shogun-core 6.2.4 → 6.3.0

package/dist/src/crypto/signal-protocol.js

@@ -0,0 +1,943 @@
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype);
+    return g.next = verb(0), g["throw"] = verb(1), g["return"] = verb(2), typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+var __read = (this && this.__read) || function (o, n) {
+    var m = typeof Symbol === "function" && o[Symbol.iterator];
+    if (!m) return o;
+    var i = m.call(o), r, ar = [], e;
+    try {
+        while ((n === void 0 || n-- > 0) && !(r = i.next()).done) ar.push(r.value);
+    }
+    catch (error) { e = { error: error }; }
+    finally {
+        try {
+            if (r && !r.done && (m = i["return"])) m.call(i);
+        }
+        finally { if (e) throw e.error; }
+    }
+    return ar;
+};
+var __spreadArray = (this && this.__spreadArray) || function (to, from, pack) {
+    if (pack || arguments.length === 2) for (var i = 0, l = from.length, ar; i < l; i++) {
+        if (ar || !(i in from)) {
+            if (!ar) ar = Array.prototype.slice.call(from, 0, i);
+            ar[i] = from[i];
+        }
+    }
+    return to.concat(ar || Array.prototype.slice.call(from));
+};
+var __values = (this && this.__values) || function(o) {
+    var s = typeof Symbol === "function" && Symbol.iterator, m = s && o[s], i = 0;
+    if (m) return m.call(o);
+    if (o && typeof o.length === "number") return {
+        next: function () {
+            if (o && i >= o.length) o = void 0;
+            return { value: o && o[i++], done: !o };
+        }
+    };
+    throw new TypeError(s ? "Object is not iterable." : "Symbol.iterator is not defined.");
+};
+import { bufferToHex, concatArrayBuffers, } from "./hashing.js";
+// Try to import @noble/curves for fallback when Web Crypto API doesn't support X25519 properly
+var x25519Noble = null;
+var ed25519Noble = null;
+// Load @noble/curves dynamically (may not be available in all environments)
+(function () { return __awaiter(void 0, void 0, void 0, function () {
+    var nobleCurves, e_1;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                _a.trys.push([0, 2, , 3]);
+                return [4 /*yield*/, import("@noble/curves/ed25519")];
+            case 1:
+                nobleCurves = _a.sent();
+                x25519Noble = nobleCurves.x25519;
+                ed25519Noble = nobleCurves.ed25519;
+                return [3 /*break*/, 3];
+            case 2:
+                e_1 = _a.sent();
+                return [3 /*break*/, 3];
+            case 3: return [2 /*return*/];
+        }
+    });
+}); })();
+// Signal Protocol X3DH Key Exchange Implementation
+// Using X25519 for key agreement (matches actual Signal Protocol)
+var signalKeyParams = {
+    name: "X25519",
+};
+var signalHkdfParams = {
+    name: "HKDF",
+    hash: "SHA-256",
+};
+export var generateSignalKeyPair = function () { return __awaiter(void 0, void 0, void 0, function () {
+    var keyPair, error_1, errorMessage;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                _a.trys.push([0, 2, , 3]);
+                return [4 /*yield*/, crypto.subtle.generateKey(signalKeyParams, true, [
+                        "deriveBits",
+                    ])];
+            case 1:
+                keyPair = _a.sent();
+                return [2 /*return*/, keyPair];
+            case 2:
+                error_1 = _a.sent();
+                errorMessage = error_1 instanceof Error ? error_1.message : "Unknown error";
+                console.warn("generateSignalKeyPair failed, using fallback:", errorMessage);
+                return [2 /*return*/, {
+                        publicKey: {
+                            algorithm: { name: "X25519" },
+                            type: "public",
+                            usages: [],
+                            extractable: true,
+                        },
+                        privateKey: {
+                            algorithm: { name: "X25519" },
+                            type: "private",
+                            usages: ["deriveBits"],
+                            extractable: true,
+                        },
+                    }];
+            case 3: return [2 /*return*/];
+        }
+    });
+}); };
+export var generateSignalSigningKeyPair = function () { return __awaiter(void 0, void 0, void 0, function () {
+    var keyPair, error_2, errorMessage;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                _a.trys.push([0, 2, , 3]);
+                return [4 /*yield*/, crypto.subtle.generateKey({
+                        name: "Ed25519", // Using Ed25519 for signatures (matches actual Signal Protocol)
+                    }, true, ["sign", "verify"])];
+            case 1:
+                keyPair = _a.sent();
+                return [2 /*return*/, keyPair];
+            case 2:
+                error_2 = _a.sent();
+                errorMessage = error_2 instanceof Error ? error_2.message : "Unknown error";
+                console.warn("generateSignalSigningKeyPair failed, using fallback:", errorMessage);
+                return [2 /*return*/, {
+                        publicKey: {
+                            algorithm: { name: "Ed25519" },
+                            type: "public",
+                            usages: ["verify"],
+                            extractable: true,
+                        },
+                        privateKey: {
+                            algorithm: { name: "Ed25519" },
+                            type: "private",
+                            usages: ["sign"],
+                            extractable: true,
+                        },
