appium-ios-remotexpc 0.0.4 → 0.0.5

package/CHANGELOG.md

@@ -1,3 +1,9 @@
+## [0.0.5](https://github.com/appium/appium-ios-remotexpc/compare/v0.0.4...v0.0.5) (2025-07-04)
+
+### Miscellaneous Chores
+
+* add appletv encryption module for RemoteXPC support ([#50](https://github.com/appium/appium-ios-remotexpc/issues/50)) ([0e5f3c6](https://github.com/appium/appium-ios-remotexpc/commit/0e5f3c6064bb0dc02f05f9349bac942c4c3bc951))
+
 ## [0.0.4](https://github.com/appium/appium-ios-remotexpc/compare/v0.0.3...v0.0.4) (2025-07-03)
 
 ### Miscellaneous Chores

package/build/src/lib/apple-tv/constants.d.ts

@@ -46,4 +46,32 @@ export declare const SRP_KEY_LENGTH_BYTES = 384;
 export declare const SRP_PRIVATE_KEY_BITS = 256;
 export declare const HKDF_HASH_ALGORITHM = "sha512";
 export declare const HKDF_HASH_LENGTH = 64;
+export declare const OPACK2_NULL = 3;
+export declare const OPACK2_TRUE = 1;
+export declare const OPACK2_FALSE = 2;
+export declare const OPACK2_SMALL_INT_OFFSET = 8;
+export declare const OPACK2_SMALL_INT_MAX = 39;
+export declare const OPACK2_SMALL_STRING_MAX = 32;
+export declare const OPACK2_SMALL_BYTES_MAX = 32;
+export declare const OPACK2_SMALL_ARRAY_MAX = 15;
+export declare const OPACK2_SMALL_DICT_MAX = 15;
+export declare const OPACK2_INT8_MARKER = 48;
+export declare const OPACK2_INT32_MARKER = 50;
+export declare const OPACK2_INT64_MARKER = 51;
+export declare const OPACK2_FLOAT_MARKER = 53;
+export declare const OPACK2_SMALL_STRING_BASE = 64;
+export declare const OPACK2_STRING_8BIT_LEN_MARKER = 97;
+export declare const OPACK2_STRING_16BIT_LEN_MARKER = 98;
+export declare const OPACK2_STRING_32BIT_LEN_MARKER = 99;
+export declare const OPACK2_SMALL_BYTES_BASE = 112;
+export declare const OPACK2_BYTES_8BIT_LEN_MARKER = 145;
+export declare const OPACK2_BYTES_16BIT_LEN_MARKER = 146;
+export declare const OPACK2_BYTES_32BIT_LEN_MARKER = 147;
+export declare const OPACK2_SMALL_ARRAY_BASE = 208;
+export declare const OPACK2_VARIABLE_ARRAY_MARKER = 223;
+export declare const OPACK2_SMALL_DICT_BASE = 224;
+export declare const OPACK2_VARIABLE_DICT_MARKER = 239;
+export declare const OPACK2_UINT8_MAX = 255;
+export declare const OPACK2_UINT16_MAX = 65535;
+export declare const OPACK2_UINT32_MAX = 4294967295;
 //# sourceMappingURL=constants.d.ts.map

