h3 1.2.0 → 1.2.1

package/dist/index.cjs

@@ -4,7 +4,6 @@ const ufo = require('ufo');
 const radix3 = require('radix3');
 const destr = require('destr');
 const cookieEs = require('cookie-es');
-const ironWebcrypto = require('iron-webcrypto');
 const crypto = require('uncrypto');
 
 function useBase(base, handler) {
@@ -590,6 +589,296 @@ ${header}: ${value}`;
   }
 }
 
+const base64urlEncode = (value) => (Buffer.isBuffer(value) ? value : Buffer.from(value)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+const defaults = {
+  encryption: {
+    saltBits: 256,
+    algorithm: "aes-256-cbc",
+    iterations: 1,
+    minPasswordlength: 32
+  },
+  integrity: {
+    saltBits: 256,
+    algorithm: "sha256",
+    iterations: 1,
+    minPasswordlength: 32
+  },
+  ttl: 0,
+  timestampSkewSec: 60,
+  localtimeOffsetMsec: 0
+};
+const clone = (options) => ({
+  ...options,
+  encryption: { ...options.encryption },
+  integrity: { ...options.integrity }
+});
+const algorithms = {
+  "aes-128-ctr": { keyBits: 128, ivBits: 128, name: "AES-CTR" },
+  "aes-256-cbc": { keyBits: 256, ivBits: 128, name: "AES-CBC" },
+  sha256: { keyBits: 256, name: "SHA-256" }
+};
+const macFormatVersion = "2";
+const macPrefix = `Fe26.${macFormatVersion}`;
+const randomBytes = (_crypto, size) => {
+  const bytes = Buffer.allocUnsafe(size);
+  _crypto.getRandomValues(bytes);
+  return bytes;
+};
+const randomBits = (_crypto, bits) => {
+  if (bits < 1) {
+    throw new Error("Invalid random bits count");
+  }
+  const bytes = Math.ceil(bits / 8);
+  return randomBytes(_crypto, bytes);
+};
+const pbkdf2 = async (_crypto, password, salt, iterations, keyLength, hash) => {
+  const textEncoder = new TextEncoder();
+  const passwordBuffer = textEncoder.encode(password);
+  const importedKey = await _crypto.subtle.importKey(
+    "raw",
+    passwordBuffer,
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const saltBuffer = textEncoder.encode(salt);
+  const params = { name: "PBKDF2", hash, salt: saltBuffer, iterations };
+  const derivation = await _crypto.subtle.deriveBits(
+    params,
+    importedKey,
+    keyLength * 8
+  );
+  return Buffer.from(derivation);
+};
+const generateKey = async (_crypto, password, options) => {
+  if (password == null || password.length === 0) {
+    throw new Error("Empty password");
+  }
+  if (options == null || typeof options !== "object") {
+    throw new Error("Bad options");
+  }
+  if (!(options.algorithm in algorithms)) {
+    throw new Error(`Unknown algorithm: ${options.algorithm}`);
+  }
+  const algorithm = algorithms[options.algorithm];
+  const result = {};
+  const hmac = options.hmac ?? false;
+  const id = hmac ? { name: "HMAC", hash: algorithm.name } : { name: algorithm.name };
+  const usage = hmac ? ["sign", "verify"] : ["encrypt", "decrypt"];
+  if (typeof password === "string") {
+    if (password.length < options.minPasswordlength) {
+      throw new Error(
+        `Password string too short (min ${options.minPasswordlength} characters required)`
+      );
+    }
+    let { salt = "" } = options;
+    if (!salt) {
+      const { saltBits = 0 } = options;
+      if (!saltBits) {
+        throw new Error("Missing salt and saltBits options");
+      }
+      const randomSalt = randomBits(_crypto, saltBits);
+      salt = randomSalt.toString("hex");
+    }
+    const derivedKey = await pbkdf2(
+      _crypto,
+      password,
+      salt,
+      options.iterations,
