PqForge class

Available extensions

Constructors

PqForge({PqForgeProfile profile = PqForgeProfile.balanced})
const

Properties

hashCode int
The hash code for this object.
no setterinherited
profile PqForgeProfile
final
runtimeType Type
A representation of the runtime type of the object.
no setterinherited

Methods

aesGcmDecrypt({required Uint8List key, required Uint8List nonce, required Uint8List ciphertext, Uint8List? aad}) Uint8List
aesGcmEncrypt({required Uint8List key, required Uint8List nonce, required Uint8List plaintext, Uint8List? aad}) Uint8List
appendSignedLogEntry({required Uint8List signerSecretKey, required Uint8List previousHash, required Uint8List payload, required int timestampMs, PqSignatureAlgorithm? algorithm}) PqSignedLogEntry
argon2id({required String password, required Uint8List salt, int outputBytes = pqForgeDefaultSessionKeyBytes, int iterations = 2, int memoryPowerOf2 = 16, int lanes = 4}) Uint8List
assembleSealedEnvelope({required PqForgeProfile profile, required Uint8List kemCiphertext, required Uint8List nonce, required Uint8List payload, Uint8List? aad, Map<String, Object?> metadata = const {}, Uint8List? signerSecretKey, PqSignatureAlgorithm? signatureAlgorithm, String? signerKeyId}) PqEnvelope
Assembles — and, when signerSecretKey is set, signs — an envelope from an already-sealed payload (the DEM stage's ciphertext‖tag).
createIdentityBinding({required Uint8List authoritySecretKey, required String subjectId, required Uint8List identityPublicKey, required int notBeforeMs, required int expiresAtMs, PqSignatureAlgorithm? algorithm}) PqIdentityBinding
decapsulate(Uint8List secretKey, Uint8List ciphertext, {PqKemAlgorithm? algorithm}) Uint8List
decrypt(Uint8List recipientSecretKey, PqEnvelope envelope, {Uint8List? aad, Uint8List? signerPublicKey}) Uint8List
decryptAsync(Uint8List recipientSecretKey, PqEnvelope envelope, {Uint8List? recipientKexSecretKey, String? recipientKeyId, PqForgeAeadEngine? engine, Uint8List? aad, Uint8List? signerPublicKey}) Future<Uint8List>

Available on PqForge, provided by the PqForgeAsync extension

Decrypts a one-shot envelope on engine, auto-detecting hybrid envelopes (hybridKex marker), a non-default AEAD suite (aeadSuite marker — the engine is rebuilt on the same provider to match), and multi-recipient envelopes (recipients[] entries).
decryptFileBytes(Uint8List recipientSecretKey, PqEnvelope envelope, {Uint8List? aad}) Uint8List
decryptFolderEntry(Uint8List recipientSecretKey, PqEnvelope envelope, {Uint8List? aad, Uint8List? signerPublicKey}) Uint8List
deriveHybridSessionKey({required Uint8List classicalSharedSecret, required Uint8List latticeSharedSecret, required Uint8List deploymentSalt, required Uint8List transcriptHash, Uint8List? roleContext, int? outputBytes}) Uint8List
dualSign({required Uint8List secretKey, required Uint8List message, required Uint8List classicalSignature, PqSignatureAlgorithm? algorithm, PqDualSignaturePolicy policy = PqDualSignaturePolicy.requireBoth}) PqDualSignature
dualVerify({required Uint8List publicKey, required Uint8List message, required PqDualSignature signature, required PqClassicalSignatureVerifier classicalVerifier, PqSignatureAlgorithm? algorithm}) bool
encapsulate(Uint8List publicKey, {PqKemAlgorithm? algorithm, Uint8List? nonce}) PqKemEncapsulation
encrypt(Uint8List recipientPublicKey, Uint8List plaintext, {PqForgeProfile? profile, Uint8List? aad, Map<String, Object?> metadata = const {}, Uint8List? signerSecretKey, PqSignatureAlgorithm? signatureAlgorithm, String? signerKeyId}) PqEnvelope
encryptAsync(Uint8List recipientPublicKey, Uint8List plaintext, {Uint8List? recipientKexPublicKey, List<PqRecipientSpec> additionalRecipients = const [], String? recipientKeyId, PqForgeAeadEngine? engine, PqForgeProfile? profile, Uint8List? aad, Map<String, Object?> metadata = const {}, Uint8List? signerSecretKey, PqSignatureAlgorithm? signatureAlgorithm, String? signerKeyId}) Future<PqEnvelope>