package/build/src/lib/apple-tv/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../src/lib/apple-tv/constants.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,sBAAsB;;;;;CAKzB,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgC3B,CAAC;AAGX,eAAO,MAAM,sBAAsB,MAAM,CAAC;AAG1C,eAAO,MAAM,cAAc,QAc1B,CAAC;AAGF,eAAO,MAAM,aAAa,QAAY,CAAC;AAGvC,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAG3C,eAAO,MAAM,YAAY,eAAe,CAAC;AAGzC,eAAO,MAAM,oBAAoB,MAAM,CAAC;AAGxC,eAAO,MAAM,oBAAoB,MAAM,CAAC;AAGxC,eAAO,MAAM,mBAAmB,WAAW,CAAC;AAG5C,eAAO,MAAM,gBAAgB,KAAK,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../../../src/lib/apple-tv/constants.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,sBAAsB;;;;;CAKzB,CAAC;AAGX,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgC3B,CAAC;AAGX,eAAO,MAAM,sBAAsB,MAAM,CAAC;AAG1C,eAAO,MAAM,cAAc,QAc1B,CAAC;AAGF,eAAO,MAAM,aAAa,QAAY,CAAC;AAGvC,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAG3C,eAAO,MAAM,YAAY,eAAe,CAAC;AAGzC,eAAO,MAAM,oBAAoB,MAAM,CAAC;AAGxC,eAAO,MAAM,oBAAoB,MAAM,CAAC;AAGxC,eAAO,MAAM,mBAAmB,WAAW,CAAC;AAG5C,eAAO,MAAM,gBAAgB,KAAK,CAAC;AAGnC,eAAO,MAAM,WAAW,IAAO,CAAC;AAChC,eAAO,MAAM,WAAW,IAAO,CAAC;AAChC,eAAO,MAAM,YAAY,IAAO,CAAC;AACjC,eAAO,MAAM,uBAAuB,IAAI,CAAC;AACzC,eAAO,MAAM,oBAAoB,KAAO,CAAC;AACzC,eAAO,MAAM,uBAAuB,KAAO,CAAC;AAC5C,eAAO,MAAM,sBAAsB,KAAO,CAAC;AAC3C,eAAO,MAAM,sBAAsB,KAAK,CAAC;AACzC,eAAO,MAAM,qBAAqB,KAAK,CAAC;AAGxC,eAAO,MAAM,kBAAkB,KAAO,CAAC;AACvC,eAAO,MAAM,mBAAmB,KAAO,CAAC;AACxC,eAAO,MAAM,mBAAmB,KAAO,CAAC;AACxC,eAAO,MAAM,mBAAmB,KAAO,CAAC;AAGxC,eAAO,MAAM,wBAAwB,KAAO,CAAC;AAC7C,eAAO,MAAM,6BAA6B,KAAO,CAAC;AAClD,eAAO,MAAM,8BAA8B,KAAO,CAAC;AACnD,eAAO,MAAM,8BAA8B,KAAO,CAAC;AAGnD,eAAO,MAAM,uBAAuB,MAAO,CAAC;AAC5C,eAAO,MAAM,4BAA4B,MAAO,CAAC;AACjD,eAAO,MAAM,6BAA6B,MAAO,CAAC;AAClD,eAAO,MAAM,6BAA6B,MAAO,CAAC;AAGlD,eAAO,MAAM,uBAAuB,MAAO,CAAC;AAC5C,eAAO,MAAM,4BAA4B,MAAO,CAAC;AAGjD,eAAO,MAAM,sBAAsB,MAAO,CAAC;AAC3C,eAAO,MAAM,2BAA2B,MAAO,CAAC;AAGhD,eAAO,MAAM,gBAAgB,MAAO,CAAC;AACrC,eAAO,MAAM,iBAAiB,QAAS,CAAC;AACxC,eAAO,MAAM,iBAAiB,aAAa,CAAC"}

