react-native-security-suite 1.0.0-rc.1 → 1.0.0-rc.2

package/README.md

@@ -4,7 +4,7 @@
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Downloads](https://img.shields.io/npm/dm/react-native-security-suite.svg)](https://www.npmjs.com/package/react-native-security-suite)
 
-**Comprehensive security solutions for React Native applications** — Protect your mobile apps with root/jailbreak detection, SSL certificate pinning, RFC 7515 JWS request signing, hardware-backed secure storage, X25519 key exchange, screenshot protection, and network monitoring.
+**Comprehensive security solutions for React Native applications** — Protect your mobile apps with root/jailbreak detection, SSL certificate pinning, RFC 7515 JWS request signing, hardware-backed secure storage, configurable ECDH key exchange, screenshot protection, and network monitoring.
 
 <div style="display: flex; flex-direction: row; justify-content: center; align-items: center; gap: 20px;">
 <img src="https://raw.githubusercontent.com/mohamadnavabi/react-native-security-suite/master/pulse.gif" alt="iOS Pulse Network Monitor" width="200" />
@@ -24,7 +24,7 @@
 ### Data Security & Encryption
 
 - **Secure Storage**: Hardware-backed encrypted storage (Keychain on iOS, EncryptedSharedPreferences on Android)
-- **Diffie-Hellman / X25519 Key Exchange**: Configurable key agreement with `CryptoOptions`
+- **Diffie-Hellman Key Exchange**: Application-defined algorithms and GCM parameters via `CryptoOptions`
 - **Shared-Key Encryption**: AES-GCM encrypt/decrypt using a derived shared secret
 - **Obfuscation**: Local string obfuscation with an explicit secret (not for credentials at rest)
 
@@ -200,37 +200,87 @@ const handleSecureStorage = async () => {
 
 If a native read/write fails (for example, KeyStore initialization errors on Android), the Promise rejects with a clear `Secure storage operation failed` error.
 
-### 5. Diffie-Hellman / X25519 Key Exchange
+### 5. Diffie-Hellman Key Exchange
 
-Implement secure key exchange with optional `CryptoOptions` (defaults: X25519 key agreement, AES-256-GCM, HMAC-SHA-512):
+Derive a shared encryption key from the client and server public keys. **All cryptographic algorithms and GCM lengths must be supplied by your application** — the native layer does not apply defaults.
 
-```javascript
+Use **`Crypto.establishSharedKey()`** so the derived key stays in native memory. Pass the same `cryptoOptions` to `encryptBySharedKey` / `decryptBySharedKey`.
+
+```typescript
 import {
+  Crypto,
   getPublicKey,
-  getSharedKey,
   encryptBySharedKey,
   decryptBySharedKey,
+  type CryptoOptions,
 } from 'react-native-security-suite';
 
-const cryptoOptions = {
-  keyAgreementAlgorithm: 'X25519',
-  keyType: 'OKP',
-  encryptionKeyAlgorithm: 'AES-256',
-  hmacAlgorithm: 'HMAC-SHA-512',
-  cipher: 'AES-GCM',
+/**
+ * Pick one value per field. Unions match exported package types.
+ * Use JCA names (e.g. 'HmacSHA256', 'AES/GCM/NoPadding') for native crypto.
+ */
+const cryptoOptions: CryptoOptions = {
+  keyAgreementAlgorithm: 'X25519', // 'X25519' | 'ECDH'
+  keyType: 'EC', // 'OKP' | 'EC'
+  encryptionKeyAlgorithm: 'AES-256', // 'AES-256' | 'AES'
+  hmacAlgorithm: 'HmacSHA256', // 'HmacSHA256' | 'HmacSHA384' | 'HmacSHA512' | 'HMAC-SHA-256' | 'HMAC-SHA-384' | 'HMAC-SHA-512'
+  cipher: 'AES-GCM', // 'AES-GCM' | 'AES/GCM/NoPadding'
+  tagLength: 256, // GCM auth tag size in bits
+  ivLength: 12, // GCM IV size in bytes
 };
 
 const handleKeyExchange = async () => {
   const clientPublicKey = await getPublicKey();
   const serverPublicKey = 'SERVER_PUBLIC_KEY_FROM_API';
 
-  await getSharedKey(serverPublicKey, cryptoOptions);
+  // Keeps the shared key in native memory (recommended)
+  await Crypto.establishSharedKey(serverPublicKey, cryptoOptions);
 
   const encryptedMessage = await encryptBySharedKey('Secret message', cryptoOptions);
   const decryptedMessage = await decryptBySharedKey(encryptedMessage, cryptoOptions);
 };
 ```
 
+**Legacy API** (returns the derived key to JavaScript — avoid in production):
+
+```javascript
+import { getSharedKey } from 'react-native-security-suite';
+
+const sharedKeyBase64 = await getSharedKey(serverPublicKey, cryptoOptions);
+```
+
+#### Algorithm and length options
+
+| Option | Required | Allowed values | Description |
+|--------|----------|----------------|-------------|
+| `keyAgreementAlgorithm` | yes | `'X25519' \| 'ECDH'` | Key-agreement algorithm passed to native `KeyAgreement` |
+| `keyType` | yes* | `'OKP' \| 'EC'` | Key-factory algorithm for the server public key (`keyFactoryAlgorithm` alias) |
+| `encryptionKeyAlgorithm` | yes | `'AES-256' \| 'AES'` | Symmetric key algorithm for the derived encryption key |
+| `hmacAlgorithm` | yes* | `'HmacSHA256' \| 'HmacSHA384' \| 'HmacSHA512' \| 'HMAC-SHA-256' \| 'HMAC-SHA-384' \| 'HMAC-SHA-512'` | HMAC for HKDF and MAC key material (`hmacKeyAlgorithm` alias) |
+| `cipher` | yes* | `'AES-GCM' \| 'AES/GCM/NoPadding'` | Cipher transformation for encrypt/decrypt (`cipherTransformation` alias) |
+| `tagLength` | yes* | `number` (e.g. `128`) | GCM authentication tag length in **bits** (`gcmTagLength` alias) |
+| `ivLength` | yes* | `number` (e.g. `12`) | GCM IV/nonce length in **bytes** (`gcmIvLength` alias) |
+
+\*Provide via the preferred name or its deprecated alias (see [API Reference](#cryptooptions)).
+
+Use **JCA-style names** on both Android and iOS (e.g. `HmacSHA256`, not `HMAC-SHA-256`). Omitting any required option throws before native code runs.
+
+**Typical production profile (P-256 ECDH + AES-256-GCM):**
+
+```typescript
+import type { CryptoOptions } from 'react-native-security-suite';
+
+const cryptoOptions: CryptoOptions = {
+  keyAgreementAlgorithm: 'ECDH',
+  keyType: 'EC',
+  encryptionKeyAlgorithm: 'AES',
+  hmacAlgorithm: 'HmacSHA256',
+  cipher: 'AES/GCM/NoPadding',
+  tagLength: 128,
+  ivLength: 12,
+};
+```
+
 ### 6. JWS Generation (RFC 7515)
 
 Generate [RFC 7515](https://datatracker.ietf.org/doc/html/rfc7515) compact JWS tokens. Supported algorithms: **HS256**, **HS384**, **HS512**. An explicit `secret` is always required.
@@ -408,22 +458,28 @@ const monitoredRequest = async () => {
 
 ### Key Exchange
 
-- `getPublicKey()` — Generate client public key (JWK)
-- `getSharedKey(serverPublicKey, options?)` — Derive shared secret; accepts `CryptoOptions`
-- `encryptBySharedKey(text, options?)` — AES-GCM encrypt with derived key
-- `decryptBySharedKey(encryptedText, options?)` — AES-GCM decrypt with derived key
+- `Crypto.getPublicKey()` — Client public key (base64-encoded SPKI / DER)
+- `Crypto.establishSharedKey(serverPublicKey, options)` — Derive shared key in native memory; **`options` required**
+- `getPublicKey()` — Legacy alias for `Crypto.getPublicKey()`
+- `getSharedKey(serverPublicKey, options)` — **Deprecated**; returns derived key to JS; **`options` required**
+- `encryptBySharedKey(text, options)` — Encrypt with derived key; **`options` required**
+- `decryptBySharedKey(encryptedText, options)` — Decrypt with derived key; **`options` required**
 
 #### `CryptoOptions`
 
-| Option | Default | Description |
-|--------|---------|-------------|
-| `keyAgreementAlgorithm` | `'X25519'` | Key agreement (e.g. `X25519`, `ECDH`) |
-| `keyType` | `'OKP'` | JWK key type (`OKP`, `EC`) |
-| `encryptionKeyAlgorithm` | `'AES-256'` | Symmetric key algorithm |
-| `hmacAlgorithm` | `'HMAC-SHA-512'` | HMAC for signing and key derivation |
-| `cipher` | `'AES-GCM'` | AEAD cipher mode |
-| `tagLength` | `128` | GCM authentication tag length (bits) |
-| `ivLength` | `12` | GCM IV length (bytes) |
+All fields below are **required** on every key-exchange and encrypt/decrypt call. There are no library defaults — define a shared `cryptoOptions` object in your app and reuse it.
+
+| Option | Allowed values |
+|--------|----------------|
+| `keyAgreementAlgorithm` | `'X25519' \| 'ECDH'` |
+| `keyType` | `'OKP' \| 'EC'` (alias: `keyFactoryAlgorithm`) |
+| `encryptionKeyAlgorithm` | `'AES-256' \| 'AES'` |
+| `hmacAlgorithm` | `'HmacSHA256' \| 'HmacSHA384' \| 'HmacSHA512' \| 'HMAC-SHA-256' \| 'HMAC-SHA-384' \| 'HMAC-SHA-512'` (alias: `hmacKeyAlgorithm`) |
+| `cipher` | `'AES-GCM' \| 'AES/GCM/NoPadding'` (alias: `cipherTransformation`) |
+| `tagLength` | `number` — GCM tag length in bits (alias: `gcmTagLength`) |
+| `ivLength` | `number` — GCM IV length in bytes (alias: `gcmIvLength`) |
+
+Exported types: `CryptoOptions`, `KeyAgreementAlgorithm`, `KeyType`, `EncryptionKeyAlgorithm`, `HmacAlgorithm`, `CipherAlgorithm`.
