@nomicfoundation/hardhat-keystore
Version:
A module for managing keystore files that store a map from IDs to encrypted string values.
251 lines • 9 kB
TypeScript
export declare const KEYSTORE_VERSION: "hardhat-v3-keystore-1";
export declare const PASSWORD_NORMALIZATION_FORM: "NFKC";
export declare const KEY_DERIVATION_ALGORITHM: "scrypt";
export declare const KEY_DERIVATION_PARAM_N: 131072;
export declare const KEY_DERIVATION_PARAM_R: 8;
export declare const KEY_DERIVATION_PARAM_P: 1;
export declare const KEY_DERIVATION_SALT_LENGTH_BYTES: 32;
export declare const MASTER_KEY_LENGTH_BITS: 256;
export declare const HMAC_ALGORITHM: "HMAC-SHA-256";
export declare const HMAC_KEY_LENGTH_BITS: 256;
export declare const DATA_ENCRYPTION_ALGORITHM: "AES-GCM-SIV";
export declare const DATA_ENCRYPTION_KEY_LENGTH_BITS: 256;
export declare const DATA_ENCRYPTION_IV_LENGTH_BYTES: 12;
/**
* This interface represents an encrypted keystore.
*
* Every data buffer here is represented as a hex string (without "0x" prefix).
*/
export interface EncryptedKeystore {
version: typeof KEYSTORE_VERSION;
crypto: {
masterKeyDerivation: {
algorithm: typeof KEY_DERIVATION_ALGORITHM;
paramN: typeof KEY_DERIVATION_PARAM_N;
paramP: typeof KEY_DERIVATION_PARAM_P;
paramR: typeof KEY_DERIVATION_PARAM_R;
unicodeNormalizationForm: typeof PASSWORD_NORMALIZATION_FORM;
keyLength: typeof MASTER_KEY_LENGTH_BITS;
salt: string;
};
encryption: {
algorithm: typeof DATA_ENCRYPTION_ALGORITHM;
keyLength: typeof DATA_ENCRYPTION_KEY_LENGTH_BITS;
};
hmac: {
algorithm: typeof HMAC_ALGORITHM;
keyLength: typeof HMAC_KEY_LENGTH_BITS;
};
};
dataEncryptionKey: SerializedEncryptedData;
hmacKey: SerializedEncryptedData;
hmac: string;
secrets: Record<string, SerializedEncryptedData>;
}
/**
* This interface represents an encrypted data buffer.
*/
export interface EncryptedData {
/**
* The initialization vector used to encrypt the data.
*/
iv: Uint8Array;
/**
* The encrypted data buffer.
*/
cypherText: Uint8Array;
}
/**
* The hex-encoding serialization of EncryptedData.
*/
export interface SerializedEncryptedData {
iv: string;
cypherText: string;
}
/**
* Serializes an EncryptedData object into a SerializedEncryptedData object.
*/
export declare function serializeEncryptedData(data: EncryptedData): SerializedEncryptedData;
/**
* Deserializes a SerializedEncryptedData object into an EncryptedData object.
*/
export declare function deserializeEncryptedData(serializedData: SerializedEncryptedData): EncryptedData;
/**
* Uses JSON.stringify with a custom replacer to make sure that a
* JsonWithNumbersAndStrings is serialized deterministically.
*
* This function only supports objects whose values are numbers, strings, or
* objects with the same constraints.
*/
export declare function deterministicJsonStringify<ObjectT extends object>(obj: ObjectT): string;
declare abstract class CustomError extends Error {
stack: string;
constructor(message: string, cause?: Error);
}
export declare class UnsupportedTypeInDeterministicJsonError extends CustomError {
readonly type: string;
constructor(type: string);
}
export declare class DecryptionError extends CustomError {
constructor(cause?: Error);
}
export declare class SecretNotFoundError extends CustomError {
readonly key: string;
constructor(key: string);
}
export declare class HmacKeyDecryptionError extends CustomError {
constructor(cause?: Error);
}
export declare class InvalidHmacError extends CustomError {
constructor();
}
/**
* Encrypts the utf-8 encoded value using the master key, and a new random iv.
*
* @param encryptionKey The encryption key to use.
* @param value The value to encrypt, which will be utf-8 encoded.
* @returns An object containing the iv and cypherText.
*
* @remarks
* The random IV is only 12 bytes, so we are assuming that no more than 2^20 encryptions are done with the same key
* as the probability of IV collision reaches 2^-57 at that point.
*/
export declare function encryptUtf8String({ encryptionKey, value, }: {
encryptionKey: Uint8Array;
value: string;
}): EncryptedData;
/**
* Decrypts an utf-8 string using the master key and the iv.