package/build/src/lib/apple-tv/constants.js

@@ -69,3 +69,38 @@ export const SRP_PRIVATE_KEY_BITS = 256;
 export const HKDF_HASH_ALGORITHM = 'sha512';
 // Output length (in bytes) for HKDF key derivation
 export const HKDF_HASH_LENGTH = 64;
+// OPACK2 encoding constants
+export const OPACK2_NULL = 0x03;
+export const OPACK2_TRUE = 0x01;
+export const OPACK2_FALSE = 0x02;
+export const OPACK2_SMALL_INT_OFFSET = 8;
+export const OPACK2_SMALL_INT_MAX = 0x27;
+export const OPACK2_SMALL_STRING_MAX = 0x20;
+export const OPACK2_SMALL_BYTES_MAX = 0x20;
+export const OPACK2_SMALL_ARRAY_MAX = 15;
+export const OPACK2_SMALL_DICT_MAX = 15;
+// OPACK2 number type markers
+export const OPACK2_INT8_MARKER = 0x30;
+export const OPACK2_INT32_MARKER = 0x32;
+export const OPACK2_INT64_MARKER = 0x33;
+export const OPACK2_FLOAT_MARKER = 0x35;
+// OPACK2 string type markers
+export const OPACK2_SMALL_STRING_BASE = 0x40;
+export const OPACK2_STRING_8BIT_LEN_MARKER = 0x61;
+export const OPACK2_STRING_16BIT_LEN_MARKER = 0x62;
+export const OPACK2_STRING_32BIT_LEN_MARKER = 0x63;
+// OPACK2 bytes type markers
+export const OPACK2_SMALL_BYTES_BASE = 0x70;
+export const OPACK2_BYTES_8BIT_LEN_MARKER = 0x91;
+export const OPACK2_BYTES_16BIT_LEN_MARKER = 0x92;
+export const OPACK2_BYTES_32BIT_LEN_MARKER = 0x93;
+// OPACK2 array type markers
+export const OPACK2_SMALL_ARRAY_BASE = 0xd0;
+export const OPACK2_VARIABLE_ARRAY_MARKER = 0xdf;
+// OPACK2 dictionary type markers
+export const OPACK2_SMALL_DICT_BASE = 0xe0;
+export const OPACK2_VARIABLE_DICT_MARKER = 0xef;
+// OPACK2 size limits
+export const OPACK2_UINT8_MAX = 0xff;
+export const OPACK2_UINT16_MAX = 0xffff;
+export const OPACK2_UINT32_MAX = 0xffffffff;

package/build/src/lib/apple-tv/encryption/chacha20-poly1305.d.ts

@@ -0,0 +1,22 @@
+export interface ChaCha20Poly1305Params {
+    plaintext?: Buffer;
+    ciphertext?: Buffer;
+    key: Buffer;
+    nonce: Buffer;
+    aad?: Buffer;
+}
+/**
+ * Encrypts data using ChaCha20-Poly1305 AEAD cipher
+ * @param params - Encryption parameters including plaintext, key, nonce, and optional AAD
+ * @returns Buffer containing encrypted data concatenated with authentication tag
+ * @throws CryptographyError if encryption fails or required parameters are missing
+ */
+export declare function encryptChaCha20Poly1305(params: ChaCha20Poly1305Params): Buffer;
+/**
+ * Decrypts data using ChaCha20-Poly1305 AEAD cipher with multiple fallback strategies
+ * @param params - Decryption parameters including ciphertext, key, nonce, and optional AAD
+ * @returns Buffer containing decrypted plaintext
+ * @throws CryptographyError if all decryption attempts fail or required parameters are missing
+ */
+export declare function decryptChaCha20Poly1305(params: ChaCha20Poly1305Params): Buffer;
+//# sourceMappingURL=chacha20-poly1305.d.ts.map

package/build/src/lib/apple-tv/encryption/chacha20-poly1305.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"chacha20-poly1305.d.ts","sourceRoot":"","sources":["../../../../../src/lib/apple-tv/encryption/chacha20-poly1305.ts"],"names":[],"mappings":"AAOA,MAAM,WAAW,sBAAsB;IACrC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAOD;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,sBAAsB,GAC7B,MAAM,CAiCR;AAED;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,sBAAsB,GAC7B,MAAM,CA2ER"}

