ehbp 0.0.3 → 0.0.5

package/src/example.ts

@@ -1,126 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * Example usage of the EHBP JavaScript client
- */
-
-import { Identity, createTransport } from './index.js';
-
-async function main() {
-  console.log('EHBP JavaScript Client Example');
-  console.log('==============================');
-
-  try {
-    // Create client identity
-    console.log('Creating client identity...');
-    const clientIdentity = await Identity.generate();
-    console.log('Client public key:', await clientIdentity.getPublicKeyHex());
-
-    // Create transport (this will fetch server public key)
-    console.log('Creating transport...');
-    const serverURL = 'http://localhost:8080'; // Adjust as needed
-    const transport = await createTransport(serverURL, clientIdentity);
-    console.log('Transport created successfully');
-
-    // Example 1: GET request to secure endpoint
-    console.log('\n--- GET Request ---');
-    try {
-      const getResponse = await transport.get(`${serverURL}/secure`);
-      console.log('GET Response status:', getResponse.status);
-      if (getResponse.ok) {
-        const getData = await getResponse.text();
-        console.log('GET Response:', getData);
-      } else {
-        console.log('GET Request failed with status:', getResponse.status);
-      }
-    } catch (error) {
-      console.log('GET Request failed:', error instanceof Error ? error.message : String(error));
-    }
-
-    // Example 2: POST request with JSON data
-    console.log('\n--- POST Request ---');
-    try {
-      const postData = { message: 'Hello from JavaScript client!', timestamp: new Date().toISOString() };
-      const postResponse = await transport.post(
-        `${serverURL}/secure`,
-        JSON.stringify(postData),
-        { headers: { 'Content-Type': 'application/json' } }
-      );
-      console.log('POST Response status:', postResponse.status);
-      if (postResponse.ok) {
-        const responseData = await postResponse.text();
-        console.log('POST Response:', responseData);
-      } else {
-        console.log('POST Request failed with status:', postResponse.status);
-      }
-    } catch (error) {
-      console.log('POST Request failed:', error instanceof Error ? error.message : String(error));
-    }
-
-    // Example 3: PUT request
-    console.log('\n--- PUT Request ---');
-    try {
-      const putData = { id: 1, name: 'Updated Item' };
-      const putResponse = await transport.put(
-        `${serverURL}/secure`,
-        JSON.stringify(putData),
-        { headers: { 'Content-Type': 'application/json' } }
-      );
-      console.log('PUT Response status:', putResponse.status);
-      if (putResponse.ok) {
-        const putResponseData = await putResponse.text();
-        console.log('PUT Response:', putResponseData);
-      } else {
-        console.log('PUT Request failed with status:', putResponse.status);
-      }
-    } catch (error) {
-      console.log('PUT Request failed:', error instanceof Error ? error.message : String(error));
-    }
-
-    // Example 4: Streaming request
-    console.log('\n--- Streaming Request ---');
-    try {
-      const streamResponse = await transport.get(`${serverURL}/stream`);
-      console.log('Stream Response status:', streamResponse.status);
-      if (streamResponse.ok) {
-        console.log('Streaming response (should show numbers 1-20):');
-        const reader = streamResponse.body?.getReader();
-        if (reader) {
-          const decoder = new TextDecoder();
-          let chunkCount = 0;
-          
-          while (true) {
-            const { done, value } = await reader.read();
-            if (done) break;
-            
-            const text = decoder.decode(value, { stream: true });
-            process.stdout.write(text);
-            chunkCount++;
-          }
-          
-          console.log(`\nStream completed with ${chunkCount} chunks`);
