@brightchain/brightchain-api-lib 0.14.0 → 0.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +5 -5
- package/src/index.d.ts +3 -0
- package/src/index.d.ts.map +1 -1
- package/src/index.js +5 -0
- package/src/index.js.map +1 -1
- package/src/lib/application.d.ts +1 -0
- package/src/lib/application.d.ts.map +1 -1
- package/src/lib/application.js +23 -0
- package/src/lib/application.js.map +1 -1
- package/src/lib/auth/aclEnforcedAvailability.d.ts +57 -0
- package/src/lib/auth/aclEnforcedAvailability.d.ts.map +1 -0
- package/src/lib/auth/aclEnforcedAvailability.js +87 -0
- package/src/lib/auth/aclEnforcedAvailability.js.map +1 -0
- package/src/lib/auth/aclEnforcedBlockStore.d.ts +66 -0
- package/src/lib/auth/aclEnforcedBlockStore.d.ts.map +1 -0
- package/src/lib/auth/aclEnforcedBlockStore.js +83 -0
- package/src/lib/auth/aclEnforcedBlockStore.js.map +1 -0
- package/src/lib/auth/ecdsaNodeAuthenticator.d.ts +46 -0
- package/src/lib/auth/ecdsaNodeAuthenticator.d.ts.map +1 -0
- package/src/lib/auth/ecdsaNodeAuthenticator.js +110 -0
- package/src/lib/auth/ecdsaNodeAuthenticator.js.map +1 -0
- package/src/lib/auth/index.d.ts +7 -0
- package/src/lib/auth/index.d.ts.map +1 -0
- package/src/lib/auth/index.js +13 -0
- package/src/lib/auth/index.js.map +1 -0
- package/src/lib/auth/poolAclBootstrap.d.ts +36 -0
- package/src/lib/auth/poolAclBootstrap.d.ts.map +1 -0
- package/src/lib/auth/poolAclBootstrap.js +64 -0
- package/src/lib/auth/poolAclBootstrap.js.map +1 -0
- package/src/lib/auth/poolAclStore.d.ts +77 -0
- package/src/lib/auth/poolAclStore.d.ts.map +1 -0
- package/src/lib/auth/poolAclStore.js +189 -0
- package/src/lib/auth/poolAclStore.js.map +1 -0
- package/src/lib/auth/poolAclUpdater.d.ts +79 -0
- package/src/lib/auth/poolAclUpdater.d.ts.map +1 -0
- package/src/lib/auth/poolAclUpdater.js +144 -0
- package/src/lib/auth/poolAclUpdater.js.map +1 -0
- package/src/lib/availability/availabilityService.d.ts +2 -2
- package/src/lib/availability/availabilityService.d.ts.map +1 -1
- package/src/lib/availability/availabilityService.js +12 -5
- package/src/lib/availability/availabilityService.js.map +1 -1
- package/src/lib/availability/blockRegistry.d.ts +45 -3
- package/src/lib/availability/blockRegistry.d.ts.map +1 -1
- package/src/lib/availability/blockRegistry.js +123 -5
- package/src/lib/availability/blockRegistry.js.map +1 -1
- package/src/lib/availability/discoveryProtocol.d.ts +30 -1
- package/src/lib/availability/discoveryProtocol.d.ts.map +1 -1
- package/src/lib/availability/discoveryProtocol.js +76 -0
- package/src/lib/availability/discoveryProtocol.js.map +1 -1
- package/src/lib/availability/gossipService.d.ts +45 -6
- package/src/lib/availability/gossipService.d.ts.map +1 -1
- package/src/lib/availability/gossipService.js +177 -5
- package/src/lib/availability/gossipService.js.map +1 -1
- package/src/lib/availability/reconciliationService.d.ts +88 -1
- package/src/lib/availability/reconciliationService.d.ts.map +1 -1
- package/src/lib/availability/reconciliationService.js +246 -48
- package/src/lib/availability/reconciliationService.js.map +1 -1
- package/src/lib/blockFetch/blockFetcher.d.ts +100 -0
- package/src/lib/blockFetch/blockFetcher.d.ts.map +1 -0
- package/src/lib/blockFetch/blockFetcher.js +279 -0
- package/src/lib/blockFetch/blockFetcher.js.map +1 -0
- package/src/lib/blockFetch/fetchQueue.d.ts +88 -0
- package/src/lib/blockFetch/fetchQueue.d.ts.map +1 -0
- package/src/lib/blockFetch/fetchQueue.js +204 -0
- package/src/lib/blockFetch/fetchQueue.js.map +1 -0
- package/src/lib/blockFetch/httpBlockFetchTransport.d.ts +65 -0
- package/src/lib/blockFetch/httpBlockFetchTransport.d.ts.map +1 -0
- package/src/lib/blockFetch/httpBlockFetchTransport.js +104 -0
- package/src/lib/blockFetch/httpBlockFetchTransport.js.map +1 -0
- package/src/lib/blockFetch/index.d.ts +10 -0
- package/src/lib/blockFetch/index.d.ts.map +1 -0
- package/src/lib/blockFetch/index.js +13 -0
- package/src/lib/blockFetch/index.js.map +1 -0
- package/src/lib/controllers/api/brightpass.d.ts +72 -0
- package/src/lib/controllers/api/brightpass.d.ts.map +1 -0
- package/src/lib/controllers/api/brightpass.js +577 -0
- package/src/lib/controllers/api/brightpass.js.map +1 -0
- package/src/lib/controllers/api/channels.d.ts +122 -0
- package/src/lib/controllers/api/channels.d.ts.map +1 -0
- package/src/lib/controllers/api/channels.js +701 -0
- package/src/lib/controllers/api/channels.js.map +1 -0
- package/src/lib/controllers/api/conversations.d.ts +89 -0
- package/src/lib/controllers/api/conversations.d.ts.map +1 -0
- package/src/lib/controllers/api/conversations.js +259 -0
- package/src/lib/controllers/api/conversations.js.map +1 -0
- package/src/lib/controllers/api/emails.d.ts +122 -0
- package/src/lib/controllers/api/emails.d.ts.map +1 -0
- package/src/lib/controllers/api/emails.js +494 -0
- package/src/lib/controllers/api/emails.js.map +1 -0
- package/src/lib/controllers/api/explodingMessages.d.ts +79 -0
- package/src/lib/controllers/api/explodingMessages.d.ts.map +1 -0
- package/src/lib/controllers/api/explodingMessages.js +378 -0
- package/src/lib/controllers/api/explodingMessages.js.map +1 -0
- package/src/lib/controllers/api/groups.d.ts +94 -0
- package/src/lib/controllers/api/groups.d.ts.map +1 -0
- package/src/lib/controllers/api/groups.js +484 -0
- package/src/lib/controllers/api/groups.js.map +1 -0
- package/src/lib/controllers/api/index.d.ts +6 -0
- package/src/lib/controllers/api/index.d.ts.map +1 -1
- package/src/lib/controllers/api/index.js +6 -0
- package/src/lib/controllers/api/index.js.map +1 -1
- package/src/lib/controllers/api/messages.d.ts.map +1 -1
- package/src/lib/controllers/api/messages.js +2 -1
- package/src/lib/controllers/api/messages.js.map +1 -1
- package/src/lib/controllers/api/sync.d.ts +38 -2
- package/src/lib/controllers/api/sync.d.ts.map +1 -1
- package/src/lib/controllers/api/sync.js +89 -0
- package/src/lib/controllers/api/sync.js.map +1 -1
- package/src/lib/controllers/crypto/gitController.d.ts +70 -0
- package/src/lib/controllers/crypto/gitController.d.ts.map +1 -0
- package/src/lib/controllers/crypto/gitController.js +306 -0
- package/src/lib/controllers/crypto/gitController.js.map +1 -0
- package/src/lib/controllers/crypto/index.d.ts +3 -0
- package/src/lib/controllers/crypto/index.d.ts.map +1 -0
- package/src/lib/controllers/crypto/index.js +6 -0
- package/src/lib/controllers/crypto/index.js.map +1 -0
- package/src/lib/controllers/crypto/walletController.d.ts +64 -0
- package/src/lib/controllers/crypto/walletController.d.ts.map +1 -0
- package/src/lib/controllers/crypto/walletController.js +260 -0
- package/src/lib/controllers/crypto/walletController.js.map +1 -0
- package/src/lib/controllers/identity/deviceController.d.ts +96 -0
- package/src/lib/controllers/identity/deviceController.d.ts.map +1 -0
- package/src/lib/controllers/identity/deviceController.js +355 -0
- package/src/lib/controllers/identity/deviceController.js.map +1 -0
