cipher-kit 2.1.3 → 3.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +324 -434
- package/dist/chunk-3A4RTUKO.cjs +509 -0
- package/dist/chunk-3A4RTUKO.cjs.map +1 -0
- package/dist/chunk-7254PEID.cjs +502 -0
- package/dist/chunk-7254PEID.cjs.map +1 -0
- package/dist/chunk-GL32EZRA.js +475 -0
- package/dist/chunk-GL32EZRA.js.map +1 -0
- package/dist/chunk-IY6XGUYO.js +494 -0
- package/dist/chunk-IY6XGUYO.js.map +1 -0
- package/dist/chunk-VCBHSRCS.cjs +523 -0
- package/dist/chunk-VCBHSRCS.cjs.map +1 -0
- package/dist/chunk-X6MX4NDE.js +478 -0
- package/dist/chunk-X6MX4NDE.js.map +1 -0
- package/dist/export-B-3CCZIO.d.cts +389 -0
- package/dist/export-BPo6yPV-.d.ts +389 -0
- package/dist/export-C0_UEEg8.d.ts +396 -0
- package/dist/export-DPuocAr3.d.cts +396 -0
- package/dist/index.cjs +11 -19
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +11 -40
- package/dist/index.d.ts +11 -40
- package/dist/index.js +3 -3
- package/dist/index.js.map +1 -1
- package/dist/node.cjs +39 -35
- package/dist/node.d.cts +3 -3
- package/dist/node.d.ts +3 -3
- package/dist/node.js +2 -2
- package/dist/validate-vDTesb-X.d.cts +195 -0
- package/dist/validate-vDTesb-X.d.ts +195 -0
- package/dist/web-api.cjs +39 -35
- package/dist/web-api.d.cts +2 -3
- package/dist/web-api.d.ts +2 -3
- package/dist/web-api.js +2 -2
- package/package.json +82 -92
- package/dist/chunk-BMX42IZM.cjs +0 -623
- package/dist/chunk-BMX42IZM.cjs.map +0 -1
- package/dist/chunk-HTRGOBZF.cjs +0 -169
- package/dist/chunk-HTRGOBZF.cjs.map +0 -1
- package/dist/chunk-LU7QOSQH.js +0 -141
- package/dist/chunk-LU7QOSQH.js.map +0 -1
- package/dist/chunk-S6SNCTU6.js +0 -485
- package/dist/chunk-S6SNCTU6.js.map +0 -1
- package/dist/chunk-T36BEDPY.js +0 -598
- package/dist/chunk-T36BEDPY.js.map +0 -1
- package/dist/chunk-ZNM5M6RD.cjs +0 -514
- package/dist/chunk-ZNM5M6RD.cjs.map +0 -1
- package/dist/export-BaM_OTFk.d.ts +0 -573
- package/dist/export-CCTGAosO.d.ts +0 -572
- package/dist/export-FYHgb-8E.d.cts +0 -572
- package/dist/export-KFT0YyMg.d.cts +0 -573
- package/dist/validate-lkJAHCeJ.d.cts +0 -399
- package/dist/validate-lkJAHCeJ.d.ts +0 -399
package/dist/chunk-T36BEDPY.js
DELETED
|
@@ -1,598 +0,0 @@
|
|
|
1
|
-
import { __export, $fmtResultErr, $ok, $err, $fmtError, title, $isStr, $isPlainObj, ENCRYPTION_ALGORITHMS, DIGEST_ALGORITHMS, CIPHER_ENCODING, $isSecretKey, matchEncryptedPattern, $stringifyObj, $parseToObj, ENCODING } from './chunk-LU7QOSQH.js';
|
|
2
|
-
|
|
3
|
-
// src/web/kit.ts
|
|
4
|
-
var kit_exports = {};
|
|
5
|
-
__export(kit_exports, {
|
|
6
|
-
convertBytesToStr: () => convertBytesToStr,
|
|
7
|
-
convertEncoding: () => convertEncoding,
|
|
8
|
-
convertStrToBytes: () => convertStrToBytes,
|
|
9
|
-
createSecretKey: () => createSecretKey,
|
|
10
|
-
decrypt: () => decrypt,
|
|
11
|
-
decryptObj: () => decryptObj,
|
|
12
|
-
encrypt: () => encrypt,
|
|
13
|
-
encryptObj: () => encryptObj,
|
|
14
|
-
generateUuid: () => generateUuid,
|
|
15
|
-
hash: () => hash,
|
|
16
|
-
hashPassword: () => hashPassword,
|
|
17
|
-
tryConvertBytesToStr: () => tryConvertBytesToStr,
|
|
18
|
-
tryConvertEncoding: () => tryConvertEncoding,
|
|
19
|
-
tryConvertStrToBytes: () => tryConvertStrToBytes,
|
|
20
|
-
tryCreateSecretKey: () => tryCreateSecretKey,
|
|
21
|
-
tryDecrypt: () => tryDecrypt,
|
|
22
|
-
tryDecryptObj: () => tryDecryptObj,
|
|
23
|
-
tryEncrypt: () => tryEncrypt,
|
|
24
|
-
tryEncryptObj: () => tryEncryptObj,
|
|
25
|
-
tryGenerateUuid: () => tryGenerateUuid,
|
|
26
|
-
tryHash: () => tryHash,
|
|
27
|
-
tryHashPassword: () => tryHashPassword,
|
|
28
|
-
verifyPassword: () => verifyPassword
|
|
29
|
-
