react-native-ble-mesh 1.1.1 → 2.0.0

package/src/crypto/aead.js

@@ -1,189 +0,0 @@
-/**
- * @fileoverview ChaCha20-Poly1305 AEAD implementation (RFC 8439)
- * @module crypto/aead
- */
-
-'use strict';
-
-const { chacha20 } = require('./chacha20');
-const { poly1305 } = require('./poly1305');
-
-/**
- * Generates Poly1305 key using ChaCha20 with counter=0
- * @param {Uint8Array} key - 32-byte encryption key
- * @param {Uint8Array} nonce - 12-byte nonce
- * @returns {Uint8Array} 32-byte Poly1305 key
- */
-function generatePolyKey(key, nonce) {
-  const zeros = new Uint8Array(64);
-  const block = chacha20(key, nonce, 0, zeros);
-  return block.subarray(0, 32);
-}
-
-/**
- * Pads data to 16-byte boundary with zeros
- * @param {number} length - Current data length
- * @returns {Uint8Array} Padding bytes (0-15 bytes)
- */
-function pad16(length) {
-  const remainder = length % 16;
-  if (remainder === 0) {
-    return new Uint8Array(0);
-  }
-  return new Uint8Array(16 - remainder);
-}
-
-/**
- * Encodes a 64-bit little-endian integer
- * @param {number} value - Value to encode
- * @returns {Uint8Array} 8-byte little-endian representation
- */
-function encode64LE(value) {
-  const bytes = new Uint8Array(8);
-  const view = new DataView(bytes.buffer);
-  // JavaScript numbers are 64-bit floats, safe for values up to 2^53-1
-  view.setUint32(0, value >>> 0, true);
-  view.setUint32(4, Math.floor(value / 0x100000000) >>> 0, true);
-  return bytes;
-}
-
-/**
- * Constructs Poly1305 MAC input per RFC 8439
- * @param {Uint8Array} aad - Additional authenticated data
- * @param {Uint8Array} ciphertext - Ciphertext
- * @returns {Uint8Array} MAC input
- */
-function constructMacData(aad, ciphertext) {
-  const aadPad = pad16(aad.length);
-  const ctPad = pad16(ciphertext.length);
-  const aadLen = encode64LE(aad.length);
-  const ctLen = encode64LE(ciphertext.length);
-
-  const totalLen = aad.length + aadPad.length + ciphertext.length +
-                   ctPad.length + 8 + 8;
-  const data = new Uint8Array(totalLen);
-
-  let offset = 0;
-  data.set(aad, offset);
-  offset += aad.length;
-  data.set(aadPad, offset);
-  offset += aadPad.length;
-  data.set(ciphertext, offset);
-  offset += ciphertext.length;
-  data.set(ctPad, offset);
-  offset += ctPad.length;
-  data.set(aadLen, offset);
-  offset += 8;
-  data.set(ctLen, offset);
-
-  return data;
-}
-
-/**
- * Constant-time comparison of two byte arrays
- * @param {Uint8Array} a - First array
- * @param {Uint8Array} b - Second array
- * @returns {boolean} True if arrays are equal
- */
-function constantTimeEqual(a, b) {
-  if (a.length !== b.length) {
-    return false;
-  }
-  let diff = 0;
-  for (let i = 0; i < a.length; i++) {
-    diff |= a[i] ^ b[i];
-  }
-  return diff === 0;
-}
-
-/**
- * Encrypts and authenticates data using ChaCha20-Poly1305 AEAD
- * @param {Uint8Array} key - 32-byte encryption key
- * @param {Uint8Array} nonce - 12-byte nonce (must be unique per key)
- * @param {Uint8Array} plaintext - Data to encrypt
- * @param {Uint8Array} [aad] - Additional authenticated data (optional)
- * @returns {Uint8Array} Ciphertext with appended 16-byte authentication tag
- * @throws {Error} If key is not 32 bytes or nonce is not 12 bytes
- */
