release(v4.0.0): Shade GA — V3.x consolidation + audit prep
Some checks failed
Test / test (push) Has been cancelled
Cross-platform vectors / TypeScript vectors (bun) (push) Has been cancelled
Cross-platform vectors / Kotlin vectors (gradle) (push) Has been cancelled
Docker build and publish / docker (push) Has been cancelled
Publish / publish (push) Has been cancelled
Some checks failed
Test / test (push) Has been cancelled
Cross-platform vectors / TypeScript vectors (bun) (push) Has been cancelled
Cross-platform vectors / Kotlin vectors (gradle) (push) Has been cancelled
Docker build and publish / docker (push) Has been cancelled
Publish / publish (push) Has been cancelled
V3.1 → V3.12 consolidated and tagged for the first GA release. Wire format unchanged from 0.4.x — 4.0 peers interoperate with 0.4.x peers byte-for-byte. The version bump is semantic: audit-cycle complete, opt-in surface fully exposed, threat model refreshed for every new surface. Highlights: - All 24 @shade/* packages bumped to 4.0.0 in lockstep. - CHANGELOG 4.0.0 section is the canonical manifest of what landed. - THREAT-MODEL extended (§10 fingerprint gates, §11 WebRTC P2P, §12 Web-Worker boundary) + residual-risks table refreshed. - OpenAPI now covers all 27 routes: prekey, transfer, KT, inbox, bridge, observer, /metrics, /healthz, /ready. - MIGRATION 0.3.x → 4.0 documented + smoke-tested against shade migrate-storage on a real SQLite DB. - docs/audit/REVIEW-BUNDLE.md + SCOPE.md ready for external reviewer. - scripts/soak.ts harness for the GA-stable 2-week soak window. - All V*.md plans archived under docs/archive/ with Status: Done. - Voice/Video carved out into V5.0; 4.0 audit focuses on the frozen non-realtime stack. Tests: TS 1000/1000 + Kotlin 11/11 cross-platform vectors green. Docker: gt.zyon.no/stian/shade-prekey:4.0.0 builds and reports version 4.0.0 on /health. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
218
packages/shade-crypto-web/tests/worker-provider.test.ts
Normal file
218
packages/shade-crypto-web/tests/worker-provider.test.ts
Normal file
@@ -0,0 +1,218 @@
|
||||
import { describe, expect, test, afterEach } from 'bun:test';
|
||||
import {
|
||||
createWorkerCryptoProvider,
|
||||
SubtleCryptoProvider,
|
||||
WorkerCryptoProvider,
|
||||
} from '../src/index.js';
|
||||
|
||||
const WORKER_URL = new URL('../src/worker.ts', import.meta.url);
|
||||
|
||||
const subtle = new SubtleCryptoProvider();
|
||||
let provider: WorkerCryptoProvider | null = null;
|
||||
|
||||
afterEach(async () => {
|
||||
if (provider) {
|
||||
await provider.destroy();
|
||||
provider = null;
|
||||
}
|
||||
});
|
||||
|
||||
async function makeProvider(idleTimeoutMs = 30_000): Promise<WorkerCryptoProvider> {
|
||||
provider = await createWorkerCryptoProvider({
|
||||
workerUrl: WORKER_URL,
|
||||
idleTimeoutMs,
|
||||
});
|
||||
return provider;
|
||||
}
|
||||
|
||||
describe('WorkerCryptoProvider — roundtrip and parity', () => {
|
||||
test('handshake completes', async () => {
|
||||
const p = await makeProvider();
|
||||
expect(p).toBeInstanceOf(WorkerCryptoProvider);
|
||||
});
|
||||
|
||||
test('AES-GCM encrypt → worker, decrypt locally — produces same plaintext', async () => {
|
||||
const p = await makeProvider();
|
||||
const key = subtle.randomBytes(32);
|
||||
const plaintext = new TextEncoder().encode('hello shade workers — large enough payload');
|
||||
|
||||
const enc = await p.aesGcmEncrypt(key, plaintext);
|
||||
expect(enc.nonce.length).toBe(12);
|
||||
|
||||
// Decrypt with the local SubtleCryptoProvider — proves wire compatibility
|
||||
const dec = await subtle.aesGcmDecrypt(key, enc.ciphertext, enc.nonce);
|
||||
expect(dec).toEqual(plaintext);