- package/src/lib/controllers/identity/directoryController.d.ts +75 -0
- package/src/lib/controllers/identity/directoryController.d.ts.map +1 -0
- package/src/lib/controllers/identity/directoryController.js +288 -0
- package/src/lib/controllers/identity/directoryController.js.map +1 -0
- package/src/lib/controllers/identity/identityProofController.d.ts +94 -0
- package/src/lib/controllers/identity/identityProofController.d.ts.map +1 -0
- package/src/lib/controllers/identity/identityProofController.js +454 -0
- package/src/lib/controllers/identity/identityProofController.js.map +1 -0
- package/src/lib/controllers/identity/index.d.ts +4 -0
- package/src/lib/controllers/identity/index.d.ts.map +1 -0
- package/src/lib/controllers/identity/index.js +7 -0
- package/src/lib/controllers/identity/index.js.map +1 -0
- package/src/lib/controllers/index.d.ts +2 -0
- package/src/lib/controllers/index.d.ts.map +1 -1
- package/src/lib/controllers/index.js +2 -0
- package/src/lib/controllers/index.js.map +1 -1
- package/src/lib/encryption/encryptedMetadataService.d.ts +87 -0
- package/src/lib/encryption/encryptedMetadataService.d.ts.map +1 -0
- package/src/lib/encryption/encryptedMetadataService.js +224 -0
- package/src/lib/encryption/encryptedMetadataService.js.map +1 -0
- package/src/lib/encryption/encryptionAwareReplication.d.ts +76 -0
- package/src/lib/encryption/encryptionAwareReplication.d.ts.map +1 -0
- package/src/lib/encryption/encryptionAwareReplication.js +116 -0
- package/src/lib/encryption/encryptionAwareReplication.js.map +1 -0
- package/src/lib/encryption/errors.d.ts +49 -0
- package/src/lib/encryption/errors.d.ts.map +1 -0
- package/src/lib/encryption/errors.js +80 -0
- package/src/lib/encryption/errors.js.map +1 -0
- package/src/lib/encryption/index.d.ts +6 -0
- package/src/lib/encryption/index.d.ts.map +1 -0
- package/src/lib/encryption/index.js +9 -0
- package/src/lib/encryption/index.js.map +1 -0
- package/src/lib/encryption/poolEncryptionService.d.ts +94 -0
- package/src/lib/encryption/poolEncryptionService.d.ts.map +1 -0
- package/src/lib/encryption/poolEncryptionService.js +252 -0
- package/src/lib/encryption/poolEncryptionService.js.map +1 -0
- package/src/lib/encryption/poolKeyManager.d.ts +82 -0
- package/src/lib/encryption/poolKeyManager.d.ts.map +1 -0
- package/src/lib/encryption/poolKeyManager.js +156 -0
- package/src/lib/encryption/poolKeyManager.js.map +1 -0
- package/src/lib/environment.d.ts +3 -0
- package/src/lib/environment.d.ts.map +1 -1
- package/src/lib/environment.js +5 -0
- package/src/lib/environment.js.map +1 -1
- package/src/lib/interfaces/environment.d.ts +7 -1
- package/src/lib/interfaces/environment.d.ts.map +1 -1
- package/src/lib/interfaces/index.d.ts +0 -1
- package/src/lib/interfaces/index.d.ts.map +1 -1
- package/src/lib/interfaces/requests/getBlockDataRequest.d.ts +12 -0
- package/src/lib/interfaces/requests/getBlockDataRequest.d.ts.map +1 -0
- package/src/lib/interfaces/{blockStore.js → requests/getBlockDataRequest.js} +1 -1
- package/src/lib/interfaces/requests/getBlockDataRequest.js.map +1 -0
- package/src/lib/interfaces/requests/index.d.ts +1 -0
- package/src/lib/interfaces/requests/index.d.ts.map +1 -1
- package/src/lib/routers/api.d.ts +54 -1
- package/src/lib/routers/api.d.ts.map +1 -1
- package/src/lib/routers/api.js +77 -0
- package/src/lib/routers/api.js.map +1 -1
- package/src/lib/services/blockStore.d.ts +5 -2
- package/src/lib/services/blockStore.d.ts.map +1 -1
- package/src/lib/services/blockStore.js +4 -0
- package/src/lib/services/blockStore.js.map +1 -1
- package/src/lib/services/brightpass/auditLogger.d.ts +77 -0
- package/src/lib/services/brightpass/auditLogger.d.ts.map +1 -0
- package/src/lib/services/brightpass/auditLogger.js +184 -0
- package/src/lib/services/brightpass/auditLogger.js.map +1 -0
- package/src/lib/services/brightpass/vaultEncryption.d.ts +82 -0
- package/src/lib/services/brightpass/vaultEncryption.d.ts.map +1 -0
- package/src/lib/services/brightpass/vaultEncryption.js +144 -0
- package/src/lib/services/brightpass/vaultEncryption.js.map +1 -0
- package/src/lib/services/brightpass.d.ts +294 -0
- package/src/lib/services/brightpass.d.ts.map +1 -0
- package/src/lib/services/brightpass.js +1260 -0
- package/src/lib/services/brightpass.js.map +1 -0
- package/src/lib/services/eventNotificationSystem.d.ts +69 -3
- package/src/lib/services/eventNotificationSystem.d.ts.map +1 -1
- package/src/lib/services/eventNotificationSystem.js +200 -0
- package/src/lib/services/eventNotificationSystem.js.map +1 -1
- package/src/lib/services/expirationScheduler.d.ts +90 -0
- package/src/lib/services/expirationScheduler.d.ts.map +1 -0
- package/src/lib/services/expirationScheduler.js +131 -0
- package/src/lib/services/expirationScheduler.js.map +1 -0
- package/src/lib/services/fecUsageExample.d.ts +2 -2
- package/src/lib/services/index.d.ts +2 -0
- package/src/lib/services/index.d.ts.map +1 -1
- package/src/lib/services/index.js +2 -0
- package/src/lib/services/index.js.map +1 -1
- package/src/lib/services/paginationService.d.ts +18 -0
- package/src/lib/services/paginationService.d.ts.map +1 -0
- package/src/lib/services/paginationService.js +32 -0
- package/src/lib/services/paginationService.js.map +1 -0
- package/src/lib/services/presenceService.d.ts +76 -0
- package/src/lib/services/presenceService.d.ts.map +1 -0
- package/src/lib/services/presenceService.js +143 -0
- package/src/lib/services/presenceService.js.map +1 -0
- package/src/lib/services/wireConversationPromotion.d.ts +23 -0
- package/src/lib/services/wireConversationPromotion.d.ts.map +1 -0
- package/src/lib/services/wireConversationPromotion.js +26 -0
- package/src/lib/services/wireConversationPromotion.js.map +1 -0
- package/src/lib/stores/availabilityAwareBlockStore.d.ts +115 -10
- package/src/lib/stores/availabilityAwareBlockStore.d.ts.map +1 -1
- package/src/lib/stores/availabilityAwareBlockStore.js +267 -23
- package/src/lib/stores/availabilityAwareBlockStore.js.map +1 -1
- package/src/lib/stores/diskBlockAsyncStore.d.ts +81 -2
- package/src/lib/stores/diskBlockAsyncStore.d.ts.map +1 -1
- package/src/lib/stores/diskBlockAsyncStore.js +297 -10
- package/src/lib/stores/diskBlockAsyncStore.js.map +1 -1
- package/src/lib/utils/communicationValidation.d.ts +44 -0
- package/src/lib/utils/communicationValidation.d.ts.map +1 -0
- package/src/lib/utils/communicationValidation.js +291 -0
- package/src/lib/utils/communicationValidation.js.map +1 -0
- package/src/lib/utils/emailValidation.d.ts +19 -0
- package/src/lib/utils/emailValidation.d.ts.map +1 -0
- package/src/lib/utils/emailValidation.js +232 -0
- package/src/lib/utils/emailValidation.js.map +1 -0
- package/src/lib/interfaces/blockStore.d.ts +0 -7
- package/src/lib/interfaces/blockStore.d.ts.map +0 -1
- package/src/lib/interfaces/blockStore.js.map +0 -1
|
@@ -0,0 +1,224 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Encrypted Metadata Service — handles metadata encryption/decryption
|
|
4
|
+
* for CBL Index entries in encrypted pools.