});
|
|
30
|
-
|
|
31
|
-
// src/web/web-encode.ts
|
|
32
|
-
var textEncoder = new TextEncoder();
|
|
33
|
-
var textDecoder = new TextDecoder();
|
|
34
|
-
function $convertStrToBytes(data, inputEncoding = "utf8") {
|
|
35
|
-
if (!$isStr(data)) {
|
|
36
|
-
return $err({
|
|
37
|
-
msg: "Crypto Web API - String to Bytes: Empty data",
|
|
38
|
-
desc: "Data must be a non-empty string"
|
|
39
|
-
});
|
|
40
|
-
}
|
|
41
|
-
if (!ENCODING.includes(inputEncoding)) {
|
|
42
|
-
return $err({
|
|
43
|
-
msg: `Crypto Web API - String to Bytes: Unsupported encoding: ${inputEncoding}`,
|
|
44
|
-
desc: "Use base64, base64url, hex, utf8, or latin1"
|
|
45
|
-
});
|
|
46
|
-
}
|
|
47
|
-
try {
|
|
48
|
-
const bytes = strToBytes[inputEncoding](data);
|
|
49
|
-
return $ok({ result: bytes });
|
|
50
|
-
} catch (error) {
|
|
51
|
-
return $err({ msg: "Crypto Web API - String to Bytes: Failed to convert data", desc: $fmtError(error) });
|
|
52
|
-
}
|
|
53
|
-
}
|
|
54
|
-
function $convertBytesToStr(data, outputEncoding = "utf8") {
|
|
55
|
-
if (!(data instanceof ArrayBuffer || data instanceof Uint8Array)) {
|
|
56
|
-
return $err({
|
|
57
|
-
msg: "Crypto Web API - Bytes to String: Invalid data type",
|
|
58
|
-
desc: "Data must be an ArrayBuffer or Uint8Array"
|
|
59
|
-
});
|
|
60
|
-
}
|
|
61
|
-
if (!ENCODING.includes(outputEncoding)) {
|
|
62
|
-
return $err({
|
|
63
|
-
msg: `Crypto Web API - Bytes to String: Unsupported encoding: ${outputEncoding}`,
|
|
64
|
-
desc: "Use base64, base64url, hex, utf8, or latin1"
|
|
65
|
-
});
|
|
66
|
-
}
|
|
67
|
-
try {
|
|
68
|
-
const bytes = data instanceof Uint8Array ? data : new Uint8Array(data);
|
|
69
|
-
const str = bytesToStr[outputEncoding](bytes);
|
|
70
|
-
return $ok(str);
|
|
71
|
-
} catch (error) {
|
|
72
|
-
return $err({ msg: "Crypto Web API - Bytes to String: Failed to convert data", desc: $fmtError(error) });
|
|
73
|
-
}
|
|
74
|
-
}
|
|
75
|
-
function $convertEncoding(data, from, to) {
|
|
76
|
-
if (!$isStr(data)) {
|
|
77
|
-
return $err({
|
|
78
|
-
msg: "Crypto Web API - Convert Format: Empty data",
|
|
79
|
-
desc: "Data must be a non-empty string"
|
|
80
|
-
});
|
|
81
|
-
}
|
|
82
|
-
if (!ENCODING.includes(from) || !ENCODING.includes(to)) {
|
|
83
|
-
return $err({
|
|
84
|
-
msg: `Crypto Web API - Convert Format: Unsupported encoding: from ${from} to ${to}`,
|
|
85
|
-
desc: "Use base64, base64url, hex, utf8, or latin1"
|
|
86
|
-
});
|
|
87
|
-
}
|
|
88
|
-
const bytes = $convertStrToBytes(data, from);
|
|
89
|
-
if (bytes.error) return $err({ msg: bytes.error.message, desc: bytes.error.description });
|
|
90
|
-
const str = $convertBytesToStr(bytes.result, to);
|
|
91
|
-
if (str.error) return $err({ msg: str.error.message, desc: str.error.description });
|
|
92
|
-
return $ok({ result: str.result });
|
|
93
|
-
}
|
|
94
|
-
var strToBytes = {
|
|
95
|
-
base64: $fromBase64,
|
|
96
|
-
base64url: $fromBase64Url,
|
|
97
|
-
hex: $fromHex,
|
|
98
|
-
latin1: $fromLatin1,
|
|
99
|
-
utf8: (data) => textEncoder.encode(data)
|
|
100
|
-
};
|
|
101
|
-
var bytesToStr = {
|
|
102
|
-
base64: $toBase64,
|
|
103
|
-
base64url: $toBase64Url,
|
|
104
|
-
hex: $toHex,
|
|
105
|
-
latin1: $toLatin1,
|
|
106
|
-
utf8: (data) => textDecoder.decode(data)
|
|
107
|
-
};
|
|
108
|
-
function $toLatin1(bytes) {
|
|
109
|
-
let out = "";
|
|
110
|
-
const chunk = 1 << 15;
|
|
111
|
-
for (let i = 0; i < bytes.length; i += chunk) {
|
|
112
|
-
out += String.fromCharCode(...bytes.subarray(i, i + chunk));
|
|
113
|
-
}
|
|
114
|
-
return out;
|
|
115
|
-
}
|
|
116
|
-
function $fromLatin1(data) {
|
|
117
|
-
