feat: Shade E2EE library — M1-M3 complete

Signal Protocol implementation with full X3DH + Double Ratchet: - M1: Core types, CryptoProvider interface, KDF chain functions, SubtleCrypto+noble/curves provider, MemoryStorage - M2: X3DH key agreement (identity keys, signed prekeys, one-time prekeys, bundle processing for both initiator and responder) - M3: Double Ratchet (symmetric-key ratchet, DH ratchet, skipped message key cache, out-of-order delivery, AAD-bound headers) 68 tests, 0 failures — including full integration test of X3DH handshake → Double Ratchet conversation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-09 20:08:19 +02:00
commit bd6452044f
27 changed files with 2517 additions and 0 deletions
--- a/packages/shade-crypto-web/tests/provider.test.ts
+++ b/packages/shade-crypto-web/tests/provider.test.ts
@@ -0,0 +1,236 @@
+import { describe, test, expect } from 'bun:test';
+import { SubtleCryptoProvider } from '../src/provider.js';
+
+const crypto = new SubtleCryptoProvider();
+
+describe('SubtleCryptoProvider', () => {
+  // ─── X25519 ──────────────────────────────────────────────
+
+  describe('X25519', () => {
+    test('generates keypair with correct byte lengths', async () => {
+      const kp = await crypto.generateX25519KeyPair();
+      expect(kp.publicKey).toBeInstanceOf(Uint8Array);
+      expect(kp.privateKey).toBeInstanceOf(Uint8Array);
+      expect(kp.publicKey.length).toBe(32);
+      expect(kp.privateKey.length).toBe(32);
+    });
+
+    test('two keypairs produce different keys', async () => {
+      const a = await crypto.generateX25519KeyPair();
+      const b = await crypto.generateX25519KeyPair();
+      expect(a.publicKey).not.toEqual(b.publicKey);
+      expect(a.privateKey).not.toEqual(b.privateKey);
+    });
+
+    test('DH agreement: both sides derive same shared secret', async () => {
+      const alice = await crypto.generateX25519KeyPair();
+      const bob = await crypto.generateX25519KeyPair();
+
+      const secretA = await crypto.x25519(alice.privateKey, bob.publicKey);
+      const secretB = await crypto.x25519(bob.privateKey, alice.publicKey);
+
+      expect(secretA.length).toBe(32);
+      expect(secretA).toEqual(secretB);
+    });
+
+    test('DH with different peers produces different secrets', async () => {
+      const alice = await crypto.generateX25519KeyPair();
+      const bob = await crypto.generateX25519KeyPair();
+      const charlie = await crypto.generateX25519KeyPair();
+
+      const secretAB = await crypto.x25519(alice.privateKey, bob.publicKey);
+      const secretAC = await crypto.x25519(alice.privateKey, charlie.publicKey);
+
+      expect(secretAB).not.toEqual(secretAC);
+    });
+  });
+
+  // ─── Ed25519 ─────────────────────────────────────────────
+
+  describe('Ed25519', () => {
+    test('generates keypair with correct byte lengths', async () => {
+      const kp = await crypto.generateEd25519KeyPair();
+      expect(kp.publicKey.length).toBe(32);
+      expect(kp.privateKey.length).toBe(32);
+    });
+
+    test('sign and verify roundtrip', async () => {
+      const kp = await crypto.generateEd25519KeyPair();
+      const message = new TextEncoder().encode('hello shade');
+
+      const sig = await crypto.sign(kp.privateKey, message);
+      expect(sig.length).toBe(64);
+
+      const valid = await crypto.verify(kp.publicKey, message, sig);
+      expect(valid).toBe(true);
+    });
+
+    test('verify fails with wrong public key', async () => {
+      const alice = await crypto.generateEd25519KeyPair();
+      const bob = await crypto.generateEd25519KeyPair();
+      const message = new TextEncoder().encode('hello shade');
+
+      const sig = await crypto.sign(alice.privateKey, message);
+      const valid = await crypto.verify(bob.publicKey, message, sig);
+      expect(valid).toBe(false);
+    });
+
+    test('verify fails with tampered message', async () => {
+      const kp = await crypto.generateEd25519KeyPair();
+      const message = new TextEncoder().encode('hello shade');
+      const tampered = new TextEncoder().encode('hello SHADE');
+
+      const sig = await crypto.sign(kp.privateKey, message);
+      const valid = await crypto.verify(kp.publicKey, tampered, sig);
+      expect(valid).toBe(false);
+    });
+  });
+
+  // ─── AES-256-GCM ────────────────────────────────────────
+
+  describe('AES-256-GCM', () => {
+    test('encrypt/decrypt roundtrip', async () => {
+      const key = crypto.randomBytes(32);
+      const plaintext = new TextEncoder().encode('secret message');
+
+      const { ciphertext, nonce } = await crypto.aesGcmEncrypt(key, plaintext);
+      expect(nonce.length).toBe(12);
+      expect(ciphertext.length).toBeGreaterThan(plaintext.length); // includes auth tag
+
+      const decrypted = await crypto.aesGcmDecrypt(key, ciphertext, nonce);