 
 ### JWS
 

package/android/src/main/java/com/securitysuite/CryptoConfig.java

@@ -3,17 +3,9 @@ package com.securitysuite;
 import com.facebook.react.bridge.ReadableMap;
 
 /**
- * Configurable cryptographic parameters with secure defaults and whitelist validation.
+ * Cryptographic parameters supplied by the application.
  */
 public final class CryptoConfig {
-  public static final String DEFAULT_KEY_AGREEMENT = "ECDH";
-  public static final String DEFAULT_KEY_FACTORY = "EC";
-  public static final String DEFAULT_ENCRYPTION_KEY_ALGORITHM = "AES";
-  public static final String DEFAULT_HMAC_KEY_ALGORITHM = "HmacSHA256";
-  public static final String DEFAULT_CIPHER_TRANSFORMATION = "AES/GCM/NoPadding";
-  public static final int DEFAULT_GCM_TAG_LENGTH = 128;
-  public static final int DEFAULT_GCM_IV_LENGTH = 12;
-
   public final String keyAgreementAlgorithm;
   public final String keyFactoryAlgorithm;
   public final String encryptionKeyAlgorithm;
@@ -40,35 +32,19 @@ public final class CryptoConfig {
     this.gcmIvLength = gcmIvLength;
   }
 
-  public static CryptoConfig defaults() {
-    return new CryptoConfig(
-        DEFAULT_KEY_AGREEMENT,
-        DEFAULT_KEY_FACTORY,
-        DEFAULT_ENCRYPTION_KEY_ALGORITHM,
-        DEFAULT_HMAC_KEY_ALGORITHM,
-        DEFAULT_CIPHER_TRANSFORMATION,
-        DEFAULT_GCM_TAG_LENGTH,
-        DEFAULT_GCM_IV_LENGTH
-    );
-  }
-
   public static CryptoConfig fromReadableMap(ReadableMap options) {
     if (options == null) {
-      return defaults();
+      throw new IllegalArgumentException("Crypto options are required");
     }
 
     return new CryptoConfig(
-        validateKeyAgreement(readString(options, "keyAgreementAlgorithm", DEFAULT_KEY_AGREEMENT)),
-        validateKeyFactory(readString(options, "keyFactoryAlgorithm", DEFAULT_KEY_FACTORY)),
-        validateEncryptionKeyAlgorithm(
-            readString(options, "encryptionKeyAlgorithm", DEFAULT_ENCRYPTION_KEY_ALGORITHM)
-        ),
-        validateHmacKeyAlgorithm(readString(options, "hmacKeyAlgorithm", DEFAULT_HMAC_KEY_ALGORITHM)),
-        validateCipherTransformation(
-            readString(options, "cipherTransformation", DEFAULT_CIPHER_TRANSFORMATION)
-        ),
-        options.hasKey("gcmTagLength") ? options.getInt("gcmTagLength") : DEFAULT_GCM_TAG_LENGTH,
-        options.hasKey("gcmIvLength") ? options.getInt("gcmIvLength") : DEFAULT_GCM_IV_LENGTH
+        requireString(options, "keyAgreementAlgorithm"),
+        requireString(options, "keyFactoryAlgorithm"),
+        requireString(options, "encryptionKeyAlgorithm"),
+        requireString(options, "hmacKeyAlgorithm"),
+        requireString(options, "cipherTransformation"),
+        requireInt(options, "gcmTagLength"),
+        requireInt(options, "gcmIvLength")
     );
   }
 
@@ -110,49 +86,21 @@ public final class CryptoConfig {
     return map;
   }
 
-  private static String readString(ReadableMap map, String key, String defaultValue) {
-    if (map.hasKey(key) && map.getString(key) != null) {
-      return map.getString(key).trim();
-    }
-    return defaultValue;
-  }
-
-  private static String validateKeyAgreement(String algorithm) {
-    if ("ECDH".equals(algorithm)) {
-      return algorithm;
+  private static String requireString(ReadableMap map, String key) {
+    if (!map.hasKey(key) || map.getString(key) == null) {
+      throw new IllegalArgumentException("Missing required crypto option: " + key);
     }
-    throw new IllegalArgumentException("Unsupported keyAgreementAlgorithm: " + algorithm);
-  }
-
-  private static String validateKeyFactory(String algorithm) {
-    if ("EC".equals(algorithm)) {
-      return algorithm;
-    }
-    throw new IllegalArgumentException("Unsupported keyFactoryAlgorithm: " + algorithm);
-  }
-
-  private static String validateEncryptionKeyAlgorithm(String algorithm) {
-    if ("AES".equals(algorithm)) {
-      return algorithm;
-    }
-    throw new IllegalArgumentException("Unsupported encryptionKeyAlgorithm: " + algorithm);
-  }
-
-  private static String validateHmacKeyAlgorithm(String algorithm) {
-    switch (algorithm) {
-      case "HmacSHA256":
-      case "HmacSHA384":
-      case "HmacSHA512":
-        return algorithm;
-      default:
-        throw new IllegalArgumentException("Unsupported hmacKeyAlgorithm: " + algorithm);
+    String value = map.getString(key).trim();
+    if (value.isEmpty()) {
+      throw new IllegalArgumentException("Missing required crypto option: " + key);
     }
+    return value;
   }
 
-  private static String validateCipherTransformation(String transformation) {
-    if ("AES/GCM/NoPadding".equals(transformation)) {
-      return transformation;
+  private static int requireInt(ReadableMap map, String key) {
+    if (!map.hasKey(key)) {
+      throw new IllegalArgumentException("Missing required crypto option: " + key);
     }
-    throw new IllegalArgumentException("Unsupported cipherTransformation: " + transformation);
+    return map.getInt(key);
   }
 }

package/android/src/main/java/com/securitysuite/CryptoUtils.java

@@ -11,8 +11,8 @@ import java.security.SecureRandom;
 import java.util.regex.Pattern;
 
 /**
- * Shared cryptographic utilities. HKDF-SHA256 (RFC 5869) is used instead of raw
- * ECDH output or single-pass SHA-256 to derive independent symmetric keys.
+ * Shared cryptographic utilities. HKDF (RFC 5869) is used instead of raw
+ * key-agreement output or single-pass SHA-256 to derive independent symmetric keys.
  */
 public final class CryptoUtils {
   public static final String HKDF_SALT = "react-native-security-suite";
@@ -24,18 +24,19 @@ public final class CryptoUtils {
 
   private CryptoUtils() {}
 
-  /** RFC 5869 HKDF-SHA256 expand/extract. */
-  public static byte[] hkdfSha256(byte[] ikm, byte[] salt, byte[] info, int length) throws Exception {
+  /** RFC 5869 HKDF expand/extract using the configured HMAC algorithm. */
+  public static byte[] hkdf(byte[] ikm, byte[] salt, byte[] info, int length, String macAlgorithm)
+      throws Exception {
     byte[] actualSalt = (salt == null || salt.length == 0)
         ? new byte[32]
         : salt;
 
-    Mac extractMac = Mac.getInstance("HmacSHA256");
-    extractMac.init(new SecretKeySpec(actualSalt, "HmacSHA256"));
+    Mac extractMac = Mac.getInstance(macAlgorithm);
+    extractMac.init(new SecretKeySpec(actualSalt, macAlgorithm));
     byte[] prk = extractMac.doFinal(ikm);
 
-    Mac expandMac = Mac.getInstance("HmacSHA256");
-    expandMac.init(new SecretKeySpec(prk, "HmacSHA256"));
+    Mac expandMac = Mac.getInstance(macAlgorithm);
+    expandMac.init(new SecretKeySpec(prk, macAlgorithm));
 
     byte[] result = new byte[length];
     byte[] previous = new byte[0];
@@ -59,21 +60,23 @@ public final class CryptoUtils {
     return result;
   }
 
-  public static byte[] deriveEncryptionKey(byte[] sharedSecret) throws Exception {
-    return hkdfSha256(
+  public static byte[] deriveEncryptionKey(byte[] sharedSecret, String macAlgorithm) throws Exception {
+    return hkdf(
         sharedSecret,
         HKDF_SALT.getBytes(StandardCharsets.UTF_8),
         HKDF_INFO_ENCRYPTION.getBytes(StandardCharsets.UTF_8),
-        32
+        32,
+        macAlgorithm
     );
   }
 
-  public static byte[] deriveHmacKey(byte[] sharedSecret) throws Exception {
-    return hkdfSha256(
+  public static byte[] deriveHmacKey(byte[] sharedSecret, String macAlgorithm) throws Exception {
+    return hkdf(
         sharedSecret,
         HKDF_SALT.getBytes(StandardCharsets.UTF_8),
         HKDF_INFO_HMAC.getBytes(StandardCharsets.UTF_8),
-        32
+        32,
+        macAlgorithm
     );
   }
 

package/android/src/main/java/com/securitysuite/SecuritySuiteModule.java

@@ -42,7 +42,7 @@ public class SecuritySuiteModule extends ReactContextBaseJavaModule {
 
   private SecretKey encryptionKey;
   private SecretKey hmacKey;
-  private CryptoConfig cryptoConfig = CryptoConfig.defaults();
+  private CryptoConfig cryptoConfig;
 
   public SecuritySuiteModule(ReactApplicationContext reactContext) {
     super(reactContext);
@@ -80,8 +80,8 @@ public class SecuritySuiteModule extends ReactContextBaseJavaModule {
       keyAgree.doPhase(serverPublicKey, true);
       byte[] sharedSecret = keyAgree.generateSecret();
 
-      byte[] encKeyBytes = CryptoUtils.deriveEncryptionKey(sharedSecret);
-      byte[] macKeyBytes = CryptoUtils.deriveHmacKey(sharedSecret);
+      byte[] encKeyBytes = CryptoUtils.deriveEncryptionKey(sharedSecret, cryptoConfig.hmacKeyAlgorithm);
+      byte[] macKeyBytes = CryptoUtils.deriveHmacKey(sharedSecret, cryptoConfig.hmacKeyAlgorithm);
       encryptionKey = new SecretKeySpec(encKeyBytes, cryptoConfig.encryptionKeyAlgorithm);
