npm - ksef-client-ts - Versions diffs - 0.7.1 → 0.8.0-alpha.0 - Mend

ksef-client-ts 0.7.1 → 0.8.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/cli.js CHANGED Viewed

@@ -2371,7 +2371,7 @@ ${lines.join("\n")}
 });
 // src/crypto/cryptography-service.ts
-import * as crypto from "crypto";
+import * as crypto from "node:crypto";
 import * as x509 from "@peculiar/x509";
 function setCryptoProvider() {
   x509.cryptoProvider.set(crypto.webcrypto);
@@ -2453,20 +2453,13 @@ var init_cryptography_service = __esm({
        * Generate a random AES-256 key and IV, then wrap the key with the
        * SymmetricKeyEncryption certificate's RSA public key (RSA-OAEP SHA-256).
        */
-      getEncryptionData() {
+      async getEncryptionData() {
         const key = crypto.randomBytes(32);
         const iv = crypto.randomBytes(16);
         const certPem = this.fetcher.getSymmetricKeyEncryptionPem();
-        const encryptedKey = crypto.publicEncrypt(
-          {
-            key: certPem,
-            oaepHash: "sha256",
-            padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
-          },
-          key
-        );
+        const encryptedKey = await this.rsaOaepEncrypt(certPem, new Uint8Array(key));
         const encryptionInfo = {
-          encryptedSymmetricKey: encryptedKey.toString("base64"),
+          encryptedSymmetricKey: Buffer.from(encryptedKey).toString("base64"),
           initializationVector: iv.toString("base64")
         };
         return {
@@ -2491,14 +2484,14 @@ var init_cryptography_service = __esm({
        * The EC variant outputs bytes in the Java-compatible format:
        * `[ephemeralSPKI | nonce(12) | ciphertext+tag]`.
        */
-      encryptKsefToken(token, challengeTimestamp) {
+      async encryptKsefToken(token, challengeTimestamp) {
         const timestampMs = new Date(challengeTimestamp).getTime();
         const plaintext = Buffer.from(`${token}|${timestampMs}`, "utf-8");
         const certPem = this.fetcher.getKsefTokenEncryptionPem();
         const cert = new crypto.X509Certificate(certPem);
         const publicKey = cert.publicKey;
         if (publicKey.asymmetricKeyType === "rsa") {
-          return this.encryptRsaOaep(certPem, plaintext);
+          return this.rsaOaepEncrypt(certPem, plaintext);
         }
         if (publicKey.asymmetricKeyType === "ec") {
           return this.encryptEcdhAesGcm(publicKey, plaintext);
@@ -2589,18 +2582,40 @@ var init_cryptography_service = __esm({
       // ---------------------------------------------------------------------------
       // Private helpers
       // ---------------------------------------------------------------------------
-      /** RSA-OAEP SHA-256 encryption. */
-      encryptRsaOaep(certPem, plaintext) {
-        return new Uint8Array(
-          crypto.publicEncrypt(
-            {
-              key: certPem,
-              oaepHash: "sha256",
-              padding: crypto.constants.RSA_PKCS1_OAEP_PADDING
-            },
-            plaintext
-          )
+      /**
+       * Extract the public-key SPKI DER bytes from a CERTIFICATE PEM. Web Crypto's
+       * `importKey('spki', ...)` consumes raw DER; we parse the cert via native
+       * `X509Certificate` (available on Node and Deno) and export the key directly.
+       */
+      spkiDerFromCert(certPem) {
+        const publicKey = new crypto.X509Certificate(certPem).publicKey;
+        return new Uint8Array(publicKey.export({ type: "spki", format: "der" }));
+      }
+      /**
+       * RSA-OAEP SHA-256 encryption via Web Crypto.
