@yeying-community/web3-bs 1.0.16 → 1.0.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -0
- package/dist/auth/index.d.ts +1 -0
- package/dist/auth/profile.d.ts +34 -0
- package/dist/web3-bs.esm.js +106 -1
- package/dist/web3-bs.esm.js.map +1 -1
- package/dist/web3-bs.umd.js +111 -0
- package/dist/web3-bs.umd.js.map +1 -1
- package/docs/SDK/350/203/275/345/212/233.md +272 -0
- package/docs/UCAN/346/234/211/346/225/210/346/234/237/344/270/216/347/273/255/346/234/237/346/234/272/345/210/266.md +305 -0
- package/docs//345/212/240/350/247/243/345/257/206/346/234/215/345/212/241.md +146 -0
- package/docs//345/274/200/346/224/276/346/216/245/345/217/243/350/247/204/350/214/203.yaml +668 -0
- package/docs//345/277/253/351/200/237/344/270/212/346/211/213.md +476 -0
- package/docs//346/226/207/346/241/243/345/257/274/350/210/252.md +54 -0
- package/docs//347/247/273/345/212/250/347/253/257/350/256/244/350/257/201/344/270/216/346/216/210/346/235/203/351/200/211/345/236/213/346/214/207/345/215/227.md +151 -0
- package/docs//351/222/261/345/214/205/350/265/204/346/226/231/346/216/210/346/235/203.md +154 -0
- package/package.json +3 -2
|
@@ -0,0 +1,146 @@
|
|
|
1
|
+
# 加解密服务
|
|
2
|
+
|
|
3
|
+
本文档说明 `@yeying-community/web3-bs` 的加解密 SDK:3 个函数 + 4 个命名安全套件 + 调用模式与安全模型。
|
|
4
|
+
|
|
5
|
+
## 1. 能力概述
|
|
6
|
+
|
|
7
|
+
`encrypt` / `decrypt` / `getSupportedCipherSuites` 三个函数,调用钱包插件的 EIP-1193 自定义方法 `yeying_encrypt` / `yeying_decrypt` / `yeying_getCipherSuites`。
|
|
8
|
+
|
|
9
|
+
调用模式与 UCAN 一致:
|
|
10
|
+
- 站点必须已 `requestAccounts` 授权
|
|
11
|
+
- 钱包必须已解锁(`unlockMethods` 集合自动覆盖)
|
|
12
|
+
- **静默执行**——无审批弹窗
|
|
13
|
+
|
|
14
|
+
**不暴露裸算法参数**(key size、iv 长度、kdf 迭代、mac 长度全部锁死)。DApp 只能选套件名 + 传数据密码 + 传明文/密文。安全默认在 SDK 内部强制,避免误用。
|
|
15
|
+
|
|
16
|
+
## 2. 命名安全套件
|
|
17
|
+
|
|
18
|
+
通过 `getSupportedCipherSuites()` 拿到最新列表(结构:`{name, description, mode}`)。当前 4 个:
|
|
19
|
+
|
|
20
|
+
| name | mode | 用途 |
|
|
21
|
+
| --- | --- | --- |
|
|
22
|
+
| `aes-256-gcm` | symmetric | 国际默认(默认套件) |
|
|
23
|
+
| `sm4-cbc-hmac-sm3` | symmetric | 国密对称(encrypt-then-MAC) |
|
|
24
|
+
| `sha-256` | hash | 哈希 |
|
|
25
|
+
| `sm3` | hash | 国密哈希 |
|
|
26
|
+
|
|
27
|
+
每个套件**默认参数**:
|
|
28
|
+
- AES-256-GCM:256-bit key、12-byte IV、PBKDF2-SHA256 210k 轮
|
|
29
