npm - leviathan-crypto - Versions diffs - 2.0.1 → 3.0.0 - Mend

leviathan-crypto 2.0.1 → 3.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (312) hide show

package/CLAUDE.md +88 -281
package/LICENSE +4 -0
package/README.md +275 -87
package/dist/aes/aes-cbc.d.ts +40 -0
package/dist/aes/aes-cbc.js +158 -0
package/dist/aes/aes-ctr.d.ts +50 -0
package/dist/aes/aes-ctr.js +141 -0
package/dist/aes/aes-gcm-siv.d.ts +67 -0
package/dist/aes/aes-gcm-siv.js +217 -0
package/dist/aes/aes-gcm.d.ts +61 -0
package/dist/aes/aes-gcm.js +226 -0
package/dist/aes/cipher-suite.d.ts +21 -0
package/dist/aes/cipher-suite.js +179 -0
package/dist/aes/embedded.d.ts +1 -0
package/dist/aes/embedded.js +26 -0
package/dist/aes/generator.d.ts +14 -0
package/dist/aes/generator.js +103 -0
package/dist/aes/index.d.ts +58 -0
package/dist/aes/index.js +125 -0
package/dist/aes/ops.d.ts +60 -0
package/dist/aes/ops.js +164 -0
package/dist/aes/pool-worker.d.ts +1 -0
package/dist/aes/pool-worker.js +92 -0
package/dist/aes/types.d.ts +1 -0
package/dist/aes/types.js +23 -0
package/dist/aes.wasm +0 -0
package/dist/blake3/embedded.d.ts +1 -0
package/dist/blake3/embedded.js +26 -0
package/dist/blake3/index.d.ts +143 -0
package/dist/blake3/index.js +620 -0
package/dist/blake3/types.d.ts +102 -0
package/dist/blake3/types.js +31 -0
package/dist/blake3/validate.d.ts +29 -0
package/dist/blake3/validate.js +80 -0
package/dist/blake3.wasm +0 -0
package/dist/chacha20/cipher-suite.d.ts +10 -0
package/dist/chacha20/cipher-suite.js +98 -13
package/dist/chacha20/generator.d.ts +12 -0
package/dist/chacha20/generator.js +91 -0
package/dist/chacha20/index.d.ts +100 -3
package/dist/chacha20/index.js +169 -35
package/dist/chacha20/ops.d.ts +57 -6
package/dist/chacha20/ops.js +107 -27
package/dist/chacha20/pool-worker.js +14 -0
package/dist/chacha20/types.d.ts +1 -32
package/dist/cte-wasm.d.ts +1 -0
package/dist/cte-wasm.js +3 -0
package/dist/cte.wasm +0 -0
package/dist/curve25519.wasm +0 -0
package/dist/ecdsa/der.d.ts +23 -0
package/dist/ecdsa/der.js +192 -0
package/dist/ecdsa/ecprivatekey-der.d.ts +32 -0
package/dist/ecdsa/ecprivatekey-der.js +230 -0
package/dist/ecdsa/embedded.d.ts +1 -0
package/dist/ecdsa/embedded.js +25 -0
package/dist/ecdsa/index.d.ts +124 -0
package/dist/ecdsa/index.js +366 -0
package/dist/ecdsa/types.d.ts +31 -0
package/dist/ecdsa/types.js +28 -0
package/dist/ecdsa/validate.d.ts +18 -0
package/dist/ecdsa/validate.js +92 -0
package/dist/ed25519/embedded.d.ts +1 -0
package/dist/ed25519/embedded.js +31 -0
package/dist/ed25519/index.d.ts +70 -0
package/dist/ed25519/index.js +308 -0
package/dist/ed25519/types.d.ts +27 -0
package/dist/ed25519/types.js +27 -0
package/dist/ed25519/validate.d.ts +7 -0
package/dist/ed25519/validate.js +77 -0
package/dist/embedded/aes-pool-worker.d.ts +1 -0
package/dist/embedded/aes-pool-worker.js +5 -0
package/dist/embedded/aes.d.ts +1 -0
package/dist/embedded/aes.js +3 -0
package/dist/embedded/blake3.d.ts +1 -0
package/dist/embedded/blake3.js +3 -0
package/dist/embedded/chacha20-pool-worker.d.ts +1 -0
package/dist/embedded/chacha20-pool-worker.js +5 -0
package/dist/embedded/chacha20.d.ts +1 -1
package/dist/embedded/chacha20.js +2 -2
package/dist/embedded/curve25519.d.ts +1 -0
package/dist/embedded/curve25519.js +3 -0
package/dist/embedded/mldsa.d.ts +1 -0
package/dist/embedded/mldsa.js +3 -0
package/dist/embedded/mlkem.d.ts +1 -0
package/dist/embedded/mlkem.js +3 -0
package/dist/embedded/p256.d.ts +1 -0
package/dist/embedded/p256.js +3 -0
package/dist/embedded/serpent-pool-worker.d.ts +1 -0
package/dist/embedded/serpent-pool-worker.js +5 -0
package/dist/embedded/serpent.d.ts +1 -1
package/dist/embedded/serpent.js +2 -2
package/dist/embedded/sha2.d.ts +1 -1
package/dist/embedded/sha2.js +2 -2
package/dist/embedded/sha3.d.ts +1 -1
package/dist/embedded/sha3.js +2 -2
package/dist/embedded/slhdsa.d.ts +1 -0
package/dist/embedded/slhdsa.js +3 -0
package/dist/errors.d.ts +92 -1
package/dist/errors.js +111 -1
package/dist/fortuna.d.ts +18 -12
package/dist/fortuna.js +166 -99
package/dist/index.d.ts +42 -11
package/dist/index.js +65 -20
package/dist/init.d.ts +1 -3
package/dist/init.js +73 -7
package/dist/keccak/embedded.js +1 -1
package/dist/keccak/index.d.ts +2 -0
package/dist/keccak/index.js +4 -2
package/dist/loader.d.ts +1 -19
package/dist/loader.js +26 -32
package/dist/merkle/blake3-tree.d.ts +35 -0
package/dist/merkle/blake3-tree.js +187 -0
package/dist/merkle/checkpoint.d.ts +58 -0
package/dist/merkle/checkpoint.js +217 -0
package/dist/merkle/index.d.ts +19 -0
package/dist/merkle/index.js +37 -0
package/dist/merkle/merkle-log.d.ts +130 -0
package/dist/merkle/merkle-log.js +207 -0
package/dist/merkle/merkle-verifier.d.ts +126 -0
package/dist/merkle/merkle-verifier.js +296 -0
package/dist/merkle/proof.d.ts +70 -0
package/dist/merkle/proof.js +300 -0
package/dist/merkle/sha256-tree.d.ts +33 -0
package/dist/merkle/sha256-tree.js +145 -0
package/dist/merkle/signed-log.d.ts +156 -0
package/dist/merkle/signed-log.js +356 -0
package/dist/merkle/signed-note.d.ts +309 -0
package/dist/merkle/signed-note.js +648 -0
package/dist/merkle/sth.d.ts +31 -0
package/dist/merkle/sth.js +31 -0
package/dist/merkle/storage.d.ts +40 -0
package/dist/merkle/storage.js +71 -0
package/dist/merkle/tree.d.ts +68 -0
package/dist/merkle/tree.js +94 -0
package/dist/mldsa/embedded.d.ts +1 -0
package/dist/{kyber → mldsa}/embedded.js +5 -5
package/dist/mldsa/expand.d.ts +53 -0
package/dist/mldsa/expand.js +188 -0
package/dist/mldsa/format.d.ts +16 -0
package/dist/mldsa/format.js +68 -0
package/dist/mldsa/hashvariant.d.ts +32 -0
package/dist/mldsa/hashvariant.js +248 -0
package/dist/mldsa/index.d.ts +142 -0
package/dist/mldsa/index.js +463 -0
package/dist/mldsa/keygen.d.ts +16 -0
package/dist/mldsa/keygen.js +232 -0
package/dist/mldsa/params.d.ts +21 -0
package/dist/mldsa/params.js +55 -0
package/dist/mldsa/sha3-helpers.d.ts +30 -0
package/dist/mldsa/sha3-helpers.js +124 -0
package/dist/mldsa/sign.d.ts +36 -0
package/dist/mldsa/sign.js +380 -0
package/dist/mldsa/types.d.ts +91 -0
package/dist/mldsa/types.js +25 -0
package/dist/mldsa/validate.d.ts +55 -0