const out = new Uint8Array(data.length);
|
|
118
|
-
for (let i = 0; i < data.length; i++) {
|
|
119
|
-
const charCode = data.charCodeAt(i);
|
|
120
|
-
if (charCode > 255) throw new Error("Invalid latin1 string");
|
|
121
|
-
out[i] = charCode;
|
|
122
|
-
}
|
|
123
|
-
return out;
|
|
124
|
-
}
|
|
125
|
-
function $toBase64(bytes) {
|
|
126
|
-
return btoa($toLatin1(bytes));
|
|
127
|
-
}
|
|
128
|
-
function $fromBase64(data) {
|
|
129
|
-
return $fromLatin1(atob(data));
|
|
130
|
-
}
|
|
131
|
-
function $toBase64Url(bytes) {
|
|
132
|
-
return $toBase64(bytes).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
|
|
133
|
-
}
|
|
134
|
-
function $fromBase64Url(data) {
|
|
135
|
-
let base64 = data.replace(/-/g, "+").replace(/_/g, "/");
|
|
136
|
-
const padLen = (4 - base64.length % 4) % 4;
|
|
137
|
-
base64 += "=".repeat(padLen);
|
|
138
|
-
return $fromBase64(base64);
|
|
139
|
-
}
|
|
140
|
-
function $toHex(bytes) {
|
|
141
|
-
return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
|
|
142
|
-
}
|
|
143
|
-
function $fromHex(data) {
|
|
144
|
-
const clean = data.startsWith("0x") ? data.slice(2) : data;
|
|
145
|
-
if (clean.length % 2 !== 0) throw new Error("Invalid hex string");
|
|
146
|
-
const out = new Uint8Array(clean.length / 2);
|
|
147
|
-
for (let i = 0; i < out.length; i++) {
|
|
148
|
-
const byte = Number.parseInt(clean.slice(i * 2, i * 2 + 2), 16);
|
|
149
|
-
if (Number.isNaN(byte)) throw new Error("Invalid hex string");
|
|
150
|
-
out[i] = byte;
|
|
151
|
-
}
|
|
152
|
-
return out;
|
|
153
|
-
}
|
|
154
|
-
|
|
155
|
-
// src/web/web-encrypt.ts
|
|
156
|
-
function $generateUuid() {
|
|
157
|
-
try {
|
|
158
|
-
return $ok(crypto.randomUUID());
|
|
159
|
-
} catch (error) {
|
|
160
|
-
return $err({ msg: `${title("web", "UUID Generation")}: Failed to generate UUID`, desc: $fmtError(error) });
|
|
161
|
-
}
|
|
162
|
-
}
|
|
163
|
-
async function $createSecretKey(secret, options) {
|
|
164
|
-
if (!$isStr(secret, 8)) {
|
|
165
|
-
return $err({
|
|
166
|
-
msg: `${title("web", "Key Generation")}: Empty Secret`,
|
|
167
|
-
desc: "Secret must be a non-empty string with at least 8 characters"
|
|
168
|
-
});
|
|
169
|
-
}
|
|
170
|
-
if (!$isPlainObj(options)) {
|
|
171
|
-
return $err({
|
|
172
|
-
msg: `${title("web", "Key Generation")}: Invalid options`,
|
|
173
|
-
desc: "Options must be an object"
|
|
174
|
-
});
|
|
175
|
-
}
|
|
176
|
-
const algorithm = options.algorithm ?? "aes256gcm";
|
|
177
|
-
if (!(algorithm in ENCRYPTION_ALGORITHMS)) {
|
|
178
|
-
return $err({
|
|
179
|
-
msg: `${title("web", "Key Generation")}: Unsupported algorithm: ${algorithm}`,
|
|
180
|
-
desc: `Supported algorithms are: ${Object.keys(ENCRYPTION_ALGORITHMS).join(", ")}`
|
|
181
|
-
});
|
|
182
|
-
}
|
|
183
|
-
const digest = options.digest ?? "sha256";
|
|
184
|
-
if (!(digest in DIGEST_ALGORITHMS)) {
|
|
185
|
-
return $err({
|
|
186
|
-
msg: `${title("web", "Key Generation")}: Unsupported digest: ${digest}`,
|
|
187
|
-
desc: `Supported digests are: ${Object.keys(DIGEST_ALGORITHMS).join(", ")}`
|
|
188
|
-
});
|
|
189
|
-
}
|
|
190
|
-
const salt = options.salt ?? "cipher-kit-salt";
|
|
191
|
-
if (!$isStr(salt, 8)) {
|
|
192
|
-
return $err({
|
|
193
|
-
msg: `${title("web", "Key Generation")}: Weak salt`,
|
|
194
|
-
desc: "Salt must be a non-empty string with at least 8 characters"
|
|
195
|
-
});
|
|
196
|
-
}
|
|
197
|
-
const info = options.info ?? "cipher-kit";
|
|
198
|
-
if (!$isStr(info)) {
|
|
199
|
-
return $err({
|
|
200
|
-
msg: `${title("web", "Key Generation")}: Invalid info`,
|
|
201
|
-
desc: "Info must be a non-empty string"
|
|
202
|
-
});
|
|
