ehbp 0.0.7 → 0.1.0

package/dist/cjs/derive.js

@@ -0,0 +1,136 @@
+"use strict";
+/**
+ * Response key derivation for EHBP
+ *
+ * This module implements the key derivation matching the Go implementation.
+ *
+ * The derivation follows OHTTP (RFC 9458):
+ *   salt = concat(enc, response_nonce)
+ *   prk = Extract(salt, secret)
+ *   aead_key = Expand(prk, "key", Nk)
+ *   aead_nonce = Expand(prk, "nonce", Nn)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.REQUEST_ENC_LENGTH = exports.AES_GCM_NONCE_LENGTH = exports.AES256_KEY_LENGTH = exports.RESPONSE_NONCE_LENGTH = exports.EXPORT_LENGTH = exports.EXPORT_LABEL = exports.HPKE_REQUEST_INFO = void 0;
+exports.deriveResponseKeys = deriveResponseKeys;
+exports.computeNonce = computeNonce;
+exports.encryptChunk = encryptChunk;
+exports.decryptChunk = decryptChunk;
+exports.hexToBytes = hexToBytes;
+exports.bytesToHex = bytesToHex;
+const hpke_1 = require("hpke");
+const kdf = (0, hpke_1.KDF_HKDF_SHA256)();
+const aead = (0, hpke_1.AEAD_AES_256_GCM)();
+exports.HPKE_REQUEST_INFO = 'ehbp request';
+exports.EXPORT_LABEL = 'ehbp response';
+exports.EXPORT_LENGTH = 32;
+exports.RESPONSE_NONCE_LENGTH = 32; // max(Nn, Nk) = max(12, 32) = 32
+exports.AES256_KEY_LENGTH = 32;
+exports.AES_GCM_NONCE_LENGTH = 12;
+exports.REQUEST_ENC_LENGTH = 32; // X25519 enc size
+// Labels for HKDF-Expand
+const RESPONSE_KEY_LABEL = new TextEncoder().encode('key');
+const RESPONSE_NONCE_LABEL = new TextEncoder().encode('nonce');
+/**
+ * Derives response encryption keys from the HPKE exported secret.
+ *
+ *   salt = concat(enc, response_nonce)
+ *   prk = Extract(salt, secret)
+ *   key = Expand(prk, "key", 32)
+ *   nonceBase = Expand(prk, "nonce", 12)
+ *
+ * @param exportedSecret - 32 bytes exported from HPKE context
+ * @param requestEnc - 32 bytes encapsulated key from request
+ * @param responseNonce - 32 bytes random nonce from response
+ * @returns Key material for response encryption/decryption
+ */
+async function deriveResponseKeys(exportedSecret, requestEnc, responseNonce) {
+    // Validate inputs
+    if (exportedSecret.length !== exports.EXPORT_LENGTH) {
+        throw new Error(`exported secret must be ${exports.EXPORT_LENGTH} bytes, got ${exportedSecret.length}`);
+    }
+    if (requestEnc.length !== exports.REQUEST_ENC_LENGTH) {
+        throw new Error(`request enc must be ${exports.REQUEST_ENC_LENGTH} bytes, got ${requestEnc.length}`);
+    }
+    if (responseNonce.length !== exports.RESPONSE_NONCE_LENGTH) {
+        throw new Error(`response nonce must be ${exports.RESPONSE_NONCE_LENGTH} bytes, got ${responseNonce.length}`);
+    }
+    // salt = concat(enc, response_nonce)
+    const salt = new Uint8Array(requestEnc.length + responseNonce.length);
+    salt.set(requestEnc, 0);
+    salt.set(responseNonce, requestEnc.length);
+    // prk = Extract(salt, secret)
+    const prk = await kdf.Extract(salt, exportedSecret);
+    // key = Expand(prk, "key", 32)
+    const keyBytes = await kdf.Expand(prk, RESPONSE_KEY_LABEL, exports.AES256_KEY_LENGTH);
+    // nonceBase = Expand(prk, "nonce", 12)
+    const nonceBase = await kdf.Expand(prk, RESPONSE_NONCE_LABEL, exports.AES_GCM_NONCE_LENGTH);
+    return { keyBytes, nonceBase };
+}
+/**
+ * Computes the nonce for a specific sequence number.