|
|
5
|
+
*
|
|
6
|
+
* Controls which metadata fields remain searchable (unencrypted) based
|
|
7
|
+
* on pool configuration, encrypts the rest, and enforces query restrictions
|
|
8
|
+
* on encrypted fields.
|
|
9
|
+
*
|
|
10
|
+
* @see Requirements 16.1, 16.2, 16.3, 16.4, 16.5
|
|
11
|
+
*/
|
|
12
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
13
|
+
exports.EncryptedMetadataService = void 0;
|
|
14
|
+
const brightchain_lib_1 = require("@brightchain/brightchain-lib");
|
|
15
|
+
const errors_1 = require("./errors");
|
|
16
|
+
/**
|
|
17
|
+
* Fields that are always unencrypted regardless of pool configuration.
|
|
18
|
+
* These are structural fields required for block lookups, pool scoping,
|
|
19
|
+
* and basic index operations.
|
|
20
|
+
*
|
|
21
|
+
* Block IDs (checksums) are always unencrypted because they are content
|
|
22
|
+
* hashes of the encrypted data (Requirement 16.2).
|
|
23
|
+
*/
|
|
24
|
+
const ALWAYS_UNENCRYPTED_FIELDS = [
|
|
25
|
+
'_id',
|
|
26
|
+
'magnetUrl',
|
|
27
|
+
'blockId1',
|
|
28
|
+
'blockId2',
|
|
29
|
+
'blockSize',
|
|
30
|
+
'poolId',
|
|
31
|
+
'createdAt',
|
|
32
|
+
'sequenceNumber',
|
|
33
|
+
'visibility',
|
|
34
|
+
'createdBy',
|
|
35
|
+
];
|
|
36
|
+
/**
|
|
37
|
+
* Fields that may be encrypted unless explicitly listed as searchable
|
|
38
|
+
* in the pool configuration (Requirement 16.3).
|
|
39
|
+
*/
|
|
40
|
+
const ENCRYPTABLE_FIELDS = [
|
|
41
|
+
'metadata.fileName',
|
|
42
|
+
'metadata.mimeType',
|
|
43
|
+
'metadata.originalSize',
|
|
44
|
+
'metadata.tags',
|
|
45
|
+
'userCollection',
|
|
46
|
+
'fileId',
|
|
47
|
+
'versionNumber',
|
|
48
|
+
'previousVersion',
|
|
49
|
+
];
|
|
50
|
+
class EncryptedMetadataService {
|
|
51
|
+
constructor(encryptionService, config) {
|
|
52
|
+
this.encryptionService = encryptionService;
|
|
53
|
+
this.config = config;
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Encrypt non-searchable metadata fields on a CBL index entry.
|
|
57
|
+
*
|
|
58
|
+
* Fields listed in ALWAYS_UNENCRYPTED_FIELDS are never encrypted.
|
|
59
|
+
* Fields listed in ENCRYPTABLE_FIELDS are encrypted unless they appear
|
|
60
|
+
* in the pool config's searchableMetadataFields.
|
|
61
|
+
*
|
|
62
|
+
* Encrypted values are stored as base64 strings in the entry's
|
|
63
|
+
* `encryptedFields` map, and the original fields are set to undefined.
|
|
64
|
+
*
|
|
65
|
+
* @param entry - The CBL index entry to encrypt
|
|
66
|
+
* @param poolKey - The 32-byte symmetric pool key for AES-256-GCM encryption
|
|
67
|
+
* @returns A new entry with non-searchable fields encrypted
|
|
68
|
+
* @see Requirements 16.1, 16.3
|
|
69
|
+
*/
|
|
70
|
+
async encryptMetadata(entry, poolKey) {
|
|
71
|
+
if (this.config.mode === brightchain_lib_1.EncryptionMode.None) {
|
|
72
|
+
return { ...entry };
|
|
73
|
+
}
|
|
74
|
+
const result = { ...entry };
|
|
75
|
+
if (result.metadata) {
|
|
76
|
+
result.metadata = { ...result.metadata };
|
|
77
|
+
}
|
|
78
|
+
const encryptedFields = {
|
|
79
|
+
...(result.encryptedFields ?? {}),
|
|
80
|
+
};
|
|
81
|
+
for (const fieldPath of ENCRYPTABLE_FIELDS) {
|
|
82
|
+
if (this.isSearchable(fieldPath)) {
|
|
83
|
+
continue;
|
|
84
|
+
}
|
|
85
|
+
const value = this.getFieldValue(result, fieldPath);
|
|
86
|
+
if (value === undefined) {
|
|
87
|
+
continue;
|
|
88
|
+
}
|
|
89
|
+
const serialized = JSON.stringify(value);
|
|
90
|
+
const plaintext = new TextEncoder().encode(serialized);
|
|
91
|
+
const ciphertext = await this.encryptionService.encryptPoolShared(plaintext, poolKey);
|
|
92
|
+
encryptedFields[fieldPath] = this.uint8ArrayToBase64(ciphertext);
|
|
93
|
+
this.clearFieldValue(result, fieldPath);
|
|
94
|
+
}
|
|
95
|
+
result.encryptedFields = encryptedFields;
|
|
96
|
+
return result;
|
|
97
|
+
}
|
|
98
|
+
/**
|
|
99
|
+
* Decrypt encrypted metadata fields on a CBL index entry,
|
|
100
|
+
* restoring original field values from the `encryptedFields` map.
