@storacha/encrypt-upload-client 1.1.58 → 1.1.60

package/dist/crypto/factories.node.js

@@ -1,7 +1,7 @@
-import { GenericAesCtrStreamingCrypto } from './symmetric/generic-aes-ctr-streaming-crypto.js'
-import { NodeAesCbcCrypto } from './symmetric/node-aes-cbc-crypto.js'
-import { LitCryptoAdapter } from './adapters/lit-crypto-adapter.js'
-import { KMSCryptoAdapter } from './adapters/kms-crypto-adapter.js'
+import { GenericAesCtrStreamingCrypto } from './symmetric/generic-aes-ctr-streaming-crypto.js';
+import { NodeAesCbcCrypto } from './symmetric/node-aes-cbc-crypto.js';
+import { LitCryptoAdapter } from './adapters/lit-crypto-adapter.js';
+import { KMSCryptoAdapter } from './adapters/kms-crypto-adapter.js';
 /**
  * Create a KMS crypto adapter for Node.js using the generic AES-CTR streaming crypto.
  * Works in Node.js & browser environments.
@@ -9,16 +9,10 @@ import { KMSCryptoAdapter } from './adapters/kms-crypto-adapter.js'
  * @param {URL|string} keyManagerServiceURL
  * @param {string} keyManagerServiceDID
  */
-export function createGenericKMSAdapter(
-  keyManagerServiceURL,
-  keyManagerServiceDID
-) {
-  const symmetricCrypto = new GenericAesCtrStreamingCrypto()
-  return new KMSCryptoAdapter(
-    symmetricCrypto,
-    keyManagerServiceURL,
-    /** @type {`did:${string}:${string}`} */ (keyManagerServiceDID)
-  )
+export function createGenericKMSAdapter(keyManagerServiceURL, keyManagerServiceDID) {
+    const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+    return new KMSCryptoAdapter(symmetricCrypto, keyManagerServiceURL, 
+    /** @type {`did:${string}:${string}`} */ (keyManagerServiceDID));
 }
 /**
  * Create a Lit crypto adapter for Node.js using AES-CBC (legacy).
@@ -28,8 +22,8 @@ export function createGenericKMSAdapter(
  * @param {import('@lit-protocol/lit-node-client').LitNodeClient} litClient
  */
 export function createNodeLitAdapter(litClient) {
-  const symmetricCrypto = new NodeAesCbcCrypto()
-  return new LitCryptoAdapter(symmetricCrypto, litClient)
+    const symmetricCrypto = new NodeAesCbcCrypto();
+    return new LitCryptoAdapter(symmetricCrypto, litClient);
 }
 /**
  * Create a Lit crypto adapter for Node.js using the generic AES-CTR streaming crypto.
@@ -38,7 +32,7 @@ export function createNodeLitAdapter(litClient) {
  * @param {import('@lit-protocol/lit-node-client').LitNodeClient} litClient
  */
 export function createGenericLitAdapter(litClient) {
-  const symmetricCrypto = new GenericAesCtrStreamingCrypto()
-  return new LitCryptoAdapter(symmetricCrypto, litClient)
+    const symmetricCrypto = new GenericAesCtrStreamingCrypto();
+    return new LitCryptoAdapter(symmetricCrypto, litClient);
 }
-//# sourceMappingURL=factories.node.js.map
+//# sourceMappingURL=factories.node.js.map

package/dist/crypto/index.d.ts

@@ -1,5 +1,5 @@
-export { GenericAesCtrStreamingCrypto } from './symmetric/generic-aes-ctr-streaming-crypto.js'
-export { NodeAesCbcCrypto } from './symmetric/node-aes-cbc-crypto.js'
-export { LitCryptoAdapter } from './adapters/lit-crypto-adapter.js'
-export { KMSCryptoAdapter } from './adapters/kms-crypto-adapter.js'
-//# sourceMappingURL=index.d.ts.map
+export { GenericAesCtrStreamingCrypto } from "./symmetric/generic-aes-ctr-streaming-crypto.js";
+export { NodeAesCbcCrypto } from "./symmetric/node-aes-cbc-crypto.js";
+export { LitCryptoAdapter } from "./adapters/lit-crypto-adapter.js";
+export { KMSCryptoAdapter } from "./adapters/kms-crypto-adapter.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/crypto/index.js

@@ -1,7 +1,7 @@