Available on PqForge, provided by the PqForgeAsync extension

Encrypts plaintext into a one-shot envelope, running the DEM stage on engine (default: the package:cryptography AES-256-GCM backend).
encryptFileBytes(Uint8List recipientPublicKey, Uint8List fileBytes, {Uint8List? aad, Map<String, Object?> metadata = const {}, PqForgeProfile profile = PqForgeProfile.maximum}) PqEnvelope
encryptFolderEntry(Uint8List recipientPublicKey, Uint8List fileBytes, {required String relativePath, Uint8List? aad, Map<String, Object?> metadata = const {}, PqForgeProfile profile = PqForgeProfile.maximum, Uint8List? signerSecretKey, PqSignatureAlgorithm? signatureAlgorithm, String? signerKeyId}) PqEnvelope
encryptRecord(Uint8List recipientPublicKey, Uint8List payload, {required String recordType, required String recordId, Uint8List? aad, PqForgeProfile profile = PqForgeProfile.maximum}) PqEnvelope
envelopeSigningMessage(PqEnvelope envelope) Uint8List
The 32-byte digest fed to ML-DSA sign/verify (preHash:true) for an envelope's signature: SHA-256(headerFields ‖ SHA-256(payload)). The payload is hashed in one streaming pass, so neither the digest nor the signature scales with payload size (the M1 fix). The header binds every envelope field except the signature itself.
generateKemKeyPair({PqKemAlgorithm? algorithm, Uint8List? seed}) PqKeyPair
generateKeys({PqForgeProfile? profile, String? keyId}) PqKeyBundle
generateSignatureKeyPair({PqSignatureAlgorithm? algorithm}) PqKeyPair
generateSignatureKeyPairFromSeed(Uint8List seed, {PqSignatureAlgorithm? algorithm}) PqKeyPair
hkdfSha256({required Uint8List ikm, required Uint8List salt, required Uint8List info, int outputBytes = pqForgeDefaultSessionKeyBytes}) Uint8List
issueToken({required Uint8List signerSecretKey, required String issuer, required String subject, required int issuedAtMs, required int expiresAtMs, Map<String, Object?> claims = const {}, PqSignatureAlgorithm? algorithm}) PqSignedToken
noSuchMethod(Invocation invocation) → dynamic
Invoked when a nonexistent method or property is accessed.
inherited
openEmail(Uint8List recipientSecretKey, PqEnvelope envelope, {Uint8List? aad, Uint8List? signerPublicKey}) Uint8List
openFromKemSecretKey(Uint8List recipientSecretKey, PqEnvelope envelope, {Uint8List? aad, Uint8List? info}) Uint8List
openMedia(Uint8List recipientSecretKey, PqEnvelope envelope, {Uint8List? aad, Uint8List? signerPublicKey}) Uint8List
openSignedFromKemSecretKey(Uint8List recipientSecretKey, Uint8List signerPublicKey, PqEnvelope envelope, {Uint8List? aad, Uint8List? signatureContext}) Uint8List
openText(Uint8List recipientSecretKey, PqEnvelope envelope, {Uint8List? aad, Uint8List? signerPublicKey}) String
sealAndSign(Uint8List recipientPublicKey, Uint8List signerSecretKey, Uint8List plaintext, {PqKemAlgorithm? kemAlgorithm, PqSignatureAlgorithm? signatureAlgorithm, Uint8List? aad, Uint8List? signatureContext}) PqEnvelope
sealEmail(Uint8List recipientPublicKey, Uint8List emailBytes, {required String messageId, Uint8List? aad, Map<String, Object?> metadata = const {}, PqForgeProfile profile = PqForgeProfile.maximum, Uint8List? signerSecretKey, PqSignatureAlgorithm? signatureAlgorithm, String? signerKeyId}) PqEnvelope
sealMedia(Uint8List recipientPublicKey, Uint8List mediaBytes, {required String mediaId, required String mimeType, Uint8List? aad, Map<String, Object?> metadata = const {}, PqForgeProfile profile = PqForgeProfile.maximum, Uint8List? signerSecretKey, PqSignatureAlgorithm? signatureAlgorithm, String? signerKeyId}) PqEnvelope
