npm - @account-kit/react-native-signer - Versions diffs - 4.57.0 → 4.57.2-alpha.0 - Mend

@account-kit/react-native-signer 4.57.0 → 4.57.2-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (155) hide show

package/android/bin/src/main/java/com/accountkit/reactnativesigner/core/KeyExtensions.kt ADDED Viewed

@@ -0,0 +1,77 @@
+package com.accountkit.reactnativesigner.core
+import com.google.crypto.tink.CleartextKeysetHandle
+import com.google.crypto.tink.InsecureSecretKeyAccess
+import com.google.crypto.tink.KeysetHandle
+import com.google.crypto.tink.hybrid.HpkeParameters
+import com.google.crypto.tink.hybrid.HpkePrivateKey
+import com.google.crypto.tink.hybrid.HpkePublicKey
+import com.google.crypto.tink.subtle.EllipticCurves
+import com.google.crypto.tink.util.Bytes
+import com.google.crypto.tink.util.SecretBytes
+import java.security.interfaces.ECPublicKey
+import javax.xml.bind.DatatypeConverter
+import com.google.crypto.tink.proto.HpkePrivateKey as ProtoHpkePrivateKey
+import com.google.crypto.tink.proto.HpkePublicKey as ProtoHpkePublicKey
+// Keyset Handle Extensions
+fun KeysetHandle.toHpkePublicKey(hpkeParameters: HpkeParameters): HpkePublicKey {
+    val keySet = CleartextKeysetHandle.getKeyset(this.publicKeysetHandle)
+    val protoKey = ProtoHpkePublicKey.parseFrom(keySet.keyList[0].keyData.value)
+    return HpkePublicKey.create(
+        hpkeParameters,
+        Bytes.copyFrom(protoKey.publicKey.toByteArray()),
+        null
+    )
+}
+fun KeysetHandle.toHpkePrivateKey(hpkeParams: HpkeParameters): HpkePrivateKey {
+    val publicKey = this.toHpkePublicKey(hpkeParams)
+    val pkKs = CleartextKeysetHandle.getKeyset(this)
+    val pkKeyData = pkKs.keyList[0].keyData
+    check(pkKeyData.typeUrl == "type.googleapis.com/google.crypto.tink.HpkePrivateKey") {
+        "invalid key type"
+    }
+    return HpkePrivateKey.create(
+        HpkePublicKey.create(
+            hpkeParams,
+            Bytes.copyFrom(publicKey.toByteArray()),
+            null
+        ),
+        SecretBytes.copyFrom(
+            ProtoHpkePrivateKey.parseFrom(pkKeyData.value).privateKey.toByteArray(),
+            InsecureSecretKeyAccess.get()
+        )
+    )
+}
+// HPKE Public Key Extensions
+fun HpkePublicKey.toHex(): String {
+    return this.toByteArray().toHex()
+}
+fun HpkePublicKey.toByteArray(): ByteArray {
+    return this.publicKeyBytes.toByteArray()
+}
+// ECPublicKey Extensions
+fun ECPublicKey.toBytes(
+    pfType: EllipticCurves.PointFormatType
+): ByteArray {
+    return EllipticCurves.pointEncode(
+        this.params.curve,
+        pfType,
+        this.w
+    )
+}
+// Conversions from Hex <-> byte[]
+fun String.fromHex(): ByteArray {
+    return DatatypeConverter.parseHexBinary(this)
+}
+fun ByteArray.toHex(): String {
+    return DatatypeConverter.printHexBinary(this)
+}

package/android/bin/src/main/java/com/accountkit/reactnativesigner/core/TEKManager.kt ADDED Viewed