       hmacKey = new SecretKeySpec(macKeyBytes, cryptoConfig.hmacKeyAlgorithm);
 
@@ -114,8 +114,8 @@ public class SecuritySuiteModule extends ReactContextBaseJavaModule {
       keyAgree.doPhase(serverPublicKey, true);
       byte[] sharedSecret = keyAgree.generateSecret();
 
-      byte[] encKeyBytes = CryptoUtils.deriveEncryptionKey(sharedSecret);
-      byte[] macKeyBytes = CryptoUtils.deriveHmacKey(sharedSecret);
+      byte[] encKeyBytes = CryptoUtils.deriveEncryptionKey(sharedSecret, cryptoConfig.hmacKeyAlgorithm);
+      byte[] macKeyBytes = CryptoUtils.deriveHmacKey(sharedSecret, cryptoConfig.hmacKeyAlgorithm);
       encryptionKey = new SecretKeySpec(encKeyBytes, cryptoConfig.encryptionKeyAlgorithm);
       hmacKey = new SecretKeySpec(macKeyBytes, cryptoConfig.hmacKeyAlgorithm);
 
@@ -133,7 +133,7 @@ public class SecuritySuiteModule extends ReactContextBaseJavaModule {
         promise.reject("ENCRYPT_ERROR", "Encryption key not established. Call getSharedKey first.");
         return;
       }
-      CryptoConfig config = cryptoConfig.merge(options);
+      CryptoConfig config = resolveCryptoConfig(options);
       byte[] inputByte = input.getBytes(StandardCharsets.UTF_8);
       Cipher cipher = Cipher.getInstance(config.cipherTransformation);
       cipher.init(Cipher.ENCRYPT_MODE, encryptionKey);
@@ -155,7 +155,7 @@ public class SecuritySuiteModule extends ReactContextBaseJavaModule {
         promise.reject("DECRYPT_ERROR", "Encryption key not established. Call getSharedKey first.");
         return;
       }
-      CryptoConfig config = cryptoConfig.merge(options);
+      CryptoConfig config = resolveCryptoConfig(options);
       byte[] inputBytes = Base64.decode(input.getBytes(StandardCharsets.UTF_8), Base64.NO_WRAP);
       int minLength = config.gcmIvLength + (config.gcmTagLength / 8);
       if (inputBytes.length < minLength) {
@@ -352,6 +352,13 @@ public class SecuritySuiteModule extends ReactContextBaseJavaModule {
     }
   }
 
+  private CryptoConfig resolveCryptoConfig(ReadableMap options) {
+    if (cryptoConfig != null) {
+      return cryptoConfig.merge(options);
+    }
+    return CryptoConfig.fromReadableMap(options);
+  }
+
   private static String secureStorageMessage(Exception error) {
     String message = error.getMessage();
     if (message != null && !message.isEmpty()) {

package/ios/CryptoConfig.swift

@@ -2,14 +2,6 @@ import Foundation
 
 @available(iOS 13.0, *)
 struct CryptoConfig {
-    static let defaultKeyAgreement = "ECDH"
-    static let defaultKeyFactory = "EC"
-    static let defaultEncryptionKeyAlgorithm = "AES"
-    static let defaultHmacKeyAlgorithm = "HmacSHA256"
-    static let defaultCipherTransformation = "AES/GCM/NoPadding"
-    static let defaultGcmTagLength = 128
-    static let defaultGcmIvLength = 12
-
     let keyAgreementAlgorithm: String
     let keyFactoryAlgorithm: String
     let encryptionKeyAlgorithm: String
@@ -18,41 +10,21 @@ struct CryptoConfig {
     let gcmTagLength: Int
     let gcmIvLength: Int
 
-    static func defaults() -> CryptoConfig {
-        CryptoConfig(
-            keyAgreementAlgorithm: defaultKeyAgreement,
-            keyFactoryAlgorithm: defaultKeyFactory,
-            encryptionKeyAlgorithm: defaultEncryptionKeyAlgorithm,
-            hmacKeyAlgorithm: defaultHmacKeyAlgorithm,
-            cipherTransformation: defaultCipherTransformation,
-            gcmTagLength: defaultGcmTagLength,
-            gcmIvLength: defaultGcmIvLength
-        )
-    }
-
     static func from(dictionary: NSDictionary?) throws -> CryptoConfig {
         guard let dictionary = dictionary else {
-            return defaults()
+            throw NSError(domain: "CryptoConfig", code: 0, userInfo: [
+                NSLocalizedDescriptionKey: "Crypto options are required",
+            ])
         }
 
         return CryptoConfig(
-            keyAgreementAlgorithm: try validateKeyAgreement(
-                dictionary["keyAgreementAlgorithm"] as? String ?? defaultKeyAgreement
-            ),
-            keyFactoryAlgorithm: try validateKeyFactory(
-                dictionary["keyFactoryAlgorithm"] as? String ?? defaultKeyFactory
-            ),
-            encryptionKeyAlgorithm: try validateEncryptionKeyAlgorithm(
-                dictionary["encryptionKeyAlgorithm"] as? String ?? defaultEncryptionKeyAlgorithm
-            ),
-            hmacKeyAlgorithm: try validateHmacKeyAlgorithm(
-                dictionary["hmacKeyAlgorithm"] as? String ?? defaultHmacKeyAlgorithm
-            ),
-            cipherTransformation: try validateCipherTransformation(
-                dictionary["cipherTransformation"] as? String ?? defaultCipherTransformation
-            ),
-            gcmTagLength: dictionary["gcmTagLength"] as? Int ?? defaultGcmTagLength,
-            gcmIvLength: dictionary["gcmIvLength"] as? Int ?? defaultGcmIvLength
+            keyAgreementAlgorithm: try requireString(dictionary, key: "keyAgreementAlgorithm"),
+            keyFactoryAlgorithm: try requireString(dictionary, key: "keyFactoryAlgorithm"),
+            encryptionKeyAlgorithm: try requireString(dictionary, key: "encryptionKeyAlgorithm"),
+            hmacKeyAlgorithm: try requireString(dictionary, key: "hmacKeyAlgorithm"),
+            cipherTransformation: try requireString(dictionary, key: "cipherTransformation"),
+            gcmTagLength: try requireInt(dictionary, key: "gcmTagLength"),
+            gcmIvLength: try requireInt(dictionary, key: "gcmIvLength")
         )
     }
 
@@ -75,50 +47,27 @@ struct CryptoConfig {
         return try CryptoConfig.from(dictionary: merged as NSDictionary)
     }
 
-    private static func validateKeyAgreement(_ algorithm: String) throws -> String {
-        guard algorithm == "ECDH" else {
-            throw NSError(domain: "CryptoConfig", code: 1, userInfo: [
-                NSLocalizedDescriptionKey: "Unsupported keyAgreementAlgorithm: \(algorithm)",
+    private static func requireString(_ dictionary: NSDictionary, key: String) throws -> String {
+        guard let value = dictionary[key] as? String else {
+            throw NSError(domain: "CryptoConfig", code: 0, userInfo: [
+                NSLocalizedDescriptionKey: "Missing required crypto option: \(key)",
             ])
         }
-        return algorithm
-    }
-
-    private static func validateKeyFactory(_ algorithm: String) throws -> String {
-        guard algorithm == "EC" else {
-            throw NSError(domain: "CryptoConfig", code: 2, userInfo: [
-                NSLocalizedDescriptionKey: "Unsupported keyFactoryAlgorithm: \(algorithm)",
-            ])
-        }
-        return algorithm
-    }
-
-    private static func validateEncryptionKeyAlgorithm(_ algorithm: String) throws -> String {
-        guard algorithm == "AES" else {
-            throw NSError(domain: "CryptoConfig", code: 3, userInfo: [
-                NSLocalizedDescriptionKey: "Unsupported encryptionKeyAlgorithm: \(algorithm)",
-            ])
-        }
-        return algorithm
-    }
-
-    private static func validateHmacKeyAlgorithm(_ algorithm: String) throws -> String {
-        switch algorithm {
-        case "HmacSHA256", "HmacSHA384", "HmacSHA512":
-            return algorithm
-        default:
-            throw NSError(domain: "CryptoConfig", code: 4, userInfo: [
-                NSLocalizedDescriptionKey: "Unsupported hmacKeyAlgorithm: \(algorithm)",
+        let trimmed = value.trimmingCharacters(in: .whitespacesAndNewlines)
+        guard !trimmed.isEmpty else {
+            throw NSError(domain: "CryptoConfig", code: 0, userInfo: [
+                NSLocalizedDescriptionKey: "Missing required crypto option: \(key)",
             ])
         }
+        return trimmed
     }
 
-    private static func validateCipherTransformation(_ transformation: String) throws -> String {
-        guard transformation == "AES/GCM/NoPadding" else {
-            throw NSError(domain: "CryptoConfig", code: 5, userInfo: [
-                NSLocalizedDescriptionKey: "Unsupported cipherTransformation: \(transformation)",
+    private static func requireInt(_ dictionary: NSDictionary, key: String) throws -> Int {
+        guard let value = dictionary[key] as? Int else {
+            throw NSError(domain: "CryptoConfig", code: 0, userInfo: [
+                NSLocalizedDescriptionKey: "Missing required crypto option: \(key)",
             ])
         }
-        return transformation
+        return value
     }
 }

package/ios/SecuritySuite.swift

@@ -13,7 +13,7 @@ class SecuritySuite: NSObject {
     private var privateKeyData: Data?
     private var encryptionKeyData: Data?
     private var hmacKeyData: Data?
-    private var cryptoConfig = CryptoConfig.defaults()
+    private var cryptoConfig: CryptoConfig?
