edhoc 1.0.4 → 1.1.0

package/dist/edhoc.d.ts

@@ -0,0 +1,368 @@
+/**
+ * Enumerates the types of credential formats that can be used with EDHOC.
+ */
+export declare enum EdhocCredentialsFormat {
+    kid = 4,// Represents a key identifier.
+    x5chain = 33,// Represents an X.509 certificate chain.
+    x5t = 34
+}
+/**
+ * Base interface for EDHOC credentials.
+ */
+export interface EdhocCredentials {
+    format: EdhocCredentialsFormat;
+    privateKeyID?: Buffer;
+    publicKey?: Buffer;
+}
+/**
+ * Extends EdhocCredentials for credentials using a key identifier (KID).
+ */
+export interface EdhocCredentialsKID extends EdhocCredentials {
+    format: EdhocCredentialsFormat.kid;
+    kid: {
+        kid: number | Buffer;
+        credentials?: Buffer;
+        isCBOR?: boolean;
+    };
+}
+/**
+ * Extends EdhocCredentials for credentials using an X.509 certificate chain.
+ */
+export interface EdhocCredentialsCertificateChain extends EdhocCredentials {
+    format: EdhocCredentialsFormat.x5chain;
+    x5chain: {
+        certificates: Buffer[];
+    };
+}
+/**
+ * Extends EdhocCredentials for credentials using a hashed X.509 certificate.
+ */
+export interface EdhocCredentialsCertificateHash extends EdhocCredentials {
+    format: EdhocCredentialsFormat.x5t;
+    x5t: {
+        certificate?: Buffer;
+        hash: Buffer;
+        hashAlgorithm: EdhocCredentialsCertificateHashAlgorithm;
+    };
+}
+/**
+ * Enumerates the types of hash algorithms that can be used with hashed X.509 certificates.
+ */
+export declare enum EdhocCredentialsCertificateHashAlgorithm {
+    Sha256 = -16,// SHA-256 hash algorithm.
+    Sha256_64 = -15
+}
+/**
+ * Provides methods for managing EDHOC credentials.
+ */
+export interface EdhocCredentialManager {
+    /**
+     * Fetches EDHOC credentials based on the provided EDHOC context.
+     * @param edhoc The EDHOC context for which to fetch credentials.
+     * @return A promise that resolves to the fetched EdhocCredentials or throws an error if not successful.
+     */
+    fetch(edhoc: EDHOC): Promise<EdhocCredentials> | EdhocCredentials | never;
+    /**
+     * Verifies EDHOC credentials based on the provided EDHOC context and credentials.
+     * @param edhoc The EDHOC context against which to verify credentials.
+     * @param credentials The credentials to verify.
+     * @return A promise that resolves to the verified EdhocCredentials or throws an error if not successful.
+     */
+    verify(edhoc: EDHOC, credentials: EdhocCredentials, callback: (error: Error | null, credentials: EdhocCredentials) => void): void;
+}
+/**
+ * Enumerates the types of cryptographic operations that can be performed with EDHOC.
+ */
+export declare enum EdhocKeyType {
+    MakeKeyPair = 0,// Used to generate a key pair.
+    KeyAgreement = 1,// Used for key agreement operations.
+    Signature = 2,// Used for creating digital signatures.
+    Verify = 3,// Used for verifying digital signatures.
+    Extract = 4,// Used for extracting key material.
+    Expand = 5,// Used for expanding key material.
+    Encrypt = 6,// Used for encrypting data.
+    Decrypt = 7
+}
+/**
+ * Type representing a public key in buffer format.
+ */
+export type EdhocPublicKey = Buffer;
+/**
+ * Type representing a private key in buffer format.
+ */
+export type EdhocPrivateKey = Buffer;
+/**
+ * Represents a tuple of public and private keys.
+ */
+export interface PublicPrivateTuple {
+    publicKey: EdhocPublicKey;
+    privateKey: EdhocPrivateKey;
+}
+/**
+ * Manages cryptographic functions necessary for the operation of EDHOC protocols.
+ */
+export interface EdhocCryptoManager {
+    /**
+     * Imports a cryptographic key of the specified type.
+     * @param edhoc The EDHOC session context.
+     * @param keyType The type of key to import, as defined in EdhocKeyType.
+     * @param key Optional buffer containing seed or related data if necessary.
+     * @return A promise resolving to a Buffer containing the imported key.
+     */
