@commit451/salamander 1.2.0 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +42 -42
- package/bin/salamander.js +1 -1
- package/dist/commands/runner-selection.d.ts +1 -1
- package/dist/commands/runner-selection.d.ts.map +1 -1
- package/dist/commands/runner-selection.js +68 -12
- package/dist/commands/runner-selection.js.map +1 -1
- package/dist/services/auth.d.ts.map +1 -1
- package/dist/services/auth.js +80 -50
- package/dist/services/auth.js.map +1 -1
- package/dist/services/command-listener.d.ts +1 -0
- package/dist/services/command-listener.d.ts.map +1 -1
- package/dist/services/command-listener.js +30 -7
- package/dist/services/command-listener.js.map +1 -1
- package/dist/services/crypto.d.ts +52 -0
- package/dist/services/crypto.d.ts.map +1 -0
- package/dist/services/crypto.js +104 -0
- package/dist/services/crypto.js.map +1 -0
- package/dist/services/key-manager.d.ts +45 -0
- package/dist/services/key-manager.d.ts.map +1 -0
- package/dist/services/key-manager.js +123 -0
- package/dist/services/key-manager.js.map +1 -0
- package/dist/services/multi-device-key-manager.d.ts +56 -0
- package/dist/services/multi-device-key-manager.d.ts.map +1 -0
- package/dist/services/multi-device-key-manager.js +159 -0
- package/dist/services/multi-device-key-manager.js.map +1 -0
- package/dist/services/runner.d.ts.map +1 -1
- package/dist/services/runner.js +56 -19
- package/dist/services/runner.js.map +1 -1
- package/dist/utils/storage.d.ts +5 -0
- package/dist/utils/storage.d.ts.map +1 -1
- package/dist/utils/storage.js +14 -0
- package/dist/utils/storage.js.map +1 -1
- package/package.json +52 -52
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
export interface KeyPair {
|
|
2
|
+
publicKey: string;
|
|
3
|
+
privateKey: string;
|
|
4
|
+
}
|
|
5
|
+
export interface EncryptedMessage {
|
|
6
|
+
encryptedData: string;
|
|
7
|
+
iv: string;
|
|
8
|
+
tag: string;
|
|
9
|
+
}
|
|
10
|
+
export declare class CryptoService {
|
|
11
|
+
private static readonly ALGORITHM;
|
|
12
|
+
private static readonly IV_LENGTH;
|
|
13
|
+
private static readonly TAG_LENGTH;
|
|
14
|
+
private static readonly KEY_LENGTH;
|
|
15
|
+
/**
|
|
16
|
+
* Generate an ECDH key pair for key exchange
|
|
17
|
+
*/
|
|
18
|
+
static generateECDHKeyPair(): KeyPair;
|
|
19
|
+
/**
|
|
20
|
+
* Derive a shared secret from ECDH key exchange
|
|
21
|
+
*/
|
|
22
|
+
static deriveSharedSecret(privateKey: string, publicKey: string): string;
|
|
23
|
+
/**
|
|
24
|
+
* Encrypt a message using AES-256-GCM
|
|
25
|
+
*/
|
|
26
|
+
static encrypt(message: string, key: string): EncryptedMessage;
|
|
27
|
+
/**
|
|
28
|
+
* Decrypt a message using AES-256-GCM
|
|
29
|
+
*/
|
|
30
|
+
static decrypt(encryptedMessage: EncryptedMessage, key: string): string;
|
|
31
|
+
/**
|
|
32
|
+
* Generate a random 256-bit key for symmetric encryption
|
|
33
|
+
*/
|
|
34
|
+
static generateRandomKey(): string;
|
|
35
|
+
/**
|
|
36
|
+
* Check if a message appears to be encrypted
|
|
37
|
+
*/
|
|
38
|
+
static isEncrypted(message: string): boolean;
|
|
39
|
+
/**
|
|
40
|
+
* Safely encrypt a message, handling both string and object inputs
|
|
41
|
+
*/
|
|
42
|
+
static safeEncrypt(data: any, key: string): string;
|
|
43
|
+
/**
|
|
44
|
+
* Safely decrypt a message, throwing error if decryption fails
|
|
45
|
+
*/
|
|
46
|
+