 
     private func loadOrCreateECDHKeyPair() throws -> P256.KeyAgreement.PrivateKey {
         if let stored = try KeychainHelper.shared.loadECDHKeyPair() {
@@ -30,6 +30,43 @@ class SecuritySuite: NSObject {
         return key
     }
 
+    private func resolveCryptoConfig(options: NSDictionary?) throws -> CryptoConfig {
+        if let cryptoConfig {
+            return try cryptoConfig.merged(with: options)
+        }
+        return try CryptoConfig.from(dictionary: options)
+    }
+
+    private func hkdfHash(for macAlgorithm: String) throws -> any HashFunction.Type {
+        switch macAlgorithm {
+        case "HmacSHA256", "HMAC-SHA-256":
+            return SHA256.self
+        case "HmacSHA384", "HMAC-SHA-384":
+            return SHA384.self
+        case "HmacSHA512", "HMAC-SHA-512":
+            return SHA512.self
+        default:
+            throw NSError(domain: "CryptoConfig", code: 6, userInfo: [
+                NSLocalizedDescriptionKey: "Unsupported hkdf mac algorithm: \(macAlgorithm)",
+            ])
+        }
+    }
+
+    private func deriveSymmetricKey(
+        from sharedSecret: SharedSecret,
+        macAlgorithm: String,
+        info: Data,
+        outputByteCount: Int
+    ) throws -> Data {
+        let hash = try hkdfHash(for: macAlgorithm)
+        return sharedSecret.hkdfDerivedSymmetricKey(
+            using: hash,
+            salt: hkdfSalt,
+            sharedInfo: info,
+            outputByteCount: outputByteCount
+        ).withUnsafeBytes { Data($0) }
+    }
+
     @objc(getPublicKey:withRejecter:)
     func getPublicKey(resolve: @escaping RCTPromiseResolveBlock, reject: RCTPromiseRejectBlock) {
         do {
@@ -48,13 +85,8 @@ class SecuritySuite: NSObject {
         reject: RCTPromiseRejectBlock
     ) {
         do {
-            cryptoConfig = try CryptoConfig.from(dictionary: options)
-
-            guard cryptoConfig.keyAgreementAlgorithm == "ECDH",
-                  cryptoConfig.keyFactoryAlgorithm == "EC" else {
-                reject("GET_SHARED_KEY_ERROR", "Only ECDH/EC key agreement is supported on iOS", nil)
-                return
-            }
+            let config = try CryptoConfig.from(dictionary: options)
+            cryptoConfig = config
 
             let serverKeyString = (serverPK as String).trimmingCharacters(in: .whitespacesAndNewlines)
             guard !serverKeyString.isEmpty,
@@ -68,19 +100,19 @@ class SecuritySuite: NSObject {
                 with: P256.KeyAgreement.PublicKey(derRepresentation: serverPublicKeyData)
             )
 
-            encryptionKeyData = sharedSecret.hkdfDerivedSymmetricKey(
-                using: SHA256.self,
-                salt: hkdfSalt,
-                sharedInfo: hkdfInfoEncryption,
+            encryptionKeyData = try deriveSymmetricKey(
+                from: sharedSecret,
+                macAlgorithm: config.hmacKeyAlgorithm,
+                info: hkdfInfoEncryption,
                 outputByteCount: 32
-            ).withUnsafeBytes { Data($0) }
+            )
 
-            hmacKeyData = sharedSecret.hkdfDerivedSymmetricKey(
-                using: SHA256.self,
-                salt: hkdfSalt,
-                sharedInfo: hkdfInfoHmac,
+            hmacKeyData = try deriveSymmetricKey(
+                from: sharedSecret,
+                macAlgorithm: config.hmacKeyAlgorithm,
+                info: hkdfInfoHmac,
                 outputByteCount: 32
-            ).withUnsafeBytes { Data($0) }
+            )
 
             resolve(nil)
         } catch {
@@ -96,13 +128,8 @@ class SecuritySuite: NSObject {
         reject: RCTPromiseRejectBlock
     ) {
         do {
-            cryptoConfig = try CryptoConfig.from(dictionary: options)
-
-            guard cryptoConfig.keyAgreementAlgorithm == "ECDH",
-                  cryptoConfig.keyFactoryAlgorithm == "EC" else {
-                reject("GET_SHARED_KEY_ERROR", "Only ECDH/EC key agreement is supported on iOS", nil)
-                return
-            }
+            let config = try CryptoConfig.from(dictionary: options)
+            cryptoConfig = config
 
             let serverKeyString = (serverPK as String).trimmingCharacters(in: .whitespacesAndNewlines)
             guard !serverKeyString.isEmpty,
@@ -116,19 +143,19 @@ class SecuritySuite: NSObject {
                 with: P256.KeyAgreement.PublicKey(derRepresentation: serverPublicKeyData)
             )
 
-            encryptionKeyData = sharedSecret.hkdfDerivedSymmetricKey(
-                using: SHA256.self,
-                salt: hkdfSalt,
-                sharedInfo: hkdfInfoEncryption,
+            encryptionKeyData = try deriveSymmetricKey(
+                from: sharedSecret,
+                macAlgorithm: config.hmacKeyAlgorithm,
+                info: hkdfInfoEncryption,
                 outputByteCount: 32
-            ).withUnsafeBytes { Data($0) }
+            )
 
-            hmacKeyData = sharedSecret.hkdfDerivedSymmetricKey(
-                using: SHA256.self,
-                salt: hkdfSalt,
-                sharedInfo: hkdfInfoHmac,
+            hmacKeyData = try deriveSymmetricKey(
+                from: sharedSecret,
+                macAlgorithm: config.hmacKeyAlgorithm,
+                info: hkdfInfoHmac,
                 outputByteCount: 32
-            ).withUnsafeBytes { Data($0) }
+            )
 
             resolve(encryptionKeyData?.base64EncodedString())
         } catch {
@@ -148,12 +175,7 @@ class SecuritySuite: NSObject {
             return
         }
         do {
-            let config = try cryptoConfig.merged(with: options)
-            guard config.cipherTransformation == "AES/GCM/NoPadding",
-                  config.encryptionKeyAlgorithm == "AES" else {
-                reject("ENCRYPT_ERROR", "Only AES/GCM/NoPadding is supported on iOS", nil)
-                return
-            }
+            _ = try resolveCryptoConfig(options: options)
 
             let data = Data((input as String).utf8)
             let key = SymmetricKey(data: keyData)
@@ -183,12 +205,7 @@ class SecuritySuite: NSObject {
             return
         }
         do {
-            let config = try cryptoConfig.merged(with: options)
-            guard config.cipherTransformation == "AES/GCM/NoPadding",
-                  config.encryptionKeyAlgorithm == "AES" else {
-                reject("DECRYPT_ERROR", "Only AES/GCM/NoPadding is supported on iOS", nil)
-                return
-            }
+            _ = try resolveCryptoConfig(options: options)
 
             let key = SymmetricKey(data: keyData)
             let output = try AES.GCM.open(AES.GCM.SealedBox(combined: data), using: key)

package/lib/commonjs/crypto/index.js

@@ -5,17 +5,7 @@ Object.defineProperty(exports, "__esModule", {
 });
 exports.Crypto = void 0;
 var _bridge = require("../native/bridge.js");
-function toNativeCryptoOptions(options) {
-  return {
-    keyAgreementAlgorithm: options?.keyAgreementAlgorithm ?? 'X25519',
-    keyFactoryAlgorithm: options?.keyType ?? options?.keyFactoryAlgorithm ?? 'OKP',
-    encryptionKeyAlgorithm: options?.encryptionKeyAlgorithm ?? 'AES-256',
-    hmacKeyAlgorithm: options?.hmacAlgorithm ?? options?.hmacKeyAlgorithm ?? 'HMAC-SHA-512',
-    cipherTransformation: options?.cipher ?? options?.cipherTransformation ?? 'AES-GCM',