|
|
101
|
+
*
|
|
102
|
+
* @param entry - The CBL index entry with encrypted fields
|
|
103
|
+
* @param poolKey - The 32-byte symmetric pool key for AES-256-GCM decryption
|
|
104
|
+
* @returns A new entry with all fields decrypted and restored
|
|
105
|
+
*/
|
|
106
|
+
async decryptMetadata(entry, poolKey) {
|
|
107
|
+
if (!entry.encryptedFields ||
|
|
108
|
+
Object.keys(entry.encryptedFields).length === 0) {
|
|
109
|
+
return { ...entry };
|
|
110
|
+
}
|
|
111
|
+
const result = { ...entry };
|
|
112
|
+
if (result.metadata) {
|
|
113
|
+
result.metadata = { ...result.metadata };
|
|
114
|
+
}
|
|
115
|
+
for (const [fieldPath, base64Ciphertext] of Object.entries(entry.encryptedFields)) {
|
|
116
|
+
const ciphertext = this.base64ToUint8Array(base64Ciphertext);
|
|
117
|
+
const plaintext = await this.encryptionService.decryptPoolShared(ciphertext, poolKey);
|
|
118
|
+
const serialized = new TextDecoder().decode(plaintext);
|
|
119
|
+
const value = JSON.parse(serialized);
|
|
120
|
+
this.setFieldValue(result, fieldPath, value);
|
|
121
|
+
}
|
|
122
|
+
// Remove the encryptedFields map after decryption
|
|
123
|
+
delete result.encryptedFields;
|
|
124
|
+
return result;
|
|
125
|
+
}
|
|
126
|
+
/**
|
|
127
|
+
* Validate that queried fields are searchable (not encrypted).
|
|
128
|
+
* Throws EncryptedFieldError if any queried field is encrypted.
|
|
129
|
+
*
|
|
130
|
+
* @param queryFields - Field names being queried
|
|
131
|
+
* @throws EncryptedFieldError if a queried field is encrypted
|
|
132
|
+
* @see Requirement 16.5
|
|
133
|
+
*/
|
|
134
|
+
validateQuery(queryFields) {
|
|
135
|
+
const searchable = this.getSearchableFields();
|
|
136
|
+
for (const field of queryFields) {
|
|
137
|
+
if (!searchable.includes(field)) {
|
|
138
|
+
throw new errors_1.EncryptedFieldError(field, searchable);
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
}
|
|
142
|
+
/**
|
|
143
|
+
* Returns false if the pool has any encryption mode other than None.
|
|
144
|
+
* Content-based indexing and CBL address extraction are not possible
|
|
145
|
+
* on encrypted blocks because the block content is opaque.
|
|
146
|
+
*
|
|
147
|
+
* @returns Whether content-based indexing is allowed
|
|
148
|
+
* @see Requirement 16.4
|
|
149
|
+
*/
|
|
150
|
+
isContentIndexingAllowed() {
|
|
151
|
+
return this.config.mode === brightchain_lib_1.EncryptionMode.None;
|
|
152
|
+
}
|
|
153
|
+
/**
|
|
154
|
+
* Returns the list of always-unencrypted fields plus the configured
|
|
155
|
+
* searchable metadata fields.
|
|
156
|
+
*
|
|
157
|
+
* @returns All searchable (unencrypted) field names
|
|
158
|
+
* @see Requirement 16.1
|
|
159
|
+
*/
|
|
160
|
+
getSearchableFields() {
|
|
161
|
+
return [
|
|
162
|
+
...ALWAYS_UNENCRYPTED_FIELDS,
|
|
163
|
+
...this.config.searchableMetadataFields,
|
|
164
|
+
];
|
|
165
|
+
}
|
|
166
|
+
// ─── Private Helpers ────────────────────────────────────────────────
|
|
167
|
+
/**
|
|
168
|
+
* Check if a field path is searchable (always unencrypted or in config).
|
|
169
|
+
*/
|
|
170
|
+
isSearchable(fieldPath) {
|
|
171
|
+
return (ALWAYS_UNENCRYPTED_FIELDS.includes(fieldPath) ||
|
|
172
|
+
this.config.searchableMetadataFields.includes(fieldPath));
|
|
173
|
+
}
|
|
174
|
+
/**
|
|
175
|
+
* Get a field value from an entry by dot-notation path.
|
|
176
|
+
*/
|
|
177
|
+
getFieldValue(entry, fieldPath) {
|
|
178
|
+
const parts = fieldPath.split('.');
|
|
179
|
+
if (parts.length === 1) {
|
|
180
|
+
return entry[fieldPath];
|
|
181
|
+
}
|
|
182
|
+
if (parts.length === 2 && parts[0] === 'metadata' && entry.metadata) {
|
|
183
|
+
return entry.metadata[parts[1]];
|
|
184
|
+
}
|
|
185
|
+
return undefined;
|
|
186
|
+
}
|
|
187
|
+
/**
|
|
188
|
+
* Clear a field value on an entry by dot-notation path (set to undefined).
|
|
189
|
+
*/
|
|
190
|
+
clearFieldValue(entry, fieldPath) {
|
|
191
|
+
const parts = fieldPath.split('.');
|
|
192
|
+
if (parts.length === 1) {
|
|
193
|
+
Reflect.deleteProperty(entry, fieldPath);
|
|
194
|
+
}
|
|
195
|
+
else if (parts.length === 2 &&
|
|
196
|
+
parts[0] === 'metadata' &&
|
|
197
|
+
entry.metadata) {
|
|
198
|
+
Reflect.deleteProperty(entry.metadata, parts[1]);
|
|
199
|
+
}
|
|
200
|
+
}
|
|
201
|
+
/**
|
|
202
|
+
* Set a field value on an entry by dot-notation path.