static safeDecrypt(encryptedData: string, key: string): string;
|
|
47
|
+
/**
|
|
48
|
+
* Create a hash of the key for identification purposes
|
|
49
|
+
*/
|
|
50
|
+
static createKeyHash(key: string): string;
|
|
51
|
+
}
|
|
52
|
+
//# sourceMappingURL=crypto.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/services/crypto.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,OAAO;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,gBAAgB;IAC7B,aAAa,EAAE,MAAM,CAAC;IACtB,EAAE,EAAE,MAAM,CAAC;IACX,GAAG,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,aAAa;IACtB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAiB;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAM;IACvC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAM;IACxC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAM;IAExC;;OAEG;IACH,MAAM,CAAC,mBAAmB,IAAI,OAAO;IAUrC;;OAEG;IACH,MAAM,CAAC,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM;IAYxE;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,gBAAgB;IAmB9D;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM;IAevE;;OAEG;IACH,MAAM,CAAC,iBAAiB,IAAI,MAAM;IAKlC;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAS5C;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM;IAMlD;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,MAAM;IAS9D;;OAEG;IACH,MAAM,CAAC,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;CAG5C"}
|
|
@@ -0,0 +1,104 @@
|
|
|
1
|
+
import * as crypto from 'node:crypto';
|
|
2
|
+
export class CryptoService {
|
|
3
|
+
static ALGORITHM = 'aes-256-gcm';
|
|
4
|
+
static IV_LENGTH = 16;
|
|
5
|
+
static TAG_LENGTH = 16;
|
|
6
|
+
static KEY_LENGTH = 32;
|
|
7
|
+
/**
|
|
8
|
+
* Generate an ECDH key pair for key exchange
|
|
9
|
+
*/
|
|
10
|
+
static generateECDHKeyPair() {
|
|
11
|
+
const ecdh = crypto.createECDH('secp256k1');
|
|
12
|
+
ecdh.generateKeys();
|
|
13
|
+
return {
|
|
14
|
+
publicKey: ecdh.getPublicKey('base64'),
|
|
15
|
+
privateKey: ecdh.getPrivateKey('base64')
|
|
16
|
+
};
|
|
17
|
+
}
|
|
18
|
+
/**
|
|
19
|
+
* Derive a shared secret from ECDH key exchange
|
|
20
|
+
*/
|
|
21
|
+
static deriveSharedSecret(privateKey, publicKey) {
|
|
22
|
+
const ecdh = crypto.createECDH('secp256k1');
|
|
23
|
+
ecdh.setPrivateKey(privateKey, 'base64');
|
|
24
|
+
const sharedSecret = ecdh.computeSecret(publicKey, 'base64');
|
|
25
|
+
// Use HKDF to derive a proper encryption key
|
|
26
|
+
const derivedKey = crypto.hkdfSync('sha256', sharedSecret, '', 'salamander-e2e-encryption', CryptoService.KEY_LENGTH);
|
|
27
|
+
return Buffer.from(derivedKey).toString('base64');
|
|
28
|
+
}
|
|
29
|
+
/**
|
|
30
|
+
* Encrypt a message using AES-256-GCM
|
|
31
|
+
*/
|
|
32
|
+
static encrypt(message, key) {
|
|
33
|
+
const keyBuffer = Buffer.from(key, 'base64');
|
|
34
|
+
const iv = crypto.randomBytes(CryptoService.IV_LENGTH);
|
|
35
|
+
const cipher = crypto.createCipheriv(CryptoService.ALGORITHM, keyBuffer, iv);
|
|
36
|
+
cipher.setAAD(Buffer.from('salamander'));
|
|
37
|
+
let encryptedData = cipher.update(message, 'utf8', 'base64');
|
|
38
|
+
encryptedData += cipher.final('base64');
|
|
39
|
+
const tag = cipher.getAuthTag();
|
|
40
|
+
return {
|
|
41
|
+
encryptedData,
|
|
42
|
+
iv: iv.toString('base64'),
|
|
43
|
+
tag: tag.toString('base64')
|
|
44
|
+
};
|
|
45
|
+
}
|
|
46
|
+
/**
|
|
47
|
+
* Decrypt a message using AES-256-GCM
|
|
48
|
+
