sello 0.1.1 → 0.1.3

package/dist/hpke/base.js

@@ -0,0 +1,349 @@
+import {
+  createCipheriv,
+  createDecipheriv,
+  createHmac,
+  createPrivateKey,
+  createPublicKey,
+  diffieHellman,
+  generateKeyPairSync,
+} from "node:crypto";
+
+import { concat } from "../cbor.js";
+
+                           
+                        
+                         
+  
+
+                             
+                        
+                  
+                   
+                                 
+                                   
+  
+
+                             
+                      
+                  
+                   
+                                  
+  
+
+const KEM_ID_DHKEM_X25519_HKDF_SHA256 = 0x0020;
+const KDF_ID_HKDF_SHA256 = 0x0001;
+const AEAD_ID_CHACHA20_POLY1305 = 0x0003;
+
+const X25519_KEY_LENGTH = 32;
+const HKDF_SHA256_LENGTH = 32;
+const CHACHA20_POLY1305_KEY_LENGTH = 32;
+const CHACHA20_POLY1305_NONCE_LENGTH = 12;
+const CHACHA20_POLY1305_TAG_LENGTH = 16;
+
+const X25519_PUBLIC_KEY_SPKI_PREFIX = hex("302a300506032b656e032100");
+const X25519_PRIVATE_KEY_PKCS8_PREFIX = hex("302e020100300506032b656e04220420");
+const EMPTY = new Uint8Array();
+const HPKE_VERSION = ascii("HPKE-v1");
+const KEM_SUITE_ID = concat([
+  ascii("KEM"),
+  i2osp(KEM_ID_DHKEM_X25519_HKDF_SHA256, 2),
+]);
+const HPKE_SUITE_ID = concat([
+  ascii("HPKE"),
+  i2osp(KEM_ID_DHKEM_X25519_HKDF_SHA256, 2),
+  i2osp(KDF_ID_HKDF_SHA256, 2),
+  i2osp(AEAD_ID_CHACHA20_POLY1305, 2),
+]);
+
+export function generateHpkeKeyPair()              {
+  const { publicKey, privateKey } = generateKeyPairSync("x25519");
+
+  return {
+    publicKey: exportRawX25519PublicKey(publicKey),
+    privateKey: exportRawX25519PrivateKey(privateKey),
+  };
+}
+
+export function sealHpkeBase(input               )             {
+  assertBytes(input.plaintext, "plaintext");
+  assertBytes(input.aad, "aad");
+  assertBytes(input.info, "info");
+  assertByteLength(input.recipientPublicKey, X25519_KEY_LENGTH, "recipientPublicKey");
+
+  const ephemeralPrivateKey = input.ephemeralPrivateKey ?? generateHpkeKeyPair().privateKey;
+  assertByteLength(ephemeralPrivateKey, X25519_KEY_LENGTH, "ephemeralPrivateKey");
+
+  const enc = publicKeyFromPrivateKey(ephemeralPrivateKey);
+  const sharedSecret = encap(ephemeralPrivateKey, input.recipientPublicKey, enc);
+  const context = keySchedule(sharedSecret, input.info);
+  const ciphertext = aeadSeal(context.key, context.baseNonce, input.aad, input.plaintext);
+
+  return concat([enc, ciphertext]);
+}
+
+export function openHpkeBase(input               )             {
+  assertBytes(input.payload, "payload");
+  assertBytes(input.aad, "aad");
+  assertBytes(input.info, "info");
+  assertByteLength(input.recipientPrivateKey, X25519_KEY_LENGTH, "recipientPrivateKey");
+
+  if (input.payload.byteLength < X25519_KEY_LENGTH + CHACHA20_POLY1305_TAG_LENGTH) {
+    throw new TypeError("HPKE payload is too short");
+  }
+
+  const enc = input.payload.subarray(0, X25519_KEY_LENGTH);
+  const ciphertext = input.payload.subarray(X25519_KEY_LENGTH);
+  const recipientPublicKey = publicKeyFromPrivateKey(input.recipientPrivateKey);
+  const sharedSecret = decap(enc, input.recipientPrivateKey, recipientPublicKey);
+  const context = keySchedule(sharedSecret, input.info);
+
+  return aeadOpen(context.key, context.baseNonce, input.aad, ciphertext);
+}
+
+function encap(
+  ephemeralPrivateKey            ,
+  recipientPublicKey            ,
+  enc            ,
+)             {
+  const dh = x25519(ephemeralPrivateKey, recipientPublicKey);
+  return extractAndExpand(dh, concat([enc, recipientPublicKey]));
+}
+