-    gcmTagLength: options?.tagLength ?? options?.gcmTagLength ?? 128,
-    gcmIvLength: options?.ivLength ?? options?.gcmIvLength ?? 12
-  };
-}
+var _cryptoOptions = require("../legacy/cryptoOptions.js");
 const Crypto = exports.Crypto = {
   getPublicKey() {
     return (0, _bridge.getNativeModule)().getPublicKey();
@@ -26,7 +16,7 @@ const Crypto = exports.Crypto = {
    */
   establishSharedKey(serverPublicKey, options) {
     const native = (0, _bridge.getNativeModule)();
-    const nativeOptions = toNativeCryptoOptions(options);
+    const nativeOptions = (0, _cryptoOptions.toNativeCryptoOptions)(options);
     if (options?.returnSharedKey) {
       return native.getSharedKey(serverPublicKey, nativeOptions);
     }

package/lib/commonjs/crypto/index.js.map

@@ -1 +1 @@
-{"version":3,"names":["_bridge","require","toNativeCryptoOptions","options","keyAgreementAlgorithm","keyFactoryAlgorithm","keyType","encryptionKeyAlgorithm","hmacKeyAlgorithm","hmacAlgorithm","cipherTransformation","cipher","gcmTagLength","tagLength","gcmIvLength","ivLength","Crypto","exports","getPublicKey","getNativeModule","establishSharedKey","serverPublicKey","native","nativeOptions","returnSharedKey","getSharedKey","then","undefined"],"sourceRoot":"../../../src","sources":["crypto/index.ts"],"mappings":";;;;;;AAAA,IAAAA,OAAA,GAAAC,OAAA;AAGA,SAASC,qBAAqBA,CAACC,OAA8B,EAAE;EAC7D,OAAO;IACLC,qBAAqB,EAAED,OAAO,EAAEC,qBAAqB,IAAI,QAAQ;IACjEC,mBAAmB,EAAEF,OAAO,EAAEG,OAAO,IAAIH,OAAO,EAAEE,mBAAmB,IAAI,KAAK;IAC9EE,sBAAsB,EAAEJ,OAAO,EAAEI,sBAAsB,IAAI,SAAS;IACpEC,gBAAgB,EAAEL,OAAO,EAAEM,aAAa,IAAIN,OAAO,EAAEK,gBAAgB,IAAI,cAAc;IACvFE,oBAAoB,EAAEP,OAAO,EAAEQ,MAAM,IAAIR,OAAO,EAAEO,oBAAoB,IAAI,SAAS;IACnFE,YAAY,EAAET,OAAO,EAAEU,SAAS,IAAIV,OAAO,EAAES,YAAY,IAAI,GAAG;IAChEE,WAAW,EAAEX,OAAO,EAAEY,QAAQ,IAAIZ,OAAO,EAAEW,WAAW,IAAI;EAC5D,CAAC;AACH;AAOO,MAAME,MAAM,GAAAC,OAAA,CAAAD,MAAA,GAAG;EACpBE,YAAYA,CAAA,EAAoB;IAC9B,OAAO,IAAAC,uBAAe,EAAC,CAAC,CAACD,YAAY,CAAC,CAAC;EACzC,CAAC;EAED;AACF;AACA;AACA;EACEE,kBAAkBA,CAChBC,eAAuB,EACvBlB,OAAmC,EACX;IACxB,MAAMmB,MAAM,GAAG,IAAAH,uBAAe,EAAC,CAAC;IAChC,MAAMI,aAAa,GAAGrB,qBAAqB,CAACC,OAAO,CAAC;IAEpD,IAAIA,OAAO,EAAEqB,eAAe,EAAE;MAC5B,OAAOF,MAAM,CAACG,YAAY,CAACJ,eAAe,EAAEE,aAAa,CAAC;IAC5D;IAEA,IAAI,OAAOD,MAAM,CAACF,kBAAkB,KAAK,UAAU,EAAE;MACnD,OAAOE,MAAM,CAACF,kBAAkB,CAACC,eAAe,EAAEE,aAAa,CAAC;IAClE;IAEA,OAAOD,MAAM,CAACG,YAAY,CAACJ,eAAe,EAAEE,aAAa,CAAC,CAACG,IAAI,CAAC,MAAMC,SAAS,CAAC;EAClF;AACF,CAAC","ignoreList":[]}
+{"version":3,"names":["_bridge","require","_cryptoOptions","Crypto","exports","getPublicKey","getNativeModule","establishSharedKey","serverPublicKey","options","native","nativeOptions","toNativeCryptoOptions","returnSharedKey","getSharedKey","then","undefined"],"sourceRoot":"../../../src","sources":["crypto/index.ts"],"mappings":";;;;;;AAAA,IAAAA,OAAA,GAAAC,OAAA;AACA,IAAAC,cAAA,GAAAD,OAAA;AAUO,MAAME,MAAM,GAAAC,OAAA,CAAAD,MAAA,GAAG;EACpBE,YAAYA,CAAA,EAAoB;IAC9B,OAAO,IAAAC,uBAAe,EAAC,CAAC,CAACD,YAAY,CAAC,CAAC;EACzC,CAAC;EAED;AACF;AACA;AACA;EACEE,kBAAkBA,CAChBC,eAAuB,EACvBC,OAAmC,EACX;IACxB,MAAMC,MAAM,GAAG,IAAAJ,uBAAe,EAAC,CAAC;IAChC,MAAMK,aAAa,GAAG,IAAAC,oCAAqB,EAACH,OAAO,CAAC;IAEpD,IAAIA,OAAO,EAAEI,eAAe,EAAE;MAC5B,OAAOH,MAAM,CAACI,YAAY,CAACN,eAAe,EAAEG,aAAa,CAAC;IAC5D;IAEA,IAAI,OAAOD,MAAM,CAACH,kBAAkB,KAAK,UAAU,EAAE;MACnD,OAAOG,MAAM,CAACH,kBAAkB,CAACC,eAAe,EAAEG,aAAa,CAAC;IAClE;IAEA,OAAOD,MAAM,CAACI,YAAY,CAACN,eAAe,EAAEG,aAAa,CAAC,CAACI,IAAI,CAAC,MAAMC,SAAS,CAAC;EAClF;AACF,CAAC","ignoreList":[]}

package/lib/commonjs/legacy/cryptoOptions.js

@@ -6,15 +6,24 @@ Object.defineProperty(exports, "__esModule", {
 exports.toNativeCryptoOptions = toNativeCryptoOptions;
 /** Shared crypto option types used by legacy exports and the Crypto namespace. */
 
+function requireCryptoOption(value, key) {
+  if (value === undefined || value === null || value === '') {
+    throw new Error(`Missing required crypto option: ${key}`);
+  }
+  return value;
+}
 function toNativeCryptoOptions(options) {
+  if (!options) {
+    throw new Error('Crypto options are required');
+  }
   return {
-    keyAgreementAlgorithm: options?.keyAgreementAlgorithm ?? 'X25519',
-    keyFactoryAlgorithm: options?.keyType ?? options?.keyFactoryAlgorithm ?? 'OKP',
-    encryptionKeyAlgorithm: options?.encryptionKeyAlgorithm ?? 'AES-256',
-    hmacKeyAlgorithm: options?.hmacAlgorithm ?? options?.hmacKeyAlgorithm ?? 'HMAC-SHA-512',
-    cipherTransformation: options?.cipher ?? options?.cipherTransformation ?? 'AES-GCM',
-    gcmTagLength: options?.tagLength ?? options?.gcmTagLength ?? 128,
-    gcmIvLength: options?.ivLength ?? options?.gcmIvLength ?? 12
+    keyAgreementAlgorithm: requireCryptoOption(options.keyAgreementAlgorithm, 'keyAgreementAlgorithm'),
+    keyFactoryAlgorithm: requireCryptoOption(options.keyType ?? options.keyFactoryAlgorithm, 'keyFactoryAlgorithm'),
+    encryptionKeyAlgorithm: requireCryptoOption(options.encryptionKeyAlgorithm, 'encryptionKeyAlgorithm'),
+    hmacKeyAlgorithm: requireCryptoOption(options.hmacAlgorithm ?? options.hmacKeyAlgorithm, 'hmacKeyAlgorithm'),
+    cipherTransformation: requireCryptoOption(options.cipher ?? options.cipherTransformation, 'cipherTransformation'),
+    gcmTagLength: requireCryptoOption(options.tagLength ?? options.gcmTagLength, 'gcmTagLength'),
+    gcmIvLength: requireCryptoOption(options.ivLength ?? options.gcmIvLength, 'gcmIvLength')
   };
 }
 //# sourceMappingURL=cryptoOptions.js.map

package/lib/commonjs/legacy/cryptoOptions.js.map

@@ -1 +1 @@
-{"version":3,"names":["toNativeCryptoOptions","options","keyAgreementAlgorithm","keyFactoryAlgorithm","keyType","encryptionKeyAlgorithm","hmacKeyAlgorithm","hmacAlgorithm","cipherTransformation","cipher","gcmTagLength","tagLength","gcmIvLength","ivLength"],"sourceRoot":"../../../src","sources":["legacy/cryptoOptions.ts"],"mappings":";;;;;;AAAA;;AAsCO,SAASA,qBAAqBA,CAACC,OAA8B,EAAE;EACpE,OAAO;IACLC,qBAAqB,EAAED,OAAO,EAAEC,qBAAqB,IAAI,QAAQ;IACjEC,mBAAmB,EAAEF,OAAO,EAAEG,OAAO,IAAIH,OAAO,EAAEE,mBAAmB,IAAI,KAAK;IAC9EE,sBAAsB,EAAEJ,OAAO,EAAEI,sBAAsB,IAAI,SAAS;IACpEC,gBAAgB,EAAEL,OAAO,EAAEM,aAAa,IAAIN,OAAO,EAAEK,gBAAgB,IAAI,cAAc;IACvFE,oBAAoB,EAAEP,OAAO,EAAEQ,MAAM,IAAIR,OAAO,EAAEO,oBAAoB,IAAI,SAAS;IACnFE,YAAY,EAAET,OAAO,EAAEU,SAAS,IAAIV,OAAO,EAAES,YAAY,IAAI,GAAG;IAChEE,WAAW,EAAEX,OAAO,EAAEY,QAAQ,IAAIZ,OAAO,EAAEW,WAAW,IAAI;EAC5D,CAAC;AACH","ignoreList":[]}
+{"version":3,"names":["requireCryptoOption","value","key","undefined","Error","toNativeCryptoOptions","options","keyAgreementAlgorithm","keyFactoryAlgorithm","keyType","encryptionKeyAlgorithm","hmacKeyAlgorithm","hmacAlgorithm","cipherTransformation","cipher","gcmTagLength","tagLength","gcmIvLength","ivLength"],"sourceRoot":"../../../src","sources":["legacy/cryptoOptions.ts"],"mappings":";;;;;;AAAA;;AAsCA,SAASA,mBAAmBA,CAC1BC,KAA2B,EAC3BC,GAAW,EACR;EACH,IAAID,KAAK,KAAKE,SAAS,IAAIF,KAAK,KAAK,IAAI,IAAIA,KAAK,KAAK,EAAE,EAAE;IACzD,MAAM,IAAIG,KAAK,CAAC,mCAAmCF,GAAG,EAAE,CAAC;EAC3D;EACA,OAAOD,KAAK;AACd;AAEO,SAASI,qBAAqBA,CAACC,OAA8B,EAAE;EACpE,IAAI,CAACA,OAAO,EAAE;IACZ,MAAM,IAAIF,KAAK,CAAC,6BAA6B,CAAC;EAChD;EAEA,OAAO;IACLG,qBAAqB,EAAEP,mBAAmB,CACxCM,OAAO,CAACC,qBAAqB,EAC7B,uBACF,CAAC;IACDC,mBAAmB,EAAER,mBAAmB,CACtCM,OAAO,CAACG,OAAO,IAAIH,OAAO,CAACE,mBAAmB,EAC9C,qBACF,CAAC;IACDE,sBAAsB,EAAEV,mBAAmB,CACzCM,OAAO,CAACI,sBAAsB,EAC9B,wBACF,CAAC;IACDC,gBAAgB,EAAEX,mBAAmB,CACnCM,OAAO,CAACM,aAAa,IAAIN,OAAO,CAACK,gBAAgB,EACjD,kBACF,CAAC;IACDE,oBAAoB,EAAEb,mBAAmB,CACvCM,OAAO,CAACQ,MAAM,IAAIR,OAAO,CAACO,oBAAoB,EAC9C,sBACF,CAAC;IACDE,YAAY,EAAEf,mBAAmB,CAC/BM,OAAO,CAACU,SAAS,IAAIV,OAAO,CAACS,YAAY,EACzC,cACF,CAAC;IACDE,WAAW,EAAEjB,mBAAmB,CAC9BM,OAAO,CAACY,QAAQ,IAAIZ,OAAO,CAACW,WAAW,EACvC,aACF;EACF,CAAC;AACH","ignoreList":[]}