-function encrypt(key, nonce, plaintext, aad = new Uint8Array(0)) {
-  if (!(key instanceof Uint8Array) || key.length !== 32) {
-    throw new Error('Key must be 32 bytes');
-  }
-  if (!(nonce instanceof Uint8Array) || nonce.length !== 12) {
-    throw new Error('Nonce must be 12 bytes');
-  }
-  if (!(plaintext instanceof Uint8Array)) {
-    throw new Error('Plaintext must be a Uint8Array');
-  }
-  if (!(aad instanceof Uint8Array)) {
-    throw new Error('AAD must be a Uint8Array');
-  }
-
-  // Generate Poly1305 key
-  const polyKey = generatePolyKey(key, nonce);
-
-  // Encrypt plaintext with counter starting at 1
-  const ciphertext = chacha20(key, nonce, 1, plaintext);
-
-  // Compute MAC
-  const macData = constructMacData(aad, ciphertext);
-  const tag = poly1305(polyKey, macData);
-
-  // Concatenate ciphertext and tag
-  const result = new Uint8Array(ciphertext.length + 16);
-  result.set(ciphertext);
-  result.set(tag, ciphertext.length);
-
-  return result;
-}
-
-/**
- * Decrypts and verifies data using ChaCha20-Poly1305 AEAD
- * @param {Uint8Array} key - 32-byte encryption key
- * @param {Uint8Array} nonce - 12-byte nonce
- * @param {Uint8Array} ciphertext - Ciphertext with 16-byte authentication tag
- * @param {Uint8Array} [aad] - Additional authenticated data (optional)
- * @returns {Uint8Array|null} Decrypted plaintext, or null if authentication fails
- * @throws {Error} If key is not 32 bytes, nonce is not 12 bytes, or ciphertext too short
- */
-function decrypt(key, nonce, ciphertext, aad = new Uint8Array(0)) {
-  if (!(key instanceof Uint8Array) || key.length !== 32) {
-    throw new Error('Key must be 32 bytes');
-  }
-  if (!(nonce instanceof Uint8Array) || nonce.length !== 12) {
-    throw new Error('Nonce must be 12 bytes');
-  }
-  if (!(ciphertext instanceof Uint8Array)) {
-    throw new Error('Ciphertext must be a Uint8Array');
-  }
-  if (ciphertext.length < 16) {
-    throw new Error('Ciphertext must be at least 16 bytes (tag size)');
-  }
-  if (!(aad instanceof Uint8Array)) {
-    throw new Error('AAD must be a Uint8Array');
-  }
-
-  // Split ciphertext and tag
-  const ct = ciphertext.subarray(0, ciphertext.length - 16);
-  const receivedTag = ciphertext.subarray(ciphertext.length - 16);
-
-  // Generate Poly1305 key
-  const polyKey = generatePolyKey(key, nonce);
-
-  // Compute expected MAC
-  const macData = constructMacData(aad, ct);
-  const expectedTag = poly1305(polyKey, macData);
-
-  // Verify tag using constant-time comparison
-  if (!constantTimeEqual(receivedTag, expectedTag)) {
-    return null;
-  }
-
-  // Decrypt ciphertext with counter starting at 1
-  return chacha20(key, nonce, 1, ct);
-}
-
-module.exports = {
-  encrypt,
-  decrypt
-};

package/src/crypto/chacha20.js

@@ -1,181 +0,0 @@
-/**
- * @fileoverview ChaCha20 stream cipher implementation (RFC 8439)
- * @module crypto/chacha20
- */
-
-'use strict';
-
-/**
- * ChaCha20 constants: "expand 32-byte k" in ASCII
- * @constant {Uint32Array}
- */
-const CONSTANTS = new Uint32Array([0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]);
-
-/**
- * Performs left rotation on a 32-bit unsigned integer
- * @param {number} v - Value to rotate
- * @param {number} c - Number of bits to rotate
- * @returns {number} Rotated value