@@ -0,0 +1,89 @@
+package com.accountkit.reactnativesigner.core
+import android.content.SharedPreferences
+import com.accountkit.reactnativesigner.core.errors.NoTEKException
+import com.google.crypto.tink.InsecureSecretKeyAccess
+import com.google.crypto.tink.KeyTemplate
+import com.google.crypto.tink.KeysetHandle
+import com.google.crypto.tink.TinkJsonProtoKeysetFormat
+import com.google.crypto.tink.hybrid.HpkeParameters
+import com.google.crypto.tink.hybrid.HpkePublicKey
+import com.google.crypto.tink.hybrid.internal.HpkeContext
+import com.google.crypto.tink.hybrid.internal.HpkeKemKeyFactory
+import com.google.crypto.tink.hybrid.internal.HpkePrimitiveFactory
+private const val TEK_STORAGE_KEY = "TEK_STORAGE_KEY"
+private val hpkeParams = HpkeParameters.builder()
+    .setKemId(HpkeParameters.KemId.DHKEM_P256_HKDF_SHA256)
+    .setKdfId(HpkeParameters.KdfId.HKDF_SHA256)
+    .setAeadId(HpkeParameters.AeadId.AES_256_GCM)
+    .setVariant(HpkeParameters.Variant.NO_PREFIX)
+    .build()
+class HpkeTEKManager(private val sharedPreferences: SharedPreferences) {
+    fun hpkeDecrypt(
+        encapsulatePublicKey: ByteArray,
+        cipherText: ByteArray,
+        info: ByteArray,
+        aad: ByteArray
+    ): ByteArray {
+        // Why do we hve to do all this rather than doing:
+        // val hybridDecrypt = tekHandle.getPrimitive(HybridDecrypt::class.java)
+        // val decryptedKey = hybridDecrypt.decrypt(ciphertext, "turnkey_hpke".toByteArray())
+        // the hybridDecrypt.decrypt that google exposes doesn't allow us to pass in
+        // the aad that's needed to complete decryption
+        val keyHandle = getKeysetHandle() ?: throw NoTEKException()
+        val recipient = HpkeContext.createRecipientContext(
+            encapsulatePublicKey,
+            HpkeKemKeyFactory.createPrivate(keyHandle.toHpkePrivateKey(hpkeParams)),
+            HpkePrimitiveFactory.createKem(hpkeParams.kemId),
+            HpkePrimitiveFactory.createKdf(hpkeParams.kdfId),
+            HpkePrimitiveFactory.createAead(hpkeParams.aeadId),
+            info
+        )
+        return recipient.open(cipherText, aad)
+    }
+    fun createTEK(): HpkePublicKey {
+        val existingPublicKey = publicKey()
+        if (existingPublicKey != null) {
+            return existingPublicKey
+        }
+        val keysetHandle = KeysetHandle.generateNew(KeyTemplate.createFrom(hpkeParams))
+        sharedPreferences
+            .edit()
+            .putString(
+                TEK_STORAGE_KEY,
+                TinkJsonProtoKeysetFormat.serializeKeyset(
+                    keysetHandle,
+                    InsecureSecretKeyAccess.get()
+                )
+            )
+            .apply()
+        return keysetHandle.toHpkePublicKey(hpkeParams)
+    }
+    fun publicKey(): HpkePublicKey? {
+        val ksHandle = getKeysetHandle() ?: return null
+        return ksHandle.toHpkePublicKey(hpkeParams)
+    }
+    fun publicKeyHex(): String? {
+        return publicKey()?.toHex()
+    }
+    private fun getKeysetHandle(): KeysetHandle? {
+        val storageVal = sharedPreferences.getString(TEK_STORAGE_KEY, null) ?: return null
+        return TinkJsonProtoKeysetFormat.parseKeyset(
+            storageVal,
+            InsecureSecretKeyAccess.get()
+        )
+    }
+}

package/android/bin/src/main/java/com/accountkit/reactnativesigner/core/TEKStamper.kt ADDED Viewed