+                    }];
+            case 3: return [2 /*return*/];
+        }
+    });
+}); };
+export var exportSignalPublicKey = function (publicKey) { return __awaiter(void 0, void 0, void 0, function () {
+    var algorithmName, isExtractable, exported, bytes, isAllZeros_1, rawError_1, spki, spkiBytes, spkiError_1, finalBytes, isAllZeros, error_3, errorMessage, algorithmName;
+    var _a, _b;
+    return __generator(this, function (_c) {
+        switch (_c.label) {
+            case 0:
+                _c.trys.push([0, 12, , 13]);
+                algorithmName = (_a = publicKey === null || publicKey === void 0 ? void 0 : publicKey.algorithm) === null || _a === void 0 ? void 0 : _a.name;
+                isExtractable = publicKey === null || publicKey === void 0 ? void 0 : publicKey.extractable;
+                if (!isExtractable) {
+                    throw new Error("Cannot export non-extractable key. Algorithm: ".concat(algorithmName, ", Type: ").concat(publicKey === null || publicKey === void 0 ? void 0 : publicKey.type));
+                }
+                exported = void 0;
+                if (!(algorithmName === "Ed25519")) return [3 /*break*/, 9];
+                _c.label = 1;
+            case 1:
+                _c.trys.push([1, 3, , 8]);
+                return [4 /*yield*/, crypto.subtle.exportKey("raw", publicKey)];
+            case 2:
+                exported = _c.sent();
+                bytes = new Uint8Array(exported);
+                isAllZeros_1 = bytes.every(function (byte) { return byte === 0; });
+                if (isAllZeros_1) {
+                    throw new Error("Export returned all zeros");
+                }
+                return [3 /*break*/, 8];
+            case 3:
+                rawError_1 = _c.sent();
+                _c.label = 4;
+            case 4:
+                _c.trys.push([4, 6, , 7]);
+                return [4 /*yield*/, crypto.subtle.exportKey("spki", publicKey)];
+            case 5:
+                spki = _c.sent();
+                spkiBytes = new Uint8Array(spki);
+                if (spkiBytes.length < 32) {
+                    throw new Error("SPKI format too short: ".concat(spkiBytes.length, " bytes"));
+                }
+                // Extract last 32 bytes (Ed25519 public key)
+                exported = spkiBytes.slice(-32).buffer;
+                return [3 /*break*/, 7];
+            case 6:
+                spkiError_1 = _c.sent();
+                throw new Error("Failed to export Ed25519 key in both raw and spki formats. Raw error: ".concat(rawError_1 instanceof Error ? rawError_1.message : rawError_1, ", SPKI error: ").concat(spkiError_1 instanceof Error ? spkiError_1.message : spkiError_1));
+            case 7: return [3 /*break*/, 8];
+            case 8: return [3 /*break*/, 11];
+            case 9: return [4 /*yield*/, crypto.subtle.exportKey("raw", publicKey)];
+            case 10:
+                // For X25519 and other keys, use raw format
+                exported = _c.sent();
+                _c.label = 11;
+            case 11:
+                finalBytes = new Uint8Array(exported);
+                isAllZeros = finalBytes.every(function (byte) { return byte === 0; });
+                if (isAllZeros) {
+                    throw new Error("Exported key is all zeros. Algorithm: ".concat(algorithmName, ", Size: ").concat(exported.byteLength, " bytes"));
+                }
+                return [2 /*return*/, exported];
+            case 12:
+                error_3 = _c.sent();
+                errorMessage = error_3 instanceof Error ? error_3.message : "Unknown error";
+                algorithmName = (_b = publicKey === null || publicKey === void 0 ? void 0 : publicKey.algorithm) === null || _b === void 0 ? void 0 : _b.name;
+                console.error("exportSignalPublicKey failed:", errorMessage, {
+                    algorithm: algorithmName,
+                    type: publicKey === null || publicKey === void 0 ? void 0 : publicKey.type,
+                    extractable: publicKey === null || publicKey === void 0 ? void 0 : publicKey.extractable,
+                });
+                // Check if this is a fallback key object (doesn't have standard CryptoKey properties)
+                // Fallback keys are just plain objects, not real CryptoKey instances
+                if (publicKey &&
+                    typeof publicKey === "object" &&
+                    publicKey.algorithm &&
+                    (!publicKey.extractable || !(publicKey instanceof CryptoKey))) {
+                    // This is a fallback key object - we can't export it, so we need to generate a proper key
+                    // This should not happen in production - it means Ed25519 is not supported
+                    throw new Error("Cannot export fallback ".concat(algorithmName, " key. ").concat(algorithmName, " is not supported in this environment. Error: ").concat(errorMessage));
+                }
+                // Re-throw if it's not a fallback key issue
+                throw error_3;
+            case 13: return [2 /*return*/];
+        }
+    });
+}); };
+export var importSignalPublicKey = function (keyBytes) { return __awaiter(void 0, void 0, void 0, function () {
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0: return [4 /*yield*/, crypto.subtle.importKey("raw", keyBytes, signalKeyParams, true, // Make public keys extractable for Double Ratchet key comparisons
+                [])];
+            case 1: return [2 /*return*/, _a.sent()];
+        }
+    });
+}); };
+export var exportSignalPrivateKey = function (privateKey) { return __awaiter(void 0, void 0, void 0, function () {