package/lib/module/crypto/index.js

@@ -1,17 +1,7 @@
 "use strict";
 
 import { getNativeModule } from "../native/bridge.js";
-function toNativeCryptoOptions(options) {
-  return {
-    keyAgreementAlgorithm: options?.keyAgreementAlgorithm ?? 'X25519',
-    keyFactoryAlgorithm: options?.keyType ?? options?.keyFactoryAlgorithm ?? 'OKP',
-    encryptionKeyAlgorithm: options?.encryptionKeyAlgorithm ?? 'AES-256',
-    hmacKeyAlgorithm: options?.hmacAlgorithm ?? options?.hmacKeyAlgorithm ?? 'HMAC-SHA-512',
-    cipherTransformation: options?.cipher ?? options?.cipherTransformation ?? 'AES-GCM',
-    gcmTagLength: options?.tagLength ?? options?.gcmTagLength ?? 128,
-    gcmIvLength: options?.ivLength ?? options?.gcmIvLength ?? 12
-  };
-}
+import { toNativeCryptoOptions } from "../legacy/cryptoOptions.js";
 export const Crypto = {
   getPublicKey() {
     return getNativeModule().getPublicKey();

package/lib/module/crypto/index.js.map

@@ -1 +1 @@
-{"version":3,"names":["getNativeModule","toNativeCryptoOptions","options","keyAgreementAlgorithm","keyFactoryAlgorithm","keyType","encryptionKeyAlgorithm","hmacKeyAlgorithm","hmacAlgorithm","cipherTransformation","cipher","gcmTagLength","tagLength","gcmIvLength","ivLength","Crypto","getPublicKey","establishSharedKey","serverPublicKey","native","nativeOptions","returnSharedKey","getSharedKey","then","undefined"],"sourceRoot":"../../../src","sources":["crypto/index.ts"],"mappings":";;AAAA,SAASA,eAAe,QAAQ,qBAAkB;AAGlD,SAASC,qBAAqBA,CAACC,OAA8B,EAAE;EAC7D,OAAO;IACLC,qBAAqB,EAAED,OAAO,EAAEC,qBAAqB,IAAI,QAAQ;IACjEC,mBAAmB,EAAEF,OAAO,EAAEG,OAAO,IAAIH,OAAO,EAAEE,mBAAmB,IAAI,KAAK;IAC9EE,sBAAsB,EAAEJ,OAAO,EAAEI,sBAAsB,IAAI,SAAS;IACpEC,gBAAgB,EAAEL,OAAO,EAAEM,aAAa,IAAIN,OAAO,EAAEK,gBAAgB,IAAI,cAAc;IACvFE,oBAAoB,EAAEP,OAAO,EAAEQ,MAAM,IAAIR,OAAO,EAAEO,oBAAoB,IAAI,SAAS;IACnFE,YAAY,EAAET,OAAO,EAAEU,SAAS,IAAIV,OAAO,EAAES,YAAY,IAAI,GAAG;IAChEE,WAAW,EAAEX,OAAO,EAAEY,QAAQ,IAAIZ,OAAO,EAAEW,WAAW,IAAI;EAC5D,CAAC;AACH;AAOA,OAAO,MAAME,MAAM,GAAG;EACpBC,YAAYA,CAAA,EAAoB;IAC9B,OAAOhB,eAAe,CAAC,CAAC,CAACgB,YAAY,CAAC,CAAC;EACzC,CAAC;EAED;AACF;AACA;AACA;EACEC,kBAAkBA,CAChBC,eAAuB,EACvBhB,OAAmC,EACX;IACxB,MAAMiB,MAAM,GAAGnB,eAAe,CAAC,CAAC;IAChC,MAAMoB,aAAa,GAAGnB,qBAAqB,CAACC,OAAO,CAAC;IAEpD,IAAIA,OAAO,EAAEmB,eAAe,EAAE;MAC5B,OAAOF,MAAM,CAACG,YAAY,CAACJ,eAAe,EAAEE,aAAa,CAAC;IAC5D;IAEA,IAAI,OAAOD,MAAM,CAACF,kBAAkB,KAAK,UAAU,EAAE;MACnD,OAAOE,MAAM,CAACF,kBAAkB,CAACC,eAAe,EAAEE,aAAa,CAAC;IAClE;IAEA,OAAOD,MAAM,CAACG,YAAY,CAACJ,eAAe,EAAEE,aAAa,CAAC,CAACG,IAAI,CAAC,MAAMC,SAAS,CAAC;EAClF;AACF,CAAC","ignoreList":[]}
+{"version":3,"names":["getNativeModule","toNativeCryptoOptions","Crypto","getPublicKey","establishSharedKey","serverPublicKey","options","native","nativeOptions","returnSharedKey","getSharedKey","then","undefined"],"sourceRoot":"../../../src","sources":["crypto/index.ts"],"mappings":";;AAAA,SAASA,eAAe,QAAQ,qBAAkB;AAClD,SACEC,qBAAqB,QAEhB,4BAAyB;AAOhC,OAAO,MAAMC,MAAM,GAAG;EACpBC,YAAYA,CAAA,EAAoB;IAC9B,OAAOH,eAAe,CAAC,CAAC,CAACG,YAAY,CAAC,CAAC;EACzC,CAAC;EAED;AACF;AACA;AACA;EACEC,kBAAkBA,CAChBC,eAAuB,EACvBC,OAAmC,EACX;IACxB,MAAMC,MAAM,GAAGP,eAAe,CAAC,CAAC;IAChC,MAAMQ,aAAa,GAAGP,qBAAqB,CAACK,OAAO,CAAC;IAEpD,IAAIA,OAAO,EAAEG,eAAe,EAAE;MAC5B,OAAOF,MAAM,CAACG,YAAY,CAACL,eAAe,EAAEG,aAAa,CAAC;IAC5D;IAEA,IAAI,OAAOD,MAAM,CAACH,kBAAkB,KAAK,UAAU,EAAE;MACnD,OAAOG,MAAM,CAACH,kBAAkB,CAACC,eAAe,EAAEG,aAAa,CAAC;IAClE;IAEA,OAAOD,MAAM,CAACG,YAAY,CAACL,eAAe,EAAEG,aAAa,CAAC,CAACG,IAAI,CAAC,MAAMC,SAAS,CAAC;EAClF;AACF,CAAC","ignoreList":[]}

package/lib/module/legacy/cryptoOptions.js

@@ -2,15 +2,24 @@
 
 /** Shared crypto option types used by legacy exports and the Crypto namespace. */
 
+function requireCryptoOption(value, key) {
+  if (value === undefined || value === null || value === '') {
+    throw new Error(`Missing required crypto option: ${key}`);
+  }
+  return value;
+}
 export function toNativeCryptoOptions(options) {
+  if (!options) {
+    throw new Error('Crypto options are required');
+  }
   return {
-    keyAgreementAlgorithm: options?.keyAgreementAlgorithm ?? 'X25519',
-    keyFactoryAlgorithm: options?.keyType ?? options?.keyFactoryAlgorithm ?? 'OKP',
-    encryptionKeyAlgorithm: options?.encryptionKeyAlgorithm ?? 'AES-256',
-    hmacKeyAlgorithm: options?.hmacAlgorithm ?? options?.hmacKeyAlgorithm ?? 'HMAC-SHA-512',
-    cipherTransformation: options?.cipher ?? options?.cipherTransformation ?? 'AES-GCM',
-    gcmTagLength: options?.tagLength ?? options?.gcmTagLength ?? 128,
-    gcmIvLength: options?.ivLength ?? options?.gcmIvLength ?? 12
+    keyAgreementAlgorithm: requireCryptoOption(options.keyAgreementAlgorithm, 'keyAgreementAlgorithm'),
+    keyFactoryAlgorithm: requireCryptoOption(options.keyType ?? options.keyFactoryAlgorithm, 'keyFactoryAlgorithm'),
+    encryptionKeyAlgorithm: requireCryptoOption(options.encryptionKeyAlgorithm, 'encryptionKeyAlgorithm'),
+    hmacKeyAlgorithm: requireCryptoOption(options.hmacAlgorithm ?? options.hmacKeyAlgorithm, 'hmacKeyAlgorithm'),
+    cipherTransformation: requireCryptoOption(options.cipher ?? options.cipherTransformation, 'cipherTransformation'),
+    gcmTagLength: requireCryptoOption(options.tagLength ?? options.gcmTagLength, 'gcmTagLength'),
+    gcmIvLength: requireCryptoOption(options.ivLength ?? options.gcmIvLength, 'gcmIvLength')
   };
 }
 //# sourceMappingURL=cryptoOptions.js.map

package/lib/module/legacy/cryptoOptions.js.map

@@ -1 +1 @@
-{"version":3,"names":["toNativeCryptoOptions","options","keyAgreementAlgorithm","keyFactoryAlgorithm","keyType","encryptionKeyAlgorithm","hmacKeyAlgorithm","hmacAlgorithm","cipherTransformation","cipher","gcmTagLength","tagLength","gcmIvLength","ivLength"],"sourceRoot":"../../../src","sources":["legacy/cryptoOptions.ts"],"mappings":";;AAAA;;AAsCA,OAAO,SAASA,qBAAqBA,CAACC,OAA8B,EAAE;EACpE,OAAO;IACLC,qBAAqB,EAAED,OAAO,EAAEC,qBAAqB,IAAI,QAAQ;IACjEC,mBAAmB,EAAEF,OAAO,EAAEG,OAAO,IAAIH,OAAO,EAAEE,mBAAmB,IAAI,KAAK;IAC9EE,sBAAsB,EAAEJ,OAAO,EAAEI,sBAAsB,IAAI,SAAS;IACpEC,gBAAgB,EAAEL,OAAO,EAAEM,aAAa,IAAIN,OAAO,EAAEK,gBAAgB,IAAI,cAAc;IACvFE,oBAAoB,EAAEP,OAAO,EAAEQ,MAAM,IAAIR,OAAO,EAAEO,oBAAoB,IAAI,SAAS;IACnFE,YAAY,EAAET,OAAO,EAAEU,SAAS,IAAIV,OAAO,EAAES,YAAY,IAAI,GAAG;IAChEE,WAAW,EAAEX,OAAO,EAAEY,QAAQ,IAAIZ,OAAO,EAAEW,WAAW,IAAI;EAC5D,CAAC;AACH","ignoreList":[]}