package/dist/mldsa/validate.js +125 -0
package/dist/mldsa/verify.d.ts +29 -0
package/dist/mldsa/verify.js +269 -0
package/dist/mldsa.wasm +0 -0
package/dist/mlkem/embedded.d.ts +1 -0
package/dist/mlkem/embedded.js +27 -0
package/dist/mlkem/indcpa.d.ts +49 -0
package/dist/{kyber → mlkem}/indcpa.js +48 -48
package/dist/mlkem/index.d.ts +37 -0
package/dist/{kyber → mlkem}/index.js +41 -31
package/dist/mlkem/kem.d.ts +21 -0
package/dist/{kyber → mlkem}/kem.js +48 -13
package/dist/{kyber → mlkem}/params.d.ts +4 -4
package/dist/{kyber → mlkem}/params.js +2 -2
package/dist/mlkem/suite.d.ts +12 -0
package/dist/{kyber → mlkem}/suite.js +17 -12
package/dist/{kyber → mlkem}/types.d.ts +4 -3
package/dist/{kyber → mlkem}/types.js +1 -1
package/dist/mlkem/validate.d.ts +23 -0
package/dist/{kyber → mlkem}/validate.js +24 -20
package/dist/{kyber.wasm → mlkem.wasm} +0 -0
package/dist/p256.wasm +0 -0
package/dist/ratchet/index.d.ts +8 -0
package/dist/ratchet/index.js +38 -0
package/dist/ratchet/kdf-chain.d.ts +13 -0
package/dist/ratchet/kdf-chain.js +85 -0
package/dist/ratchet/ratchet-keypair.d.ts +9 -0
package/dist/ratchet/ratchet-keypair.js +61 -0
package/dist/ratchet/root-kdf.d.ts +4 -0
package/dist/ratchet/root-kdf.js +124 -0
package/dist/ratchet/skipped-key-store.d.ts +14 -0
package/dist/ratchet/skipped-key-store.js +154 -0
package/dist/ratchet/types.d.ts +36 -0
package/dist/ratchet/types.js +26 -0
package/dist/serpent/cipher-suite.d.ts +10 -0
package/dist/serpent/cipher-suite.js +144 -56
package/dist/serpent/generator.d.ts +12 -0
package/dist/serpent/generator.js +97 -0
package/dist/serpent/index.d.ts +62 -1
package/dist/serpent/index.js +97 -21
package/dist/serpent/pool-worker.js +28 -102
package/dist/serpent/serpent-cbc.d.ts +16 -6
package/dist/serpent/serpent-cbc.js +58 -37
package/dist/serpent/shared-ops.d.ts +63 -0
package/dist/serpent/shared-ops.js +178 -0
package/dist/serpent/types.d.ts +1 -5
package/dist/serpent.wasm +0 -0
package/dist/sha2/hash.d.ts +2 -0
package/dist/sha2/hash.js +53 -0
package/dist/sha2/hkdf.js +5 -5
package/dist/sha2/index.d.ts +22 -1
package/dist/sha2/index.js +80 -11
package/dist/sha2/types.d.ts +41 -2
package/dist/sha2.wasm +0 -0
package/dist/sha3/hash.d.ts +2 -0
package/dist/sha3/hash.js +53 -0
package/dist/sha3/index.d.ts +87 -3
package/dist/sha3/index.js +317 -19
package/dist/sha3/kmac.d.ts +121 -0
package/dist/sha3/kmac.js +800 -0
package/dist/sha3.wasm +0 -0
package/dist/shared/pkcs7.d.ts +22 -0
package/dist/shared/pkcs7.js +84 -0
package/dist/sign/ctx.d.ts +41 -0
package/dist/sign/ctx.js +102 -0
package/dist/sign/envelope.d.ts +45 -0
package/dist/sign/envelope.js +152 -0
package/dist/sign/hasher.d.ts +9 -0
package/dist/sign/hasher.js +132 -0
package/dist/sign/index.d.ts +11 -0
package/dist/sign/index.js +34 -0
package/dist/sign/sign-stream.d.ts +25 -0
package/dist/sign/sign-stream.js +112 -0
package/dist/sign/suites/ecdsa-p256.d.ts +2 -0
package/dist/sign/suites/ecdsa-p256.js +120 -0
package/dist/sign/suites/ed25519.d.ts +3 -0
package/dist/sign/suites/ed25519.js +165 -0
package/dist/sign/suites/hybrid-classical.d.ts +23 -0
package/dist/sign/suites/hybrid-classical.js +526 -0
package/dist/sign/suites/hybrid-pq.d.ts +4 -0
package/dist/sign/suites/hybrid-pq.js +234 -0
package/dist/sign/suites/mldsa.d.ts +7 -0
package/dist/sign/suites/mldsa.js +161 -0
package/dist/sign/suites/slhdsa.d.ts +7 -0
package/dist/sign/suites/slhdsa.js +176 -0
package/dist/sign/types.d.ts +106 -0
package/dist/sign/types.js +28 -0
package/dist/sign/verify-stream.d.ts +30 -0
package/dist/sign/verify-stream.js +227 -0
package/dist/slhdsa/embedded.d.ts +1 -0
package/dist/slhdsa/embedded.js +26 -0
package/dist/slhdsa/index.d.ts +149 -0
package/dist/slhdsa/index.js +493 -0
package/dist/slhdsa/params.d.ts +26 -0
package/dist/slhdsa/params.js +70 -0
package/dist/slhdsa/prehash.d.ts +68 -0
package/dist/slhdsa/prehash.js +307 -0
package/dist/slhdsa/sign.d.ts +39 -0
package/dist/slhdsa/sign.js +116 -0
package/dist/slhdsa/types.d.ts +129 -0
package/dist/slhdsa/types.js +27 -0
package/dist/slhdsa/validate.d.ts +60 -0
package/dist/slhdsa/validate.js +127 -0
package/dist/slhdsa/verify.d.ts +32 -0
package/dist/slhdsa/verify.js +107 -0
package/dist/slhdsa.wasm +0 -0
package/dist/stream/header.js +8 -8
package/dist/stream/index.d.ts +1 -0
package/dist/stream/index.js +1 -0
package/dist/stream/open-stream.js +65 -22
package/dist/stream/seal-stream-pool.d.ts +2 -0
package/dist/stream/seal-stream-pool.js +100 -33
package/dist/stream/seal-stream.d.ts +1 -1
package/dist/stream/seal-stream.js +48 -19
package/dist/stream/seal.js +6 -6
package/dist/stream/types.d.ts +3 -1
package/dist/stream/types.js +1 -1
package/dist/types.d.ts +22 -1
package/dist/types.js +1 -1
package/dist/utils.d.ts +9 -10
package/dist/utils.js +84 -59
package/dist/wasm-source.d.ts +9 -8
package/dist/wasm-source.js +1 -1
package/dist/x25519/embedded.d.ts +1 -0
package/dist/x25519/embedded.js +31 -0
package/dist/x25519/index.d.ts +43 -0
package/dist/x25519/index.js +159 -0
package/dist/x25519/types.d.ts +25 -0
package/dist/x25519/types.js +27 -0
package/dist/x25519/validate.d.ts +2 -0
package/dist/x25519/validate.js +39 -0
package/package.json +123 -64
package/SECURITY.md +0 -276
package/dist/ct-wasm.d.ts +0 -1
package/dist/ct-wasm.js +0 -3
package/dist/ct.wasm +0 -0
package/dist/docs/aead.md +0 -323
package/dist/docs/architecture.md +0 -932
package/dist/docs/argon2id.md +0 -302
package/dist/docs/chacha20.md +0 -674
package/dist/docs/exports.md +0 -241
package/dist/docs/fortuna.md +0 -313
package/dist/docs/init.md +0 -302
package/dist/docs/loader.md +0 -161
package/dist/docs/serpent.md +0 -519
package/dist/docs/sha2.md +0 -613
package/dist/docs/sha3.md +0 -546
package/dist/docs/types.md +0 -276
package/dist/docs/utils.md +0 -367
package/dist/embedded/kyber.d.ts +0 -1
package/dist/embedded/kyber.js +0 -3
package/dist/kyber/embedded.d.ts +0 -1
package/dist/kyber/indcpa.d.ts +0 -49
package/dist/kyber/index.d.ts +0 -38
package/dist/kyber/kem.d.ts +0 -21
package/dist/kyber/suite.d.ts +0 -13
package/dist/kyber/validate.d.ts +0 -19