|
|
203
|
+
*/
|
|
204
|
+
setFieldValue(entry, fieldPath, value) {
|
|
205
|
+
const parts = fieldPath.split('.');
|
|
206
|
+
if (parts.length === 1) {
|
|
207
|
+
Reflect.set(entry, fieldPath, value);
|
|
208
|
+
}
|
|
209
|
+
else if (parts.length === 2 && parts[0] === 'metadata') {
|
|
210
|
+
if (!entry.metadata) {
|
|
211
|
+
entry.metadata = {};
|
|
212
|
+
}
|
|
213
|
+
Reflect.set(entry.metadata, parts[1], value);
|
|
214
|
+
}
|
|
215
|
+
}
|
|
216
|
+
uint8ArrayToBase64(data) {
|
|
217
|
+
return Buffer.from(data).toString('base64');
|
|
218
|
+
}
|
|
219
|
+
base64ToUint8Array(base64) {
|
|
220
|
+
return new Uint8Array(Buffer.from(base64, 'base64'));
|
|
221
|
+
}
|
|
222
|
+
}
|
|
223
|
+
exports.EncryptedMetadataService = EncryptedMetadataService;
|
|
224
|
+
//# sourceMappingURL=encryptedMetadataService.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"encryptedMetadataService.js","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/encryptedMetadataService.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAMH,kEAA8D;AAC9D,qCAA+C;AAG/C;;;;;;;GAOG;AACH,MAAM,yBAAyB,GAAsB;IACnD,KAAK;IACL,WAAW;IACX,UAAU;IACV,UAAU;IACV,WAAW;IACX,QAAQ;IACR,WAAW;IACX,gBAAgB;IAChB,YAAY;IACZ,WAAW;CACH,CAAC;AAEX;;;GAGG;AACH,MAAM,kBAAkB,GAAsB;IAC5C,mBAAmB;IACnB,mBAAmB;IACnB,uBAAuB;IACvB,eAAe;IACf,gBAAgB;IAChB,QAAQ;IACR,eAAe;IACf,iBAAiB;CACT,CAAC;AAEX,MAAa,wBAAwB;IAInC,YACE,iBAAwC,EACxC,MAA6B;QAE7B,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;QAC3C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,KAAK,CAAC,eAAe,CACnB,KAAqB,EACrB,OAAmB;QAEnB,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gCAAc,CAAC,IAAI,EAAE,CAAC;YAC7C,OAAO,EAAE,GAAG,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,MAAM,GAAmB,EAAE,GAAG,KAAK,EAAE,CAAC;QAC5C,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,CAAC,QAAQ,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC3C,CAAC;QACD,MAAM,eAAe,GAA2B;YAC9C,GAAG,CAAC,MAAM,CAAC,eAAe,IAAI,EAAE,CAAC;SAClC,CAAC;QAEF,KAAK,MAAM,SAAS,IAAI,kBAAkB,EAAE,CAAC;YAC3C,IAAI,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,EAAE,CAAC;gBACjC,SAAS;YACX,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;YACpD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,SAAS;YACX,CAAC;YAED,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;YACzC,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;YACvD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,iBAAiB,CAC/D,SAAS,EACT,OAAO,CACR,CAAC;YACF,eAAe,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;YAEjE,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAC1C,CAAC;QAED,MAAM,CAAC,eAAe,GAAG,eAAe,CAAC;QACzC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,eAAe,CACnB,KAAqB,EACrB,OAAmB;QAEnB,IACE,CAAC,KAAK,CAAC,eAAe;YACtB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC,MAAM,KAAK,CAAC,EAC/C,CAAC;YACD,OAAO,EAAE,GAAG,KAAK,EAAE,CAAC;QACtB,CAAC;QAED,MAAM,MAAM,GAAmB,EAAE,GAAG,KAAK,EAAE,CAAC;QAC5C,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACpB,MAAM,CAAC,QAAQ,GAAG,EAAE,GAAG,MAAM,CAAC,QAAQ,EAAE,CAAC;QAC3C,CAAC;QAED,KAAK,MAAM,CAAC,SAAS,EAAE,gBAAgB,CAAC,IAAI,MAAM,CAAC,OAAO,CACxD,KAAK,CAAC,eAAe,CACtB,EAAE,CAAC;YACF,MAAM,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,gBAAgB,CAAC,CAAC;YAC7D,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,iBAAiB,CAC9D,UAAU,EACV,OAAO,CACR,CAAC;YACF,MAAM,UAAU,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YACvD,MAAM,KAAK,GAAY,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YAE9C,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;QAC/C,CAAC;QAED,kDAAkD;QAClD,OAAO,MAAM,CAAC,eAAe,CAAC;QAC9B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;OAOG;IACH,aAAa,CAAC,WAAqB;QACjC,MAAM,UAAU,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;QAC9C,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,MAAM,IAAI,4BAAmB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;YACnD,CAAC;QACH,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,wBAAwB;QACtB,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gCAAc,CAAC,IAAI,CAAC;IAClD,CAAC;IAED;;;;;;OAMG;IACH,mBAAmB;QACjB,OAAO;YACL,GAAG,yBAAyB;YAC5B,GAAG,IAAI,CAAC,MAAM,CAAC,wBAAwB;SACxC,CAAC;IACJ,CAAC;IAED,uEAAuE;IAEvE;;OAEG;IACK,YAAY,CAAC,SAAiB;QACpC,OAAO,CACL,yBAAyB,CAAC,QAAQ,CAAC,SAAS,CAAC;YAC7C,IAAI,CAAC,MAAM,CAAC,wBAAwB,CAAC,QAAQ,CAAC,SAAS,CAAC,CACzD,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,KAAqB,EAAE,SAAiB;QAC5D,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,KAAK,CAAC,SAAiC,CAAC,CAAC;QAClD,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,UAAU,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YACpE,OAAO,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAgC,CAAC,CAAC;QACjE,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,KAAqB,EAAE,SAAiB;QAC9D,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,cAAc,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;aAAM,IACL,KAAK,CAAC,MAAM,KAAK,CAAC;YAClB,KAAK,CAAC,CAAC,CAAC,KAAK,UAAU;YACvB,KAAK,CAAC,QAAQ,EACd,CAAC;YACD,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACnD,CAAC;IACH,CAAC;IAED;;OAEG;IACK,aAAa,CACnB,KAAqB,EACrB,SAAiB,EACjB,KAAc;QAEd,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;QACvC,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,UAAU,EAAE,CAAC;YACzD,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;gBACpB,KAAK,CAAC,QAAQ,GAAG,EAAE,CAAC;YACtB,CAAC;YACD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IAEO,kBAAkB,CAAC,IAAgB;QACzC,OAAO,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAC9C,CAAC;IAEO,kBAAkB,CAAC,MAAc;QACvC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IACvD,CAAC;CACF;AA9ND,4DA8NC"}
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Encryption-Aware Replication — enforces encryption-mode-based replication rules.
|
|
3
|
+
*
|
|
4
|
+
* - Node-specific encryption: replication is NOT allowed (other nodes cannot decrypt)
|
|
5
|
+
* - Pool-shared encryption: replication is allowed; pool key must be distributed first
|
|
6
|
+
* - None: replication is allowed with no key management needed
|
|
7
|
+
*
|
|
8
|
+
* Also handles FEC parity block encryption for node-specific mode:
|
|
9
|
+
* parity blocks must be encrypted with the same node key as data blocks.
|
|
10
|
+
*
|
|
11
|
+
* @see Requirements 17.1, 17.2, 17.3, 17.4, 17.5
|
|
12
|
+
*/
|
|
13
|
+
import type { IPoolEncryptionConfig } from '@brightchain/brightchain-lib';
|
|
14
|
+
import { EncryptionMode } from '@brightchain/brightchain-lib';
|
|
15
|
+
import { PoolEncryptionService } from './poolEncryptionService';
|
|
16
|
+
import { PoolKeyManager } from './poolKeyManager';
|
|
17
|
+
export declare class EncryptionAwareReplication {
|
|
18
|
+
private readonly config;
|
|
19
|
+
private readonly keyManager;
|
|
20
|
+
private readonly encryptionService;
|
|
21
|
+
constructor(config: IPoolEncryptionConfig, keyManager: PoolKeyManager, encryptionService: PoolEncryptionService);
|
|
22
|
+
/**
|
|
23
|
+
* Whether replication is allowed for this pool's encryption mode.
|
|
24
|
+
* Returns true for `none` and `pool-shared`, false for `node-specific`.
|
|
25
|
+
*
|
|
26
|
+
* @see Requirements 17.1, 17.2
|
|
27
|
+
*/
|
|
28
|
+
canReplicate(): boolean;
|
|
29
|
+
/**
|
|
30
|
+
* Throws ReplicationNotAllowedError if the pool uses node-specific encryption.
|
|
31
|
+
* Call before initiating any replication operation.
|
|
32
|
+
*
|
|
33
|
+
* @throws ReplicationNotAllowedError if mode is node-specific
|
|
34
|
+
* @see Requirement 17.1
|
|
35
|
+
*/
|
|
36
|
+
validateReplication(): void;
|
|
37
|
+
/**
|
|
38
|
+
* Prepare a new member to receive replicated blocks by encrypting the
|
|
39
|
+
* current pool key for them. Only valid for pool-shared mode.
|
|
40
|
+
*
|
|
41
|
+
* @param newMemberPublicKey - The new member's secp256k1 public key (33 or 65 bytes)
|
|
42
|
+
* @returns The current pool key encrypted with the new member's public key (ECIES)
|
|
43
|
+
* @throws ReplicationNotAllowedError if mode is node-specific
|
|
44
|
+
* @see Requirement 17.3
|
|
45
|
+
*/
|
|
46
|
+
prepareNewMember(newMemberPublicKey: Uint8Array): Promise<Uint8Array>;
|
|
47
|
+
/**
|
|
48
|
+
* Whether FEC parity blocks should be encrypted.