+ * nonce = nonceBase XOR sequence_number (big-endian in last 8 bytes)
+ */
+function computeNonce(nonceBase, seq) {
+    if (nonceBase.length !== exports.AES_GCM_NONCE_LENGTH) {
+        throw new Error(`nonce base must be ${exports.AES_GCM_NONCE_LENGTH} bytes`);
+    }
+    // Validate seq to prevent nonce reuse from integer overflow.
+    // JavaScript's >>> operator only works correctly for 32-bit unsigned integers.
+    // Values >= 2^32 wrap around (e.g., 2^32 >>> 0 === 0), causing nonce reuse.
+    // In practice, 2^32 chunks per response is impossible (~4PB minimum), but we validate defensively.
+    if (!Number.isInteger(seq) || seq < 0 || seq >= 0x100000000) {
+        throw new Error(`sequence number must be an integer in range [0, 2^32): got ${seq}`);
+    }
+    const nonce = new Uint8Array(exports.AES_GCM_NONCE_LENGTH);
+    nonce.set(nonceBase);
+    // XOR with sequence number in the last 8 bytes (big-endian)
+    for (let i = 0; i < 8; i++) {
+        const shift = i * 8;
+        if (shift < 32) {
+            nonce[exports.AES_GCM_NONCE_LENGTH - 1 - i] ^= (seq >>> shift) & 0xff;
+        }
+    }
+    return nonce;
+}
+/**
+ * Encrypts a chunk using the response key material
+ */
+async function encryptChunk(km, seq, plaintext) {
+    const nonce = computeNonce(km.nonceBase, seq);
+    const ciphertext = await aead.Seal(km.keyBytes, nonce, new Uint8Array(0), plaintext);
+    return ciphertext;
+}
+/**
+ * Decrypts a chunk using the response key material
+ */
+async function decryptChunk(km, seq, ciphertext) {
+    const nonce = computeNonce(km.nonceBase, seq);
+    const plaintext = await aead.Open(km.keyBytes, nonce, new Uint8Array(0), ciphertext);
+    return plaintext;
+}
+/**
+ * Utility: Convert hex string to Uint8Array
+ */
+function hexToBytes(hex) {
+    if (hex.length % 2 !== 0) {
+        throw new Error('Hex string must have even length');
+    }
+    if (!/^[0-9a-fA-F]*$/.test(hex)) {
+        throw new Error('Invalid hex character');
+    }
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < bytes.length; i++) {
+        bytes[i] = parseInt(hex.substring(i * 2, i * 2 + 2), 16);
+    }
+    return bytes;
+}
+/**
+ * Utility: Convert Uint8Array to hex string
+ */
+function bytesToHex(bytes) {
+    return Array.from(bytes)
+        .map(b => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+//# sourceMappingURL=derive.js.map

package/dist/cjs/derive.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive.js","sourceRoot":"","sources":["../../src/derive.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AA0CH,gDA+BC;AAMD,oCAyBC;AAKD,oCAUC;AAKD,oCAUC;AAKD,gCAYC;AAKD,gCAIC;AA9JD,+BAA8E;AAE9E,MAAM,GAAG,GAAQ,IAAA,sBAAe,GAAE,CAAC;AACnC,MAAM,IAAI,GAAS,IAAA,uBAAgB,GAAE,CAAC;AAEzB,QAAA,iBAAiB,GAAG,cAAc,CAAC;AACnC,QAAA,YAAY,GAAG,eAAe,CAAC;AAC/B,QAAA,aAAa,GAAG,EAAE,CAAC;AACnB,QAAA,qBAAqB,GAAG,EAAE,CAAC,CAAC,iCAAiC;AAC7D,QAAA,iBAAiB,GAAG,EAAE,CAAC;AACvB,QAAA,oBAAoB,GAAG,EAAE,CAAC;AAC1B,QAAA,kBAAkB,GAAG,EAAE,CAAC,CAAC,kBAAkB;AAExD,yBAAyB;AACzB,MAAM,kBAAkB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC3D,MAAM,oBAAoB,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AAY/D;;;;;;;;;;;;GAYG;AACI,KAAK,UAAU,kBAAkB,CACtC,cAA0B,EAC1B,UAAsB,EACtB,aAAyB;IAEzB,kBAAkB;IAClB,IAAI,cAAc,CAAC,MAAM,KAAK,qBAAa,EAAE,CAAC;QAC5C,MAAM,IAAI,KAAK,CAAC,2BAA2B,qBAAa,eAAe,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC;IAClG,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,KAAK,0BAAkB,EAAE,CAAC;QAC7C,MAAM,IAAI,KAAK,CAAC,uBAAuB,0BAAkB,eAAe,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;IAC/F,CAAC;IACD,IAAI,aAAa,CAAC,MAAM,KAAK,6BAAqB,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,0BAA0B,6BAAqB,eAAe,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC;IACxG,CAAC;IAED,qCAAqC;IACrC,