package/dist/chacha20/ops.js CHANGED Viewed

@@ -1,11 +1,18 @@
 // src/ts/chacha20/ops.ts
 //
-// Raw XChaCha20-Poly1305 operations — standalone functions that take
+// Raw XChaCha20-Poly1305 operations, standalone functions that take
 // ChaChaExports explicitly. Used by both the class wrappers (index.ts)
 // and the pool worker (pool.worker.ts), eliminating duplication.
-import { constantTimeEqual } from '../utils.js';
+import { constantTimeEqual, wipe } from '../utils.js';
 import { AuthenticationError } from '../errors.js';
-// ── Module-private helpers ───────────────────────────────────────────────────
+// ── Module-private helpers ──────────────────────────────────────────────────
+/**
+ * Feed `data` into the active Poly1305 accumulator via the WASM message buffer.
+ * No-op when `data` is empty.
+ * @param x     ChaCha20 WASM exports
+ * @param data  Bytes to absorb
+ * @internal
+ */
 function polyFeed(x, data) {
     if (data.length === 0)
         return;
@@ -19,11 +26,19 @@ function polyFeed(x, data) {
         pos += chunk;
     }
 }
+/**
+ * Build the 16-byte Poly1305 length footer from AAD and ciphertext lengths.
+ * Both lengths are encoded as 64-bit little-endian integers (RFC 8439 §2.8).
+ * @param aadLen  AAD byte length
+ * @param ctLen   Ciphertext byte length
+ * @returns       16-byte length block
+ * @internal
+ */
 function lenBlock(aadLen, ctLen) {
     const b = new Uint8Array(16);
     const dv = new DataView(b.buffer);
-    // RFC 8439 §2.8 — 64-bit LE lengths.
-    // JS numbers are f64 — write low 32 bits directly, high bits via
+    // RFC 8439 §2.8, 64-bit LE lengths.
+    // JS numbers are f64, write low 32 bits directly, high bits via
     // Math.floor(n / 2^32). Safe for n ≤ Number.MAX_SAFE_INTEGER.
     dv.setUint32(0, aadLen >>> 0, true);
     dv.setUint32(4, Math.floor(aadLen / 0x100000000) >>> 0, true);
@@ -31,12 +46,20 @@ function lenBlock(aadLen, ctLen) {
     dv.setUint32(12, Math.floor(ctLen / 0x100000000) >>> 0, true);
     return b;
 }
-// ── Inner AEAD (12-byte nonce) ───────────────────────────────────────────────
-/** ChaCha20-Poly1305 AEAD encrypt (RFC 8439 §2.8). */
+// ── Inner AEAD (12-byte nonce) ──────────────────────────────────────────────
+/**
+ * ChaCha20-Poly1305 AEAD encrypt (RFC 8439 §2.8).
+ * @param x          ChaCha20 WASM exports
+ * @param key        32-byte key
+ * @param nonce      12-byte nonce, must be unique per (key, message)
+ * @param plaintext  Data to encrypt (must be ≤ WASM CHUNK_SIZE)
+ * @param aad        Additional authenticated data
+ * @returns          `{ ciphertext, tag }`, tag is 16 bytes
+ */
 export function aeadEncrypt(x, key, nonce, plaintext, aad) {
     const maxChunk = x.getChunkSize();
     if (plaintext.length > maxChunk)
-        throw new RangeError(`plaintext exceeds ${maxChunk} bytes — split into smaller chunks`);
+        throw new RangeError(`plaintext exceeds ${maxChunk} bytes, split into smaller chunks`);
     const mem = new Uint8Array(x.memory.buffer);
     // Step 1: Generate Poly1305 one-time key at counter=0 (RFC 8439 §2.6)
     mem.set(key, x.getKeyOffset());
@@ -50,9 +73,8 @@ export function aeadEncrypt(x, key, nonce, plaintext, aad) {
     const aadPad = (16 - aad.length % 16) % 16;
     if (aadPad > 0)
         polyFeed(x, new Uint8Array(aadPad));
-    // Step 4: Re-init ChaCha20 at counter=1
+    // Step 4: counter=1 (state intact from chachaGenPolyKey; no reload needed).
     x.chachaSetCounter(1);
-    x.chachaLoadKey();
     // Step 5: Encrypt
     mem.set(plaintext, x.getChunkPtOffset());
     x.chachaEncryptChunk_simd(plaintext.length);
@@ -71,11 +93,22 @@ export function aeadEncrypt(x, key, nonce, plaintext, aad) {
     const tag = new Uint8Array(x.memory.buffer).slice(tagOff, tagOff + 16);
     return { ciphertext, tag };
 }
-/** ChaCha20-Poly1305 AEAD decrypt (RFC 8439 §2.8). Constant-time tag comparison. */
+/**
+ * ChaCha20-Poly1305 AEAD decrypt with constant-time tag comparison (RFC 8439 §2.8).
+ * Throws `AuthenticationError` on tag mismatch; never returns plaintext on failure.
+ * @param x           ChaCha20 WASM exports
+ * @param key         32-byte key
+ * @param nonce       12-byte nonce, must match the value used to encrypt
+ * @param ciphertext  Ciphertext bytes (must be ≤ WASM CHUNK_SIZE)
+ * @param tag         16-byte Poly1305 tag
+ * @param aad         Additional authenticated data
+ * @param cipherName  Error label for `AuthenticationError` (default 'chacha20-poly1305')
+ * @returns           Plaintext
+ */
 export function aeadDecrypt(x, key, nonce, ciphertext, tag, aad, cipherName = 'chacha20-poly1305') {
     const maxChunk = x.getChunkSize();
     if (ciphertext.length > maxChunk)
-        throw new RangeError(`ciphertext exceeds ${maxChunk} bytes — split into smaller chunks`);
+        throw new RangeError(`ciphertext exceeds ${maxChunk} bytes, split into smaller chunks`);
     const mem = new Uint8Array(x.memory.buffer);
     // Compute expected tag
     mem.set(key, x.getKeyOffset());
