Stian/Shade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
80c410f518b43479ec44034d377dd320d73853af
Shade/packages/shade-storage-encrypted/tests/blob-vectors.test.ts

51 lines
1.5 KiB
TypeScript
Raw Normal View History

release(v4.9.0): relay-side encrypted blob primitive + SDK Profile namespace Ships the Prism FR (encrypted-profile-storage-v4.9.md) as a generic relay-side encrypted blob primitive: deterministically-located, AEAD-sealed blobs keyed by a 32-byte slotId derived client-side via HKDF from the user's master key. Unlocks credential-only bootstrap of new devices into existing E2EE state — no QR, no physical access. Server: BlobStore interface + Memory/Sqlite/Postgres impls, createBlobRoutes for GET/PUT/DELETE /v1/blob/:slotId with TOFU pubkey auth and If-Match CAS (409/412 semantics). Mounted on the same Hono app as the inbox; SHADE_BLOB_PG_URL / SHADE_BLOB_DB_PATH / SHADE_DISABLE_BLOB env-var plumbing in standalone. SDK: createProfileNamespace high-level wrapper (HKDF derivation, random-nonce AEAD seal, slotId-bound AAD) + low-level BlobClient. Cross-platform test vectors in test-vectors/blob-storage.json. New errors: ConflictError (409), PreconditionFailedError (412). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 02:44:42 +02:00
import { describe, test, expect } from 'bun:test';
import { readFileSync } from 'fs';
import { join } from 'path';
import {
deriveBlobSlotId,
deriveBlobKey,
deriveBlobSigningSeed,
} from '../src/crypto/kdf.js';
import { ed25519PublicKeyFromSeed } from '@shade/crypto-web';
function fromHex(s: string): Uint8Array {
const out = new Uint8Array(s.length / 2);
for (let i = 0; i < out.length; i++) {
out[i] = parseInt(s.substr(i * 2, 2), 16);
}
return out;
}
function toHex(b: Uint8Array): string {
let s = '';
for (const x of b) s += x.toString(16).padStart(2, '0');
return s;
}
describe('V4.9 blob-storage KDF vectors', () => {
// Resolve relative to this file, not to cwd, so the test passes
// regardless of which directory `bun test` is invoked from.
const vectorPath = join(import.meta.dir, '..', '..', '..', 'test-vectors', 'blob-storage.json');
const vectors = JSON.parse(readFileSync(vectorPath, 'utf-8')) as {
kdf: Array<{
masterKey: string;
app: string;
slotId: string;
blobKey: string;
signingSeed: string;
ownerPubkey: string;
}>;
};
for (const v of vectors.kdf) {
test(`(master=${v.masterKey.slice(0, 8)}…, app=${v.app})`, () => {
const km = fromHex(v.masterKey);
expect(toHex(deriveBlobSlotId(km, v.app))).toBe(v.slotId);
expect(toHex(deriveBlobKey(km, v.app))).toBe(v.blobKey);
const seed = deriveBlobSigningSeed(km, v.app);
expect(toHex(seed)).toBe(v.signingSeed);
expect(toHex(ed25519PublicKeyFromSeed(seed))).toBe(v.ownerPubkey);
});
}
});
Reference in New Issue Copy Permalink