@tootallnate/aes-xts 0.0.0

package/.turbo/turbo-build.log

@@ -0,0 +1,4 @@
+
+> @tootallnate/aes-xts@0.0.0 build /Users/nrajlich/Code/TooTallNate/switch-tools/packages/aes-xts
+> tsc
+

package/dist/index.d.ts

@@ -0,0 +1,32 @@
+/**
+ * AES-128-XTS encryption/decryption using Web Crypto.
+ *
+ * Supports Nintendo's big-endian tweak format, where the sector number
+ * is stored as a big-endian 128-bit value (opposite of the IEEE P1619
+ * standard which uses little-endian).
+ *
+ * Implementation uses Web Crypto's AES-CBC with a zero IV to perform
+ * single-block AES-ECB operations, then builds the XTS mode on top.
+ */
+/**
+ * Encrypt data using AES-128-XTS with Nintendo's big-endian tweak.
+ *
+ * @param key - 32-byte key (first 16 bytes = data key K1, last 16 bytes = tweak key K2)
+ * @param data - Data to encrypt (must be a multiple of `sectorSize`)
+ * @param sectorSize - Size of each sector in bytes (typically 0x200 for NCA headers)
+ * @param startSector - Starting sector number (default: 0)
+ * @param crypto - Optional Crypto implementation (defaults to globalThis.crypto)
+ * @returns Encrypted data
+ */
+export declare function encrypt(key: ArrayBuffer | Uint8Array, data: ArrayBuffer | Uint8Array, sectorSize: number, startSector?: number, crypto?: Crypto): Promise<ArrayBuffer>;
+/**
+ * Decrypt data using AES-128-XTS with Nintendo's big-endian tweak.
+ *
+ * @param key - 32-byte key (first 16 bytes = data key K1, last 16 bytes = tweak key K2)
+ * @param data - Data to decrypt (must be a multiple of `sectorSize`)
+ * @param sectorSize - Size of each sector in bytes (typically 0x200 for NCA headers)
+ * @param startSector - Starting sector number (default: 0)
+ * @param crypto - Optional Crypto implementation (defaults to globalThis.crypto)
+ * @returns Decrypted data
+ */
+export declare function decrypt(key: ArrayBuffer | Uint8Array, data: ArrayBuffer | Uint8Array, sectorSize: number, startSector?: number, crypto?: Crypto): Promise<ArrayBuffer>;

package/dist/index.js

@@ -0,0 +1,211 @@
+/**
+ * AES-128-XTS encryption/decryption using Web Crypto.
+ *
+ * Supports Nintendo's big-endian tweak format, where the sector number
+ * is stored as a big-endian 128-bit value (opposite of the IEEE P1619
+ * standard which uses little-endian).
+ *
+ * Implementation uses Web Crypto's AES-CBC with a zero IV to perform
+ * single-block AES-ECB operations, then builds the XTS mode on top.
+ */
+const BLOCK_SIZE = 16;
+const ZERO_IV = new Uint8Array(BLOCK_SIZE);
+/**
+ * Import a raw AES-128 key for use with AES-CBC (used to emulate ECB).
+ */
+async function importKey(rawKey, crypto = globalThis.crypto) {
+    return crypto.subtle.importKey('raw', rawKey, { name: 'AES-CBC' }, false, [
+        'encrypt',
+        'decrypt',
+    ]);
+}
+/**
+ * Encrypt a single 16-byte block using AES-ECB (emulated via AES-CBC with zero IV).
+ * AES-CBC with a zero IV and a single block is equivalent to AES-ECB for that block.
+ * Web Crypto's AES-CBC adds PKCS7 padding, so the output is 32 bytes — we take only the first 16.
+ */
+async function ecbEncryptBlock(key, block, crypto = globalThis.crypto) {
+    const result = await crypto.subtle.encrypt({ name: 'AES-CBC', iv: ZERO_IV }, key, block);
+    return new Uint8Array(result, 0, BLOCK_SIZE);
+}
+/**
+ * Decrypt a single 16-byte block using AES-ECB (emulated via AES-CBC with zero IV).
+ *
+ * Strategy: Construct a 2-block CBC ciphertext [C0, C1] such that when decrypted
+ * with IV=0, the first plaintext block P0 = AES-ECB-Decrypt(C0) and the second
+ * block P1 has valid PKCS7 padding (16 bytes of 0x10).