@@ -97,9 +130,14 @@ export function aeadDecrypt(x, key, nonce, ciphertext, tag, aad, cipherName = 'c
     const tagOff = x.getPolyTagOffset();
     const expectedTag = new Uint8Array(x.memory.buffer).slice(tagOff, tagOff + 16);
     if (!constantTimeEqual(expectedTag, tag)) {
-        // Wipe the full chunk output buffer — defense-in-depth before throwing
+        // Defense-in-depth wipe on auth fail: chunk ct, chacha block (keystream),
+        // Poly1305 one-time subkey copy at POLY_KEY_OFFSET.
         const ctOff = x.getChunkCtOffset();
         mem.fill(0, ctOff, ctOff + maxChunk);
+        const blockOff = x.getChachaBlockOffset();
+        mem.fill(0, blockOff, blockOff + 64);
+        const polyKeyOff = x.getPolyKeyOffset();
+        mem.fill(0, polyKeyOff, polyKeyOff + 32);
         throw new AuthenticationError(cipherName);
     }
     // Decrypt only after authentication succeeds
@@ -110,8 +148,15 @@ export function aeadDecrypt(x, key, nonce, ciphertext, tag, aad, cipherName = 'c
     const ptOff = x.getChunkCtOffset();
     return new Uint8Array(x.memory.buffer).slice(ptOff, ptOff + ciphertext.length);
 }
-// ── XChaCha20 helpers ────────────────────────────────────────────────────────
-/** HChaCha20 subkey derivation — first 16 bytes of nonce. */
+// ── XChaCha20 helpers ───────────────────────────────────────────────────────
+/**
+ * Derive a 32-byte HChaCha20 subkey from `key` and the first 16 bytes of `nonce`.
+ * Used as the inner key for XChaCha20-Poly1305 (draft-irtf-cfrg-xchacha §2.3).
+ * @param x      ChaCha20 WASM exports
+ * @param key    32-byte master key
+ * @param nonce  24-byte XChaCha20 nonce (only bytes 0-15 are used)
+ * @returns      32-byte HChaCha20 subkey
+ */
 export function deriveSubkey(x, key, nonce) {
     const mem = new Uint8Array(x.memory.buffer);
     mem.set(key, x.getKeyOffset());
@@ -120,28 +165,63 @@ export function deriveSubkey(x, key, nonce) {
     const off = x.getXChaChaSubkeyOffset();
     return new Uint8Array(x.memory.buffer).slice(off, off + 32);
 }
-/** Build inner 12-byte nonce from bytes 16–23 of XChaCha nonce. */
+/**
+ * Build the inner 12-byte ChaCha20 nonce for XChaCha20 from bytes 16-23 of the
+ * 24-byte XChaCha nonce (draft-irtf-cfrg-xchacha §2.3).
+ * @param nonce  24-byte XChaCha20 nonce
+ * @returns      12-byte inner nonce (bytes 0-3 are zero, bytes 4-11 are nonce[16:24])
+ */
 export function innerNonce(nonce) {
     const n = new Uint8Array(12);
     n.set(nonce.subarray(16, 24), 4);
     return n;
 }
-// ── Full XChaCha20-Poly1305 ──────────────────────────────────────────────────
-/** XChaCha20-Poly1305 encrypt → ciphertext || tag. */
+// ── Full XChaCha20-Poly1305 ─────────────────────────────────────────────────
+/**
+ * XChaCha20-Poly1305 encrypt (draft-irtf-cfrg-xchacha).
+ * Derives HChaCha20 subkey from `key` + nonce[0:16], then runs
+ * ChaCha20-Poly1305 with a 12-byte inner nonce (nonce[16:24]).
+ * @param x          ChaCha20 WASM exports
+ * @param key        32-byte key
+ * @param nonce      24-byte nonce
+ * @param plaintext  Data to encrypt
+ * @param aad        Additional authenticated data
+ * @returns          Ciphertext || 16-byte Poly1305 tag
+ */
 export function xcEncrypt(x, key, nonce, plaintext, aad) {
     const subkey = deriveSubkey(x, key, nonce);
-    const inner = innerNonce(nonce);
-    const { ciphertext, tag } = aeadEncrypt(x, subkey, inner, plaintext, aad);
-    const result = new Uint8Array(ciphertext.length + 16);
-    result.set(ciphertext);
-    result.set(tag, ciphertext.length);
-    return result;
+    try {
+        const inner = innerNonce(nonce);
+        const { ciphertext, tag } = aeadEncrypt(x, subkey, inner, plaintext, aad);
+        const result = new Uint8Array(ciphertext.length + 16);
+        result.set(ciphertext);
+        result.set(tag, ciphertext.length);
+        return result;
+    }
+    finally {
+        wipe(subkey);
+    }
 }
-/** XChaCha20-Poly1305 decrypt → plaintext (throws on auth failure). */
+/**
+ * XChaCha20-Poly1305 decrypt (draft-irtf-cfrg-xchacha).
+ * Derives HChaCha20 subkey, verifies the Poly1305 tag, then decrypts.
+ * Throws `AuthenticationError` on tag mismatch.
+ * @param x           ChaCha20 WASM exports
+ * @param key         32-byte key
+ * @param nonce       24-byte nonce, must match the value used to encrypt
+ * @param ciphertext  Ciphertext || 16-byte tag (combined format from `xcEncrypt`)
+ * @param aad         Additional authenticated data
+ * @returns           Plaintext
+ */
 export function xcDecrypt(x, key, nonce, ciphertext, aad) {
     const ct = ciphertext.subarray(0, ciphertext.length - 16);
     const tag = ciphertext.subarray(ciphertext.length - 16);
     const subkey = deriveSubkey(x, key, nonce);
-    const inner = innerNonce(nonce);
-    return aeadDecrypt(x, subkey, inner, ct, tag, aad, 'xchacha20-poly1305');
+    try {
+        const inner = innerNonce(nonce);
+        return aeadDecrypt(x, subkey, inner, ct, tag, aad, 'xchacha20-poly1305');
+    }
+    finally {
+        wipe(subkey);
+    }
 }