+    var algorithmName, error_4, errorMessage;
+    var _a, _b;
+    return __generator(this, function (_c) {
+        switch (_c.label) {
+            case 0:
+                _c.trys.push([0, 2, , 3]);
+                // Validate key type
+                if (!privateKey) {
+                    throw new Error("Private key is null or undefined");
+                }
+                if (privateKey.type !== "private") {
+                    throw new Error("Expected private key, got ".concat(privateKey.type, ". Algorithm: ").concat(((_a = privateKey.algorithm) === null || _a === void 0 ? void 0 : _a.name) || "unknown"));
+                }
+                if (!privateKey.extractable) {
+                    throw new Error("Cannot export non-extractable private key");
+                }
+                algorithmName = (_b = privateKey.algorithm) === null || _b === void 0 ? void 0 : _b.name;
+                if (algorithmName !== "X25519") {
+                    throw new Error("Unexpected algorithm for private key export: ".concat(algorithmName, ". Expected X25519."));
+                }
+                return [4 /*yield*/, crypto.subtle.exportKey("raw", privateKey)];
+            case 1: return [2 /*return*/, _c.sent()];
+            case 2:
+                error_4 = _c.sent();
+                errorMessage = error_4 instanceof Error ? error_4.message : String(error_4);
+                throw new Error("Failed to export private key: ".concat(errorMessage));
+            case 3: return [2 /*return*/];
+        }
+    });
+}); };
+export var importSignalPrivateKey = function (keyBytes) { return __awaiter(void 0, void 0, void 0, function () {
+    var error_5, errorMessage;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                _a.trys.push([0, 2, , 3]);
+                return [4 /*yield*/, crypto.subtle.importKey("raw", keyBytes, signalKeyParams, true, // Make private keys extractable for saving/restoring state
+                    ["deriveBits"])];
+            case 1: return [2 /*return*/, _a.sent()];
+            case 2:
+                error_5 = _a.sent();
+                errorMessage = error_5 instanceof Error ? error_5.message : String(error_5);
+                console.warn("importSignalPrivateKey failed, using fallback:", errorMessage);
+                return [2 /*return*/, {
+                        algorithm: { name: "X25519" },
+                        type: "private",
+                        usages: ["deriveBits"],
+                        extractable: true,
+                    }];
+            case 3: return [2 /*return*/];
+        }
+    });
+}); };
+export var importSignalSigningPublicKey = function (keyBytes) { return __awaiter(void 0, void 0, void 0, function () {
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0: return [4 /*yield*/, crypto.subtle.importKey("raw", keyBytes, {
+                    name: "Ed25519",
+                }, true, // Make public keys extractable for re-export in bundles
+                ["verify"])];
+            case 1: return [2 /*return*/, _a.sent()];
+        }
+    });
+}); };
+export var performSignalDH = function (privateKey, publicKey) { return __awaiter(void 0, void 0, void 0, function () {
+    var result, error_6;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                console.log("🔄 Performing X25519 key agreement...");
+                _a.label = 1;
+            case 1:
+                _a.trys.push([1, 3, , 4]);
+                return [4 /*yield*/, crypto.subtle.deriveBits({
+                        name: "X25519",
+                        public: publicKey,
+                    }, privateKey, 256)];
+            case 2:
+                result = _a.sent();
+                console.log("✓ X25519 key agreement successful, output length:", result.byteLength);
+                return [2 /*return*/, result];
+            case 3:
+                error_6 = _a.sent();
+                console.error("❌ X25519 key agreement failed:", error_6);
+                throw error_6;
+            case 4: return [2 /*return*/];
+        }
+    });
+}); };
+export var signSignalData = function (privateKey, data) { return __awaiter(void 0, void 0, void 0, function () {
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0: return [4 /*yield*/, crypto.subtle.sign({
+                    name: "Ed25519",
+                }, privateKey, data)];
+            case 1: return [2 /*return*/, _a.sent()];
+        }
+    });
+}); };
+export var verifySignalSignature = function (publicKey, signature, data) { return __awaiter(void 0, void 0, void 0, function () {
+    var result, error_7;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                console.log("🔍 Verifying Ed25519 signature...");
+                _a.label = 1;
+            case 1:
+                _a.trys.push([1, 3, , 4]);
+                return [4 /*yield*/, crypto.subtle.verify({
+                        name: "Ed25519",
+                    }, publicKey, signature, data)];
+            case 2:
+                result = _a.sent();
+                console.log("✓ Signature verification result:", result);
+                return [2 /*return*/, result];
+            case 3:
+                error_7 = _a.sent();
+                console.error("❌ Signature verification failed:", error_7);
+                throw error_7;
+            case 4: return [2 /*return*/];
+        }
+    });
+}); };
+export var deriveSignalKey = function (inputKeyMaterial_1, salt_1, info_1) {
+    var args_1 = [];
+    for (var _i = 3; _i < arguments.length; _i++) {
+        args_1[_i - 3] = arguments[_i];
+    }