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACtE,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;IACxB,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,UAAU,CAAC,MAAM,CAAC,CAAC;IAE3C,8BAA8B;IAC9B,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;IAEpD,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,kBAAkB,EAAE,yBAAiB,CAAC,CAAC;IAE9E,uCAAuC;IACvC,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,GAAG,EAAE,oBAAoB,EAAE,4BAAoB,CAAC,CAAC;IAEpF,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,SAAgB,YAAY,CAAC,SAAqB,EAAE,GAAW;IAC7D,IAAI,SAAS,CAAC,MAAM,KAAK,4BAAoB,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,sBAAsB,4BAAoB,QAAQ,CAAC,CAAC;IACtE,CAAC;IAED,6DAA6D;IAC7D,+EAA+E;IAC/E,4EAA4E;IAC5E,mGAAmG;IACnG,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,IAAI,WAAW,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CAAC,8DAA8D,GAAG,EAAE,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,4BAAoB,CAAC,CAAC;IACnD,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAErB,4DAA4D;IAC5D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;QACpB,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;YACf,KAAK,CAAC,4BAAoB,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,KAAK,KAAK,CAAC,GAAG,IAAI,CAAC;QAChE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,YAAY,CAChC,EAAuB,EACvB,GAAW,EACX,SAAqB;IAErB,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAE9C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IAErF,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,YAAY,CAChC,EAAuB,EACvB,GAAW,EACX,UAAsB;IAEtB,MAAM,KAAK,GAAG,YAAY,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;IAE9C,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAErF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU,CAAC,GAAW;IACpC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,KAAK,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC3D,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAgB,UAAU,CAAC,KAAiB;IAC1C,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC;SACrB,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SACzC,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC"}

package/dist/cjs/identity.d.ts

@@ -1,4 +1,12 @@
-import { CipherSuite } from '@hpke/core';
+import { CipherSuite, type SenderContext, type Key } from 'hpke';
+/**
+ * Request context for response decryption.
+ * Holds the HPKE sender context needed to derive response keys.
+ */
+export interface RequestContext {
+    senderContext: SenderContext;
+    requestEnc: Uint8Array;
+}
 /**
  * Identity class for managing HPKE key pairs and encryption/decryption
  */
@@ -6,7 +14,7 @@ export declare class Identity {
     private suite;
     private publicKey;
     private privateKey;
-    constructor(suite: CipherSuite, publicKey: CryptoKey, privateKey: CryptoKey);
+    constructor(suite: CipherSuite, publicKey: Key, privateKey: Key);
     /**
      * Generate a new identity with X25519 key pair
      */
@@ -20,17 +28,17 @@ export declare class Identity {
      */
     toJSON(): Promise<string>;
     /**
-     * Get public key as CryptoKey
+     * Get public key
      */
-    getPublicKey(): CryptoKey;
+    getPublicKey(): Key;
     /**
      * Get public key as hex string
      */
     getPublicKeyHex(): Promise<string>;
     /**
-     * Get private key as CryptoKey
+     * Get private key
      */
-    getPrivateKey(): CryptoKey;
+    getPrivateKey(): Key;
     /**
      * Marshal public key configuration for server key distribution
      * Implements RFC 9458 format
@@ -41,12 +49,31 @@ export declare class Identity {
      */
     static unmarshalPublicConfig(data: Uint8Array): Promise<Identity>;
     /**
-     * Encrypt request body and set appropriate headers
+     * Encrypt request body and return context for response decryption.