+      algorithm.keyBits / 8,
+      "SHA-1"
+    );
+    const importedEncryptionKey = await _crypto.subtle.importKey(
+      "raw",
+      derivedKey,
+      id,
+      false,
+      usage
+    );
+    result.key = importedEncryptionKey;
+    result.salt = salt;
+  } else {
+    if (password.length < algorithm.keyBits / 8) {
+      throw new Error("Key buffer (password) too small");
+    }
+    result.key = await _crypto.subtle.importKey(
+      "raw",
+      password,
+      id,
+      false,
+      usage
+    );
+    result.salt = "";
+  }
+  if (options.iv) {
+    result.iv = options.iv;
+  } else if ("ivBits" in algorithm) {
+    result.iv = randomBits(_crypto, algorithm.ivBits);
+  }
+  return result;
+};
+const encrypt = async (_crypto, password, options, data) => {
+  const key = await generateKey(_crypto, password, options);
+  const textEncoder = new TextEncoder();
+  const textBuffer = textEncoder.encode(data);
+  const encrypted = await _crypto.subtle.encrypt(
+    { name: algorithms[options.algorithm].name, iv: key.iv },
+    key.key,
+    textBuffer
+  );
+  return { encrypted: Buffer.from(encrypted), key };
+};
+const decrypt = async (_crypto, password, options, data) => {
+  const key = await generateKey(_crypto, password, options);
+  const decrypted = await _crypto.subtle.decrypt(
+    { name: algorithms[options.algorithm].name, iv: key.iv },
+    key.key,
+    Buffer.isBuffer(data) ? data : Buffer.from(data)
+  );
+  const textDecoder = new TextDecoder();
+  return textDecoder.decode(decrypted);
+};
+const hmacWithPassword = async (_crypto, password, options, data) => {
+  const key = await generateKey(_crypto, password, { ...options, hmac: true });
+  const textEncoder = new TextEncoder();
+  const textBuffer = textEncoder.encode(data);
+  const signed = await _crypto.subtle.sign(
+    { name: "HMAC" },
+    key.key,
+    textBuffer
+  );
+  const digest = base64urlEncode(Buffer.from(signed));
+  return { digest, salt: key.salt };
+};
+const normalizePassword = (password) => {
+  if (typeof password === "object" && !Buffer.isBuffer(password)) {
+    if ("secret" in password) {
+      return {
+        id: password.id,
+        encryption: password.secret,
+        integrity: password.secret
+      };
+    }
+    return {
+      id: password.id,
+      encryption: password.encryption,
+      integrity: password.integrity
+    };
+  }
+  return { encryption: password, integrity: password };
+};
+const seal = async (_crypto, object, password, options) => {
+  if (!password) {
+    throw new Error("Empty password");
+  }
+  const opts = clone(options);
+  const now = Date.now() + (opts.localtimeOffsetMsec || 0);
+  const objectString = JSON.stringify(object);
+  const pass = normalizePassword(password);
+  const { id = "" } = pass;
+  if (id && !/^\w+$/.test(id)) {
+    throw new Error("Invalid password id");
+  }
+  const { encrypted, key } = await encrypt(
+    _crypto,
+    pass.encryption,
+    opts.encryption,
+    objectString
+  );
+  const encryptedB64 = base64urlEncode(encrypted);
+  const iv = base64urlEncode(key.iv);
+  const expiration = opts.ttl ? now + opts.ttl : "";
+  const macBaseString = `${macPrefix}*${id}*${key.salt}*${iv}*${encryptedB64}*${expiration}`;
+  const mac = await hmacWithPassword(
+    _crypto,
+    pass.integrity,
+    opts.integrity,
+    macBaseString
+  );
+  const sealed = `${macBaseString}*${mac.salt}*${mac.digest}`;
+  return sealed;
+};