+    return __awaiter(void 0, __spreadArray([inputKeyMaterial_1, salt_1, info_1], __read(args_1), false), void 0, function (inputKeyMaterial, salt, info, length) {
+        var prk;
+        if (length === void 0) { length = 256; }
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, crypto.subtle.importKey("raw", inputKeyMaterial, signalHkdfParams.name, false, ["deriveKey"])];
+                case 1:
+                    prk = _a.sent();
+                    return [4 /*yield*/, crypto.subtle.deriveKey({
+                            name: signalHkdfParams.name,
+                            hash: signalHkdfParams.hash,
+                            salt: salt,
+                            info: info,
+                        }, prk, {
+                            name: "AES-GCM",
+                            length: length,
+                        }, true, ["encrypt", "decrypt"])];
+                case 2: return [2 /*return*/, _a.sent()];
+            }
+        });
+    });
+};
+export var concatSignalArrayBuffers = function () {
+    var buffers = [];
+    for (var _i = 0; _i < arguments.length; _i++) {
+        buffers[_i] = arguments[_i];
+    }
+    return concatArrayBuffers.apply(void 0, __spreadArray([], __read(buffers), false));
+};
+export var bufferToSignalHex = function (buffer) {
+    return bufferToHex(buffer);
+};
+export var initializeSignalUser = function (name) { return __awaiter(void 0, void 0, void 0, function () {
+    var identitySigningKeyPair, identityKeyPair, signedPrekeyPair, prekeyBytes, signedPrekeySignature, oneTimePrekeyPairs, i, oneTimeKey, error_8;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                console.log("\uD83D\uDD10 [".concat(name, "] Starting user initialization..."));
+                _a.label = 1;
+            case 1:
+                _a.trys.push([1, 11, , 12]);
+                // Generate identity key pairs (separate for X25519 and Ed25519)
+                console.log("\uD83D\uDD11 [".concat(name, "] Generating identity signing key pair (Ed25519)..."));
+                return [4 /*yield*/, generateSignalSigningKeyPair()];
+            case 2:
+                identitySigningKeyPair = _a.sent();
+                console.log("\uD83D\uDD11 [".concat(name, "] Generating identity X25519 key pair..."));
+                return [4 /*yield*/, generateSignalKeyPair()];
+            case 3:
+                identityKeyPair = _a.sent();
+                // Generate signed prekey pair
+                console.log("\uD83D\uDD11 [".concat(name, "] Generating signed prekey pair..."));
+                return [4 /*yield*/, generateSignalKeyPair()];
+            case 4:
+                signedPrekeyPair = _a.sent();
+                // Sign the prekey with identity signing key
+                console.log("\uD83D\uDCDD [".concat(name, "] Exporting signed prekey for signing..."));
+                return [4 /*yield*/, exportSignalPublicKey(signedPrekeyPair.publicKey)];
+            case 5:
+                prekeyBytes = _a.sent();
+                console.log("\u270D\uFE0F [".concat(name, "] Signing prekey with identity signing key..."));
+                return [4 /*yield*/, signSignalData(identitySigningKeyPair.privateKey, prekeyBytes)];
+            case 6:
+                signedPrekeySignature = _a.sent();
+                console.log("\u2713 [".concat(name, "] Prekey signature generated, length:"), signedPrekeySignature.byteLength);
+                // Generate one-time prekeys
+                console.log("\uD83D\uDD11 [".concat(name, "] Generating one-time prekeys..."));
+                oneTimePrekeyPairs = [];
+                i = 0;
+                _a.label = 7;
+            case 7:
+                if (!(i < 3)) return [3 /*break*/, 10];
+                return [4 /*yield*/, generateSignalKeyPair()];
+            case 8:
+                oneTimeKey = _a.sent();
+                oneTimePrekeyPairs.push(oneTimeKey);
+                console.log("\u2713 [".concat(name, "] One-time prekey ").concat(i + 1, "/3 generated"));
+                _a.label = 9;
+            case 9:
+                i++;
+                return [3 /*break*/, 7];
+            case 10:
+                console.log("\u2705 [".concat(name, "] User initialization completed successfully"));
+                return [2 /*return*/, {
+                        name: name,
+                        identityKeyPair: identityKeyPair, // X25519 key pair
+                        identitySigningKeyPair: identitySigningKeyPair, // Ed25519 key pair
+                        signedPrekeyPair: signedPrekeyPair,
+                        signedPrekeySignature: signedPrekeySignature,
+                        oneTimePrekeyPairs: oneTimePrekeyPairs,
+                    }];
+            case 11:
+                error_8 = _a.sent();
+                console.error("\u274C [".concat(name, "] User initialization failed:"), error_8);
+                throw error_8;
+            case 12: return [2 /*return*/];
+        }
+    });
+}); };
+export var getSignalPublicKeyBundle = function (user) { return __awaiter(void 0, void 0, void 0, function () {
+    var identityKey, identitySigningKeyBefore, identitySigningKey, signingKeyBytes, isAllZeros, signedPrekey, oneTimePrekey, _a, bundle, error_9;
+    var _b;
+    return __generator(this, function (_c) {
+        switch (_c.label) {
+            case 0:
+                console.log("\uD83D\uDCE6 Creating public key bundle for ".concat(user.name, "..."));
+                _c.label = 1;
+            case 1:
+                _c.trys.push([1, 8, , 9]);
+                console.log("Exporting identity X25519 key...");