+ *
+ * In CBC decrypt: P0 = AES-Decrypt(C0) XOR IV = AES-Decrypt(C0) (since IV=0)
+ *                 P1 = AES-Decrypt(C1) XOR C0
+ *
+ * For P1 to be valid PKCS7 padding: we need AES-Decrypt(C1) = padding XOR C0
+ * So C1 = AES-Encrypt(padding XOR C0) = AES-Encrypt(padding XOR block)
+ */
+async function ecbDecryptBlock(key, block, crypto = globalThis.crypto) {
+    // PKCS7 padding for a full block: 16 bytes of 0x10
+    const padding = new Uint8Array(BLOCK_SIZE);
+    padding.fill(0x10);
+    // XOR padding with the ciphertext block (C0)
+    const paddingXorBlock = new Uint8Array(BLOCK_SIZE);
+    for (let i = 0; i < BLOCK_SIZE; i++) {
+        paddingXorBlock[i] = padding[i] ^ block[i];
+    }
+    // C1 = AES-ECB-Encrypt(padding XOR block)
+    const c1 = await ecbEncryptBlock(key, paddingXorBlock, crypto);
+    // Construct [C0=block, C1] and CBC-decrypt with IV=0
+    const cbcCiphertext = new Uint8Array(BLOCK_SIZE * 2);
+    cbcCiphertext.set(block, 0);
+    cbcCiphertext.set(c1, BLOCK_SIZE);
+    const result = await crypto.subtle.decrypt({ name: 'AES-CBC', iv: ZERO_IV }, key, cbcCiphertext);
+    return new Uint8Array(result, 0, BLOCK_SIZE);
+}
+/**
+ * Multiply a value in GF(2^128) by the primitive element alpha (x).
+ * This is the standard XTS doubling operation.
+ *
+ * The multiplication is performed on the 16-byte value interpreted as a
+ * little-endian polynomial in GF(2^128) with the irreducible polynomial
+ * x^128 + x^7 + x^2 + x + 1 (0x87 reduction).
+ *
+ * Operates in-place on the provided buffer.
+ */
+function gf128Mul(block) {
+    let carry = 0;
+    for (let i = 0; i < BLOCK_SIZE; i++) {
+        const nextCarry = (block[i] >> 7) & 1;
+        block[i] = ((block[i] << 1) | carry) & 0xff;
+        carry = nextCarry;
+    }
+    // If there was a carry out, XOR with the reduction polynomial
+    if (carry) {
+        block[0] ^= 0x87;
+    }
+}
+/**
+ * XOR two 16-byte blocks, storing the result in `dst`.
+ */
+function xorBlocks(dst, a, b) {
+    for (let i = 0; i < BLOCK_SIZE; i++) {
+        dst[i] = a[i] ^ b[i];
+    }
+}
+/**
+ * Generate the Nintendo big-endian tweak value for a given sector number.
+ *
+ * Nintendo stores the sector number as a big-endian 128-bit value,
+ * which is the opposite of the IEEE P1619 standard (little-endian).
+ *
+ * This matches the C implementation:
+ * ```c
+ * static void get_tweak(unsigned char *tweak, size_t sector) {
+ *     for (int i = 0xF; i >= 0; i--) {
+ *         tweak[i] = (unsigned char)(sector & 0xFF);
+ *         sector >>= 8;
+ *     }
+ * }
+ * ```
+ */
+function getNintendoTweak(sector) {
+    const tweak = new Uint8Array(BLOCK_SIZE);
+    let s = sector;
+    for (let i = 0xf; i >= 0; i--) {
+        tweak[i] = s & 0xff;
+        s = Math.floor(s / 256); // Avoid issues with bitwise ops on large numbers
+    }
+    return tweak;
+}
+/**
+ * Encrypt data using AES-128-XTS with Nintendo's big-endian tweak.