+       *
+       * Uses `crypto.webcrypto.subtle` instead of `node:crypto.publicEncrypt`
+       * because Deno's Node-compat layer silently ignores the `oaepHash` option
+       * and defaults MGF1+OAEP to SHA-1, producing ciphertext KSeF rejects as
+       * "Invalid token encryption". Web Crypto requires the hash up-front in
+       * `importKey` as part of the key's algorithm identity, so there is no room
+       * for a runtime to swap it — output is identical OAEP-SHA256 on every
+       * Web Crypto implementation (Node 18+, Deno, Bun, browsers, edge runtimes).
+       */
+      async rsaOaepEncrypt(certPem, plaintext) {
+        const key = await crypto.webcrypto.subtle.importKey(
+          "spki",
+          this.spkiDerFromCert(certPem),
+          { name: "RSA-OAEP", hash: "SHA-256" },
+          false,
+          ["encrypt"]
+        );
+        const ciphertext = await crypto.webcrypto.subtle.encrypt(
+          { name: "RSA-OAEP" },
+          key,
+          plaintext
         );
+        return new Uint8Array(ciphertext);
       }
       /**
        * ECDH (P-256) + AES-256-GCM encryption.
@@ -2632,7 +2647,7 @@ var init_cryptography_service = __esm({
 });
 // src/qr/verification-link-service.ts
-import crypto2 from "crypto";
+import crypto2 from "node:crypto";
 var VerificationLinkService;
 var init_verification_link_service = __esm({
   "src/qr/verification-link-service.ts"() {
@@ -2938,7 +2953,7 @@ var init_document_structures = __esm({
 });
 // src/workflows/offline-invoice-workflow.ts
-import crypto3 from "crypto";
+import crypto3 from "node:crypto";
 var OfflineInvoiceWorkflow;
 var init_offline_invoice_workflow = __esm({
   "src/workflows/offline-invoice-workflow.ts"() {
@@ -3051,7 +3066,7 @@ var init_offline_invoice_workflow = __esm({
         }
         if (pending.length === 0) return result;
         await client.crypto.init();
-        const encData = client.crypto.getEncryptionData();
+        const encData = await client.crypto.getEncryptionData();
         const formCode = options.formCode ?? DEFAULT_FORM_CODE;
         const openResp = await client.onlineSession.openSession(
           { formCode, encryption: encData.encryptionInfo }
@@ -3140,7 +3155,7 @@ var init_offline_invoice_workflow = __esm({
         }
         const originalHash = crypto3.createHash("sha256").update(original.invoiceXml).digest("base64");
         await client.crypto.init();
-        const encData = client.crypto.getEncryptionData();
+        const encData = await client.crypto.getEncryptionData();
         const formCode = options.formCode ?? DEFAULT_FORM_CODE;
         const openResp = await client.onlineSession.openSession(
           { formCode, encryption: encData.encryptionInfo }
@@ -3230,7 +3245,7 @@ var signature_service_exports = {};
 __export(signature_service_exports, {
   SignatureService: () => SignatureService
 });
-import * as crypto4 from "crypto";
+import * as crypto4 from "node:crypto";
 import { ExclusiveCanonicalization } from "xml-crypto";
 import { DOMParser, XMLSerializer } from "@xmldom/xmldom";
 function pickRsaAlgo() {
@@ -3690,7 +3705,7 @@ var init_client = __esm({
       async loginWithToken(token, nip) {
         const challenge2 = await this.auth.getChallenge();
         await this.crypto.init();
-        const encryptedToken = this.crypto.encryptKsefToken(token, challenge2.timestamp);
+        const encryptedToken = await this.crypto.encryptKsefToken(token, challenge2.timestamp);
         const submitResult = await this.auth.submitKsefTokenAuthRequest({
           challenge: challenge2.challenge,
           contextIdentifier: { type: "Nip", value: nip },
@@ -6473,7 +6488,7 @@ var init_invoice_validator = __esm({
 });
 // src/builders/batch-file.ts
-import * as crypto6 from "crypto";