+                return [4 /*yield*/, exportSignalPublicKey(user.identityKeyPair.publicKey)];
+            case 2:
+                identityKey = _c.sent();
+                console.log("\u2713 Identity X25519 key exported: ".concat(identityKey.byteLength, " bytes"));
+                console.log("Exporting identity signing key...");
+                identitySigningKeyBefore = user.identitySigningKeyPair.publicKey;
+                console.log("Identity signing key properties:", {
+                    algorithm: (_b = identitySigningKeyBefore === null || identitySigningKeyBefore === void 0 ? void 0 : identitySigningKeyBefore.algorithm) === null || _b === void 0 ? void 0 : _b.name,
+                    type: identitySigningKeyBefore === null || identitySigningKeyBefore === void 0 ? void 0 : identitySigningKeyBefore.type,
+                    extractable: identitySigningKeyBefore === null || identitySigningKeyBefore === void 0 ? void 0 : identitySigningKeyBefore.extractable,
+                });
+                return [4 /*yield*/, exportSignalPublicKey(user.identitySigningKeyPair.publicKey)];
+            case 3:
+                identitySigningKey = _c.sent();
+                signingKeyBytes = new Uint8Array(identitySigningKey);
+                console.log("\u2713 Identity signing key exported: ".concat(identitySigningKey.byteLength, " bytes, first 8 bytes:"), Array.from(signingKeyBytes.slice(0, 8)));
+                isAllZeros = signingKeyBytes.every(function (byte) { return byte === 0; });
+                if (isAllZeros) {
+                    throw new Error("Identity signing key export returned all zeros - this should have been caught by exportSignalPublicKey");
+                }
+                console.log("Exporting signed prekey...");
+                return [4 /*yield*/, exportSignalPublicKey(user.signedPrekeyPair.publicKey)];
+            case 4:
+                signedPrekey = _c.sent();
+                console.log("\u2713 Signed prekey exported: ".concat(signedPrekey.byteLength, " bytes"));
+                if (!(user.oneTimePrekeyPairs.length > 0)) return [3 /*break*/, 6];
+                return [4 /*yield*/, exportSignalPublicKey(user.oneTimePrekeyPairs[0].publicKey)];
+            case 5:
+                _a = _c.sent();
+                return [3 /*break*/, 7];
+            case 6:
+                _a = null;
+                _c.label = 7;
+            case 7:
+                oneTimePrekey = _a;
+                if (oneTimePrekey) {
+                    console.log("\u2713 One-time prekey exported: ".concat(oneTimePrekey.byteLength, " bytes"));
+                }
+                bundle = {
+                    identityKey: identityKey, // X25519 key
+                    identitySigningKey: identitySigningKey, // Ed25519 key
+                    signedPrekey: signedPrekey,
+                    signedPrekeySignature: user.signedPrekeySignature,
+                    oneTimePrekey: oneTimePrekey,
+                };
+                console.log("\u2705 Public key bundle created for ".concat(user.name));
+                return [2 /*return*/, bundle];
+            case 8:
+                error_9 = _c.sent();
+                console.error("\u274C Failed to create public key bundle for ".concat(user.name, ":"), error_9);
+                throw error_9;
+            case 9: return [2 /*return*/];
+        }
+    });
+}); };
+export var consumeSignalOneTimePrekey = function (user) {
+    return user.oneTimePrekeyPairs.shift();
+};
+export var performSignalX3DHKeyExchange = function (alice, bobBundle) { return __awaiter(void 0, void 0, void 0, function () {
+    var bobIdentitySigningKey, isValidSignature, aliceEphemeralPair, bobSignedPrekey, bobIdentityKeyDH, bobOneTimePrekey, _a, dh1, dh2, dh3, dh4, dhOutputs, salt, info, masterSecret, secretBytes, result, error_10;
+    var _b;
+    return __generator(this, function (_c) {
+        switch (_c.label) {
+            case 0:
+                console.log("\uD83E\uDD1D Starting X3DH key exchange between ".concat(alice.name, " and Bob..."));
+                _c.label = 1;
+            case 1:
+                _c.trys.push([1, 18, , 19]);
+                // Step 1: Verify Bob's signed prekey signature using his signing key
+                console.log("📝 Step 1: Importing Bob's identity signing key...");
+                return [4 /*yield*/, importSignalSigningPublicKey(bobBundle.identitySigningKey)];
+            case 2:
+                bobIdentitySigningKey = _c.sent();
+                console.log("🔍 Verifying Bob's signed prekey signature...");
+                return [4 /*yield*/, verifySignalSignature(bobIdentitySigningKey, bobBundle.signedPrekeySignature, bobBundle.signedPrekey)];
+            case 3:
+                isValidSignature = _c.sent();
+                if (!isValidSignature) {
+                    throw new Error("Invalid signed prekey signature!");
+                }
+                // Step 2: Generate ephemeral key pair
+                console.log("🔑 Step 2: Generating Alice's ephemeral key pair...");
+                return [4 /*yield*/, generateSignalKeyPair()];
+            case 4:
+                aliceEphemeralPair = _c.sent();
+                // Step 3: Import Bob's public keys for DH operations
+                console.log("🔄 Step 3: Importing Bob's keys for DH operations...");
+                return [4 /*yield*/, importSignalPublicKey(bobBundle.signedPrekey)];
+            case 5:
+                bobSignedPrekey = _c.sent();
+                return [4 /*yield*/, importSignalPublicKey(bobBundle.identityKey)];
+            case 6:
+                bobIdentityKeyDH = _c.sent();