package/build/src/lib/apple-tv/encryption/chacha20-poly1305.js

@@ -0,0 +1,97 @@
+import { logger } from '@appium/support';
+import { createCipheriv, createDecipheriv } from 'node:crypto';
+import { CryptographyError } from '../errors.js';
+const log = logger.getLogger('ChaCha20Poly1305');
+/**
+ * Encrypts data using ChaCha20-Poly1305 AEAD cipher
+ * @param params - Encryption parameters including plaintext, key, nonce, and optional AAD
+ * @returns Buffer containing encrypted data concatenated with authentication tag
+ * @throws CryptographyError if encryption fails or required parameters are missing
+ */
+export function encryptChaCha20Poly1305(params) {
+    const { plaintext, key, nonce, aad } = params;
+    if (!plaintext) {
+        throw new CryptographyError('Plaintext is required for encryption');
+    }
+    if (!key || key.length !== 32) {
+        throw new CryptographyError('Key must be 32 bytes');
+    }
+    if (!nonce || nonce.length !== 12) {
+        throw new CryptographyError('Nonce must be 12 bytes');
+    }
+    try {
+        const cipher = createCipheriv('chacha20-poly1305', key, nonce);
+        if (aad) {
+            cipher.setAAD(aad, { plaintextLength: plaintext.length });
+        }
+        const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+        const authTag = cipher.getAuthTag();
+        return Buffer.concat([encrypted, authTag]);
+    }
+    catch (error) {
+        log.error('ChaCha20-Poly1305 encryption failed:', error);
+        const message = error instanceof Error ? error.message : String(error);
+        throw new CryptographyError(`ChaCha20-Poly1305 encryption failed: ${message}`);
+    }
+}
+/**
+ * Decrypts data using ChaCha20-Poly1305 AEAD cipher with multiple fallback strategies
+ * @param params - Decryption parameters including ciphertext, key, nonce, and optional AAD
+ * @returns Buffer containing decrypted plaintext
+ * @throws CryptographyError if all decryption attempts fail or required parameters are missing
+ */
+export function decryptChaCha20Poly1305(params) {
+    const { ciphertext, key, nonce, aad } = params;
+    if (!ciphertext) {
+        throw new CryptographyError('Ciphertext is required for decryption');
+    }
+    if (!key || key.length !== 32) {
+        throw new CryptographyError('Key must be 32 bytes');
+    }
+    if (!nonce || nonce.length !== 12) {
+        throw new CryptographyError('Nonce must be 12 bytes');
+    }
+    if (ciphertext.length < 16) {
+        throw new CryptographyError('Ciphertext too short to contain authentication tag');
+    }
+    // ChaCha20-Poly1305 in Node.js only supports 16-byte authentication tags
+    const tagLength = 16;
+    const decryptionAttempts = [
+        { tagLen: tagLength, aad },
+        { tagLen: tagLength, aad: Buffer.alloc(0) },
+        { tagLen: tagLength, aad: undefined },
+    ];
+    let lastError;
+    for (const attempt of decryptionAttempts) {
+        try {
+            const encrypted = ciphertext.subarray(0, ciphertext.length - attempt.tagLen);
+            const authTag = ciphertext.subarray(ciphertext.length - attempt.tagLen);
+            const decipher = createDecipheriv('chacha20-poly1305', key, nonce);
+            decipher.setAuthTag(authTag);
+            if (attempt.aad !== undefined) {
+                decipher.setAAD(attempt.aad, { plaintextLength: encrypted.length });
+            }
+            const decrypted = Buffer.concat([
+                decipher.update(encrypted),
+                decipher.final(),
+            ]);
+            log.debug('Decryption successful with AAD:', attempt.aad ? 'provided' : 'none');
+            return decrypted;
+        }
+        catch (error) {
+            lastError = error instanceof Error ? error : new Error(String(error));
+        }
+    }
+    const errorMessage = lastError
+        ? `ChaCha20-Poly1305 decryption failed: ${lastError.message}`
+        : 'ChaCha20-Poly1305 decryption failed: invalid ciphertext or authentication tag';
+    // Log the error with stack trace for debugging real failures
+    // Skip logging in test environment to avoid cluttering test output with expected failures
+    if (lastError && process.env.NODE_ENV !== 'test') {
+        log.error('All ChaCha20-Poly1305 decryption attempts failed:', {
+            message: lastError.message,
+            stack: lastError.stack,
+        });
+    }
+    throw new CryptographyError(errorMessage);
+}