+const fixedTimeComparison = (a, b) => {
+  let mismatch = a.length === b.length ? 0 : 1;
+  if (mismatch) {
+    b = a;
+  }
+  for (let i = 0; i < a.length; i += 1) {
+    mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return mismatch === 0;
+};
+const unseal = async (_crypto, sealed, password, options) => {
+  if (!password) {
+    throw new Error("Empty password");
+  }
+  const opts = clone(options);
+  const now = Date.now() + (opts.localtimeOffsetMsec || 0);
+  const parts = sealed.split("*");
+  if (parts.length !== 8) {
+    throw new Error("Incorrect number of sealed components");
+  }
+  const prefix = parts[0];
+  const passwordId = parts[1];
+  const encryptionSalt = parts[2];
+  const encryptionIv = parts[3];
+  const encryptedB64 = parts[4];
+  const expiration = parts[5];
+  const hmacSalt = parts[6];
+  const hmac = parts[7];
+  const macBaseString = `${prefix}*${passwordId}*${encryptionSalt}*${encryptionIv}*${encryptedB64}*${expiration}`;
+  if (macPrefix !== prefix) {
+    throw new Error("Wrong mac prefix");
+  }
+  if (expiration) {
+    if (!/^\d+$/.test(expiration)) {
+      throw new Error("Invalid expiration");
+    }
+    const exp = Number.parseInt(expiration, 10);
+    if (exp <= now - opts.timestampSkewSec * 1e3) {
+      throw new Error("Expired seal");
+    }
+  }
+  if (typeof password === "undefined" || typeof password === "string" && password.length === 0) {
+    throw new Error("Empty password");
+  }
+  let pass;
+  if (typeof password === "object" && !Buffer.isBuffer(password)) {
+    if (!((passwordId || "default") in password)) {
+      throw new Error(`Cannot find password: ${passwordId}`);
+    }
+    pass = password[passwordId || "default"];
+  } else {
+    pass = password;
+  }
+  pass = normalizePassword(pass);
+  const macOptions = opts.integrity;
+  macOptions.salt = hmacSalt;
+  const mac = await hmacWithPassword(
+    _crypto,
+    pass.integrity,
+    macOptions,
+    macBaseString
+  );
+  if (!fixedTimeComparison(mac.digest, hmac)) {
+    throw new Error("Bad hmac value");
+  }
+  const encrypted = Buffer.from(encryptedB64, "base64");
+  const decryptOptions = opts.encryption;
+  decryptOptions.salt = encryptionSalt;
+  decryptOptions.iv = Buffer.from(encryptionIv, "base64");
+  const decrypted = await decrypt(
+    _crypto,
+    pass.encryption,
+    decryptOptions,
+    encrypted
+  );
+  if (decrypted) {
+    return JSON.parse(decrypted);
+  }
+  return null;
+};
+
 const DEFAULT_NAME = "h3";
 const DEFAULT_COOKIE = {
   path: "/",
@@ -632,11 +921,11 @@ async function getSession(event, config) {
     session.id = (config.crypto || crypto).randomUUID();
     await updateSession(event, config);
   } else {
-    const unsealed = await ironWebcrypto.unseal(
+    const unsealed = await unseal(
       config.crypto || crypto,
       reqCookie,
       config.password,
-      config.seal || ironWebcrypto.defaults
+      config.seal || defaults
     );
     Object.assign(session, unsealed);
   }
@@ -651,11 +940,11 @@ async function updateSession(event, config, update) {
   if (update) {
     Object.assign(session.data, update);
   }
-  const sealed = await ironWebcrypto.seal(
+  const sealed = await seal(
     config.crypto || crypto,
     session,
     config.password,
-    config.seal || ironWebcrypto.defaults
+    config.seal || defaults
   );
   setCookie(event, sessionName, sealed, config.cookie || DEFAULT_COOKIE);
   return session;