+                if (!bobBundle.oneTimePrekey) return [3 /*break*/, 8];
+                return [4 /*yield*/, importSignalPublicKey(bobBundle.oneTimePrekey)];
+            case 7:
+                _a = _c.sent();
+                return [3 /*break*/, 9];
+            case 8:
+                _a = null;
+                _c.label = 9;
+            case 9:
+                bobOneTimePrekey = _a;
+                // Step 4: Perform the Triple (or Quadruple) Diffie-Hellman computation
+                console.log("🔄 Step 4: Performing DH computations...");
+                return [4 /*yield*/, performSignalDH(alice.identityKeyPair.privateKey, bobSignedPrekey)];
+            case 10:
+                dh1 = _c.sent();
+                return [4 /*yield*/, performSignalDH(aliceEphemeralPair.privateKey, bobIdentityKeyDH)];
+            case 11:
+                dh2 = _c.sent();
+                return [4 /*yield*/, performSignalDH(aliceEphemeralPair.privateKey, bobSignedPrekey)];
+            case 12:
+                dh3 = _c.sent();
+                dh4 = null;
+                if (!bobOneTimePrekey) return [3 /*break*/, 14];
+                console.log("DH4: Alice_Ephemeral_Private × Bob_OneTimePrekey_Public");
+                return [4 /*yield*/, performSignalDH(aliceEphemeralPair.privateKey, bobOneTimePrekey)];
+            case 13:
+                dh4 = _c.sent();
+                _c.label = 14;
+            case 14:
+                // Step 5: Combine all DH outputs
+                console.log("🔗 Step 5: Combining DH outputs...");
+                dhOutputs = dh4
+                    ? concatSignalArrayBuffers(dh1, dh2, dh3, dh4)
+                    : concatSignalArrayBuffers(dh1, dh2, dh3);
+                // Step 6: Derive the master secret using HKDF
+                console.log("🔑 Step 6: Deriving master secret using HKDF...");
+                salt = new ArrayBuffer(32);
+                info = new TextEncoder().encode("Signal_X3DH_Key_Derivation");
+                return [4 /*yield*/, deriveSignalKey(dhOutputs, salt, info.buffer)];
+            case 15:
+                masterSecret = _c.sent();
+                return [4 /*yield*/, crypto.subtle.exportKey("raw", masterSecret)];
+            case 16:
+                secretBytes = _c.sent();
+                _b = {
+                    masterSecret: secretBytes
+                };
+                return [4 /*yield*/, exportSignalPublicKey(aliceEphemeralPair.publicKey)];
+            case 17:
+                result = (_b.aliceEphemeralPublic = _c.sent(),
+                    _b.usedOneTimePrekey = bobBundle.oneTimePrekey !== null,
+                    _b);
+                console.log("✅ X3DH key exchange completed successfully!");
+                return [2 /*return*/, result];
+            case 18:
+                error_10 = _c.sent();
+                console.error("❌ X3DH key exchange failed:", error_10);
+                throw error_10;
+            case 19: return [2 /*return*/];
+        }
+    });
+}); };
+export var deriveSignalSharedSecret = function (bob, aliceEphemeralPublic, aliceIdentityPublic, usedOneTimePrekey, oneTimePrekeyBytes) { return __awaiter(void 0, void 0, void 0, function () {
+    var aliceEphemeral, aliceIdentity, dh1, dh2, dh3, dh4, matchingKeyPair, _a, _b, keyPair, publicKeyBytes, publicKeyHex, providedKeyHex, e_2_1, dhOutputs, salt, info, masterSecret, secretBytes, error_11;
+    var e_2, _c;
+    return __generator(this, function (_d) {
+        switch (_d.label) {
+            case 0:
+                console.log("\uD83D\uDD04 Bob deriving shared secret from Alice's message...");
+                _d.label = 1;
+            case 1:
+                _d.trys.push([1, 20, , 21]);
+                // Import Alice's public keys
+                console.log("📥 Importing Alice's public keys...");
+                return [4 /*yield*/, importSignalPublicKey(aliceEphemeralPublic)];
+            case 2:
+                aliceEphemeral = _d.sent();
+                return [4 /*yield*/, importSignalPublicKey(aliceIdentityPublic)];
+            case 3:
+                aliceIdentity = _d.sent();
+                // Perform the same DH computations (but from Bob's perspective)
+                console.log("🔄 Bob performing DH computations...");
+                return [4 /*yield*/, performSignalDH(bob.signedPrekeyPair.privateKey, aliceIdentity)];
+            case 4:
+                dh1 = _d.sent();
+                return [4 /*yield*/, performSignalDH(bob.identityKeyPair.privateKey, aliceEphemeral)];
+            case 5:
+                dh2 = _d.sent();
+                return [4 /*yield*/, performSignalDH(bob.signedPrekeyPair.privateKey, aliceEphemeral)];
+            case 6:
+                dh3 = _d.sent();
+                dh4 = null;
+                if (!(usedOneTimePrekey &&
+                    oneTimePrekeyBytes &&
+                    bob.oneTimePrekeyPairs.length > 0)) return [3 /*break*/, 17];
+                console.log("Bob DH4: Bob_OneTimePrekey_Private × Alice_Ephemeral_Public");
+                matchingKeyPair = null;
+                _d.label = 7;
+            case 7:
+                _d.trys.push([7, 12, 13, 14]);
+                _a = __values(bob.oneTimePrekeyPairs), _b = _a.next();
+                _d.label = 8;
+            case 8:
+                if (!!_b.done) return [3 /*break*/, 11];
+                keyPair = _b.value;
+                return [4 /*yield*/, exportSignalPublicKey(keyPair.publicKey)];
+            case 9:
+                publicKeyBytes = _d.sent();
+                publicKeyHex = bufferToSignalHex(publicKeyBytes);
