@brightchain/brightchain-api-lib 0.14.0 → 0.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +5 -5
- package/src/index.d.ts +3 -0
- package/src/index.d.ts.map +1 -1
- package/src/index.js +5 -0
- package/src/index.js.map +1 -1
- package/src/lib/application.d.ts +1 -0
- package/src/lib/application.d.ts.map +1 -1
- package/src/lib/application.js +23 -0
- package/src/lib/application.js.map +1 -1
- package/src/lib/auth/aclEnforcedAvailability.d.ts +57 -0
- package/src/lib/auth/aclEnforcedAvailability.d.ts.map +1 -0
- package/src/lib/auth/aclEnforcedAvailability.js +87 -0
- package/src/lib/auth/aclEnforcedAvailability.js.map +1 -0
- package/src/lib/auth/aclEnforcedBlockStore.d.ts +66 -0
- package/src/lib/auth/aclEnforcedBlockStore.d.ts.map +1 -0
- package/src/lib/auth/aclEnforcedBlockStore.js +83 -0
- package/src/lib/auth/aclEnforcedBlockStore.js.map +1 -0
- package/src/lib/auth/ecdsaNodeAuthenticator.d.ts +46 -0
- package/src/lib/auth/ecdsaNodeAuthenticator.d.ts.map +1 -0
- package/src/lib/auth/ecdsaNodeAuthenticator.js +110 -0
- package/src/lib/auth/ecdsaNodeAuthenticator.js.map +1 -0
- package/src/lib/auth/index.d.ts +7 -0
- package/src/lib/auth/index.d.ts.map +1 -0
- package/src/lib/auth/index.js +13 -0
- package/src/lib/auth/index.js.map +1 -0
- package/src/lib/auth/poolAclBootstrap.d.ts +36 -0
- package/src/lib/auth/poolAclBootstrap.d.ts.map +1 -0
- package/src/lib/auth/poolAclBootstrap.js +64 -0
- package/src/lib/auth/poolAclBootstrap.js.map +1 -0
- package/src/lib/auth/poolAclStore.d.ts +77 -0
- package/src/lib/auth/poolAclStore.d.ts.map +1 -0
- package/src/lib/auth/poolAclStore.js +189 -0
- package/src/lib/auth/poolAclStore.js.map +1 -0
- package/src/lib/auth/poolAclUpdater.d.ts +79 -0
- package/src/lib/auth/poolAclUpdater.d.ts.map +1 -0
- package/src/lib/auth/poolAclUpdater.js +144 -0
- package/src/lib/auth/poolAclUpdater.js.map +1 -0
- package/src/lib/availability/availabilityService.d.ts +2 -2
- package/src/lib/availability/availabilityService.d.ts.map +1 -1
- package/src/lib/availability/availabilityService.js +12 -5
- package/src/lib/availability/availabilityService.js.map +1 -1
- package/src/lib/availability/blockRegistry.d.ts +45 -3
- package/src/lib/availability/blockRegistry.d.ts.map +1 -1
- package/src/lib/availability/blockRegistry.js +123 -5
- package/src/lib/availability/blockRegistry.js.map +1 -1
- package/src/lib/availability/discoveryProtocol.d.ts +30 -1
- package/src/lib/availability/discoveryProtocol.d.ts.map +1 -1
- package/src/lib/availability/discoveryProtocol.js +76 -0
- package/src/lib/availability/discoveryProtocol.js.map +1 -1
- package/src/lib/availability/gossipService.d.ts +45 -6
- package/src/lib/availability/gossipService.d.ts.map +1 -1
- package/src/lib/availability/gossipService.js +177 -5
- package/src/lib/availability/gossipService.js.map +1 -1
- package/src/lib/availability/reconciliationService.d.ts +88 -1
- package/src/lib/availability/reconciliationService.d.ts.map +1 -1
- package/src/lib/availability/reconciliationService.js +246 -48
- package/src/lib/availability/reconciliationService.js.map +1 -1
- package/src/lib/blockFetch/blockFetcher.d.ts +100 -0
- package/src/lib/blockFetch/blockFetcher.d.ts.map +1 -0
- package/src/lib/blockFetch/blockFetcher.js +279 -0
- package/src/lib/blockFetch/blockFetcher.js.map +1 -0
- package/src/lib/blockFetch/fetchQueue.d.ts +88 -0
- package/src/lib/blockFetch/fetchQueue.d.ts.map +1 -0
- package/src/lib/blockFetch/fetchQueue.js +204 -0
- package/src/lib/blockFetch/fetchQueue.js.map +1 -0
- package/src/lib/blockFetch/httpBlockFetchTransport.d.ts +65 -0
- package/src/lib/blockFetch/httpBlockFetchTransport.d.ts.map +1 -0
- package/src/lib/blockFetch/httpBlockFetchTransport.js +104 -0
- package/src/lib/blockFetch/httpBlockFetchTransport.js.map +1 -0
- package/src/lib/blockFetch/index.d.ts +10 -0
- package/src/lib/blockFetch/index.d.ts.map +1 -0
- package/src/lib/blockFetch/index.js +13 -0
- package/src/lib/blockFetch/index.js.map +1 -0
- package/src/lib/controllers/api/brightpass.d.ts +72 -0
- package/src/lib/controllers/api/brightpass.d.ts.map +1 -0
- package/src/lib/controllers/api/brightpass.js +577 -0
- package/src/lib/controllers/api/brightpass.js.map +1 -0
- package/src/lib/controllers/api/channels.d.ts +122 -0
- package/src/lib/controllers/api/channels.d.ts.map +1 -0
- package/src/lib/controllers/api/channels.js +701 -0
- package/src/lib/controllers/api/channels.js.map +1 -0
- package/src/lib/controllers/api/conversations.d.ts +89 -0
- package/src/lib/controllers/api/conversations.d.ts.map +1 -0
- package/src/lib/controllers/api/conversations.js +259 -0
- package/src/lib/controllers/api/conversations.js.map +1 -0
- package/src/lib/controllers/api/emails.d.ts +122 -0
- package/src/lib/controllers/api/emails.d.ts.map +1 -0
- package/src/lib/controllers/api/emails.js +494 -0
- package/src/lib/controllers/api/emails.js.map +1 -0
- package/src/lib/controllers/api/explodingMessages.d.ts +79 -0
- package/src/lib/controllers/api/explodingMessages.d.ts.map +1 -0
- package/src/lib/controllers/api/explodingMessages.js +378 -0
- package/src/lib/controllers/api/explodingMessages.js.map +1 -0
- package/src/lib/controllers/api/groups.d.ts +94 -0
- package/src/lib/controllers/api/groups.d.ts.map +1 -0
- package/src/lib/controllers/api/groups.js +484 -0
- package/src/lib/controllers/api/groups.js.map +1 -0
- package/src/lib/controllers/api/index.d.ts +6 -0
- package/src/lib/controllers/api/index.d.ts.map +1 -1
- package/src/lib/controllers/api/index.js +6 -0
- package/src/lib/controllers/api/index.js.map +1 -1
- package/src/lib/controllers/api/messages.d.ts.map +1 -1
- package/src/lib/controllers/api/messages.js +2 -1
- package/src/lib/controllers/api/messages.js.map +1 -1
- package/src/lib/controllers/api/sync.d.ts +38 -2
- package/src/lib/controllers/api/sync.d.ts.map +1 -1
- package/src/lib/controllers/api/sync.js +89 -0
- package/src/lib/controllers/api/sync.js.map +1 -1
- package/src/lib/controllers/crypto/gitController.d.ts +70 -0
- package/src/lib/controllers/crypto/gitController.d.ts.map +1 -0
- package/src/lib/controllers/crypto/gitController.js +306 -0
- package/src/lib/controllers/crypto/gitController.js.map +1 -0
- package/src/lib/controllers/crypto/index.d.ts +3 -0
- package/src/lib/controllers/crypto/index.d.ts.map +1 -0
- package/src/lib/controllers/crypto/index.js +6 -0
- package/src/lib/controllers/crypto/index.js.map +1 -0
- package/src/lib/controllers/crypto/walletController.d.ts +64 -0
- package/src/lib/controllers/crypto/walletController.d.ts.map +1 -0
- package/src/lib/controllers/crypto/walletController.js +260 -0
- package/src/lib/controllers/crypto/walletController.js.map +1 -0
- package/src/lib/controllers/identity/deviceController.d.ts +96 -0
- package/src/lib/controllers/identity/deviceController.d.ts.map +1 -0
- package/src/lib/controllers/identity/deviceController.js +355 -0
- package/src/lib/controllers/identity/deviceController.js.map +1 -0
- package/src/lib/controllers/identity/directoryController.d.ts +75 -0
- package/src/lib/controllers/identity/directoryController.d.ts.map +1 -0
- package/src/lib/controllers/identity/directoryController.js +288 -0
- package/src/lib/controllers/identity/directoryController.js.map +1 -0
- package/src/lib/controllers/identity/identityProofController.d.ts +94 -0
- package/src/lib/controllers/identity/identityProofController.d.ts.map +1 -0
- package/src/lib/controllers/identity/identityProofController.js +454 -0
- package/src/lib/controllers/identity/identityProofController.js.map +1 -0
- package/src/lib/controllers/identity/index.d.ts +4 -0
- package/src/lib/controllers/identity/index.d.ts.map +1 -0
- package/src/lib/controllers/identity/index.js +7 -0
- package/src/lib/controllers/identity/index.js.map +1 -0
- package/src/lib/controllers/index.d.ts +2 -0
- package/src/lib/controllers/index.d.ts.map +1 -1
- package/src/lib/controllers/index.js +2 -0
- package/src/lib/controllers/index.js.map +1 -1
- package/src/lib/encryption/encryptedMetadataService.d.ts +87 -0
- package/src/lib/encryption/encryptedMetadataService.d.ts.map +1 -0
- package/src/lib/encryption/encryptedMetadataService.js +224 -0
- package/src/lib/encryption/encryptedMetadataService.js.map +1 -0
- package/src/lib/encryption/encryptionAwareReplication.d.ts +76 -0
- package/src/lib/encryption/encryptionAwareReplication.d.ts.map +1 -0
- package/src/lib/encryption/encryptionAwareReplication.js +116 -0
- package/src/lib/encryption/encryptionAwareReplication.js.map +1 -0
- package/src/lib/encryption/errors.d.ts +49 -0
- package/src/lib/encryption/errors.d.ts.map +1 -0
- package/src/lib/encryption/errors.js +80 -0
- package/src/lib/encryption/errors.js.map +1 -0
- package/src/lib/encryption/index.d.ts +6 -0
- package/src/lib/encryption/index.d.ts.map +1 -0
- package/src/lib/encryption/index.js +9 -0
- package/src/lib/encryption/index.js.map +1 -0
- package/src/lib/encryption/poolEncryptionService.d.ts +94 -0
- package/src/lib/encryption/poolEncryptionService.d.ts.map +1 -0
- package/src/lib/encryption/poolEncryptionService.js +252 -0
- package/src/lib/encryption/poolEncryptionService.js.map +1 -0
- package/src/lib/encryption/poolKeyManager.d.ts +82 -0
- package/src/lib/encryption/poolKeyManager.d.ts.map +1 -0
- package/src/lib/encryption/poolKeyManager.js +156 -0
- package/src/lib/encryption/poolKeyManager.js.map +1 -0
- package/src/lib/environment.d.ts +3 -0
- package/src/lib/environment.d.ts.map +1 -1
- package/src/lib/environment.js +5 -0
- package/src/lib/environment.js.map +1 -1
- package/src/lib/interfaces/environment.d.ts +7 -1
- package/src/lib/interfaces/environment.d.ts.map +1 -1
- package/src/lib/interfaces/index.d.ts +0 -1
- package/src/lib/interfaces/index.d.ts.map +1 -1
- package/src/lib/interfaces/requests/getBlockDataRequest.d.ts +12 -0
- package/src/lib/interfaces/requests/getBlockDataRequest.d.ts.map +1 -0
- package/src/lib/interfaces/{blockStore.js → requests/getBlockDataRequest.js} +1 -1
- package/src/lib/interfaces/requests/getBlockDataRequest.js.map +1 -0
- package/src/lib/interfaces/requests/index.d.ts +1 -0
- package/src/lib/interfaces/requests/index.d.ts.map +1 -1
- package/src/lib/routers/api.d.ts +54 -1
- package/src/lib/routers/api.d.ts.map +1 -1
- package/src/lib/routers/api.js +77 -0
- package/src/lib/routers/api.js.map +1 -1
- package/src/lib/services/blockStore.d.ts +5 -2
- package/src/lib/services/blockStore.d.ts.map +1 -1
- package/src/lib/services/blockStore.js +4 -0
- package/src/lib/services/blockStore.js.map +1 -1
- package/src/lib/services/brightpass/auditLogger.d.ts +77 -0
- package/src/lib/services/brightpass/auditLogger.d.ts.map +1 -0
- package/src/lib/services/brightpass/auditLogger.js +184 -0
- package/src/lib/services/brightpass/auditLogger.js.map +1 -0
- package/src/lib/services/brightpass/vaultEncryption.d.ts +82 -0
- package/src/lib/services/brightpass/vaultEncryption.d.ts.map +1 -0
- package/src/lib/services/brightpass/vaultEncryption.js +144 -0
- package/src/lib/services/brightpass/vaultEncryption.js.map +1 -0
- package/src/lib/services/brightpass.d.ts +294 -0
- package/src/lib/services/brightpass.d.ts.map +1 -0
- package/src/lib/services/brightpass.js +1260 -0
- package/src/lib/services/brightpass.js.map +1 -0
- package/src/lib/services/eventNotificationSystem.d.ts +69 -3
- package/src/lib/services/eventNotificationSystem.d.ts.map +1 -1
- package/src/lib/services/eventNotificationSystem.js +200 -0
- package/src/lib/services/eventNotificationSystem.js.map +1 -1
- package/src/lib/services/expirationScheduler.d.ts +90 -0
- package/src/lib/services/expirationScheduler.d.ts.map +1 -0
- package/src/lib/services/expirationScheduler.js +131 -0
- package/src/lib/services/expirationScheduler.js.map +1 -0
- package/src/lib/services/fecUsageExample.d.ts +2 -2
- package/src/lib/services/index.d.ts +2 -0
- package/src/lib/services/index.d.ts.map +1 -1
- package/src/lib/services/index.js +2 -0
- package/src/lib/services/index.js.map +1 -1
- package/src/lib/services/paginationService.d.ts +18 -0
- package/src/lib/services/paginationService.d.ts.map +1 -0
- package/src/lib/services/paginationService.js +32 -0
- package/src/lib/services/paginationService.js.map +1 -0
- package/src/lib/services/presenceService.d.ts +76 -0
- package/src/lib/services/presenceService.d.ts.map +1 -0
- package/src/lib/services/presenceService.js +143 -0
- package/src/lib/services/presenceService.js.map +1 -0
- package/src/lib/services/wireConversationPromotion.d.ts +23 -0
- package/src/lib/services/wireConversationPromotion.d.ts.map +1 -0
- package/src/lib/services/wireConversationPromotion.js +26 -0
- package/src/lib/services/wireConversationPromotion.js.map +1 -0
- package/src/lib/stores/availabilityAwareBlockStore.d.ts +115 -10
- package/src/lib/stores/availabilityAwareBlockStore.d.ts.map +1 -1
- package/src/lib/stores/availabilityAwareBlockStore.js +267 -23
- package/src/lib/stores/availabilityAwareBlockStore.js.map +1 -1
- package/src/lib/stores/diskBlockAsyncStore.d.ts +81 -2
- package/src/lib/stores/diskBlockAsyncStore.d.ts.map +1 -1
- package/src/lib/stores/diskBlockAsyncStore.js +297 -10
- package/src/lib/stores/diskBlockAsyncStore.js.map +1 -1
- package/src/lib/utils/communicationValidation.d.ts +44 -0
- package/src/lib/utils/communicationValidation.d.ts.map +1 -0
- package/src/lib/utils/communicationValidation.js +291 -0
- package/src/lib/utils/communicationValidation.js.map +1 -0
- package/src/lib/utils/emailValidation.d.ts +19 -0
- package/src/lib/utils/emailValidation.d.ts.map +1 -0
- package/src/lib/utils/emailValidation.js +232 -0
- package/src/lib/utils/emailValidation.js.map +1 -0
- package/src/lib/interfaces/blockStore.d.ts +0 -7
- package/src/lib/interfaces/blockStore.d.ts.map +0 -1
- package/src/lib/interfaces/blockStore.js.map +0 -1
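--- a/package/src/lib/encryption/poolEncryptionService.d.ts
+++ b/package/src/lib/encryption/poolEncryptionService.d.ts
@@ -0,0 +1,94 @@
+/**
+* Pool Encryption Service — Node.js implementation of pool-level encryption.
+*
+* Supports two encryption modes:
+* - Node-specific: ECIES encrypt/decrypt using the node's secp256k1 key pair
+* - Pool-shared: AES-256-GCM with a shared symmetric key, distributed per-member via ECIES
+*
+* Block IDs are computed from ciphertext (not plaintext) so Bloom filters
+* and block lookups work correctly on encrypted pools.
+*
+* ECIES scheme:
+* 1. Generate ephemeral secp256k1 key pair
+* 2. Derive shared secret via ECDH with recipient's public key
+* 3. Derive AES-256 key from shared secret using HKDF-SHA256
+* 4. Encrypt with AES-256-GCM (random 12-byte IV)
+* 5. Output: ephemeral public key (33 bytes) + IV (12 bytes) + auth tag (16 bytes) + ciphertext
+*
+* @see Requirements 14.2, 14.3, 14.5
+*/
+export declare class PoolEncryptionService {
+/**
+* Encrypt data using ECIES with the recipient's secp256k1 public key.
+*
+* @param data - Plaintext data to encrypt
+* @param publicKey - Recipient's secp256k1 public key (33 or 65 bytes)
+* @returns Ciphertext: ephemeralPubKey (33) + IV (12) + authTag (16) + encrypted data
+*/
+encryptNodeSpecific(data: Uint8Array, publicKey: Uint8Array): Promise<Uint8Array>;
+/**
+* Decrypt ECIES-encrypted data using the recipient's secp256k1 private key.
+*
+* @param ciphertext - Output from encryptNodeSpecific
+* @param privateKey - Recipient's raw 32-byte secp256k1 private key
+* @returns Decrypted plaintext
+*/
+decryptNodeSpecific(ciphertext: Uint8Array, privateKey: Uint8Array): Promise<Uint8Array>;
+/**
+* Encrypt data using AES-256-GCM with the shared pool key.
+*
+* @param data - Plaintext data to encrypt
+* @param sharedKey - 32-byte (256-bit) symmetric pool key
+* @returns Ciphertext: IV (12 bytes) + authTag (16 bytes) + encrypted data
+*/
+encryptPoolShared(data: Uint8Array, sharedKey: Uint8Array): Promise<Uint8Array>;
+/**
+* Decrypt AES-256-GCM-encrypted data using the shared pool key.
+*
+* @param ciphertext - Output from encryptPoolShared
+* @param sharedKey - 32-byte (256-bit) symmetric pool key
+* @returns Decrypted plaintext
+*/
+decryptPoolShared(ciphertext: Uint8Array, sharedKey: Uint8Array): Promise<Uint8Array>;
+/**
+* Compute a block ID from ciphertext using SHA-256.
+* Per Requirement 14.5, block IDs are hashes of encrypted data, not plaintext.
+*
+* @param ciphertext - Encrypted block data
+* @returns Hex-encoded SHA-256 hash
+*/
+computeBlockId(ciphertext: Uint8Array): string;
+/**
+* Generate a random 256-bit symmetric key for pool-shared encryption.
+*
+* @returns 32-byte random key
+*/
+generatePoolKey(): Uint8Array;
+/**
+* Encrypt a pool key for a specific member using ECIES.
+* Used during key distribution for pool-shared encryption.
+*
+* @param poolKey - The 32-byte symmetric pool key
+* @param memberPublicKey - Member's secp256k1 public key (33 or 65 bytes)
+* @returns ECIES-encrypted pool key
+*/
+encryptKeyForMember(poolKey: Uint8Array, memberPublicKey: Uint8Array): Promise<Uint8Array>;
+/**
+* Decrypt a pool key that was encrypted for this member.
+*
+* @param encryptedKey - ECIES-encrypted pool key (from encryptKeyForMember)
+* @param memberPrivateKey - Member's raw 32-byte secp256k1 private key
+* @returns The 32-byte symmetric pool key
+*/
+decryptKeyForMember(encryptedKey: Uint8Array, memberPrivateKey: Uint8Array): Promise<Uint8Array>;
+/**
+* Derive a 256-bit AES key from a shared secret using HKDF-SHA256.
+*/
+private hkdfDeriveKey;
+/**
+* Ensure a secp256k1 public key is in uncompressed (65-byte) format.
+* Accepts compressed (33 bytes) or uncompressed (65 bytes) input.
+*/
+private ensureUncompressed;
+}
+//# sourceMappingURL=poolEncryptionService.d.ts.map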
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"poolEncryptionService.d.ts","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/poolEncryptionService.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAYH,qBAAa,qBAAqB;IAGhC;;;;;;OAMG;IACG,mBAAmB,CACvB,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,UAAU,CAAC;IAiDtB;;;;;;OAMG;IACG,mBAAmB,CACvB,UAAU,EAAE,UAAU,EACtB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,UAAU,CAAC;IAsDtB;;;;;;OAMG;IACG,iBAAiB,CACrB,IAAI,EAAE,UAAU,EAChB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,UAAU,CAAC;IAmCtB;;;;;;OAMG;IACG,iBAAiB,CACrB,UAAU,EAAE,UAAU,EACtB,SAAS,EAAE,UAAU,GACpB,OAAO,CAAC,UAAU,CAAC;IAwCtB;;;;;;OAMG;IACH,cAAc,CAAC,UAAU,EAAE,UAAU,GAAG,MAAM;IAO9C;;;;OAIG;IACH,eAAe,IAAI,UAAU;IAI7B;;;;;;;OAOG;IACG,mBAAmB,CACvB,OAAO,EAAE,UAAU,EACnB,eAAe,EAAE,UAAU,GAC1B,OAAO,CAAC,UAAU,CAAC;IAItB;;;;;;OAMG;IACG,mBAAmB,CACvB,YAAY,EAAE,UAAU,EACxB,gBAAgB,EAAE,UAAU,GAC3B,OAAO,CAAC,UAAU,CAAC;IAMtB;;OAEG;IACH,OAAO,CAAC,aAAa;IAWrB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;CAoB3B"}
|
|
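--- a/package/src/lib/encryption/poolEncryptionService.js
+++ b/package/src/lib/encryption/poolEncryptionService.js
@@ -0,0 +1,252 @@
+"use strict";
+/**
+* Pool Encryption Service — Node.js implementation of pool-level encryption.
+*
+* Supports two encryption modes:
+* - Node-specific: ECIES encrypt/decrypt using the node's secp256k1 key pair
+* - Pool-shared: AES-256-GCM with a shared symmetric key, distributed per-member via ECIES
+*
+* Block IDs are computed from ciphertext (not plaintext) so Bloom filters
+* and block lookups work correctly on encrypted pools.
+*
+* ECIES scheme:
+* 1. Generate ephemeral secp256k1 key pair
+* 2. Derive shared secret via ECDH with recipient's public key
+* 3. Derive AES-256 key from shared secret using HKDF-SHA256
+* 4. Encrypt with AES-256-GCM (random 12-byte IV)
+* 5. Output: ephemeral public key (33 bytes) + IV (12 bytes) + auth tag (16 bytes) + ciphertext
+*
+* @see Requirements 14.2, 14.3, 14.5
+*/
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PoolEncryptionService = void 0;
+const tslib_1 = require("tslib");
+const crypto = tslib_1.__importStar(require("crypto"));
+const errors_1 = require("./errors");
+/** Byte lengths for ECIES wire format components */
+const COMPRESSED_PUBLIC_KEY_LENGTH = 33;
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const AES_KEY_LENGTH = 32; // 256 bits
+const HKDF_INFO = Buffer.from('brightchain-ecies-v1');
+class PoolEncryptionService {
+// ─── Node-Specific (ECIES) ───────────────────────────────────────────
+/**
+* Encrypt data using ECIES with the recipient's secp256k1 public key.
+*
+* @param data - Plaintext data to encrypt
+* @param publicKey - Recipient's secp256k1 public key (33 or 65 bytes)
+* @returns Ciphertext: ephemeralPubKey (33) + IV (12) + authTag (16) + encrypted data
+*/
+async encryptNodeSpecific(data, publicKey) {
+try {
+const recipientKey = this.ensureUncompressed(publicKey);
+// Generate ephemeral key pair
+const ephemeral = crypto.createECDH('secp256k1');
+ephemeral.generateKeys();
+const ephemeralPublicKey = ephemeral.getPublicKey(undefined, 'compressed');
+// Derive shared secret via ECDH
+const sharedSecret = ephemeral.computeSecret(recipientKey);
+// Derive AES key via HKDF
+const aesKey = this.hkdfDeriveKey(sharedSecret);
+// Encrypt with AES-256-GCM
+const iv = crypto.randomBytes(IV_LENGTH);
+const cipher = crypto.createCipheriv('aes-256-gcm', aesKey, iv);
+const encrypted = Buffer.concat([
+cipher.update(Buffer.from(data)),
+cipher.final(),
+]);
+const authTag = cipher.getAuthTag();
+// Pack: ephemeralPubKey + IV + authTag + ciphertext
+const result = new Uint8Array(COMPRESSED_PUBLIC_KEY_LENGTH +
+IV_LENGTH +
+AUTH_TAG_LENGTH +
+encrypted.length);
+result.set(ephemeralPublicKey, 0);
+result.set(iv, COMPRESSED_PUBLIC_KEY_LENGTH);
+result.set(authTag, COMPRESSED_PUBLIC_KEY_LENGTH + IV_LENGTH);
+result.set(encrypted, COMPRESSED_PUBLIC_KEY_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH);
+return result;
+}
+catch (err) {
+if (err instanceof errors_1.EncryptionError)
+throw err;
+throw new errors_1.EncryptionError('ECIES encryption failed', err);
+}
+}
+/**
+* Decrypt ECIES-encrypted data using the recipient's secp256k1 private key.
+*
+* @param ciphertext - Output from encryptNodeSpecific
+* @param privateKey - Recipient's raw 32-byte secp256k1 private key
+* @returns Decrypted plaintext
+*/
+async decryptNodeSpecific(ciphertext, privateKey) {
+const minLength = COMPRESSED_PUBLIC_KEY_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH;
+if (ciphertext.length < minLength) {
+throw new errors_1.DecryptionError(`ECIES ciphertext too short: expected at least ${minLength} bytes, got ${ciphertext.length}`);
+}
+try {
+// Unpack components
+const ephemeralPubKey = ciphertext.slice(0, COMPRESSED_PUBLIC_KEY_LENGTH);
+const iv = ciphertext.slice(COMPRESSED_PUBLIC_KEY_LENGTH, COMPRESSED_PUBLIC_KEY_LENGTH + IV_LENGTH);
+const authTag = ciphertext.slice(COMPRESSED_PUBLIC_KEY_LENGTH + IV_LENGTH, COMPRESSED_PUBLIC_KEY_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH);
+const encryptedData = ciphertext.slice(COMPRESSED_PUBLIC_KEY_LENGTH + IV_LENGTH + AUTH_TAG_LENGTH);
+// Reconstruct shared secret
+const ecdh = crypto.createECDH('secp256k1');
+ecdh.setPrivateKey(Buffer.from(privateKey));
+const ephemeralUncompressed = this.ensureUncompressed(ephemeralPubKey);
+const sharedSecret = ecdh.computeSecret(ephemeralUncompressed);
+// Derive AES key via HKDF
+const aesKey = this.hkdfDeriveKey(sharedSecret);
+// Decrypt with AES-256-GCM
+const decipher = crypto.createDecipheriv('aes-256-gcm', aesKey, Buffer.from(iv));
+decipher.setAuthTag(Buffer.from(authTag));
+const decrypted = Buffer.concat([
+decipher.update(Buffer.from(encryptedData)),
+decipher.final(),
+]);
+return new Uint8Array(decrypted);
+}
+catch (err) {
+if (err instanceof errors_1.DecryptionError)
+throw err;
+throw new errors_1.DecryptionError('ECIES decryption failed', err);
+}
+}
+// ─── Pool-Shared (AES-256-GCM) ──────────────────────────────────────
+/**
+* Encrypt data using AES-256-GCM with the shared pool key.
+*
+* @param data - Plaintext data to encrypt
+* @param sharedKey - 32-byte (256-bit) symmetric pool key
+* @returns Ciphertext: IV (12 bytes) + authTag (16 bytes) + encrypted data
+*/
+async encryptPoolShared(data, sharedKey) {
+if (sharedKey.length !== AES_KEY_LENGTH) {
+throw new errors_1.EncryptionError(`Invalid shared key length: expected ${AES_KEY_LENGTH} bytes, got ${sharedKey.length}`);
+}
+try {
+const iv = crypto.randomBytes(IV_LENGTH);
+const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(sharedKey), iv);
+const encrypted = Buffer.concat([
+cipher.update(Buffer.from(data)),
+cipher.final(),
+]);
+const authTag = cipher.getAuthTag();
+// Pack: IV + authTag + ciphertext
+const result = new Uint8Array(IV_LENGTH + AUTH_TAG_LENGTH + encrypted.length);
+result.set(iv, 0);
+result.set(authTag, IV_LENGTH);
+result.set(encrypted, IV_LENGTH + AUTH_TAG_LENGTH);
+return result;
+}
+catch (err) {
+if (err instanceof errors_1.EncryptionError)
+throw err;
+throw new errors_1.EncryptionError('AES-256-GCM encryption failed', err);
+}
+}
+/**
+* Decrypt AES-256-GCM-encrypted data using the shared pool key.
+*
+* @param ciphertext - Output from encryptPoolShared
+* @param sharedKey - 32-byte (256-bit) symmetric pool key
+* @returns Decrypted plaintext
+*/
+async decryptPoolShared(ciphertext, sharedKey) {
+if (sharedKey.length !== AES_KEY_LENGTH) {
+throw new errors_1.DecryptionError(`Invalid shared key length: expected ${AES_KEY_LENGTH} bytes, got ${sharedKey.length}`);
+}
+const minLength = IV_LENGTH + AUTH_TAG_LENGTH;
+if (ciphertext.length < minLength) {
+throw new errors_1.DecryptionError(`AES-256-GCM ciphertext too short: expected at least ${minLength} bytes, got ${ciphertext.length}`);
+}
+try {
+// Unpack components
+const iv = ciphertext.slice(0, IV_LENGTH);
+const authTag = ciphertext.slice(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+const encryptedData = ciphertext.slice(IV_LENGTH + AUTH_TAG_LENGTH);
+const decipher = crypto.createDecipheriv('aes-256-gcm', Buffer.from(sharedKey), Buffer.from(iv));
+decipher.setAuthTag(Buffer.from(authTag));
+const decrypted = Buffer.concat([
+decipher.update(Buffer.from(encryptedData)),
+decipher.final(),
+]);
+return new Uint8Array(decrypted);
+}
+catch (err) {
+if (err instanceof errors_1.DecryptionError)
+throw err;
+throw new errors_1.DecryptionError('AES-256-GCM decryption failed', err);
+}
+}
+// ─── Block ID & Key Management ──────────────────────────────────────
+/**
+* Compute a block ID from ciphertext using SHA-256.
+* Per Requirement 14.5, block IDs are hashes of encrypted data, not plaintext.
+*
+* @param ciphertext - Encrypted block data
+* @returns Hex-encoded SHA-256 hash
+*/
+computeBlockId(ciphertext) {
+return crypto
+.createHash('sha256')
+.update(Buffer.from(ciphertext))
+.digest('hex');
+}
+/**
+* Generate a random 256-bit symmetric key for pool-shared encryption.
+*
+* @returns 32-byte random key
+*/
+generatePoolKey() {
+return new Uint8Array(crypto.randomBytes(AES_KEY_LENGTH));
+}
+/**
+* Encrypt a pool key for a specific member using ECIES.
+* Used during key distribution for pool-shared encryption.
+*
+* @param poolKey - The 32-byte symmetric pool key
+* @param memberPublicKey - Member's secp256k1 public key (33 or 65 bytes)
+* @returns ECIES-encrypted pool key
+*/
+async encryptKeyForMember(poolKey, memberPublicKey) {
+return this.encryptNodeSpecific(poolKey, memberPublicKey);
+}
+/**
+* Decrypt a pool key that was encrypted for this member.
+*
+* @param encryptedKey - ECIES-encrypted pool key (from encryptKeyForMember)
+* @param memberPrivateKey - Member's raw 32-byte secp256k1 private key
+* @returns The 32-byte symmetric pool key
+*/
+async decryptKeyForMember(encryptedKey, memberPrivateKey) {
+return this.decryptNodeSpecific(encryptedKey, memberPrivateKey);
+}
+// ─── Private Helpers ────────────────────────────────────────────────
+/**
+* Derive a 256-bit AES key from a shared secret using HKDF-SHA256.
+*/
+hkdfDeriveKey(sharedSecret) {
+const derived = crypto.hkdfSync('sha256', sharedSecret, Buffer.alloc(0), // no salt
+HKDF_INFO, AES_KEY_LENGTH);
+return Buffer.from(derived);
+}
+/**
+* Ensure a secp256k1 public key is in uncompressed (65-byte) format.
+* Accepts compressed (33 bytes) or uncompressed (65 bytes) input.
+*/
+ensureUncompressed(publicKey) {
+if (publicKey.length === 65 && publicKey[0] === 0x04) {
+return Buffer.from(publicKey);
+}
+if (publicKey.length === 33 &&
+(publicKey[0] === 0x02 || publicKey[0] === 0x03)) {
+return crypto.ECDH.convertKey(Buffer.from(publicKey), 'secp256k1', undefined, undefined, 'uncompressed');
+}
+throw new errors_1.EncryptionError(`Invalid secp256k1 public key: expected 33 or 65 bytes, got ${publicKey.length}`);
+}
+}
+exports.PoolEncryptionService = PoolEncryptionService;
+//# sourceMappingURL=poolEncryptionService.js.map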
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"poolEncryptionService.js","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/poolEncryptionService.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;GAkBG;;;;AAEH,uDAAiC;AACjC,qCAA4D;AAE5D,oDAAoD;AACpD,MAAM,4BAA4B,GAAG,EAAE,CAAC;AACxC,MAAM,SAAS,GAAG,EAAE,CAAC;AACrB,MAAM,eAAe,GAAG,EAAE,CAAC;AAC3B,MAAM,cAAc,GAAG,EAAE,CAAC,CAAC,WAAW;AACtC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;AAEtD,MAAa,qBAAqB;IAChC,wEAAwE;IAExE;;;;;;OAMG;IACH,KAAK,CAAC,mBAAmB,CACvB,IAAgB,EAChB,SAAqB;QAErB,IAAI,CAAC;YACH,MAAM,YAAY,GAAG,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC;YAExD,8BAA8B;YAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;YACjD,SAAS,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,kBAAkB,GAAG,SAAS,CAAC,YAAY,CAC/C,SAAS,EACT,YAAY,CACb,CAAC;YAEF,gCAAgC;YAChC,MAAM,YAAY,GAAG,SAAS,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;YAE3D,0BAA0B;YAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;YAEhD,2BAA2B;YAC3B,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;YACzC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;YAChE,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;gBAC9B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAChC,MAAM,CAAC,KAAK,EAAE;aACf,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAEpC,oDAAoD;YACpD,MAAM,MAAM,GAAG,IAAI,UAAU,CAC3B,4BAA4B;gBAC1B,SAAS;gBACT,eAAe;gBACf,SAAS,CAAC,MAAM,CACnB,CAAC;YACF,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,4BAA4B,CAAC,CAAC;YAC7C,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,4BAA4B,GAAG,SAAS,CAAC,CAAC;YAC9D,MAAM,CAAC,GAAG,CACR,SAAS,EACT,4BAA4B,GAAG,SAAS,GAAG,eAAe,CAC3D,CAAC;YAEF,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,wBAAe;gBAAE,MAAM,GAAG,CAAC;YAC9C,MAAM,IAAI,wBAAe,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,mBAAmB,CACvB,UAAsB,EACtB,UAAsB;QAEtB,MAAM,SAAS,GACb,4BAA4B,GAAG,SAAS,GAAG,eAAe,CAAC;QAC7D,IAAI,UAAU,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,wBAAe,CACvB,iDAAiD,SAAS,eAAe,UAAU,CAAC,MAA
M,EAAE,CAC7F,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,oBAAoB;YACpB,MAAM,eAAe,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,4BAA4B,CAAC,CAAC;YAC1E,MAAM,EAAE,GAAG,UAAU,CAAC,KAAK,CACzB,4BAA4B,EAC5B,4BAA4B,GAAG,SAAS,CACzC,CAAC;YACF,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAC9B,4BAA4B,GAAG,SAAS,EACxC,4BAA4B,GAAG,SAAS,GAAG,eAAe,CAC3D,CAAC;YACF,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CACpC,4BAA4B,GAAG,SAAS,GAAG,eAAe,CAC3D,CAAC;YAEF,4BAA4B;YAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;YAC5C,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;YAC5C,MAAM,qBAAqB,GAAG,IAAI,CAAC,kBAAkB,CAAC,eAAe,CAAC,CAAC;YACvE,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC,qBAAqB,CAAC,CAAC;YAE/D,0BAA0B;YAC1B,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;YAEhD,2BAA2B;YAC3B,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CACtC,aAAa,EACb,MAAM,EACN,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAChB,CAAC;YACF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;gBAC9B,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBAC3C,QAAQ,CAAC,KAAK,EAAE;aACjB,CAAC,CAAC;YAEH,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,wBAAe;gBAAE,MAAM,GAAG,CAAC;YAC9C,MAAM,IAAI,wBAAe,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,uEAAuE;IAEvE;;;;;;OAMG;IACH,KAAK,CAAC,iBAAiB,CACrB,IAAgB,EAChB,SAAqB;QAErB,IAAI,SAAS,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YACxC,MAAM,IAAI,wBAAe,CACvB,uCAAuC,cAAc,eAAe,SAAS,CAAC,MAAM,EAAE,CACvF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,SAAS,CAAC,CAAC;YACzC,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAClC,aAAa,EACb,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EACtB,EAAE,CACH,CAAC;YACF,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;gBAC9B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBAChC,MAAM,CAAC,KAAK,EAAE;aACf,CAAC,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;YAEpC,kCAAkC;YAClC,MAAM,MAAM,GAAG,IAAI,UAAU,CAC3B,SAAS,GAAG,eAAe,GAAG,SAAS,CAAC,MAAM,CAC/C,CAAC;YACF,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YAClB,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;
YAC/B,MAAM,CAAC,GAAG,CAAC,SAAS,EAAE,SAAS,GAAG,eAAe,CAAC,CAAC;YAEnD,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,wBAAe;gBAAE,MAAM,GAAG,CAAC;YAC9C,MAAM,IAAI,wBAAe,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,iBAAiB,CACrB,UAAsB,EACtB,SAAqB;QAErB,IAAI,SAAS,CAAC,MAAM,KAAK,cAAc,EAAE,CAAC;YACxC,MAAM,IAAI,wBAAe,CACvB,uCAAuC,cAAc,eAAe,SAAS,CAAC,MAAM,EAAE,CACvF,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,SAAS,GAAG,eAAe,CAAC;QAC9C,IAAI,UAAU,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,wBAAe,CACvB,uDAAuD,SAAS,eAAe,UAAU,CAAC,MAAM,EAAE,CACnG,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,oBAAoB;YACpB,MAAM,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;YAC1C,MAAM,OAAO,GAAG,UAAU,CAAC,KAAK,CAAC,SAAS,EAAE,SAAS,GAAG,eAAe,CAAC,CAAC;YACzE,MAAM,aAAa,GAAG,UAAU,CAAC,KAAK,CAAC,SAAS,GAAG,eAAe,CAAC,CAAC;YAEpE,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CACtC,aAAa,EACb,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EACtB,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAChB,CAAC;YACF,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;YAC1C,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;gBAC9B,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBAC3C,QAAQ,CAAC,KAAK,EAAE;aACjB,CAAC,CAAC;YAEH,OAAO,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,wBAAe;gBAAE,MAAM,GAAG,CAAC;YAC9C,MAAM,IAAI,wBAAe,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED,uEAAuE;IAEvE;;;;;;OAMG;IACH,cAAc,CAAC,UAAsB;QACnC,OAAO,MAAM;aACV,UAAU,CAAC,QAAQ,CAAC;aACpB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;aAC/B,MAAM,CAAC,KAAK,CAAC,CAAC;IACnB,CAAC;IAED;;;;OAIG;IACH,eAAe;QACb,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,mBAAmB,CACvB,OAAmB,EACnB,eAA2B;QAE3B,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;IAC5D,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,mBAAmB,CACvB,YAAwB,EACxB,gBAA4B;QAE5B,OAAO,IAAI,CAAC,mBAAmB,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC;IAClE,CAAC;IAED,uEAAuE;IAEvE;;OAEG;IACK,aAAa,CAAC,YAAoB;QACxC,MAAM,OAAO,GAAG,MAAM,CAA
C,QAAQ,CAC7B,QAAQ,EACR,YAAY,EACZ,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,UAAU;QAC3B,SAAS,EACT,cAAc,CACf,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACK,kBAAkB,CAAC,SAAqB;QAC9C,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACrD,OAAO,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAChC,CAAC;QACD,IACE,SAAS,CAAC,MAAM,KAAK,EAAE;YACvB,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,EAChD,CAAC;YACD,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,CAC3B,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EACtB,WAAW,EACX,SAAS,EACT,SAAS,EACT,cAAc,CACL,CAAC;QACd,CAAC;QACD,MAAM,IAAI,wBAAe,CACvB,8DAA8D,SAAS,CAAC,MAAM,EAAE,CACjF,CAAC;IACJ,CAAC;CACF;AAzTD,sDAyTC"}
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Pool Key Manager — manages the lifecycle of pool encryption keys.
|
|
3
|
+
*
|
|
4
|
+
* Handles key generation, distribution, rotation, and member removal
|
|
5
|
+
* for pool-shared encryption mode. Old key versions are retained so
|
|
6
|
+
* older blocks can still be decrypted (Requirement 15.4).
|
|
7
|
+
*
|
|
8
|
+
* Node IDs are derived from public keys using SHA-256 hex, consistent
|
|
9
|
+
* with ECDSANodeAuthenticator.deriveNodeId.
|
|
10
|
+
*
|
|
11
|
+
* @see Requirements 15.1, 15.2, 15.3, 15.4, 15.5
|
|
12
|
+
*/
|
|
13
|
+
import type { IPoolEncryptionConfig } from '@brightchain/brightchain-lib';
|
|
14
|
+
import { PoolEncryptionService } from './poolEncryptionService';
|
|
15
|
+
export declare class PoolKeyManager {
|
|
16
|
+
private config;
|
|
17
|
+
private readonly encryptionService;
|
|
18
|
+
constructor(encryptionService: PoolEncryptionService, initialConfig: IPoolEncryptionConfig);
|
|
19
|
+
/**
|
|
20
|
+
* Generate a new pool key, encrypt it for each member, and create version 1.
|
|
21
|
+
*
|
|
22
|
+
* @param memberPublicKeys - secp256k1 public keys of all pool members
|
|
23
|
+
* @returns Updated pool encryption config with the first key version
|
|
24
|
+
* @see Requirement 15.2
|
|
25
|
+
*/
|
|
26
|
+
initializePoolKey(memberPublicKeys: Uint8Array[]): Promise<IPoolEncryptionConfig>;
|
|
27
|
+
/**
|
|
28
|
+
* Generate a new key version, encrypt for all current members,
|
|
29
|
+
* and increment currentKeyVersion. Old versions remain active
|
|
30
|
+
* for decrypting older blocks (Requirement 15.4).
|
|
31
|
+
*
|
|
32
|
+
* @param currentMemberPublicKeys - secp256k1 public keys of current members
|
|
33
|
+
* @returns Updated pool encryption config with the new key version appended
|
|
34
|
+
* @see Requirements 15.3, 15.4
|
|
35
|
+
*/
|
|
36
|
+
rotateKey(currentMemberPublicKeys: Uint8Array[]): Promise<IPoolEncryptionConfig>;
|
|
37
|
+
/**
|
|
38
|
+
* Remove a member by triggering key rotation excluding the removed member.
|
|
39
|
+
* The removed member will not have access to the new key version,
|
|
40
|
+
* so they cannot decrypt new blocks (Requirement 15.5).
|
|
41
|
+
*
|
|
42
|
+
* @param removedNodeId - Node ID of the member being removed
|
|
43
|
+
* @param remainingMemberPublicKeys - Public keys of members who remain
|
|
44
|
+
* @returns Updated pool encryption config after rotation
|
|
45
|
+
* @see Requirement 15.5
|
|
46
|
+
*/
|
|
47
|
+
removeMember(removedNodeId: string, remainingMemberPublicKeys: Uint8Array[]): Promise<IPoolEncryptionConfig>;
|
|
48
|
+
/**
|
|
49
|
+
* Look up a key version in history, find the member's encrypted key,
|
|
50
|
+
* and decrypt it.
|
|
51
|
+
*
|
|
52
|
+
* @param keyVersion - The key version number to look up
|
|
53
|
+
* @param memberPrivateKey - Member's raw 32-byte secp256k1 private key
|
|
54
|
+
* @param memberNodeId - The member's node ID
|
|
55
|
+
* @returns The decrypted symmetric pool key for that version
|
|
56
|
+
* @see Requirement 15.4
|
|
57
|
+
*/
|
|
58
|
+
getDecryptionKey(keyVersion: number, memberPrivateKey: Uint8Array, memberNodeId: string): Promise<Uint8Array>;
|
|
59
|
+
/**
|
|
60
|
+
* Shortcut for getting the current version's decrypted key.
|
|
61
|
+
*
|
|
62
|
+
* @param memberPrivateKey - Member's raw 32-byte secp256k1 private key
|
|
63
|
+
* @param memberNodeId - The member's node ID
|
|
64
|
+
* @returns The decrypted symmetric pool key for the current version
|
|
65
|
+
*/
|
|
66
|
+
getCurrentEncryptionKey(memberPrivateKey: Uint8Array, memberNodeId: string): Promise<Uint8Array>;
|
|
67
|
+
/**
|
|
68
|
+
* Return a copy of the current pool encryption config.
|
|
69
|
+
*/
|
|
70
|
+
getConfig(): IPoolEncryptionConfig;
|
|
71
|
+
/**
|
|
72
|
+
* Encrypt a pool key for each member, returning an array of
|
|
73
|
+
* { nodeId, encryptedKey } entries.
|
|
74
|
+
*/
|
|
75
|
+
private encryptKeyForMembers;
|
|
76
|
+
/**
|
|
77
|
+
* Derive a node ID from a public key via SHA-256 hex.
|
|
78
|
+
* Consistent with ECDSANodeAuthenticator.deriveNodeId.
|
|
79
|
+
*/
|
|
80
|
+
private deriveNodeId;
|
|
81
|
+
}
|
|
82
|
+
//# sourceMappingURL=poolKeyManager.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"poolKeyManager.d.ts","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/poolKeyManager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAEV,qBAAqB,EACtB,MAAM,8BAA8B,CAAC;AAGtC,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAEhE,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,QAAQ,CAAC,iBAAiB,CAAwB;gBAGxD,iBAAiB,EAAE,qBAAqB,EACxC,aAAa,EAAE,qBAAqB;IAMtC;;;;;;OAMG;IACG,iBAAiB,CACrB,gBAAgB,EAAE,UAAU,EAAE,GAC7B,OAAO,CAAC,qBAAqB,CAAC;IAuBjC;;;;;;;;OAQG;IACG,SAAS,CACb,uBAAuB,EAAE,UAAU,EAAE,GACpC,OAAO,CAAC,qBAAqB,CAAC;IAyBjC;;;;;;;;;OASG;IACG,YAAY,CAChB,aAAa,EAAE,MAAM,EACrB,yBAAyB,EAAE,UAAU,EAAE,GACtC,OAAO,CAAC,qBAAqB,CAAC;IASjC;;;;;;;;;OASG;IACG,gBAAgB,CACpB,UAAU,EAAE,MAAM,EAClB,gBAAgB,EAAE,UAAU,EAC5B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,UAAU,CAAC;IA6BtB;;;;;;OAMG;IACG,uBAAuB,CAC3B,gBAAgB,EAAE,UAAU,EAC5B,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,UAAU,CAAC;IAQtB;;OAEG;IACH,SAAS,IAAI,qBAAqB;IASlC;;;OAGG;YACW,oBAAoB;IAiBlC;;;OAGG;IACH,OAAO,CAAC,YAAY;CAMrB"}
|
|
@@ -0,0 +1,156 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Pool Key Manager — manages the lifecycle of pool encryption keys.
|
|
4
|
+
*
|
|
5
|
+
* Handles key generation, distribution, rotation, and member removal
|
|
6
|
+
* for pool-shared encryption mode. Old key versions are retained so
|
|
7
|
+
* older blocks can still be decrypted (Requirement 15.4).
|
|
8
|
+
*
|
|
9
|
+
* Node IDs are derived from public keys using SHA-256 hex, consistent
|
|
10
|
+
* with ECDSANodeAuthenticator.deriveNodeId.
|
|
11
|
+
*
|
|
12
|
+
* @see Requirements 15.1, 15.2, 15.3, 15.4, 15.5
|
|
13
|
+
*/
|
|
14
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
15
|
+
exports.PoolKeyManager = void 0;
|
|
16
|
+
const tslib_1 = require("tslib");
|
|
17
|
+
const crypto = tslib_1.__importStar(require("crypto"));
|
|
18
|
+
const errors_1 = require("./errors");
|
|
19
|
+
class PoolKeyManager {
|
|
20
|
+
constructor(encryptionService, initialConfig) {
|
|
21
|
+
this.encryptionService = encryptionService;
|
|
22
|
+
this.config = { ...initialConfig };
|
|
23
|
+
}
|
|
24
|
+
/**
|
|
25
|
+
* Generate a new pool key, encrypt it for each member, and create version 1.
|
|
26
|
+
*
|
|
27
|
+
* @param memberPublicKeys - secp256k1 public keys of all pool members
|
|
28
|
+
* @returns Updated pool encryption config with the first key version
|
|
29
|
+
* @see Requirement 15.2
|
|
30
|
+
*/
|
|
31
|
+
async initializePoolKey(memberPublicKeys) {
|
|
32
|
+
const poolKey = this.encryptionService.generatePoolKey();
|
|
33
|
+
const encryptedKeys = await this.encryptKeyForMembers(poolKey, memberPublicKeys);
|
|
34
|
+
const keyVersion = {
|
|
35
|
+
version: 1,
|
|
36
|
+
createdAt: new Date(),
|
|
37
|
+
encryptedKeys,
|
|
38
|
+
active: true,
|
|
39
|
+
};
|
|
40
|
+
this.config = {
|
|
41
|
+
...this.config,
|
|
42
|
+
keyVersions: [keyVersion],
|
|
43
|
+
currentKeyVersion: 1,
|
|
44
|
+
};
|
|
45
|
+
return this.getConfig();
|
|
46
|
+
}
|
|
47
|
+
/**
|
|
48
|
+
* Generate a new key version, encrypt for all current members,
|
|
49
|
+
* and increment currentKeyVersion. Old versions remain active
|
|
50
|
+
* for decrypting older blocks (Requirement 15.4).
|
|
51
|
+
*
|
|
52
|
+
* @param currentMemberPublicKeys - secp256k1 public keys of current members
|
|
53
|
+
* @returns Updated pool encryption config with the new key version appended
|
|
54
|
+
* @see Requirements 15.3, 15.4
|
|
55
|
+
*/
|
|
56
|
+
async rotateKey(currentMemberPublicKeys) {
|
|
57
|
+
const poolKey = this.encryptionService.generatePoolKey();
|
|
58
|
+
const newVersion = this.config.currentKeyVersion + 1;
|
|
59
|
+
const encryptedKeys = await this.encryptKeyForMembers(poolKey, currentMemberPublicKeys);
|
|
60
|
+
const keyVersion = {
|
|
61
|
+
version: newVersion,
|
|
62
|
+
createdAt: new Date(),
|
|
63
|
+
encryptedKeys,
|
|
64
|
+
active: true,
|
|
65
|
+
};
|
|
66
|
+
this.config = {
|
|
67
|
+
...this.config,
|
|
68
|
+
keyVersions: [...this.config.keyVersions, keyVersion],
|
|
69
|
+
currentKeyVersion: newVersion,
|
|
70
|
+
};
|
|
71
|
+
return this.getConfig();
|
|
72
|
+
}
|
|
73
|
+
/**
|
|
74
|
+
* Remove a member by triggering key rotation excluding the removed member.
|
|
75
|
+
* The removed member will not have access to the new key version,
|
|
76
|
+
* so they cannot decrypt new blocks (Requirement 15.5).
|
|
77
|
+
*
|
|
78
|
+
* @param removedNodeId - Node ID of the member being removed
|
|
79
|
+
* @param remainingMemberPublicKeys - Public keys of members who remain
|
|
80
|
+
* @returns Updated pool encryption config after rotation
|
|
81
|
+
* @see Requirement 15.5
|
|
82
|
+
*/
|
|
83
|
+
async removeMember(removedNodeId, remainingMemberPublicKeys) {
|
|
84
|
+
// Filter out the removed member's keys just in case they were included
|
|
85
|
+
const filteredKeys = remainingMemberPublicKeys.filter((pk) => this.deriveNodeId(pk) !== removedNodeId);
|
|
86
|
+
return this.rotateKey(filteredKeys);
|
|
87
|
+
}
|
|
88
|
+
/**
|
|
89
|
+
* Look up a key version in history, find the member's encrypted key,
|
|
90
|
+
* and decrypt it.
|
|
91
|
+
*
|
|
92
|
+
* @param keyVersion - The key version number to look up
|
|
93
|
+
* @param memberPrivateKey - Member's raw 32-byte secp256k1 private key
|
|
94
|
+
* @param memberNodeId - The member's node ID
|
|
95
|
+
* @returns The decrypted symmetric pool key for that version
|
|
96
|
+
* @see Requirement 15.4
|
|
97
|
+
*/
|
|
98
|
+
async getDecryptionKey(keyVersion, memberPrivateKey, memberNodeId) {
|
|
99
|
+
const version = this.config.keyVersions.find((kv) => kv.version === keyVersion);
|
|
100
|
+
if (!version) {
|
|
101
|
+
throw new errors_1.KeyVersionNotFoundError(keyVersion);
|
|
102
|
+
}
|
|
103
|
+
if (!version.encryptedKeys || version.encryptedKeys.length === 0) {
|
|
104
|
+
throw new errors_1.DecryptionError(`Key version ${keyVersion} has no encrypted keys`);
|
|
105
|
+
}
|
|
106
|
+
const memberEntry = version.encryptedKeys.find((ek) => ek.nodeId === memberNodeId);
|
|
107
|
+
if (!memberEntry) {
|
|
108
|
+
throw new errors_1.DecryptionError(`No encrypted key found for member ${memberNodeId} in key version ${keyVersion}`);
|
|
109
|
+
}
|
|
110
|
+
return this.encryptionService.decryptKeyForMember(memberEntry.encryptedKey, memberPrivateKey);
|
|
111
|
+
}
|
|
112
|
+
/**
|
|
113
|
+
* Shortcut for getting the current version's decrypted key.
|
|
114
|
+
*
|
|
115
|
+
* @param memberPrivateKey - Member's raw 32-byte secp256k1 private key
|
|
116
|
+
* @param memberNodeId - The member's node ID
|
|
117
|
+
* @returns The decrypted symmetric pool key for the current version
|
|
118
|
+
*/
|
|
119
|
+
async getCurrentEncryptionKey(memberPrivateKey, memberNodeId) {
|
|
120
|
+
return this.getDecryptionKey(this.config.currentKeyVersion, memberPrivateKey, memberNodeId);
|
|
121
|
+
}
|
|
122
|
+
/**
|
|
123
|
+
* Return a copy of the current pool encryption config.
|
|
124
|
+
*/
|
|
125
|
+
getConfig() {
|
|
126
|
+
return {
|
|
127
|
+
...this.config,
|
|
128
|
+
keyVersions: this.config.keyVersions.map((kv) => ({ ...kv })),
|
|
129
|
+
};
|
|
130
|
+
}
|
|
131
|
+
// ─── Private Helpers ────────────────────────────────────────────────
|
|
132
|
+
/**
|
|
133
|
+
* Encrypt a pool key for each member, returning an array of
|
|
134
|
+
* { nodeId, encryptedKey } entries.
|
|
135
|
+
*/
|
|
136
|
+
async encryptKeyForMembers(poolKey, memberPublicKeys) {
|
|
137
|
+
const entries = await Promise.all(memberPublicKeys.map(async (publicKey) => {
|
|
138
|
+
const nodeId = this.deriveNodeId(publicKey);
|
|
139
|
+
const encryptedKey = await this.encryptionService.encryptKeyForMember(poolKey, publicKey);
|
|
140
|
+
return { nodeId, encryptedKey };
|
|
141
|
+
}));
|
|
142
|
+
return entries;
|
|
143
|
+
}
|
|
144
|
+
/**
|
|
145
|
+
* Derive a node ID from a public key via SHA-256 hex.
|
|
146
|
+
* Consistent with ECDSANodeAuthenticator.deriveNodeId.
|
|
147
|
+
*/
|
|
148
|
+
deriveNodeId(publicKey) {
|
|
149
|
+
return crypto
|
|
150
|
+
.createHash('sha256')
|
|
151
|
+
.update(Buffer.from(publicKey))
|
|
152
|
+
.digest('hex');
|
|
153
|
+
}
|
|
154
|
+
}
|
|
155
|
+
exports.PoolKeyManager = PoolKeyManager;
|
|
156
|
+
//# sourceMappingURL=poolKeyManager.js.map
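Review bot: `initializePoolKey` (hunk line 31) and `rotateKey` (hunk line 56) accept an empty public-key array and still record a key version whose `encryptedKeys` is `[]`, so the freshly generated pool key survives only in the discarded local `poolKey` and every block written under that version becomes unrecoverable; `removeMember` reaches the same state whenever its filter leaves no keys. A guard at the top of both methods, `if (memberPublicKeys.length === 0) { throw new errors_1.EncryptionError('Pool key must be encrypted for at least one member'); }` (with `currentMemberPublicKeys` in `rotateKey`), makes that failure explicit rather than silent — the sibling poolEncryptionService.js throws `errors_1.EncryptionError` from the same './errors' module, but confirm it is exported there. Separately, `deriveNodeId` hashes the public-key bytes exactly as supplied, while `PoolEncryptionService.ensureUncompressed` accepts both 33-byte and 65-byte encodings, so one member presented compressed in one call and uncompressed in another gets two different node IDs and the `removeMember` filter would not exclude them; normalising to a single encoding before hashing (or documenting that callers must) closes that gap, assuming `ECDSANodeAuthenticator.deriveNodeId` behaves the same way. Finally, `getConfig` copies each `keyVersion` object but still shares its `encryptedKeys` array and the underlying `Uint8Array`s with the caller, so the TSDoc "Return a copy of the current pool encryption config" overstates the isolation; either copy `encryptedKeys` as well (`encryptedKeys: kv.encryptedKeys.map((ek) => ({ ...ek }))`) or state in the comment that the inner arrays are shared references.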
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"poolKeyManager.js","sourceRoot":"","sources":["../../../../../brightchain-api-lib/src/lib/encryption/poolKeyManager.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;;AAMH,uDAAiC;AACjC,qCAAoE;AAGpE,MAAa,cAAc;IAIzB,YACE,iBAAwC,EACxC,aAAoC;QAEpC,IAAI,CAAC,iBAAiB,GAAG,iBAAiB,CAAC;QAC3C,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,aAAa,EAAE,CAAC;IACrC,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,iBAAiB,CACrB,gBAA8B;QAE9B,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,eAAe,EAAE,CAAC;QACzD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,oBAAoB,CACnD,OAAO,EACP,gBAAgB,CACjB,CAAC;QAEF,MAAM,UAAU,GAAgB;YAC9B,OAAO,EAAE,CAAC;YACV,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,aAAa;YACb,MAAM,EAAE,IAAI;SACb,CAAC;QAEF,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,IAAI,CAAC,MAAM;YACd,WAAW,EAAE,CAAC,UAAU,CAAC;YACzB,iBAAiB,EAAE,CAAC;SACrB,CAAC;QAEF,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC;IAC1B,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,SAAS,CACb,uBAAqC;QAErC,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAAC,eAAe,EAAE,CAAC;QACzD,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,iBAAiB,GAAG,CAAC,CAAC;QAErD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,oBAAoB,CACnD,OAAO,EACP,uBAAuB,CACxB,CAAC;QAEF,MAAM,UAAU,GAAgB;YAC9B,OAAO,EAAE,UAAU;YACnB,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,aAAa;YACb,MAAM,EAAE,IAAI;SACb,CAAC;QAEF,IAAI,CAAC,MAAM,GAAG;YACZ,GAAG,IAAI,CAAC,MAAM;YACd,WAAW,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,UAAU,CAAC;YACrD,iBAAiB,EAAE,UAAU;SAC9B,CAAC;QAEF,OAAO,IAAI,CAAC,SAAS,EAAE,CAAC;IAC1B,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,YAAY,CAChB,aAAqB,EACrB,yBAAuC;QAEvC,uEAAuE;QACvE,MAAM,YAAY,GAAG,yBAAyB,CAAC,MAAM,CACnD,CAAC,EAAE,EAAE,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC,KAAK,aAAa,CAChD,CAAC;QAEF,OAAO,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;IACtC,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,gBAAgB,CACpB,UAAkB,EAClB,gBAA4B,EAC5B,YAAoB;QAEpB,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,IAAI,CAC1C,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,OAAO,KAAK,UAAU,CAClC,CAAC;QACF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,gCAAuB,CAAC,UAAU,CAAC,CAAC;QAChD,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjE,MAA
M,IAAI,wBAAe,CACvB,eAAe,UAAU,wBAAwB,CAClD,CAAC;QACJ,CAAC;QAED,MAAM,WAAW,GAAG,OAAO,CAAC,aAAa,CAAC,IAAI,CAC5C,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,KAAK,YAAY,CACnC,CAAC;QACF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,IAAI,wBAAe,CACvB,qCAAqC,YAAY,mBAAmB,UAAU,EAAE,CACjF,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,iBAAiB,CAAC,mBAAmB,CAC/C,WAAW,CAAC,YAAY,EACxB,gBAAgB,CACjB,CAAC;IACJ,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,uBAAuB,CAC3B,gBAA4B,EAC5B,YAAoB;QAEpB,OAAO,IAAI,CAAC,gBAAgB,CAC1B,IAAI,CAAC,MAAM,CAAC,iBAAiB,EAC7B,gBAAgB,EAChB,YAAY,CACb,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO;YACL,GAAG,IAAI,CAAC,MAAM;YACd,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;SAC9D,CAAC;IACJ,CAAC;IAED,uEAAuE;IAEvE;;;OAGG;IACK,KAAK,CAAC,oBAAoB,CAChC,OAAmB,EACnB,gBAA8B;QAE9B,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,CAC/B,gBAAgB,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,EAAE,EAAE;YACvC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAC5C,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,mBAAmB,CACnE,OAAO,EACP,SAAS,CACV,CAAC;YACF,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;QAClC,CAAC,CAAC,CACH,CAAC;QACF,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;;OAGG;IACK,YAAY,CAAC,SAAqB;QACxC,OAAO,MAAM;aACV,UAAU,CAAC,QAAQ,CAAC;aACpB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;aAC9B,MAAM,CAAC,KAAK,CAAC,CAAC;IACnB,CAAC;CACF;AA9MD,wCA8MC"}
|
package/src/lib/environment.d.ts
CHANGED
|
@@ -2,10 +2,12 @@ import { HexString } from '@digitaldefiance/ecies-lib';
|
|
|
2
2
|
import { Environment as BaseEnvironment } from '@digitaldefiance/node-express-suite';
|
|
3
3
|
import { BlockSize } from '@brightchain/brightchain-lib';
|
|
4
4
|
import { PlatformID } from '@digitaldefiance/node-ecies-lib';
|
|
5
|
+
import { IUpnpConfig } from '@digitaldefiance/node-express-suite';
|
|
5
6
|
import { IEnvironment } from './interfaces/environment';
|
|
6
7
|
import { IEnvironmentAws } from './interfaces/environment-aws';
|
|
7
8
|
import { DefaultBackendIdType } from './shared-types';
|
|
8
9
|
export declare class Environment<TID extends PlatformID = DefaultBackendIdType> extends BaseEnvironment<TID> implements IEnvironment<TID> {
|
|
10
|
+
private _upnp;
|
|
9
11
|
private _fontAwesomeKitId;
|
|
10
12
|
private _aws;
|
|
11
13
|
private _blockStorePath?;
|
|
@@ -16,6 +18,7 @@ export declare class Environment<TID extends PlatformID = DefaultBackendIdType>
|
|
|
16
18
|
set adminId(value: any);
|
|
17
19
|
get idAdapter(): (bytes: Uint8Array) => HexString;
|
|
18
20
|
constructor(path?: string, initialization?: boolean, override?: boolean);
|
|
21
|
+
get upnp(): IUpnpConfig;
|
|
19
22
|
get fontAwesomeKitId(): string;
|
|
20
23
|
get aws(): IEnvironmentAws;
|
|
21
24
|
get blockStorePath(): string | undefined;
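Review bot: The added `import { IUpnpConfig } from '@digitaldefiance/node-express-suite';` on new line 5 imports from the same specifier as line 2 (`Environment as BaseEnvironment`), so the two could be a single import, `import { Environment as BaseEnvironment, IUpnpConfig } from '@digitaldefiance/node-express-suite';`. Since this .d.ts is emitted by tsc, the merge belongs in environment.ts rather than in the declaration output. The `Environment` class declaration continues past the end of the second hunk.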
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"environment.d.ts","sourceRoot":"","sources":["../../../../brightchain-api-lib/src/lib/environment.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAgB,MAAM,4BAA4B,CAAC;AACrE,OAAO,EACL,WAAW,IAAI,eAAe,EAE/B,MAAM,qCAAqC,CAAC;AAE7C,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;
|
|
1
|
+
{"version":3,"file":"environment.d.ts","sourceRoot":"","sources":["../../../../brightchain-api-lib/src/lib/environment.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAgB,MAAM,4BAA4B,CAAC;AACrE,OAAO,EACL,WAAW,IAAI,eAAe,EAE/B,MAAM,qCAAqC,CAAC;AAE7C,OAAO,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AACzD,OAAO,EAAE,UAAU,EAAE,MAAM,iCAAiC,CAAC;AAC7D,OAAO,EAAE,WAAW,EAAc,MAAM,qCAAqC,CAAC;AAG9E,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AAEtD,qBAAa,WAAW,CAAC,GAAG,SAAS,UAAU,GAAG,oBAAoB,CACpE,SAAQ,eAAe,CAAC,GAAG,CAC3B,YAAW,YAAY,CAAC,GAAG,CAAC;IAE5B,OAAO,CAAC,KAAK,CAAc;IAC3B,OAAO,CAAC,iBAAiB,CAAS;IAClC,OAAO,CAAC,IAAI,CAAkB;IAC9B,OAAO,CAAC,eAAe,CAAC,CAAS;IACjC,OAAO,CAAC,oBAAoB,CAAY;IACxC,OAAO,CAAC,uBAAuB,CAAU;IAEzC,OAAO,CAAC,QAAQ,CAAM;IACtB,IAAoB,OAAO,IAAI,GAAG,CAEjC;IACD,IAAoB,OAAO,CAAC,KAAK,EAAE,GAAG,EAErC;IAED,IAAW,SAAS,IAAI,CAAC,KAAK,EAAE,UAAU,KAAK,SAAS,CAMvD;gBAEW,IAAI,CAAC,EAAE,MAAM,EAAE,cAAc,UAAQ,EAAE,QAAQ,UAAO;IAqDlE,IAAW,IAAI,IAAI,WAAW,CAE7B;IAED,IAAW,gBAAgB,IAAI,MAAM,CAEpC;IAED,IAAW,GAAG,IAAI,eAAe,CAEhC;IAED,IAAW,cAAc,IAAI,MAAM,GAAG,SAAS,CAE9C;IAED,IAAW,mBAAmB,IAAI,SAAS,CAE1C;IAED,IAAW,sBAAsB,IAAI,OAAO,CAE3C;CACF"}
|