toiljs 0.0.51 → 0.0.53

package/build/client/auth.d.ts

@@ -1,4 +1,11 @@
 export declare const LOGIN_CONTEXT = "qauth:login:v1";
+export declare const REGISTER_CONTEXT = "qauth:register:v1";
+export declare const SESSION_KEY_LABEL = "toil-session-key-v1";
+export declare const SERVER_CONFIRM_LABEL = "toil-server-confirm-v1";
+export declare const KEM_PUBLIC_KEY_LEN = 1184;
+export declare const KEM_CIPHERTEXT_LEN = 1088;
+export declare const SHARED_SECRET_LEN = 32;
+export declare const SERVER_KEM_PUBLIC_KEY: Uint8Array<ArrayBufferLike>;
 export declare const PUBLIC_KEY_LEN = 1312;
 export declare const SECRET_KEY_LEN = 2560;
 export declare const SIGNATURE_LEN = 2420;
@@ -9,34 +16,16 @@ export interface KdfParams {
     readonly parallelism: number;
     readonly salt: Uint8Array;
 }
-export interface Challenge {
-    readonly cid: Uint8Array;
-    readonly aud: string;
-    readonly kdf: KdfParams;
-    readonly nonce: Uint8Array;
-    readonly iat: bigint;
-    readonly exp: bigint;
-}
-export declare function buildLoginMessage(sub: string, aud: string, cid: Uint8Array, nonce: Uint8Array, iat: bigint, exp: bigint): Uint8Array;
+export declare function buildLoginMessage(sub: string, aud: string, cid: Uint8Array, nonce: Uint8Array, iat: bigint, exp: bigint, ciphertext: Uint8Array, memKiB: number, iterations: number, parallelism: number, serverKemKeyId: Uint8Array): Uint8Array;
+export declare function buildRegisterMessage(username: string, publicKey: Uint8Array): Uint8Array;
 export interface AuthOptions {
     readonly baseUrl?: string;
 }
 export declare function register(username: string, password: string, opts?: AuthOptions): Promise<void>;
 export declare function login(username: string, password: string, opts?: AuthOptions): Promise<Uint8Array>;
-export interface IdentityProof {
-    readonly envelope: Uint8Array;
-    readonly publicKeyHex: string;
-    readonly nonceHex: string;
-    readonly signatureLen: number;
-    readonly deriveMs: number;
-}
-export declare function proveIdentity(username: string, password: string, opts?: {
-    baseUrl?: string;
-}): Promise<IdentityProof>;
 export declare const Auth: {
     readonly register: typeof register;
     readonly login: typeof login;
-    readonly proveIdentity: typeof proveIdentity;
     readonly buildLoginMessage: typeof buildLoginMessage;
     readonly LOGIN_CONTEXT: "qauth:login:v1";
 };

package/build/client/auth.js

@@ -1,7 +1,22 @@
-import { argon2id, sha256 } from 'hash-wasm';
+import { argon2id, createSHA256, createHMAC } from 'hash-wasm';
 import { ml_dsa44 } from '@dacely/noble-post-quantum/ml-dsa.js';
+import { ml_kem768 } from '@dacely/noble-post-quantum/ml-kem.js';
+import { ristretto255_oprf } from '@noble/curves/ed25519.js';
 import { DataReader, DataWriter } from 'toiljs/io';
 export const LOGIN_CONTEXT = 'qauth:login:v1';
+export const REGISTER_CONTEXT = 'qauth:register:v1';
+export const SESSION_KEY_LABEL = 'toil-session-key-v1';
+export const SERVER_CONFIRM_LABEL = 'toil-server-confirm-v1';
+export const KEM_PUBLIC_KEY_LEN = 1184;
+export const KEM_CIPHERTEXT_LEN = 1088;
+export const SHARED_SECRET_LEN = 32;
+function fromHex(hex) {
+    const out = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < out.length; i++)
+        out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
+    return out;
+}
