xypriss-security
Version:
Advanced High-Performance Security Framework. Military-grade encryption, post-quantum resilience, and fortified data structures.
267 lines • 10.2 kB
JavaScript
;
/***************************************************************************
* XyPrissJS - Fast And Secure
*
* @author Nehonix
* @license Nehonix OSL (NOSL)
*
* Copyright (c) 2025 Nehonix. All rights reserved.
*
* This License governs the use, modification, and distribution of software
* provided by NEHONIX under its open source projects.
* NEHONIX is committed to fostering collaborative innovation while strictly
* protecting its intellectual property rights.
* Violation of any term of this License will result in immediate termination of all granted rights
* and may subject the violator to legal action.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
* INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
* AND NON-INFRINGEMENT.
* IN NO EVENT SHALL NEHONIX BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
* OR CONSEQUENTIAL DAMAGES ARISING FROM THE USE OR INABILITY TO USE THE SOFTWARE,
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
*
***************************************************************************** */
/**
* XyPrissJS Express Encryption Service
* encryption/decryption service using XyPrissJS cryptographic utilities
*
* Features:
* - AES-256-GCM encryption with authentication
* - ChaCha20-Poly1305 fallback for quantum-safe encryption
* - Proper key derivation using PBKDF2
* - Secure IV/nonce generation
* - Constant-time operations
* - Memory-safe operations with secure wiping
*/
Object.defineProperty(exports, "__esModule", { value: true });
exports.EncryptionService = void 0;
const core_1 = require("../../core");
const bridge_1 = require("../../core/bridge");
/**
* encryption service using XyPrissJS utilities
*/
class EncryptionService {
static VERSION = "1.0.0";
static DEFAULT_ITERATIONS = 100000;
static KEY_LENGTH = 32; // 256 bits
static IV_LENGTH = 12; // 96 bits for GCM
static SALT_LENGTH = 32; // 256 bits
static AUTH_TAG_LENGTH = 16; // 128 bits
/**
* Encrypt data using production-grade encryption
*/
static async encrypt(data, key, options = {}) {
try {
// Validate inputs
this.validateInputs(data, key);
const { algorithm = "aes-256-gcm", keyDerivationIterations = this.DEFAULT_ITERATIONS, additionalData, quantumSafe = false, } = options;
// Serialize data
const jsonData = JSON.stringify(data);
const dataBuffer = new TextEncoder().encode(jsonData);
// Generate cryptographically secure salt
const salt = core_1.Random.getRandomBytes(this.SALT_LENGTH);
// Derive encryption key using PBKDF2
const derivedKey = await this.deriveKey(key, salt, keyDerivationIterations);
const algoTarget = algorithm === "chacha20-poly1305" || quantumSafe ? "chacha20" : "aes";
const encHex = bridge_1.Bridge.encryptRaw(dataBuffer, derivedKey, algoTarget);
if (encHex.startsWith("error:"))
throw new Error(encHex);
const [ivHex, tagHex, dataHex] = encHex.split(":");
// Create encrypted package
const package_ = {
algorithm: quantumSafe ? "chacha20-poly1305" : algorithm,
iv: ivHex,
data: dataHex,
authTag: tagHex,
salt: this.bufferToHex(salt.toUint8Array()),
timestamp: Date.now(),
version: this.VERSION,
};
// Secure memory cleanup
this.secureWipe(derivedKey);
this.secureWipe(dataBuffer);
return JSON.stringify(package_);
}
catch (error) {
throw new Error(`Encryption failed: ${error instanceof Error ? error.message : "Unknown error"}`);
}
}
/**
* Decrypt data using production-grade decryption
*/
static async decrypt(encryptedData, key) {
try {
// Parse encrypted package
const package_ = JSON.parse(encryptedData);
this.validatePackage(package_);
const salt = this.hexToBuffer(package_.salt);
const derivedKey = await this.deriveKey(key, salt, this.DEFAULT_ITERATIONS);
// Convert hex strings back to buffers
const partsStr = `${package_.iv}:${package_.authTag}:${package_.data}`;
const algoTarget = package_.algorithm === "chacha20-poly1305" ? "chacha20" : "aes";
const decryptedHex = bridge_1.Bridge.decryptRaw(partsStr, derivedKey, algoTarget);