-        } else {
-          console.log('No readable stream available');
-        }
-      } else {
-        console.log('Stream Request failed with status:', streamResponse.status);
-      }
-    } catch (error) {
-      console.log('Stream Request failed:', error instanceof Error ? error.message : String(error));
-    }
-
-    console.log('\nExample completed successfully!');
-    console.log('\nTo test with a real server:');
-    console.log('1. Start the Go server: go run pkg/server/main.go');
-    console.log('2. Run this example: npm run example');
-
-  } catch (error) {
-    console.error('Error:', error);
-    process.exit(1);
-  }
-}
-
-// Run the example
-if (import.meta.url === `file://${process.argv[1]}`) {
-  main().catch(console.error);
-}

package/src/identity.ts

@@ -1,339 +0,0 @@
-import { CipherSuite, DhkemX25519HkdfSha256, HkdfSha256, Aes256Gcm } from '@hpke/core';
-import { PROTOCOL, HPKE_CONFIG } from './protocol.js';
-
-/**
- * Identity class for managing HPKE key pairs and encryption/decryption
- */
-export class Identity {
-  private suite: CipherSuite;
-  private publicKey: CryptoKey;
-  private privateKey: CryptoKey;
-
-  constructor(suite: CipherSuite, publicKey: CryptoKey, privateKey: CryptoKey) {
-    this.suite = suite;
-    this.publicKey = publicKey;
-    this.privateKey = privateKey;
-  }
-
-  /**
-   * Generate a new identity with X25519 key pair
-   */
-  static async generate(): Promise<Identity> {
-    const suite = new CipherSuite({
-      kem: new DhkemX25519HkdfSha256(),
-      kdf: new HkdfSha256(),
-      aead: new Aes256Gcm()
-    });
-
-    const { publicKey, privateKey } = await suite.kem.generateKeyPair();
-    
-    // Make sure the public key is extractable for serialization
-    const extractablePublicKey = await crypto.subtle.importKey(
-      'raw',
-      await crypto.subtle.exportKey('raw', publicKey),
-      { name: 'X25519' },
-      true, // extractable
-      []
-    );
-    
-    return new Identity(suite, extractablePublicKey, privateKey);
-  }
-
-
-  /**
-   * Create identity from JSON string
-   */
-  static async fromJSON(json: string): Promise<Identity> {
-    const data = JSON.parse(json);
-    const suite = new CipherSuite({
-      kem: new DhkemX25519HkdfSha256(),
-      kdf: new HkdfSha256(),
-      aead: new Aes256Gcm()
-    });
-
-    // Import public key
-    const publicKey = await crypto.subtle.importKey(
-      'raw',
-      new Uint8Array(data.publicKey),
-      { name: 'X25519' },
-      true, // extractable
-      []
-    );
-
-    // Deserialize private key using HPKE library
-    const privateKey = await suite.kem.deserializePrivateKey(new Uint8Array(data.privateKey).buffer);
-
-    return new Identity(suite, publicKey, privateKey);
-  }
-
-
-  /**
-   * Convert identity to JSON string
-   */
-  async toJSON(): Promise<string> {
-    const publicKeyBytes = new Uint8Array(await crypto.subtle.exportKey('raw', this.publicKey));
-    
-    // For X25519, we need to use the HPKE library's serialization for private keys
-    const privateKeyBytes = await this.suite.kem.serializePrivateKey(this.privateKey);
-    
-    return JSON.stringify({
-      publicKey: Array.from(publicKeyBytes),
-      privateKey: Array.from(new Uint8Array(privateKeyBytes))
-    });
-  }
-
-  /**
-   * Get public key as CryptoKey
-   */
-  getPublicKey(): CryptoKey {
-    return this.publicKey;
-  }
-
-  /**
-   * Get public key as hex string
-   */
-  async getPublicKeyHex(): Promise<string> {
-    const exported = await crypto.subtle.exportKey('raw', this.publicKey);
-    return Array.from(new Uint8Array(exported))
-      .map(b => b.toString(16).padStart(2, '0'))
-      .join('');
-  }
-
-  /**
-   * Get private key as CryptoKey
-   */
-  getPrivateKey(): CryptoKey {
-    return this.privateKey;
-  }
-
-  /**
-   * Marshal public key configuration for server key distribution