+     *
+     * This method is called on the SERVER's identity (public key only).
+     * It:
+     * 1. Creates an HPKE sender context to this identity's public key
+     * 2. Encrypts the request body
+     * 3. Returns a RequestContext that must be used to decrypt the response
+     */
+    encryptRequestWithContext(request: Request): Promise<{
+        request: Request;
+        context: RequestContext | null;
+    }>;
+    /**
+     * Decrypt response using keys derived from request context.
+     *
+     * This method:
+     * 1. Reads the response nonce from Ehbp-Response-Nonce header
+     * 2. Exports a secret from the HPKE sender context
+     * 3. Derives response keys using HKDF
+     * 4. Decrypts the response body
      */
-    encryptRequest(request: Request, serverPublicKey: CryptoKey): Promise<Request>;
+    decryptResponseWithContext(response: Response, context: RequestContext): Promise<Response>;
     /**
-     * Decrypt response body
+     * Creates a ReadableStream that decrypts response chunks.
      */
-    decryptResponse(response: Response, serverEncapKey: Uint8Array): Promise<Response>;
+    private createDecryptStream;
 }
 //# sourceMappingURL=identity.d.ts.map

package/dist/cjs/identity.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAgD,MAAM,YAAY,CAAC;AAGvF;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,KAAK,CAAc;IAC3B,OAAO,CAAC,SAAS,CAAY;IAC7B,OAAO,CAAC,UAAU,CAAY;gBAElB,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS;IAM3E;;OAEG;WACU,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IAsB1C;;OAEG;WACU,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAwBtD;;OAEG;IACG,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAY/B;;OAEG;IACH,YAAY,IAAI,SAAS;IAIzB;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAOxC;;OAEG;IACH,aAAa,IAAI,SAAS;IAI1B;;;OAGG;IACG,aAAa,IAAI,OAAO,CAAC,UAAU,CAAC;IA0C1C;;OAEG;WACU,qBAAqB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAuDvE;;OAEG;IACG,cAAc,CAAC,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC;IAgDpF;;OAEG;IACG,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,cAAc,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;CAwFzF"}
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EAIX,KAAK,aAAa,EAClB,KAAK,GAAG,EACT,MAAM,MAAM,CAAC;AAcd;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,aAAa,EAAE,aAAa,CAAC;IAC7B,UAAU,EAAE,UAAU,CAAC;CACxB;AAaD;;GAEG;AACH,qBAAa,QAAQ;IACnB,OAAO,CAAC,KAAK,CAAc;IAC3B,OAAO,CAAC,SAAS,CAAM;IACvB,OAAO,CAAC,UAAU,CAAM;gBAEZ,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,EAAE,UAAU,EAAE,GAAG;IAM/D;;OAEG;WACU,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC;IAO1C;;OAEG;WACU,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAWtD;;OAEG;IACG,MAAM,IAAI,OAAO,CAAC,MAAM,CAAC;IAU/B;;OAEG;IACH,YAAY,IAAI,GAAG;IAInB;;OAEG;IACG,eAAe,IAAI,OAAO,CAAC,MAAM,CAAC;IAKxC;;OAEG;IACH,aAAa,IAAI,GAAG;IAIpB;;;OAGG;IACG,aAAa,IAAI,OAAO,CAAC,UAAU,CAAC;IA0C1C;;OAEG;WACU,qBAAqB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC;IAqDvE;;;;;;;;OAQG;IACG,yBAAyB,CAC7B,OAAO,EAAE,OAAO,GACf,OAAO,CAAC;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,OAAO,EAAE,cAAc,GAAG,IAAI,CAAA;KAAE,CAAC;IAwDhE;;;;;;;;OAQG;IACG,0BAA0B,CAC9B,QAAQ,EAAE,QAAQ,EAClB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,QAAQ,CAAC;IAmCpB;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAyD5B"}

package/dist/cjs/identity.js

@@ -1,8 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Identity = void 0;
-const core_1 = require("@hpke/core");
+const hpke_1 = require("hpke");
 const protocol_js_1 = require("./protocol.js");
+const derive_js_1 = require("./derive.js");
+/**
+ * Creates a new CipherSuite for X25519/HKDF-SHA256/AES-256-GCM