+    importKey(edhoc: EDHOC, keyType: EdhocKeyType, key: Buffer): Promise<Buffer> | Buffer | never;
+    /**
+     * Destroys a cryptographic key identified by the keyID.
+     * @param edhoc The EDHOC session context.
+     * @param keyID Buffer identifying the key to destroy.
+     * @return A promise resolving to true if the key was successfully destroyed.
+     */
+    destroyKey(edhoc: EDHOC, keyID: Buffer): Promise<boolean> | boolean | never;
+    /**
+     * Generates a public-private key pair.
+     * @param edhoc The EDHOC session context.
+     * @param keyID Buffer to identify the key pair for future operations.
+     * @param privateKeySize Size in bytes for the private key.
+     * @param publicKeySize Size in bytes for the public key.
+     * @return A promise resolving to a PublicPrivateTuple containing both keys.
+    //  */
+    makeKeyPair(edhoc: EDHOC, keyID: Buffer, privateKeySize: number, publicKeySize: number): Promise<PublicPrivateTuple> | PublicPrivateTuple | never;
+    /**
+     * Performs a key agreement operation using a public and a private key.
+     * @param edhoc The EDHOC session context.
+     * @param keyID Buffer identifying the key agreement process.
+     * @param publicKey The public key of the other party.
+     * @param privateKeySize Size of the private key used in the key agreement.
+     * @return A promise resolving to the resultant private key.
+     */
+    keyAgreement(edhoc: EDHOC, keyID: Buffer, publicKey: EdhocPublicKey, privateKeySize: number): Promise<Buffer> | Buffer | never;
+    /**
+     * Signs data using a specified key.
+     * @param edhoc The EDHOC session context.
+     * @param keyID Buffer identifying the key to use for signing.
+     * @param input Buffer containing the data to sign.
+     * @param signatureSize The desired size of the signature.
+     * @return A promise resolving to the signature.
+     */
+    sign(edhoc: EDHOC, keyID: Buffer, input: Buffer, signatureSize: number): Promise<Buffer> | Buffer | never;
+    /**
+     * Verifies a signature against the provided data.
+     * @param edhoc The EDHOC session context.
+     * @param keyID Buffer identifying the key to use for verification.
+     * @param input Buffer containing the original data that was signed.
+     * @param signature Buffer containing the signature to verify.
+     * @return A promise resolving to true if the signature is valid.
+     */
+    verify(edhoc: EDHOC, keyID: Buffer, input: Buffer, signature: Buffer): Promise<boolean> | boolean | never;
+    /**
+     * Extracts a key using a salt.
+     * @param edhoc The EDHOC session context.
+     * @param keyID Buffer identifying the extraction process.
+     * @param salt Buffer containing the salt used in the extraction.
+     * @param keySize The desired size of the key to extract.
+     * @return A promise resolving to the extracted key.
+     */
+    extract(edhoc: EDHOC, keyID: Buffer, salt: Buffer, keySize: number): Promise<Buffer> | Buffer | never;
+    /**
+     * Expands a key using provided information.
+     * @param edhoc The EDHOC session context.
+     * @param keyID Buffer identifying the expansion process.
+     * @param info Buffer containing information used for key expansion.
+     * @param keySize The desired size of the key after expansion.
+     * @return A promise resolving to the expanded key.
+     */
+    expand(edhoc: EDHOC, keyID: Buffer, info: Buffer, keySize: number): Promise<Buffer> | Buffer | never;
+    /**
+     * Encrypts plaintext using a specified key and nonce.
+     * @param edhoc The EDHOC session context.
+     * @param keyID Buffer identifying the key to use for encryption.
+     * @param nonce Buffer containing the nonce to use in the encryption process.
+     * @param aad Buffer containing additional authenticated data.
+     * @param plaintext Buffer containing the data to encrypt.
+     * @param size The size of the output buffer.
+     * @return A promise resolving to the ciphertext.
+     */