package/dist/chacha20/pool-worker.js CHANGED Viewed

@@ -8,6 +8,17 @@ import { aeadEncrypt, aeadDecrypt } from './ops.js';
 import { AuthenticationError } from '../errors.js';
 let x;
 let subkey;
+/**
+ * Message handler for the XChaCha20 pool worker.
+ *
+ * Accepts three message types:
+ * - `'init'` , instantiate the chacha20 WASM module and store the derived subkey
+ * - `'wipe'` , zero subkey and WASM buffers, then post `{ type: 'wiped' }`
+ * - `{ op: 'seal' | 'open', ... }`, encrypt or decrypt one chunk
+ *
+ * Replies with `{ type: 'result', id, data }` on success or
+ * `{ type: 'error', id, message, isAuthError }` on failure.
+ */
 self.onmessage = async (e) => {
     const msg = e.data;
     if (msg.type === 'init') {
@@ -23,6 +34,8 @@ self.onmessage = async (e) => {
             self.postMessage({ type: 'ready' });
         }
         catch (err) {
+            if (msg.derivedKeyBytes)
+                msg.derivedKeyBytes.fill(0);
             self.postMessage({ type: 'error', id: -1, message: err.message, isAuthError: false });
         }
         return;
@@ -34,6 +47,7 @@ self.onmessage = async (e) => {
         if (x)
             x.wipeBuffers();
         x = undefined;
+        self.postMessage({ type: 'wiped' });
         return;
     }
     if (!x || !subkey) {