 // Symmetric crypto implementations (algorithm-specific)
-export { GenericAesCtrStreamingCrypto } from './symmetric/generic-aes-ctr-streaming-crypto.js'
-export { NodeAesCbcCrypto } from './symmetric/node-aes-cbc-crypto.js'
+export { GenericAesCtrStreamingCrypto } from './symmetric/generic-aes-ctr-streaming-crypto.js';
+export { NodeAesCbcCrypto } from './symmetric/node-aes-cbc-crypto.js';
 // Strategy adapters (composition-based)
-export { LitCryptoAdapter } from './adapters/lit-crypto-adapter.js'
-export { KMSCryptoAdapter } from './adapters/kms-crypto-adapter.js'
-//# sourceMappingURL=index.js.map
+export { LitCryptoAdapter } from './adapters/lit-crypto-adapter.js';
+export { KMSCryptoAdapter } from './adapters/kms-crypto-adapter.js';
+//# sourceMappingURL=index.js.map

package/dist/crypto/symmetric/generic-aes-ctr-streaming-crypto.d.ts

@@ -19,62 +19,58 @@
  * @implements {Type.SymmetricCrypto}
  */
 export class GenericAesCtrStreamingCrypto implements Type.SymmetricCrypto {
-  /**
-   * Generate a random AES key
-   *
-   * @returns {Promise<Uint8Array>} A random AES key
-   */
-  generateKey(): Promise<Uint8Array>
-  /**
-   * Properly increment AES-CTR counter with 128-bit arithmetic
-   *
-   * @param {Uint8Array} counter - The base counter (16 bytes)
-   * @param {number} increment - The value to add
-   * @returns {Uint8Array} - New counter with proper carry propagation
-   */
-  incrementCounter(counter: Uint8Array, increment: number): Uint8Array
-  /**
-   * Encrypt a stream of data using AES-CTR with TRUE streaming (no buffering).
-   *
-   * @param {Blob} data The data to encrypt.
-   * @returns {Promise<{ key: Uint8Array, iv: Uint8Array, encryptedStream: ReadableStream }>}
-   */
-  encryptStream(data: Blob): Promise<{
-    key: Uint8Array
-    iv: Uint8Array
-    encryptedStream: ReadableStream
-  }>
-  /**
-   * Decrypt a stream of data using AES-CTR with TRUE streaming (no buffering).
-   *
-   * @param {ReadableStream} encryptedData The encrypted data stream.
-   * @param {Uint8Array} key The encryption key.
-   * @param {Uint8Array} iv The initialization vector (counter).
-   * @returns {Promise<ReadableStream>} A stream of decrypted data.
-   */
-  decryptStream(
-    encryptedData: ReadableStream,
-    key: Uint8Array,
-    iv: Uint8Array
-  ): Promise<ReadableStream>
-  /**
-   * Combine key and IV into a single array for AES-CTR
-   *
-   * @param {Uint8Array} key - The AES key (KEY_LENGTH/8 bytes)
-   * @param {Uint8Array} iv - The AES-CTR IV (IV_LENGTH bytes)
-   * @returns {Uint8Array} Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
-   */
-  combineKeyAndIV(key: Uint8Array, iv: Uint8Array): Uint8Array
-  /**
-   * Split combined key and IV for AES-CTR
-   *
-   * @param {Uint8Array} combined - Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
-   * @returns {{ key: Uint8Array, iv: Uint8Array }} Separated key and IV
-   */
-  splitKeyAndIV(combined: Uint8Array): {
-    key: Uint8Array
-    iv: Uint8Array
-  }
+    /**
+     * Generate a random AES key
+     *
+     * @returns {Promise<Uint8Array>} A random AES key
+     */
+    generateKey(): Promise<Uint8Array>;
+    /**
+     * Properly increment AES-CTR counter with 128-bit arithmetic
+     *
+     * @param {Uint8Array} counter - The base counter (16 bytes)
+     * @param {number} increment - The value to add
+     * @returns {Uint8Array} - New counter with proper carry propagation
+     */
+    incrementCounter(counter: Uint8Array, increment: number): Uint8Array;
+    /**
+     * Encrypt a stream of data using AES-CTR with TRUE streaming (no buffering).