+ *
+ * @param key - 32-byte key (first 16 bytes = data key K1, last 16 bytes = tweak key K2)
+ * @param data - Data to encrypt (must be a multiple of `sectorSize`)
+ * @param sectorSize - Size of each sector in bytes (typically 0x200 for NCA headers)
+ * @param startSector - Starting sector number (default: 0)
+ * @param crypto - Optional Crypto implementation (defaults to globalThis.crypto)
+ * @returns Encrypted data
+ */
+export async function encrypt(key, data, sectorSize, startSector = 0, crypto = globalThis.crypto) {
+    const keyBytes = new Uint8Array(key);
+    if (keyBytes.length !== 32) {
+        throw new Error(`AES-XTS key must be 32 bytes, got ${keyBytes.length}`);
+    }
+    const dataBytes = new Uint8Array(data);
+    if (dataBytes.length % sectorSize !== 0) {
+        throw new Error('Data length must be a multiple of sector size');
+    }
+    if (sectorSize % BLOCK_SIZE !== 0) {
+        throw new Error('Sector size must be a multiple of 16');
+    }
+    const k1 = await importKey(keyBytes.subarray(0, 16), crypto);
+    const k2 = await importKey(keyBytes.subarray(16, 32), crypto);
+    const output = new Uint8Array(dataBytes.length);
+    const blocksPerSector = sectorSize / BLOCK_SIZE;
+    const tempBlock = new Uint8Array(BLOCK_SIZE);
+    for (let sectorOffset = 0; sectorOffset < dataBytes.length; sectorOffset += sectorSize) {
+        const sector = startSector + sectorOffset / sectorSize;
+        // Compute the initial tweak: T = AES-ECB-Encrypt(K2, tweak_value)
+        const tweakValue = getNintendoTweak(sector);
+        const T = await ecbEncryptBlock(k2, tweakValue, crypto);
+        for (let j = 0; j < blocksPerSector; j++) {
+            const blockOffset = sectorOffset + j * BLOCK_SIZE;
+            const plainBlock = dataBytes.subarray(blockOffset, blockOffset + BLOCK_SIZE);
+            // PP = P XOR T
+            xorBlocks(tempBlock, plainBlock, T);
+            // CC = AES-ECB-Encrypt(K1, PP)
+            const encrypted = await ecbEncryptBlock(k1, tempBlock, crypto);
+            // C = CC XOR T
+            xorBlocks(output.subarray(blockOffset, blockOffset + BLOCK_SIZE), encrypted, T);
+            // T = T * alpha in GF(2^128)
+            gf128Mul(T);
+        }
+    }
+    return output.buffer;
+}
+/**
+ * Decrypt data using AES-128-XTS with Nintendo's big-endian tweak.
+ *
+ * @param key - 32-byte key (first 16 bytes = data key K1, last 16 bytes = tweak key K2)
+ * @param data - Data to decrypt (must be a multiple of `sectorSize`)
+ * @param sectorSize - Size of each sector in bytes (typically 0x200 for NCA headers)
+ * @param startSector - Starting sector number (default: 0)
+ * @param crypto - Optional Crypto implementation (defaults to globalThis.crypto)
+ * @returns Decrypted data
+ */
+export async function decrypt(key, data, sectorSize, startSector = 0, crypto = globalThis.crypto) {
+    const keyBytes = new Uint8Array(key);
+    if (keyBytes.length !== 32) {
+        throw new Error(`AES-XTS key must be 32 bytes, got ${keyBytes.length}`);
+    }
+    const dataBytes = new Uint8Array(data);
+    if (dataBytes.length % sectorSize !== 0) {
+        throw new Error('Data length must be a multiple of sector size');
+    }
+    if (sectorSize % BLOCK_SIZE !== 0) {
+        throw new Error('Sector size must be a multiple of 16');
+    }
+    const k1 = await importKey(keyBytes.subarray(0, 16), crypto);
+    const k2 = await importKey(keyBytes.subarray(16, 32), crypto);
+    const output = new Uint8Array(dataBytes.length);
+    const blocksPerSector = sectorSize / BLOCK_SIZE;
+    const tempBlock = new Uint8Array(BLOCK_SIZE);
+    for (let sectorOffset = 0; sectorOffset < dataBytes.length; sectorOffset += sectorSize) {
+        const sector = startSector + sectorOffset / sectorSize;
+        // Compute the initial tweak: T = AES-ECB-Encrypt(K2, tweak_value)
+        const tweakValue = getNintendoTweak(sector);
+        const T = await ecbEncryptBlock(k2, tweakValue, crypto);
+        for (let j = 0; j < blocksPerSector; j++) {
+            const blockOffset = sectorOffset + j * BLOCK_SIZE;
+            const cipherBlock = dataBytes.subarray(blockOffset, blockOffset + BLOCK_SIZE);
+            // CC = C XOR T
+            xorBlocks(tempBlock, cipherBlock, T);
+            // PP = AES-ECB-Decrypt(K1, CC)
+            const decrypted = await ecbDecryptBlock(k1, tempBlock, crypto);
+            // P = PP XOR T
+            xorBlocks(output.subarray(blockOffset, blockOffset + BLOCK_SIZE), decrypted, T);
+            // T = T * alpha in GF(2^128)
+            gf128Mul(T);
+        }
+    }
+    return output.buffer;