+export const SERVER_KEM_PUBLIC_KEY = fromHex('29d765e8083182891302569b3712a856e564fdd484b0706b0c68568d5ab7edc742cf74459d64595455a60f267973aa55e43c5be61925a3822eafcca445e36dc4655636e31e6fc9bec338b253f94290008ef7f40dbddb49c15c690f6755a23a1b3c85cfd5207e71a607086a6fc6d74a05080f43276901a19cafdb8de7771d58ea07f0f1056b905127b22223d08e75173199f13ab13c5dcd3b51ac784f84e520484a262b845a897c41cf27324ab6ba545c78c9ccab361051e0bba53498af26240fa0d566d1572684f4b42e253e6d052c848650915063c35641e1121ef8d9cfd17b667b351103c56d195007c9376d0c08aa268396814490eab4c364175a94533267a1933862cc4c33bcf0a13d1fa2b9d6c5082eeca1480672f2526cbe013beff14dc908a386e0b633c8761023cbed760deac6709bc328d865ac82e12307b673d96711dbb27a4d939230d25b53d594169a318be0200fa33550e9418e2a3b30e9719edc09d5fc4306f1abfd021eab14637a8a72c5931d25dc9b56db0e6ab677522b10f25307dbb804a6774ce05b87b0976a4b227bfe6caf20a79e64004fbd27b1eea018b3ab8ffa629f2dc87f19278f95168e94e44660a3370c537795678eb2f056260609769740583b51b291862927a1938737c6a37f40b78f00671cccbcb88ac3427b37915ed58782998f84051647707d48995472baad3f64a7cca54e1c0734db08751c614a34f28b84f2c1b5a6817355ab61957c486b7acffbc092bc8a7b46387f33b53ed372f7168d31a71cd008539928b0cdf91e835aa97f6a2be6d327b87a6ae478701d75a59a25179cb14997bb2552853014724170a1c49b82c2bcebc3279024e1fa44c53c7afdc43f0bd22116490f3b74c90e7296be58b9a91168f2fa0c3d378a3bcac959f357825c9976a8c9ee944f29b45e96d7345d9b478431a20cf1c5d3a3227c717fd204619777636c0cb140db5c50d2a3302334461030bee34e4eb1a6f02b733f9ccda4290fa168bc039568373241542728d00030d1f251e83737cb215adbdc1de75978675a0cd0d75b12748abdda7a9852629c63697d145af2c69854b06e03f37c4b064e4c9a4c03f2ad4d081e70180e9547247921918118086b62b4f7727f46b24e3e79ba3f28209f32b5102035bf935856232f83642268c0292ec6bf8e9462382163d30a20b4bcb7b4439310ec9d0a148193907fc07697342967cf1a16c6b3c71558951fa915400736cf699262b54b723abb2ecc27b74b68ee494287595ef818388adb49e883c67bfa5c226c0eef037a0851a29d34675912c1ea1068310b6dfcd017c809c8fbfc2c3ae78dfef07299960eeefba182662a90fa422c1790f356a2ea909012b15623a9b9e450a282cb530589a68368b3583159d9010ac3e52cc974753c342e58279516339dfb691df94b13a223ad97eb6a09c21dafe6304a3642d6d2067b5238497661fe88ad1227ca3557be2a576b6e17c5a7f997ea07929e76407e376aba74c44cd8504804776f39bbb8327624188a63501e83b404d9438cade0b11dc3ac61856447fb072b91761c228878f01b2eb6b4b21ba664c2c75882431603b25a449ffeb8410b910558581777562aa9b2181fd9c04713ad9326462d3e842121c4997f9aa932417c67851625816de66e0d65637434629f39');
 export const PUBLIC_KEY_LEN = 1312;
 export const SECRET_KEY_LEN = 2560;
 export const SIGNATURE_LEN = 2420;
@@ -10,9 +25,9 @@ function wipe(buf) {
     crypto.getRandomValues(buf);
     buf.fill(0);
 }
-async function deriveSeed(password, kdf) {
+async function deriveSeed(oprfOutput, kdf) {
     return argon2id({
-        password: new TextEncoder().encode(password.normalize('NFKC')),
+        password: oprfOutput,
         salt: kdf.salt,
         iterations: kdf.iterations,
         parallelism: kdf.parallelism,
@@ -21,7 +36,40 @@ async function deriveSeed(password, kdf) {
         outputType: 'binary',
     });
 }
-export function buildLoginMessage(sub, aud, cid, nonce, iat, exp) {
+const utf8 = (s) => new TextEncoder().encode(s);
+async function sha256Bytes(data) {
+    const h = await createSHA256();
+    h.init();
+    h.update(data);
+    return h.digest('binary');
+}
+async function hmacSha256(key, msg) {
+    const h = await createHMAC(createSHA256(), key);
+    h.init();
+    h.update(msg);
+    return h.digest('binary');
+}
+function concatBytes(...parts) {
