@turnkey/crypto - npm Package Compare versions

Comparing version 2.4.1 to 2.4.2

dist/bs58check.d.ts

+type Bs58Check = {
+    encode(payload: Uint8Array | number[]): string;
+    decode(str: string): Uint8Array;
+    decodeUnsafe(str: string): Uint8Array | undefined;
+};
+declare const bs58check: Bs58Check;
+export default bs58check;
+//# sourceMappingURL=bs58check.d.ts.map

dist/bs58check.d.ts.map

+{"version":3,"file":"bs58check.d.ts","sourceRoot":"","sources":["../src/bs58check.ts"],"names":[],"mappings":"AAiBA,KAAK,SAAS,GAAG;IACf,MAAM,CAAC,OAAO,EAAE,UAAU,GAAG,MAAM,EAAE,GAAG,MAAM,CAAC;IAC/C,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAAC;IAChC,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS,CAAC;CACnD,CAAC;AAcF,QAAA,MAAM,SAAS,WAA2B,CAAC;AAE3C,eAAe,SAAS,CAAC"}

dist/bs58check.js

+'use strict';
+
+var raw = require('bs58check');
+
+function _interopNamespaceDefault(e) {
+    var n = Object.create(null);
+    if (e) {
+        Object.keys(e).forEach(function (k) {
+            if (k !== 'default') {
+                var d = Object.getOwnPropertyDescriptor(e, k);
+                Object.defineProperty(n, k, d.get ? d : {
+                    enumerable: true,
+                    get: function () { return e[k]; }
+                });
+            }
+        });
+    }
+    n.default = e;
+    return Object.freeze(n);
+}
+
+var raw__namespace = /*#__PURE__*/_interopNamespaceDefault(raw);
+
+// This is a temporary shim for bs58check@4.0.0
+//
+// See: https://github.com/bitcoinjs/bs58check/issues/47
+//
+// bs58check v4.0.0 uses ESM with only a default export, which causes compatibility
+// issues with Metro (React Native). When importing the package using
+// `import bs58check from 'bs58check'`, Metro applies multiple levels of wrapping,
+// resulting in a structure like `{ default: { default: { encode, decode, ... } } }`.
+//
+// This shim unwraps the exports until it reaches the object that contains `.decode`,
+// `.encode`, and `.decodeUnsafe`, allowing consistent usage across platforms.
+//
+// We can remove this shim once bs58check publishes a version that properly re-exports
+// named methods from its ESM build
+function unwrap(obj) {
+    let cur = obj;
+    while (cur &&
+        !(cur.encode && cur.decode && cur.decodeUnsafe) &&
+        cur.default) {
+        cur = cur.default;
+    }
+    return cur;
+}
+const bs58check = unwrap(raw__namespace);
+
+module.exports = bs58check;
+//# sourceMappingURL=bs58check.js.map

dist/bs58check.js.map

+{"version":3,"file":"bs58check.js","sources":["../src/bs58check.ts"],"sourcesContent":[null],"names":["raw"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAUA,SAAS,MAAM,CAAC,GAAQ,EAAA;IACtB,IAAI,GAAG,GAAG,GAAG,CAAC;AACd,IAAA,OACE,GAAG;AACH,QAAA,EAAE,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,YAAY,CAAC;QAC/C,GAAG,CAAC,OAAO,EACX;AACA,QAAA,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;KACnB;AACD,IAAA,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,SAAS,GAAG,MAAM,CAACA,cAAG;;;;"}

dist/bs58check.mjs

+import * as raw from 'bs58check';
+
+// This is a temporary shim for bs58check@4.0.0
+//
+// See: https://github.com/bitcoinjs/bs58check/issues/47
+//
+// bs58check v4.0.0 uses ESM with only a default export, which causes compatibility
+// issues with Metro (React Native). When importing the package using
+// `import bs58check from 'bs58check'`, Metro applies multiple levels of wrapping,
+// resulting in a structure like `{ default: { default: { encode, decode, ... } } }`.
+//
+// This shim unwraps the exports until it reaches the object that contains `.decode`,
+// `.encode`, and `.decodeUnsafe`, allowing consistent usage across platforms.
+//
+// We can remove this shim once bs58check publishes a version that properly re-exports
+// named methods from its ESM build
+function unwrap(obj) {
+    let cur = obj;
+    while (cur &&
+        !(cur.encode && cur.decode && cur.decodeUnsafe) &&
+        cur.default) {
+        cur = cur.default;
+    }
+    return cur;
+}
+const bs58check = unwrap(raw);
+
+export { bs58check as default };
+//# sourceMappingURL=bs58check.mjs.map