|
||||
});
|
||||
|
||||
test('AES-GCM with AAD round-trips through worker', async () => {
|
||||
const p = await makeProvider();
|
||||
const key = subtle.randomBytes(32);
|
||||
const plaintext = subtle.randomBytes(1024);
|
||||
const aad = subtle.randomBytes(16);
|
||||
|
||||
const enc = await p.aesGcmEncrypt(key, plaintext, aad);
|
||||
const dec = await p.aesGcmDecrypt(key, enc.ciphertext, enc.nonce, aad);
|
||||
expect(dec).toEqual(plaintext);
|
||||
});
|
||||
|
||||
test('AES-GCM decrypt rejects tampered ciphertext', async () => {
|
||||
const p = await makeProvider();
|
||||
const key = subtle.randomBytes(32);
|
||||
const plaintext = new TextEncoder().encode('untampered');
|
||||
const enc = await p.aesGcmEncrypt(key, plaintext);
|
||||
enc.ciphertext[0]! ^= 0x01;
|
||||
await expect(p.aesGcmDecrypt(key, enc.ciphertext, enc.nonce)).rejects.toThrow();
|
||||
});
|
||||
|
||||
test('HKDF parity with SubtleCryptoProvider', async () => {
|
||||
const p = await makeProvider();
|
||||
const ikm = subtle.randomBytes(32);
|
||||
const salt = subtle.randomBytes(16);
|
||||
const info = new TextEncoder().encode('test info');
|
||||
|
||||
const a = await p.hkdf(ikm, salt, info, 64);
|
||||
const b = await subtle.hkdf(ikm, salt, info, 64);
|
||||
expect(a).toEqual(b);
|
||||
});
|
||||
|
||||
test('HMAC-SHA256 parity with SubtleCryptoProvider', async () => {
|
||||
const p = await makeProvider();
|
||||
const key = subtle.randomBytes(32);
|
||||
const data = subtle.randomBytes(256);
|
||||
|
||||
const a = await p.hmacSha256(key, data);
|
||||
const b = await subtle.hmacSha256(key, data);
|
||||
expect(a).toEqual(b);
|
||||
});
|
||||
|
||||
test('X25519 DH agrees with SubtleCryptoProvider', async () => {
|
||||
const p = await makeProvider();
|
||||
const alice = await p.generateX25519KeyPair();
|
||||
const bob = await subtle.generateX25519KeyPair();
|
||||
|
||||
const ab = await p.x25519(alice.privateKey, bob.publicKey);
|
||||
const ba = await subtle.x25519(bob.privateKey, alice.publicKey);
|
||||
expect(ab).toEqual(ba);
|
||||
});
|
||||
|
||||
test('Ed25519 sign in worker, verify locally', async () => {
|
||||
const p = await makeProvider();
|
||||
const kp = await p.generateEd25519KeyPair();
|
||||
const msg = new TextEncoder().encode('please sign me');
|
||||
|
||||
const sig = await p.sign(kp.privateKey, msg);
|
||||
expect(await subtle.verify(kp.publicKey, msg, sig)).toBe(true);
|
||||
});
|
||||
|
||||
test('Ed25519 verify rejects tampered signature', async () => {
|
||||
const p = await makeProvider();
|
||||
const kp = await subtle.generateEd25519KeyPair();
|
||||
const msg = new TextEncoder().encode('msg');
|
||||
const sig = await subtle.sign(kp.privateKey, msg);
|
||||
sig[0]! ^= 0x01;
|
||||
expect(await p.verify(kp.publicKey, msg, sig)).toBe(false);
|
||||
});
|
||||
|
||||
test('local sync helpers do not round-trip', async () => {
|
||||
const p = await makeProvider();
|
||||
const a = p.randomBytes(16);
|
||||
expect(a.length).toBe(16);
|
||||
expect(p.constantTimeEqual(a, a)).toBe(true);
|
||||
expect(p.constantTimeEqual(a, new Uint8Array(16))).toBe(false);
|
||||
expect(typeof p.randomUint32()).toBe('number');
|
||||
});
|
||||
|
||||
test('errors from worker propagate as rejected promises', async () => {
|
||||
const p = await makeProvider();
|
||||
const wrongKey = subtle.randomBytes(32);
|
||||
const ct = subtle.randomBytes(48);
|
||||
const nonce = subtle.randomBytes(12);
|
||||
await expect(p.aesGcmDecrypt(wrongKey, ct, nonce)).rejects.toThrow();
|
||||
});
|
||||
|
||||
test('parallel calls do not interleave incorrectly', async () => {
|
||||
const p = await makeProvider();
|
||||
