Sterister
bd6452044f
Signal Protocol implementation with full X3DH + Double Ratchet: - M1: Core types, CryptoProvider interface, KDF chain functions, SubtleCrypto+noble/curves provider, MemoryStorage - M2: X3DH key agreement (identity keys, signed prekeys, one-time prekeys, bundle processing for both initiator and responder) - M3: Double Ratchet (symmetric-key ratchet, DH ratchet, skipped message key cache, out-of-order delivery, AAD-bound headers) 68 tests, 0 failures — including full integration test of X3DH handshake → Double Ratchet conversation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
237 lines
9.0 KiB
TypeScript
237 lines
9.0 KiB
TypeScript
import { describe, test, expect } from 'bun:test';
|
|
import { SubtleCryptoProvider } from '../src/provider.js';
|
|
|
|
const crypto = new SubtleCryptoProvider();
|
|
|
|
describe('SubtleCryptoProvider', () => {
|
|
// ─── X25519 ──────────────────────────────────────────────
|
|
|
|
describe('X25519', () => {
|
|
test('generates keypair with correct byte lengths', async () => {
|
|
const kp = await crypto.generateX25519KeyPair();
|
|
expect(kp.publicKey).toBeInstanceOf(Uint8Array);
|
|
expect(kp.privateKey).toBeInstanceOf(Uint8Array);
|
|
expect(kp.publicKey.length).toBe(32);
|
|
expect(kp.privateKey.length).toBe(32);
|
|
});
|
|
|
|
test('two keypairs produce different keys', async () => {
|
|
const a = await crypto.generateX25519KeyPair();
|
|
const b = await crypto.generateX25519KeyPair();
|
|
expect(a.publicKey).not.toEqual(b.publicKey);
|
|
expect(a.privateKey).not.toEqual(b.privateKey);
|
|
});
|
|
|
|
test('DH agreement: both sides derive same shared secret', async () => {
|
|
const alice = await crypto.generateX25519KeyPair();
|
|
const bob = await crypto.generateX25519KeyPair();
|
|
|
|
const secretA = await crypto.x25519(alice.privateKey, bob.publicKey);
|
|
const secretB = await crypto.x25519(bob.privateKey, alice.publicKey);
|
|
|
|
expect(secretA.length).toBe(32);
|
|
expect(secretA).toEqual(secretB);
|
|
});
|
|
|
|
test('DH with different peers produces different secrets', async () => {
|
|
const alice = await crypto.generateX25519KeyPair();
|
|
const bob = await crypto.generateX25519KeyPair();
|
|
const charlie = await crypto.generateX25519KeyPair();
|
|
|
|
const secretAB = await crypto.x25519(alice.privateKey, bob.publicKey);
|
|
const secretAC = await crypto.x25519(alice.privateKey, charlie.publicKey);
|
|
|
|
expect(secretAB).not.toEqual(secretAC);
|
|
});
|
|
});
|
|
|
|
// ─── Ed25519 ─────────────────────────────────────────────
|
|
|
|
describe('Ed25519', () => {
|
|
test('generates keypair with correct byte lengths', async () => {
|
|
const kp = await crypto.generateEd25519KeyPair();
|
|
expect(kp.publicKey.length).toBe(32);
|
|
expect(kp.privateKey.length).toBe(32);
|
|
});
|
|
|
|
test('sign and verify roundtrip', async () => {
|
|
const kp = await crypto.generateEd25519KeyPair();
|
|
const message = new TextEncoder().encode('hello shade');
|
|
|
|
const sig = await crypto.sign(kp.privateKey, message);
|
|
expect(sig.length).toBe(64);
|
|
|
|
const valid = await crypto.verify(kp.publicKey, message, sig);
|
|
expect(valid).toBe(true);
|
|
});
|
|
|
|
test('verify fails with wrong public key', async () => {
|
|
const alice = await crypto.generateEd25519KeyPair();
|
|
const bob = await crypto.generateEd25519KeyPair();
|
|
const message = new TextEncoder().encode('hello shade');
|
|
|
|
const sig = await crypto.sign(alice.privateKey, message);
|
|
const valid = await crypto.verify(bob.publicKey, message, sig);
|
|
expect(valid).toBe(false);
|
|
});
|
|
|
|
test('verify fails with tampered message', async () => {
|
|
const kp = await crypto.generateEd25519KeyPair();
|
|
const message = new TextEncoder().encode('hello shade');
|
|
const tampered = new TextEncoder().encode('hello SHADE');
|
|
|
|
const sig = await crypto.sign(kp.privateKey, message);
|
|
const valid = await crypto.verify(kp.publicKey, tampered, sig);
|
|
expect(valid).toBe(false);
|
|
});
|
|
});
|
|
|
|
// ─── AES-256-GCM ────────────────────────────────────────
|
|
|
|
describe('AES-256-GCM', () => {
|
|
test('encrypt/decrypt roundtrip', async () => {
|
|
const key = crypto.randomBytes(32);
|
|
const plaintext = new TextEncoder().encode('secret message');
|
|
|
|
const { ciphertext, nonce } = await crypto.aesGcmEncrypt(key, plaintext);
|
|
expect(nonce.length).toBe(12);
|
|
expect(ciphertext.length).toBeGreaterThan(plaintext.length); // includes auth tag
|
|
|
|
const decrypted = await crypto.aesGcmDecrypt(key, ciphertext, nonce);
|
|
expect(decrypted).toEqual(plaintext);
|
|
});
|
|
|
|