package/build/src/lib/apple-tv/encryption/ed25519.d.ts

@@ -0,0 +1,16 @@
+import type { PairingKeys } from '../types.js';
+/**
+ * Generates a new Ed25519 key pair for cryptographic operations
+ * @returns PairingKeys object containing 32-byte public and private key buffers
+ * @throws CryptographyError if key generation fails
+ */
+export declare function generateEd25519KeyPair(): PairingKeys;
+/**
+ * Creates an Ed25519 digital signature for the provided data
+ * @param data - The data to sign
+ * @param privateKey - 32-byte Ed25519 private key
+ * @returns Buffer containing the 64-byte signature
+ * @throws CryptographyError if signing fails or private key is invalid
+ */
+export declare function createEd25519Signature(data: Buffer, privateKey: Buffer): Buffer;
+//# sourceMappingURL=ed25519.d.ts.map

package/build/src/lib/apple-tv/encryption/ed25519.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ed25519.d.ts","sourceRoot":"","sources":["../../../../../src/lib/apple-tv/encryption/ed25519.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAW/C;;;;GAIG;AACH,wBAAgB,sBAAsB,IAAI,WAAW,CA4BpD;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CACpC,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,GACjB,MAAM,CA0BR"}

package/build/src/lib/apple-tv/encryption/ed25519.js

@@ -0,0 +1,93 @@
+import { logger } from '@appium/support';
+import { generateKeyPairSync, sign, } from 'node:crypto';
+import { CryptographyError } from '../errors.js';
+const log = logger.getLogger('Ed25519');
+const ED25519_PUBLIC_KEY_LENGTH = 32;
+const ED25519_PRIVATE_KEY_LENGTH = 32;
+const ED25519_PKCS8_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');
+/**
+ * Generates a new Ed25519 key pair for cryptographic operations
+ * @returns PairingKeys object containing 32-byte public and private key buffers
+ * @throws CryptographyError if key generation fails
+ */
+export function generateEd25519KeyPair() {
+    try {
+        const keyPair = generateKeyPairSync('ed25519');
+        const publicKeyDer = keyPair.publicKey.export({
+            type: 'spki',
+            format: 'der',
+        });
+        const privateKeyDer = keyPair.privateKey.export({
+            type: 'pkcs8',
+            format: 'der',
+        });
+        const publicKeyBuffer = extractEd25519PublicKey(publicKeyDer);
+        const privateKeyBuffer = extractEd25519PrivateKey(privateKeyDer);
+        return {
+            publicKey: publicKeyBuffer,
+            privateKey: privateKeyBuffer,
+        };
+    }
+    catch (error) {
+        log.error('Failed to generate Ed25519 key pair:', error);
+        const message = error instanceof Error ? error.message : String(error);
+        throw new CryptographyError(`Failed to generate Ed25519 key pair: ${message}`);
+    }
+}
+/**
+ * Creates an Ed25519 digital signature for the provided data
+ * @param data - The data to sign
+ * @param privateKey - 32-byte Ed25519 private key
+ * @returns Buffer containing the 64-byte signature
+ * @throws CryptographyError if signing fails or private key is invalid
+ */
+export function createEd25519Signature(data, privateKey) {
+    if (!data || data.length === 0) {
+        throw new CryptographyError('Data to sign cannot be empty');
+    }
+    if (!privateKey || privateKey.length !== ED25519_PRIVATE_KEY_LENGTH) {
+        throw new CryptographyError(`Private key must be ${ED25519_PRIVATE_KEY_LENGTH} bytes`);
+    }
+    try {
+        const privateKeyDer = Buffer.concat([ED25519_PKCS8_PREFIX, privateKey]);
+        return sign(null, data, {
+            key: privateKeyDer,
+            format: 'der',
+            type: 'pkcs8',
+        });
+    }
+    catch (error) {
+        log.error('Failed to create Ed25519 signature:', error);
+        const message = error instanceof Error ? error.message : String(error);
+        throw new CryptographyError(`Failed to create Ed25519 signature: ${message}`);
+    }
+}
+/**
+ * Extracts the raw 32-byte public key from DER-encoded SPKI format
+ * @param publicKeyDer - DER-encoded public key
+ * @returns 32-byte public key buffer
+ * @throws CryptographyError if extraction fails
+ */
+function extractEd25519PublicKey(publicKeyDer) {
+    if (publicKeyDer.length < ED25519_PUBLIC_KEY_LENGTH) {
+        throw new CryptographyError('Invalid public key DER format');
+    }
+    return publicKeyDer.subarray(publicKeyDer.length - ED25519_PUBLIC_KEY_LENGTH);
+}
+/**
+ * Extracts the raw 32-byte private key from DER-encoded PKCS#8 format
+ * @param privateKeyDer - DER-encoded private key
+ * @returns 32-byte private key buffer
+ * @throws CryptographyError if extraction fails
+ */
+function extractEd25519PrivateKey(privateKeyDer) {
+    const octetStringPattern = Buffer.from([0x04, 0x20]);
+    const index = privateKeyDer.indexOf(octetStringPattern);
+    if (index !== -1 && index + 34 <= privateKeyDer.length) {
+        return privateKeyDer.subarray(index + 2, index + 34);
+    }
+    if (privateKeyDer.length >= 48) {
+        return privateKeyDer.subarray(16, 48);
+    }
+    throw new CryptographyError('Unable to extract private key from DER format');
+}

