dignity.js 0.2.0 → 0.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +22 -16
- package/dist/dignity.cjs.js +45 -6
- package/dist/dignity.cjs.js.map +2 -2
- package/dist/dignity.esm.js +45 -6
- package/dist/dignity.esm.js.map +2 -2
- package/dist/dignity.min.js +5 -5
- package/package.json +2 -2
- package/src/security/message-security-service.js +51 -6
package/dist/dignity.esm.js
CHANGED
|
@@ -2454,7 +2454,8 @@ var require_message_security_service = __commonJS({
|
|
|
2454
2454
|
broadcastPasswords: {},
|
|
2455
2455
|
resolveBroadcastPassword: null,
|
|
2456
2456
|
powSteps: 22,
|
|
2457
|
-
trustedPeerKeys: {}
|
|
2457
|
+
trustedPeerKeys: {},
|
|
2458
|
+
kdfIterations: 1e5
|
|
2458
2459
|
};
|
|
2459
2460
|
function stableStringify(value) {
|
|
2460
2461
|
if (value === null || typeof value !== "object") {
|
|
@@ -2481,6 +2482,33 @@ var require_message_security_service = __commonJS({
|
|
|
2481
2482
|
function utf8ToBytes(value) {
|
|
2482
2483
|
return naclUtil.decodeUTF8(value);
|
|
2483
2484
|
}
|
|
2485
|
+
async function deriveBroadcastKey(password, salt, iterations) {
|
|
2486
|
+
const subtle = globalThis.crypto && globalThis.crypto.subtle;
|
|
2487
|
+
if (subtle) {
|
|
2488
|
+
const keyMaterial = await subtle.importKey(
|
|
2489
|
+
"raw",
|
|
2490
|
+
utf8ToBytes(password),
|
|
2491
|
+
"PBKDF2",
|
|
2492
|
+
false,
|
|
2493
|
+
["deriveBits"]
|
|
2494
|
+
);
|
|
2495
|
+
const bits = await subtle.deriveBits(
|
|
2496
|
+
{ name: "PBKDF2", salt, iterations, hash: "SHA-256" },
|
|
2497
|
+
keyMaterial,
|
|
2498
|
+
256
|
|
2499
|
+
);
|
|
2500
|
+
return new Uint8Array(bits);
|
|
2501
|
+
}
|
|
2502
|
+
try {
|
|
2503
|
+
const { pbkdf2Sync } = __require("crypto");
|
|
2504
|
+
return new Uint8Array(pbkdf2Sync(password, Buffer.from(salt), iterations, 32, "sha256"));
|
|
2505
|
+
} catch (_ignored) {
|
|
2506
|
+
return hash32(concatBytes(utf8ToBytes(password), salt));
|
|
2507
|
+
}
|
|
2508
|
+
}
|
|
2509
|
+
function legacyBroadcastKey(password, salt) {
|
|
2510
|
+
return hash32(concatBytes(utf8ToBytes(password), salt));
|
|
2511
|
+
}
|
|
2484
2512
|
function normalizePeerPublicKey(publicKey) {
|
|
2485
2513
|
if (!publicKey || typeof publicKey !== "object") {
|
|
2486
2514
|
throw new Error("Public key must be an object with signingPublicKey and encryptionPublicKey");
|
|
@@ -2641,7 +2669,7 @@ var require_message_security_service = __commonJS({
|
|
|
2641
2669
|
if (envelope.security && envelope.security.signing && envelope.security.signing.enabled && this.options.signingEnabled) {
|
|
2642
2670
|
this.verifySignature(envelope);
|
|
2643
2671
|
}
|
|
2644
|
-
const payload = this.decryptPayload(envelope);
|
|
2672
|
+
const payload = await this.decryptPayload(envelope);
|
|
2645
2673
|
return {
|
|
2646
2674
|
ignored: false,
|
|
2647
2675
|
messageType: envelope.messageType,
|
|
@@ -2706,7 +2734,8 @@ var require_message_security_service = __commonJS({
|
|
|
2706
2734
|
const nonce = nacl.randomBytes(nacl.secretbox.nonceLength);
|
|
2707
2735
|
const salt = nacl.randomBytes(16);
|
|
2708
2736
|
const password = this.resolveBroadcastPassword(scope);
|
|
2709
|
-
const
|
|
2737
|
+
const iterations = this.options.kdfIterations || DEFAULT_SECURITY_OPTIONS.kdfIterations;
|
|
2738
|
+
const key = await deriveBroadcastKey(password, salt, iterations);
|
|
2710
2739
|
const encrypted = nacl.secretbox(plainText, nonce, key);
|
|
2711
2740
|
return {
|
|
2712
2741
|
payload: naclUtil.encodeBase64(encrypted),
|
|
@@ -2715,11 +2744,13 @@ var require_message_security_service = __commonJS({
|
|
|
2715
2744
|
mode: "broadcast",
|
|
2716
2745
|
scope,
|
|
2717
2746
|
nonce: naclUtil.encodeBase64(nonce),
|
|
2718
|
-
salt: naclUtil.encodeBase64(salt)
|
|
2747
|
+
salt: naclUtil.encodeBase64(salt),
|
|
2748
|
+
kdf: "pbkdf2",
|
|
2749
|
+
kdfIterations: iterations
|
|
2719
2750
|
}
|
|
2720
2751
|
};
|
|
2721
2752
|
}
|
|
2722
|
-
decryptPayload(envelope) {
|
|
2753
|
+
async decryptPayload(envelope) {
|
|
2723
2754
|
const encryption = envelope.security ? envelope.security.encryption : null;
|
|
2724
2755
|
if (!encryption || !encryption.enabled || !this.options.encryptionEnabled) {
|
|
2725
2756
|
return envelope.payload;
|
|
@@ -2730,7 +2761,13 @@ var require_message_security_service = __commonJS({
|
|
|
2730
2761
|
const password = this.resolveBroadcastPassword(scope);
|
|
2731
2762
|
const salt = naclUtil.decodeBase64(encryption.salt);
|
|
2732
2763
|
const nonce = naclUtil.decodeBase64(encryption.nonce);
|
|
2733
|
-
|
|
2764
|
+
let key;
|
|
2765
|
+
if (encryption.kdf === "pbkdf2") {
|
|
2766
|
+
const iterations = encryption.kdfIterations || DEFAULT_SECURITY_OPTIONS.kdfIterations;
|
|
2767
|
+
key = await deriveBroadcastKey(password, salt, iterations);
|
|
2768
|
+
} else {
|
|
2769
|
+
key = legacyBroadcastKey(password, salt);
|
|
2770
|
+
}
|
|
2734
2771
|
const decrypted = nacl.secretbox.open(encryptedBuffer, nonce, key);
|
|
2735
2772
|
if (!decrypted) {
|
|
2736
2773
|
throw new Error("Unable to decrypt broadcast payload");
|
|
@@ -2824,6 +2861,8 @@ var require_message_security_service = __commonJS({
|
|
|
2824
2861
|
module.exports = {
|
|
2825
2862
|
MessageSecurityService,
|
|
2826
2863
|
stableStringify,
|
|
2864
|
+
deriveBroadcastKey,
|
|
2865
|
+
legacyBroadcastKey,
|
|
2827
2866
|
DEFAULT_SECURITY_OPTIONS
|
|
2828
2867
|
};
|
|
2829
2868
|
}
|