- */
-function rotl32(v, c) {
-  return ((v << c) | (v >>> (32 - c))) >>> 0;
-}
-
-/**
- * ChaCha20 quarter round operation
- * Modifies state array in place
- * @param {Uint32Array} state - 16-element state array
- * @param {number} a - Index a
- * @param {number} b - Index b
- * @param {number} c - Index c
- * @param {number} d - Index d
- */
-function quarterRound(state, a, b, c, d) {
-  state[a] = (state[a] + state[b]) >>> 0;
-  state[d] = rotl32(state[d] ^ state[a], 16);
-
-  state[c] = (state[c] + state[d]) >>> 0;
-  state[b] = rotl32(state[b] ^ state[c], 12);
-
-  state[a] = (state[a] + state[b]) >>> 0;
-  state[d] = rotl32(state[d] ^ state[a], 8);
-
-  state[c] = (state[c] + state[d]) >>> 0;
-  state[b] = rotl32(state[b] ^ state[c], 7);
-}
-
-/**
- * Creates initial ChaCha20 state from key, counter, and nonce
- * @param {Uint8Array} key - 32-byte key
- * @param {number} counter - 32-bit block counter
- * @param {Uint8Array} nonce - 12-byte nonce
- * @returns {Uint32Array} Initial state (16 x 32-bit words)
- */
-function createState(key, counter, nonce) {
-  const state = new Uint32Array(16);
-  const keyView = new DataView(key.buffer, key.byteOffset, key.byteLength);
-  const nonceView = new DataView(nonce.buffer, nonce.byteOffset, nonce.byteLength);
-
-  // Constants
-  state[0] = CONSTANTS[0];
-  state[1] = CONSTANTS[1];
-  state[2] = CONSTANTS[2];
-  state[3] = CONSTANTS[3];
-
-  // Key (little-endian)
-  for (let i = 0; i < 8; i++) {
-    state[4 + i] = keyView.getUint32(i * 4, true);
-  }
-
-  // Counter
-  state[12] = counter >>> 0;
-
-  // Nonce (little-endian)
-  for (let i = 0; i < 3; i++) {
-    state[13 + i] = nonceView.getUint32(i * 4, true);
-  }
-
-  return state;
-}
-
-/**
- * Computes a single ChaCha20 block
- * @param {Uint32Array} state - 16-element initial state
- * @returns {Uint32Array} 16-element output state
- */
-function chacha20Block(state) {
-  if (!(state instanceof Uint32Array) || state.length !== 16) {
-    throw new Error('State must be a 16-element Uint32Array');
-  }
-
-  const working = new Uint32Array(state);
-
-  // 20 rounds = 10 double rounds
-  for (let i = 0; i < 10; i++) {
-    // Column rounds
-    quarterRound(working, 0, 4, 8, 12);
-    quarterRound(working, 1, 5, 9, 13);
-    quarterRound(working, 2, 6, 10, 14);
-    quarterRound(working, 3, 7, 11, 15);
-    // Diagonal rounds
-    quarterRound(working, 0, 5, 10, 15);
-    quarterRound(working, 1, 6, 11, 12);
-    quarterRound(working, 2, 7, 8, 13);
-    quarterRound(working, 3, 4, 9, 14);
-  }
-
-  // Add original state to working state
-  const output = new Uint32Array(16);
-  for (let i = 0; i < 16; i++) {
-    output[i] = (working[i] + state[i]) >>> 0;
-  }
-
-  return output;
-}
-
-/**
- * Serializes 32-bit words to bytes (little-endian)
- * @param {Uint32Array} words - Array of 32-bit words
- * @returns {Uint8Array} Byte array
- */
-function wordsToBytes(words) {
-  const bytes = new Uint8Array(words.length * 4);
-  const view = new DataView(bytes.buffer);
-  for (let i = 0; i < words.length; i++) {
-    view.setUint32(i * 4, words[i], true);
-  }
-  return bytes;
-}
-
-/**
- * ChaCha20 encryption/decryption (XOR with keystream)
- * @param {Uint8Array} key - 32-byte key