+ */
+function createSuite() {
+    return new hpke_1.CipherSuite(hpke_1.KEM_DHKEM_X25519_HKDF_SHA256, hpke_1.KDF_HKDF_SHA256, hpke_1.AEAD_AES_256_GCM);
+}
 /**
  * Identity class for managing HPKE key pairs and encryption/decryption
  */
@@ -19,48 +26,34 @@ class Identity {
      * Generate a new identity with X25519 key pair
      */
     static async generate() {
-        const suite = new core_1.CipherSuite({
-            kem: new core_1.DhkemX25519HkdfSha256(),
-            kdf: new core_1.HkdfSha256(),
-            aead: new core_1.Aes256Gcm()
-        });
-        const { publicKey, privateKey } = await suite.kem.generateKeyPair();
-        // Make sure the public key is extractable for serialization
-        const extractablePublicKey = await crypto.subtle.importKey('raw', await crypto.subtle.exportKey('raw', publicKey), { name: 'X25519' }, true, // extractable
-        []);
-        return new Identity(suite, extractablePublicKey, privateKey);
+        const suite = createSuite();
+        const { publicKey, privateKey } = await suite.GenerateKeyPair(true); // extractable
+        return new Identity(suite, publicKey, privateKey);
     }
     /**
      * Create identity from JSON string
      */
     static async fromJSON(json) {
         const data = JSON.parse(json);
-        const suite = new core_1.CipherSuite({
-            kem: new core_1.DhkemX25519HkdfSha256(),
-            kdf: new core_1.HkdfSha256(),
-            aead: new core_1.Aes256Gcm()
-        });
-        // Import public key
-        const publicKey = await crypto.subtle.importKey('raw', new Uint8Array(data.publicKey), { name: 'X25519' }, true, // extractable
-        []);
-        // Deserialize private key using HPKE library
-        const privateKey = await suite.kem.deserializePrivateKey(new Uint8Array(data.privateKey).buffer);
+        const suite = createSuite();
+        // Deserialize keys using the suite
+        const publicKey = await suite.DeserializePublicKey(new Uint8Array(data.publicKey));
+        const privateKey = await suite.DeserializePrivateKey(new Uint8Array(data.privateKey), true);
         return new Identity(suite, publicKey, privateKey);
     }
     /**
      * Convert identity to JSON string
      */
     async toJSON() {
-        const publicKeyBytes = new Uint8Array(await crypto.subtle.exportKey('raw', this.publicKey));
-        // For X25519, we need to use the HPKE library's serialization for private keys
-        const privateKeyBytes = await this.suite.kem.serializePrivateKey(this.privateKey);
+        const publicKeyBytes = await this.suite.SerializePublicKey(this.publicKey);
+        const privateKeyBytes = await this.suite.SerializePrivateKey(this.privateKey);
         return JSON.stringify({
             publicKey: Array.from(publicKeyBytes),
-            privateKey: Array.from(new Uint8Array(privateKeyBytes))
+            privateKey: Array.from(privateKeyBytes),
         });
     }
     /**
-     * Get public key as CryptoKey
+     * Get public key
      */
     getPublicKey() {
         return this.publicKey;
@@ -69,13 +62,11 @@ class Identity {
      * Get public key as hex string
      */
     async getPublicKeyHex() {
-        const exported = await crypto.subtle.exportKey('raw', this.publicKey);
-        return Array.from(new Uint8Array(exported))
-            .map(b => b.toString(16).padStart(2, '0'))
-            .join('');
+        const exported = await this.suite.SerializePublicKey(this.publicKey);
+        return (0, derive_js_1.bytesToHex)(exported);
     }
     /**
-     * Get private key as CryptoKey
+     * Get private key
      */
     getPrivateKey() {