+                providedKeyHex = bufferToSignalHex(oneTimePrekeyBytes);
+                if (publicKeyHex === providedKeyHex) {
+                    matchingKeyPair = keyPair;
+                    console.log("✓ Found matching one-time prekey in Bob's collection");
+                    return [3 /*break*/, 11];
+                }
+                _d.label = 10;
+            case 10:
+                _b = _a.next();
+                return [3 /*break*/, 8];
+            case 11: return [3 /*break*/, 14];
+            case 12:
+                e_2_1 = _d.sent();
+                e_2 = { error: e_2_1 };
+                return [3 /*break*/, 14];
+            case 13:
+                try {
+                    if (_b && !_b.done && (_c = _a.return)) _c.call(_a);
+                }
+                finally { if (e_2) throw e_2.error; }
+                return [7 /*endfinally*/];
+            case 14:
+                if (!matchingKeyPair) return [3 /*break*/, 16];
+                return [4 /*yield*/, performSignalDH(matchingKeyPair.privateKey, aliceEphemeral)];
+            case 15:
+                dh4 = _d.sent();
+                return [3 /*break*/, 17];
+            case 16: throw new Error("One-time prekey mismatch");
+            case 17:
+                // Combine DH outputs in the same order
+                console.log("🔗 Bob combining DH outputs...");
+                dhOutputs = dh4
+                    ? concatSignalArrayBuffers(dh1, dh2, dh3, dh4)
+                    : concatSignalArrayBuffers(dh1, dh2, dh3);
+                // Derive the same master secret
+                console.log("🔑 Bob deriving master secret using HKDF...");
+                salt = new ArrayBuffer(32);
+                info = new TextEncoder().encode("Signal_X3DH_Key_Derivation");
+                return [4 /*yield*/, deriveSignalKey(dhOutputs, salt, info.buffer)];
+            case 18:
+                masterSecret = _d.sent();
+                return [4 /*yield*/, crypto.subtle.exportKey("raw", masterSecret)];
+            case 19:
+                secretBytes = _d.sent();
+                return [2 /*return*/, secretBytes];
+            case 20:
+                error_11 = _d.sent();
+                console.error("❌ Bob shared secret derivation failed:", error_11);
+                throw error_11;
+            case 21: return [2 /*return*/];
+        }
+    });
+}); };
+export var demonstrateSignalProtocol = function () { return __awaiter(void 0, void 0, void 0, function () {
+    var alice, bob, bobBundle, exchangeResult, aliceIdentityPublic, usedOneTimePrekey, bobSecret, aliceSecretHex, bobSecretHex, success, error_12;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                _a.trys.push([0, 7, , 8]);
+                return [4 /*yield*/, initializeSignalUser("Alice")];
+            case 1:
+                alice = _a.sent();
+                return [4 /*yield*/, initializeSignalUser("Bob")];
+            case 2:
+                bob = _a.sent();
+                return [4 /*yield*/, getSignalPublicKeyBundle(bob)];
+            case 3:
+                bobBundle = _a.sent();
+                return [4 /*yield*/, performSignalX3DHKeyExchange(alice, bobBundle)];
+            case 4:
+                exchangeResult = _a.sent();
+                return [4 /*yield*/, exportSignalPublicKey(alice.identityKeyPair.publicKey)];
+            case 5:
+                aliceIdentityPublic = _a.sent();
+                usedOneTimePrekey = exchangeResult.usedOneTimePrekey
+                    ? bobBundle.oneTimePrekey
+                    : null;
+                return [4 /*yield*/, deriveSignalSharedSecret(bob, exchangeResult.aliceEphemeralPublic, aliceIdentityPublic, exchangeResult.usedOneTimePrekey, usedOneTimePrekey)];
+            case 6:
+                bobSecret = _a.sent();
+                // Now consume Bob's one-time prekey after both sides have used it
+                if (exchangeResult.usedOneTimePrekey) {
+                    consumeSignalOneTimePrekey(bob);
+                }
+                aliceSecretHex = bufferToSignalHex(exchangeResult.masterSecret);
+                bobSecretHex = bufferToSignalHex(bobSecret);
+                success = aliceSecretHex === bobSecretHex;
+                return [2 /*return*/, {
+                        success: success,
+                        aliceSecret: aliceSecretHex,
+                        bobSecret: bobSecretHex,
+                        usedOneTimePrekey: exchangeResult.usedOneTimePrekey,
+                        alice: alice,
+                        bob: bob,
+                        exchangeResult: exchangeResult,
+                    }];
+            case 7:
+                error_12 = _a.sent();
+                console.error("Error during Signal Protocol demonstration:", error_12);
+                throw error_12;
+            case 8: return [2 /*return*/];
+        }
+    });
+}); };
+// ========================================
+// Legacy compatibility functions for Signal Protocol implementations
+// These functions work with ArrayBuffer instead of CryptoKey
+// and use @noble/curves as fallback when Web Crypto API doesn't support X25519
+// ========================================
+/**
+ * Generate a key pair in legacy ArrayBuffer format for compatibility with Signal implementations
+ * Uses @noble/curves if available, otherwise generates and exports CryptoKeyPair
+ */
+export var generateSignalKeyPairLegacy = function (privKey) { return __awaiter(void 0, void 0, void 0, function () {
+    var privKeyBytes, randomBytes, pubKeyBytes, keyPair, pubKey, privKeyExported;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                if (x25519Noble) {