+    encrypt(edhoc: EDHOC, keyID: Buffer, nonce: Buffer, aad: Buffer, plaintext: Buffer, size: number): Promise<Buffer> | Buffer | never;
+    /**
+     * Decrypts ciphertext using a specified key and nonce.
+     * @param edhoc The EDHOC session context.
+     * @param keyID Buffer identifying the key to use for decryption.
+     * @param nonce Buffer containing the nonce to use in the decryption process.
+     * @param aad Buffer containing additional authenticated data.
+     * @param ciphertext Buffer containing the data to decrypt.
+     * @param size The size of the output buffer.
+     * @return A promise resolving to the plaintext.
+     */
+    decrypt(edhoc: EDHOC, keyID: Buffer, nonce: Buffer, aad: Buffer, ciphertext: Buffer, size: number): Promise<Buffer> | Buffer | never;
+    /**
+     * Computes a hash of the given data.
+     * @param edhoc The EDHOC session context.
+     * @param data Buffer containing the data to hash.
+     * @param hashSize The size of the hash to compute.
+     * @return A promise resolving to the hash.
+     */
+    hash(edhoc: EDHOC, data: Buffer, hashSize: number): Promise<Buffer> | Buffer | never;
+}
+/**
+ * Represents an EDHOC connection identifier which can be either a number or a Buffer.
+ */
+export type EdhocConnectionID = number | Buffer;
+/**
+ * Enumerates the methods available for EDHOC protocol exchanges.
+ * Each method corresponds to different authentication mechanisms.
+ */
+export declare enum EdhocMethod {
+    Method0 = 0,
+    Method1 = 1,
+    Method2 = 2,
+    Method3 = 3
+}
+/**
+ * Enumerates the cipher suites available for EDHOC protocol operations.
+ * Each suite represents a set of cryptographic algorithms.
+ */
+export declare enum EdhocSuite {
+    Suite0 = 0,
+    Suite1 = 1,
+    Suite2 = 2,
+    Suite3 = 3,
+    Suite4 = 4,
+    Suite5 = 5,
+    Suite6 = 6,
+    Suite24 = 24,
+    Suite25 = 25
+}
+/**
+ * Represents an External Authorization Data (EAD) object used in EDHOC protocol exchanges.
+ * EAD objects carry additional authorization information relevant to the session.
+ */
+export interface EdhocEAD {
+    label: number;
+    value: Buffer;
+}
+/**
+ * Describes the context for OSCORE (Object Security for Constrained RESTful Environments) derived from EDHOC.
+ * OSCORE contexts are used to securely communicate over constrained networks.
+ */
+export interface EdhocOscoreContext {
+    masterSecret: Buffer;
+    masterSalt: Buffer;
+    senderId: Buffer;
+    recipientId: Buffer;
+}
+/**
+ * The EDHOC class encapsulates the EDHOC protocol logic, managing the lifecycle of an EDHOC session.
+ */
+export declare class EDHOC {
+    /**
+     * The connection ID used by the local entity for this EDHOC session.
+     */
+    connectionID: EdhocConnectionID;
+    /**
+     * The connection ID used by the peer entity, which is read-only and set during the EDHOC message exchange.
+     */
+    readonly peerConnectionID: EdhocConnectionID;
+    /**
+     * The methods of authentication to be used in this EDHOC session, as defined in EdhocMethod.
+     */
+    methods: EdhocMethod[];
+    /**
+     * The selected method of authentication to be used in this EDHOC session, as defined in EdhocMethod.
+     */
+    selectedMethod: EdhocMethod;
+    /**
+     * A list of cipher suites supported by this session, providing flexibility in cryptographic negotiations.
+     */
+    cipherSuites: EdhocSuite[];
+    /**
+     * Represents the selected EDHOC cipher suite.
+     */
+    selectedSuite: EdhocSuite;
+    /**
+     * A logging function to log operational data during the EDHOC protocol execution.
+     * @param name The name or description of the log entry.
+     * @param data The data to be logged, typically related to protocol messages or internal state.
+     */
+    logger: (name: string, data: Buffer) => void;
+    /**
+     * Constructs an EDHOC protocol handler.
+     * @param connectionID The identifier for this connection.
+     * @param method The EDHOC method to be used for the session.
+     * @param suite An array of supported cipher suites.