dist/bs58check.mjs.map

+{"version":3,"file":"bs58check.mjs","sources":["../src/bs58check.ts"],"sourcesContent":[null],"names":[],"mappings":";;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAUA,SAAS,MAAM,CAAC,GAAQ,EAAA;IACtB,IAAI,GAAG,GAAG,GAAG,CAAC;AACd,IAAA,OACE,GAAG;AACH,QAAA,EAAE,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,YAAY,CAAC;QAC/C,GAAG,CAAC,OAAO,EACX;AACA,QAAA,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;KACnB;AACD,IAAA,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,SAAS,GAAG,MAAM,CAAC,GAAG;;;;"}

CHANGELOG.md

 # @turnkey/crypto
 
+## 2.4.2
+
+### Patch Changes
+
+- [#699](https://github.com/tkhq/sdk/pull/699) [`c5cdf82`](https://github.com/tkhq/sdk/commit/c5cdf8229da5da1bd6d52db06b2fe42826e96d57) Author [@andrewkmin](https://github.com/andrewkmin) - Add validations to `fromDerSignature` for parsing DER signatures in the Turnkey context
+
+- [#716](https://github.com/tkhq/sdk/pull/716) [`fa46701`](https://github.com/tkhq/sdk/commit/fa467019eef34b5199372248edff1e7a64934e79) Author [@moeodeh3](https://github.com/moeodeh3) - Fixed `decryptCredentialBundle` not working in React Native by adding a shim to handle `bs58check`'s ESM-only export.
+
 ## 2.4.1
@@ -4,0 +12,0 @@

dist/crypto.js

@@ -369,4 +369,34 @@ 'use strict';
     const derSignatureBuf = encoding.uint8ArrayFromHexString(derSignature);
-    // Check and skip the sequence tag (0x30)
-    let index = 2;
+    // Check minimum length
+    if (derSignatureBuf.length < 2) {
+        throw new Error("failed to convert DER-encoded signature: insufficient length");
+    }
+    // Check SEQUENCE tag (0x30 at first byte)
+    if (derSignatureBuf[0] !== 0x30) {
+        throw new Error("failed to convert DER-encoded signature: invalid format (missing SEQUENCE tag)");
+    }
+    // Check second byte, start of length field
+    let index = 1;
+    const lengthByte = derSignatureBuf[index];
+    if (lengthByte <= 0x7f) {
+        // Short form: single byte length
+        // directly take the consumed value as length and check against buffer
+        // buffer length: initial header bytes + claimed remaining length
+        if (derSignatureBuf.length < 1 + 1 + lengthByte) {
+            throw new Error("failed to convert DER-encoded signature: inconsistent message length header");
+        }
+        // continue parsing
+        index += 1;
+    }
+    else {
+        // Multi-byte DER length header
+        // Invalid DER values: lengthByte 0x80 and 0xff
+        // Valid DER values: lengthByte > 0x80, < 0xff
+        //
+        // We do not expect signature data in the Long form notation
+        // -> reject all such inputs
+        //
+        // More complex parsing for longer signature sequences can be implemented once needed
+        throw new Error("failed to convert DER-encoded signature: unexpectedly large or invalid signature length");
+    }
     // Parse 'r' and check for integer tag (0x02)
@@ -378,2 +408,6 @@ if (derSignatureBuf[index] !== 0x02) {
     const rLength = derSignatureBuf[index];
+    // Allow up to 32 data bytes + 1 byte 0-padding prefix
+    if (rLength > 33) {
+        throw new Error("failed to convert DER-encoded signature: unexpected length for r");
+    }
     index++; // Move past the length byte
@@ -388,2 +422,6 @@ const r = derSignatureBuf.slice(index, index + rLength);
     const sLength = derSignatureBuf[index];
+    // Allow up to 32 data bytes + 1 byte 0-padding prefix
+    if (sLength > 33) {
+        throw new Error("failed to convert DER-encoded signature: unexpected length for s");
+    }
     index++; // Move past the length byte
@@ -390,0 +428,0 @@ const s = derSignatureBuf.slice(index, index + sLength);