+function decap(
+  enc            ,
+  recipientPrivateKey            ,
+  recipientPublicKey            ,
+)             {
+  const dh = x25519(recipientPrivateKey, enc);
+  return extractAndExpand(dh, concat([enc, recipientPublicKey]));
+}
+
+function extractAndExpand(dh            , kemContext            )             {
+  const eaePrk = labeledExtract(KEM_SUITE_ID, EMPTY, "eae_prk", dh);
+  return labeledExpand(
+    KEM_SUITE_ID,
+    eaePrk,
+    "shared_secret",
+    kemContext,
+    HKDF_SHA256_LENGTH,
+  );
+}
+
+function keySchedule(
+  sharedSecret            ,
+  info            ,
+)                                             {
+  const pskIdHash = labeledExtract(
+    HPKE_SUITE_ID,
+    EMPTY,
+    "psk_id_hash",
+    EMPTY,
+  );
+  const infoHash = labeledExtract(HPKE_SUITE_ID, EMPTY, "info_hash", info);
+  const keyScheduleContext = concat([Uint8Array.of(0), pskIdHash, infoHash]);
+  const secret = labeledExtract(HPKE_SUITE_ID, sharedSecret, "secret", EMPTY);
+
+  return {
+    key: labeledExpand(
+      HPKE_SUITE_ID,
+      secret,
+      "key",
+      keyScheduleContext,
+      CHACHA20_POLY1305_KEY_LENGTH,
+    ),
+    baseNonce: labeledExpand(
+      HPKE_SUITE_ID,
+      secret,
+      "base_nonce",
+      keyScheduleContext,
+      CHACHA20_POLY1305_NONCE_LENGTH,
+    ),
+  };
+}
+
+function labeledExtract(
+  suiteId            ,
+  salt            ,
+  label        ,
+  ikm            ,
+)             {
+  return hkdfExtract(
+    salt,
+    concat([HPKE_VERSION, suiteId, ascii(label), ikm]),
+  );
+}
+
+function labeledExpand(
+  suiteId            ,
+  prk            ,
+  label        ,
+  info            ,
+  length        ,
+)             {
+  return hkdfExpand(
+    prk,
+    concat([i2osp(length, 2), HPKE_VERSION, suiteId, ascii(label), info]),
+    length,
+  );
+}
+
+function hkdfExtract(salt            , ikm            )             {
+  const hmacKey = salt.byteLength === 0 ? new Uint8Array(HKDF_SHA256_LENGTH) : salt;
+  return new Uint8Array(createHmac("sha256", hmacKey).update(ikm).digest());
+}
+
+function hkdfExpand(prk            , info            , length        )             {
+  if (length > 255 * HKDF_SHA256_LENGTH) {
+    throw new RangeError("HKDF output length is too large");
+  }
+
+  const blocks               = [];
+  let previous = EMPTY;
+  let remaining = length;
+
+  for (let counter = 1; remaining > 0; counter += 1) {
+    previous = new Uint8Array(
+      createHmac("sha256", prk)
+        .update(previous)
+        .update(info)
+        .update(Uint8Array.of(counter))
+        .digest(),
+    );
+    blocks.push(previous);
+    remaining -= previous.byteLength;
+  }
+
+  return concat(blocks).subarray(0, length);
+}
+
+function aeadSeal(
+  key            ,
+  nonce            ,
+  aad            ,
+  plaintext            ,
+)             {
+  const cipher = createCipheriv("chacha20-poly1305", key, nonce, {
+    authTagLength: CHACHA20_POLY1305_TAG_LENGTH,
+  });
+
+  cipher.setAAD(aad);
+  const ciphertext = concat([cipher.update(plaintext), cipher.final()]);
+  return concat([ciphertext, cipher.getAuthTag()]);
+}
+
+function aeadOpen(
+  key            ,
+  nonce            ,
+  aad            ,
+  ciphertext            ,
+)             {
+  if (ciphertext.byteLength < CHACHA20_POLY1305_TAG_LENGTH) {
+    throw new TypeError("HPKE ciphertext is too short");
+  }
+
+  const tag = ciphertext.subarray(ciphertext.byteLength - CHACHA20_POLY1305_TAG_LENGTH);
+  const body = ciphertext.subarray(0, ciphertext.byteLength - CHACHA20_POLY1305_TAG_LENGTH);
+  const decipher = createDecipheriv("chacha20-poly1305", key, nonce, {
+    authTagLength: CHACHA20_POLY1305_TAG_LENGTH,