|
+
- SM4-CBC + HMAC-SM3:128-bit SM4 key + 256-bit MAC key(PBKDF2 派生后拆分)、16-byte IV、PKCS#7 padding
|
|
30
|
+
- 哈希:32 字节输出
|
|
31
|
+
|
|
32
|
+
## 3. 典型用法
|
|
33
|
+
|
|
34
|
+
### 3.1 加密
|
|
35
|
+
|
|
36
|
+
```ts
|
|
37
|
+
import { encrypt, getSupportedCipherSuites } from '@yeying-community/web3-bs';
|
|
38
|
+
|
|
39
|
+
const suites = await getSupportedCipherSuites();
|
|
40
|
+
console.log(suites.map(s => `${s.name} (${s.mode})`).join(', '));
|
|
41
|
+
// → aes-256-gcm (symmetric), sm4-cbc-hmac-sm3 (symmetric), sha-256 (hash), sm3 (hash)
|
|
42
|
+
|
|
43
|
+
const ciphertext = await encrypt({
|
|
44
|
+
data: '夜莺钱包敏感数据 🔐',
|
|
45
|
+
password: 'app-specific-passphrase-2024',
|
|
46
|
+
// suite: 'aes-256-gcm' // 不传则用默认套件
|
|
47
|
+
});
|
|
48
|
+
// → v1:aes-256-gcm:<base64-salt>:<base64-iv>:<base64-ciphertext>
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
### 3.2 解密
|
|
52
|
+
|
|
53
|
+
```ts
|
|
54
|
+
import { decrypt } from '@yeying-community/web3-bs';
|
|
55
|
+
|
|
56
|
+
const plaintextBytes = await decrypt({
|
|
57
|
+
ciphertext: 'v1:aes-256-gcm:...',
|
|
58
|
+
password: 'app-specific-passphrase-2024'
|
|
59
|
+
});
|
|
60
|
+
const text = new TextDecoder().decode(plaintextBytes);
|
|
61
|
+
// → 夜莺钱包敏感数据 🔐
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
### 3.3 选国密套件
|
|
65
|
+
|
|
66
|
+
```ts
|
|
67
|
+
const ciphertext = await encrypt({
|
|
68
|
+
data: sensitiveString,
|
|
69
|
+
password: 'app-specific-passphrase-2024',
|
|
70
|
+
suite: 'sm4-cbc-hmac-sm3'
|
|
71
|
+
});
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
## 4. 错误处理
|
|
75
|
+
|
|
76
|
+
所有错误抛 `CipherError`(继承自 `Error`),并附带分类:
|
|
77
|
+
|
|
78
|
+
```ts
|
|
79
|
+
import { encrypt, CipherError, isUserRejectedWalletAction } from '@yeying-community/web3-bs';
|
|
80
|
+
|
|
81
|
+
try {
|
|
82
|
+
const ct = await encrypt({ data, password, provider });
|
|
83
|
+
} catch (err) {
|
|
84
|
+
if (err instanceof CipherError) {
|
|
85
|
+
if (err.type === 'userRejected') {
|
|
86
|
+
// 用户在钱包端点了取消
|
|
87
|
+
} else if (err.type === 'disconnected') {
|
|
88
|
+
// 钱包未连接站点 / 站点未授权 / 钱包未解锁
|
|
89
|
+
} else {
|
|
90
|
+
// 未知错误(密码错、密文坏、网络等)
|
|
91
|
+
}
|
|
92
|
+
if (isUserRejectedWalletAction(err)) {
|
|
93
|
+
// ...