@@ -0,0 +1,258 @@
+package com.accountkit.reactnativesigner.core
+import android.content.Context
+import android.content.SharedPreferences
+import androidx.security.crypto.EncryptedSharedPreferences
+import androidx.security.crypto.MasterKey
+import com.accountkit.reactnativesigner.core.errors.NoInjectedBundleException
+import com.accountkit.reactnativesigner.core.errors.StamperNotInitializedException
+import com.google.crypto.tink.config.TinkConfig
+import com.google.crypto.tink.subtle.Base64
+import com.google.crypto.tink.subtle.EllipticCurves
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.encodeToString
+import kotlinx.serialization.json.Json
+import org.bitcoinj.core.Base58
+import org.bouncycastle.jce.ECNamedCurveTable
+import org.bouncycastle.jce.provider.BouncyCastleProvider
+import org.bouncycastle.jce.spec.ECPublicKeySpec
+import java.nio.ByteBuffer
+import java.security.KeyFactory
+import java.security.Security
+import java.security.Signature
+import java.security.KeyStore
+import java.security.KeyStoreException
+@Serializable
+data class ApiStamp(val publicKey: String, val scheme: String, val signature: String)
+data class Stamp(val stampHeaderName: String, val stampHeaderValue: String)
+private const val BUNDLE_PRIVATE_KEY = "BUNDLE_PRIVATE_KEY"
+private const val BUNDLE_PUBLIC_KEY = "BUNDLE_PUBLIC_KEY"
+private const val MASTER_KEY_ALIAS = "tek_master_key"
+private const val ENCRYPTED_SHARED_PREFERENCES_FILENAME = "tek_stamper_shared_prefs"
+class TEKStamper(context: Context) {
+    // This is how the docs for EncryptedSharedPreferences recommend creating this setup
+    // NOTE: we can further customize the permissions around accessing this master key and the keys
+    // used to generate it by using the .setKeyGenParameterSpec() method on this builder
+    // this would allow us to further specify the access requirements to this key
+    //
+    // we should explore the best practices on how to do this once we reach a phase of further
+    // cleanup
+    /**
+     * We are using EncryptedSharedPreferences to store 2 pieces of data
+     * 1. the TEK keypair - this is the ephemeral key-pair that Turnkey will use to encrypt the
+     * bundle with
+     * 2. the decrypted private key for a session
+     *
+     * The reason we are not using the android key store for either of these things is because
+     * 1. For us to be able to import the private key in the bundle into the KeyStore, Turnkey has
+     * to return the key in a different format (AFAIK):
+     * https://developer.android.com/privacy-and-security/keystore#ImportingEncryptedKeys
+     * 2. If we store the TEK in the KeyStore, then we have to roll our own HPKE decrypt function as
+     * there's no off the shelf solution (that I could find) to do the HPKE decryption. Rolling our
+     * own decryption feels wrong given we are not experts on this and don't have a good way to
+     * verify our implementation (and I don't trust the ChatGPT output to be correct. Even if it is,
+     * there's no guarantee we can test all the edge cases since those are unknown unknowns)
+     *
+     * NOTE: this isn't too far off from how Turnkey recommends doing it in Swift
+     * https://github.com/tkhq/swift-sdk/blob/5817374a7cbd4c99b7ea90b170363dc2bf6c59b9/docs/email-auth.md#email-authentication
+     *
+     * The open question is if the storage of the decrypted private key is secure enough though
+     */
+    private lateinit var tekManager: HpkeTEKManager
+    private lateinit var sharedPreferences: SharedPreferences
+    init {
+        try {
+            TinkConfig.register()
+            sharedPreferences = getSharedPreferences(context)
+            tekManager = HpkeTEKManager(sharedPreferences)
+            if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME).javaClass !=
+                BouncyCastleProvider::class.java
+            ) {
+                Security.removeProvider(BouncyCastleProvider.PROVIDER_NAME)
+            }
+            if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
+                Security.addProvider(BouncyCastleProvider())
+            }
+        } catch (e: Exception){
+            throw RuntimeException("Error creating master key", e)
+        }
+    }
+    fun init(): String {
+        return tekManager.createTEK().toHex()
+    }
+    fun clear() {
+        sharedPreferences.edit().clear().apply()
+    }
+    fun publicKey(): String? {
+        return tekManager.publicKeyHex()
+    }
+    fun injectCredentialBundle(bundle: String) {
+        val tekPublicKey =
+            tekManager.publicKey()
+                ?: throw StamperNotInitializedException()
+        val decodedBundle = Base58.decodeChecked(bundle)
+        val buffer = ByteBuffer.wrap(decodedBundle)
+        val ephemeralPublicKeyLength = 33
+        val ephemeralPublicKeyBytes = ByteArray(ephemeralPublicKeyLength)
+        buffer.get(ephemeralPublicKeyBytes)
+        val ephemeralPublicKey =
+            EllipticCurves.getEcPublicKey(
+                EllipticCurves.CurveType.NIST_P256,
+                EllipticCurves.PointFormatType.COMPRESSED,
+                ephemeralPublicKeyBytes,
