hpke-js

hpke-js

A TypeScript Hybrid Public Key Encryption (HPKE) implementation build on top of Web Cryptography API. This module works on web browsers, Node.js, Deno and various other JavaScript runtimes.

Documentation: jsr.io | pages (only for the latest ver.)

Index

• Installation
  • Node.js
  • Deno
  • Web Browsers
• Usage
• Contributing

Installation

Where possible, it is recommended to use @hpke/core along with extension modules (such as @hpke/chacha20poly1305) instead of hpke-js.

Node.js

You can install the package with npm, yarn or pnpm.

# Using npm:
npm install hpke-js
yarn add hpke-js
pnpm install hpke-js
# Using jsr:
npx jsr add hpke-js
yarn dlx jsr add hpke-js
pnpm dlx jsr add hpke-js

The above manner can be used with other JavaScript runtimes that support npm, such as Cloudflare Workers and Bun.

Then, you can use the module from code like this:

import { AeadId, CipherSuite, KdfId, KemId } from "hpke-js";

Deno

For Deno, it is recommended to use the jsr.io registry.

deno add jsr:@hpke/hpke-js

Web Browsers

Followings are how to use the module with typical CDNs. Other CDNs can be used as well.

Using esm.sh:

<!-- use a specific version -->
<script type="module">
  import {
    AeadId,
    CipherSuite,
    KdfId,
    KemId,
  } from "https://esm.sh/hpke-js@<SEMVER>";
  // import * as hpke from "https://esm.sh/@hpke/core@<SEMVER>";
  // ...
</script>

<!-- use the latest stable version -->
<script type="module">
  import { AeadId, CipherSuite, KdfId, KemId } from "https://esm.sh/hpke-js";
  // import * as hpke from "https://esm.sh/@hpke/core";
  // ...
</script>

Using unpkg:

<!-- use a specific version -->
<script type="module">
  import {
    AeadId,
    CipherSuite,
    KdfId,
    KemId,
  } from "https://unpkg.com/hpke-js@<SEMVER>/esm/mod.js";
  // import * as hpke from "https://unpkg.com/@hpke/core@<SEMVER>/esm/mod.js";
  // ...
</script>

Usage

This section shows some typical usage examples.

Node.js

import { AeadId, CipherSuite, KdfId, KemId } from "hpke-js";

async function doHpke() {
  const suite = new CipherSuite({
    kem: KemId.DhkemX25519HkdfSha256,
    kdf: KdfId.HkdfSha256,
    aead: AeadId.Chacha20Poly1305,
  });

  // A recipient generates a key pair.
  const rkp = await suite.kem.generateKeyPair();

  // A sender encrypts a message with the recipient public key.
  const sender = await suite.createSenderContext({
    recipientPublicKey: rkp.publicKey,
  });
  const ct = await sender.seal(new TextEncoder().encode("Hello world!"));

  // The recipient decrypts it.
  const recipient = await suite.createRecipientContext({
    recipientKey: rkp.privateKey,
    enc: sender.enc,
  });
  const pt = await recipient.open(ct);

  // Hello world!
  console.log("decrypted: ", new TextDecoder().decode(pt));
}

try {
  doHpke();
} catch (e) {
  console.log("failed:", e.message);
}

Deno

import { AeadId, CipherSuite, KdfId, KemId } from "@hpke/hpke-js";

async function doHpke() {
  const suite = new CipherSuite({
    kem: KemId.DhkemX25519HkdfSha256,
    kdf: KdfId.HkdfSha256,
    aead: AeadId.Chacha20Poly1305,
  });

  const rkp = await suite.kem.generateKeyPair();

  const sender = await suite.createSenderContext({
    recipientPublicKey: rkp.publicKey,
  });

  // encrypt
  const ct = await sender.seal(new TextEncoder().encode("Hello world!"));

  const recipient = await suite.createRecipientContext({
    recipientKey: rkp.privateKey,
    enc: sender.enc,
  });

  // decrypt
  const pt = await recipient.open(ct);

  // Hello world!
  console.log(new TextDecoder().decode(pt));
}

try {
  doHpke();
} catch (_err: unknown) {
  console.log("failed.");
}

Web Browsers

<html>
  <head></head>
  <body>
    <script type="module">
      import { AeadId, CipherSuite, KdfId, KemId } from "https://esm.sh/hpke-js";

      globalThis.doHpke = async () => {
        try {
          const suite = new CipherSuite({
            kem: KemId.DhkemP256HkdfSha256,
            kdf: KdfId.HkdfSha256,
            aead: AeadId.Aes128Gcm,
          });

          const rkp = await suite.kem.generateKeyPair();

          const sender = await suite.createSenderContext({
            recipientPublicKey: rkp.publicKey,
          });

          // encrypt
          const ct = await sender.seal(new TextEncoder().encode("Hello world!"));

          const recipient = await suite.createRecipientContext({
            recipientKey: rkp.privateKey, // rkp (CryptoKeyPair) is also acceptable.
            enc: sender.enc,
          });

          // decrypt
          const pt = await recipient.open(ct);

          // Hello world!
          alert(new TextDecoder().decode(pt));
        } catch (err) {
          alert("failed:", err.message);
        }
      };
    </script>
    <button type="button" onclick="doHpke()">do HPKE</button>
  </body>
</html>

Contributing

We welcome all kind of contributions, filing issues, suggesting new features or sending PRs.

Changelog

Version 1.6.0

Released 2024-11-04

• (#445) Update dependabot.yml to check npm/package-lock.json.
• (#444) Implement X-Wing experimentally.
• (#443) Add test for serialize/deserializePrivateKey.
• (#441) Add */test/runtimes/cloudflare to npm workspaces.
• (#440) Add vscode setting.
• (#439) Refine deno task sample:node.
• (#438) Add samples to npm workspaces.
• (#437) Add @group Error for docs.
• (#437) Remove BaseError.
• (#436) Change main docs from hpke-js to @hpke/core.
• (#435) Remove deno.land from docs.
• (#433) Implement DhkemX4489HkdfSha512 on @hpke/core.
• (#432) Disclose base64UrlToBytes on @hpke/common.
• (#431) Implement DhkemX25519HkdfSha256 on @hpke/core.
• Update devDependencies:
  • (#446) Bump @noble/ciphers to 1.0.0.
  • (#446) Bump @noble/hashes to 1.5.0.
  • (#446) Bump @noble/curves to 1.6.0.