const key = subtle.randomBytes(32);
|
||||
|
||||
const inputs = Array.from({ length: 16 }, (_, i) =>
|
||||
new TextEncoder().encode(`payload-${i}-${'x'.repeat(50 * i)}`),
|
||||
);
|
||||
|
||||
const encs = await Promise.all(inputs.map((pt) => p.aesGcmEncrypt(key, pt)));
|
||||
const decs = await Promise.all(
|
||||
encs.map((e) => p.aesGcmDecrypt(key, e.ciphertext, e.nonce)),
|
||||
);
|
||||
decs.forEach((d, i) => expect(d).toEqual(inputs[i]!));
|
||||
});
|
||||
|
||||
test('after destroy(), calls reject', async () => {
|
||||
const p = await makeProvider();
|
||||
await p.destroy();
|
||||
await expect(p.aesGcmEncrypt(subtle.randomBytes(32), new Uint8Array(8))).rejects.toThrow(
|
||||
/destroyed/,
|
||||
);
|
||||
provider = null;
|
||||
});
|
||||
|
||||
test('rotate() respawns transparently', async () => {
|
||||
const p = await makeProvider();
|
||||
const key = subtle.randomBytes(32);
|
||||
await p.aesGcmEncrypt(key, new Uint8Array(8));
|
||||
await p.rotate();
|
||||
const out = await p.aesGcmEncrypt(key, new TextEncoder().encode('still works'));
|
||||
const dec = await subtle.aesGcmDecrypt(key, out.ciphertext, out.nonce);
|
||||
expect(new TextDecoder().decode(dec)).toBe('still works');
|
||||
});
|
||||
|
||||
test('idle-timeout terminates worker but next call respawns', async () => {
|
||||
const p = await makeProvider(120);
|
||||
const key = subtle.randomBytes(32);
|
||||
await p.aesGcmEncrypt(key, new Uint8Array(8));
|
||||
// Wait for the idle timer to fire.
|
||||
await new Promise((r) => setTimeout(r, 250));
|
||||
// Next call should still succeed — proves respawn works.
|
||||
const out = await p.aesGcmEncrypt(key, new TextEncoder().encode('respawned'));
|
||||
const dec = await subtle.aesGcmDecrypt(key, out.ciphertext, out.nonce);
|
||||
expect(new TextDecoder().decode(dec)).toBe('respawned');
|
||||
});
|
||||
|
||||
test('configureWorkerCrypto throws on protocol mismatch', async () => {
|
||||
// Spawn with a fake "spawn" that returns a worker echoing the wrong version.
|
||||
const fakeProvider = new WorkerCryptoProvider({
|
||||
workerUrl: WORKER_URL,
|
||||
spawn: () => {
|
||||
type Listener = (ev: { data: unknown }) => void;
|
||||
const listeners: Listener[] = [];
|
||||
return {
|
||||
postMessage(msg: unknown): void {
|
||||
const m = msg as { id: number; method: string };
|
||||
if (m.method === 'init') {
|
||||
setTimeout(() => {
|
||||
for (const l of listeners) {
|
||||
l({
|
||||
data: {
|
||||
id: m.id,
|
||||
ok: false,
|
||||
error: { name: 'Error', message: 'protocol version mismatch' },
|
||||
},
|
||||
});
|
||||
}
|
||||
}, 0);
|
||||
}
|
||||
},
|
||||
addEventListener(type: string, listener: Listener): void {
|
||||
if (type === 'message') listeners.push(listener);
|
||||
},
|
||||
removeEventListener(): void {
|
||||
// no-op
|
||||
},
|
||||
terminate(): void {
|
||||
// no-op
|
||||
},
|
||||
};
|
||||
},
|
||||
});
|
||||
await expect(fakeProvider.handshake()).rejects.toThrow(/protocol/);
|
||||
await fakeProvider.destroy();
|
||||
});
|
||||
});
|
||||
230
packages/shade-crypto-web/tests/worker-streams.test.ts
Normal file
230
packages/shade-crypto-web/tests/worker-streams.test.ts
Normal file
@@ -0,0 +1,230 @@
|
||||
import { afterEach, describe, expect, test } from 'bun:test';
|
||||
import { sha256 } from '@noble/hashes/sha2.js';
|
||||
import {
|
||||
createDecryptStream,
|
||||
createEncryptStream,
|
||||
createWorkerCryptoProvider,
|
||||
SubtleCryptoProvider,
|
||||
WorkerCryptoProvider,
|
||||
} from '../src/index.js';
|
||||
|
||||
const WORKER_URL = new URL('../src/worker.ts', import.meta.url);
|
||||
const subtle = new SubtleCryptoProvider();
|
||||