+import * as crypto6 from "node:crypto";
 function splitBuffer(data, maxPartSize) {
   if (data.length <= maxPartSize) {
     return [data];
@@ -6679,7 +6694,7 @@ async function uploadBatch(client, zipData, options) {
       }
     }
   }
-  const encData = client.crypto.getEncryptionData();
+  const encData = await client.crypto.getEncryptionData();
   const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
   const encryptFn = (part) => client.crypto.encryptAES256(part, encData.cipherKey, encData.cipherIv);
   const { batchFile, encryptedParts } = BatchFileBuilder.build(zipData, encryptFn, {
@@ -6727,7 +6742,7 @@ async function uploadBatchStream(client, zipStreamFactory, zipSize, options) {
     throw new Error("parallelism must be a positive integer");
   }
   await client.crypto.init();
-  const encData = client.crypto.getEncryptionData();
+  const encData = await client.crypto.getEncryptionData();
   const formCode = options?.formCode ?? DEFAULT_FORM_CODE;
   const encryptStreamFn = (stream) => client.crypto.encryptAES256Stream(stream, encData.cipherKey, encData.cipherIv);
   const hashStreamFn = (stream) => client.crypto.getFileMetadataFromStream(stream);
@@ -6802,18 +6817,18 @@ var init_batch_session_workflow = __esm({
 });
 // src/cli/index.ts
-import { readFileSync as readFileSync11 } from "fs";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { dirname as dirname3, resolve } from "path";
+import { readFileSync as readFileSync11 } from "node:fs";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+import { dirname as dirname3, resolve } from "node:path";
 import { defineCommand as defineCommand19, runMain } from "citty";
 // src/cli/commands/config.ts
 import { defineCommand } from "citty";
 // src/cli/config-store.ts
-import * as fs from "fs";
-import * as path from "path";
-import * as os from "os";
+import * as fs from "node:fs";
+import * as path from "node:path";
+import * as os from "node:os";
 // src/cli/types.ts
 var ENV_MAP = {
@@ -6892,9 +6907,9 @@ function outputWarning(msg) {
 }
 // src/cli/session-store.ts
-import * as fs2 from "fs";
-import * as path2 from "path";
-import * as os2 from "os";
+import * as fs2 from "node:fs";
+import * as path2 from "node:path";
+import * as os2 from "node:os";
 var SESSION_DIR = path2.join(os2.homedir(), ".ksef");
 var SESSION_FILE = path2.join(SESSION_DIR, "session.json");
 function loadSession() {
@@ -7149,7 +7164,7 @@ var configCommand = defineCommand({
 });
 // src/cli/commands/auth.ts
-import * as fs5 from "fs";
+import * as fs5 from "node:fs";
 import { defineCommand as defineCommand2 } from "citty";
 import { consola as consola7 } from "consola";
@@ -7161,9 +7176,9 @@ import { consola as consola6 } from "consola";
 import { consola as consola5 } from "consola";
 // src/cli/credentials-store.ts
-import * as fs3 from "fs";
-import * as path3 from "path";
-import * as os3 from "os";
+import * as fs3 from "node:fs";
+import * as path3 from "node:path";
+import * as os3 from "node:os";
 var CREDENTIALS_DIR = path3.join(os3.homedir(), ".ksef");
 var CREDENTIALS_FILE = path3.join(CREDENTIALS_DIR, "credentials.json");
 function loadCredentials() {
@@ -7196,7 +7211,7 @@ init_auth_xml_builder();
 async function authenticateWithToken(client, options) {
   const challenge2 = await client.auth.getChallenge();
   await client.crypto.init();
-  const encryptedToken = client.crypto.encryptKsefToken(options.token, challenge2.timestamp);
+  const encryptedToken = await client.crypto.encryptKsefToken(options.token, challenge2.timestamp);
   const submitResult = await client.auth.submitKsefTokenAuthRequest({
     challenge: challenge2.challenge,
     contextIdentifier: { type: "Nip", value: options.nip },
@@ -7303,9 +7318,9 @@ async function requireSession(globalOpts) {
 }
