc,CAAC,CAInC;IAED;;;;;;;OAOG;IACH,yBALW,UAAU,MACV,UAAU,oBACV,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAgC5C;IAED;;;;;;;;;;;;OAYG;IACH,kCAVW,MAAM,WAEd;QAAwC,iBAAiB,EAAjD,IAAI,CAAC,iBAAiB;QACU,QAAQ,EAAxC,IAAI,CAAC,iBAAiB;QACF,aAAa,EAAjC,UAAU;QACY,WAAW,EAAjC,IAAI,CAAC,OAAO;QACoH,MAAM,EAAtI,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC;QACxE,QAAQ,EAAtD,OAAO,wBAAwB,EAAE,GAAG;KAC5C,GAAU,OAAO,CAAC;QAAE,GAAG,EAAE,UAAU,CAAC;QAAC,EAAE,EAAE,UAAU,CAAA;KAAE,CAAC,CAsFxD;IAED;;;;;OAKG;IACH,8BAHW,UAAU,GACR,IAAI,CAAC,iBAAiB,CA4BlC;IAED;;;;;OAKG;IACH,0BAHW,IAAI,CAAC,iBAAiB,GACpB,MAAM,CAOlB;IAED;;;;;;;OAOG;IACH,iCALW,MAAM,gBACN,MAAM,YACN,IAAI,CAAC,cAAc,GACjB,OAAO,CAAC;QAAE,GAAG,EAAE,OAAO,+BAA+B,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC,CAehG;CACF;sBA5PqB,gBAAgB"}