*/
|
|
49
|
+
static decrypt(encryptedMessage, key) {
|
|
50
|
+
const keyBuffer = Buffer.from(key, 'base64');
|
|
51
|
+
const iv = Buffer.from(encryptedMessage.iv, 'base64');
|
|
52
|
+
const tag = Buffer.from(encryptedMessage.tag, 'base64');
|
|
53
|
+
const decipher = crypto.createDecipheriv(CryptoService.ALGORITHM, keyBuffer, iv);
|
|
54
|
+
decipher.setAAD(Buffer.from('salamander'));
|
|
55
|
+
decipher.setAuthTag(tag);
|
|
56
|
+
let decryptedData = decipher.update(encryptedMessage.encryptedData, 'base64', 'utf8');
|
|
57
|
+
decryptedData += decipher.final('utf8');
|
|
58
|
+
return decryptedData;
|
|
59
|
+
}
|
|
60
|
+
/**
|
|
61
|
+
* Generate a random 256-bit key for symmetric encryption
|
|
62
|
+
*/
|
|
63
|
+
static generateRandomKey() {
|
|
64
|
+
const key = crypto.randomBytes(CryptoService.KEY_LENGTH);
|
|
65
|
+
return key.toString('base64');
|
|
66
|
+
}
|
|
67
|
+
/**
|
|
68
|
+
* Check if a message appears to be encrypted
|
|
69
|
+
*/
|
|
70
|
+
static isEncrypted(message) {
|
|
71
|
+
try {
|
|
72
|
+
const parsed = JSON.parse(message);
|
|
73
|
+
return parsed.encryptedData && parsed.iv && parsed.tag;
|
|
74
|
+
}
|
|
75
|
+
catch {
|
|
76
|
+
return false;
|
|
77
|
+
}
|
|
78
|
+
}
|
|
79
|
+
/**
|
|
80
|
+
* Safely encrypt a message, handling both string and object inputs
|
|
81
|
+
*/
|
|
82
|
+
static safeEncrypt(data, key) {
|
|
83
|
+
const message = typeof data === 'string' ? data : JSON.stringify(data);
|
|
84
|
+
const encrypted = this.encrypt(message, key);
|
|
85
|
+
return JSON.stringify(encrypted);
|
|
86
|
+
}
|
|
87
|
+
/**
|
|
88
|
+
* Safely decrypt a message, throwing error if decryption fails
|
|
89
|
+
*/
|
|
90
|
+
static safeDecrypt(encryptedData, key) {
|
|
91
|
+
if (!this.isEncrypted(encryptedData)) {
|
|
92
|
+
throw new Error('Message is not encrypted - encryption is required');
|
|
93
|
+
}
|
|
94
|
+
const encryptedMessage = JSON.parse(encryptedData);
|
|
95
|
+
return this.decrypt(encryptedMessage, key);
|
|
96
|
+
}
|
|
97
|
+
/**
|
|
98
|
+
* Create a hash of the key for identification purposes
|
|
99
|
+
*/
|
|
100
|
+
static createKeyHash(key) {
|
|
101
|
+
return crypto.createHash('sha256').update(key).digest('hex').substring(0, 16);
|
|
102
|
+
}
|
|
103
|
+
}
|
|
104
|
+
//# sourceMappingURL=crypto.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/services/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAatC,MAAM,OAAO,aAAa;IACd,MAAM,CAAU,SAAS,GAAG,aAAa,CAAC;IAC1C,MAAM,CAAU,SAAS,GAAG,EAAE,CAAC;IAC/B,MAAM,CAAU,UAAU,GAAG,EAAE,CAAC;IAChC,MAAM,CAAU,UAAU,GAAG,EAAE,CAAC;IAExC;;OAEG;IACH,MAAM,CAAC,mBAAmB;QACtB,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAC5C,IAAI,CAAC,YAAY,EAAE,CAAC;QAEpB,OAAO;YACH,SAAS,EAAE,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC;YACtC,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC;SAC3C,CAAC;IACN,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,kBAAkB,CAAC,UAAkB,EAAE,SAAiB;QAC3D,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC;QAC5C,IAAI,CAAC,aAAa,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;QAEzC,MAAM,YAAY,GAAG,IAAI,CAAC,aAAa,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;QAE7D,6CAA6C;QAC7C,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,QAAQ,EAAE,YAAY,EAAE,EAAE,EAAE,2BAA2B,EAAE,aAAa,CAAC,UAAU,CAAC,CAAC;QAEtH,OAAO,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