package/dist/index.d.ts

@@ -1,9 +1,55 @@
-import { SealOptions } from 'iron-webcrypto';
 import { CookieSerializeOptions } from 'cookie-es';
 import { IncomingMessage, ServerResponse, OutgoingMessage } from 'node:http';
 export { IncomingMessage as NodeIncomingMessage, ServerResponse as NodeServerResponse } from 'node:http';
 import * as ufo from 'ufo';
 
+/**
+ * seal() method options.
+ */
+interface SealOptionsSub {
+    /**
+     * The length of the salt (random buffer used to ensure that two identical objects will generate a different encrypted result). Defaults to 256.
+     */
+    saltBits: number;
+    /**
+     * The algorithm used. Defaults to 'aes-256-cbc' for encryption and 'sha256' for integrity.
+     */
+    algorithm: "aes-128-ctr" | "aes-256-cbc" | "sha256";
+    /**
+     * The number of iterations used to derive a key from the password. Defaults to 1.
+     */
+    iterations: number;
+    /**
+     * Minimum password size. Defaults to 32.
+     */
+    minPasswordlength: number;
+}
+/**
+ * Options for customizing the key derivation algorithm used to generate encryption and integrity verification keys as well as the algorithms and salt sizes used.
+ */
+interface SealOptions {
+    /**
+     * Encryption step options.
+     */
+    encryption: SealOptionsSub;
+    /**
+     * Integrity step options.
+     */
+    integrity: SealOptionsSub;
+    /**
+     * Sealed object lifetime in milliseconds where 0 means forever. Defaults to 0.
+     */
+    ttl: number;
+    /**
+     * Number of seconds of permitted clock skew for incoming expirations. Defaults to 60 seconds.
+     */
+    timestampSkewSec: number;
+    /**
+     * Local clock time offset, expressed in number of milliseconds (positive or negative). Defaults to 0.
+     */
+    localtimeOffsetMsec: number;
+}
+
 type SessionDataT = Record<string, string | number | boolean>;
 type SessionData<T extends SessionDataT = SessionDataT> = T;
 interface Session<T extends SessionDataT = SessionDataT> {

package/dist/index.mjs

@@ -2,7 +2,6 @@ import { withoutTrailingSlash, withoutBase, getQuery as getQuery$1 } from 'ufo';
 import { createRouter as createRouter$1 } from 'radix3';
 import destr from 'destr';
 import { parse as parse$1, serialize } from 'cookie-es';
-import { unseal, defaults, seal } from 'iron-webcrypto';
 import crypto from 'uncrypto';
 
 function useBase(base, handler) {
@@ -588,6 +587,296 @@ ${header}: ${value}`;
   }
 }
 