+{"version":3,"names":["requireCryptoOption","value","key","undefined","Error","toNativeCryptoOptions","options","keyAgreementAlgorithm","keyFactoryAlgorithm","keyType","encryptionKeyAlgorithm","hmacKeyAlgorithm","hmacAlgorithm","cipherTransformation","cipher","gcmTagLength","tagLength","gcmIvLength","ivLength"],"sourceRoot":"../../../src","sources":["legacy/cryptoOptions.ts"],"mappings":";;AAAA;;AAsCA,SAASA,mBAAmBA,CAC1BC,KAA2B,EAC3BC,GAAW,EACR;EACH,IAAID,KAAK,KAAKE,SAAS,IAAIF,KAAK,KAAK,IAAI,IAAIA,KAAK,KAAK,EAAE,EAAE;IACzD,MAAM,IAAIG,KAAK,CAAC,mCAAmCF,GAAG,EAAE,CAAC;EAC3D;EACA,OAAOD,KAAK;AACd;AAEA,OAAO,SAASI,qBAAqBA,CAACC,OAA8B,EAAE;EACpE,IAAI,CAACA,OAAO,EAAE;IACZ,MAAM,IAAIF,KAAK,CAAC,6BAA6B,CAAC;EAChD;EAEA,OAAO;IACLG,qBAAqB,EAAEP,mBAAmB,CACxCM,OAAO,CAACC,qBAAqB,EAC7B,uBACF,CAAC;IACDC,mBAAmB,EAAER,mBAAmB,CACtCM,OAAO,CAACG,OAAO,IAAIH,OAAO,CAACE,mBAAmB,EAC9C,qBACF,CAAC;IACDE,sBAAsB,EAAEV,mBAAmB,CACzCM,OAAO,CAACI,sBAAsB,EAC9B,wBACF,CAAC;IACDC,gBAAgB,EAAEX,mBAAmB,CACnCM,OAAO,CAACM,aAAa,IAAIN,OAAO,CAACK,gBAAgB,EACjD,kBACF,CAAC;IACDE,oBAAoB,EAAEb,mBAAmB,CACvCM,OAAO,CAACQ,MAAM,IAAIR,OAAO,CAACO,oBAAoB,EAC9C,sBACF,CAAC;IACDE,YAAY,EAAEf,mBAAmB,CAC/BM,OAAO,CAACU,SAAS,IAAIV,OAAO,CAACS,YAAY,EACzC,cACF,CAAC;IACDE,WAAW,EAAEjB,mBAAmB,CAC9BM,OAAO,CAACY,QAAQ,IAAIZ,OAAO,CAACW,WAAW,EACvC,aACF;EACF,CAAC;AACH","ignoreList":[]}

package/lib/typescript/commonjs/src/crypto/index.d.ts

@@ -1,4 +1,4 @@
-import type { CryptoOptions } from '../legacy/cryptoOptions';
+import { type CryptoOptions } from '../legacy/cryptoOptions';
 export interface EstablishSharedKeyOptions extends CryptoOptions {
     /** @deprecated Prefer native-only flow; set true only for legacy compatibility. */
     returnSharedKey?: boolean;

package/lib/typescript/commonjs/src/crypto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/crypto/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAc7D,MAAM,WAAW,yBAA0B,SAAQ,aAAa;IAC9D,mFAAmF;IACnF,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,eAAO,MAAM,MAAM;oBACD,OAAO,CAAC,MAAM,CAAC;IAI/B;;;OAGG;wCAEgB,MAAM,YACb,yBAAyB,GAClC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;CAc1B,CAAC;AAEF,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/crypto/index.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,KAAK,aAAa,EACnB,MAAM,yBAAyB,CAAC;AAEjC,MAAM,WAAW,yBAA0B,SAAQ,aAAa;IAC9D,mFAAmF;IACnF,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,eAAO,MAAM,MAAM;oBACD,OAAO,CAAC,MAAM,CAAC;IAI/B;;;OAGG;wCAEgB,MAAM,YACb,yBAAyB,GAClC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;CAc1B,CAAC;AAEF,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC"}

package/lib/typescript/commonjs/src/legacy/cryptoOptions.d.ts

@@ -5,9 +5,9 @@ export type EncryptionKeyAlgorithm = 'AES-256' | 'AES' | (string & {});
 export type HmacAlgorithm = 'HMAC-SHA-256' | 'HMAC-SHA-384' | 'HMAC-SHA-512' | 'HmacSHA256' | 'HmacSHA384' | 'HmacSHA512' | (string & {});
 export type CipherAlgorithm = 'AES-GCM' | 'AES/GCM/NoPadding' | (string & {});
 export interface CryptoOptions {
-    keyAgreementAlgorithm?: KeyAgreementAlgorithm;
+    keyAgreementAlgorithm: KeyAgreementAlgorithm;
+    encryptionKeyAlgorithm: EncryptionKeyAlgorithm;
     keyType?: KeyType;
-    encryptionKeyAlgorithm?: EncryptionKeyAlgorithm;
     hmacAlgorithm?: HmacAlgorithm;
     cipher?: CipherAlgorithm;
     tagLength?: number;
@@ -24,11 +24,11 @@ export interface CryptoOptions {
     gcmIvLength?: number;
 }
 export declare function toNativeCryptoOptions(options?: CryptoOptions | null): {
-    keyAgreementAlgorithm: KeyAgreementAlgorithm;
-    keyFactoryAlgorithm: KeyType;
-    encryptionKeyAlgorithm: EncryptionKeyAlgorithm;
-    hmacKeyAlgorithm: HmacAlgorithm;
-    cipherTransformation: CipherAlgorithm;
+    keyAgreementAlgorithm: "X25519" | (string & {}) | "ECDH";
+    keyFactoryAlgorithm: (string & {}) | "OKP" | "EC";
+    encryptionKeyAlgorithm: (string & {}) | "AES-256" | "AES";
+    hmacKeyAlgorithm: (string & {}) | "HMAC-SHA-256" | "HMAC-SHA-384" | "HMAC-SHA-512" | "HmacSHA256" | "HmacSHA384" | "HmacSHA512";
+    cipherTransformation: (string & {}) | "AES-GCM" | "AES/GCM/NoPadding";
     gcmTagLength: number;
     gcmIvLength: number;
 };

package/lib/typescript/commonjs/src/legacy/cryptoOptions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cryptoOptions.d.ts","sourceRoot":"","sources":["../../../../../src/legacy/cryptoOptions.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEtE,MAAM,MAAM,OAAO,GAAG,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEnD,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,KAAK,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEvE,MAAM,MAAM,aAAa,GACrB,cAAc,GACd,cAAc,GACd,cAAc,GACd,YAAY,GACZ,YAAY,GACZ,YAAY,GACZ,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,mBAAmB,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAE9E,MAAM,WAAW,aAAa;IAC5B,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;IAC9C,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,sBAAsB,CAAC,EAAE,sBAAsB,CAAC;IAChD,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,aAAa,CAAC;IACjC,wCAAwC;IACxC,oBAAoB,CAAC,EAAE,eAAe,CAAC;IACvC,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,wBAAgB,qBAAqB,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,IAAI;;;;;;;;EAUnE"}
+{"version":3,"file":"cryptoOptions.d.ts","sourceRoot":"","sources":["../../../../../src/legacy/cryptoOptions.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEtE,MAAM,MAAM,OAAO,GAAG,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEnD,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,KAAK,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEvE,MAAM,MAAM,aAAa,GACrB,cAAc,GACd,cAAc,GACd,cAAc,GACd,YAAY,GACZ,YAAY,GACZ,YAAY,GACZ,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,mBAAmB,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAE9E,MAAM,WAAW,aAAa;IAC5B,qBAAqB,EAAE,qBAAqB,CAAC;IAC7C,sBAAsB,EAAE,sBAAsB,CAAC;IAC/C,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,aAAa,CAAC;IACjC,wCAAwC;IACxC,oBAAoB,CAAC,EAAE,eAAe,CAAC;IACvC,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAYD,wBAAgB,qBAAqB,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,IAAI;;;;;;;;EAmCnE"}

package/lib/typescript/module/src/crypto/index.d.ts

@@ -1,4 +1,4 @@
-import type { CryptoOptions } from '../legacy/cryptoOptions';
+import { type CryptoOptions } from '../legacy/cryptoOptions';
 export interface EstablishSharedKeyOptions extends CryptoOptions {
     /** @deprecated Prefer native-only flow; set true only for legacy compatibility. */
     returnSharedKey?: boolean;

package/lib/typescript/module/src/crypto/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/crypto/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC;AAc7D,MAAM,WAAW,yBAA0B,SAAQ,aAAa;IAC9D,mFAAmF;IACnF,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,eAAO,MAAM,MAAM;oBACD,OAAO,CAAC,MAAM,CAAC;IAI/B;;;OAGG;wCAEgB,MAAM,YACb,yBAAyB,GAClC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;CAc1B,CAAC;AAEF,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../src/crypto/index.ts"],"names":[],"mappings":"AACA,OAAO,EAEL,KAAK,aAAa,EACnB,MAAM,yBAAyB,CAAC;AAEjC,MAAM,WAAW,yBAA0B,SAAQ,aAAa;IAC9D,mFAAmF;IACnF,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,eAAO,MAAM,MAAM;oBACD,OAAO,CAAC,MAAM,CAAC;IAI/B;;;OAGG;wCAEgB,MAAM,YACb,yBAAyB,GAClC,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;CAc1B,CAAC;AAEF,YAAY,EAAE,aAAa,EAAE,MAAM,yBAAyB,CAAC"}

package/lib/typescript/module/src/legacy/cryptoOptions.d.ts

@@ -5,9 +5,9 @@ export type EncryptionKeyAlgorithm = 'AES-256' | 'AES' | (string & {});
 export type HmacAlgorithm = 'HMAC-SHA-256' | 'HMAC-SHA-384' | 'HMAC-SHA-512' | 'HmacSHA256' | 'HmacSHA384' | 'HmacSHA512' | (string & {});
 export type CipherAlgorithm = 'AES-GCM' | 'AES/GCM/NoPadding' | (string & {});
 export interface CryptoOptions {
-    keyAgreementAlgorithm?: KeyAgreementAlgorithm;