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
}
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
`CipherError.type` 取值:`'userRejected' | 'disconnected' | 'timeout' | 'notFound' | 'unknown'`,与 `classifyWalletError` 保持一致。
|
|
100
|
+
|
|
101
|
+
## 5. 安全模型
|
|
102
|
+
|
|
103
|
+
### 5.1 信任假设
|
|
104
|
+
|
|
105
|
+
- **站点已授权 + 钱包已解锁** = 站点可在用户不知情下调用加解密(与 UCAN 同模型)
|
|
106
|
+
- **站点被 XSS** = XSS 攻击者可在该站点 origin 下调用加解密——这是 DApp 自身的责任,UCAN 沿用同模型
|
|
107
|
+
- **数据密码独立**——`password` 参数是 DApp 自己的密码,**与钱包解锁密码不同**;钱包解锁用 DApp 用户在钱包插件里输的密码,加解密用 DApp 在自己代码里持有的密码
|
|
108
|
+
|
|
109
|
+
### 5.2 数据密码选择
|
|
110
|
+
|
|
111
|
+
推荐做法:
|
|
112
|
+
- **永远不要**用用户的钱包密码作为 `password`
|
|
113
|
+
- **永远不要**用用户已知的其他密码(如邮箱密码、登录密码)
|
|
114
|
+
- 推荐 DApp 在用户首次使用时**随机生成 32+ 字符的"应用密码"**,存到 `localStorage`(**加密形式**——DApp 自己的"数据密码"本身也要保护)或让用户保管
|
|
115
|
+
|
|
116
|
+
### 5.3 DApp 端的安全实践
|
|
117
|
+
|
|
118
|
+
- **不要**把密文/明文写到 `console.log` / `localStorage` 明文 / DOM
|
|
119
|
+
- **不要**用加解密服务来保护**私钥/助记词**——那是 wallet 自己的职责;DApp 永远不该接触明文私钥
|
|
120
|
+
- 解密后的 `Uint8Array` 用完即弃(不可显式 `secureWipe`,但应尽快失去引用)
|
|
121
|
+
- 在 `password` 字段发生错误时,**不**把错误信息(如"wrong password")显示给最终用户——防止攻击者用错误信息侧信道试密码
|
|
122
|
+
|
|
123
|
+
## 6. 限制与陷阱
|
|
124
|
+
|
|
125
|
+
- **不要**对相同 `(suite, password, plaintext)` 期待确定密文——salt + iv 每次随机
|
|
126
|
+
- **不要**在 UCAN 过期 / 站点未连接钱包 / 钱包锁定 时调用——会抛 `CipherError type=disconnected`
|
|
127
|
+
- 输出格式 `v1:...` 是 base64 字符串——**可粘贴到任何地方存储**(数据库、localStorage、剪贴板)
|
|
128
|
+
- 哈希套件(`sha-256` / `sm3`)的输出**没有"解密"概念**——`decrypt` 对哈希套件会抛 `Suite xxx is a hash, cannot decrypt`(钱包侧)
|
|
129
|
+
- 当前**不**支持 SM2 非对称加密(仅对称 + 哈希)——以后可能扩展
|
|
130
|
+
|
|
131
|
+
## 7. 完整 API
|
|
132
|
+
|
|
133
|
+
```ts
|
|
134
|
+
// src/auth/encrypt.ts
|
|
135
|
+
export interface CipherSuiteInfo { name: string; description: string; mode: 'hash' | 'symmetric'; }
|
|
136
|
+
export interface EncryptOptions { data: string | Uint8Array; password: string; suite?: string; provider?: Eip1193Provider; }
|
|
137
|
+
export interface DecryptOptions { ciphertext: string; password: string; provider?: Eip1193Provider; }
|
|
138
|
+
export interface GetCipherSuitesOptions { provider?: Eip1193Provider; }
|
|
139
|
+
|
|
140
|
+
export class CipherError extends Error { type; code; originalError; ... }
|
|
141
|
+
|
|
142
|
+
export function encrypt(options: EncryptOptions): Promise<string>;
|
|
143
|
+
export function decrypt(options: DecryptOptions): Promise<Uint8Array>;
|
|
144
|
+
export function getSupportedCipherSuites(options?: GetCipherSuitesOptions): Promise<CipherSuiteInfo[]>;
|
|
145
|
+
export function isUserRejectedWalletAction(error: unknown): boolean;
|
|
146
|
+
```
|