203
|
-
}
|
|
204
|
-
const encryptAlgo = ENCRYPTION_ALGORITHMS[algorithm];
|
|
205
|
-
const digestAlgo = DIGEST_ALGORITHMS[digest];
|
|
206
|
-
try {
|
|
207
|
-
const ikm = await crypto.subtle.importKey("raw", textEncoder.encode(secret.normalize("NFKC")), "HKDF", false, [
|
|
208
|
-
"deriveKey"
|
|
209
|
-
]);
|
|
210
|
-
const key = await crypto.subtle.deriveKey(
|
|
211
|
-
{
|
|
212
|
-
name: "HKDF",
|
|
213
|
-
hash: digestAlgo.web,
|
|
214
|
-
salt: textEncoder.encode(salt.normalize("NFKC")),
|
|
215
|
-
info: textEncoder.encode(info.normalize("NFKC"))
|
|
216
|
-
},
|
|
217
|
-
ikm,
|
|
218
|
-
{ name: encryptAlgo.web, length: encryptAlgo.keyBytes * 8 },
|
|
219
|
-
true,
|
|
220
|
-
["encrypt", "decrypt"]
|
|
221
|
-
);
|
|
222
|
-
const secretKey = Object.freeze({
|
|
223
|
-
platform: "web",
|
|
224
|
-
digest,
|
|
225
|
-
algorithm,
|
|
226
|
-
key
|
|
227
|
-
});
|
|
228
|
-
return $ok({ result: secretKey });
|
|
229
|
-
} catch (error) {
|
|
230
|
-
return $err({
|
|
231
|
-
msg: `${title("web", "Key Generation")}: Failed to create secret key`,
|
|
232
|
-
desc: $fmtError(error)
|
|
233
|
-
});
|
|
234
|
-
}
|
|
235
|
-
}
|
|
236
|
-
async function $encrypt(data, secretKey, options) {
|
|
237
|
-
if (!$isStr(data)) {
|
|
238
|
-
return $err({
|
|
239
|
-
msg: `${title("web", "Encryption")}: Empty data for encryption`,
|
|
240
|
-
desc: "Data must be a non-empty string"
|
|
241
|
-
});
|
|
242
|
-
}
|
|
243
|
-
if (!$isPlainObj(options)) {
|
|
244
|
-
return $err({
|
|
245
|
-
msg: `${title("web", "Encryption")}: Invalid options`,
|
|
246
|
-
desc: "Options must be an object"
|
|
247
|
-
});
|
|
248
|
-
}
|
|
249
|
-
const outputEncoding = options.outputEncoding ?? "base64url";
|
|
250
|
-
if (!CIPHER_ENCODING.includes(outputEncoding)) {
|
|
251
|
-
return $err({
|
|
252
|
-
msg: `${title("web", "Encryption")}: Unsupported output encoding: ${outputEncoding}`,
|
|
253
|
-
desc: "Use base64, base64url, or hex"
|
|
254
|
-
});
|
|
255
|
-
}
|
|
256
|
-
const injectedKey = $isSecretKey(secretKey, "web");
|
|
257
|
-
if (!injectedKey) {
|
|
258
|
-
return $err({
|
|
259
|
-
msg: `${title("web", "Encryption")}: Invalid Secret Key`,
|
|
260
|
-
desc: "Expected a Web SecretKey"
|
|
261
|
-
});
|
|
262
|
-
}
|
|
263
|
-
const { result, error } = $convertStrToBytes(data, "utf8");
|
|
264
|
-
if (error) return $err(error);
|
|
265
|
-
try {
|
|
266
|
-
const iv = crypto.getRandomValues(new Uint8Array(injectedKey.injected.ivLength));
|
|
267
|
-
const cipherWithTag = await crypto.subtle.encrypt(
|
|
268
|
-
{ name: injectedKey.injected.web, iv },
|
|
269
|
-
injectedKey.key,
|
|
270
|
-
result
|
|
271
|
-
);
|
|
272
|
-
const ivStr = $convertBytesToStr(iv, outputEncoding);
|
|
273
|
-
const cipherStr = $convertBytesToStr(cipherWithTag, outputEncoding);
|
|
274
|
-
if (ivStr.error || cipherStr.error) {
|
|
275
|
-
return $err({
|
|
276
|
-
msg: `${title("web", "Encryption")}: Failed to convert IV or encrypted data`,
|
|
277
|
-
desc: `Conversion error: ${$fmtResultErr(ivStr.error || cipherStr.error)}`
|
|
278
|
-
});
|
|
279
|
-
}
|
|
280
|
-
return $ok(`${ivStr.result}.${cipherStr.result}.`);
|
|
281
|
-
} catch (error2) {
|
|
282
|
-
return $err({ msg: `${title("web", "Encryption")}: Failed to encrypt data`, desc: $fmtError(error2) });
|
|
283
|
-
}
|
|
284
|
-
}
|
|
285
|
-
async function $decrypt(encrypted, secretKey, options) {
|
|
286
|
-
if (!matchEncryptedPattern(encrypted, "web")) {
|
|
287
|
-
return $err({
|
|
288
|
-
msg: `${title("web", "Decryption")}: Invalid encrypted data format`,
|
|
289
|
-
desc: 'Encrypted data must be in the format "iv.cipherWithTag."'