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,UAAU,GAAG,EAAE,CAAC;AACtB,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;AAE3C;;GAEG;AACH,KAAK,UAAU,SAAS,CACvB,MAAgC,EAChC,SAAiB,UAAU,CAAC,MAAM;IAElC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE;QACzE,SAAS;QACT,SAAS;KACT,CAAC,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,KAAK,UAAU,eAAe,CAC7B,GAAc,EACd,KAAiB,EACjB,SAAiB,UAAU,CAAC,MAAM;IAElC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CACzC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,EAChC,GAAG,EACH,KAAK,CACL,CAAC;IACF,OAAO,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,UAAU,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,eAAe,CAC7B,GAAc,EACd,KAAiB,EACjB,SAAiB,UAAU,CAAC,MAAM;IAElC,mDAAmD;IACnD,MAAM,OAAO,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IAC3C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEnB,6CAA6C;IAC7C,MAAM,eAAe,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACnD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,eAAe,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC5C,CAAC;IAED,0CAA0C;IAC1C,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;IAE/D,qDAAqD;IACrD,MAAM,aAAa,GAAG,IAAI,UAAU,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC;IACrD,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC5B,aAAa,CAAC,GAAG,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,OAAO,CACzC,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,EAChC,GAAG,EACH,aAAa,CACb,CAAC;IACF,OAAO,IAAI,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,UAAU,CAAC,CAAC;AAC9C,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,QAAQ,CAAC,KAAiB;IAClC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,SAAS,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QACtC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,KAAK,CAAC,GAAG,IAAI,CAAC;QAC5C,KAAK,GAAG,SAAS,CAAC;IACnB,CAAC;IACD,8DAA8D;IAC9D,IAAI,KAAK,EAAE,CAAC;QACX,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAClB,CAAC;AACF,CAAC;AAED;;GAEG;AACH,SAAS,SAAS,CAAC,GAAe,EAAE,CAAa,EAAE,CAAa;IAC/D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IACtB,CAAC;AACF,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAS,gBAAgB,CAAC,MAAc;IACvC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IACzC,IAAI,CAAC,GAAG,MAAM,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/B,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC;QACpB,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,iDAAiD;IAC3E,CAAC;IACD,OAAO,KAAK,CAAC;AACd,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC5B,GAA6B,EAC7B,IAA8B,EAC9B,UAAkB,EAClB,WAAW,GAAG,CAAC,EACf,SAAiB,UAAU,CAAC,MAAM;IAElC,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,SAAS,CAAC,MAAM,GAAG,UAAU,KAAK,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,UAAU,GAAG,UAAU,KAAK,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAC7D,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAE9D,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAChD,MAAM,eAAe,GAAG,UAAU,GAAG,UAAU,CAAC;IAChD,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IAE7C,KACC,IAAI,YAAY,GAAG,CAAC,EACpB,YAAY,GAAG,SAAS,CAAC,MAAM,EAC/B,YAAY,IAAI,UAAU,EACzB,CAAC;QACF,MAAM,MAAM,GAAG,WAAW,GAAG,YAAY,GAAG,UAAU,CAAC;QAEvD,kEAAkE;QAClE,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;QAExD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,eAAe,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,MAAM,WAAW,GAAG,YAAY,GAAG,CAAC,GAAG,UAAU,CAAC;YAClD,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,CACpC,WAAW,EACX,WAAW,GAAG,UAAU,CACxB,CAAC;YAEF,eAAe;YACf,SAAS,CAAC,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;YAEpC,+BAA+B;YAC/B,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;YAE/D,eAAe;YACf,SAAS,CACR,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,GAAG,UAAU,CAAC,EACtD,SAAS,EACT,CAAC,CACD,CAAC;YAEF,6BAA6B;YAC7B,QAAQ,CAAC,CAAC,CAAC,CAAC;QACb,CAAC;IACF,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC;AACtB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC5B,GAA6B,EAC7B,IAA8B,EAC9B,UAAkB,EAClB,WAAW,GAAG,CAAC,EACf,SAAiB,UAAU,CAAC,MAAM;IAElC,MAAM,QAAQ,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC;IACvC,IAAI,SAAS,CAAC,MAAM,GAAG,UAAU,KAAK,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IAClE,CAAC;IACD,IAAI,UAAU,GAAG,UAAU,KAAK,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAC7D,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;IAE9D,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAChD,MAAM,eAAe,GAAG,UAAU,GAAG,UAAU,CAAC;IAChD,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IAE7C,KACC,IAAI,YAAY,GAAG,CAAC,EACpB,YAAY,GAAG,SAAS,CAAC,MAAM,EAC/B,YAAY,IAAI,UAAU,EACzB,CAAC;QACF,MAAM,MAAM,GAAG,WAAW,GAAG,YAAY,GAAG,UAAU,CAAC;QAEvD,kEAAkE;QAClE,MAAM,UAAU,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,CAAC,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;QAExD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,eAAe,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,MAAM,WAAW,GAAG,YAAY,GAAG,CAAC,GAAG,UAAU,CAAC;YAClD,MAAM,WAAW,GAAG,SAAS,CAAC,QAAQ,CACrC,WAAW,EACX,WAAW,GAAG,UAAU,CACxB,CAAC;YAEF,eAAe;YACf,SAAS,CAAC,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC;YAErC,+BAA+B;YAC/B,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;YAE/D,eAAe;YACf,SAAS,CACR,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,WAAW,GAAG,UAAU,CAAC,EACtD,SAAS,EACT,CAAC,CACD,CAAC;YAEF,6BAA6B;YAC7B,QAAQ,CAAC,CAAC,CAAC,CAAC;QACb,CAAC;IACF,CAAC;IAED,OAAO,MAAM,CAAC,MAAM,CAAC;AACtB,CAAC"}

package/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "@tootallnate/aes-xts",
+  "version": "0.0.0",
+  "type": "module",
+  "description": "AES-128-XTS encryption/decryption using Web Crypto, with support for Nintendo's big-endian tweak",
+  "main": "dist/index.js",
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run"
+  },
+  "keywords": [],
+  "author": "Nathan Rajlich <n@n8.io>",
+  "license": "MIT",
+  "devDependencies": {
+    "typescript": "^5.3.3"
+  }
+}

package/src/index.ts

@@ -0,0 +1,298 @@
+/**
+ * AES-128-XTS encryption/decryption using Web Crypto.