+     *
+     * @param {Blob} data The data to encrypt.
+     * @returns {Promise<{ key: Uint8Array, iv: Uint8Array, encryptedStream: ReadableStream }>}
+     */
+    encryptStream(data: Blob): Promise<{
+        key: Uint8Array;
+        iv: Uint8Array;
+        encryptedStream: ReadableStream;
+    }>;
+    /**
+     * Decrypt a stream of data using AES-CTR with TRUE streaming (no buffering).
+     *
+     * @param {ReadableStream} encryptedData The encrypted data stream.
+     * @param {Uint8Array} key The encryption key.
+     * @param {Uint8Array} iv The initialization vector (counter).
+     * @returns {Promise<ReadableStream>} A stream of decrypted data.
+     */
+    decryptStream(encryptedData: ReadableStream, key: Uint8Array, iv: Uint8Array): Promise<ReadableStream>;
+    /**
+     * Combine key and IV into a single array for AES-CTR
+     *
+     * @param {Uint8Array} key - The AES key (KEY_LENGTH/8 bytes)
+     * @param {Uint8Array} iv - The AES-CTR IV (IV_LENGTH bytes)
+     * @returns {Uint8Array} Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
+     */
+    combineKeyAndIV(key: Uint8Array, iv: Uint8Array): Uint8Array;
+    /**
+     * Split combined key and IV for AES-CTR
+     *
+     * @param {Uint8Array} combined - Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
+     * @returns {{ key: Uint8Array, iv: Uint8Array }} Separated key and IV
+     */
+    splitKeyAndIV(combined: Uint8Array): {
+        key: Uint8Array;
+        iv: Uint8Array;
+    };
 }
-import * as Type from '../../types.js'
-//# sourceMappingURL=generic-aes-ctr-streaming-crypto.d.ts.map
+import * as Type from '../../types.js';
+//# sourceMappingURL=generic-aes-ctr-streaming-crypto.d.ts.map

package/dist/crypto/symmetric/generic-aes-ctr-streaming-crypto.js

@@ -1,8 +1,8 @@
-import * as Type from '../../types.js'
-const ENCRYPTION_ALGORITHM = 'AES-CTR'
-const KEY_LENGTH = 256 // bits
-const IV_LENGTH = 16 // bytes (128 bits, used as counter)
-const COUNTER_LENGTH = 64 // bits (Web Crypto API default for AES-CTR)
+import * as Type from '../../types.js';
+const ENCRYPTION_ALGORITHM = 'AES-CTR';
+const KEY_LENGTH = 256; // bits
+const IV_LENGTH = 16; // bytes (128 bits, used as counter)
+const COUNTER_LENGTH = 64; // bits (Web Crypto API default for AES-CTR)
 /**
  * GenericAesCtrStreamingCrypto implements TRUE streaming AES-CTR encryption for any JavaScript environment.
  *
@@ -24,181 +24,153 @@ const COUNTER_LENGTH = 64 // bits (Web Crypto API default for AES-CTR)
  * @implements {Type.SymmetricCrypto}
  */
 export class GenericAesCtrStreamingCrypto {
-  constructor() {
-    if (typeof globalThis.crypto === 'undefined') {
-      throw new Error('Web Crypto API is not available.')