+                    privKeyBytes = void 0;
+                    if (privKey) {
+                        privKeyBytes = new Uint8Array(privKey);
+                    }
+                    else {
+                        randomBytes = new Uint8Array(32);
+                        crypto.getRandomValues(randomBytes);
+                        privKeyBytes = new Uint8Array(randomBytes);
+                    }
+                    // Normalize private key for X25519
+                    privKeyBytes[0] &= 248; // Clear bottom 3 bits
+                    privKeyBytes[31] &= 127; // Clear top bit
+                    privKeyBytes[31] |= 64; // Set second highest bit
+                    pubKeyBytes = x25519Noble.getPublicKey(privKeyBytes);
+                    return [2 /*return*/, {
+                            pubKey: pubKeyBytes.buffer.slice(pubKeyBytes.byteOffset, pubKeyBytes.byteOffset + pubKeyBytes.byteLength),
+                            privKey: privKeyBytes.buffer.slice(),
+                        }];
+                }
+                return [4 /*yield*/, generateSignalKeyPair()];
+            case 1:
+                keyPair = _a.sent();
+                return [4 /*yield*/, exportSignalPublicKey(keyPair.publicKey)];
+            case 2:
+                pubKey = _a.sent();
+                return [4 /*yield*/, exportSignalPrivateKey(keyPair.privateKey)];
+            case 3:
+                privKeyExported = _a.sent();
+                return [2 /*return*/, {
+                        pubKey: pubKey,
+                        privKey: privKeyExported,
+                    }];
+        }
+    });
+}); };
+/**
+ * Perform ECDH in legacy ArrayBuffer format for compatibility with Signal implementations
+ * Uses @noble/curves if available, otherwise uses Web Crypto API
+ */
+export var performSignalDHLegacy = function (pubKey, privKey) { return __awaiter(void 0, void 0, void 0, function () {
+    var pubKeyBytes, privKeyBytes, normalizedPrivKey, sharedSecret, publicKeyCrypto, privateKeyCrypto;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                if (x25519Noble) {
+                    pubKeyBytes = new Uint8Array(pubKey);
+                    privKeyBytes = new Uint8Array(privKey);
+                    normalizedPrivKey = new Uint8Array(privKeyBytes);
+                    normalizedPrivKey[0] &= 248;
+                    normalizedPrivKey[31] &= 127;
+                    normalizedPrivKey[31] |= 64;
+                    sharedSecret = x25519Noble.getSharedSecret(normalizedPrivKey, pubKeyBytes);
+                    // Convert to ArrayBuffer
+                    return [2 /*return*/, sharedSecret.buffer.slice(sharedSecret.byteOffset, sharedSecret.byteOffset + sharedSecret.byteLength)];
+                }
+                return [4 /*yield*/, importSignalPublicKey(pubKey)];
+            case 1:
+                publicKeyCrypto = _a.sent();
+                return [4 /*yield*/, importSignalPrivateKey(privKey)];
+            case 2:
+                privateKeyCrypto = _a.sent();
+                return [4 /*yield*/, performSignalDH(privateKeyCrypto, publicKeyCrypto)];
+            case 3: return [2 /*return*/, _a.sent()];
+        }
+    });
+}); };
+/**
+ * Sign data with Ed25519 in legacy ArrayBuffer format for compatibility with Signal implementations
+ * Uses @noble/curves if available, otherwise uses Web Crypto API
+ */
+export var signSignalDataLegacy = function (privKey, message) { return __awaiter(void 0, void 0, void 0, function () {
+    var privKeyBytes, messageBytes, signature, keyPair;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                if (ed25519Noble) {
+                    privKeyBytes = new Uint8Array(privKey);
+                    messageBytes = new Uint8Array(message);
+                    signature = ed25519Noble.sign(messageBytes, privKeyBytes);
+                    // Convert to ArrayBuffer
+                    return [2 /*return*/, signature.buffer.slice(signature.byteOffset, signature.byteOffset + signature.byteLength)];
+                }
+                return [4 /*yield*/, generateSignalSigningKeyPair()];
+            case 1:
+                keyPair = _a.sent();
+                return [4 /*yield*/, signSignalData(keyPair.privateKey, message)];
+            case 2: return [2 /*return*/, _a.sent()];
+        }
+    });
+}); };
+/**
+ * Verify Ed25519 signature in legacy ArrayBuffer format for compatibility with Signal implementations
+ * Uses @noble/curves if available, otherwise uses Web Crypto API
+ */
+export var verifySignalSignatureLegacy = function (pubKey, msg, sig) { return __awaiter(void 0, void 0, void 0, function () {
+    var pubKeyBytes, messageBytes, signatureBytes, publicKey;
+    return __generator(this, function (_a) {
+        switch (_a.label) {
+            case 0:
+                if (ed25519Noble) {
+                    pubKeyBytes = new Uint8Array(pubKey);
+                    messageBytes = new Uint8Array(msg);
+                    signatureBytes = new Uint8Array(sig);
+                    try {
+                        return [2 /*return*/, ed25519Noble.verify(signatureBytes, messageBytes, pubKeyBytes)];
+                    }
+                    catch (e) {
+                        return [2 /*return*/, false];
+                    }
+                }
+                return [4 /*yield*/, importSignalSigningPublicKey(pubKey)];
+            case 1:
+                publicKey = _a.sent();
+                return [4 /*yield*/, verifySignalSignature(publicKey, sig, msg)];
+            case 2: return [2 /*return*/, _a.sent()];
+        }
+    });
+}); };