dist/crypto.mjs

@@ -348,4 +348,34 @@ import { p256 } from '@noble/curves/p256';
     const derSignatureBuf = uint8ArrayFromHexString(derSignature);
-    // Check and skip the sequence tag (0x30)
-    let index = 2;
+    // Check minimum length
+    if (derSignatureBuf.length < 2) {
+        throw new Error("failed to convert DER-encoded signature: insufficient length");
+    }
+    // Check SEQUENCE tag (0x30 at first byte)
+    if (derSignatureBuf[0] !== 0x30) {
+        throw new Error("failed to convert DER-encoded signature: invalid format (missing SEQUENCE tag)");
+    }
+    // Check second byte, start of length field
+    let index = 1;
+    const lengthByte = derSignatureBuf[index];
+    if (lengthByte <= 0x7f) {
+        // Short form: single byte length
+        // directly take the consumed value as length and check against buffer
+        // buffer length: initial header bytes + claimed remaining length
+        if (derSignatureBuf.length < 1 + 1 + lengthByte) {
+            throw new Error("failed to convert DER-encoded signature: inconsistent message length header");
+        }
+        // continue parsing
+        index += 1;
+    }
+    else {
+        // Multi-byte DER length header
+        // Invalid DER values: lengthByte 0x80 and 0xff
+        // Valid DER values: lengthByte > 0x80, < 0xff
+        //
+        // We do not expect signature data in the Long form notation
+        // -> reject all such inputs
+        //
+        // More complex parsing for longer signature sequences can be implemented once needed
+        throw new Error("failed to convert DER-encoded signature: unexpectedly large or invalid signature length");
+    }
     // Parse 'r' and check for integer tag (0x02)
@@ -357,2 +387,6 @@ if (derSignatureBuf[index] !== 0x02) {
     const rLength = derSignatureBuf[index];
+    // Allow up to 32 data bytes + 1 byte 0-padding prefix
+    if (rLength > 33) {
+        throw new Error("failed to convert DER-encoded signature: unexpected length for r");
+    }
     index++; // Move past the length byte
@@ -367,2 +401,6 @@ const r = derSignatureBuf.slice(index, index + rLength);
     const sLength = derSignatureBuf[index];
+    // Allow up to 32 data bytes + 1 byte 0-padding prefix
+    if (sLength > 33) {
+        throw new Error("failed to convert DER-encoded signature: unexpected length for s");
+    }
     index++; // Move past the length byte
@@ -369,0 +407,0 @@ const s = derSignatureBuf.slice(index, index + sLength);

dist/turnkey.js

 'use strict';
 
-var bs58check = require('bs58check');
+var bs58check = require('./bs58check.js');
 var bs58 = require('bs58');
@@ -5,0 +5,0 @@ var encoding = require('@turnkey/encoding');

dist/turnkey.mjs

@@ -1,2 +0,2 @@
-import bs58check from 'bs58check';
+import bs58check from './bs58check.mjs';
 import bs58 from 'bs58';
@@ -3,0 +3,0 @@ import { uint8ArrayToHexString, uint8ArrayFromHexString, hexToAscii } from '@turnkey/encoding';

package.json

 {
   "name": "@turnkey/crypto",
-  "version": "2.4.1",
+  "version": "2.4.2",
   "main": "./dist/index.js",
@@ -47,4 +47,4 @@ "module": "./dist/index.mjs",
     "@turnkey/encoding": "0.5.0",
-    "@turnkey/api-key-stamper": "0.4.7",
-    "@turnkey/http": "3.5.0"
+    "@turnkey/http": "3.5.0",
+    "@turnkey/api-key-stamper": "0.4.7"
   },
@@ -51,0 +51,0 @@ "scripts": {

New alerts

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Fixed alerts

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

176834

5.86%

Number of package files

41

17.14%

Lines of code

2092

8%

No dependency changes