-    }
-  }
-  /**
-   * Generate a random AES key
-   *
-   * @returns {Promise<Uint8Array>} A random AES key
-   */
-  async generateKey() {
-    return globalThis.crypto.getRandomValues(new Uint8Array(KEY_LENGTH / 8))
-  }
-  /**
-   * Properly increment AES-CTR counter with 128-bit arithmetic
-   *
-   * @param {Uint8Array} counter - The base counter (16 bytes)
-   * @param {number} increment - The value to add
-   * @returns {Uint8Array} - New counter with proper carry propagation
-   */
-  incrementCounter(counter, increment) {
-    const result = new Uint8Array(counter)
-    let carry = increment
-    // Implement proper 128-bit arithmetic with carry propagation
-    // Start from the least significant byte (rightmost) and propagate carry
-    for (let i = result.length - 1; i >= 0 && carry > 0; i--) {
-      const sum = result[i] + carry
-      result[i] = sum & 0xff // Keep only the low 8 bits
-      carry = sum >> 8 // Carry the high bits to next position
+    constructor() {
+        if (typeof globalThis.crypto === 'undefined') {
+            throw new Error('Web Crypto API is not available.');
+        }
     }
-    // Check for counter overflow (extremely unlikely with 128-bit counter)
-    if (carry > 0) {
-      throw new Error(
-        'Counter overflow: exceeded 128-bit limit. This should never happen in practice.'
-      )
+    /**
+     * Generate a random AES key
+     *
+     * @returns {Promise<Uint8Array>} A random AES key
+     */
+    async generateKey() {
+        return globalThis.crypto.getRandomValues(new Uint8Array(KEY_LENGTH / 8));
     }
-    return result
-  }
-  /**
-   * Encrypt a stream of data using AES-CTR with TRUE streaming (no buffering).
-   *
-   * @param {Blob} data The data to encrypt.
-   * @returns {Promise<{ key: Uint8Array, iv: Uint8Array, encryptedStream: ReadableStream }>}
-   */
-  async encryptStream(data) {
-    const key = await this.generateKey()
-    const iv = globalThis.crypto.getRandomValues(new Uint8Array(IV_LENGTH))
-    // Pre-import the crypto key for reuse across chunks
-    const cryptoKey = await globalThis.crypto.subtle.importKey(
-      'raw',
-      key,
-      { name: ENCRYPTION_ALGORITHM },
-      false,
-      ['encrypt', 'decrypt']
-    )
-    // State for AES-CTR counter management
-    let counter = new Uint8Array(iv) // Copy the IV for counter
-    let totalBlocks = 0 // Track total blocks processed
-    // Create TransformStream (inspired by Node.js approach)
-    const encryptTransform = new TransformStream({
-      transform: async (chunk, controller) => {
-        try {
-          // SECURITY: Calculate counter based on total blocks, not chunks
-          const chunkCounter = this.incrementCounter(counter, totalBlocks)
-          // SECURITY: Increment by blocks in this chunk (16 bytes per block)
-          const blocksInChunk = Math.ceil(chunk.length / 16)
-          totalBlocks += blocksInChunk
-          // Encrypt chunk using Web Crypto API
-          const encrypted = new Uint8Array(
-            await globalThis.crypto.subtle.encrypt(
-              {
-                name: ENCRYPTION_ALGORITHM,
-                counter: chunkCounter,
-                length: COUNTER_LENGTH,
-              },
-              cryptoKey,
-              chunk
-            )
-          )
-          controller.enqueue(encrypted)
-        } catch (error) {
-          controller.error(error)
+    /**
+     * Properly increment AES-CTR counter with 128-bit arithmetic
+     *
+     * @param {Uint8Array} counter - The base counter (16 bytes)
+     * @param {number} increment - The value to add
+     * @returns {Uint8Array} - New counter with proper carry propagation
+     */
+    incrementCounter(counter, increment) {
+        const result = new Uint8Array(counter);
+        let carry = increment;
+        // Implement proper 128-bit arithmetic with carry propagation
+        // Start from the least significant byte (rightmost) and propagate carry
+        for (let i = result.length - 1; i >= 0 && carry > 0; i--) {
+            const sum = result[i] + carry;
+            result[i] = sum & 0xff; // Keep only the low 8 bits
+            carry = sum >> 8; // Carry the high bits to next position
         }
-      },
-      // Note: No flush needed for AES-CTR (unlike CBC which needs final padding)
-    })
-    const encryptedStream = data.stream().pipeThrough(encryptTransform)
-    return { key, iv, encryptedStream }
-  }
-  /**
-   * Decrypt a stream of data using AES-CTR with TRUE streaming (no buffering).
-   *
-   * @param {ReadableStream} encryptedData The encrypted data stream.
-   * @param {Uint8Array} key The encryption key.