package/dist/chacha20/types.d.ts CHANGED Viewed

@@ -1,32 +1 @@
-/** WASM exports for the chacha module */
-export interface ChaChaExports {
-    memory: WebAssembly.Memory;
-    getModuleId(): number;
-    getKeyOffset(): number;
-    getChachaNonceOffset(): number;
-    getChachaCtrOffset(): number;
-    getChachaBlockOffset(): number;
-    getChachaStateOffset(): number;
-    getChunkPtOffset(): number;
-    getChunkCtOffset(): number;
-    getChunkSize(): number;
-    getPolyKeyOffset(): number;
-    getPolyMsgOffset(): number;
-    getPolyTagOffset(): number;
-    getPolyBufLenOffset(): number;
-    getXChaChaNonceOffset(): number;
-    getXChaChaSubkeyOffset(): number;
-    chachaLoadKey(): void;
-    chachaSetCounter(n: number): void;
-    chachaResetCounter(): void;
-    chachaEncryptChunk(n: number): number;
-    chachaDecryptChunk(n: number): number;
-    chachaEncryptChunk_simd(n: number): number;
-    chachaDecryptChunk_simd(n: number): number;
-    chachaGenPolyKey(): void;
-    hchacha20(): void;
-    polyInit(): void;
-    polyUpdate(n: number): void;
-    polyFinal(): void;
-    wipeBuffers(): void;
-}
+export {};

package/dist/cte-wasm.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare const CTE_WASM: Uint8Array<ArrayBuffer>;

package/dist/cte-wasm.js ADDED Viewed

@@ -0,0 +1,3 @@
+// auto-generated, do not edit
+// raw WASM bytes for constant-time equality comparison module
+export const CTE_WASM = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 8, 1, 96, 3, 127, 127, 127, 1, 127, 3, 2, 1, 0, 5, 4, 1, 1, 1, 1, 7, 20, 2, 7, 99, 111, 109, 112, 97, 114, 101, 0, 0, 6, 109, 101, 109, 111, 114, 121, 2, 0, 10, 133, 1, 1, 130, 1, 3, 2, 127, 1, 126, 1, 123, 3, 64, 32, 3, 65, 16, 106, 34, 4, 32, 2, 76, 4, 64, 32, 6, 32, 0, 32, 3, 106, 253, 0, 4, 0, 32, 1, 32, 3, 106, 253, 0, 4, 0, 253, 81, 253, 80, 33, 6, 32, 4, 33, 3, 12, 1, 11, 11, 3, 64, 32, 2, 32, 3, 74, 4, 64, 32, 5, 32, 0, 32, 3, 106, 49, 0, 0, 32, 1, 32, 3, 106, 49, 0, 0, 133, 132, 33, 5, 32, 3, 65, 1, 106, 33, 3, 12, 1, 11, 11, 66, 0, 32, 5, 32, 6, 253, 29, 0, 32, 6, 253, 29, 1, 132, 132, 34, 5, 125, 32, 5, 132, 66, 63, 135, 66, 127, 133, 167, 65, 1, 113, 11]);

package/dist/cte.wasm ADDED Viewed

Binary file

package/dist/curve25519.wasm ADDED Viewed

Binary file

package/dist/ecdsa/der.d.ts ADDED Viewed

@@ -0,0 +1,23 @@
+/**
+ * Convert a 64-byte raw r || s signature to DER per RFC 3279 §2.2.3.
+ * Output length is variable: 8 bytes minimum (r = s = 1 byte each, no
+ * sign-pad), 72 bytes maximum (both components 32 bytes with high bit
+ * set, each picking up a 0x00 sign-pad).
+ *
+ * @throws TypeError if `sig` is not a Uint8Array
+ * @throws RangeError if `sig.length !== 64`
+ */
+export declare function ecdsaSignatureToDer(sig: Uint8Array): Uint8Array;
+/**
+ * Convert a DER ECDSA-P256 signature to 64-byte raw r || s. Rejects
+ * any DER syntax violation via SigningError('sig-malformed-input'):
+ * see the file-level header for the rejection rules.
+ *
+ * Semantic value rejections (r = 0, s = 0, high-s, off-range) are
+ * deferred to the WASM verify path; this function only enforces DER
+ * structure.
+ *
+ * @throws TypeError if `der` is not a Uint8Array
+ * @throws SigningError('sig-malformed-input') on any DER syntax error
+ */
+export declare function ecdsaSignatureFromDer(der: Uint8Array): Uint8Array;