|
|
49
|
+
* True only for node-specific mode, where parity blocks must be
|
|
50
|
+
* encrypted with the same node key as data blocks.
|
|
51
|
+
*
|
|
52
|
+
* @see Requirement 17.5
|
|
53
|
+
*/
|
|
54
|
+
shouldEncryptParity(): boolean;
|
|
55
|
+
/**
|
|
56
|
+
* Encrypt a FEC parity block with the node's public key (ECIES).
|
|
57
|
+
* Only meaningful for node-specific mode.
|
|
58
|
+
*
|
|
59
|
+
* @param parityData - The raw parity block data
|
|
60
|
+
* @param nodePublicKey - The node's secp256k1 public key (33 or 65 bytes)
|
|
61
|
+
* @returns The ECIES-encrypted parity block
|
|
62
|
+
* @see Requirement 17.5
|
|
63
|
+
*/
|
|
64
|
+
encryptParityBlock(parityData: Uint8Array, nodePublicKey: Uint8Array): Promise<Uint8Array>;
|
|
65
|
+
/**
|
|
66
|
+
* Returns a summary of the replication policy for this pool.
|
|
67
|
+
*
|
|
68
|
+
* @see Requirements 17.1, 17.2, 17.3, 17.4
|
|
69
|
+
*/
|
|
70
|
+
getReplicationPolicy(): {
|
|
71
|
+
allowed: boolean;
|
|
72
|
+
mode: EncryptionMode;
|
|
73
|
+
requiresKeyDistribution: boolean;
|
|
74
|
+
};
|
|
75
|
+
}
|
|
76
|
+
//# sourceMappingURL=encryptionAwareReplication.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"encryptionAwareReplication.d.ts","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/encryptionAwareReplication.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAC;AAC1E,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAElD,qBAAa,0BAA0B;IACrC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAC/C,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAiB;IAC5C,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAwB;gBAGxD,MAAM,EAAE,qBAAqB,EAC7B,UAAU,EAAE,cAAc,EAC1B,iBAAiB,EAAE,qBAAqB;IAO1C;;;;;OAKG;IACH,YAAY,IAAI,OAAO;IAIvB;;;;;;OAMG;IACH,mBAAmB,IAAI,IAAI;IAM3B;;;;;;;;OAQG;IACG,gBAAgB,CAAC,kBAAkB,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAsC3E;;;;;;OAMG;IACH,mBAAmB,IAAI,OAAO;IAI9B;;;;;;;;OAQG;IACG,kBAAkB,CACtB,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,UAAU,GACxB,OAAO,CAAC,UAAU,CAAC;IAOtB;;;;OAIG;IACH,oBAAoB,IAAI;QACtB,OAAO,EAAE,OAAO,CAAC;QACjB,IAAI,EAAE,cAAc,CAAC;QACrB,uBAAuB,EAAE,OAAO,CAAC;KAClC;CAOF"}
|
|
@@ -0,0 +1,116 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Encryption-Aware Replication — enforces encryption-mode-based replication rules.
|
|
4
|
+
*
|
|
5
|
+
* - Node-specific encryption: replication is NOT allowed (other nodes cannot decrypt)
|
|
6
|
+
* - Pool-shared encryption: replication is allowed; pool key must be distributed first
|
|
7
|
+
* - None: replication is allowed with no key management needed
|
|
8
|
+
*
|
|
9
|
+
* Also handles FEC parity block encryption for node-specific mode:
|
|
10
|
+
* parity blocks must be encrypted with the same node key as data blocks.
|
|
11
|
+
*
|
|
12
|
+
* @see Requirements 17.1, 17.2, 17.3, 17.4, 17.5
|
|
13
|
+
*/
|
|
14
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
+
exports.EncryptionAwareReplication = void 0;
|
|
16
|
+
const brightchain_lib_1 = require("@brightchain/brightchain-lib");
|
|
17
|
+
const errors_1 = require("./errors");
|
|
18
|
+
class EncryptionAwareReplication {
|
|
19
|
+
constructor(config, keyManager, encryptionService) {
|
|
20
|
+
this.config = config;
|
|
21
|
+
this.keyManager = keyManager;
|
|
22
|
+
this.encryptionService = encryptionService;
|
|
23
|
+
}
|
|
24
|
+
/**
|
|
25
|
+
* Whether replication is allowed for this pool's encryption mode.
|
|
26
|
+
* Returns true for `none` and `pool-shared`, false for `node-specific`.
|
|
27
|
+
*
|
|
28
|
+
* @see Requirements 17.1, 17.2
|
|
29
|
+
*/
|
|
30
|
+
canReplicate() {
|
|
31
|
+
return this.config.mode !== brightchain_lib_1.EncryptionMode.NodeSpecific;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Throws ReplicationNotAllowedError if the pool uses node-specific encryption.
|
|
35
|
+
* Call before initiating any replication operation.
|
|
36
|
+
*
|
|
37
|
+
* @throws ReplicationNotAllowedError if mode is node-specific
|
|
38
|
+
* @see Requirement 17.1
|
|
39
|
+
*/
|
|
40
|
+
validateReplication() {
|
|
41
|
+
if (this.config.mode === brightchain_lib_1.EncryptionMode.NodeSpecific) {
|
|
42
|
+
throw new errors_1.ReplicationNotAllowedError(this.config.poolId);
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
/**
|
|
46
|
+
* Prepare a new member to receive replicated blocks by encrypting the
|
|
47
|
+
* current pool key for them. Only valid for pool-shared mode.
|
|
48
|
+
*
|
|
49
|
+
* @param newMemberPublicKey - The new member's secp256k1 public key (33 or 65 bytes)
|
|
50
|
+
* @returns The current pool key encrypted with the new member's public key (ECIES)
|
|
51
|
+
* @throws ReplicationNotAllowedError if mode is node-specific
|
|
52
|
+
* @see Requirement 17.3
|
|
53
|
+
*/
|
|
54
|
+
async prepareNewMember(newMemberPublicKey) {
|
|
55
|
+
if (this.config.mode === brightchain_lib_1.EncryptionMode.NodeSpecific) {
|
|
56
|
+
throw new errors_1.ReplicationNotAllowedError(this.config.poolId);
|
|
57
|
+
}
|
|
58
|
+
if (this.config.mode === brightchain_lib_1.EncryptionMode.None) {
|
|
59
|
+
// No key distribution needed for unencrypted pools;
|
|
60
|
+
// return empty array as a no-op signal
|
|
61
|
+
return new Uint8Array(0);
|
|
62
|
+
}
|
|
63
|
+
// Pool-shared: encrypt the current pool key for the new member
|
|
64
|
+
// We need to get the raw pool key from the current key version,
|
|
65
|
+
// then re-encrypt it for the new member via ECIES.
|
|
66
|
+
const currentVersion = this.config.keyVersions.find((kv) => kv.version === this.config.currentKeyVersion);
|
|
67
|
+
if (!currentVersion ||
|
|
68
|
+
!currentVersion.encryptedKeys ||
|
|
69
|
+
currentVersion.encryptedKeys.length === 0) {
|
|
70
|
+
// No key material available — pool key hasn't been initialized
|
|
71
|
+
return new Uint8Array(0);
|
|
72
|
+
}
|
|
73
|
+
// Encrypt the pool key for the new member using ECIES
|
|
74
|
+
// We use encryptKeyForMember which wraps encryptNodeSpecific
|
|
75
|
+
// The caller is responsible for having the raw pool key available;
|
|
76
|
+
// here we re-encrypt the first member's encrypted key material
|
|
77
|
+
// as a proxy. In practice, the caller would pass the decrypted key.