+  });
+
+  decipher.setAAD(aad);
+  decipher.setAuthTag(tag);
+
+  try {
+    return concat([decipher.update(body), decipher.final()]);
+  } catch {
+    throw new TypeError("HPKE open failed");
+  }
+}
+
+function x25519(privateKey            , publicKey            )             {
+  const sharedSecret = new Uint8Array(
+    diffieHellman({
+      privateKey: createX25519PrivateKey(privateKey),
+      publicKey: createX25519PublicKey(publicKey),
+    }),
+  );
+
+  if (sharedSecret.every((byte) => byte === 0)) {
+    throw new TypeError("X25519 shared secret must not be all zero");
+  }
+
+  return sharedSecret;
+}
+
+function publicKeyFromPrivateKey(privateKey            )             {
+  return exportRawX25519PublicKey(createPublicKey(createX25519PrivateKey(privateKey)));
+}
+
+function createX25519PublicKey(rawPublicKey            )                                     {
+  assertByteLength(rawPublicKey, X25519_KEY_LENGTH, "rawPublicKey");
+  return createPublicKey({
+    key: Buffer.from(concat([X25519_PUBLIC_KEY_SPKI_PREFIX, rawPublicKey])),
+    format: "der",
+    type: "spki",
+  });
+}
+
+function createX25519PrivateKey(rawPrivateKey            )                                      {
+  assertByteLength(rawPrivateKey, X25519_KEY_LENGTH, "rawPrivateKey");
+  return createPrivateKey({
+    key: Buffer.from(concat([X25519_PRIVATE_KEY_PKCS8_PREFIX, rawPrivateKey])),
+    format: "der",
+    type: "pkcs8",
+  });
+}
+
+function exportRawX25519PublicKey(key                                    )             {
+  const der = new Uint8Array(key.export({ format: "der", type: "spki" }));
+  return new Uint8Array(der.subarray(der.byteLength - X25519_KEY_LENGTH));
+}
+
+function exportRawX25519PrivateKey(key                                     )             {
+  const der = new Uint8Array(key.export({ format: "der", type: "pkcs8" }));
+  return new Uint8Array(der.subarray(der.byteLength - X25519_KEY_LENGTH));
+}
+
+function i2osp(value        , length        )             {
+  if (!Number.isSafeInteger(value) || value < 0) {
+    throw new TypeError("I2OSP value must be a non-negative safe integer");
+  }
+
+  const out = new Uint8Array(length);
+  let remaining = value;
+
+  for (let index = length - 1; index >= 0; index -= 1) {
+    out[index] = remaining & 0xff;
+    remaining >>= 8;
+  }
+
+  if (remaining !== 0) {
+    throw new RangeError("I2OSP value does not fit");
+  }
+
+  return out;
+}
+
+function assertByteLength(
+  value         ,
+  length        ,
+  name        ,
+)                              {
+  if (!(value instanceof Uint8Array) || value.byteLength !== length) {
+    throw new TypeError(`${name} must be a ${length}-byte Uint8Array`);
+  }
+}
+
+function assertBytes(value         , name        )                              {
+  if (!(value instanceof Uint8Array)) {
+    throw new TypeError(`${name} must be a Uint8Array`);
+  }
+}
+
+function ascii(value        )             {
+  return new TextEncoder().encode(value);
+}
+
+function hex(value        )             {
+  return Uint8Array.from(Buffer.from(value, "hex"));
+}

package/dist/hpke/receipt.js

@@ -0,0 +1,79 @@
+import { encodeCbor } from "../cbor.js";
+import { assertTokenRef } from "../crypto/identifiers.js";
+import {
+  generateHpkeKeyPair,
+  openHpkeBase,
+  sealHpkeBase,
+                   
+} from "./base.js";
+
+                            
+
+                                    
+                        
+                             
+                                   
+                            
+                            
+                                   
+  
+