+            )
+                .toBytes(EllipticCurves.PointFormatType.UNCOMPRESSED)
+        val ciphertext = ByteArray(buffer.remaining())
+        buffer.get(ciphertext)
+        val aad = ephemeralPublicKey + tekPublicKey.toByteArray()
+        val decryptedKey =
+            tekManager.hpkeDecrypt(
+                ephemeralPublicKey,
+                ciphertext,
+                "turnkey_hpke".toByteArray(),
+                aad
+            )
+        val (publicKeyBytes, privateKeyBytes) = privateKeyToKeyPair(decryptedKey)
+        sharedPreferences
+            .edit()
+            .putString(BUNDLE_PRIVATE_KEY, privateKeyBytes.toHex().lowercase())
+            .apply()
+        sharedPreferences
+            .edit()
+            .putString(BUNDLE_PUBLIC_KEY, publicKeyBytes.toHex().lowercase())
+            .apply()
+    }
+    fun stamp(payload: String): Stamp {
+        val signingKeyHex =
+            sharedPreferences.getString(BUNDLE_PRIVATE_KEY, null)
+                ?: throw NoInjectedBundleException()
+        val publicSigningKeyHex =
+            sharedPreferences.getString(BUNDLE_PUBLIC_KEY, null)
+                ?: throw NoInjectedBundleException()
+        val ecPrivateKey =
+            EllipticCurves.getEcPrivateKey(
+                EllipticCurves.CurveType.NIST_P256,
+                signingKeyHex.fromHex()
+            )
+        val signer = Signature.getInstance("SHA256withECDSA")
+        signer.initSign(ecPrivateKey)
+        signer.update(payload.toByteArray())
+        val signature = signer.sign()
+        val apiStamp =
+            ApiStamp(publicSigningKeyHex, "SIGNATURE_SCHEME_TK_API_P256", signature.toHex())
+        return Stamp(
+            "X-Stamp",
+            Base64.urlSafeEncode(Json.encodeToString(apiStamp).toByteArray())
+        )
+    }
+    private fun privateKeyToKeyPair(privateKey: ByteArray): Pair<ByteArray, ByteArray> {
+        val ecPrivateKey =
+            EllipticCurves.getEcPrivateKey(EllipticCurves.CurveType.NIST_P256, privateKey)
+        // compute the public key
+        val s = ecPrivateKey.s
+        val bcSpec = ECNamedCurveTable.getParameterSpec("secp256r1")
+        val pubSpec = ECPublicKeySpec(bcSpec.g.multiply(s).normalize(), bcSpec)
+        val keyFactory = KeyFactory.getInstance("EC", BouncyCastleProvider.PROVIDER_NAME)
+        val ecPublicKey = EllipticCurves.getEcPublicKey(keyFactory.generatePublic(pubSpec).encoded)
+        // verify the key pair
+        EllipticCurves.validatePublicKey(ecPublicKey, ecPrivateKey)
+        // compress it to match turnkey expectations
+        val compressedPublicKey =
+            ecPublicKey.toBytes(
+                EllipticCurves.PointFormatType.COMPRESSED,
+            )
+        return Pair(compressedPublicKey, privateKey)
+    }
+    private fun createSharedPreferences(masterKey: MasterKey, context: Context): SharedPreferences {
+        return EncryptedSharedPreferences.create(
+            context,
+            ENCRYPTED_SHARED_PREFERENCES_FILENAME,
+            masterKey,
+            EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
+            EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
+        )
+    }
+    private fun createMasterKey(context: Context): MasterKey {
+         return MasterKey.Builder(context.applicationContext, MASTER_KEY_ALIAS)
+            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
+            .setUserAuthenticationRequired(false)
+            .build()
+    }
+    private fun getSharedPreferences(context: Context): SharedPreferences {
+        try {
+            // Attempt to create or load the EncryptedSharedPreferences file
+            val masterKey = createMasterKey(context)
+            return createSharedPreferences(masterKey, context)
+        } catch(e: Exception) {
+            // Log the Exception
+            e.printStackTrace()
+        }
+        // An error occured creating or retrieving the Shared Preferences file.
+        // Delete the existing master key and EncryptedSharedPreferences
+        // first delete the MasterKey
+        try {
+            val keyStore = KeyStore.getInstance("AndroidKeyStore")
+            keyStore.load(null)
+            keyStore.deleteEntry(MASTER_KEY_ALIAS)
+        } catch (keyStoreDeletionException: Exception) {
+            throw RuntimeException("An error occured deleting the Master Key", keyStoreDeletionException)
+        }
+        // attempt to recreate a new EncryptedSharedPreferences file
+        try {
+            // Create a new MasterKey
+            val newMasterKey = createMasterKey(context)
+            context.getSharedPreferences(ENCRYPTED_SHARED_PREFERENCES_FILENAME, Context.MODE_PRIVATE).edit().clear().apply()
+            context.deleteSharedPreferences(ENCRYPTED_SHARED_PREFERENCES_FILENAME)
+            return createSharedPreferences(newMasterKey, context)
+        } catch(retryException: Exception) {
+            throw RuntimeException("Couldn't create the required shared preferences file. Ensure you are properly authenticated on this device.", retryException)
+        }
+    }
+}