+    let n = 0;
+    for (const p of parts)
+        n += p.length;
+    const out = new Uint8Array(n);
+    let off = 0;
+    for (const p of parts) {
+        out.set(p, off);
+        off += p.length;
+    }
+    return out;
+}
+function bytesEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+}
+export function buildLoginMessage(sub, aud, cid, nonce, iat, exp, ciphertext, memKiB, iterations, parallelism, serverKemKeyId) {
     return new DataWriter()
         .writeU8(1)
         .writeString(sub)
@@ -30,8 +78,16 @@ export function buildLoginMessage(sub, aud, cid, nonce, iat, exp) {
         .writeBytes(nonce)
         .writeU64(iat)
         .writeU64(exp)
+        .writeBytes(ciphertext)
+        .writeU32(memKiB)
+        .writeU32(iterations)
+        .writeU32(parallelism)
+        .writeBytes(serverKemKeyId)
         .toBytes();
 }
+export function buildRegisterMessage(username, publicKey) {
+    return new DataWriter().writeU8(1).writeString(username).writeBytes(publicKey).toBytes();
+}
 function decodeKdf(r) {
     return {
         memKiB: r.readU32(),
@@ -40,15 +96,6 @@ function decodeKdf(r) {
         salt: r.readBytes(),
     };
 }
-function decodeChallenge(r) {
-    const cid = r.readBytes();
-    const aud = r.readString();
-    const kdf = decodeKdf(r);
-    const nonce = r.readBytes();
-    const iat = r.readU64();
-    const exp = r.readU64();
-    return { cid, aud, kdf, nonce, iat, exp };
-}
 async function postBinary(baseUrl, path, body) {
     const res = await fetch(baseUrl + path, {
         method: 'POST',
@@ -62,39 +109,68 @@ async function postBinary(baseUrl, path, body) {
 }
 export async function register(username, password, opts = {}) {
     const baseUrl = opts.baseUrl ?? '/auth';
-    const start = await postBinary(baseUrl, '/register/start', new DataWriter().writeString(username).toBytes());
+    const oprf = ristretto255_oprf.oprf;
+    const pw = utf8(password.normalize('NFKC'));
+    const { blind, blinded } = oprf.blind(pw);
+    const start = await postBinary(baseUrl, '/register/start', new DataWriter().writeString(username).writeBytes(blinded).toBytes());
     const status = start.readU8();
     if (status !== 0)
         throw new Error('auth: registration unavailable');
     const kdf = decodeKdf(start);
-    const seed = await deriveSeed(password, kdf);
+    const evaluated = start.readBytes();
+    const oprfOutput = oprf.finalize(pw, blind, evaluated);
+    const seed = await deriveSeed(oprfOutput, kdf);
     let publicKey;
+    let regProof;
     try {
         const kp = ml_dsa44.keygen(seed);
         publicKey = kp.publicKey;
-        wipe(kp.secretKey);
+        try {
+            regProof = ml_dsa44.sign(buildRegisterMessage(username, publicKey), kp.secretKey, {
+                context: utf8(REGISTER_CONTEXT),
+            });
+        }
+        finally {
+            wipe(kp.secretKey);
+        }
     }
     finally {
         wipe(seed);
     }
     if (publicKey.length !== PUBLIC_KEY_LEN)
         throw new Error('auth: bad public key length');
-    const finish = await postBinary(baseUrl, '/register/finish', new DataWriter().writeString(username).writeBytes(publicKey).toBytes());
-    if (finish.readU8() !== 0)
+    const finish = await postBinary(baseUrl, '/register/finish', new DataWriter().writeString(username).writeBytes(publicKey).writeBytes(regProof).toBytes());
+    const finishStatus = finish.readU8();
