Raw .lve file bytes (ArrayBuffer).
At least one credential with its PRF output, and an optional rpId for origin validation.
Decrypted plaintext and file metadata.
LvePrfNotSupportedError if credentials is empty.
LveInvalidFormatError if the bytes are not a valid .lve file.
LveUnsupportedVersionError if the file format version is not supported.
LveWrongOriginError if rpId is provided and does not match the file header.
LveWrongCredentialError if no credential matches any recipient, or DEK unwrap fails.
LveTamperedError if AES-GCM authentication tag verification fails.
const authResult = await authenticateWithPrf({ rpId, fileId: meta.fileId });
const { plaintext } = await openLveFile(lveBytes, {
rpId: window.location.hostname,
credentials: [{ credentialId: authResult.credentialId, prfOutput: authResult.prfOutput }],
});
console.log(new TextDecoder().decode(plaintext));
Decrypts a
.lvebinary container and returns the plaintext.Tries each provided credential in order. For each credential, locates the matching recipient entry in the header, derives the KEK via HKDF-SHA-256, unwraps the DEK with AES-KW, then decrypts the payload with AES-256-GCM.