+     * @param credentials A manager for handling credentials related to EDHOC.
+     * @param crypto A crypto manager to handle cryptographic functions.
+     */
+    constructor(connectionID: EdhocConnectionID, methods: EdhocMethod[], suites: EdhocSuite[], credentials: EdhocCredentialManager, crypto: EdhocCryptoManager);
+    /**
+     * Composes the first EDHOC message.
+     * @param ead Optional array of EAD objects to include in the message.
+     * @return A promise that resolves to the composed message buffer.
+     */
+    composeMessage1(ead?: EdhocEAD[]): Promise<Buffer> | never;
+    /**
+     * Processes the received first EDHOC message.
+     * @param message The received message buffer.
+     * @return A promise that resolves to an array of EAD objects extracted from the message.
+     * @throws Error if processing fails, optionally including peerCipherSuites.
+     */
+    processMessage1(message: Buffer): Promise<EdhocEAD[]> | never;
+    /**
+     * Composes the second EDHOC message.
+     * @param ead Optional array of EAD objects to include in the message.
+     * @return A promise that resolves to the composed message buffer.
+     */
+    composeMessage2(ead?: EdhocEAD[]): Promise<Buffer> | never;
+    /**
+     * Processes the received second EDHOC message.
+     * @param message The received message buffer.
+     * @return A promise that resolves to an array of EAD objects extracted from the message.
+     * @throws Error if processing fails, optionally including peerCipherSuites.
+     */
+    processMessage2(message: Buffer): Promise<EdhocEAD[]> | never;
+    /**
+     * Composes the third EDHOC message.
+     * @param ead Optional array of EAD objects to include in the message.
+     * @return A promise that resolves to the composed message buffer.
+     */
+    composeMessage3(ead?: EdhocEAD[]): Promise<Buffer> | never;
+    /**
+     * Processes the received third EDHOC message.
+     * @param message The received message buffer.
+     * @return A promise that resolves to an array of EAD objects extracted from the message.
+     * @throws Error if processing fails, optionally including peerCipherSuites.
+     */
+    processMessage3(message: Buffer): Promise<EdhocEAD[]> | never;
+    /**
+     * Composes the fourth and final EDHOC message.
+     * @param ead Optional array of EAD objects to include in the message.
+     * @return A promise that resolves to the composed message buffer.
+     */
+    composeMessage4(ead?: EdhocEAD[]): Promise<Buffer> | never;
+    /**
+     * Processes the received fourth EDHOC message.
+     * @param message The received message buffer.
+     * @return A promise that resolves to an array of EAD objects extracted from the message.
+     * @throws Error if processing fails, optionally including peerCipherSuites.
+     */
+    processMessage4(message: Buffer): Promise<EdhocEAD[]> | never;
+    /**
+     * Exports the OSCORE context derived from the EDHOC session.
+     * @return A promise that resolves to the OSCORE context used for secured communication in constrained environments.
+     */
+    exportOSCORE(): Promise<EdhocOscoreContext> | never;
+    /**
+     * Exports the key derived from the EDHOC session using the EDHOC_Exporter interface.
+     * @param exporterLabel The label of the key to export, as a registered uint from the "EDHOC Exporter Labels" registry.
+     * @param length The desired length of the key to export.
+     * @return A promise that resolves to the exported key.
+     */
+    exportKey(exporterLabel: number, length: number): Promise<Buffer> | never;
+    /**
+     * Key update for the new OSCORE security session
+     * Read Appendix H of RFC 9528 - https://www.rfc-editor.org/rfc/rfc9528.html#appendix-H
+     * @param context Buffer containing the entropy for key update.
+     * @return A promise that resolves to void.
+     */
+    keyUpdate(context: Buffer): Promise<void> | never;
+}
+export * from './bindings';
+//# sourceMappingURL=edhoc.d.ts.map