-   * Implements RFC 9458 format
-   */
-  async marshalConfig(): Promise<Uint8Array> {
-    const kemId = HPKE_CONFIG.KEM;
-    const kdfId = HPKE_CONFIG.KDF;
-    const aeadId = HPKE_CONFIG.AEAD;
-
-    // Export public key as raw bytes
-    const publicKeyBytes = new Uint8Array(await crypto.subtle.exportKey('raw', this.publicKey));
-
-    // Key ID (1 byte) + KEM ID (2 bytes) + Public Key + Cipher Suites
-    const keyId = 0;
-    const publicKeySize = publicKeyBytes.length;
-    const cipherSuitesSize = 2 + 2; // KDF ID + AEAD ID
-
-    const buffer = new Uint8Array(1 + 2 + publicKeySize + 2 + cipherSuitesSize);
-    let offset = 0;
-
-    // Key ID
-    buffer[offset++] = keyId;
-
-    // KEM ID
-    buffer[offset++] = (kemId >> 8) & 0xFF;
-    buffer[offset++] = kemId & 0xFF;
-
-    // Public Key
-    buffer.set(publicKeyBytes, offset);
-    offset += publicKeySize;
-
-    // Cipher Suites Length (2 bytes)
-    buffer[offset++] = (cipherSuitesSize >> 8) & 0xFF;
-    buffer[offset++] = cipherSuitesSize & 0xFF;
-
-    // KDF ID
-    buffer[offset++] = (kdfId >> 8) & 0xFF;
-    buffer[offset++] = kdfId & 0xFF;
-
-    // AEAD ID
-    buffer[offset++] = (aeadId >> 8) & 0xFF;
-    buffer[offset++] = aeadId & 0xFF;
-
-    return buffer;
-  }
-
-  /**
-   * Unmarshal public configuration from server
-   */
-  static async unmarshalPublicConfig(data: Uint8Array): Promise<Identity> {
-    let offset = 0;
-
-    // Read Key ID
-    const keyId = data[offset++];
-
-    // Read KEM ID
-    const kemId = (data[offset++] << 8) | data[offset++];
-
-    // Read Public Key (32 bytes for X25519)
-    const publicKeySize = 32;
-    const publicKeyBytes = data.slice(offset, offset + publicKeySize);
-    offset += publicKeySize;
-
-    // Read Cipher Suites Length
-    const cipherSuitesLength = (data[offset++] << 8) | data[offset++];
-
-    // Read KDF ID
-    const kdfId = (data[offset++] << 8) | data[offset++];
-
-    // Read AEAD ID
-    const aeadId = (data[offset++] << 8) | data[offset++];
-
-    // Create suite (assuming X25519 for now)
-    const suite = new CipherSuite({
-      kem: new DhkemX25519HkdfSha256(),
-      kdf: new HkdfSha256(),
-      aead: new Aes256Gcm()
-    });
-
-    // Import public key using HPKE library
-    const publicKey = await suite.kem.deserializePublicKey(publicKeyBytes.buffer);
-
-    // For server config, we only have the public key, no private key
-    // We'll create a dummy private key that won't be used
-    const dummyPrivateKey = await suite.kem.deserializePrivateKey(new Uint8Array(32).buffer);
-    
-    return new Identity(suite, publicKey, dummyPrivateKey);
-  }
-
-  /**
-   * Encrypt request body and set appropriate headers
-   */
-  async encryptRequest(request: Request, serverPublicKey: CryptoKey): Promise<Request> {
-    const body = await request.arrayBuffer();
-    if (body.byteLength === 0) {
-      // No body to encrypt, just set client public key header
-      const headers = new Headers(request.headers);
-      headers.set(PROTOCOL.CLIENT_PUBLIC_KEY_HEADER, await this.getPublicKeyHex());
-      return new Request(request.url, {
-        method: request.method,
-        headers,
-        body: null
-      });
-    }
-
-    // Create sender for encryption
-    const sender = await this.suite.createSenderContext({
-      recipientPublicKey: serverPublicKey
-    });
-
-    // Encrypt the body
-    const encrypted = await sender.seal(body);
-
-    // Get encapsulated key
-    const encapKey = sender.enc;
-
-    // Create chunked format: 4-byte length header + encrypted data
-    const chunkLength = new Uint8Array(4);
-    const view = new DataView(chunkLength.buffer);
-    view.setUint32(0, encrypted.byteLength, false); // Big-endian
-    
-    const chunkedData = new Uint8Array(4 + encrypted.byteLength);
-    chunkedData.set(chunkLength, 0);
-    chunkedData.set(new Uint8Array(encrypted), 4);
-