+const base64urlEncode = (value) => (Buffer.isBuffer(value) ? value : Buffer.from(value)).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+const defaults = {
+  encryption: {
+    saltBits: 256,
+    algorithm: "aes-256-cbc",
+    iterations: 1,
+    minPasswordlength: 32
+  },
+  integrity: {
+    saltBits: 256,
+    algorithm: "sha256",
+    iterations: 1,
+    minPasswordlength: 32
+  },
+  ttl: 0,
+  timestampSkewSec: 60,
+  localtimeOffsetMsec: 0
+};
+const clone = (options) => ({
+  ...options,
+  encryption: { ...options.encryption },
+  integrity: { ...options.integrity }
+});
+const algorithms = {
+  "aes-128-ctr": { keyBits: 128, ivBits: 128, name: "AES-CTR" },
+  "aes-256-cbc": { keyBits: 256, ivBits: 128, name: "AES-CBC" },
+  sha256: { keyBits: 256, name: "SHA-256" }
+};
+const macFormatVersion = "2";
+const macPrefix = `Fe26.${macFormatVersion}`;
+const randomBytes = (_crypto, size) => {
+  const bytes = Buffer.allocUnsafe(size);
+  _crypto.getRandomValues(bytes);
+  return bytes;
+};
+const randomBits = (_crypto, bits) => {
+  if (bits < 1) {
+    throw new Error("Invalid random bits count");
+  }
+  const bytes = Math.ceil(bits / 8);
+  return randomBytes(_crypto, bytes);
+};
+const pbkdf2 = async (_crypto, password, salt, iterations, keyLength, hash) => {
+  const textEncoder = new TextEncoder();
+  const passwordBuffer = textEncoder.encode(password);
+  const importedKey = await _crypto.subtle.importKey(
+    "raw",
+    passwordBuffer,
+    "PBKDF2",
+    false,
+    ["deriveBits"]
+  );
+  const saltBuffer = textEncoder.encode(salt);
+  const params = { name: "PBKDF2", hash, salt: saltBuffer, iterations };
+  const derivation = await _crypto.subtle.deriveBits(
+    params,
+    importedKey,
+    keyLength * 8
+  );
+  return Buffer.from(derivation);
+};
+const generateKey = async (_crypto, password, options) => {
+  if (password == null || password.length === 0) {
+    throw new Error("Empty password");
+  }
+  if (options == null || typeof options !== "object") {
+    throw new Error("Bad options");
+  }
+  if (!(options.algorithm in algorithms)) {
+    throw new Error(`Unknown algorithm: ${options.algorithm}`);
+  }
+  const algorithm = algorithms[options.algorithm];
+  const result = {};
+  const hmac = options.hmac ?? false;
+  const id = hmac ? { name: "HMAC", hash: algorithm.name } : { name: algorithm.name };
+  const usage = hmac ? ["sign", "verify"] : ["encrypt", "decrypt"];
+  if (typeof password === "string") {
+    if (password.length < options.minPasswordlength) {
+      throw new Error(
+        `Password string too short (min ${options.minPasswordlength} characters required)`
+      );
+    }
+    let { salt = "" } = options;
+    if (!salt) {
+      const { saltBits = 0 } = options;
+      if (!saltBits) {
+        throw new Error("Missing salt and saltBits options");
+      }
+      const randomSalt = randomBits(_crypto, saltBits);
+      salt = randomSalt.toString("hex");
+    }
+    const derivedKey = await pbkdf2(
+      _crypto,
+      password,
+      salt,
+      options.iterations,
+      algorithm.keyBits / 8,
+      "SHA-1"
+    );
+    const importedEncryptionKey = await _crypto.subtle.importKey(
+      "raw",
+      derivedKey,
+      id,
+      false,
+      usage
+    );
+    result.key = importedEncryptionKey;
+    result.salt = salt;
+  } else {
+    if (password.length < algorithm.keyBits / 8) {
+      throw new Error("Key buffer (password) too small");
+    }
+    result.key = await _crypto.subtle.importKey(
+      "raw",
+      password,
+      id,
+      false,
+      usage
+    );
+    result.salt = "";
+  }
+  if (options.iv) {
+    result.iv = options.iv;
+  } else if ("ivBits" in algorithm) {
+    result.iv = randomBits(_crypto, algorithm.ivBits);
+  }
+  return result;
+};
+const encrypt = async (_crypto, password, options, data) => {
+  const key = await generateKey(_crypto, password, options);
+  const textEncoder = new TextEncoder();
+  const textBuffer = textEncoder.encode(data);
+  const encrypted = await _crypto.subtle.encrypt(
+    { name: algorithms[options.algorithm].name, iv: key.iv },
+    key.key,
+    textBuffer
+  );
+  return { encrypted: Buffer.from(encrypted), key };
+};
+const decrypt = async (_crypto, password, options, data) => {
+  const key = await generateKey(_crypto, password, options);
+  const decrypted = await _crypto.subtle.decrypt(
+    { name: algorithms[options.algorithm].name, iv: key.iv },
+    key.key,
+    Buffer.isBuffer(data) ? data : Buffer.from(data)
+  );
+  const textDecoder = new TextDecoder();
+  return textDecoder.decode(decrypted);
+};
+const hmacWithPassword = async (_crypto, password, options, data) => {