|
|
78
|
+
return this.encryptionService.encryptKeyForMember(currentVersion.encryptedKeys[0].encryptedKey, newMemberPublicKey);
|
|
79
|
+
}
|
|
80
|
+
/**
|
|
81
|
+
* Whether FEC parity blocks should be encrypted.
|
|
82
|
+
* True only for node-specific mode, where parity blocks must be
|
|
83
|
+
* encrypted with the same node key as data blocks.
|
|
84
|
+
*
|
|
85
|
+
* @see Requirement 17.5
|
|
86
|
+
*/
|
|
87
|
+
shouldEncryptParity() {
|
|
88
|
+
return this.config.mode === brightchain_lib_1.EncryptionMode.NodeSpecific;
|
|
89
|
+
}
|
|
90
|
+
/**
|
|
91
|
+
* Encrypt a FEC parity block with the node's public key (ECIES).
|
|
92
|
+
* Only meaningful for node-specific mode.
|
|
93
|
+
*
|
|
94
|
+
* @param parityData - The raw parity block data
|
|
95
|
+
* @param nodePublicKey - The node's secp256k1 public key (33 or 65 bytes)
|
|
96
|
+
* @returns The ECIES-encrypted parity block
|
|
97
|
+
* @see Requirement 17.5
|
|
98
|
+
*/
|
|
99
|
+
async encryptParityBlock(parityData, nodePublicKey) {
|
|
100
|
+
return this.encryptionService.encryptNodeSpecific(parityData, nodePublicKey);
|
|
101
|
+
}
|
|
102
|
+
/**
|
|
103
|
+
* Returns a summary of the replication policy for this pool.
|
|
104
|
+
*
|
|
105
|
+
* @see Requirements 17.1, 17.2, 17.3, 17.4
|
|
106
|
+
*/
|
|
107
|
+
getReplicationPolicy() {
|
|
108
|
+
return {
|
|
109
|
+
allowed: this.canReplicate(),
|
|
110
|
+
mode: this.config.mode,
|
|
111
|
+
requiresKeyDistribution: this.config.mode === brightchain_lib_1.EncryptionMode.PoolShared,
|
|
112
|
+
};
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
exports.EncryptionAwareReplication = EncryptionAwareReplication;
|
|
116
|
+
//# sourceMappingURL=encryptionAwareReplication.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"encryptionAwareReplication.js","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/encryptionAwareReplication.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAGH,kEAA8D;AAC9D,qCAAsD;AAItD,MAAa,0BAA0B;IAKrC,YACE,MAA6B,EAC7B,UAA0B,EAC1B,iBAAwC;QAExC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;QAC7B,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;IAC7C,CAAC;IAED;;;;;OAKG;IACH,YAAY;QACV,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gCAAc,CAAC,YAAY,CAAC;IAC1D,CAAC;IAED;;;;;;OAMG;IACH,mBAAmB;QACjB,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gCAAc,CAAC,YAAY,EAAE,CAAC;YACrD,MAAM,IAAI,mCAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,gBAAgB,CAAC,kBAA8B;QACnD,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gCAAc,CAAC,YAAY,EAAE,CAAC;YACrD,MAAM,IAAI,mCAA0B,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAC3D,CAAC;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gCAAc,CAAC,IAAI,EAAE,CAAC;YAC7C,oDAAoD;YACpD,uCAAuC;YACvC,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,+DAA+D;QAC/D,gEAAgE;QAChE,mDAAmD;QACnD,MAAM,cAAc,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CACjD,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,OAAO,KAAK,IAAI,CAAC,MAAM,CAAC,iBAAiB,CACrD,CAAC;QAEF,IACE,CAAC,cAAc;YACf,CAAC,cAAc,CAAC,aAAa;YAC7B,cAAc,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EACzC,CAAC;YACD,+DAA+D;YAC/D,OAAO,IAAI,UAAU,CAAC,CAAC,CAAC,CAAC;QAC3B,CAAC;QAED,sDAAsD;QACtD,6DAA6D;QAC7D,mEAAmE;QACnE,+DAA+D;QAC/D,oEAAoE;QACpE,OAAO,IAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAC/C,cAAc,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,YAAY,EAC5C,kBAAkB,CACnB,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,mBAAmB;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gCAAc,CAAC,YAAY,CAAC;IAC1D,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,kBAAkB,CACtB,UAAsB,EACtB,aAAyB;QAEzB,OAAO,IAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAC/C,UAAU,EACV,aAAa,CACd,CAAC;IACJ,CAAC;IAED;;;;OAIG;IACH,oBAAoB;QAKlB,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE;YAC5B,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI;YACtB,uBAAuB,EAAE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gCAAc,CAAC,UAAU;SACxE,CAAC;IACJ,CAAC;CACF;AAnID,gEAmIC"}
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Custom error types for pool encryption operations.
|
|
3
|
+
*
|
|
4
|
+
* @see Requirements 14.2, 14.3, 14.5
|
|
5
|
+
*/
|
|
6
|
+
/**
|
|
7
|
+
* Thrown when an encryption operation fails.
|
|
8
|
+
*/
|
|
9
|
+
export declare class EncryptionError extends Error {
|
|
10
|
+
readonly cause?: Error;
|
|
11
|
+
constructor(message: string, cause?: unknown);
|
|
12
|
+
}
|
|
13
|
+
/**
|
|
14
|
+
* Thrown when a decryption operation fails (wrong key, corrupted data, etc.).
|
|
15
|
+
*/
|
|
16
|
+
export declare class DecryptionError extends Error {
|
|
17
|
+
readonly cause?: Error;
|
|
18
|
+
constructor(message: string, cause?: unknown);
|
|
19
|
+
}
|
|
20
|
+
/**
|
|
21
|
+
* Thrown when a requested key version does not exist in the key history.
|
|
22
|
+
*/
|
|
23
|
+
export declare class KeyVersionNotFoundError extends Error {
|
|
24
|
+
constructor(version: number);
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Thrown when a query targets an encrypted (non-searchable) metadata field.
|
|
28
|
+
*
|
|
29
|
+
* @see Requirement 16.5
|
|
30
|
+
*/
|
|
31
|
+
export declare class EncryptedFieldError extends Error {
|
|
32
|
+
/** The field name that was queried but is encrypted */
|
|
33
|
+
readonly fieldName: string;
|
|
34
|
+
/** The pool's searchable metadata fields for reference */
|
|
35
|
+
readonly searchableFields: string[];
|
|
36
|
+
constructor(fieldName: string, searchableFields: string[]);
|
|
37
|
+
}
|
|
38
|
+
/**
|
|
39
|
+
* Thrown when replication is attempted on a pool with node-specific encryption,
|
|
40
|
+
* which does not support replication because other nodes cannot decrypt the data.
|
|
41
|
+
*
|
|
42
|
+
* @see Requirement 17.1
|
|
43
|
+
*/
|
|
44
|
+
export declare class ReplicationNotAllowedError extends Error {
|
|
45
|
+
/** The pool ID where replication was attempted */
|
|
46
|
+
readonly poolId: string;
|
|
47
|
+
constructor(poolId: string);
|
|
48
|
+
}
|
|
49
|
+
//# sourceMappingURL=errors.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;GAEG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IACxC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC;gBAEX,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;CAQ7C;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,KAAK;IACxC,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC;gBAEX,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;CAQ7C;AAED;;GAEG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;gBACpC,OAAO,EAAE,MAAM;CAK5B;AAED;;;;GAIG;AACH,qBAAa,mBAAoB,SAAQ,KAAK;IAC5C,uDAAuD;IACvD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,0DAA0D;IAC1D,QAAQ,CAAC,gBAAgB,EAAE,MAAM,EAAE,CAAC;gBAExB,SAAS,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE;CAU1D;AAED;;;;;GAKG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;IACnD,kDAAkD;IAClD,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;gBAEZ,MAAM,EAAE,MAAM;CAS3B"}
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Custom error types for pool encryption operations.