+ *
+ * Supports Nintendo's big-endian tweak format, where the sector number
+ * is stored as a big-endian 128-bit value (opposite of the IEEE P1619
+ * standard which uses little-endian).
+ *
+ * Implementation uses Web Crypto's AES-CBC with a zero IV to perform
+ * single-block AES-ECB operations, then builds the XTS mode on top.
+ */
+
+const BLOCK_SIZE = 16;
+const ZERO_IV = new Uint8Array(BLOCK_SIZE);
+
+/**
+ * Import a raw AES-128 key for use with AES-CBC (used to emulate ECB).
+ */
+async function importKey(
+	rawKey: ArrayBuffer | Uint8Array,
+	crypto: Crypto = globalThis.crypto
+): Promise<CryptoKey> {
+	return crypto.subtle.importKey('raw', rawKey, { name: 'AES-CBC' }, false, [
+		'encrypt',
+		'decrypt',
+	]);
+}
+
+/**
+ * Encrypt a single 16-byte block using AES-ECB (emulated via AES-CBC with zero IV).
+ * AES-CBC with a zero IV and a single block is equivalent to AES-ECB for that block.
+ * Web Crypto's AES-CBC adds PKCS7 padding, so the output is 32 bytes — we take only the first 16.
+ */
+async function ecbEncryptBlock(
+	key: CryptoKey,
+	block: Uint8Array,
+	crypto: Crypto = globalThis.crypto
+): Promise<Uint8Array> {
+	const result = await crypto.subtle.encrypt(
+		{ name: 'AES-CBC', iv: ZERO_IV },
+		key,
+		block
+	);
+	return new Uint8Array(result, 0, BLOCK_SIZE);
+}
+
+/**
+ * Decrypt a single 16-byte block using AES-ECB (emulated via AES-CBC with zero IV).
+ *
+ * Strategy: Construct a 2-block CBC ciphertext [C0, C1] such that when decrypted
+ * with IV=0, the first plaintext block P0 = AES-ECB-Decrypt(C0) and the second
+ * block P1 has valid PKCS7 padding (16 bytes of 0x10).
+ *
+ * In CBC decrypt: P0 = AES-Decrypt(C0) XOR IV = AES-Decrypt(C0) (since IV=0)
+ *                 P1 = AES-Decrypt(C1) XOR C0
+ *
+ * For P1 to be valid PKCS7 padding: we need AES-Decrypt(C1) = padding XOR C0
+ * So C1 = AES-Encrypt(padding XOR C0) = AES-Encrypt(padding XOR block)
+ */
+async function ecbDecryptBlock(
+	key: CryptoKey,
+	block: Uint8Array,
+	crypto: Crypto = globalThis.crypto
+): Promise<Uint8Array> {
+	// PKCS7 padding for a full block: 16 bytes of 0x10
+	const padding = new Uint8Array(BLOCK_SIZE);
+	padding.fill(0x10);
+
+	// XOR padding with the ciphertext block (C0)
+	const paddingXorBlock = new Uint8Array(BLOCK_SIZE);
+	for (let i = 0; i < BLOCK_SIZE; i++) {
+		paddingXorBlock[i] = padding[i] ^ block[i];
+	}
+
+	// C1 = AES-ECB-Encrypt(padding XOR block)
+	const c1 = await ecbEncryptBlock(key, paddingXorBlock, crypto);
+
+	// Construct [C0=block, C1] and CBC-decrypt with IV=0
+	const cbcCiphertext = new Uint8Array(BLOCK_SIZE * 2);
+	cbcCiphertext.set(block, 0);
+	cbcCiphertext.set(c1, BLOCK_SIZE);
+
+	const result = await crypto.subtle.decrypt(
+		{ name: 'AES-CBC', iv: ZERO_IV },
+		key,
+		cbcCiphertext
+	);
+	return new Uint8Array(result, 0, BLOCK_SIZE);
+}
+
+/**
+ * Multiply a value in GF(2^128) by the primitive element alpha (x).