-    // Create new request with encrypted body and headers
-    const headers = new Headers(request.headers);
-    headers.set(PROTOCOL.CLIENT_PUBLIC_KEY_HEADER, await this.getPublicKeyHex());
-    headers.set(PROTOCOL.ENCAPSULATED_KEY_HEADER, Array.from(new Uint8Array(encapKey))
-      .map(b => b.toString(16).padStart(2, '0'))
-      .join(''));
-
-    return new Request(request.url, {
-      method: request.method,
-      headers,
-      body: chunkedData,
-      duplex: 'half'
-    } as RequestInit);
-  }
-
-  /**
-   * Decrypt response body
-   */
-  async decryptResponse(response: Response, serverEncapKey: Uint8Array): Promise<Response> {
-    if (!response.body) {
-      return response;
-    }
-
-    // Create receiver for decryption
-    const receiver = await this.suite.createRecipientContext({
-      recipientKey: this.privateKey,
-      enc: serverEncapKey.buffer as ArrayBuffer
-    });
-
-    // Create a readable stream that decrypts chunks as they arrive
-    const decryptedStream = new ReadableStream({
-      start(controller) {
-        const reader = response.body!.getReader();
-        let buffer = new Uint8Array(0);
-        let offset = 0;
-
-        async function pump() {
-          try {
-            while (true) {
-              const { done, value } = await reader.read();
-              if (done) break;
-
-              // Append new data to buffer
-              const newBuffer = new Uint8Array(buffer.length + value.length);
-              newBuffer.set(buffer);
-              newBuffer.set(value, buffer.length);
-              buffer = newBuffer;
-
-              // Process complete chunks
-              while (offset + 4 <= buffer.length) {
-                // Read chunk length (4 bytes big-endian)
-                const chunkLength = (buffer[offset] << 24) | 
-                                  (buffer[offset + 1] << 16) | 
-                                  (buffer[offset + 2] << 8) | 
-                                  buffer[offset + 3];
-                offset += 4;
-
-                if (chunkLength === 0) {
-                  continue; // Empty chunk
-                }
-
-                // Check if we have the complete chunk
-                if (offset + chunkLength > buffer.length) {
-                  // Not enough data yet, wait for more
-                  break;
-                }
-
-                // Extract and decrypt the chunk
-                const encryptedChunk = buffer.slice(offset, offset + chunkLength);
-                offset += chunkLength;
-
-                try {
-                  const decryptedChunk = await receiver.open(encryptedChunk.buffer);
-                  controller.enqueue(new Uint8Array(decryptedChunk));
-                } catch (error) {
-                  controller.error(new Error(`Failed to decrypt chunk: ${error}`));
-                  return;
-                }
-              }
-
-              // Remove processed data from buffer
-              if (offset > 0) {
-                buffer = buffer.slice(offset);
-                offset = 0;
-              }
-            }
-
-            controller.close();
-          } catch (error) {
-            controller.error(error);
-          }
-        }
-
-        pump();
-      }
-    });
-
-    // Create new response with decrypted stream
-    return new Response(decryptedStream, {
-      status: response.status,
-      statusText: response.statusText,
-      headers: response.headers
-    });
-  }
-
-}

package/src/protocol.ts

@@ -1,19 +0,0 @@
-/**
- * Protocol constants for EHBP (Encrypted HTTP Body Protocol)
- */
-export const PROTOCOL = {
-  ENCAPSULATED_KEY_HEADER: 'Ehbp-Encapsulated-Key',
-  CLIENT_PUBLIC_KEY_HEADER: 'Ehbp-Client-Public-Key',
-  KEYS_MEDIA_TYPE: 'application/ohttp-keys',
-  KEYS_PATH: '/.well-known/hpke-keys',
-  FALLBACK_HEADER: 'Ehbp-Fallback'
-} as const;
-
-/**
- * HPKE suite configuration matching the Go implementation