package/dist/edhoc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"edhoc.d.ts","sourceRoot":"","sources":["../lib/edhoc.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,oBAAY,sBAAsB;IAC9B,GAAG,IAAI,CAAU,+BAA+B;IAChD,OAAO,KAAK,CAAK,yCAAyC;IAC1D,GAAG,KAAK;CACX;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC7B,MAAM,EAAE,sBAAsB,CAAC;IAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,gBAAgB;IACzD,MAAM,EAAE,sBAAsB,CAAC,GAAG,CAAC;IACnC,GAAG,EAAE;QACD,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;QACrB,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,MAAM,CAAC,EAAE,OAAO,CAAA;KACnB,CAAA;CACJ;AAED;;GAEG;AACH,MAAM,WAAW,gCAAiC,SAAQ,gBAAgB;IACtE,MAAM,EAAE,sBAAsB,CAAC,OAAO,CAAC;IACvC,OAAO,EAAE;QACL,YAAY,EAAE,MAAM,EAAE,CAAA;KACzB,CAAA;CACJ;AAED;;GAEG;AACH,MAAM,WAAW,+BAAgC,SAAQ,gBAAgB;IACrE,MAAM,EAAE,sBAAsB,CAAC,GAAG,CAAC;IACnC,GAAG,EAAE;QACD,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,IAAI,EAAE,MAAM,CAAC;QACb,aAAa,EAAE,wCAAwC,CAAA;KAC1D,CAAA;CACJ;AAED;;GAEG;AACH,oBAAY,wCAAwC;IAChD,MAAM,MAAM,CAAM,0BAA0B;IAC5C,SAAS,MAAM;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACnC;;;;OAIG;IACH,KAAK,CAAC,KAAK,EAAE,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC,GAAG,gBAAgB,GAAG,KAAK,CAAC;IAE1E;;;;;OAKG;IACH,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,QAAQ,EAAE,CAAC,KAAK,EAAE,KAAK,GAAG,IAAI,EAAE,WAAW,EAAE,gBAAgB,KAAK,IAAI,GAAG,IAAI,CAAC;CACrI;AAED;;GAEG;AACH,oBAAY,YAAY;IACpB,WAAW,IAAA,CAAG,+BAA+B;IAC7C,YAAY,IAAA,CAAE,qCAAqC;IACnD,SAAS,IAAA,CAAK,wCAAwC;IACtD,MAAM,IAAA,CAAQ,yCAAyC;IACvD,OAAO,IAAA,CAAO,oCAAoC;IAClD,MAAM,IAAA,CAAQ,mCAAmC;IACjD,OAAO,IAAA,CAAO,4BAA4B;IAC1C,OAAO,IAAA;CACV;AAED;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,MAAM,CAAC;AAEpC;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,MAAM,CAAC;AAErC;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAC/B,SAAS,EAAE,cAAc,CAAC;IAC1B,UAAU,EAAE,eAAe,CAAA;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAE/B;;;;;;OAMG;IACH,SAAS,CAAC,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,YAAY,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,KAAK,CAAC;IAE9F;;;;;OAKG;IACH,UAAU,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,KAAK,CAAC;IAE5E;;;;;;;UAOM;IACN,WAAW,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,GAAG,kBAAkB,GAAG,KAAK,CAAC;IAElJ;;;;;;;OAOG;IACH,YAAY,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,KAAK,CAAC;IAE/H;;;;;;;OAOG;IACH,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,KAAK,CAAC;IAE1G;;;;;;;OAOG;IACH,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,GAAG,KAAK,CAAC;IAE1G;;;;;;;OAOG;IACH,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,KAAK,CAAC;IAEtG;;;;;;;OAOG;IACH,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,KAAK,CAAC;IAErG;;;;;;;;;OASG;IACH,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,KAAK,CAAC;IAEpI;;;;;;;;;OASG;IACH,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,KAAK,CAAC;IAErI;;;;;;OAMG;IACH,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,MAAM,GAAG,KAAK,CAAC;CACxF;AAED;;GAEG;AAEH,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,MAAM,CAAC;AAEhD;;;GAGG;AAEH,oBAAY,WAAW;IACnB,OAAO,IAAI;IACX,OAAO,IAAA;IACP,OAAO,IAAA;IACP,OAAO,IAAA;CACV;AAED;;;GAGG;AAEH,oBAAY,UAAU;IAClB,MAAM,IAAI;IACV,MAAM,IAAA;IACN,MAAM,IAAA;IACN,MAAM,IAAA;IACN,MAAM,IAAA;IACN,MAAM,IAAA;IACN,MAAM,IAAA;IACN,OAAO,KAAK;IACZ,OAAO,KAAA;CACV;AAED;;;GAGG;AACH,MAAM,WAAW,QAAQ;IACrB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAA;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAA;CACtB;AAED;;GAEG;AACH,MAAM,CAAC,OAAO,OAAO,KAAK;IACtB;;OAEG;IACI,YAAY,EAAE,iBAAiB,CAAC;IAEvC;;OAEG;IACH,SAAgB,gBAAgB,EAAE,iBAAiB,CAAC;IAEpD;;OAEG;IACI,OAAO,EAAE,WAAW,EAAE,CAAC;IAE9B;;OAEG;IACI,cAAc,EAAE,WAAW,CAAC;IAEnC;;OAEG;IACI,YAAY,EAAE,UAAU,EAAE,CAAC;IAElC;;OAEG;IACI,aAAa,EAAE,UAAU,CAAC;IAEjC;;;;OAIG;IACI,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC;IAEpD;;;;;;;OAOG;gBACS,YAAY,EAAE,iBAAiB,EAAE,OAAO,EAAE,WAAW,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,EAAE,WAAW,EAAE,sBAAsB,EAAE,MAAM,EAAE,kBAAkB;IAE1J;;;;OAIG;IACI,eAAe,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK;IAEjE;;;;;OAKG;IACI,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,GAAG,KAAK;IAEpE;;;;OAIG;IACI,eAAe,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK;IAEjE;;;;;OAKG;IACI,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,GAAG,KAAK;IAEpE;;;;OAIG;IACI,eAAe,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK;IAEjE;;;;;OAKG;IACI,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,GAAG,KAAK;IAEpE;;;;OAIG;IACI,eAAe,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK;IAEjE;;;;;OAKG;IACI,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,EAAE,CAAC,GAAG,KAAK;IAEpE;;;OAGG;IACI,YAAY,IAAI,OAAO,CAAC,kBAAkB,CAAC,GAAG,KAAK;IAE1D;;;;;OAKG;IACI,SAAS,CAAC,aAAa,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK;IAEhF;;;;;OAKG;IACI,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,KAAK;CAC3D;AAED,cAAc,YAAY,CAAC"}