*
* @param encryptionKey The encryption key to use.
* @param iv The iv to use.
* @param cypherText The cypherText to decrypt, which will then be utf-8
* decoded.
* @returns The decrypted value.
*/
export declare function decryptUtf8String({ encryptionKey, data, }: {
encryptionKey: Uint8Array;
data: EncryptedData;
}): string;
/**
* Creates a new master key from the password. This function can be called
* multiple times to derive new keys from the same password.
*
* @param password The user's password.
* @returns An object containing the salt and master key.
*/
export declare function createMasterKey({ password }: {
password: string;
}): {
salt: Uint8Array;
masterKey: Uint8Array;
};
/**
* Creates an empty EncryptedKeystore.
*
* To add and remove secrets to it see `addSecretToKeystore` and
* `removeSecretFromKeystore`.
*
* @param masterKey The master key to use.
* @param salt The salt of the master key.
* @returns The empty EncryptedKeystore.
*/
export declare function createEmptyEncryptedKeystore({ masterKey, salt, }: {
masterKey: Uint8Array;
salt: Uint8Array;
}): EncryptedKeystore;
/**
* Derives the master key from an existing keystore, using the user's password.
*
* @param password The user's password.
* @param encryptedKeystore The keystore, where the master key's salt is stored.
* @returns The derived master key. This value is safe to keep in memory.
*/
export declare function deriveMasterKeyFromKeystore({ password, encryptedKeystore, }: {
password: string;
encryptedKeystore: EncryptedKeystore;
}): Uint8Array;
/**
* Checks if the specified key exists in the provided encrypted keystore.
*
* @param masterKey The master key to use.
* @param encryptedKeystore - The encrypted keystore object containing the secrets.
* @param key - The name of the secret to check for existence.
* @returns True if the key is present in the keystore, otherwise false.
*
* @remarks
* This function first calls `validateHmac` to verify the cryptographic integrity of
* the keystore before checking for the existence of the specified key.
*/
export declare function doesKeyExist({ masterKey, encryptedKeystore, key, }: {
masterKey: Uint8Array;
encryptedKeystore: EncryptedKeystore;
key: string;
}): boolean;
/**
* Adds a secret to an existing keystore.
*
* @param masterKey The master key to use.
* @param encryptedKeystore The keystore to add the secret to.
* @param key The key of the secret to add.
* @param value The value of the secret to add.
* @returns A new EncryptedKeystore, where the secret has been added.
*/
export declare function addSecretToKeystore({ masterKey, encryptedKeystore, key, value, }: {
masterKey: Uint8Array;
encryptedKeystore: EncryptedKeystore;
key: string;
value: string;
}): EncryptedKeystore;
/**
* Removes a secret from an existing keystore.
*
* @param masterKey The master key to use.
* @param encryptedKeystore The keystore to remove the secret from.
* @param keyToRemove The key of the secret to remove.
* @returns A new EncryptedKeystore, where the secret has been removed.
*/
export declare function removeSecretFromKeystore({ masterKey, encryptedKeystore, keyToRemove, }: {
masterKey: Uint8Array;
encryptedKeystore: EncryptedKeystore;
keyToRemove: string;
}): EncryptedKeystore;
/**
* Decrypts an individual secret from the EncryptedKeystoreValuesEnvelope.
*
* @param masterKey The master key to use.
* @param valuesEnvelope The EncryptedKeystoreValuesEnvelope, where the secret
* is stored.
* @param key The key of the secret to decrypt.
* @returns The decrypted secret. Do not keep this value in memory.
*/
export declare function decryptSecret({ masterKey, encryptedKeystore, key, }: {
masterKey: Uint8Array;
encryptedKeystore: EncryptedKeystore;
key: string;
}): string;
/**
* Generates the hmac of an encrypted keystore.
*
* @param masterKey The keystore's master key to use.
* @param encryptedKeystore The keystore to generate the hmac for, without the
* hmac field.
* @returns The hmac.
*/
export declare function generateEncryptedKeystoreHmac({ masterKey, encryptedKeystore, }: {
masterKey: Uint8Array;
encryptedKeystore: Omit<EncryptedKeystore, "hmac">;
}): Uint8Array;
/**
* Throws an error if the hmac present in the encrypted keystore doesn't match
* a newly generated one.
*
* @param masterKey The keystore's master key to use.
* @param encryptedKeystore The keystore whose hmac should be validated.
*/
export declare function validateHmac({ masterKey, encryptedKeystore, }: {
masterKey: Uint8Array;
encryptedKeystore: EncryptedKeystore;
}): void;
export {};
//# sourceMappingURL=encryption.d.ts.map