|
|
4
|
+
*
|
|
5
|
+
* @see Requirements 14.2, 14.3, 14.5
|
|
6
|
+
*/
|
|
7
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
8
|
+
exports.ReplicationNotAllowedError = exports.EncryptedFieldError = exports.KeyVersionNotFoundError = exports.DecryptionError = exports.EncryptionError = void 0;
|
|
9
|
+
/**
|
|
10
|
+
* Thrown when an encryption operation fails.
|
|
11
|
+
*/
|
|
12
|
+
class EncryptionError extends Error {
|
|
13
|
+
constructor(message, cause) {
|
|
14
|
+
super(message);
|
|
15
|
+
this.name = 'EncryptionError';
|
|
16
|
+
if (cause instanceof Error) {
|
|
17
|
+
this.cause = cause;
|
|
18
|
+
}
|
|
19
|
+
Object.setPrototypeOf(this, new.target.prototype);
|
|
20
|
+
}
|
|
21
|
+
}
|
|
22
|
+
exports.EncryptionError = EncryptionError;
|
|
23
|
+
/**
|
|
24
|
+
* Thrown when a decryption operation fails (wrong key, corrupted data, etc.).
|
|
25
|
+
*/
|
|
26
|
+
class DecryptionError extends Error {
|
|
27
|
+
constructor(message, cause) {
|
|
28
|
+
super(message);
|
|
29
|
+
this.name = 'DecryptionError';
|
|
30
|
+
if (cause instanceof Error) {
|
|
31
|
+
this.cause = cause;
|
|
32
|
+
}
|
|
33
|
+
Object.setPrototypeOf(this, new.target.prototype);
|
|
34
|
+
}
|
|
35
|
+
}
|
|
36
|
+
exports.DecryptionError = DecryptionError;
|
|
37
|
+
/**
|
|
38
|
+
* Thrown when a requested key version does not exist in the key history.
|
|
39
|
+
*/
|
|
40
|
+
class KeyVersionNotFoundError extends Error {
|
|
41
|
+
constructor(version) {
|
|
42
|
+
super(`Key version ${version} not found in key history`);
|
|
43
|
+
this.name = 'KeyVersionNotFoundError';
|
|
44
|
+
Object.setPrototypeOf(this, new.target.prototype);
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
exports.KeyVersionNotFoundError = KeyVersionNotFoundError;
|
|
48
|
+
/**
|
|
49
|
+
* Thrown when a query targets an encrypted (non-searchable) metadata field.
|
|
50
|
+
*
|
|
51
|
+
* @see Requirement 16.5
|
|
52
|
+
*/
|
|
53
|
+
class EncryptedFieldError extends Error {
|
|
54
|
+
constructor(fieldName, searchableFields) {
|
|
55
|
+
super(`Field "${fieldName}" is encrypted and not searchable in the current pool configuration. ` +
|
|
56
|
+
`Searchable fields: ${searchableFields.join(', ')}`);
|
|
57
|
+
this.name = 'EncryptedFieldError';
|
|
58
|
+
this.fieldName = fieldName;
|
|
59
|
+
this.searchableFields = searchableFields;
|
|
60
|
+
Object.setPrototypeOf(this, new.target.prototype);
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
exports.EncryptedFieldError = EncryptedFieldError;
|
|
64
|
+
/**
|
|
65
|
+
* Thrown when replication is attempted on a pool with node-specific encryption,
|
|
66
|
+
* which does not support replication because other nodes cannot decrypt the data.
|
|
67
|
+
*
|
|
68
|
+
* @see Requirement 17.1
|
|
69
|
+
*/
|
|
70
|
+
class ReplicationNotAllowedError extends Error {
|
|
71
|
+
constructor(poolId) {
|
|
72
|
+
super(`Replication is not allowed for pool "${poolId}" because it uses node-specific encryption. ` +
|
|
73
|
+
`Other nodes cannot decrypt node-specific encrypted blocks.`);
|
|
74
|
+
this.name = 'ReplicationNotAllowedError';
|
|
75
|
+
this.poolId = poolId;
|
|
76
|
+
Object.setPrototypeOf(this, new.target.prototype);
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
exports.ReplicationNotAllowedError = ReplicationNotAllowedError;
|
|
80
|
+
//# sourceMappingURL=errors.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/errors.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAEH;;GAEG;AACH,MAAa,eAAgB,SAAQ,KAAK;IAGxC,YAAY,OAAe,EAAE,KAAe;QAC1C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;QAC9B,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACrB,CAAC;QACD,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAXD,0CAWC;AAED;;GAEG;AACH,MAAa,eAAgB,SAAQ,KAAK;IAGxC,YAAY,OAAe,EAAE,KAAe;QAC1C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;QAC9B,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACrB,CAAC;QACD,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAXD,0CAWC;AAED;;GAEG;AACH,MAAa,uBAAwB,SAAQ,KAAK;IAChD,YAAY,OAAe;QACzB,KAAK,CAAC,eAAe,OAAO,2BAA2B,CAAC,CAAC;QACzD,IAAI,CAAC,IAAI,GAAG,yBAAyB,CAAC;QACtC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAND,0DAMC;AAED;;;;GAIG;AACH,MAAa,mBAAoB,SAAQ,KAAK;IAM5C,YAAY,SAAiB,EAAE,gBAA0B;QACvD,KAAK,CACH,UAAU,SAAS,uEAAuE;YACxF,sBAAsB,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACtD,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,qBAAqB,CAAC;QAClC,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;QAC3B,IAAI,CAAC,gBAAgB,GAAG,gBAAgB,CAAC;QACzC,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAhBD,kDAgBC;AAED;;;;;GAKG;AACH,MAAa,0BAA2B,SAAQ,KAAK;IAInD,YAAY,MAAc;QACxB,KAAK,CACH,wCAAwC,MAAM,8CAA8C;YAC1F,4DAA4D,CAC/D,CAAC;QACF,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;QACzC,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAbD,gEAaC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/index.ts"],"names":[],"mappings":"AAAA,cAAc,4BAA4B,CAAC;AAC3C,cAAc,8BAA8B,CAAC;AAC7C,cAAc,UAAU,CAAC;AACzB,cAAc,yBAAyB,CAAC;AACxC,cAAc,kBAAkB,CAAC"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
const tslib_1 = require("tslib");
|
|
4
|
+
tslib_1.__exportStar(require("./encryptedMetadataService"), exports);
|
|
5
|
+
tslib_1.__exportStar(require("./encryptionAwareReplication"), exports);
|
|
6
|
+
tslib_1.__exportStar(require("./errors"), exports);
|
|
7
|
+
tslib_1.__exportStar(require("./poolEncryptionService"), exports);
|
|
8
|
+
tslib_1.__exportStar(require("./poolKeyManager"), exports);
|
|
9
|
+
//# sourceMappingURL=index.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/index.ts"],"names":[],"mappings":";;;AAAA,qEAA2C;AAC3C,uEAA6C;AAC7C,mDAAyB;AACzB,kEAAwC;AACxC,2DAAiC"}
|