+ * This is the standard XTS doubling operation.
+ *
+ * The multiplication is performed on the 16-byte value interpreted as a
+ * little-endian polynomial in GF(2^128) with the irreducible polynomial
+ * x^128 + x^7 + x^2 + x + 1 (0x87 reduction).
+ *
+ * Operates in-place on the provided buffer.
+ */
+function gf128Mul(block: Uint8Array): void {
+	let carry = 0;
+	for (let i = 0; i < BLOCK_SIZE; i++) {
+		const nextCarry = (block[i] >> 7) & 1;
+		block[i] = ((block[i] << 1) | carry) & 0xff;
+		carry = nextCarry;
+	}
+	// If there was a carry out, XOR with the reduction polynomial
+	if (carry) {
+		block[0] ^= 0x87;
+	}
+}
+
+/**
+ * XOR two 16-byte blocks, storing the result in `dst`.
+ */
+function xorBlocks(dst: Uint8Array, a: Uint8Array, b: Uint8Array): void {
+	for (let i = 0; i < BLOCK_SIZE; i++) {
+		dst[i] = a[i] ^ b[i];
+	}
+}
+
+/**
+ * Generate the Nintendo big-endian tweak value for a given sector number.
+ *
+ * Nintendo stores the sector number as a big-endian 128-bit value,
+ * which is the opposite of the IEEE P1619 standard (little-endian).
+ *
+ * This matches the C implementation:
+ * ```c
+ * static void get_tweak(unsigned char *tweak, size_t sector) {
+ *     for (int i = 0xF; i >= 0; i--) {
+ *         tweak[i] = (unsigned char)(sector & 0xFF);
+ *         sector >>= 8;
+ *     }
+ * }
+ * ```
+ */
+function getNintendoTweak(sector: number): Uint8Array {
+	const tweak = new Uint8Array(BLOCK_SIZE);
+	let s = sector;
+	for (let i = 0xf; i >= 0; i--) {
+		tweak[i] = s & 0xff;
+		s = Math.floor(s / 256); // Avoid issues with bitwise ops on large numbers
+	}
+	return tweak;
+}
+
+/**
+ * Encrypt data using AES-128-XTS with Nintendo's big-endian tweak.
+ *
+ * @param key - 32-byte key (first 16 bytes = data key K1, last 16 bytes = tweak key K2)
+ * @param data - Data to encrypt (must be a multiple of `sectorSize`)
+ * @param sectorSize - Size of each sector in bytes (typically 0x200 for NCA headers)
+ * @param startSector - Starting sector number (default: 0)
+ * @param crypto - Optional Crypto implementation (defaults to globalThis.crypto)
+ * @returns Encrypted data
+ */
+export async function encrypt(
+	key: ArrayBuffer | Uint8Array,
+	data: ArrayBuffer | Uint8Array,
+	sectorSize: number,
+	startSector = 0,
+	crypto: Crypto = globalThis.crypto
+): Promise<ArrayBuffer> {
+	const keyBytes = new Uint8Array(key);
+	if (keyBytes.length !== 32) {
+		throw new Error(`AES-XTS key must be 32 bytes, got ${keyBytes.length}`);
+	}
+
+	const dataBytes = new Uint8Array(data);
+	if (dataBytes.length % sectorSize !== 0) {
+		throw new Error('Data length must be a multiple of sector size');
+	}
+	if (sectorSize % BLOCK_SIZE !== 0) {
+		throw new Error('Sector size must be a multiple of 16');
+	}
+
+	const k1 = await importKey(keyBytes.subarray(0, 16), crypto);
+	const k2 = await importKey(keyBytes.subarray(16, 32), crypto);
+
+	const output = new Uint8Array(dataBytes.length);
+	const blocksPerSector = sectorSize / BLOCK_SIZE;
+	const tempBlock = new Uint8Array(BLOCK_SIZE);
+
+	for (
+		let sectorOffset = 0;
+		sectorOffset < dataBytes.length;
+		sectorOffset += sectorSize
+	) {
+		const sector = startSector + sectorOffset / sectorSize;
+
+		// Compute the initial tweak: T = AES-ECB-Encrypt(K2, tweak_value)
+		const tweakValue = getNintendoTweak(sector);
+		const T = await ecbEncryptBlock(k2, tweakValue, crypto);
+
+		for (let j = 0; j < blocksPerSector; j++) {
+			const blockOffset = sectorOffset + j * BLOCK_SIZE;
+			const plainBlock = dataBytes.subarray(
+				blockOffset,
+				blockOffset + BLOCK_SIZE
+			);
+
+			// PP = P XOR T
+			xorBlocks(tempBlock, plainBlock, T);
+
+			// CC = AES-ECB-Encrypt(K1, PP)
+			const encrypted = await ecbEncryptBlock(k1, tempBlock, crypto);
+
+			// C = CC XOR T
+			xorBlocks(
+				output.subarray(blockOffset, blockOffset + BLOCK_SIZE),
+				encrypted,
+				T
+			);
+
+			// T = T * alpha in GF(2^128)
+			gf128Mul(T);
+		}
+	}
+
+	return output.buffer;
+}
+
+/**
+ * Decrypt data using AES-128-XTS with Nintendo's big-endian tweak.