|
|
290
|
-
});
|
|
291
|
-
}
|
|
292
|
-
if (!$isPlainObj(options)) {
|
|
293
|
-
return $err({
|
|
294
|
-
msg: `${title("web", "Decryption")}: Invalid options`,
|
|
295
|
-
desc: "Options must be an object"
|
|
296
|
-
});
|
|
297
|
-
}
|
|
298
|
-
const inputEncoding = options.inputEncoding ?? "base64url";
|
|
299
|
-
if (!CIPHER_ENCODING.includes(inputEncoding)) {
|
|
300
|
-
return $err({
|
|
301
|
-
msg: `${title("web", "Decryption")}: Unsupported input encoding: ${inputEncoding}`,
|
|
302
|
-
desc: "Use base64, base64url, or hex"
|
|
303
|
-
});
|
|
304
|
-
}
|
|
305
|
-
const [iv, encryptedWithTag] = encrypted.split(".", 3);
|
|
306
|
-
if (!$isStr(iv) || !$isStr(encryptedWithTag)) {
|
|
307
|
-
return $err({
|
|
308
|
-
msg: `${title("web", "Decryption")}: Invalid encrypted data`,
|
|
309
|
-
desc: "Encrypted data must contain valid IV, encrypted and tag components"
|
|
310
|
-
});
|
|
311
|
-
}
|
|
312
|
-
const injectedKey = $isSecretKey(secretKey, "web");
|
|
313
|
-
if (!injectedKey) {
|
|
314
|
-
return $err({
|
|
315
|
-
msg: `${title("web", "Decryption")}: Invalid Secret Key`,
|
|
316
|
-
desc: "Expected a Web SecretKey"
|
|
317
|
-
});
|
|
318
|
-
}
|
|
319
|
-
const ivBytes = $convertStrToBytes(iv, inputEncoding);
|
|
320
|
-
const cipherWithTagBytes = $convertStrToBytes(encryptedWithTag, inputEncoding);
|
|
321
|
-
if (ivBytes.error || cipherWithTagBytes.error) {
|
|
322
|
-
return $err({
|
|
323
|
-
msg: `${title("web", "Decryption")}: Failed to convert IV or encrypted data`,
|
|
324
|
-
desc: `Conversion error: ${$fmtResultErr(ivBytes.error || cipherWithTagBytes.error)}`
|
|
325
|
-
});
|
|
326
|
-
}
|
|
327
|
-
try {
|
|
328
|
-
const decrypted = await crypto.subtle.decrypt(
|
|
329
|
-
{ name: injectedKey.injected.web, iv: ivBytes.result },
|
|
330
|
-
injectedKey.key,
|
|
331
|
-
cipherWithTagBytes.result
|
|
332
|
-
);
|
|
333
|
-
return $convertBytesToStr(decrypted, "utf8");
|
|
334
|
-
} catch (error) {
|
|
335
|
-
return $err({ msg: `${title("web", "Decryption")}: Failed to decrypt data`, desc: $fmtError(error) });
|
|
336
|
-
}
|
|
337
|
-
}
|
|
338
|
-
async function $encryptObj(data, secretKey, options) {
|
|
339
|
-
const { result, error } = $stringifyObj(data);
|
|
340
|
-
if (error) return $err(error);
|
|
341
|
-
return await $encrypt(result, secretKey, options);
|
|
342
|
-
}
|
|
343
|
-
async function $decryptObj(encrypted, secretKey, options) {
|
|
344
|
-
const { result, error } = await $decrypt(encrypted, secretKey, options);
|
|
345
|
-
if (error) return $err(error);
|
|
346
|
-
return $parseToObj(result);
|
|
347
|
-
}
|
|
348
|
-
async function $hash(data, options) {
|
|
349
|
-
if (!$isStr(data)) {
|
|
350
|
-
return $err({ msg: `${title("web", "Hashing")}: Empty data for hashing`, desc: "Data must be a non-empty string" });
|
|
351
|
-
}
|
|
352
|
-
if (!$isPlainObj(options)) {
|
|
353
|
-
return $err({
|
|
354
|
-
msg: `${title("web", "Hashing")}: Invalid options`,
|
|
355
|
-
desc: "Options must be an object"
|
|
356
|
-
});
|
|
357
|
-
}
|
|
358
|
-
const outputEncoding = options.outputEncoding ?? "base64url";
|
|
359
|
-
if (!CIPHER_ENCODING.includes(outputEncoding)) {
|
|
360
|
-
return $err({
|
|
361
|
-
msg: `${title("web", "Hashing")}: Unsupported output encoding: ${outputEncoding}`,
|
|
362
|
-
desc: "Use base64, base64url, or hex"
|
|
363
|
-
});
|
|
364
|
-
}
|
|
365
|
-
const digest = options.digest ?? "sha256";
|
|
366
|
-
if (!(digest in DIGEST_ALGORITHMS)) {
|
|
367
|
-
return $err({
|
|
368
|
-
msg: `${title("web", "Hashing")}: Unsupported digest: ${digest}`,
|
|
369
|
-