         return this.privateKey;
@@ -89,7 +80,7 @@ class Identity {
         const kdfId = protocol_js_1.HPKE_CONFIG.KDF;
         const aeadId = protocol_js_1.HPKE_CONFIG.AEAD;
         // Export public key as raw bytes
-        const publicKeyBytes = new Uint8Array(await crypto.subtle.exportKey('raw', this.publicKey));
+        const publicKeyBytes = await this.suite.SerializePublicKey(this.publicKey);
         // Key ID (1 byte) + KEM ID (2 bytes) + Public Key + Cipher Suites
         const keyId = 0;
         const publicKeySize = publicKeyBytes.length;
@@ -99,20 +90,20 @@ class Identity {
         // Key ID
         buffer[offset++] = keyId;
         // KEM ID
-        buffer[offset++] = (kemId >> 8) & 0xFF;
-        buffer[offset++] = kemId & 0xFF;
+        buffer[offset++] = (kemId >> 8) & 0xff;
+        buffer[offset++] = kemId & 0xff;
         // Public Key
         buffer.set(publicKeyBytes, offset);
         offset += publicKeySize;
         // Cipher Suites Length (2 bytes)
-        buffer[offset++] = (cipherSuitesSize >> 8) & 0xFF;
-        buffer[offset++] = cipherSuitesSize & 0xFF;
+        buffer[offset++] = (cipherSuitesSize >> 8) & 0xff;
+        buffer[offset++] = cipherSuitesSize & 0xff;
         // KDF ID
-        buffer[offset++] = (kdfId >> 8) & 0xFF;
-        buffer[offset++] = kdfId & 0xFF;
+        buffer[offset++] = (kdfId >> 8) & 0xff;
+        buffer[offset++] = kdfId & 0xff;
         // AEAD ID
-        buffer[offset++] = (aeadId >> 8) & 0xFF;
-        buffer[offset++] = aeadId & 0xFF;
+        buffer[offset++] = (aeadId >> 8) & 0xff;
+        buffer[offset++] = aeadId & 0xff;
         return buffer;
     }
     /**
@@ -147,140 +138,155 @@ class Identity {
         if (firstSuite.kdfId !== protocol_js_1.HPKE_CONFIG.KDF || firstSuite.aeadId !== protocol_js_1.HPKE_CONFIG.AEAD) {
             throw new Error(`Unsupported cipher suite: KDF=0x${firstSuite.kdfId.toString(16)}, AEAD=0x${firstSuite.aeadId.toString(16)}`);
         }
-        // Create cipher suite (currently only supports X25519/HKDF-SHA256/AES-256-GCM)
-        const suite = new core_1.CipherSuite({
-            kem: new core_1.DhkemX25519HkdfSha256(),
-            kdf: new core_1.HkdfSha256(),
-            aead: new core_1.Aes256Gcm()
-        });
-        // Import public key using HPKE library
-        const publicKey = await suite.kem.deserializePublicKey(publicKeyBytes.buffer);
+        // Create cipher suite
+        const suite = createSuite();
+        // Import public key
+        const publicKey = await suite.DeserializePublicKey(publicKeyBytes);
         // For server config, we only have the public key, no private key
         // We'll create a dummy private key that won't be used
-        const dummyPrivateKey = await suite.kem.deserializePrivateKey(new Uint8Array(32).buffer);
+        const dummyPrivateKey = await suite.DeserializePrivateKey(new Uint8Array(32), false);
         return new Identity(suite, publicKey, dummyPrivateKey);
     }
     /**
-     * Encrypt request body and set appropriate headers
+     * Encrypt request body and return context for response decryption.
+     *
+     * This method is called on the SERVER's identity (public key only).
+     * It:
+     * 1. Creates an HPKE sender context to this identity's public key
+     * 2. Encrypts the request body
+     * 3. Returns a RequestContext that must be used to decrypt the response
      */
-    async encryptRequest(request, serverPublicKey) {
+    async encryptRequestWithContext(request) {
         const body = await request.arrayBuffer();
+        // Bodyless requests pass through unmodified - no HPKE context needed.