package/android/bin/src/main/java/com/accountkit/reactnativesigner/core/errors/NoInjectedBundleException.kt ADDED Viewed

@@ -0,0 +1,3 @@
+package com.accountkit.reactnativesigner.core.errors
+class NoInjectedBundleException: IllegalStateException("No injected bundle, did you complete auth?")

package/android/bin/src/main/java/com/accountkit/reactnativesigner/core/errors/NoTEKException.kt ADDED Viewed

@@ -0,0 +1,3 @@
+package com.accountkit.reactnativesigner.core.errors
+class NoTEKException: IllegalStateException("No TEK found!")

package/android/bin/src/main/java/com/accountkit/reactnativesigner/core/errors/StamperNotInitialized.kt ADDED Viewed

@@ -0,0 +1,3 @@
+package com.accountkit.reactnativesigner.core.errors
+class StamperNotInitializedException: IllegalStateException("Stamper has not been initialized")

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@account-kit/react-native-signer",
-  "version": "4.57.0",
+  "version": "4.57.2-alpha.0",
   "author": "Alchemy",
   "description": "React Native compatible Smart Wallets signer",
   "source": "./src/index.tsx",
@@ -142,11 +142,11 @@
     "version": "0.42.2"
   },
   "dependencies": {
-    "@aa-sdk/core": "^4.57.0",
-    "@account-kit/signer": "^4.57.0",
+    "@aa-sdk/core": "^4.57.2-alpha.0",
+    "@account-kit/signer": "^4.57.2-alpha.0",
     "@turnkey/react-native-passkey-stamper": "^1.0.14",
     "uuid": "^11.1.0",
     "viem": "^2.29.2"
   },
-  "gitHead": "98db427dcc3f23885590cfea69151ab0fc616ae8"
+  "gitHead": "97926325edd215f1e36fe50775eb2d16f0d40fa5"
 }