- * @param {Uint8Array} nonce - 12-byte nonce
- * @param {number} counter - Initial block counter
- * @param {Uint8Array} data - Data to encrypt/decrypt
- * @returns {Uint8Array} Encrypted/decrypted data
- * @throws {Error} If key is not 32 bytes or nonce is not 12 bytes
- */
-function chacha20(key, nonce, counter, data) {
-  if (!(key instanceof Uint8Array) || key.length !== 32) {
-    throw new Error('Key must be 32 bytes');
-  }
-  if (!(nonce instanceof Uint8Array) || nonce.length !== 12) {
-    throw new Error('Nonce must be 12 bytes');
-  }
-  if (!(data instanceof Uint8Array)) {
-    throw new Error('Data must be a Uint8Array');
-  }
-  if (typeof counter !== 'number' || counter < 0 || counter > 0xFFFFFFFF) {
-    throw new Error('Counter must be a 32-bit unsigned integer');
-  }
-
-  const output = new Uint8Array(data.length);
-  let offset = 0;
-  let blockCounter = counter;
-
-  while (offset < data.length) {
-    const state = createState(key, blockCounter, nonce);
-    const keystream = wordsToBytes(chacha20Block(state));
-    const remaining = data.length - offset;
-    const blockSize = Math.min(64, remaining);
-
-    for (let i = 0; i < blockSize; i++) {
-      output[offset + i] = data[offset + i] ^ keystream[i];
-    }
-
-    offset += blockSize;
-    blockCounter = (blockCounter + 1) >>> 0;
-
-    if (blockCounter === 0 && offset < data.length) {
-      throw new Error('Counter overflow');
-    }
-  }
-
-  return output;
-}
-
-module.exports = {
-  chacha20Block,
-  chacha20
-};

package/src/crypto/hkdf.js

@@ -1,187 +0,0 @@
-'use strict';
-
-/**
- * HKDF Key Derivation Function (RFC 5869)
- * Pure JavaScript implementation using HMAC-SHA256
- * @module crypto/hkdf
- */
-
-const { hmacSha256 } = require('./hmac');
-
-/**
- * Hash output length in bytes (SHA-256 = 32 bytes)
- * @constant {number}
- */
-const HASH_LENGTH = 32;
-
-/**
- * Maximum output length (255 * hash length)
- * @constant {number}
- */
-const MAX_OUTPUT_LENGTH = 255 * HASH_LENGTH;
-
-/**
- * Default salt (32 zero bytes for SHA-256)
- * @constant {Uint8Array}
- */
-const DEFAULT_SALT = new Uint8Array(HASH_LENGTH);
-
-/**
- * HKDF-Extract: Extract a pseudorandom key from input keying material
- *
- * PRK = HMAC-Hash(salt, IKM)
- *
- * @param {Uint8Array|null} salt - Optional salt value (non-secret random value)
- *                                  If null/undefined/empty, uses zeros
- * @param {Uint8Array} ikm - Input keying material
- * @returns {Uint8Array} Pseudorandom key (32 bytes)
- * @throws {TypeError} If ikm is not a Uint8Array
- *
- * @example
- * const ikm = new Uint8Array([...sharedSecret]);
- * const salt = crypto.getRandomValues(new Uint8Array(32));
- * const prk = extract(salt, ikm);
- */
-function extract(salt, ikm) {
-  if (!(ikm instanceof Uint8Array)) {
-    throw new TypeError('IKM must be a Uint8Array');
-  }
-
-  // Use default salt if not provided or empty
-  const actualSalt = (salt && salt.length > 0) ? salt : DEFAULT_SALT;
-
-  return hmacSha256(actualSalt, ikm);
-}
-
-/**
- * HKDF-Expand: Expand a pseudorandom key to desired length
- *
- * T(0) = empty string
- * T(1) = HMAC-Hash(PRK, T(0) | info | 0x01)
- * T(2) = HMAC-Hash(PRK, T(1) | info | 0x02)
- * ...
- * OKM = first L bytes of T(1) | T(2) | ...