+                                    
+                      
+                              
+                                   
+                            
+                            
+  
+
+const HPKE_PAYLOAD_MIN_LENGTH = 49;
+
+export { generateHpkeKeyPair };
+
+export function buildReceiptHpkeInfo(
+  serviceIdentifier        ,
+  selloTokenRef            ,
+)             {
+  if (typeof serviceIdentifier !== "string" || serviceIdentifier.length === 0) {
+    throw new TypeError("serviceIdentifier must be a non-empty string");
+  }
+
+  assertTokenRef(selloTokenRef, "selloTokenRef");
+
+  return encodeCbor(["sello/0.1.0/receipt", serviceIdentifier, selloTokenRef]);
+}
+
+export function sealReceiptBody(input                      )             {
+  assertBytes(input.plaintext, "plaintext");
+  assertBytes(input.protectedHeaderBytes, "protectedHeaderBytes");
+
+  return sealHpkeBase({
+    plaintext: input.plaintext,
+    aad: input.protectedHeaderBytes,
+    info: buildReceiptHpkeInfo(input.serviceIdentifier, input.selloTokenRef),
+    recipientPublicKey: input.ownerPublicKey,
+    ephemeralPrivateKey: input.ephemeralPrivateKey,
+  });
+}
+
+export function openReceiptBody(input                      )             {
+  assertBytes(input.payload, "payload");
+  assertBytes(input.protectedHeaderBytes, "protectedHeaderBytes");
+
+  if (input.payload.byteLength < HPKE_PAYLOAD_MIN_LENGTH) {
+    throw new TypeError("HPKE payload must be at least 49 bytes");
+  }
+
+  return openHpkeBase({
+    payload: input.payload,
+    aad: input.protectedHeaderBytes,
+    info: buildReceiptHpkeInfo(input.serviceIdentifier, input.selloTokenRef),
+    recipientPrivateKey: input.ownerPrivateKey,
+  });
+}
+
+function assertBytes(value         , name        )                              {
+  if (!(value instanceof Uint8Array)) {
+    throw new TypeError(`${name} must be a Uint8Array`);
+  }
+}

package/dist/index.js

@@ -0,0 +1,15 @@
+export * from "./cose/protected-header.js";
+export * from "./cose/sign1.js";
+export * from "./crypto/identifiers.js";
+export * from "./hpke/receipt.js";
+export * from "./log/canonical-url.js";
+export * from "./log/mock-log.js";
+export * from "./log/rekor.js";
+export * from "./log/types.js";
+export * from "./mcp/middleware.js";
+export * from "./owner/verify.js";
+export * from "./registry/json-registry.js";
+export * from "./receipt/body.js";
+export * from "./sdk/index.js";
+export * from "./service/create-receipt.js";
+export * from "./token/jws-profile.js";

package/dist/log/canonical-url.js

@@ -0,0 +1,168 @@
+                                                                                     
+
+const UNRESERVED = /^[A-Za-z0-9._~-]$/;
+
+export function isCanonicalLogUrl(value         )                           {
+  try {
+    assertCanonicalLogUrl(value);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export function assertCanonicalLogUrl(
+  value         ,
+  name = "logUrl",
+)                                   {
+  if (typeof value !== "string") {
+    throw new TypeError(`${name} must be a string`);
+  }
+
+  if (!value.startsWith("https://")) {
+    throw new TypeError(`${name} must use lowercase https scheme`);
+  }
+
+  let parsed     ;
+  try {
+    parsed = new URL(value);
+  } catch {
+    throw new TypeError(`${name} must be a valid URL`);
+  }
+
+  if (parsed.protocol !== "https:") {
+    throw new TypeError(`${name} must use https`);
+  }
+
+  if (parsed.username !== "" || parsed.password !== "") {
+    throw new TypeError(`${name} must not contain userinfo`);
+  }
+
+  if (parsed.search !== "") {
+    throw new TypeError(`${name} must not contain a query string`);