-   * @param {Uint8Array} iv The initialization vector (counter).
-   * @returns {Promise<ReadableStream>} A stream of decrypted data.
-   */
-  async decryptStream(encryptedData, key, iv) {
-    // Pre-import the crypto key for reuse across chunks
-    const cryptoKey = await globalThis.crypto.subtle.importKey(
-      'raw',
-      key,
-      { name: ENCRYPTION_ALGORITHM },
-      false,
-      ['encrypt', 'decrypt']
-    )
-    // State for AES-CTR counter management
-    let counter = new Uint8Array(iv)
-    let totalBlocks = 0 // Track total blocks processed (CRITICAL for security)
-    const decryptTransform = new TransformStream({
-      transform: async (chunk, controller) => {
-        try {
-          // SECURITY: Calculate counter based on total blocks, not chunks
-          const chunkCounter = this.incrementCounter(counter, totalBlocks)
-          // SECURITY: Increment by blocks in this chunk (16 bytes per block)
-          const blocksInChunk = Math.ceil(chunk.length / 16)
-          totalBlocks += blocksInChunk
-          // Decrypt chunk using Web Crypto API
-          const decrypted = new Uint8Array(
-            await globalThis.crypto.subtle.decrypt(
-              {
-                name: ENCRYPTION_ALGORITHM,
-                counter: chunkCounter,
-                length: COUNTER_LENGTH,
-              },
-              cryptoKey,
-              chunk
-            )
-          )
-          controller.enqueue(decrypted)
-        } catch (error) {
-          controller.error(error)
+        // Check for counter overflow (extremely unlikely with 128-bit counter)
+        if (carry > 0) {
+            throw new Error('Counter overflow: exceeded 128-bit limit. This should never happen in practice.');
         }
-      },
-      // Note: No flush needed for AES-CTR (unlike CBC which needs final padding)
-    })
-    return encryptedData.pipeThrough(decryptTransform)
-  }
-  /**
-   * Combine key and IV into a single array for AES-CTR
-   *
-   * @param {Uint8Array} key - The AES key (KEY_LENGTH/8 bytes)
-   * @param {Uint8Array} iv - The AES-CTR IV (IV_LENGTH bytes)
-   * @returns {Uint8Array} Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
-   */
-  combineKeyAndIV(key, iv) {
-    const keyBytes = KEY_LENGTH / 8
-    if (key.length !== keyBytes) {
-      throw new Error(
-        `AES-${KEY_LENGTH} key must be ${keyBytes} bytes, got ${key.length}`
-      )
+        return result;
+    }
+    /**
+     * Encrypt a stream of data using AES-CTR with TRUE streaming (no buffering).
+     *
+     * @param {Blob} data The data to encrypt.
+     * @returns {Promise<{ key: Uint8Array, iv: Uint8Array, encryptedStream: ReadableStream }>}
+     */
+    async encryptStream(data) {
+        const key = await this.generateKey();
+        const iv = globalThis.crypto.getRandomValues(new Uint8Array(IV_LENGTH));
+        // Pre-import the crypto key for reuse across chunks
+        const cryptoKey = await globalThis.crypto.subtle.importKey('raw', key, { name: ENCRYPTION_ALGORITHM }, false, ['encrypt', 'decrypt']);
+        // State for AES-CTR counter management
+        let counter = new Uint8Array(iv); // Copy the IV for counter
+        let totalBlocks = 0; // Track total blocks processed
+        // Create TransformStream (inspired by Node.js approach)
+        const encryptTransform = new TransformStream({
+            transform: async (chunk, controller) => {
+                try {
+                    // SECURITY: Calculate counter based on total blocks, not chunks
+                    const chunkCounter = this.incrementCounter(counter, totalBlocks);
+                    // SECURITY: Increment by blocks in this chunk (16 bytes per block)
+                    const blocksInChunk = Math.ceil(chunk.length / 16);
+                    totalBlocks += blocksInChunk;
+                    // Encrypt chunk using Web Crypto API
+                    const encrypted = new Uint8Array(await globalThis.crypto.subtle.encrypt({
+                        name: ENCRYPTION_ALGORITHM,
+                        counter: chunkCounter,
+                        length: COUNTER_LENGTH,
+                    }, cryptoKey, chunk));
+                    controller.enqueue(encrypted);
+                }
+                catch (error) {
+                    controller.error(error);
+                }
+            },
+            // Note: No flush needed for AES-CTR (unlike CBC which needs final padding)
+        });
+        const encryptedStream = data.stream().pipeThrough(encryptTransform);
+        return { key, iv, encryptedStream };
     }
-    if (iv.length !== IV_LENGTH) {
-      throw new Error(`AES-CTR IV must be ${IV_LENGTH} bytes, got ${iv.length}`)
+    /**
+     * Decrypt a stream of data using AES-CTR with TRUE streaming (no buffering).
