
avo-inspector


/**
 * Generates a new ECC key pair for encryption/decryption.
 * Uses the P-256 (prime256v1 / NIST P-256) curve, which is standard for the Web Crypto API.
 *
 * NOTE(review): the private key is handed back as a plain hex string. The
 * "Avo cannot decrypt the values on the backend" property documented on
 * encryptValue only holds while that string stays with the client, so keep it
 * out of logs, analytics payloads and source control.
 * NOTE(review): this declaration is synchronous and does not show which random
 * source backs key generation; confirm in the implementation that it is a CSPRNG.
 *
 * @returns An object containing the private and public keys as hex strings
 */
export declare function generateKeyPair(): { privateKey: string; publicKey: string; };

/**
 * Encrypts a value using ECC public key encryption (ECIES).
 * The encrypted output can only be decrypted by the client using their private key.
 * This ensures that Avo cannot decrypt the values on the backend.
 *
 * ECIES uses hybrid encryption (ECDH + AES-256-GCM) which provides:
 * - No message size limitations
 * - Fast encryption even for large values
 * - Strong authentication via GCM
 *
 * SPECIFICATION (Standard Web Crypto Profile):
 * 1. Curve: P-256 (prime256v1 / NIST P-256)
 * 2. Key Derivation (KDF): SHA-256(SharedSecret)
 * 3. Cipher: AES-256-GCM
 * 4. Serialization: [Version(1b)] + [EphemeralPubKey(33 or 65b)] + [IV(16b)] + [AuthTag(16b)] + [Ciphertext]
 *    Version 0x00 = Standard Web Profile
 *    EphemeralPubKey: 0x04 (uncompressed) + 64 bytes = 65 bytes total, or compressed format (33 bytes)
 *
 * NOTE(review): the GCM tag protects the integrity of the ciphertext under the
 * derived key. It does not identify the sender: anyone who holds the public key
 * can produce a ciphertext that decrypts successfully, so decrypted content
 * should not be treated as coming from a trusted party.
 * NOTE(review): the KDF as specified is a single SHA-256 over the ECDH shared
 * secret (no salt or context input), and the IV is 16 bytes where 12 bytes is
 * the length NIST SP 800-38D recommends for GCM. Both are fixed by wire-format
 * version 0x00, so changing either would presumably need a new version byte.
 * NOTE(review): the format carries no length field for EphemeralPubKey, so a
 * parser has to tell the 33- and 65-byte encodings apart from the leading byte
 * (0x04 = uncompressed per the line above) - verify against the implementation.
 *
 * @param value - The value to encrypt (any type - will be JSON stringified).
 *   Values JSON cannot represent (e.g. undefined, functions) will presumably not
 *   round-trip through decryptValue - confirm.
 * @param publicKey - The ECC public key in hex format provided by the client
 * @returns Promise resolving to base64-encoded encrypted string that can only be decrypted with the private key
 */
export declare function encryptValue(value: any, publicKey: string): Promise<string>;

/**
 * Decrypts a value that was encrypted with encryptValue.
 *
 * SPECIFICATION (Standard Web Crypto Profile):
 * 1. Curve: P-256 (prime256v1 / NIST P-256)
 * 2. Key Derivation (KDF): SHA-256(SharedSecret)
 * 3. Cipher: AES-256-GCM
 * 4. Deserialization: [Version(1b)] + [EphemeralPubKey(33 or 65b)] + [IV(16b)] + [AuthTag(16b)] + [Ciphertext]
 *
 * NOTE(review): the declaration does not show failure behaviour. Presumably the
 * promise rejects on an auth-tag mismatch, an unknown version byte, truncated
 * input or invalid base64 - confirm, and handle the rejection at call sites.
 * NOTE(review): the result is typed `any` and comes from JSON parsing of data
 * that any holder of the public key could have encrypted; validate its shape
 * before use rather than relying on the static type.
 *
 * @param encryptedValue - The base64-encoded encrypted string
 * @param privateKey - The ECC private key in hex format
 * @returns Promise resolving to the original decrypted value (parsed from JSON)
 */
export declare function decryptValue(encryptedValue: string, privateKey: string): Promise<any>;