+    if (finishStatus === 1)
+        throw new Error('auth: username already registered (log in instead)');
+    if (finishStatus !== 0)
         throw new Error('auth: registration rejected');
 }
 export async function login(username, password, opts = {}) {
     const baseUrl = opts.baseUrl ?? '/auth';
-    const ch = decodeChallenge(await postBinary(baseUrl, '/login/start', new DataWriter().writeString(username).toBytes()));
-    if (BigInt(Math.floor(Date.now() / 1000)) >= ch.exp)
+    const oprf = ristretto255_oprf.oprf;
+    const pw = utf8(password.normalize('NFKC'));
+    const { blind, blinded } = oprf.blind(pw);
+    const r = await postBinary(baseUrl, '/login/start', new DataWriter().writeString(username).writeBytes(blinded).toBytes());
+    const cid = r.readBytes();
+    const aud = r.readString();
+    const kdf = decodeKdf(r);
+    const nonce = r.readBytes();
+    const iat = r.readU64();
+    const exp = r.readU64();
+    const evaluated = r.readBytes();
+    if (BigInt(Math.floor(Date.now() / 1000)) >= exp)
         throw new Error('auth: challenge expired');
-    const message = buildLoginMessage(username, ch.aud, ch.cid, ch.nonce, ch.iat, ch.exp);
-    const seed = await deriveSeed(password, ch.kdf);
+    const oprfOutput = oprf.finalize(pw, blind, evaluated);
+    const seed = await deriveSeed(oprfOutput, kdf);
+    const { cipherText, sharedSecret } = ml_kem768.encapsulate(SERVER_KEM_PUBLIC_KEY);
+    const serverKemKeyId = await sha256Bytes(SERVER_KEM_PUBLIC_KEY);
+    const message = buildLoginMessage(username, aud, cid, nonce, iat, exp, cipherText, kdf.memKiB, kdf.iterations, kdf.parallelism, serverKemKeyId);
     let signature;
     try {
         const kp = ml_dsa44.keygen(seed);
         try {
-            signature = ml_dsa44.sign(message, kp.secretKey, { context: new TextEncoder().encode(LOGIN_CONTEXT) });
+            signature = ml_dsa44.sign(message, kp.secretKey, { context: utf8(LOGIN_CONTEXT) });
         }
         finally {
             wipe(kp.secretKey);
@@ -105,78 +181,19 @@ export async function login(username, password, opts = {}) {
     }
     if (signature.length !== SIGNATURE_LEN)
         throw new Error('auth: bad signature length');
-    const res = await postBinary(baseUrl, '/login/finish', new DataWriter().writeBytes(ch.cid).writeBytes(signature).toBytes());
-    if (res.readU8() !== 0)
+    const res = await postBinary(baseUrl, '/login/finish', new DataWriter().writeBytes(cid).writeBytes(cipherText).writeBytes(signature).toBytes());
+    if (res.readU8() !== 0) {
+        wipe(sharedSecret);
         throw new Error('auth: login failed');
-    return res.readBytes();
-}
-function toHex(bytes) {
-    let s = '';
-    for (const b of bytes)
-        s += b.toString(16).padStart(2, '0');
-    return s;
-}
-async function demoSalt(username) {
-    const hex = await sha256('pq-demo|' + username);
-    const out = new Uint8Array(16);
-    for (let i = 0; i < 16; i++)
-        out[i] = parseInt(hex.slice(i * 2, i * 2 + 2), 16);
-    return out;
-}
-export async function proveIdentity(username, password, opts = {}) {
-    const baseUrl = opts.baseUrl ?? '/pq';
-    const cres = await fetch(baseUrl + '/challenge', { credentials: 'same-origin' });
-    if (!cres.ok)
-        throw new Error('pq: challenge request failed');
-    const cr = new DataReader(new Uint8Array(await cres.arrayBuffer()));
-    const aud = cr.readString();