package/build/src/lib/apple-tv/encryption/hkdf.d.ts

@@ -0,0 +1,18 @@
+export interface HKDFParams {
+    ikm: Buffer;
+    salt: Buffer | null;
+    info: Buffer;
+    length: number;
+}
+/**
+ * HMAC-based Key Derivation Function (HKDF) as defined in RFC 5869
+ * Derives cryptographic keys from input key material using a two-step process:
+ * 1. Extract: Generate a pseudorandom key from the input key material
+ * 2. Expand: Expand the pseudorandom key to the desired output length
+ *
+ * @param params - HKDF parameters including input key material, salt, info, and desired output length
+ * @returns Buffer containing the derived key material of specified length
+ * @throws CryptographyError if derivation fails or parameters are invalid
+ */
+export declare function hkdf(params: HKDFParams): Buffer;
+//# sourceMappingURL=hkdf.d.ts.map

package/build/src/lib/apple-tv/encryption/hkdf.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hkdf.d.ts","sourceRoot":"","sources":["../../../../../src/lib/apple-tv/encryption/hkdf.ts"],"names":[],"mappings":"AAQA,MAAM,WAAW,UAAU;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;CAChB;AAID;;;;;;;;;GASG;AACH,wBAAgB,IAAI,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CA6B/C"}