+     *
+     * @param {ReadableStream} encryptedData The encrypted data stream.
+     * @param {Uint8Array} key The encryption key.
+     * @param {Uint8Array} iv The initialization vector (counter).
+     * @returns {Promise<ReadableStream>} A stream of decrypted data.
+     */
+    async decryptStream(encryptedData, key, iv) {
+        // Pre-import the crypto key for reuse across chunks
+        const cryptoKey = await globalThis.crypto.subtle.importKey('raw', key, { name: ENCRYPTION_ALGORITHM }, false, ['encrypt', 'decrypt']);
+        // State for AES-CTR counter management
+        let counter = new Uint8Array(iv);
+        let totalBlocks = 0; // Track total blocks processed (CRITICAL for security)
+        const decryptTransform = new TransformStream({
+            transform: async (chunk, controller) => {
+                try {
+                    // SECURITY: Calculate counter based on total blocks, not chunks
+                    const chunkCounter = this.incrementCounter(counter, totalBlocks);
+                    // SECURITY: Increment by blocks in this chunk (16 bytes per block)
+                    const blocksInChunk = Math.ceil(chunk.length / 16);
+                    totalBlocks += blocksInChunk;
+                    // Decrypt chunk using Web Crypto API
+                    const decrypted = new Uint8Array(await globalThis.crypto.subtle.decrypt({
+                        name: ENCRYPTION_ALGORITHM,
+                        counter: chunkCounter,
+                        length: COUNTER_LENGTH,
+                    }, cryptoKey, chunk));
+                    controller.enqueue(decrypted);
+                }
+                catch (error) {
+                    controller.error(error);
+                }
+            },
+            // Note: No flush needed for AES-CTR (unlike CBC which needs final padding)
+        });
+        return encryptedData.pipeThrough(decryptTransform);
     }
-    return new Uint8Array([...key, ...iv])
-  }
-  /**
-   * Split combined key and IV for AES-CTR
-   *
-   * @param {Uint8Array} combined - Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
-   * @returns {{ key: Uint8Array, iv: Uint8Array }} Separated key and IV
-   */
-  splitKeyAndIV(combined) {
-    const keyBytes = KEY_LENGTH / 8
-    const expectedLength = keyBytes + IV_LENGTH
-    if (combined.length !== expectedLength) {
-      throw new Error(
-        `AES-${KEY_LENGTH}-CTR combined key+IV must be ${expectedLength} bytes, got ${combined.length}`
-      )
+    /**
+     * Combine key and IV into a single array for AES-CTR
+     *
+     * @param {Uint8Array} key - The AES key (KEY_LENGTH/8 bytes)
+     * @param {Uint8Array} iv - The AES-CTR IV (IV_LENGTH bytes)
+     * @returns {Uint8Array} Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
+     */
+    combineKeyAndIV(key, iv) {
+        const keyBytes = KEY_LENGTH / 8;
+        if (key.length !== keyBytes) {
+            throw new Error(`AES-${KEY_LENGTH} key must be ${keyBytes} bytes, got ${key.length}`);
+        }
+        if (iv.length !== IV_LENGTH) {
+            throw new Error(`AES-CTR IV must be ${IV_LENGTH} bytes, got ${iv.length}`);
+        }
+        return new Uint8Array([...key, ...iv]);
     }
-    return {
-      key: combined.subarray(0, keyBytes),
-      iv: combined.subarray(keyBytes, keyBytes + IV_LENGTH),
+    /**
+     * Split combined key and IV for AES-CTR
+     *