package/dist/edhoc.js

@@ -0,0 +1,76 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EdhocSuite = exports.EdhocMethod = exports.EdhocKeyType = exports.EdhocCredentialsCertificateHashAlgorithm = exports.EdhocCredentialsFormat = void 0;
+/**
+ * Enumerates the types of credential formats that can be used with EDHOC.
+ */
+var EdhocCredentialsFormat;
+(function (EdhocCredentialsFormat) {
+    EdhocCredentialsFormat[EdhocCredentialsFormat["kid"] = 4] = "kid";
+    EdhocCredentialsFormat[EdhocCredentialsFormat["x5chain"] = 33] = "x5chain";
+    EdhocCredentialsFormat[EdhocCredentialsFormat["x5t"] = 34] = "x5t"; // Represents a hashed X.509 certificate.
+})(EdhocCredentialsFormat || (exports.EdhocCredentialsFormat = EdhocCredentialsFormat = {}));
+/**
+ * Enumerates the types of hash algorithms that can be used with hashed X.509 certificates.
+ */
+var EdhocCredentialsCertificateHashAlgorithm;
+(function (EdhocCredentialsCertificateHashAlgorithm) {
+    EdhocCredentialsCertificateHashAlgorithm[EdhocCredentialsCertificateHashAlgorithm["Sha256"] = -16] = "Sha256";
+    EdhocCredentialsCertificateHashAlgorithm[EdhocCredentialsCertificateHashAlgorithm["Sha256_64"] = -15] = "Sha256_64"; // SHA-256 truncated to 64 bits.
+})(EdhocCredentialsCertificateHashAlgorithm || (exports.EdhocCredentialsCertificateHashAlgorithm = EdhocCredentialsCertificateHashAlgorithm = {}));
+/**
+ * Enumerates the types of cryptographic operations that can be performed with EDHOC.
+ */
+var EdhocKeyType;
+(function (EdhocKeyType) {
+    EdhocKeyType[EdhocKeyType["MakeKeyPair"] = 0] = "MakeKeyPair";
+    EdhocKeyType[EdhocKeyType["KeyAgreement"] = 1] = "KeyAgreement";
+    EdhocKeyType[EdhocKeyType["Signature"] = 2] = "Signature";
+    EdhocKeyType[EdhocKeyType["Verify"] = 3] = "Verify";
+    EdhocKeyType[EdhocKeyType["Extract"] = 4] = "Extract";
+    EdhocKeyType[EdhocKeyType["Expand"] = 5] = "Expand";
+    EdhocKeyType[EdhocKeyType["Encrypt"] = 6] = "Encrypt";
+    EdhocKeyType[EdhocKeyType["Decrypt"] = 7] = "Decrypt";
+})(EdhocKeyType || (exports.EdhocKeyType = EdhocKeyType = {}));
+/**
+ * Enumerates the methods available for EDHOC protocol exchanges.
+ * Each method corresponds to different authentication mechanisms.
+ */
+var EdhocMethod;
+(function (EdhocMethod) {
+    EdhocMethod[EdhocMethod["Method0"] = 0] = "Method0";
+    EdhocMethod[EdhocMethod["Method1"] = 1] = "Method1";
+    EdhocMethod[EdhocMethod["Method2"] = 2] = "Method2";
+    EdhocMethod[EdhocMethod["Method3"] = 3] = "Method3";
+})(EdhocMethod || (exports.EdhocMethod = EdhocMethod = {}));
+/**
+ * Enumerates the cipher suites available for EDHOC protocol operations.
+ * Each suite represents a set of cryptographic algorithms.
+ */
+var EdhocSuite;
+(function (EdhocSuite) {
+    EdhocSuite[EdhocSuite["Suite0"] = 0] = "Suite0";
+    EdhocSuite[EdhocSuite["Suite1"] = 1] = "Suite1";
+    EdhocSuite[EdhocSuite["Suite2"] = 2] = "Suite2";
+    EdhocSuite[EdhocSuite["Suite3"] = 3] = "Suite3";
+    EdhocSuite[EdhocSuite["Suite4"] = 4] = "Suite4";
+    EdhocSuite[EdhocSuite["Suite5"] = 5] = "Suite5";
+    EdhocSuite[EdhocSuite["Suite6"] = 6] = "Suite6";
+    EdhocSuite[EdhocSuite["Suite24"] = 24] = "Suite24";
+    EdhocSuite[EdhocSuite["Suite25"] = 25] = "Suite25";
+})(EdhocSuite || (exports.EdhocSuite = EdhocSuite = {}));
+__exportStar(require("./bindings"), exports);

package/dist/index.d.ts

@@ -0,0 +1,4 @@
+export * from "./edhoc";
+export * from "./crypto";
+export * from "./x509credentials";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,mBAAmB,CAAC"}

package/dist/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./edhoc"), exports);
+__exportStar(require("./crypto"), exports);
+__exportStar(require("./x509credentials"), exports);