+    keyAgreementAlgorithm: KeyAgreementAlgorithm;
+    encryptionKeyAlgorithm: EncryptionKeyAlgorithm;
     keyType?: KeyType;
-    encryptionKeyAlgorithm?: EncryptionKeyAlgorithm;
     hmacAlgorithm?: HmacAlgorithm;
     cipher?: CipherAlgorithm;
     tagLength?: number;
@@ -24,11 +24,11 @@ export interface CryptoOptions {
     gcmIvLength?: number;
 }
 export declare function toNativeCryptoOptions(options?: CryptoOptions | null): {
-    keyAgreementAlgorithm: KeyAgreementAlgorithm;
-    keyFactoryAlgorithm: KeyType;
-    encryptionKeyAlgorithm: EncryptionKeyAlgorithm;
-    hmacKeyAlgorithm: HmacAlgorithm;
-    cipherTransformation: CipherAlgorithm;
+    keyAgreementAlgorithm: "X25519" | (string & {}) | "ECDH";
+    keyFactoryAlgorithm: (string & {}) | "OKP" | "EC";
+    encryptionKeyAlgorithm: (string & {}) | "AES-256" | "AES";
+    hmacKeyAlgorithm: (string & {}) | "HMAC-SHA-256" | "HMAC-SHA-384" | "HMAC-SHA-512" | "HmacSHA256" | "HmacSHA384" | "HmacSHA512";
+    cipherTransformation: (string & {}) | "AES-GCM" | "AES/GCM/NoPadding";
     gcmTagLength: number;
     gcmIvLength: number;
 };

package/lib/typescript/module/src/legacy/cryptoOptions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cryptoOptions.d.ts","sourceRoot":"","sources":["../../../../../src/legacy/cryptoOptions.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEtE,MAAM,MAAM,OAAO,GAAG,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEnD,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,KAAK,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEvE,MAAM,MAAM,aAAa,GACrB,cAAc,GACd,cAAc,GACd,cAAc,GACd,YAAY,GACZ,YAAY,GACZ,YAAY,GACZ,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,mBAAmB,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAE9E,MAAM,WAAW,aAAa;IAC5B,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;IAC9C,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,sBAAsB,CAAC,EAAE,sBAAsB,CAAC;IAChD,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,aAAa,CAAC;IACjC,wCAAwC;IACxC,oBAAoB,CAAC,EAAE,eAAe,CAAC;IACvC,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,wBAAgB,qBAAqB,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,IAAI;;;;;;;;EAUnE"}
+{"version":3,"file":"cryptoOptions.d.ts","sourceRoot":"","sources":["../../../../../src/legacy/cryptoOptions.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAClF,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,MAAM,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEtE,MAAM,MAAM,OAAO,GAAG,KAAK,GAAG,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEnD,MAAM,MAAM,sBAAsB,GAAG,SAAS,GAAG,KAAK,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAEvE,MAAM,MAAM,aAAa,GACrB,cAAc,GACd,cAAc,GACd,cAAc,GACd,YAAY,GACZ,YAAY,GACZ,YAAY,GACZ,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAElB,MAAM,MAAM,eAAe,GAAG,SAAS,GAAG,mBAAmB,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;AAE9E,MAAM,WAAW,aAAa;IAC5B,qBAAqB,EAAE,qBAAqB,CAAC;IAC7C,sBAAsB,EAAE,sBAAsB,CAAC;IAC/C,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,aAAa,CAAC,EAAE,aAAa,CAAC;IAC9B,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,aAAa,CAAC;IACjC,wCAAwC;IACxC,oBAAoB,CAAC,EAAE,eAAe,CAAC;IACvC,2CAA2C;IAC3C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,0CAA0C;IAC1C,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAYD,wBAAgB,qBAAqB,CAAC,OAAO,CAAC,EAAE,aAAa,GAAG,IAAI;;;;;;;;EAmCnE"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "react-native-security-suite",
-  "version": "1.0.0-rc.1",
+  "version": "1.0.0-rc.2",
   "description": "Comprehensive security suite for React Native apps - Root/Jailbreak detection, SSL pinning, encryption, secure storage, screenshot protection, and network monitoring",
   "source": "./src/index.tsx",
   "main": "./lib/commonjs/index.js",

package/src/crypto/index.ts

@@ -1,17 +1,8 @@
 import { getNativeModule } from '../native/bridge';
-import type { CryptoOptions } from '../legacy/cryptoOptions';
-
-function toNativeCryptoOptions(options?: CryptoOptions | null) {
-  return {
-    keyAgreementAlgorithm: options?.keyAgreementAlgorithm ?? 'X25519',
-    keyFactoryAlgorithm: options?.keyType ?? options?.keyFactoryAlgorithm ?? 'OKP',
-    encryptionKeyAlgorithm: options?.encryptionKeyAlgorithm ?? 'AES-256',
-    hmacKeyAlgorithm: options?.hmacAlgorithm ?? options?.hmacKeyAlgorithm ?? 'HMAC-SHA-512',
-    cipherTransformation: options?.cipher ?? options?.cipherTransformation ?? 'AES-GCM',
-    gcmTagLength: options?.tagLength ?? options?.gcmTagLength ?? 128,
-    gcmIvLength: options?.ivLength ?? options?.gcmIvLength ?? 12,
-  };
-}
+import {
+  toNativeCryptoOptions,
+  type CryptoOptions,
+} from '../legacy/cryptoOptions';
 
 export interface EstablishSharedKeyOptions extends CryptoOptions {
   /** @deprecated Prefer native-only flow; set true only for legacy compatibility. */

package/src/legacy/cryptoOptions.ts

@@ -17,9 +17,9 @@ export type HmacAlgorithm =
 export type CipherAlgorithm = 'AES-GCM' | 'AES/GCM/NoPadding' | (string & {});
 
 export interface CryptoOptions {
-  keyAgreementAlgorithm?: KeyAgreementAlgorithm;
+  keyAgreementAlgorithm: KeyAgreementAlgorithm;
+  encryptionKeyAlgorithm: EncryptionKeyAlgorithm;
   keyType?: KeyType;
-  encryptionKeyAlgorithm?: EncryptionKeyAlgorithm;
   hmacAlgorithm?: HmacAlgorithm;
   cipher?: CipherAlgorithm;
   tagLength?: number;
@@ -36,14 +36,49 @@ export interface CryptoOptions {
   gcmIvLength?: number;
 }
 
+function requireCryptoOption<T>(
+  value: T | undefined | null,
+  key: string
+): T {
+  if (value === undefined || value === null || value === '') {
+    throw new Error(`Missing required crypto option: ${key}`);
+  }
+  return value;
+}
+
 export function toNativeCryptoOptions(options?: CryptoOptions | null) {
+  if (!options) {
+    throw new Error('Crypto options are required');
+  }
+
   return {
-    keyAgreementAlgorithm: options?.keyAgreementAlgorithm ?? 'X25519',
-    keyFactoryAlgorithm: options?.keyType ?? options?.keyFactoryAlgorithm ?? 'OKP',
-    encryptionKeyAlgorithm: options?.encryptionKeyAlgorithm ?? 'AES-256',
-    hmacKeyAlgorithm: options?.hmacAlgorithm ?? options?.hmacKeyAlgorithm ?? 'HMAC-SHA-512',
-    cipherTransformation: options?.cipher ?? options?.cipherTransformation ?? 'AES-GCM',
-    gcmTagLength: options?.tagLength ?? options?.gcmTagLength ?? 128,
-    gcmIvLength: options?.ivLength ?? options?.gcmIvLength ?? 12,
+    keyAgreementAlgorithm: requireCryptoOption(
+      options.keyAgreementAlgorithm,
+      'keyAgreementAlgorithm'
+    ),
+    keyFactoryAlgorithm: requireCryptoOption(
+      options.keyType ?? options.keyFactoryAlgorithm,
+      'keyFactoryAlgorithm'
+    ),
+    encryptionKeyAlgorithm: requireCryptoOption(
+      options.encryptionKeyAlgorithm,
+      'encryptionKeyAlgorithm'
+    ),
+    hmacKeyAlgorithm: requireCryptoOption(
+      options.hmacAlgorithm ?? options.hmacKeyAlgorithm,
+      'hmacKeyAlgorithm'
+    ),
+    cipherTransformation: requireCryptoOption(
+      options.cipher ?? options.cipherTransformation,
+      'cipherTransformation'
+    ),
+    gcmTagLength: requireCryptoOption(
+      options.tagLength ?? options.gcmTagLength,
+      'gcmTagLength'
+    ),
+    gcmIvLength: requireCryptoOption(
+      options.ivLength ?? options.gcmIvLength,
+      'gcmIvLength'
+    ),
   };
 }