package/build/src/lib/apple-tv/encryption/hkdf.js

@@ -0,0 +1,73 @@
+import { logger } from '@appium/support';
+import { createHmac } from 'node:crypto';
+import { HKDF_HASH_ALGORITHM, HKDF_HASH_LENGTH } from '../constants.js';
+import { CryptographyError } from '../errors.js';
+const log = logger.getLogger('HKDF');
+const MAX_OUTPUT_LENGTH = 255 * HKDF_HASH_LENGTH;
+/**
+ * HMAC-based Key Derivation Function (HKDF) as defined in RFC 5869
+ * Derives cryptographic keys from input key material using a two-step process:
+ * 1. Extract: Generate a pseudorandom key from the input key material
+ * 2. Expand: Expand the pseudorandom key to the desired output length
+ *
+ * @param params - HKDF parameters including input key material, salt, info, and desired output length
+ * @returns Buffer containing the derived key material of specified length
+ * @throws CryptographyError if derivation fails or parameters are invalid
+ */
+export function hkdf(params) {
+    const { ikm, salt, info, length } = params;
+    if (!ikm || ikm.length === 0) {
+        throw new CryptographyError('Input key material (IKM) cannot be empty');
+    }
+    if (!info) {
+        throw new CryptographyError('Info parameter is required');
+    }
+    if (length <= 0) {
+        throw new CryptographyError('Output length must be positive');
+    }
+    if (length > MAX_OUTPUT_LENGTH) {
+        throw new CryptographyError(`Output length cannot exceed ${MAX_OUTPUT_LENGTH} bytes`);
+    }
+    try {
+        const extractedKey = hkdfExtract(ikm, salt);
+        return hkdfExpand(extractedKey, info, length);
+    }
+    catch (error) {
+        log.error('HKDF derivation failed:', error);
+        const message = error instanceof Error ? error.message : String(error);
+        throw new CryptographyError(`HKDF derivation failed: ${message}`);
+    }
+}
+/**
+ * HKDF Extract step: generates a pseudorandom key from input key material
+ * @param ikm - Input key material
+ * @param salt - Optional salt value (uses zero salt if null)
+ * @returns Pseudorandom key of hash length
+ */
+function hkdfExtract(ikm, salt) {
+    const actualSalt = salt || Buffer.alloc(HKDF_HASH_LENGTH);
+    return createHmac(HKDF_HASH_ALGORITHM, actualSalt).update(ikm).digest();
+}
+/**
+ * HKDF Expand a step: expands a pseudorandom key to desired output length
+ * @param prk - Pseudorandom key from extract step
+ * @param info - Context and application specific information
+ * @param length - Desired output key material length
+ * @returns Output key material of specified length
+ */
+function hkdfExpand(prk, info, length) {
+    const numberOfBlocks = Math.ceil(length / HKDF_HASH_LENGTH);
+    const blocks = [];
+    let previousBlock = Buffer.alloc(0);
+    for (let blockIndex = 1; blockIndex <= numberOfBlocks; blockIndex++) {
+        const hmac = createHmac(HKDF_HASH_ALGORITHM, prk);
+        hmac.update(previousBlock);
+        hmac.update(info);
+        hmac.update(Buffer.from([blockIndex]));
+        const currentBlock = hmac.digest();
+        blocks.push(currentBlock);
+        previousBlock = currentBlock;
+    }
+    const outputKeyMaterial = Buffer.concat(blocks);
+    return outputKeyMaterial.subarray(0, length);
+}

package/build/src/lib/apple-tv/encryption/index.d.ts

@@ -0,0 +1,5 @@
+export { Opack2 } from './opack2.js';
+export { encryptChaCha20Poly1305, decryptChaCha20Poly1305, type ChaCha20Poly1305Params, } from './chacha20-poly1305.js';
+export { generateEd25519KeyPair, createEd25519Signature } from './ed25519.js';
+export { hkdf, type HKDFParams } from './hkdf.js';
+//# sourceMappingURL=index.d.ts.map

package/build/src/lib/apple-tv/encryption/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/lib/apple-tv/encryption/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,OAAO,EACL,uBAAuB,EACvB,uBAAuB,EACvB,KAAK,sBAAsB,GAC5B,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,sBAAsB,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAE9E,OAAO,EAAE,IAAI,EAAE,KAAK,UAAU,EAAE,MAAM,WAAW,CAAC"}