+ *
+ * @param key - 32-byte key (first 16 bytes = data key K1, last 16 bytes = tweak key K2)
+ * @param data - Data to decrypt (must be a multiple of `sectorSize`)
+ * @param sectorSize - Size of each sector in bytes (typically 0x200 for NCA headers)
+ * @param startSector - Starting sector number (default: 0)
+ * @param crypto - Optional Crypto implementation (defaults to globalThis.crypto)
+ * @returns Decrypted data
+ */
+export async function decrypt(
+	key: ArrayBuffer | Uint8Array,
+	data: ArrayBuffer | Uint8Array,
+	sectorSize: number,
+	startSector = 0,
+	crypto: Crypto = globalThis.crypto
+): Promise<ArrayBuffer> {
+	const keyBytes = new Uint8Array(key);
+	if (keyBytes.length !== 32) {
+		throw new Error(`AES-XTS key must be 32 bytes, got ${keyBytes.length}`);
+	}
+
+	const dataBytes = new Uint8Array(data);
+	if (dataBytes.length % sectorSize !== 0) {
+		throw new Error('Data length must be a multiple of sector size');
+	}
+	if (sectorSize % BLOCK_SIZE !== 0) {
+		throw new Error('Sector size must be a multiple of 16');
+	}
+
+	const k1 = await importKey(keyBytes.subarray(0, 16), crypto);
+	const k2 = await importKey(keyBytes.subarray(16, 32), crypto);
+
+	const output = new Uint8Array(dataBytes.length);
+	const blocksPerSector = sectorSize / BLOCK_SIZE;
+	const tempBlock = new Uint8Array(BLOCK_SIZE);
+
+	for (
+		let sectorOffset = 0;
+		sectorOffset < dataBytes.length;
+		sectorOffset += sectorSize
+	) {
+		const sector = startSector + sectorOffset / sectorSize;
+
+		// Compute the initial tweak: T = AES-ECB-Encrypt(K2, tweak_value)
+		const tweakValue = getNintendoTweak(sector);
+		const T = await ecbEncryptBlock(k2, tweakValue, crypto);
+
+		for (let j = 0; j < blocksPerSector; j++) {
+			const blockOffset = sectorOffset + j * BLOCK_SIZE;
+			const cipherBlock = dataBytes.subarray(
+				blockOffset,
+				blockOffset + BLOCK_SIZE
+			);
+
+			// CC = C XOR T
+			xorBlocks(tempBlock, cipherBlock, T);
+
+			// PP = AES-ECB-Decrypt(K1, CC)
+			const decrypted = await ecbDecryptBlock(k1, tempBlock, crypto);
+
+			// P = PP XOR T
+			xorBlocks(
+				output.subarray(blockOffset, blockOffset + BLOCK_SIZE),
+				decrypted,
+				T
+			);
+
+			// T = T * alpha in GF(2^128)
+			gf128Mul(T);
+		}
+	}
+
+	return output.buffer;
+}

package/test/index.test.ts

@@ -0,0 +1,114 @@
+import { describe, it, expect } from 'vitest';
+import { encrypt, decrypt } from '../src/index.js';
+
+// Test vectors generated using Node.js crypto with identical key/tweak settings
+const TEST_KEY = hexToBytes(
+	'00112233445566778899aabbccddeeffaabbccddeeff00112233445566778899'
+);
+
+const SECTOR_0_EXPECTED =
+	'7575d42fde6b2f7190ff26861970b889b0f7d93951047e4913017c4a6dd4a1cc';
+
+const SECTOR_1_EXPECTED =
+	'd573fc38797f8affbe2bd3b104b0ef085667c568fed42c7773f8e936e780d1f5';
+
+function hexToBytes(hex: string): Uint8Array {
+	const bytes = new Uint8Array(hex.length / 2);
+	for (let i = 0; i < bytes.length; i++) {
+		bytes[i] = parseInt(hex.substring(i * 2, i * 2 + 2), 16);
+	}
+	return bytes;
+}
+
+function bytesToHex(bytes: Uint8Array): string {
+	return Array.from(bytes)
+		.map((b) => b.toString(16).padStart(2, '0'))
+		.join('');
+}
+
+function makeTestData(size: number): Uint8Array {
+	const data = new Uint8Array(size);