+        // See SPEC.md Section 5.1: "When the request has no payload body, an encrypted
+        // response is not possible (since there is no HPKE context to derive response
+        // keys from). Such requests pass through unmodified."
         if (body.byteLength === 0) {
-            // No body to encrypt, just set client public key header
-            const headers = new Headers(request.headers);
-            headers.set(protocol_js_1.PROTOCOL.CLIENT_PUBLIC_KEY_HEADER, await this.getPublicKeyHex());
-            return new Request(request.url, {
-                method: request.method,
-                headers,
-                body: null
-            });
+            return {
+                request: new Request(request.url, {
+                    method: request.method,
+                    headers: request.headers,
+                    body: null,
+                }),
+                context: null,
+            };
         }
-        // Create sender for encryption
-        const sender = await this.suite.createSenderContext({
-            recipientPublicKey: serverPublicKey
+        // Create sender context for encryption with info parameter for domain separation
+        const infoBytes = new TextEncoder().encode(derive_js_1.HPKE_REQUEST_INFO);
+        const { encapsulatedSecret, ctx } = await this.suite.SetupSender(this.publicKey, {
+            info: infoBytes,
         });
+        // Store context for response decryption
+        const context = {
+            senderContext: ctx,
+            requestEnc: encapsulatedSecret,
+        };
+        // Set headers - only encapsulated key for requests with body
+        const headers = new Headers(request.headers);
+        headers.set(protocol_js_1.PROTOCOL.ENCAPSULATED_KEY_HEADER, (0, derive_js_1.bytesToHex)(context.requestEnc));
         // Encrypt the body
-        const encrypted = await sender.seal(body);
-        // Get encapsulated key
-        const encapKey = sender.enc;
+        const encrypted = await ctx.Seal(new Uint8Array(body));
         // Create chunked format: 4-byte length header + encrypted data
         const chunkLength = new Uint8Array(4);
-        const view = new DataView(chunkLength.buffer);
-        view.setUint32(0, encrypted.byteLength, false); // Big-endian
+        new DataView(chunkLength.buffer).setUint32(0, encrypted.byteLength, false);
         const chunkedData = new Uint8Array(4 + encrypted.byteLength);
         chunkedData.set(chunkLength, 0);
-        chunkedData.set(new Uint8Array(encrypted), 4);
-        // Create new request with encrypted body and headers
-        const headers = new Headers(request.headers);
-        headers.set(protocol_js_1.PROTOCOL.CLIENT_PUBLIC_KEY_HEADER, await this.getPublicKeyHex());
-        headers.set(protocol_js_1.PROTOCOL.ENCAPSULATED_KEY_HEADER, Array.from(new Uint8Array(encapKey))
-            .map(b => b.toString(16).padStart(2, '0'))
-            .join(''));
-        return new Request(request.url, {
-            method: request.method,
-            headers,
-            body: chunkedData,
-            duplex: 'half'
-        });
+        chunkedData.set(encrypted, 4);
+        return {
+            request: new Request(request.url, {
+                method: request.method,
+                headers,
+                body: chunkedData,
+                duplex: 'half',
+            }),
+            context,
+        };
     }
     /**
-     * Decrypt response body
+     * Decrypt response using keys derived from request context.
+     *
+     * This method:
+     * 1. Reads the response nonce from Ehbp-Response-Nonce header
+     * 2. Exports a secret from the HPKE sender context
+     * 3. Derives response keys using HKDF
+     * 4. Decrypts the response body
      */
-    async decryptResponse(response, serverEncapKey) {
+    async decryptResponseWithContext(response, context) {
         if (!response.body) {
             return response;
         }
-        // Create receiver for decryption
-        const receiver = await this.suite.createRecipientContext({
-            recipientKey: this.privateKey,
-            enc: serverEncapKey.buffer
+        // Get response nonce from header
+        const responseNonceHex = response.headers.get(protocol_js_1.PROTOCOL.RESPONSE_NONCE_HEADER);
+        if (!responseNonceHex) {
+            throw new Error(`Missing ${protocol_js_1.PROTOCOL.RESPONSE_NONCE_HEADER} header`);
+        }
+        const responseNonce = (0, derive_js_1.hexToBytes)(responseNonceHex);
+        if (responseNonce.length !== derive_js_1.RESPONSE_NONCE_LENGTH) {
+            throw new Error(`Invalid response nonce length: expected ${derive_js_1.RESPONSE_NONCE_LENGTH}, got ${responseNonce.length}`);
+        }
+        // Export secret from request context
+        const exportLabelBytes = new TextEncoder().encode(derive_js_1.EXPORT_LABEL);
+        const exportedSecret = await context.senderContext.Export(exportLabelBytes, derive_js_1.EXPORT_LENGTH);
+        // Derive response keys
+        const km = await (0, derive_js_1.deriveResponseKeys)(exportedSecret, context.requestEnc, responseNonce);
+        // Create decrypting stream
+        const decryptedStream = this.createDecryptStream(response.body, km);
+        return new Response(decryptedStream, {
+            status: response.status,
+            statusText: response.statusText,
+            headers: response.headers,
         });
-        // Create a readable stream that decrypts chunks as they arrive