test('each encryption produces unique nonce', async () => {
|
|
const key = crypto.randomBytes(32);
|
|
const plaintext = new TextEncoder().encode('same message');
|
|
|
|
const a = await crypto.aesGcmEncrypt(key, plaintext);
|
|
const b = await crypto.aesGcmEncrypt(key, plaintext);
|
|
|
|
expect(a.nonce).not.toEqual(b.nonce);
|
|
expect(a.ciphertext).not.toEqual(b.ciphertext);
|
|
});
|
|
|
|
test('wrong key fails decryption', async () => {
|
|
const key1 = crypto.randomBytes(32);
|
|
const key2 = crypto.randomBytes(32);
|
|
const plaintext = new TextEncoder().encode('secret');
|
|
|
|
const { ciphertext, nonce } = await crypto.aesGcmEncrypt(key1, plaintext);
|
|
|
|
expect(crypto.aesGcmDecrypt(key2, ciphertext, nonce)).rejects.toThrow();
|
|
});
|
|
|
|
test('tampered ciphertext fails decryption', async () => {
|
|
const key = crypto.randomBytes(32);
|
|
const plaintext = new TextEncoder().encode('secret');
|
|
|
|
const { ciphertext, nonce } = await crypto.aesGcmEncrypt(key, plaintext);
|
|
ciphertext[0] ^= 0xff; // flip a byte
|
|
|
|
expect(crypto.aesGcmDecrypt(key, ciphertext, nonce)).rejects.toThrow();
|
|
});
|
|
|
|
test('associated data (AAD) is authenticated', async () => {
|
|
const key = crypto.randomBytes(32);
|
|
const plaintext = new TextEncoder().encode('secret');
|
|
const aad = new TextEncoder().encode('header data');
|
|
const wrongAad = new TextEncoder().encode('wrong header');
|
|
|
|
const { ciphertext, nonce } = await crypto.aesGcmEncrypt(key, plaintext, aad);
|
|
|
|
// Correct AAD works
|
|
const decrypted = await crypto.aesGcmDecrypt(key, ciphertext, nonce, aad);
|
|
expect(decrypted).toEqual(plaintext);
|
|
|
|
// Wrong AAD fails
|
|
expect(crypto.aesGcmDecrypt(key, ciphertext, nonce, wrongAad)).rejects.toThrow();
|
|
|
|
// Missing AAD fails
|
|
expect(crypto.aesGcmDecrypt(key, ciphertext, nonce)).rejects.toThrow();
|
|
});
|
|
});
|
|
|
|
// ─── HKDF ───────────────────────────────────────────────
|
|
|
|
describe('HKDF-SHA256', () => {
|
|
test('produces correct output length', async () => {
|
|
const ikm = crypto.randomBytes(32);
|
|
const salt = crypto.randomBytes(32);
|
|
const info = new TextEncoder().encode('test');
|
|
|
|
const out32 = await crypto.hkdf(ikm, salt, info, 32);
|
|
expect(out32.length).toBe(32);
|
|
|
|
const out64 = await crypto.hkdf(ikm, salt, info, 64);
|
|
expect(out64.length).toBe(64);
|
|
});
|
|
|
|
test('deterministic: same inputs produce same output', async () => {
|
|
const ikm = new Uint8Array(32).fill(0xab);
|
|
const salt = new Uint8Array(32).fill(0xcd);
|
|
const info = new TextEncoder().encode('deterministic test');
|
|
|
|
const a = await crypto.hkdf(ikm, salt, info, 32);
|
|
const b = await crypto.hkdf(ikm, salt, info, 32);
|
|
expect(a).toEqual(b);
|
|
});
|
|
|
|
test('different info produces different output', async () => {
|
|
const ikm = crypto.randomBytes(32);
|
|
const salt = crypto.randomBytes(32);
|
|
|
|
const a = await crypto.hkdf(ikm, salt, new TextEncoder().encode('info-a'), 32);
|
|
const b = await crypto.hkdf(ikm, salt, new TextEncoder().encode('info-b'), 32);
|
|
expect(a).not.toEqual(b);
|
|
});
|
|
});
|
|
|
|
// ─── HMAC-SHA256 ────────────────────────────────────────
|
|
|
|
describe('HMAC-SHA256', () => {
|
|
test('produces 32-byte output', async () => {
|
|
const key = crypto.randomBytes(32);
|
|
const data = new TextEncoder().encode('test data');
|
|
|
|
const mac = await crypto.hmacSha256(key, data);
|
|
expect(mac.length).toBe(32);
|
|
});
|
|
|
|
test('deterministic: same inputs produce same MAC', async () => {
|
|
const key = new Uint8Array(32).fill(0x42);
|
|
const data = new TextEncoder().encode('deterministic');
|
|
|
|
const a = await crypto.hmacSha256(key, data);
|
|
const b = await crypto.hmacSha256(key, data);
|
|
expect(a).toEqual(b);
|
|
});
|
|
|
|
test('different key produces different MAC', async () => {
|
|
const key1 = crypto.randomBytes(32);
|
|
const key2 = crypto.randomBytes(32);
|
|
const data = new TextEncoder().encode('test');
|
|
|
|
const a = await crypto.hmacSha256(key1, data);
|
|
const b = await crypto.hmacSha256(key2, data);
|
|
expect(a).not.toEqual(b);
|
|
});
|
|
});
|
|
|
|
// ─── randomBytes ────────────────────────────────────────
|
|
|
|
describe('randomBytes', () => {
|
|
test('produces correct length', () => {
|
|
expect(crypto.randomBytes(16).length).toBe(16);
|
|
expect(crypto.randomBytes(32).length).toBe(32);
|
|
expect(crypto.randomBytes(64).length).toBe(64);
|
|
});
|
|
|
|
test('produces different values each call', () => {
|
|
const a = crypto.randomBytes(32);
|
|
const b = crypto.randomBytes(32);
|
|
expect(a).not.toEqual(b);
|
|
});
|
|
});
|
|
});
|