sealText(Uint8List recipientPublicKey, String text, {required String textId, Uint8List? aad, Map<String, Object?> metadata = const {}, PqForgeProfile profile = PqForgeProfile.maximum, Uint8List? signerSecretKey, PqSignatureAlgorithm? signatureAlgorithm, String? signerKeyId}) PqEnvelope
sealToKemPublicKey(Uint8List recipientPublicKey, Uint8List plaintext, {PqKemAlgorithm? algorithm, Uint8List? aad, Uint8List? info, Uint8List? nonce}) PqEnvelope
sign(Uint8List secretKey, Uint8List message, {PqSignatureAlgorithm? algorithm, Uint8List? context, bool preHash = false}) Uint8List
signArtifact({required Uint8List signerSecretKey, required String artifactId, required int version, required Uint8List artifactBytes, PqSignatureAlgorithm? algorithm}) PqArtifactSignature
signDocument(Uint8List secretKey, Uint8List documentBytes, {required String documentId, PqSignatureAlgorithm? algorithm}) Uint8List
signMedia({required Uint8List signerSecretKey, required String mediaId, required String mimeType, required Uint8List mediaBytes, PqSignatureAlgorithm? algorithm}) Uint8List
signText({required Uint8List signerSecretKey, required String text, required String textId, PqSignatureAlgorithm? algorithm}) Uint8List
signWebhook({required Uint8List signerSecretKey, required String eventType, required int timestampMs, required Uint8List payload, PqSignatureAlgorithm? algorithm}) Uint8List
toString() String
A string representation of this object.
inherited
unwrapKeyWithPassphrase(PqWrappedKey wrapped, String passphrase) PqExportedKey
verify(Uint8List publicKey, Uint8List message, Uint8List signature, {PqSignatureAlgorithm? algorithm, Uint8List? context, bool preHash = false}) bool
verifyArtifact(Uint8List signerPublicKey, Uint8List artifactBytes, PqArtifactSignature artifact) bool
verifyDocument(Uint8List publicKey, Uint8List documentBytes, Uint8List signature, {required String documentId, PqSignatureAlgorithm? algorithm}) bool
verifyEnvelopeForOpen(PqEnvelope envelope, {Uint8List? aad, Uint8List? signerPublicKey}) → void
Runs every check decrypt performs before the AEAD open: the AAD commitment and, when the envelope is signed, the ML-DSA signature.
verifyIdentityBinding(Uint8List authorityPublicKey, PqIdentityBinding binding) bool
verifyMedia({required Uint8List signerPublicKey, required String mediaId, required String mimeType, required Uint8List mediaBytes, required Uint8List signature, PqSignatureAlgorithm? algorithm}) bool
verifySignedLogEntry(Uint8List signerPublicKey, PqSignedLogEntry entry) bool
verifyText({required Uint8List signerPublicKey, required String text, required String textId, required Uint8List signature, PqSignatureAlgorithm? algorithm}) bool
verifyToken(Uint8List signerPublicKey, PqSignedToken token, {int? nowMs}) bool
verifyWebhook({required Uint8List signerPublicKey, required String eventType, required int timestampMs, required Uint8List payload, required Uint8List signature, PqSignatureAlgorithm? algorithm, int? nowMs, int maxSkewMs = 300000}) bool
wrapKeyWithPassphrase(PqExportedKey key, String passphrase, {String kdf = PqKdf.argon2id, int iterations = 2, int memoryPowerOf2 = 16, int lanes = 4, int pbkdf2Iterations = 600000}) PqWrappedKey
Wraps an exported key under a passphrase: KDF → AES-256-GCM with the key identity bound into the AAD.

Operators

operator ==(Object other) bool
The equality operator.
inherited

Static Methods

deriveDemKey(PqForgeProfile profile, Uint8List sharedSecret, Uint8List kemCiphertext) Uint8List
Derives the per-message DEM key from a KEM shared secret and ciphertext.