 // src/cli/pending-challenge-store.ts
-import * as fs4 from "fs";
-import * as path4 from "path";
-import * as os4 from "os";
+import * as fs4 from "node:fs";
+import * as path4 from "node:path";
+import * as os4 from "node:os";
 var PENDING_CHALLENGE_FILE = path4.join(os4.homedir(), ".ksef", "pending-challenge.json");
 function savePendingChallenge(data) {
   const dir = path4.dirname(PENDING_CHALLENGE_FILE);
@@ -7390,11 +7405,11 @@ var login = defineCommand2({
       if (token) {
         loginResult = await client.loginWithToken(token, nip);
       } else if (args.p12) {
-        const fs17 = await import("fs");
+        const fs17 = await import("node:fs");
         const p12Buffer = fs17.readFileSync(args.p12);
         loginResult = await client.loginWithPkcs12(p12Buffer, args["p12-password"] ?? "", nip);
       } else if (args.cert && args.key) {
-        const fs17 = await import("fs");
+        const fs17 = await import("node:fs");
         const certPem = fs17.readFileSync(args.cert, "utf-8");
         const keyPem = fs17.readFileSync(args.key, "utf-8");
         loginResult = await client.loginWithCertificate(certPem, keyPem, nip, args["key-password"]);
@@ -7745,7 +7760,7 @@ var authCommand = defineCommand2({
 });
 // src/cli/commands/session.ts
-import * as fs6 from "fs";
+import * as fs6 from "node:fs";
 import { defineCommand as defineCommand3 } from "citty";
 import { consola as consola8 } from "consola";
 init_document_structures();
@@ -7780,7 +7795,7 @@ var open = defineCommand3({
         throw new Error("NIP is required. Provide --nip or set it via `ksef config set --nip <nip>`.");
       }
       await client.crypto.init();
-      const encryptionData = client.crypto.getEncryptionData();
+      const encryptionData = await client.crypto.getEncryptionData();
       const formCodeKey = args.formCode;
       let formCode = DEFAULT_FORM_CODE;
       if (formCodeKey) {
@@ -8200,21 +8215,21 @@ var sessionCommand = defineCommand3({
 });
 // src/cli/commands/invoice.ts
-import * as fs11 from "fs";
-import * as path8 from "path";
-import { Readable } from "stream";
+import * as fs11 from "node:fs";
+import * as path8 from "node:path";
+import { Readable } from "node:stream";
 import { defineCommand as defineCommand6 } from "citty";
 import { consola as consola11 } from "consola";
 init_document_structures();
 // src/cli/commands/export-incremental.ts
-import * as fs8 from "fs";
-import * as path5 from "path";
+import * as fs8 from "node:fs";
+import * as path5 from "node:path";
 import { defineCommand as defineCommand4 } from "citty";
 import { consola as consola9 } from "consola";
 // src/workflows/hwm-storage.ts
-import * as fs7 from "fs/promises";
+import * as fs7 from "node:fs/promises";
 var FileHwmStore = class {
   constructor(filePath) {
     this.filePath = filePath;
@@ -8240,7 +8255,7 @@ init_zip();
 init_polling();
 // src/utils/hash.ts
-import crypto5 from "crypto";
+import crypto5 from "node:crypto";
 function sha256Base64(data) {
   return crypto5.createHash("sha256").update(data).digest("base64");
 }
@@ -8251,7 +8266,7 @@ function verifyHash(data, expectedHash) {
 // src/workflows/invoice-export-workflow.ts
 async function doExport(client, filters, options) {
   await client.crypto.init();
-  const encData = client.crypto.getEncryptionData();
+  const encData = await client.crypto.getEncryptionData();
   const opResp = await client.invoices.exportInvoices({
     encryption: encData.encryptionInfo,
     filters,
@@ -8492,10 +8507,10 @@ init_xml();
 init_invoice_validator();
 // src/validation/xsd-validator.ts
-import { createRequire } from "module";
-import * as fs9 from "fs";
-import * as path6 from "path";
-import { fileURLToPath, pathToFileURL } from "url";
+import { createRequire } from "node:module";