- */
-export const HPKE_CONFIG = {
-  KEM: 0x0020, // X25519 HKDF SHA256
-  KDF: 0x0001, // HKDF SHA256
-  AEAD: 0x0002 // AES-256-GCM
-} as const;

package/src/streaming-test.ts

@@ -1,118 +0,0 @@
-#!/usr/bin/env node
-
-import { Identity, createTransport } from './index.js';
-
-async function streamingTest() {
-  console.log('EHBP Streaming Test');
-  console.log('===================');
-
-  try {
-    // Create client identity
-    console.log('Creating client identity...');
-    const clientIdentity = await Identity.generate();
-    console.log('Client identity created');
-
-    // Create transport
-    console.log('Creating transport...');
-    const serverURL = 'http://localhost:8080';
-    const transport = await createTransport(serverURL, clientIdentity);
-    console.log('Transport created');
-
-    // Test 1: Basic streaming request
-    console.log('\n--- Test 1: Basic Streaming ---');
-    const streamResponse = await transport.get(`${serverURL}/stream`);
-    console.log('Stream request sent, status:', streamResponse.status);
-
-    if (streamResponse.ok) {
-      console.log('Reading stream data...');
-      const reader = streamResponse.body?.getReader();
-      if (reader) {
-        const decoder = new TextDecoder();
-
-        while (true) {
-          const { done, value } = await reader.read();
-          if (done) break;
-
-          const text = decoder.decode(value, { stream: true });
-          process.stdout.write(text);
-        }
-
-        console.log('\nStream completed');
-      } else {
-        console.log('No readable stream available');
-      }
-    } else {
-      console.log('Stream request failed with status:', streamResponse.status);
-    }
-
-    // Test 2: Multiple concurrent streams
-    console.log('\n--- Test 2: Concurrent Streams ---');
-    const concurrentStreams = 3;
-    const streamPromises = [];
-
-    for (let i = 0; i < concurrentStreams; i++) {
-      streamPromises.push(
-        (async (streamId: number) => {
-          const response = await transport.get(`${serverURL}/stream`);
-          if (response.ok && response.body) {
-            const reader = response.body.getReader();
-            const decoder = new TextDecoder();
-
-            while (true) {
-              const { done, value } = await reader.read();
-              if (done) break;
-
-              const text = decoder.decode(value, { stream: true });
-              
-              // Prefix with stream ID to show concurrency
-              process.stdout.write(`[Stream ${streamId}] ${text}`);
-            }
-
-            return { streamId };
-          }
-          return { streamId };
-        })(i + 1)
-      );
-    }
-
-    const results = await Promise.all(streamPromises);
-    console.log('\nConcurrent streams completed:');
-    results.forEach(result => {
-      console.log(`  - Stream ${result.streamId}: completed`);
-    });
-
-    // Test 3: Large data streaming (if server supports it)
-    console.log('\n--- Test 3: Large Data Stream ---');
-    try {
-      const largeStreamResponse = await transport.get(`${serverURL}/stream`);
-      if (largeStreamResponse.ok) {
-        console.log('Reading large data stream...');
-        const reader = largeStreamResponse.body?.getReader();
-        if (reader) {
-          const decoder = new TextDecoder();
-
-          while (true) {
-            const { done, value } = await reader.read();
-            if (done) break;
-
-            const text = decoder.decode(value, { stream: true });
-            process.stdout.write(text);
-          }
-        }
-      }
-    } catch (error) {
-      console.log('Large data stream test failed:', error instanceof Error ? error.message : String(error));
-    }
-
-    console.log('\nAll streaming tests completed successfully!');
-
-  } catch (error) {
-    console.error('Streaming test failed:', error);
-    process.exit(1);