package/build/src/lib/apple-tv/encryption/index.js

@@ -0,0 +1,4 @@
+export { Opack2 } from './opack2.js';
+export { encryptChaCha20Poly1305, decryptChaCha20Poly1305, } from './chacha20-poly1305.js';
+export { generateEd25519KeyPair, createEd25519Signature } from './ed25519.js';
+export { hkdf } from './hkdf.js';

package/build/src/lib/apple-tv/encryption/opack2.d.ts

@@ -0,0 +1,57 @@
+interface SerializableArray extends Array<SerializableValue> {
+}
+interface SerializableObject extends Record<string, SerializableValue> {
+}
+type SerializableValue = null | undefined | boolean | number | string | Buffer | SerializableArray | SerializableObject;
+/**
+ * OPACK2 binary serialization format encoder
+ * Implements Apple's OPACK2 protocol for efficient binary serialization of structured data
+ */
+export declare class Opack2 {
+    /**
+     * Serializes a JavaScript object to OPACK2 binary format
+     * @param obj - The object to serialize (supports primitives, arrays, objects, and Buffers)
+     * @returns Buffer containing the serialized data
+     * @throws AppleTVError if the object contains unsupported types
+     */
+    static dumps(obj: SerializableValue): Buffer;
+    /**
+     * Main encoding dispatcher that routes values to appropriate type-specific encoders
+     * @param obj - Value to encode
+     * @returns Buffer containing encoded value
+     * @throws AppleTVError for unsupported types
+     */
+    private static encode;
+    /**
+     * Encodes numeric values with the appropriate size optimization
+     * @param num - Number to encode
+     * @returns Buffer containing encoded number
+     */
+    private static encodeNumber;
+    /**
+     * Encodes UTF-8 strings with length-optimized headers
+     * @param str - String to encode
+     * @returns Buffer containing encoded string
+     */
+    private static encodeString;
+    /**
+     * Encodes binary data with length-optimized headers
+     * @param bytes - Buffer to encode
+     * @returns Buffer containing encoded binary data
+     */
+    private static encodeBytes;
+    /**
+     * Encodes arrays with count-optimized headers
+     * @param arr - Array to encode
+     * @returns Buffer containing encoded array
+     */
+    private static encodeArray;
+    /**
+     * Encodes objects/dictionaries with count-optimized headers
+     * @param dict - Object to encode
+     * @returns Buffer containing encoded dictionary
+     */
+    private static encodeDict;
+}
+export {};
+//# sourceMappingURL=opack2.d.ts.map

package/build/src/lib/apple-tv/encryption/opack2.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"opack2.d.ts","sourceRoot":"","sources":["../../../../../src/lib/apple-tv/encryption/opack2.ts"],"names":[],"mappings":"AAGA,UAAU,iBAAkB,SAAQ,KAAK,CAAC,iBAAiB,CAAC;CAAG;AAC/D,UAAU,kBAAmB,SAAQ,MAAM,CAAC,MAAM,EAAE,iBAAiB,CAAC;CAAG;AAEzE,KAAK,iBAAiB,GAClB,IAAI,GACJ,SAAS,GACT,OAAO,GACP,MAAM,GACN,MAAM,GACN,MAAM,GACN,iBAAiB,GACjB,kBAAkB,CAAC;AAEvB;;;GAGG;AACH,qBAAa,MAAM;IACjB;;;;;OAKG;IACH,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,iBAAiB,GAAG,MAAM;IAI5C;;;;;OAKG;IACH,OAAO,CAAC,MAAM,CAAC,MAAM;IAwCrB;;;;OAIG;IACH,OAAO,CAAC,MAAM,CAAC,YAAY;IAiC3B;;;;OAIG;IACH,OAAO,CAAC,MAAM,CAAC,YAAY;IAqC3B;;;;OAIG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAoC1B;;;;OAIG;IACH,OAAO,CAAC,MAAM,CAAC,WAAW;IAuB1B;;;;OAIG;IACH,OAAO,CAAC,MAAM,CAAC,UAAU;CAyB1B"}