+import * as fs9 from "node:fs";
+import * as path6 from "node:path";
+import { fileURLToPath, pathToFileURL } from "node:url";
 var cachedPkgRoot = null;
 function locatePackageRoot() {
   if (cachedPkgRoot !== null) return cachedPkgRoot;
@@ -8600,8 +8615,8 @@ init_ksef_xsd_validation_error();
 // src/cli/commands/invoice-build-helpers.ts
 init_ksef_validation_error();
 init_ksef_xsd_validation_error();
-import * as fs10 from "fs";
-import * as path7 from "path";
+import * as fs10 from "node:fs";
+import * as path7 from "node:path";
 import { parse as parseYaml, YAMLParseError } from "yaml";
 // src/cli/commands/invoice-build-templates/fa2.json
@@ -9247,7 +9262,7 @@ var send = defineCommand6({
         }
         if (!args.json) consola11.start(`Sending ${xmlFiles.length} invoices via batch session...`);
         await client.crypto.init();
-        const encryptionData = client.crypto.getEncryptionData();
+        const encryptionData = await client.crypto.getEncryptionData();
         const parts = fileBuffers.map(({ content }, i) => {
           const metadata = client.crypto.getFileMetadata(new Uint8Array(content));
           return {
@@ -9424,7 +9439,7 @@ var exportCmd = defineCommand6({
       const { client } = await requireSession(globalOpts);
       if (!args.json) consola11.start("Starting invoice export...");
       await client.crypto.init();
-      const encryptionData = client.crypto.getEncryptionData();
+      const encryptionData = await client.crypto.getEncryptionData();
       const filters = buildQueryFilters(args);
       const result = await client.invoices.exportInvoices(
         { encryption: encryptionData.encryptionInfo, filters, onlyMetadata: args.onlyMetadata }
@@ -10279,11 +10294,11 @@ var tokenCommand = defineCommand8({
 // src/cli/commands/cert.ts
 import { defineCommand as defineCommand9 } from "citty";
 import { consola as consola13 } from "consola";
-import fs12 from "fs";
-import path9 from "path";
+import fs12 from "node:fs";
+import path9 from "node:path";
 // src/crypto/certificate-service.ts
-import * as crypto7 from "crypto";
+import * as crypto7 from "node:crypto";
 import * as x5092 from "@peculiar/x509";
 var CertificateService = class {
   static getSha256Fingerprint(certPem) {
@@ -10722,7 +10737,7 @@ var certCommand = defineCommand9({
 });
 // src/cli/commands/qr.ts
-import * as fs13 from "fs";
+import * as fs13 from "node:fs";
 import { defineCommand as defineCommand10 } from "citty";
 // src/qr/qrcode-service.ts
@@ -11874,9 +11889,9 @@ var completionCommand = defineCommand16({
 });
 // src/cli/commands/setup.ts
-import * as fs14 from "fs";
-import * as path10 from "path";
-import * as os5 from "os";
+import * as fs14 from "node:fs";
+import * as path10 from "node:path";
+import * as os5 from "node:os";
 import { defineCommand as defineCommand17 } from "citty";
 import { consola as consola16 } from "consola";
 init_patterns();
@@ -11884,7 +11899,7 @@ init_auth_xml_builder();
 init_polling();
 // src/cli/utils/open-folder.ts
-import { execFile } from "child_process";
+import { execFile } from "node:child_process";
 function openFolder(folderPath) {
   return new Promise((resolve2) => {
     const platform = process.platform;
@@ -12143,14 +12158,14 @@ var setupCommand = defineCommand17({
 });
 // src/cli/commands/offline.ts
-import * as fs16 from "fs";
+import * as fs16 from "node:fs";
 import { defineCommand as defineCommand18 } from "citty";
 import { consola as consola17 } from "consola";
 // src/offline/file-storage.ts
-import * as fs15 from "fs/promises";
-import * as path11 from "path";
-import * as os6 from "os";
+import * as fs15 from "node:fs/promises";
+import * as path11 from "node:path";
+import * as os6 from "node:os";
 // src/offline/storage.ts
 function matchesFilter(invoice3, filter) {