UNPKG

age-encryption

Version:

<p align="center"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://github.com/FiloSottile/age/blob/main/logo/logo_white.svg"> <source media="(prefers-color-scheme: light)" srcset="https://github.com/FiloSottile/a

github.com/FiloSottile/typage

FiloSottile/typage

135 lines (134 loc) 5.54 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
import { Identity, Recipient } from "./index.js"; import { Stanza } from "./format.js"; /** * Options for {@link createCredential}. */ export interface CreationOptions { /** * The name of the key. This will be shown in various platform UIs. * * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions#name_2 | PublicKeyCredentialCreationOptions.user.name} */ keyName: string; /** * The type of credential to create. * * If the default `passkey` is used, the credential will be required to be * discoverable. This means that the user will be able to select it from a * list of credentials even if {@link Options.identity} is not set. * * If `security-key` is used, the `security-key` hint and the `discouraged` * residentKey option will be passed to the authenticator. The returned * identity string MUST be passed with {@link Options.identity} to encrypt * and decrypt files, and CAN'T be regenerated if lost. The UI will prompt * the user to use a hardware token. The returned identity might also be * usable with age-plugin-fido2prf outside the browser. * * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions#residentkey | PublicKeyCredentialCreationOptions.authenticatorSelection.residentKey} * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions#hints | PublicKeyCredentialCreationOptions.hints} */ type?: "passkey" | "security-key"; /** * The relying party ID to use for the WebAuthn credential. * * This must be the origin's domain (e.g. `app.example.com`), or a parent * (e.g. `example.com`). Note that credentials are available to subdomains * of the RP ID, but not to parents, so it's important to choose the right * RP ID. * * @see {@link https://www.imperialviolet.org/tourofwebauthn/tourofwebauthn.html#relying-party-ids | A Tour of WebAuthn § Relying party IDs} * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialCreationOptions#id_2 | PublicKeyCredentialCreationOptions.rp.id} */ rpId?: string; } declare global { interface PublicKeyCredentialCreationOptions { hints?: ("security-key" | "client-device" | "hybrid")[]; } interface PublicKeyCredentialRequestOptions { hints?: ("security-key" | "client-device" | "hybrid")[]; } } /** * Creates a new WebAuthn credential which can be used for encryption and * decryption. * * @returns The identity string to use for encryption or decryption. * * This string begins with `AGE-PLUGIN-FIDO2PRF-1...` and encodes the credential ID, * the relying party ID, and the transport hint. * * If the credential was created with {@link CreationOptions."type"} set to the * default `passkey`, this string is mostly a hint to make selecting the * credential easier. If the credential was created with `security-key`, this * string is required to encrypt and decrypt files, and can't be regenerated if * lost. * * @see {@link Options.identity} * @experimental */ export declare function createCredential(options: CreationOptions): Promise<string>; /** * Options for {@link WebAuthnRecipient} and {@link WebAuthnIdentity}. */ export interface Options { /** * The identity string to use for encryption or decryption. * * If set, the file will be encrypted or decrypted with this specific * credential. Otherwise, the user will be prompted to select a discoverable * credential from those available for the RP (which might include login * credentials, which won't work). * * @see {@link createCredential} */ identity?: string; /** * The relying party ID for discoverable credentials. Ignored if * {@link identity} is set, as the RP ID is parsed from the identity. * * @see {@link CreationOptions.rpId} * @see {@link https://developer.mozilla.org/en-US/docs/Web/API/PublicKeyCredentialRequestOptions#rpid | PublicKeyCredentialRequestOptions.rpId} */ rpId?: string; } declare class WebAuthnInternal { private credId; private transports; private rpId; constructor(options?: Options); protected getCredential(nonce: Uint8Array): Promise<AuthenticationExtensionsPRFValues>; } /** * A {@link Recipient} that symmetrically encrypts file keys using a WebAuthn * credential, such as a passkey or a security key. * * The credential needs to already exist, and support the PRF extension. * Usually, it would have been created with {@link createCredential}. * * @see {@link Encrypter.addRecipient} * @experimental */ export declare class WebAuthnRecipient extends WebAuthnInternal implements Recipient { /** * Implements {@link Recipient.wrapFileKey}. */ wrapFileKey(fileKey: Uint8Array): Promise<Stanza[]>; } /** * An {@link Identity} that symmetrically decrypts file keys using a WebAuthn * credential, such as a passkey or a security key. * * The credential needs to already exist, and support the PRF extension. * Usually, it would have been created with {@link createCredential}. * * @see {@link Decrypter.addIdentity} * @experimental */ export declare class WebAuthnIdentity extends WebAuthnInternal implements Identity { /** * Implements {@link Identity.unwrapFileKey}. */ unwrapFileKey(stanzas: Stanza[]): Promise<Uint8Array | null>; } export {};