,OAAe,EAAE,GAAW;QACvC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC7C,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC;QAEvD,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QAC7E,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;QAEzC,IAAI,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC7D,aAAa,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAExC,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAEhC,OAAO;YACH,aAAa;YACb,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACzB,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;SAC9B,CAAC;IACN,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,gBAAkC,EAAE,GAAW;QAC1D,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAC7C,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QACtD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAExD,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;QACjF,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;QAC3C,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QAEzB,IAAI,aAAa,GAAG,QAAQ,CAAC,MAAM,CAAC,gBAAgB,CAAC,aAAa,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QACtF,aAAa,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAExC,OAAO,aAAa,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,iBAAiB;QACpB,MAAM,GAAG,GAAG,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;QACzD,OAAO,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,OAAe;QAC9B,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,OAAO,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,EAAE,IAAI,MAAM,CAAC,GAAG,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,IAAS,EAAE,GAAW;QACrC,MAAM,OAAO,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACvE,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC7C,OAAO,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACrC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,WAAW,CAAC,aAAqB,EAAE,GAAW;QACjD,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,EAAE,CAAC;YACnC,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACzE,CAAC;QAED,MAAM,gBAAgB,GAAqB,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QACrE,OAAO,IAAI,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;IAC/C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,aAAa,CAAC,GAAW;QAC5B,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClF,CAAC"}
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
import { KeyPair } from './crypto.js';
|
|
2
|
+
export declare class KeyManagerService {
|
|
3
|
+
private static readonly KEYS_STORAGE_KEY;
|
|
4
|
+
private static readonly KEY_EXPIRY_DAYS;
|
|
5
|
+
/**
|
|
6
|
+
* Initialize keys for a new runner
|
|
7
|
+
*/
|
|
8
|
+
static initializeRunnerKeys(runnerId: string): Promise<KeyPair>;
|
|
9
|
+
/**
|
|
10
|
+
* Complete the key exchange with the Flutter app's public key
|
|
11
|
+
*/
|
|
12
|
+
static completeKeyExchange(runnerId: string, flutterPublicKey: string): Promise<string>;
|
|
13
|
+
/**
|
|
14
|
+
* Get the shared secret for encryption/decryption
|
|
15
|
+
*/
|
|
16
|
+
static getSharedSecret(runnerId: string): Promise<string | null>;
|
|
17
|
+
/**
|
|
18
|
+
* Get the CLI's public key for a runner
|
|
19
|
+
*/
|
|
20
|
+
static getPublicKey(runnerId: string): Promise<string | null>;
|
|
21
|
+
/**
|
|
22
|
+
* Check if keys exist and are properly initialized for a runner
|
|
23
|
+
*/
|