let provider: WorkerCryptoProvider | null = null;
|
||||
|
||||
afterEach(async () => {
|
||||
if (provider) {
|
||||
await provider.destroy();
|
||||
provider = null;
|
||||
}
|
||||
});
|
||||
|
||||
async function makeProvider(): Promise<WorkerCryptoProvider> {
|
||||
provider = await createWorkerCryptoProvider({ workerUrl: WORKER_URL });
|
||||
return provider;
|
||||
}
|
||||
|
||||
async function readAll(rs: ReadableStream<Uint8Array>): Promise<Uint8Array> {
|
||||
const reader = rs.getReader();
|
||||
const parts: Uint8Array[] = [];
|
||||
let total = 0;
|
||||
for (;;) {
|
||||
const { done, value } = await reader.read();
|
||||
if (done) break;
|
||||
parts.push(value);
|
||||
total += value.byteLength;
|
||||
}
|
||||
const out = new Uint8Array(total);
|
||||
let off = 0;
|
||||
for (const p of parts) {
|
||||
out.set(p, off);
|
||||
off += p.byteLength;
|
||||
}
|
||||
return out;
|
||||
}
|
||||
|
||||
function streamFromChunks(chunks: Uint8Array[]): ReadableStream<Uint8Array> {
|
||||
let i = 0;
|
||||
return new ReadableStream<Uint8Array>({
|
||||
pull(controller) {
|
||||
if (i < chunks.length) controller.enqueue(chunks[i++]!);
|
||||
else controller.close();
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
describe('encryptStream / decryptStream — round-trip', () => {
|
||||
test('round-trips small payload exactly', async () => {
|
||||
const p = await makeProvider();
|
||||
const streamId = subtle.randomBytes(16);
|
||||
const streamSecret = subtle.randomBytes(32);
|
||||
const plaintext = new TextEncoder().encode('hello stream');
|
||||
|
||||
const enc = await createEncryptStream({
|
||||
provider: p,
|
||||
streamId,
|
||||
streamSecret,
|
||||
chunkSize: 1024,
|
||||
});
|
||||
const wireBytes = await readAll(
|
||||
streamFromChunks([plaintext]).pipeThrough(enc.stream),
|
||||
);
|
||||
|
||||
// Frame: each enqueue is one wire envelope. We can't trivially split
|
||||
// a concatenated buffer back into envelopes, but we know how many
|
||||
// chunks were emitted (len/chunkSize, plus the final isLast). Easier
|
||||
// path: collect them as separate writes through a side channel.
|
||||
const chunks: Uint8Array[] = [];
|
||||
await streamFromChunks([plaintext])
|
||||
.pipeThrough(
|
||||
(
|
||||
await createEncryptStream({
|
||||
provider: p,
|
||||
streamId,
|
||||
streamSecret,
|
||||
chunkSize: 1024,
|
||||
})
|
||||
).stream,
|
||||
)
|
||||
.pipeTo(
|
||||
new WritableStream<Uint8Array>({
|
||||
write(c) {
|
||||
chunks.push(c);
|
||||
},
|
||||
}),
|
||||
);
|
||||
|
||||
const dec = await createDecryptStream({ provider: p, streamId, streamSecret });
|
||||
const recovered = await readAll(streamFromChunks(chunks).pipeThrough(dec.stream));
|
||||
expect(recovered).toEqual(plaintext);
|
||||
expect(wireBytes.byteLength).toBeGreaterThan(plaintext.byteLength); // overhead
|
||||
});
|
||||
|
||||
test('round-trips multi-chunk payload with sha256 parity', async () => {
|
||||
const p = await makeProvider();
|
||||
const streamId = subtle.randomBytes(16);
|
||||
const streamSecret = subtle.randomBytes(32);
|
||||
const total = 750 * 1024; // 750 KiB → forces 3+ chunks at 256 KiB
|
||||
const plaintext = subtle.randomBytes(total);
|
||||
const expectedSha = sha256(plaintext);
|
||||
|
||||
const enc = await createEncryptStream({
|
||||
provider: p,
|
||||
streamId,
|
||||
streamSecret,
|
||||
chunkSize: 256 * 1024,
|
||||
});
|
||||
|
||||
const wireChunks: Uint8Array[] = [];
|
||||
await streamFromChunks([plaintext])
|
||||
.pipeThrough(enc.stream)
|
||||
.pipeTo(
|
||||
new WritableStream<Uint8Array>({
|
||||
write(c) {
|
||||
wireChunks.push(c);
|
||||
},
|
||||
}),
|
||||
);
|
||||
|
||||