desc: `Supported digests are: ${Object.keys(DIGEST_ALGORITHMS).join(", ")}`
|
|
370
|
-
});
|
|
371
|
-
}
|
|
372
|
-
const digestAlgo = DIGEST_ALGORITHMS[digest];
|
|
373
|
-
const { result, error } = $convertStrToBytes(data, "utf8");
|
|
374
|
-
if (error) return $err(error);
|
|
375
|
-
try {
|
|
376
|
-
const hashed = await crypto.subtle.digest(digestAlgo.web, result);
|
|
377
|
-
return $convertBytesToStr(hashed, outputEncoding);
|
|
378
|
-
} catch (error2) {
|
|
379
|
-
return $err({ msg: `${title("web", "Hashing")}: Failed to hash data`, desc: $fmtError(error2) });
|
|
380
|
-
}
|
|
381
|
-
}
|
|
382
|
-
async function $hashPassword(password, options) {
|
|
383
|
-
if (!$isStr(password)) {
|
|
384
|
-
return $err({
|
|
385
|
-
msg: `${title("web", "Password Hashing")}: Empty password`,
|
|
386
|
-
desc: "Password must be a non-empty string"
|
|
387
|
-
});
|
|
388
|
-
}
|
|
389
|
-
if (!$isPlainObj(options)) {
|
|
390
|
-
return $err({
|
|
391
|
-
msg: `${title("web", "Password Hashing")}: Invalid options`,
|
|
392
|
-
desc: "Options must be an object"
|
|
393
|
-
});
|
|
394
|
-
}
|
|
395
|
-
const digest = options.digest ?? "sha512";
|
|
396
|
-
if (!(digest in DIGEST_ALGORITHMS)) {
|
|
397
|
-
return $err({
|
|
398
|
-
msg: `${title("web", "Password Hashing")}: Unsupported digest: ${digest}`,
|
|
399
|
-
desc: `Supported digests are: ${Object.keys(DIGEST_ALGORITHMS).join(", ")}`
|
|
400
|
-
});
|
|
401
|
-
}
|
|
402
|
-
const digestAlgo = DIGEST_ALGORITHMS[digest];
|
|
403
|
-
const outputEncoding = options.outputEncoding ?? "base64url";
|
|
404
|
-
if (!CIPHER_ENCODING.includes(outputEncoding)) {
|
|
405
|
-
return $err({
|
|
406
|
-
msg: `${title("web", "Password Hashing")}: Unsupported output encoding: ${outputEncoding}`,
|
|
407
|
-
desc: "Use base64, base64url, or hex"
|
|
408
|
-
});
|
|
409
|
-
}
|
|
410
|
-
const saltLength = options.saltLength ?? 16;
|
|
411
|
-
if (typeof saltLength !== "number" || saltLength < 8) {
|
|
412
|
-
return $err({
|
|
413
|
-
msg: `${title("web", "Password Hashing")}: Weak salt length`,
|
|
414
|
-
desc: "Salt length must be a number and at least 8 bytes (recommended 16)"
|
|
415
|
-
});
|
|
416
|
-
}
|
|
417
|
-
const iterations = options.iterations ?? 32e4;
|
|
418
|
-
if (typeof iterations !== "number" || iterations < 1e3) {
|
|
419
|
-
return $err({
|
|
420
|
-
msg: `${title("web", "Password Hashing")}: Weak iteration count`,
|
|
421
|
-
desc: "Iterations must be a number and at least 1000 (recommended 320,000 or more)"
|
|
422
|
-
});
|
|
423
|
-
}
|
|
424
|
-
const keyLength = options.keyLength ?? 64;
|
|
425
|
-
if (typeof keyLength !== "number" || keyLength < 16) {
|
|
426
|
-
return $err({
|
|
427
|
-
msg: `${title("web", "Password Hashing")}: Weak key length`,
|
|
428
|
-
desc: "Key length must be a number and at least 16 bytes (recommended 64)"
|
|
429
|
-
});
|
|
430
|
-
}
|
|
431
|
-
try {
|
|
432
|
-
const salt = crypto.getRandomValues(new Uint8Array(saltLength));
|
|
433
|
-
const baseKey = await crypto.subtle.importKey(
|
|
434
|
-
"raw",
|
|
435
|
-
textEncoder.encode(password.normalize("NFKC")),
|
|
436
|
-
"PBKDF2",
|
|
437
|
-
false,
|
|
438
|
-
["deriveBits"]
|
|
439
|
-
);
|
|
440
|
-
const bits = await crypto.subtle.deriveBits(
|
|
441
|
-
{ name: "PBKDF2", salt, iterations, hash: digestAlgo.web },
|
|
442
|
-
baseKey,
|
|
443
|
-
keyLength * 8
|
|
444
|
-
);
|
|
445
|
-
const saltStr = $convertBytesToStr(salt, outputEncoding);
|
|
446
|
-
if (saltStr.error) return $err(saltStr.error);
|
|
447
|
-
const hashedPasswordStr = $convertBytesToStr(bits, outputEncoding);
|
|
448
|
-
if (hashedPasswordStr.error) return $err(hashedPasswordStr.error);