+     * @param {Uint8Array} combined - Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
+     * @returns {{ key: Uint8Array, iv: Uint8Array }} Separated key and IV
+     */
+    splitKeyAndIV(combined) {
+        const keyBytes = KEY_LENGTH / 8;
+        const expectedLength = keyBytes + IV_LENGTH;
+        if (combined.length !== expectedLength) {
+            throw new Error(`AES-${KEY_LENGTH}-CTR combined key+IV must be ${expectedLength} bytes, got ${combined.length}`);
+        }
+        return {
+            key: combined.subarray(0, keyBytes),
+            iv: combined.subarray(keyBytes, keyBytes + IV_LENGTH),
+        };
     }
-  }
 }
-//# sourceMappingURL=generic-aes-ctr-streaming-crypto.js.map
+//# sourceMappingURL=generic-aes-ctr-streaming-crypto.js.map

package/dist/crypto/symmetric/node-aes-cbc-crypto.d.ts

@@ -8,40 +8,36 @@
  * @implements {Type.SymmetricCrypto}
  */
 export class NodeAesCbcCrypto implements Type.SymmetricCrypto {
-  /** @param {Type.BlobLike} data  */
-  encryptStream(data: Type.BlobLike): Promise<{
-    key: Buffer<ArrayBufferLike>
-    iv: Buffer<ArrayBufferLike>
-    encryptedStream: ReadableStream<any>
-  }>
-  /**
-   * @param {ReadableStream} encryptedData
-   * @param {Uint8Array} key
-   * @param {Uint8Array} iv
-   */
-  decryptStream(
-    encryptedData: ReadableStream,
-    key: Uint8Array,
-    iv: Uint8Array
-  ): Promise<ReadableStream<any>>
-  /**
-   * Combine key and IV into a single array for AES-CBC
-   *
-   * @param {Uint8Array} key - The AES key (KEY_LENGTH/8 bytes)
-   * @param {Uint8Array} iv - The AES-CBC IV (IV_LENGTH bytes)
-   * @returns {Uint8Array} Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
-   */
-  combineKeyAndIV(key: Uint8Array, iv: Uint8Array): Uint8Array
-  /**
-   * Split combined key and IV for AES-CBC
-   *
-   * @param {Uint8Array} combined - Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
-   * @returns {{ key: Uint8Array, iv: Uint8Array }} Separated key and IV
-   */
-  splitKeyAndIV(combined: Uint8Array): {
-    key: Uint8Array
-    iv: Uint8Array
-  }
+    /** @param {Type.BlobLike} data  */
+    encryptStream(data: Type.BlobLike): Promise<{
+        key: Buffer<ArrayBufferLike>;
+        iv: Buffer<ArrayBufferLike>;
+        encryptedStream: ReadableStream<any>;
+    }>;
+    /**
+     * @param {ReadableStream} encryptedData
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     */
+    decryptStream(encryptedData: ReadableStream, key: Uint8Array, iv: Uint8Array): Promise<ReadableStream<any>>;
+    /**
+     * Combine key and IV into a single array for AES-CBC
+     *
+     * @param {Uint8Array} key - The AES key (KEY_LENGTH/8 bytes)
+     * @param {Uint8Array} iv - The AES-CBC IV (IV_LENGTH bytes)
+     * @returns {Uint8Array} Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
+     */
+    combineKeyAndIV(key: Uint8Array, iv: Uint8Array): Uint8Array;
+    /**
+     * Split combined key and IV for AES-CBC
+     *
+     * @param {Uint8Array} combined - Combined key and IV (KEY_LENGTH/8 + IV_LENGTH bytes)
+     * @returns {{ key: Uint8Array, iv: Uint8Array }} Separated key and IV
+     */
+    splitKeyAndIV(combined: Uint8Array): {
+        key: Uint8Array;
+        iv: Uint8Array;
+    };
 }
-import * as Type from '../../types.js'
-//# sourceMappingURL=node-aes-cbc-crypto.d.ts.map
+import * as Type from '../../types.js';
+//# sourceMappingURL=node-aes-cbc-crypto.d.ts.map