+	for (let i = 0; i < size; i++) data[i] = i & 0xff;
+	return data;
+}
+
+describe('AES-128-XTS with Nintendo big-endian tweak', () => {
+	describe('encrypt', () => {
+		it('should encrypt a single sector (sector 0)', async () => {
+			const plain = makeTestData(512);
+			const ct = new Uint8Array(await encrypt(TEST_KEY, plain, 512, 0));
+			expect(bytesToHex(ct.subarray(0, 32))).toBe(SECTOR_0_EXPECTED);
+		});
+
+		it('should encrypt with correct sector 1 tweak', async () => {
+			const plain = makeTestData(512);
+			const ct = new Uint8Array(await encrypt(TEST_KEY, plain, 512, 1));
+			expect(bytesToHex(ct.subarray(0, 32))).toBe(SECTOR_1_EXPECTED);
+		});
+
+		it('should encrypt multiple sectors', async () => {
+			const plain = makeTestData(1024);
+			const ct = new Uint8Array(await encrypt(TEST_KEY, plain, 512, 0));
+			// First 512 bytes = sector 0 ciphertext
+			expect(bytesToHex(ct.subarray(0, 32))).toBe(SECTOR_0_EXPECTED);
+			// Second 512 bytes = sector 1 ciphertext
+			expect(bytesToHex(ct.subarray(512, 544))).toBe(SECTOR_1_EXPECTED);
+		});
+	});
+
+	describe('decrypt', () => {
+		it('should round-trip encrypt/decrypt', async () => {
+			const plain = makeTestData(512);
+			const ct = await encrypt(TEST_KEY, plain, 512, 0);
+			const decrypted = new Uint8Array(
+				await decrypt(TEST_KEY, ct, 512, 0)
+			);
+			expect(bytesToHex(decrypted)).toBe(bytesToHex(plain));
+		});
+
+		it('should round-trip multiple sectors', async () => {
+			const plain = makeTestData(1024);
+			const ct = await encrypt(TEST_KEY, plain, 512, 0);
+			const decrypted = new Uint8Array(
+				await decrypt(TEST_KEY, ct, 512, 0)
+			);
+			expect(bytesToHex(decrypted)).toBe(bytesToHex(plain));
+		});
+
+		it('should round-trip with non-zero start sector', async () => {
+			const plain = makeTestData(512);
+			const ct = await encrypt(TEST_KEY, plain, 512, 5);
+			const decrypted = new Uint8Array(
+				await decrypt(TEST_KEY, ct, 512, 5)
+			);
+			expect(bytesToHex(decrypted)).toBe(bytesToHex(plain));
+		});
+	});
+
+	describe('NCA header size (0xC00 = 3072 bytes, sector size 0x200)', () => {
+		it('should encrypt/decrypt NCA-header-sized data', async () => {
+			const data = makeTestData(0xc00);
+			const ct = await encrypt(TEST_KEY, data, 0x200, 0);
+			const decrypted = new Uint8Array(
+				await decrypt(TEST_KEY, ct, 0x200, 0)
+			);
+			expect(bytesToHex(decrypted)).toBe(bytesToHex(data));
+		});
+	});
+
+	describe('validation', () => {
+		it('should reject non-32-byte keys', async () => {
+			const plain = makeTestData(512);
+			await expect(
+				encrypt(new Uint8Array(16), plain, 512)
+			).rejects.toThrow('32 bytes');
+		});
+
+		it('should reject data not aligned to sector size', async () => {
+			const plain = makeTestData(500);
+			await expect(encrypt(TEST_KEY, plain, 512)).rejects.toThrow(
+				'multiple of sector size'
+			);
+		});
+	});
+});

package/tsconfig.json

@@ -0,0 +1,14 @@
+{
+  "compilerOptions": {
+    "target": "es2020",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "outDir": "./dist",
+    "declaration": true,
+    "sourceMap": true,
+    "forceConsistentCasingInFileNames": true,
+    "strict": true,
+    "skipLibCheck": true
+  },
+  "include": ["src/**/*.ts"]
+}