-    const cid = cr.readBytes();
-    const nonce = cr.readBytes();
-    const iat = cr.readU64();
-    const exp = cr.readU64();
-    const token = cr.readString();
-    const salt = await demoSalt(username);
-    const t0 = Date.now();
-    const seed = await argon2id({
-        password: new TextEncoder().encode(password.normalize('NFKC')),
-        salt,
-        iterations: 2,
-        parallelism: 1,
-        memorySize: 16 * 1024,
-        hashLength: SEED_LEN,
-        outputType: 'binary',
-    });
-    const deriveMs = Date.now() - t0;
-    const message = buildLoginMessage(username, aud, cid, nonce, iat, exp);
-    let publicKey;
-    let signature;
-    try {
-        const kp = ml_dsa44.keygen(seed);
-        publicKey = kp.publicKey;
-        try {
-            signature = ml_dsa44.sign(message, kp.secretKey, {
-                context: new TextEncoder().encode(LOGIN_CONTEXT),
-            });
-        }
-        finally {
-            wipe(kp.secretKey);
-        }
     }
-    finally {
-        wipe(seed);
-    }
-    const envelope = new DataWriter()
-        .writeString(username)
-        .writeString(token)
-        .writeBytes(publicKey)
-        .writeBytes(signature)
-        .toBytes();
-    return {
-        envelope,
-        publicKeyHex: toHex(publicKey.slice(0, 16)),
-        nonceHex: toHex(nonce.slice(0, 16)),
-        signatureLen: signature.length,
-        deriveMs,
-    };
+    const session = res.readBytes();
+    const serverConfirm = res.readBytes();
+    const transcriptHash = await sha256Bytes(message);
+    const sessionKey = await hmacSha256(sharedSecret, concatBytes(utf8(SESSION_KEY_LABEL), transcriptHash));
+    wipe(sharedSecret);
+    const expected = await hmacSha256(sessionKey, concatBytes(utf8(SERVER_CONFIRM_LABEL), transcriptHash));
+    if (!bytesEqual(expected, serverConfirm))
+        throw new Error('auth: server authentication failed');
+    return session;
 }
-export const Auth = { register, login, proveIdentity, buildLoginMessage, LOGIN_CONTEXT };
+export const Auth = { register, login, buildLoginMessage, LOGIN_CONTEXT };

package/build/client/index.d.ts

@@ -1,7 +1,7 @@
 export { mount } from './routing/mount.js';
 export { Router } from './routing/Router.js';
-export { Auth, register as authRegister, login as authLogin, proveIdentity, buildLoginMessage, LOGIN_CONTEXT } from './auth.js';
-export type { KdfParams, Challenge, AuthOptions, IdentityProof } from './auth.js';
+export { Auth, register as authRegister, login as authLogin, buildLoginMessage, LOGIN_CONTEXT } from './auth.js';
+export type { KdfParams, AuthOptions } from './auth.js';
 export { Link } from './navigation/Link.js';
 export type { LinkProps } from './navigation/Link.js';
 export { NavLink, matchActive } from './navigation/NavLink.js';

package/build/client/index.js

@@ -1,6 +1,6 @@
 export { mount } from './routing/mount.js';
 export { Router } from './routing/Router.js';
-export { Auth, register as authRegister, login as authLogin, proveIdentity, buildLoginMessage, LOGIN_CONTEXT } from './auth.js';
+export { Auth, register as authRegister, login as authLogin, buildLoginMessage, LOGIN_CONTEXT } from './auth.js';
 export { Link } from './navigation/Link.js';
 export { NavLink, matchActive } from './navigation/NavLink.js';
 export { navigate, back, forward, refresh, setViewTransitions, setTransitions, href, } from './navigation/navigation.js';