- *
- * @param {Uint8Array} prk - Pseudorandom key (from extract)
- * @param {Uint8Array} info - Context and application specific info
- * @param {number} length - Desired output length in bytes (max 8160)
- * @returns {Uint8Array} Output keying material of specified length
- * @throws {TypeError} If prk or info is not a Uint8Array
- * @throws {RangeError} If length exceeds maximum (255 * 32 = 8160 bytes)
- *
- * @example
- * const prk = extract(salt, ikm);
- * const info = new TextEncoder().encode('encryption-key');
- * const key = expand(prk, info, 32);
- */
-function expand(prk, info, length) {
-  if (!(prk instanceof Uint8Array)) {
-    throw new TypeError('PRK must be a Uint8Array');
-  }
-  if (!(info instanceof Uint8Array)) {
-    throw new TypeError('Info must be a Uint8Array');
-  }
-  if (!Number.isInteger(length) || length < 0) {
-    throw new TypeError('Length must be a non-negative integer');
-  }
-  if (length > MAX_OUTPUT_LENGTH) {
-    throw new RangeError(`Length must not exceed ${MAX_OUTPUT_LENGTH} bytes`);
-  }
-  if (length === 0) {
-    return new Uint8Array(0);
-  }
-
-  // Calculate number of iterations needed
-  const n = Math.ceil(length / HASH_LENGTH);
-  const okm = new Uint8Array(n * HASH_LENGTH);
-
-  // T(0) = empty, T(i) = HMAC(PRK, T(i-1) | info | i)
-  let previous = new Uint8Array(0);
-
-  for (let i = 1; i <= n; i++) {
-    // Construct input: T(i-1) | info | counter
-    const inputLength = previous.length + info.length + 1;
-    const input = new Uint8Array(inputLength);
-
-    let offset = 0;
-    if (previous.length > 0) {
-      input.set(previous, offset);
-      offset += previous.length;
-    }
-    input.set(info, offset);
-    offset += info.length;
-    input[offset] = i; // Counter byte (1-indexed)
-
-    // T(i) = HMAC-Hash(PRK, input)
-    previous = hmacSha256(prk, input);
-
-    // Copy to output
-    okm.set(previous, (i - 1) * HASH_LENGTH);
-  }
-
-  // Return only the requested number of bytes
-  return okm.subarray(0, length);
-}
-
-/**
- * HKDF: Combined extract-then-expand operation
- *
- * Convenience function that performs both HKDF-Extract and HKDF-Expand
- *
- * @param {Uint8Array} ikm - Input keying material
- * @param {Uint8Array|null} salt - Optional salt (uses zeros if null/empty)
- * @param {Uint8Array} info - Context and application specific info
- * @param {number} length - Desired output length in bytes
- * @returns {Uint8Array} Derived key material of specified length
- * @throws {TypeError} If ikm or info is not a Uint8Array
- * @throws {RangeError} If length exceeds maximum
- *
- * @example
- * const sharedSecret = performDH(myPrivate, theirPublic);
- * const info = new TextEncoder().encode('noise-handshake-v1');
- * const key = derive(sharedSecret, null, info, 32);
- */
-function derive(ikm, salt, info, length) {
-  const prk = extract(salt, ikm);
-  return expand(prk, info, length);
-}
-
-/**
- * Derive multiple keys in one operation
- * Useful for deriving encryption and MAC keys together
- *
- * @param {Uint8Array} ikm - Input keying material
- * @param {Uint8Array|null} salt - Optional salt
- * @param {Uint8Array} info - Context info
- * @param {number[]} lengths - Array of key lengths to derive
- * @returns {Uint8Array[]} Array of derived keys
- *
- * @example
- * const [encKey, macKey] = deriveMultiple(secret, salt, info, [32, 32]);
- */
-function deriveMultiple(ikm, salt, info, lengths) {
-  if (!Array.isArray(lengths) || lengths.length === 0) {
-    throw new TypeError('Lengths must be a non-empty array');
-  }
-
-  const totalLength = lengths.reduce((sum, len) => sum + len, 0);
-  const combined = derive(ikm, salt, info, totalLength);
-
-  const keys = [];
-  let offset = 0;
-  for (const len of lengths) {
-    keys.push(combined.slice(offset, offset + len));
-    offset += len;
-  }
-
-  return keys;
-}
-
-module.exports = {
-  extract,