|
|
449
|
-
return $ok({ result: hashedPasswordStr.result, salt: saltStr.result });
|
|
450
|
-
} catch (error) {
|
|
451
|
-
return $err({ msg: `${title("web", "Password Hashing")}: Failed to hash password`, desc: $fmtError(error) });
|
|
452
|
-
}
|
|
453
|
-
}
|
|
454
|
-
async function $verifyPassword(password, hashedPassword, salt, options) {
|
|
455
|
-
if (!$isStr(password) || !$isStr(hashedPassword) || !$isStr(salt) || !$isPlainObj(options)) {
|
|
456
|
-
return false;
|
|
457
|
-
}
|
|
458
|
-
const digest = options.digest ?? "sha512";
|
|
459
|
-
if (!(digest in DIGEST_ALGORITHMS)) return false;
|
|
460
|
-
const digestAlgo = DIGEST_ALGORITHMS[digest];
|
|
461
|
-
const inputEncoding = options.inputEncoding ?? "base64url";
|
|
462
|
-
if (!CIPHER_ENCODING.includes(inputEncoding)) return false;
|
|
463
|
-
const iterations = options.iterations ?? 32e4;
|
|
464
|
-
if (typeof iterations !== "number" || iterations < 1e3) return false;
|
|
465
|
-
const keyLength = options.keyLength ?? 64;
|
|
466
|
-
if (typeof keyLength !== "number" || keyLength < 16) return false;
|
|
467
|
-
const saltBytes = $convertStrToBytes(salt, inputEncoding);
|
|
468
|
-
if (saltBytes.error) return false;
|
|
469
|
-
const hashedPasswordBytes = $convertStrToBytes(hashedPassword, inputEncoding);
|
|
470
|
-
if (hashedPasswordBytes.error) return false;
|
|
471
|
-
try {
|
|
472
|
-
const baseKey = await crypto.subtle.importKey(
|
|
473
|
-
"raw",
|
|
474
|
-
textEncoder.encode(password.normalize("NFKC")),
|
|
475
|
-
"PBKDF2",
|
|
476
|
-
false,
|
|
477
|
-
["deriveBits"]
|
|
478
|
-
);
|
|
479
|
-
const bits = new Uint8Array(
|
|
480
|
-
await crypto.subtle.deriveBits(
|
|
481
|
-
{
|
|
482
|
-
name: "PBKDF2",
|
|
483
|
-
salt: saltBytes.result,
|
|
484
|
-
iterations,
|
|
485
|
-
hash: digestAlgo.web
|
|
486
|
-
},
|
|
487
|
-
baseKey,
|
|
488
|
-
keyLength * 8
|
|
489
|
-
)
|
|
490
|
-
);
|
|
491
|
-
if (bits === void 0 || hashedPasswordBytes.result === void 0) return false;
|
|
492
|
-
if (bits.length !== hashedPasswordBytes.result.length) return false;
|
|
493
|
-
let diff = 0;
|
|
494
|
-
for (let i = 0; i < bits.length; i++) {
|
|
495
|
-
diff |= bits[i] ^ hashedPasswordBytes.result[i];
|
|
496
|
-
}
|
|
497
|
-
return diff === 0;
|
|
498
|
-
} catch {
|
|
499
|
-
return false;
|
|
500
|
-
}
|
|
501
|
-
}
|
|
502
|
-
|
|
503
|
-
// src/web/kit.ts
|
|
504
|
-
function tryGenerateUuid() {
|
|
505
|
-
return $generateUuid();
|
|
506
|
-
}
|
|
507
|
-
function generateUuid() {
|
|
508
|
-
const { result, error } = $generateUuid();
|
|
509
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
510
|
-
return result;
|
|
511
|
-
}
|
|
512
|
-
async function tryCreateSecretKey(secret, options = {}) {
|
|
513
|
-
return await $createSecretKey(secret, options);
|
|
514
|
-
}
|
|
515
|
-
async function createSecretKey(secret, options = {}) {
|
|
516
|
-
const { result, error } = await $createSecretKey(secret, options);
|
|
517
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
518
|
-
return result;
|
|
519
|
-
}
|
|
520
|
-
async function tryEncrypt(data, secretKey, options = {}) {
|
|
521
|
-
return await $encrypt(data, secretKey, options);
|
|
522
|
-
}
|
|
523
|
-
async function encrypt(data, secretKey, options = {}) {
|
|
524
|
-
const { result, error } = await $encrypt(data, secretKey, options);
|
|
525
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
526
|
-
return result;
|
|
527
|
-
}
|
|
528
|
-
async function tryDecrypt(encrypted, secretKey, options = {}) {
|
|
529
|
-
return await $decrypt(encrypted, secretKey, options);
|
|
530
|
-
}
|
|
531
|
-