// 750 KiB / 256 KiB = 2 full chunks + 1 final (238 KiB, isLast=true)
|
||||
expect(wireChunks.length).toBe(3);
|
||||
|
||||
const senderLaneSha = await enc.laneSha256;
|
||||
expect(senderLaneSha).toEqual(expectedSha);
|
||||
|
||||
const dec = await createDecryptStream({
|
||||
provider: p,
|
||||
streamId,
|
||||
streamSecret,
|
||||
});
|
||||
const recovered = await readAll(streamFromChunks(wireChunks).pipeThrough(dec.stream));
|
||||
expect(recovered).toEqual(plaintext);
|
||||
expect(await dec.laneSha256).toEqual(expectedSha);
|
||||
});
|
||||
|
||||
test('fragmented input produces same output as single-shot', async () => {
|
||||
const p = await makeProvider();
|
||||
const streamId = subtle.randomBytes(16);
|
||||
const streamSecret = subtle.randomBytes(32);
|
||||
const plaintext = subtle.randomBytes(50_000);
|
||||
|
||||
async function run(parts: Uint8Array[]): Promise<Uint8Array[]> {
|
||||
const wire: Uint8Array[] = [];
|
||||
const e = await createEncryptStream({
|
||||
provider: p!,
|
||||
streamId,
|
||||
streamSecret,
|
||||
chunkSize: 8 * 1024,
|
||||
});
|
||||
await streamFromChunks(parts)
|
||||
.pipeThrough(e.stream)
|
||||
.pipeTo(new WritableStream({ write: (c) => void wire.push(c) }));
|
||||
return wire;
|
||||
}
|
||||
|
||||
const single = await run([plaintext]);
|
||||
const split = await run([
|
||||
plaintext.subarray(0, 17_000),
|
||||
plaintext.subarray(17_000, 33_000),
|
||||
plaintext.subarray(33_000),
|
||||
]);
|
||||
expect(split.length).toBe(single.length);
|
||||
for (let i = 0; i < single.length; i++) {
|
||||
// Same chunk size, same lane key, same seq — wire bytes match
|
||||
// byte-for-byte (deterministic nonces + AEAD).
|
||||
expect(split[i]).toEqual(single[i]!);
|
||||
}
|
||||
});
|
||||
|
||||
test('100 KiB stream end-to-end completes', async () => {
|
||||
const p = await makeProvider();
|
||||
const streamId = subtle.randomBytes(16);
|
||||
const streamSecret = subtle.randomBytes(32);
|
||||
const plaintext = subtle.randomBytes(100 * 1024);
|
||||
|
||||
const enc = await createEncryptStream({
|
||||
provider: p,
|
||||
streamId,
|
||||
streamSecret,
|
||||
chunkSize: 16 * 1024,
|
||||
});
|
||||
const wire: Uint8Array[] = [];
|
||||
await streamFromChunks([plaintext])
|
||||
.pipeThrough(enc.stream)
|
||||
.pipeTo(new WritableStream({ write: (c) => void wire.push(c) }));
|
||||
|
||||
const dec = await createDecryptStream({ provider: p, streamId, streamSecret });
|
||||
const out = await readAll(streamFromChunks(wire).pipeThrough(dec.stream));
|
||||
expect(out).toEqual(plaintext);
|
||||
expect(await dec.laneSha256).toEqual(await enc.laneSha256);
|
||||
});
|
||||
|
||||
test('decryptStream rejects out-of-order chunks', async () => {
|
||||
const p = await makeProvider();
|
||||
const streamId = subtle.randomBytes(16);
|
||||
const streamSecret = subtle.randomBytes(32);
|
||||
const plaintext = subtle.randomBytes(20_000);
|
||||
|
||||
const enc = await createEncryptStream({
|
||||
provider: p,
|
||||
streamId,
|
||||
streamSecret,
|
||||
chunkSize: 4 * 1024,
|
||||
});
|
||||
const wire: Uint8Array[] = [];
|
||||
await streamFromChunks([plaintext])
|
||||
.pipeThrough(enc.stream)
|
||||
.pipeTo(new WritableStream({ write: (c) => void wire.push(c) }));
|
||||
|
||||
expect(wire.length).toBeGreaterThan(2);
|
||||
// Swap first and second chunk
|
||||
[wire[0], wire[1]] = [wire[1]!, wire[0]!];
|
||||
|
||||
const dec = await createDecryptStream({ provider: p, streamId, streamSecret });
|
||||
await expect(
|
||||
streamFromChunks(wire).pipeThrough(dec.stream).pipeTo(
|
||||
new WritableStream({ write() {} }),
|
||||
),
|
||||
).rejects.toThrow();
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user