-  expand,
-  derive,
-  deriveMultiple,
-  HASH_LENGTH,
-  MAX_OUTPUT_LENGTH
-};

package/src/crypto/hmac.js

@@ -1,143 +0,0 @@
-'use strict';
-
-/**
- * HMAC-SHA256 Implementation (RFC 2104)
- * Pure JavaScript implementation for BLE Mesh Network
- * @module crypto/hmac
- */
-
-const { hash } = require('./sha256');
-
-/**
- * HMAC block size in bytes (SHA-256 uses 64-byte blocks)
- * @constant {number}
- */
-const BLOCK_SIZE = 64;
-
-/**
- * Inner padding byte value
- * @constant {number}
- */
-const IPAD = 0x36;
-
-/**
- * Outer padding byte value
- * @constant {number}
- */
-const OPAD = 0x5c;
-
-/**
- * Compute HMAC-SHA256 of data with given key
- *
- * HMAC is computed as:
- *   HMAC(K, m) = H((K' XOR opad) || H((K' XOR ipad) || m))
- *
- * Where K' is the key padded/hashed to block size
- *
- * @param {Uint8Array} key - Secret key (any length)
- * @param {Uint8Array} data - Message to authenticate
- * @returns {Uint8Array} 32-byte HMAC digest
- * @throws {TypeError} If key or data is not a Uint8Array
- *
- * @example
- * const key = new Uint8Array([0x0b, 0x0b, ...]);
- * const data = new TextEncoder().encode('Hi There');
- * const mac = hmacSha256(key, data);
- */
-function hmacSha256(key, data) {
-  if (!(key instanceof Uint8Array)) {
-    throw new TypeError('Key must be a Uint8Array');
-  }
-  if (!(data instanceof Uint8Array)) {
-    throw new TypeError('Data must be a Uint8Array');
-  }
-
-  // Step 1: Prepare the key
-  // If key is longer than block size, hash it first
-  // If shorter, it will be padded with zeros
-  let keyPrime;
-  if (key.length > BLOCK_SIZE) {
-    keyPrime = hash(key);
-  } else {
-    keyPrime = key;
-  }
-
-  // Step 2: Create padded key blocks
-  const keyPadded = new Uint8Array(BLOCK_SIZE);
-  keyPadded.set(keyPrime);
-  // Remaining bytes are already 0 from Uint8Array initialization
-
-  // Step 3: Create inner and outer padded keys
-  const innerKey = new Uint8Array(BLOCK_SIZE);
-  const outerKey = new Uint8Array(BLOCK_SIZE);
-
-  for (let i = 0; i < BLOCK_SIZE; i++) {
-    innerKey[i] = keyPadded[i] ^ IPAD;
-    outerKey[i] = keyPadded[i] ^ OPAD;
-  }
-
-  // Step 4: Compute inner hash: H((K' XOR ipad) || message)
-  const innerData = new Uint8Array(BLOCK_SIZE + data.length);
-  innerData.set(innerKey);
-  innerData.set(data, BLOCK_SIZE);
-  const innerHash = hash(innerData);
-
-  // Step 5: Compute outer hash: H((K' XOR opad) || innerHash)
-  const outerData = new Uint8Array(BLOCK_SIZE + 32);
-  outerData.set(outerKey);
-  outerData.set(innerHash, BLOCK_SIZE);
-
-  return hash(outerData);
-}
-
-/**
- * Verify an HMAC-SHA256 digest
- * Uses constant-time comparison to prevent timing attacks
- *
- * @param {Uint8Array} key - Secret key
- * @param {Uint8Array} data - Message that was authenticated
- * @param {Uint8Array} expectedMac - Expected HMAC digest to verify against
- * @returns {boolean} True if MAC is valid, false otherwise
- *
- * @example
- * const isValid = verifyHmac(key, data, receivedMac);
- * if (!isValid) {
- *   throw new Error('Message authentication failed');
- * }
- */
-function verifyHmac(key, data, expectedMac) {
-  if (!(expectedMac instanceof Uint8Array) || expectedMac.length !== 32) {
-    return false;
-  }
-
-  const computedMac = hmacSha256(key, data);
-  return constantTimeEqual(computedMac, expectedMac);
-}
-
-/**
- * Constant-time comparison of two byte arrays
- * Prevents timing attacks by always comparing all bytes
- *
- * @param {Uint8Array} a - First array
- * @param {Uint8Array} b - Second array
- * @returns {boolean} True if arrays are equal
- * @private
- */
-function constantTimeEqual(a, b) {
-  if (a.length !== b.length) {
-    return false;
-  }
-
-  let result = 0;
-  for (let i = 0; i < a.length; i++) {
-    result |= a[i] ^ b[i];
-  }
-
-  return result === 0;
-}
-
-module.exports = {
-  hmacSha256,
-  verifyHmac,
-  BLOCK_SIZE
-};