+  const key = await generateKey(_crypto, password, { ...options, hmac: true });
+  const textEncoder = new TextEncoder();
+  const textBuffer = textEncoder.encode(data);
+  const signed = await _crypto.subtle.sign(
+    { name: "HMAC" },
+    key.key,
+    textBuffer
+  );
+  const digest = base64urlEncode(Buffer.from(signed));
+  return { digest, salt: key.salt };
+};
+const normalizePassword = (password) => {
+  if (typeof password === "object" && !Buffer.isBuffer(password)) {
+    if ("secret" in password) {
+      return {
+        id: password.id,
+        encryption: password.secret,
+        integrity: password.secret
+      };
+    }
+    return {
+      id: password.id,
+      encryption: password.encryption,
+      integrity: password.integrity
+    };
+  }
+  return { encryption: password, integrity: password };
+};
+const seal = async (_crypto, object, password, options) => {
+  if (!password) {
+    throw new Error("Empty password");
+  }
+  const opts = clone(options);
+  const now = Date.now() + (opts.localtimeOffsetMsec || 0);
+  const objectString = JSON.stringify(object);
+  const pass = normalizePassword(password);
+  const { id = "" } = pass;
+  if (id && !/^\w+$/.test(id)) {
+    throw new Error("Invalid password id");
+  }
+  const { encrypted, key } = await encrypt(
+    _crypto,
+    pass.encryption,
+    opts.encryption,
+    objectString
+  );
+  const encryptedB64 = base64urlEncode(encrypted);
+  const iv = base64urlEncode(key.iv);
+  const expiration = opts.ttl ? now + opts.ttl : "";
+  const macBaseString = `${macPrefix}*${id}*${key.salt}*${iv}*${encryptedB64}*${expiration}`;
+  const mac = await hmacWithPassword(
+    _crypto,
+    pass.integrity,
+    opts.integrity,
+    macBaseString
+  );
+  const sealed = `${macBaseString}*${mac.salt}*${mac.digest}`;
+  return sealed;
+};
+const fixedTimeComparison = (a, b) => {
+  let mismatch = a.length === b.length ? 0 : 1;
+  if (mismatch) {
+    b = a;
+  }
+  for (let i = 0; i < a.length; i += 1) {
+    mismatch |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  }
+  return mismatch === 0;
+};
+const unseal = async (_crypto, sealed, password, options) => {
+  if (!password) {
+    throw new Error("Empty password");
+  }
+  const opts = clone(options);
+  const now = Date.now() + (opts.localtimeOffsetMsec || 0);
+  const parts = sealed.split("*");
+  if (parts.length !== 8) {
+    throw new Error("Incorrect number of sealed components");
+  }
+  const prefix = parts[0];
+  const passwordId = parts[1];
+  const encryptionSalt = parts[2];
+  const encryptionIv = parts[3];
+  const encryptedB64 = parts[4];
+  const expiration = parts[5];
+  const hmacSalt = parts[6];
+  const hmac = parts[7];
+  const macBaseString = `${prefix}*${passwordId}*${encryptionSalt}*${encryptionIv}*${encryptedB64}*${expiration}`;
+  if (macPrefix !== prefix) {
+    throw new Error("Wrong mac prefix");
+  }
+  if (expiration) {
+    if (!/^\d+$/.test(expiration)) {
+      throw new Error("Invalid expiration");
+    }
+    const exp = Number.parseInt(expiration, 10);
+    if (exp <= now - opts.timestampSkewSec * 1e3) {
+      throw new Error("Expired seal");
+    }
+  }
+  if (typeof password === "undefined" || typeof password === "string" && password.length === 0) {
+    throw new Error("Empty password");
+  }
+  let pass;
+  if (typeof password === "object" && !Buffer.isBuffer(password)) {
+    if (!((passwordId || "default") in password)) {
+      throw new Error(`Cannot find password: ${passwordId}`);
+    }
+    pass = password[passwordId || "default"];
+  } else {
+    pass = password;
+  }
+  pass = normalizePassword(pass);
+  const macOptions = opts.integrity;
+  macOptions.salt = hmacSalt;
+  const mac = await hmacWithPassword(
+    _crypto,
+    pass.integrity,
+    macOptions,
+    macBaseString
+  );
+  if (!fixedTimeComparison(mac.digest, hmac)) {
+    throw new Error("Bad hmac value");
+  }
+  const encrypted = Buffer.from(encryptedB64, "base64");
+  const decryptOptions = opts.encryption;
+  decryptOptions.salt = encryptionSalt;
+  decryptOptions.iv = Buffer.from(encryptionIv, "base64");
+  const decrypted = await decrypt(
+    _crypto,
+    pass.encryption,
+    decryptOptions,
+    encrypted
+  );
+  if (decrypted) {
+    return JSON.parse(decrypted);
+  }
+  return null;
+};
+
 const DEFAULT_NAME = "h3";
 const DEFAULT_COOKIE = {
   path: "/",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "h3",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "Tiny JavaScript Server",
   "repository": "unjs/h3",
   "license": "MIT",
@@ -22,7 +22,6 @@
   "dependencies": {
     "cookie-es": "^0.5.0",
     "destr": "^1.2.2",
-    "iron-webcrypto": "^0.2.7",
     "radix3": "^1.0.0",
     "ufo": "^1.0.1",
     "uncrypto": "^0.1.2"