package/dist/x509credentials.d.ts

@@ -0,0 +1,20 @@
+import { EDHOC, EdhocCredentialManager, EdhocCredentials, EdhocCredentialsFormat } from './edhoc';
+import { X509Certificate } from 'crypto';
+export declare class X509CertificateCredentialManager implements EdhocCredentialManager {
+    private certificates;
+    private peerCertificates;
+    private trustedCAs;
+    private cryptoKeyID;
+    fetchFormat: EdhocCredentialsFormat;
+    constructor(credentials: X509Certificate[] | Buffer[], cryptoKeyID: Buffer);
+    addPeerCertificate(certificate: X509Certificate | Buffer): void;
+    addTrustedCA(certificate: X509Certificate | Buffer): void;
+    private convertAndValidateCredentials;
+    private convertAndValidateSingleCredential;
+    fetch(edhoc: EDHOC): Promise<EdhocCredentials>;
+    verify(edhoc: EDHOC, credentials: EdhocCredentials): Promise<EdhocCredentials>;
+    private verifyCertificateChain;
+    private verifyAgainstTrustRoots;
+    private extractPublicKey;
+}
+//# sourceMappingURL=x509credentials.d.ts.map

package/dist/x509credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"x509credentials.d.ts","sourceRoot":"","sources":["../lib/x509credentials.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,sBAAsB,EAAE,gBAAgB,EAAE,sBAAsB,EAA+G,MAAM,SAAS,CAAC;AAC/M,OAAO,EAAc,eAAe,EAAE,MAAM,QAAQ,CAAC;AAErD,qBAAa,gCAAiC,YAAW,sBAAsB;IAE3E,OAAO,CAAC,YAAY,CAAyB;IAC7C,OAAO,CAAC,gBAAgB,CAAyB;IACjD,OAAO,CAAC,UAAU,CAAyB;IAC3C,OAAO,CAAC,WAAW,CAAS;IAE5B,WAAW,EAAE,sBAAsB,CAAkC;gBAEzD,WAAW,EAAE,eAAe,EAAE,GAAG,MAAM,EAAE,EAAE,WAAW,EAAE,MAAM;IAK1E,kBAAkB,CAAC,WAAW,EAAE,eAAe,GAAG,MAAM;IAIxD,YAAY,CAAC,WAAW,EAAE,eAAe,GAAG,MAAM;IAIlD,OAAO,CAAC,6BAA6B;IAIrC,OAAO,CAAC,kCAAkC;IAUpC,KAAK,CAAC,KAAK,EAAE,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAmC9C,MAAM,CAAC,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,gBAAgB;IAwCxD,OAAO,CAAC,sBAAsB;IAU9B,OAAO,CAAC,uBAAuB;IAU/B,OAAO,CAAC,gBAAgB;CAY3B"}

