(bundle: Uint8Array, dataKey: Uint8Array)
| 99 | } |
| 100 | |
/**
 * Decrypts a version-0 AES-256-GCM bundle and parses the plaintext as JSON.
 *
 * Bundle layout, as read by this function:
 *   - byte 0: format version (only 0 is accepted)
 *   - bytes 1-12: 12-byte GCM nonce
 *   - bytes 13 up to the tag: ciphertext (may be empty)
 *   - last 16 bytes: GCM authentication tag
 *
 * No AAD is set, so the version byte is not covered by the tag; it is only
 * compared with 0 before decryption.
 *
 * @param bundle - Serialized bundle in the layout above.
 * @param dataKey - Key handed to `createDecipheriv('aes-256-gcm', ...)` unchanged.
 * @returns The parsed JSON value, or `null` when the bundle is shorter than
 *   29 bytes, has a version other than 0, or anything throws while
 *   decrypting, decoding or parsing (for example a tag mismatch or malformed
 *   JSON). A plaintext that is the JSON literal `null` also yields `null`, so
 *   callers cannot tell that case from a failure. The value is not validated
 *   here; callers must narrow it before trusting its shape.
 */
export function decryptWithDataKey(bundle: Uint8Array, dataKey: Uint8Array): unknown | null {
  const headerLength = 1 + 12; // version byte + nonce
  const tagLength = 16;
  const tagOffset = bundle.length - tagLength;

  // Reject anything too short to hold header + tag, or with an unknown version.
  if (bundle.length < headerLength + tagLength || bundle[0] !== 0) {
    return null;
  }

  const iv = bundle.slice(1, headerLength);
  const tag = bundle.slice(tagOffset);
  const sealed = bundle.slice(headerLength, tagOffset);

  try {
    const gcm = createDecipheriv('aes-256-gcm', dataKey, iv);
    gcm.setAuthTag(tag);
    const head = gcm.update(sealed);
    // final() throws when tag verification fails, so nothing is decoded or
    // parsed unless the ciphertext authenticated.
    const tail = gcm.final();
    const json = new TextDecoder().decode(Buffer.concat([head, tail]));
    return JSON.parse(json);
  } catch {
    // Deliberate best-effort: every failure mode collapses to null.
    return null;
  }
}
| 118 | |
| 119 | // --- Legacy TweetNaCl secretbox encryption --- |
| 120 |