package/dist/ecdsa/der.js ADDED Viewed

@@ -0,0 +1,192 @@
+//                  ▄▄▄▄▄▄▄▄▄▄
+//           ▄████████████████████▄▄          ▒  ▄▀▀ ▒ ▒ █ ▄▀▄ ▀█▀ █ ▒ ▄▀▄ █▀▄
+//        ▄██████████████████████ ▀████▄      ▓  ▓▀  ▓ ▓ ▓ ▓▄▓  ▓  ▓▀▓ ▓▄▓ ▓ ▓
+//      ▄█████████▀▀▀     ▀███████▄▄███████▌  ▀▄ ▀▄▄ ▀▄▀ ▒ ▒ ▒  ▒  ▒ █ ▒ ▒ ▒ █
+//     ▐████████▀   ▄▄▄▄     ▀████████▀██▀█▌
+//     ████████      ███▀▀     ████▀  █▀ █▀       Leviathan Crypto Library
+//     ███████▌    ▀██▀         ███
+//      ███████   ▀███           ▀██ ▀█▄      Repository & Mirror:
+//       ▀██████   ▄▄██            ▀▀  ██▄    github.com/xero/leviathan-crypto
+//         ▀█████▄   ▄██▄             ▄▀▄▀    unpkg.com/leviathan-crypto
+//            ▀████▄   ▄██▄
+//              ▐████   ▐███                  Author: xero (https://x-e.ro)
+//       ▄▄██████████    ▐███         ▄▄      License: MIT
+//    ▄██▀▀▀▀▀▀▀▀▀▀     ▄████      ▄██▀
+//  ▄▀  ▄▄█████████▄▄  ▀▀▀▀▀     ▄███         This file is provided completely
+//   ▄██████▀▀▀▀▀▀██████▄ ▀▄▄▄▄████▀          free, "as is", and without
+//  ████▀    ▄▄▄▄▄▄▄ ▀████▄ ▀█████▀  ▄▄▄▄     warranty of any kind. The author
+//  █████▄▄█████▀▀▀▀▀▀▄ ▀███▄      ▄████      assumes absolutely no liability
+//   ▀██████▀             ▀████▄▄▄████▀       for its {ab,mis,}use.
+//                           ▀█████▀▀
+//
+// src/ts/ecdsa/der.ts
+//
+// ECDSA signature DER ↔ raw r||s conversion utility, RFC 3279 §2.2.3,
+// ECDSA Signature Algorithm.
+//
+//   Ecdsa-Sig-Value ::= SEQUENCE {
+//       r  INTEGER,
+//       s  INTEGER
+//   }
+//
+// The library's WASM ABI consumes and produces raw 64-byte r || s
+// signatures. DER is a side utility for callers who need X.509 / JWS /
+// TLS interop. The encoder / decoder is hand-rolled against X.690 §8.3
+// (INTEGER) and §8.9 (SEQUENCE); leviathan-crypto is zero-dependency
+// so no external ASN.1 parser is used.
+//
+// Strict DER (not BER). The decoder rejects:
+//   - non-minimal length encodings (long-form length when short-form
+//     would suffice; X.690 §10.1, definite-length encoding)
+//   - excess leading-zero bytes inside INTEGER content (X.690 §8.3.2)
+//   - negative INTEGERs (sign bit set on the leading content octet
+//     without a 0x00 sign-pad; ECDSA r, s ∈ [1, n-1] are positive)
+//   - INTEGER content longer than 33 bytes (32-byte BE scalar plus an
+//     optional 0x00 sign-pad)
+//   - trailing bytes after the outer SEQUENCE
+//   - wrong tags (outer 0x30 SEQUENCE, inner 0x02 INTEGER)
+//
+// The from-DER path never throws on a semantic value problem
+// (r = 0, s = 0, high-s, off-range); those are verify-time rejections
+// in the WASM. Only DER syntax violations throw.
+import { SigningError } from '../errors.js';
+const SEQUENCE_TAG = 0x30;
+const INTEGER_TAG = 0x02;
+function reject(detail) {
+    throw new SigningError('sig-malformed-input', `leviathan-crypto: ecdsa-p256 DER signature ${detail}`);
+}
+/**
+ * Encode a positive 32-byte BE scalar (r or s component) as a DER
+ * INTEGER TLV. Strips leading zero bytes to the minimal encoding per
+ * X.690 §8.3.2, then prepends a single 0x00 if the high bit of the
+ * resulting first content byte is set, so the INTEGER remains positive.
+ *
+ * The component length is at most 33 bytes (32-byte scalar + optional
+ * sign-pad), so the DER length octet always fits in short-form.
+ */
+function encodeInteger(scalarBE) {
+    let start = 0;
+    while (start < scalarBE.length - 1 && scalarBE[start] === 0)
+        start++;
+    const stripped = scalarBE.subarray(start);
+    const needsPad = (stripped[0] & 0x80) !== 0;
+    const contentLen = stripped.length + (needsPad ? 1 : 0);
+    const out = new Uint8Array(2 + contentLen);
+    out[0] = INTEGER_TAG;
+    out[1] = contentLen;
+    if (needsPad) {
+        out[2] = 0;
+        out.set(stripped, 3);
+    }
+    else {
+        out.set(stripped, 2);
+    }
+    return out;
+}
+/**
+ * Decode one DER INTEGER TLV starting at `start`. Returns the strict-DER
+ * minimal content bytes (with any leading 0x00 sign-pad stripped) and
+ * the offset immediately past the INTEGER. Throws SigningError on any
+ * DER syntax violation.
+ */
+function decodeInteger(der, start) {
+    if (start + 2 > der.length)
+        reject(`has a truncated INTEGER header at offset ${start}`);
+    if (der[start] !== INTEGER_TAG)
+        reject(`INTEGER tag at offset ${start} is 0x${der[start].toString(16).padStart(2, '0')}, expected 0x02`);
+    const lenByte = der[start + 1];
+    // Strict DER: ECDSA-P256 INTEGER content is at most 33 bytes, so the
+    // length octet is always short-form (high bit clear, value 1..127).
+    if (lenByte & 0x80)
+        reject(`INTEGER at offset ${start} uses long-form length encoding (forbidden for content < 128 bytes)`);
+    // Zero-length INTEGER content has no representable value; ASN.1
+    // requires at least one content octet (X.690 §8.3.1).
+    if (lenByte === 0)
+        reject(`INTEGER at offset ${start} has zero-length content`);
+    const contentStart = start + 2;
+    const contentEnd = contentStart + lenByte;
+    if (contentEnd > der.length)
+        reject(`INTEGER at offset ${start} extends past the outer SEQUENCE end`);
+    const content = der.subarray(contentStart, contentEnd);
+    // Minimal encoding: a leading 0x00 octet is permitted only when the
+    // next byte's high bit is set (sign-pad). Otherwise the 0x00 is
+    // excess per X.690 §8.3.2.
+    if (content[0] === 0x00 && content.length > 1 && (content[1] & 0x80) === 0)
+        reject(`INTEGER at offset ${start} has excess leading zero byte (non-minimal DER)`);
+    // ECDSA r, s ∈ [1, n-1] are positive integers. A first content
+    // octet with the high bit set means the ASN.1 INTEGER decodes as a
+    // negative two's-complement value; reject.
+    if ((content[0] & 0x80) !== 0)
+        reject(`INTEGER at offset ${start} is negative (high bit set on first content byte); ECDSA r, s are positive`);
+    const value = (content[0] === 0x00) ? content.subarray(1) : content;
+    return { value, next: contentEnd };
+}
+/**
+ * Convert a 64-byte raw r || s signature to DER per RFC 3279 §2.2.3.
+ * Output length is variable: 8 bytes minimum (r = s = 1 byte each, no
+ * sign-pad), 72 bytes maximum (both components 32 bytes with high bit
+ * set, each picking up a 0x00 sign-pad).
+ *
+ * @throws TypeError if `sig` is not a Uint8Array
+ * @throws RangeError if `sig.length !== 64`
+ */
+export function ecdsaSignatureToDer(sig) {
+    if (!(sig instanceof Uint8Array))
+        throw new TypeError('leviathan-crypto: ecdsa-p256 raw signature must be a Uint8Array');
+    if (sig.length !== 64)
+        throw new RangeError(`leviathan-crypto: ecdsa-p256 raw signature must be 64 bytes r||s (got ${sig.length})`);
+    const r = encodeInteger(sig.subarray(0, 32));
+    const s = encodeInteger(sig.subarray(32, 64));
+    const contentLen = r.length + s.length;
+    // SEQUENCE content is at most 2 * 35 = 70 bytes, so the SEQUENCE
+    // length octet is always short-form.
+    const out = new Uint8Array(2 + contentLen);
+    out[0] = SEQUENCE_TAG;
+    out[1] = contentLen;
+    out.set(r, 2);
+    out.set(s, 2 + r.length);
+    return out;
+}
+/**
+ * Convert a DER ECDSA-P256 signature to 64-byte raw r || s. Rejects
+ * any DER syntax violation via SigningError('sig-malformed-input'):
+ * see the file-level header for the rejection rules.
+ *
+ * Semantic value rejections (r = 0, s = 0, high-s, off-range) are
+ * deferred to the WASM verify path; this function only enforces DER
+ * structure.
+ *
+ * @throws TypeError if `der` is not a Uint8Array
+ * @throws SigningError('sig-malformed-input') on any DER syntax error
+ */
+export function ecdsaSignatureFromDer(der) {
+    if (!(der instanceof Uint8Array))
+        throw new TypeError('leviathan-crypto: ecdsa-p256 DER signature must be a Uint8Array');
+    // 8 bytes is the absolute minimum: SEQUENCE(2) + INTEGER(0x01 0x01)
+    // + INTEGER(0x01 0x01) = 8. Anything shorter cannot represent two
+    // non-empty INTEGER components.
+    if (der.length < 8)
+        reject(`is shorter than the 8-byte minimum (got ${der.length} bytes)`);
+    if (der[0] !== SEQUENCE_TAG)
+        reject(`outer tag is 0x${der[0].toString(16).padStart(2, '0')}, expected 0x30 (SEQUENCE)`);
+    const seqLen = der[1];
+    // ECDSA-P256 SEQUENCE content is at most 70 bytes; strict DER
+    // requires short-form length encoding when < 128.
+    if (seqLen & 0x80)
+        reject('uses long-form length encoding for the outer SEQUENCE (forbidden for content < 128 bytes)');
+    if (2 + seqLen !== der.length)
+        reject(`outer SEQUENCE length ${seqLen} does not match input size (${der.length} bytes total)`);
+    const { value: r, next: afterR } = decodeInteger(der, 2);
+    const { value: s, next: end } = decodeInteger(der, afterR);
+    if (end !== der.length)
+        reject('has trailing bytes after the second INTEGER');
+    // Each component must fit in 32 bytes BE (P-256 scalar size).
+    if (r.length > 32)
+        reject(`r component is ${r.length} bytes, exceeds the 32-byte scalar size`);
+    if (s.length > 32)
+        reject(`s component is ${s.length} bytes, exceeds the 32-byte scalar size`);
+    const out = new Uint8Array(64);
+    out.set(r, 32 - r.length);
+    out.set(s, 64 - s.length);
+    return out;
+}