package/dist/x509credentials.js

@@ -0,0 +1,140 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.X509CertificateCredentialManager = void 0;
+const edhoc_1 = require("./edhoc");
+const crypto_1 = require("crypto");
+class X509CertificateCredentialManager {
+    certificates = [];
+    peerCertificates = [];
+    trustedCAs = [];
+    cryptoKeyID;
+    fetchFormat = edhoc_1.EdhocCredentialsFormat.x5chain;
+    constructor(credentials, cryptoKeyID) {
+        this.cryptoKeyID = cryptoKeyID;
+        this.certificates = this.convertAndValidateCredentials(credentials);
+    }
+    addPeerCertificate(certificate) {
+        this.peerCertificates.push(this.convertAndValidateSingleCredential(certificate));
+    }
+    addTrustedCA(certificate) {
+        this.trustedCAs.push(this.convertAndValidateSingleCredential(certificate));
+    }
+    convertAndValidateCredentials(credentials) {
+        return credentials.map(cred => this.convertAndValidateSingleCredential(cred));
+    }
+    convertAndValidateSingleCredential(cred) {
+        if (cred instanceof crypto_1.X509Certificate) {
+            return cred;
+        }
+        else if (cred instanceof Buffer) {
+            return new crypto_1.X509Certificate(cred);
+        }
+        else {
+            throw new Error('Invalid credentials');
+        }
+    }
+    async fetch(edhoc) {
+        if (this.certificates.length === 0) {
+            throw new Error('No certificates found');
+        }
+        switch (this.fetchFormat) {
+            case edhoc_1.EdhocCredentialsFormat.x5chain: {
+                const chain = {
+                    format: edhoc_1.EdhocCredentialsFormat.x5chain,
+                    privateKeyID: this.cryptoKeyID,
+                    x5chain: {
+                        certificates: this.certificates.map(cert => cert.raw)
+                    }
+                };
+                return chain;
+            }
+            case edhoc_1.EdhocCredentialsFormat.x5t: {
+                if (this.certificates.length > 1) {
+                    throw new Error('x5t format only supports a single certificate');
+                }
+                const hash = {
+                    format: edhoc_1.EdhocCredentialsFormat.x5t,
+                    privateKeyID: this.cryptoKeyID,
+                    x5t: {
+                        certificate: this.certificates[0].raw,
+                        hash: Buffer.from(this.certificates[0].fingerprint256.replace(/:/g, ''), 'hex').subarray(0, 8),
+                        hashAlgorithm: edhoc_1.EdhocCredentialsCertificateHashAlgorithm.Sha256_64
+                    }
+                };
+                return hash;
+            }
+            default:
+                throw new Error('Unsupported credentials format');
+        }
+    }
+    async verify(edhoc, credentials) {
+        if (credentials.format !== edhoc_1.EdhocCredentialsFormat.x5chain &&
+            credentials.format !== edhoc_1.EdhocCredentialsFormat.x5t) {
+            throw new Error('Credentials format not supported');
+        }
+        let certificates = [];
+        if (credentials.format === edhoc_1.EdhocCredentialsFormat.x5chain) {
+            const x5chain = credentials.x5chain;
+            certificates = x5chain.certificates;
+        }
+        else if (credentials.format === edhoc_1.EdhocCredentialsFormat.x5t) {
+            const x5t = credentials.x5t;
+            certificates = this.peerCertificates
+                .filter(certificate => {
+                const checksum = Buffer.from(certificate.fingerprint256.replace(/:/g, ''), 'hex');
+                if (x5t.hashAlgorithm == edhoc_1.EdhocCredentialsCertificateHashAlgorithm.Sha256_64) {
+                    return checksum.subarray(0, 8).equals(x5t.hash);
+                }
+                else if (x5t.hashAlgorithm == edhoc_1.EdhocCredentialsCertificateHashAlgorithm.Sha256) {
+                    return checksum.equals(x5t.hash);
+                }
+                else {
+                    throw new Error('Unsupported hash algorithm');
+                }
+            })
+                .flatMap(certificate => certificate.raw);
+            x5t.certificate = certificates[0];
+        }
+        if (certificates.length < 1) {
+            throw new Error('Certificate chain must contain at least one certificate.');
+        }
+        this.verifyCertificateChain(certificates);
+        this.verifyAgainstTrustRoots(certificates[certificates.length - 1]);
+        const token = new crypto_1.X509Certificate(certificates[0]).publicKey.export({ format: 'jwk' });
+        credentials.publicKey = this.extractPublicKey(token);
+        return credentials;
+    }
+    verifyCertificateChain(certificates) {
+        for (let i = 0; i < certificates.length - 1; i++) {
+            const currentCert = new crypto_1.X509Certificate(certificates[i]);
+            const nextCert = new crypto_1.X509Certificate(certificates[i + 1]);
+            if (!currentCert.verify(nextCert.publicKey)) {
+                throw new Error(`Verification failed: Certificate at index ${i} is not signed by the next certificate in the chain.`);
+            }
+        }
+    }
+    verifyAgainstTrustRoots(lastCertBuffer) {
+        const lastCert = new crypto_1.X509Certificate(lastCertBuffer);
+        for (const trustRoot of this.trustedCAs) {
+            if (lastCert.verify(trustRoot.publicKey)) {
+                return;
+            }
+        }
+        throw new Error('Certificate chain not verified');
+    }
+    extractPublicKey(token) {
+        if (token.crv === 'P-256') {
+            return Buffer.concat([
+                Buffer.from(token.x, 'base64'),
+                Buffer.from(token.y, 'base64')
+            ]);
+        }
+        else if (token.crv === 'Ed25519') {
+            return Buffer.from(token.x, 'base64');
+        }
+        else {
+            throw new Error('Unsupported curve');
+        }
+    }
+}
+exports.X509CertificateCredentialManager = X509CertificateCredentialManager;

package/external/libedhoc/backends/cbor/include/backend_cbor_bstr_type_decode.h

@@ -1,5 +1,5 @@
 /*
- * Generated using zcbor version 0.7.0
+ * Generated using zcbor version 0.8.1
  * https://github.com/NordicSemiconductor/zcbor
  * Generated with a --default-max-qty of 3
  */

package/external/libedhoc/backends/cbor/include/backend_cbor_bstr_type_encode.h

@@ -1,5 +1,5 @@
 /*
- * Generated using zcbor version 0.7.0
+ * Generated using zcbor version 0.8.1
  * https://github.com/NordicSemiconductor/zcbor
  * Generated with a --default-max-qty of 3
  */