-  }
-}
-
-// Run the streaming test
-if (import.meta.url === `file://${process.argv[1]}`) {
-  streamingTest().catch(console.error);
-}

package/src/test/client.test.ts

@@ -1,93 +0,0 @@
-import { describe, it, before, after } from 'node:test';
-import assert from 'node:assert';
-import { Identity, Transport, createTransport } from '../index.js';
-import { PROTOCOL } from '../protocol.js';
-
-describe('Transport', () => {
-  let clientIdentity: Identity;
-  let serverIdentity: Identity;
-
-  before(async () => {
-    clientIdentity = await Identity.generate();
-    serverIdentity = await Identity.generate();
-  });
-
-  it('should create transport with server public key', () => {
-    const transport = new Transport(
-      clientIdentity,
-      'localhost:8080',
-      serverIdentity.getPublicKey()
-    );
-    
-    assert(transport instanceof Transport, 'Should create transport instance');
-  });
-
-  it('should encrypt and decrypt request', async () => {
-    const serverPublicKey = serverIdentity.getPublicKey();
-    const originalBody = new TextEncoder().encode('Hello, World!');
-    const request = new Request('http://localhost:8080/test', {
-      method: 'POST',
-      body: originalBody
-    });
-
-    const encryptedRequest = await clientIdentity.encryptRequest(request, serverPublicKey);
-    
-    // Check that headers are set
-    assert(encryptedRequest.headers.get(PROTOCOL.CLIENT_PUBLIC_KEY_HEADER), 'Client public key header should be set');
-    assert(encryptedRequest.headers.get(PROTOCOL.ENCAPSULATED_KEY_HEADER), 'Encapsulated key header should be set');
-    
-    // Check that body is encrypted (different from original)
-    const encryptedBody = await encryptedRequest.arrayBuffer();
-    assert(encryptedBody.byteLength > 0, 'Encrypted body should not be empty');
-    assert(encryptedBody.byteLength !== originalBody.length, 'Encrypted body should have different length');
-  });
-
-  it('should handle request without body', async () => {
-    const serverPublicKey = serverIdentity.getPublicKey();
-    const request = new Request('http://localhost:8080/test', {
-      method: 'GET'
-    });
-
-    const encryptedRequest = await clientIdentity.encryptRequest(request, serverPublicKey);
-    
-    // Check that only client public key header is set
-    assert(encryptedRequest.headers.get(PROTOCOL.CLIENT_PUBLIC_KEY_HEADER), 'Client public key header should be set');
-    assert(!encryptedRequest.headers.get(PROTOCOL.ENCAPSULATED_KEY_HEADER), 'Encapsulated key header should not be set for empty body');
-  });
-
-  it('should connect to actual server and POST to /secure endpoint', async (t) => {
-    const serverURL = 'http://localhost:8080';
-    
-    try {
-      const keysResponse = await fetch(`${serverURL}${PROTOCOL.KEYS_PATH}`);
-      if (!keysResponse.ok) {
-        t.skip('Server not running at localhost:8080');
-        return;
-      }
-    } catch (error) {
-      t.skip('Server not running at localhost:8080');
-      return;
-    }
-
-    // Create transport that will connect to the real server
-    const transport = await createTransport(serverURL, clientIdentity);
-    
-    const testName = 'Integration Test User';
-
-    const serverPubKeyHex = await transport.getServerPublicKeyHex();
-    assert.strictEqual(serverPubKeyHex.length, 64, 'Server public key should be 64 bytes');
-
-    // Make actual POST request to /secure endpoint
-    const response = await transport.post(`${serverURL}/secure`, testName, {
-      headers: { 'Content-Type': 'text/plain' }
-    });
-    
-    // Verify response
-    assert(response.ok, `Response should be ok, got status: ${response.status}`);
-    
-    const responseText = await response.text();
-    assert.strictEqual(responseText, `Hello, ${testName}`, 'Server should respond with Hello, {name}');
-    
-    console.log(`✓ Integration test passed: ${responseText}`);
-  });
-});