+      expect(decrypted).toEqual(plaintext);
+    });
+
+    test('each encryption produces unique nonce', async () => {
+      const key = crypto.randomBytes(32);
+      const plaintext = new TextEncoder().encode('same message');
+
+      const a = await crypto.aesGcmEncrypt(key, plaintext);
+      const b = await crypto.aesGcmEncrypt(key, plaintext);
+
+      expect(a.nonce).not.toEqual(b.nonce);
+      expect(a.ciphertext).not.toEqual(b.ciphertext);
+    });
+
+    test('wrong key fails decryption', async () => {
+      const key1 = crypto.randomBytes(32);
+      const key2 = crypto.randomBytes(32);
+      const plaintext = new TextEncoder().encode('secret');
+
+      const { ciphertext, nonce } = await crypto.aesGcmEncrypt(key1, plaintext);
+
+      expect(crypto.aesGcmDecrypt(key2, ciphertext, nonce)).rejects.toThrow();
+    });
+
+    test('tampered ciphertext fails decryption', async () => {
+      const key = crypto.randomBytes(32);
+      const plaintext = new TextEncoder().encode('secret');
+
+      const { ciphertext, nonce } = await crypto.aesGcmEncrypt(key, plaintext);
+      ciphertext[0] ^= 0xff; // flip a byte
+
+      expect(crypto.aesGcmDecrypt(key, ciphertext, nonce)).rejects.toThrow();
+    });
+
+    test('associated data (AAD) is authenticated', async () => {
+      const key = crypto.randomBytes(32);
+      const plaintext = new TextEncoder().encode('secret');
+      const aad = new TextEncoder().encode('header data');
+      const wrongAad = new TextEncoder().encode('wrong header');
+
+      const { ciphertext, nonce } = await crypto.aesGcmEncrypt(key, plaintext, aad);
+
+      // Correct AAD works
+      const decrypted = await crypto.aesGcmDecrypt(key, ciphertext, nonce, aad);
+      expect(decrypted).toEqual(plaintext);
+
+      // Wrong AAD fails
+      expect(crypto.aesGcmDecrypt(key, ciphertext, nonce, wrongAad)).rejects.toThrow();
+
+      // Missing AAD fails
+      expect(crypto.aesGcmDecrypt(key, ciphertext, nonce)).rejects.toThrow();
+    });
+  });
+
+  // ─── HKDF ───────────────────────────────────────────────
+
+  describe('HKDF-SHA256', () => {
+    test('produces correct output length', async () => {
+      const ikm = crypto.randomBytes(32);
+      const salt = crypto.randomBytes(32);
+      const info = new TextEncoder().encode('test');
+
+      const out32 = await crypto.hkdf(ikm, salt, info, 32);
+      expect(out32.length).toBe(32);
+
+      const out64 = await crypto.hkdf(ikm, salt, info, 64);
+      expect(out64.length).toBe(64);
+    });
+
+    test('deterministic: same inputs produce same output', async () => {
+      const ikm = new Uint8Array(32).fill(0xab);
+      const salt = new Uint8Array(32).fill(0xcd);
+      const info = new TextEncoder().encode('deterministic test');
+
+      const a = await crypto.hkdf(ikm, salt, info, 32);
+      const b = await crypto.hkdf(ikm, salt, info, 32);
+      expect(a).toEqual(b);
+    });
+
+    test('different info produces different output', async () => {
+      const ikm = crypto.randomBytes(32);
+      const salt = crypto.randomBytes(32);
+
+      const a = await crypto.hkdf(ikm, salt, new TextEncoder().encode('info-a'), 32);
+      const b = await crypto.hkdf(ikm, salt, new TextEncoder().encode('info-b'), 32);
+      expect(a).not.toEqual(b);
+    });
+  });
+
+  // ─── HMAC-SHA256 ────────────────────────────────────────
+
+  describe('HMAC-SHA256', () => {
+    test('produces 32-byte output', async () => {
+      const key = crypto.randomBytes(32);
+      const data = new TextEncoder().encode('test data');
+
+      const mac = await crypto.hmacSha256(key, data);
+      expect(mac.length).toBe(32);
+    });
+
+    test('deterministic: same inputs produce same MAC', async () => {
+      const key = new Uint8Array(32).fill(0x42);
+      const data = new TextEncoder().encode('deterministic');
+
+      const a = await crypto.hmacSha256(key, data);
+      const b = await crypto.hmacSha256(key, data);
+      expect(a).toEqual(b);
+    });
+
+    test('different key produces different MAC', async () => {
+      const key1 = crypto.randomBytes(32);
+      const key2 = crypto.randomBytes(32);
+      const data = new TextEncoder().encode('test');
+
+      const a = await crypto.hmacSha256(key1, data);
+      const b = await crypto.hmacSha256(key2, data);
+      expect(a).not.toEqual(b);
+    });
+  });
+
+  // ─── randomBytes ────────────────────────────────────────
+
+  describe('randomBytes', () => {
+    test('produces correct length', () => {
+      expect(crypto.randomBytes(16).length).toBe(16);
+      expect(crypto.randomBytes(32).length).toBe(32);
+      expect(crypto.randomBytes(64).length).toBe(64);
+    });
+
+    test('produces different values each call', () => {
+      const a = crypto.randomBytes(32);
+      const b = crypto.randomBytes(32);
+      expect(a).not.toEqual(b);
+    });
+  });
+});