package/dist/ecdsa/ecprivatekey-der.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * Encode a 32-byte P-256 secret scalar as DER `ECPrivateKey` per
+ * RFC 5915 §3. Output length is exactly 51 bytes; version is 1, the
+ * named-curve OID for secp256r1 (`1.2.840.10045.3.1.7`,
+ * SP 800-186 §3.2.1.3) is included in `parameters [0]`, and the
+ * `publicKey [1]` field is omitted.
+ *
+ * Byte-stable: same input scalar produces byte-identical output. No
+ * canonicalisation pass needed because every field has a single legal
+ * DER encoding under the strict-DER rules of X.690 §10.
+ *
+ * @throws TypeError if `scalar` is not a Uint8Array
+ * @throws RangeError if `scalar.length !== 32`
+ */
+export declare function encodeEcPrivateKey(scalar: Uint8Array): Uint8Array;
+/**
+ * Decode a DER `ECPrivateKey` (RFC 5915 §3) and return the 32-byte
+ * raw P-256 secret scalar.
+ *
+ * Strict-DER per X.690 §10 (Restrictions on the BER). Rejects the
+ * cases enumerated in the file-level header. Accepts (and ignores)
+ * an optional `publicKey [1]` field per RFC 5915 §3 lenient input;
+ * the scalar is the only return value.
+ *
+ * Any curve OID inside `parameters [0]` other than secp256r1
+ * (`1.2.840.10045.3.1.7`) is rejected. Decoders that need other
+ * curves must use a different parser; this library is P-256 only.
+ *
+ * @throws TypeError if `der` is not a Uint8Array
+ * @throws Error on any DER syntax violation or unsupported parameter
+ */
+export declare function decodeEcPrivateKey(der: Uint8Array): Uint8Array;