feat(wasm): unlock_with_secret + keyfile encode/decode bindings + equivalence proof
Adds three WASM bindings for the pluggable second-factor work: - unlock_with_secret: mirrors unlock() but accepts a raw 32-byte secret instead of a carrier image, skipping imgsecret::extract - keyfile_encode: armors a 32-byte secret into relicario-keyfile-v1 format - keyfile_decode: decodes keyfile armor back to the raw 32-byte secret Adds native equivalence test proving that unlock_with_secret and unlock derive an identical Argon2id master key when given the same secret, passphrase, salt, and KDF params. Comparison is direct (master-key bytes), not cross-decrypt, so the test is both native-safe and unambiguous. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01McMF5pUJbCMricmFEnf2sG
This commit is contained in:
5
extension/src/wasm.d.ts
vendored
5
extension/src/wasm.d.ts
vendored
@@ -87,6 +87,11 @@ declare module 'relicario-wasm' {
|
||||
export function wasm_generate_recovery_qr(handle: SessionHandle, passphrase: string): string;
|
||||
export function wasm_unwrap_recovery_qr(payload_b64: string, passphrase: string): Uint8Array;
|
||||
|
||||
// Pluggable second factor: key-file bindings (Task 3)
|
||||
export function unlock_with_secret(passphrase: string, secret: Uint8Array, salt: Uint8Array, params_json: string): SessionHandle;
|
||||
export function keyfile_encode(secret: Uint8Array): Uint8Array;
|
||||
export function keyfile_decode(bytes: Uint8Array): Uint8Array;
|
||||
|
||||
export default function init(module_or_path?: unknown): Promise<void>;
|
||||
export function initSync(args: { module: WebAssembly.Module }): void;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user