if (decryptedHex.startsWith("error:"))
throw new Error(decryptedHex);
const decrypted = this.hexToBuffer(decryptedHex);
// Convert back to string and parse JSON
const jsonString = new TextDecoder().decode(decrypted);
const result = JSON.parse(jsonString);
// Secure memory cleanup
this.secureWipe(derivedKey);
this.secureWipe(decrypted);
return result;
}
catch (error) {
throw new Error(`Decryption failed: ${error instanceof Error ? error.message : "Invalid encrypted data"}`);
}
}
/**
* Derive encryption key using PBKDF2
*/
static async deriveKey(password, salt, iterations) {
const saltBuffer = salt instanceof Uint8Array ? salt : salt.toUint8Array();
const resultHex = bridge_1.Bridge.pbkdf2(password, saltBuffer, iterations, this.KEY_LENGTH, "sha256");
if (resultHex.startsWith("error:"))
throw new Error(resultHex);
return Buffer.from(resultHex, "hex");
}
// Obsolete encryption wrappers leveraging Node.js crypto removed
/**
* Validate inputs for encryption
*/
static validateInputs(data, key) {
if (data === undefined || data === null) {
throw new Error("Data cannot be null or undefined");
}
if (!key || typeof key !== "string") {
throw new Error("Key must be a non-empty string");
}
if (key.length < 8) {
throw new Error("Key must be at least 8 characters long");
}
try {
if (key.length < 8) {
throw new Error("Key length invalid");
}
}
catch (error) {
throw new Error(`Invalid key: ${error instanceof Error ? error.message : "Unknown error"}`);
}
}
/**
* Validate encrypted package structure
*/
static validatePackage(package_) {
const requiredFields = [
"algorithm",
"iv",
"data",
"authTag",
"salt",
"timestamp",
"version",
];
for (const field of requiredFields) {
if (!package_[field]) {
throw new Error(`Invalid encrypted package: missing ${field}`);
}
}
if (!["aes-256-gcm", "chacha20-poly1305"].includes(package_.algorithm)) {
throw new Error(`Unsupported encryption algorithm: ${package_.algorithm}`);
}
// Validate timestamp (not too old, not in future)
const now = Date.now();
const maxAge = 24 * 60 * 60 * 1000; // 24 hours
if (package_.timestamp > now + 60000) {
// 1 minute future tolerance
throw new Error("Invalid encrypted package: timestamp in future");
}
if (now - package_.timestamp > maxAge) {
throw new Error("Invalid encrypted package: timestamp too old");
}
}
/**
* Convert buffer to hex string
*/
static bufferToHex(buffer) {
return Array.from(buffer)
.map((b) => b.toString(16).padStart(2, "0"))
.join("");
}
/**
* Convert hex string to buffer
*/
static hexToBuffer(hex) {
if (hex.length % 2 !== 0) {
throw new Error("Invalid hex string length");
}
const buffer = new Uint8Array(hex.length / 2);
for (let i = 0; i < hex.length; i += 2) {
buffer[i / 2] = parseInt(hex.substring(i, i + 2), 16);
}
return buffer;
}
/**
* Secure memory wipe using XyPrissJS utilities
*/
static secureWipe(buffer) {
try {
// Use XyPrissJS secure memory wiping
if (buffer && buffer.length > 0) {
// Overwrite with random data first
const randomData = core_1.Random.getRandomBytes(buffer.length);
buffer.set(randomData.toUint8Array());
// Then overwrite with zeros
buffer.fill(0);
// Finally overwrite with 0xFF
buffer.fill(0xff);
buffer.fill(0);
}
}
catch (error) {
// Fallback to simple zero fill
if (buffer && buffer.length > 0) {
buffer.fill(0);
}
}
}
/**
* Generate a secure session key for temporary use
*/
static generateSessionKey() {
const keyBytes = core_1.Random.getRandomBytes(32);
return this.bufferToHex(keyBytes.toUint8Array());
}
/**
* Verify the integrity of encrypted data without decrypting
*/
static verifyIntegrity(encryptedData) {
try {
const package_ = JSON.parse(encryptedData);
this.validatePackage(package_);
return true;
}
catch (error) {
return false;
}
}
/**
* Get encryption metadata without decrypting
*/
static getMetadata(encryptedData) {
try {
const package_ = JSON.parse(encryptedData);
return {
algorithm: package_.algorithm,
timestamp: package_.timestamp,
version: package_.version,
};
}
catch (error) {
throw new Error("Invalid encrypted data format");
}
}
}
exports.EncryptionService = EncryptionService;
//# sourceMappingURL=EncryptionService.js.map