-        const decryptedStream = new ReadableStream({
-            start(controller) {
-                const reader = response.body.getReader();
-                let buffer = new Uint8Array(0);
-                let offset = 0;
-                async function pump() {
-                    try {
-                        while (true) {
-                            const { done, value } = await reader.read();
-                            if (done)
-                                break;
-                            // Append new data to buffer
-                            const newBuffer = new Uint8Array(buffer.length + value.length);
-                            newBuffer.set(buffer);
-                            newBuffer.set(value, buffer.length);
-                            buffer = newBuffer;
-                            // Process complete chunks
-                            while (offset + 4 <= buffer.length) {
-                                // Read chunk length (4 bytes big-endian)
-                                const chunkLength = (buffer[offset] << 24) |
-                                    (buffer[offset + 1] << 16) |
-                                    (buffer[offset + 2] << 8) |
-                                    buffer[offset + 3];
-                                offset += 4;
-                                if (chunkLength === 0) {
-                                    continue; // Empty chunk
-                                }
-                                // Check if we have the complete chunk
-                                if (offset + chunkLength > buffer.length) {
-                                    // Not enough data yet, rewind offset and wait for more
-                                    offset -= 4;
-                                    break;
-                                }
-                                // Extract and decrypt the chunk
-                                const encryptedChunk = buffer.slice(offset, offset + chunkLength);
-                                offset += chunkLength;
-                                try {
-                                    const decryptedChunk = await receiver.open(encryptedChunk.buffer);
-                                    controller.enqueue(new Uint8Array(decryptedChunk));
-                                }
-                                catch (error) {
-                                    controller.error(new Error(`Failed to decrypt chunk: ${error}`));
-                                    return;
-                                }
+    }
+    /**
+     * Creates a ReadableStream that decrypts response chunks.
+     */
+    createDecryptStream(body, km) {
+        let buffer = new Uint8Array(0);
+        let seq = 0;
+        const reader = body.getReader();
+        return new ReadableStream({
+            async pull(controller) {
+                while (true) {
+                    // Try to read a complete chunk from buffer
+                    if (buffer.length >= 4) {
+                        const chunkLength = (buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | buffer[3];
+                        if (chunkLength === 0) {
+                            // Skip empty chunk
+                            buffer = buffer.slice(4);
+                            continue;
+                        }
+                        if (buffer.length >= 4 + chunkLength) {
+                            const ciphertext = buffer.slice(4, 4 + chunkLength);
+                            buffer = buffer.slice(4 + chunkLength);
+                            try {
+                                const plaintext = await (0, derive_js_1.decryptChunk)(km, seq++, ciphertext);
+                                controller.enqueue(plaintext);
+                                return;
                             }
-                            // Remove processed data from buffer
-                            if (offset > 0) {
-                                buffer = buffer.slice(offset);
-                                offset = 0;
+                            catch (error) {
+                                controller.error(new Error(`Decryption failed at chunk ${seq - 1}: ${error}`));
+                                return;
                             }
                         }
-                        controller.close();
                     }
-                    catch (error) {
-                        controller.error(error);
+                    // Need more data
+                    const { done, value } = await reader.read();
+                    if (done) {
+                        controller.close();
+                        return;
                     }
+                    // Append to buffer
+                    const newBuffer = new Uint8Array(buffer.length + value.length);
+                    newBuffer.set(buffer);
+                    newBuffer.set(value, buffer.length);
+                    buffer = newBuffer;
                 }
-                pump();
-            }
-        });
-        // Create new response with decrypted stream
-        return new Response(decryptedStream, {
-            status: response.status,
-            statusText: response.statusText,
-            headers: response.headers
+            },
+            cancel(reason) {
+                // Release the underlying reader when the stream is cancelled
+                return reader.cancel(reason);
+            },
         });
     }
 }