+  }
+
+  if (parsed.hash !== "") {
+    throw new TypeError(`${name} must not contain a fragment`);
+  }
+
+  const authority = getAuthority(value);
+  if (authority.includes("@")) {
+    throw new TypeError(`${name} must not contain userinfo`);
+  }
+
+  const { rawHost, rawPort } = splitAuthority(authority);
+  if (rawHost === "") {
+    throw new TypeError(`${name} must contain a host`);
+  }
+
+  if (/[A-Z]/.test(rawHost)) {
+    throw new TypeError(`${name} host must be lowercase`);
+  }
+
+  if (rawPort === "443") {
+    throw new TypeError(`${name} must omit default port :443`);
+  }
+
+  if (rawPort !== undefined && !/^[0-9]+$/.test(rawPort)) {
+    throw new TypeError(`${name} port must be numeric`);
+  }
+
+  const rawPath = getRawPath(value);
+  if (rawPath === "") {
+    throw new TypeError(`${name} must include a path prefix`);
+  }
+
+  if (!rawPath.startsWith("/")) {
+    throw new TypeError(`${name} path must start with /`);
+  }
+
+  if (rawPath.length > 1 && rawPath.endsWith("/")) {
+    throw new TypeError(`${name} must not have a trailing slash`);
+  }
+
+  assertPercentEncoding(rawPath, name);
+  assertNoDotSegments(rawPath, name);
+}
+
+export function logUrlsEqual(a                 , b                 )          {
+  assertCanonicalLogUrl(a, "a");
+  assertCanonicalLogUrl(b, "b");
+  return a === b;
+}
+
+function getAuthority(value        )         {
+  const withoutScheme = value.slice("https://".length);
+  const end = withoutScheme.search(/[/?#]/);
+  return end === -1 ? withoutScheme : withoutScheme.slice(0, end);
+}
+
+function getRawPath(value        )         {
+  const withoutScheme = value.slice("https://".length);
+  const pathStart = withoutScheme.search(/[/?#]/);
+  if (pathStart === -1 || withoutScheme[pathStart] !== "/") {
+    return "";
+  }
+
+  const pathAndSuffix = withoutScheme.slice(pathStart);
+  const end = pathAndSuffix.search(/[?#]/);
+  return end === -1 ? pathAndSuffix : pathAndSuffix.slice(0, end);
+}
+
+function splitAuthority(authority        )                                        {
+  if (authority.startsWith("[")) {
+    const closing = authority.indexOf("]");
+    if (closing === -1) {
+      return { rawHost: authority };
+    }
+    const rawHost = authority.slice(0, closing + 1);
+    const rest = authority.slice(closing + 1);
+    return rest.startsWith(":")
+      ? { rawHost, rawPort: rest.slice(1) }
+      : { rawHost };
+  }
+
+  const colon = authority.lastIndexOf(":");
+  if (colon === -1) {
+    return { rawHost: authority };
+  }
+
+  return {
+    rawHost: authority.slice(0, colon),
+    rawPort: authority.slice(colon + 1),
+  };
+}
+
+function assertPercentEncoding(rawPath        , name        )       {
+  for (let index = 0; index < rawPath.length; index += 1) {
+    if (rawPath[index] !== "%") {
+      continue;
+    }
+
+    const hex = rawPath.slice(index + 1, index + 3);
+    if (!/^[0-9A-Fa-f]{2}$/.test(hex)) {
+      throw new TypeError(`${name} contains invalid percent-encoding`);
+    }
+
+    if (hex !== hex.toUpperCase()) {
+      throw new TypeError(`${name} percent-encoding hex digits must be uppercase`);
+    }
+
+    const decoded = String.fromCharCode(Number.parseInt(hex, 16));
+    if (UNRESERVED.test(decoded)) {
+      throw new TypeError(`${name} must not percent-encode unreserved characters`);
+    }
+
+    index += 2;
+  }
+}
+
+function assertNoDotSegments(rawPath        , name        )       {
+  const segments = rawPath.split("/");
+
+  for (const segment of segments) {
+    if (segment === "." || segment === "..") {
+      throw new TypeError(`${name} must not contain dot segments`);
+    }
+  }
+}