async function decrypt(encrypted, secretKey, options = {}) {
|
|
532
|
-
const { result, error } = await $decrypt(encrypted, secretKey, options);
|
|
533
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
534
|
-
return result;
|
|
535
|
-
}
|
|
536
|
-
async function tryEncryptObj(obj, secretKey, options = {}) {
|
|
537
|
-
return await $encryptObj(obj, secretKey, options);
|
|
538
|
-
}
|
|
539
|
-
async function encryptObj(obj, secretKey, options = {}) {
|
|
540
|
-
const { result, error } = await $encryptObj(obj, secretKey, options);
|
|
541
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
542
|
-
return result;
|
|
543
|
-
}
|
|
544
|
-
async function tryDecryptObj(encrypted, secretKey, options = {}) {
|
|
545
|
-
return await $decryptObj(encrypted, secretKey, options);
|
|
546
|
-
}
|
|
547
|
-
async function decryptObj(encrypted, secretKey, options = {}) {
|
|
548
|
-
const { result, error } = await $decryptObj(encrypted, secretKey, options);
|
|
549
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
550
|
-
return result;
|
|
551
|
-
}
|
|
552
|
-
async function tryHash(data, options = {}) {
|
|
553
|
-
return await $hash(data, options);
|
|
554
|
-
}
|
|
555
|
-
async function hash(data, options = {}) {
|
|
556
|
-
const { result, error } = await $hash(data, options);
|
|
557
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
558
|
-
return result;
|
|
559
|
-
}
|
|
560
|
-
async function tryHashPassword(password, options = {}) {
|
|
561
|
-
return await $hashPassword(password, options);
|
|
562
|
-
}
|
|
563
|
-
async function hashPassword(password, options = {}) {
|
|
564
|
-
const { result, salt, error } = await $hashPassword(password, options);
|
|
565
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
566
|
-
return { result, salt };
|
|
567
|
-
}
|
|
568
|
-
async function verifyPassword(password, hashedPassword, salt, options = {}) {
|
|
569
|
-
return await $verifyPassword(password, hashedPassword, salt, options);
|
|
570
|
-
}
|
|
571
|
-
function tryConvertStrToBytes(data, inputEncoding = "utf8") {
|
|
572
|
-
return $convertStrToBytes(data, inputEncoding);
|
|
573
|
-
}
|
|
574
|
-
function convertStrToBytes(data, inputEncoding = "utf8") {
|
|
575
|
-
const { result, error } = $convertStrToBytes(data, inputEncoding);
|
|
576
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
577
|
-
return result;
|
|
578
|
-
}
|
|
579
|
-
function tryConvertBytesToStr(data, outputEncoding = "utf8") {
|
|
580
|
-
return $convertBytesToStr(data, outputEncoding);
|
|
581
|
-
}
|
|
582
|
-
function convertBytesToStr(data, outputEncoding = "utf8") {
|
|
583
|
-
const { result, error } = $convertBytesToStr(data, outputEncoding);
|
|
584
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
585
|
-
return result;
|
|
586
|
-
}
|
|
587
|
-
function tryConvertEncoding(data, from, to) {
|
|
588
|
-
return $convertEncoding(data, from, to);
|
|
589
|
-
}
|
|
590
|
-
function convertEncoding(data, from, to) {
|
|
591
|
-
const { result, error } = $convertEncoding(data, from, to);
|
|
592
|
-
if (error) throw new Error($fmtResultErr(error));
|
|
593
|
-
return result;
|
|
594
|
-
}
|
|
595
|
-
|
|
596
|
-
export { convertBytesToStr, convertEncoding, convertStrToBytes, createSecretKey, decrypt, decryptObj, encrypt, encryptObj, generateUuid, hash, hashPassword, kit_exports, tryConvertBytesToStr, tryConvertEncoding, tryConvertStrToBytes, tryCreateSecretKey, tryDecrypt, tryDecryptObj, tryEncrypt, tryEncryptObj, tryGenerateUuid, tryHash, tryHashPassword, verifyPassword };
|
|
597
|
-
//# sourceMappingURL=chunk-T36BEDPY.js.map
|
|
598
|
-
//# sourceMappingURL=chunk-T36BEDPY.js.map
|