|
24
|
+
static hasValidKeys(runnerId: string): Promise<boolean>;
|
|
25
|
+
/**
|
|
26
|
+
* Rotate keys for a runner (generate new key pair)
|
|
27
|
+
*/
|
|
28
|
+
static rotateKeys(runnerId: string): Promise<KeyPair>;
|
|
29
|
+
/**
|
|
30
|
+
* Remove keys for a runner (when runner is deleted)
|
|
31
|
+
*/
|
|
32
|
+
static removeRunnerKeys(runnerId: string): Promise<void>;
|
|
33
|
+
/**
|
|
34
|
+
* Get all runners that have encryption keys
|
|
35
|
+
*/
|
|
36
|
+
static getEncryptedRunnerIds(): Promise<string[]>;
|
|
37
|
+
/**
|
|
38
|
+
* Cleanup expired keys
|
|
39
|
+
*/
|
|
40
|
+
static cleanupExpiredKeys(): Promise<number>;
|
|
41
|
+
private static getRunnerKeys;
|
|
42
|
+
private static storeRunnerKeys;
|
|
43
|
+
private static getAllStoredKeys;
|
|
44
|
+
}
|
|
45
|
+
//# sourceMappingURL=key-manager.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"key-manager.d.ts","sourceRoot":"","sources":["../../src/services/key-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAgB,OAAO,EAAC,MAAM,aAAa,CAAC;AAUnD,qBAAa,iBAAiB;IAC1B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAA4B;IACpE,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAM;IAE7C;;OAEG;WACU,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAYrE;;OAEG;WACU,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAoB7F;;OAEG;WACU,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAetE;;OAEG;WACU,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAKnE;;OAEG;WACU,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK7D;;OAEG;WACU,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAK3D;;OAEG;WACU,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAM9D;;OAEG;WACU,qBAAqB,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAQvD;;OAEG;WACU,kBAAkB,IAAI,OAAO,CAAC,MAAM,CAAC;mBAwB7B,aAAa;mBAKb,eAAe;mBAMf,gBAAgB;CAGxC"}
|
|
@@ -0,0 +1,123 @@
|
|
|
1
|
+
import { CryptoService } from './crypto.js';
|
|
2
|
+
import { StorageService } from '../utils/storage.js';
|
|
3
|
+
export class KeyManagerService {
|
|
4
|
+
static KEYS_STORAGE_KEY = 'salamander_runner_keys';
|
|
5
|
+
static KEY_EXPIRY_DAYS = 30;
|
|
6
|
+
/**
|
|
7
|
+
* Initialize keys for a new runner
|
|
8
|
+
*/
|
|
9
|
+
static async initializeRunnerKeys(runnerId) {
|
|
10
|
+
const ecdhKeyPair = CryptoService.generateECDHKeyPair();
|
|
11
|
+
const runnerKeys = {
|
|
12
|
+
ecdhKeyPair,
|
|
13
|
+
createdAt: Date.now()
|
|
14
|
+
};
|
|
15
|
+
await this.storeRunnerKeys(runnerId, runnerKeys);
|
|
16
|
+
return ecdhKeyPair;
|
|
17
|
+
}
|
|
18
|
+
/**
|
|
19
|
+
* Complete the key exchange with the Flutter app's public key
|
|
20
|
+
*/
|
|
21
|
+
static async completeKeyExchange(runnerId, flutterPublicKey) {
|
|
22
|
+
const runnerKeys = await this.getRunnerKeys(runnerId);
|
|
23
|
+
if (!runnerKeys) {
|
|
24
|
+
throw new Error(`No keys found for runner ${runnerId}`);
|
|
25
|
+
}
|
|
26
|
+
// Derive shared secret using our private key and Flutter's public key
|
|
27
|
+
const sharedSecret = CryptoService.deriveSharedSecret(runnerKeys.ecdhKeyPair.privateKey, flutterPublicKey);
|
|
28
|
+
// Update stored keys with shared secret
|
|
29
|
+
runnerKeys.sharedSecret = sharedSecret;
|
|
30
|
+
runnerKeys.keyHash = CryptoService.createKeyHash(sharedSecret);
|
|
31
|
+
await this.storeRunnerKeys(runnerId, runnerKeys);
|
|
32
|
+
return sharedSecret;
|
|
33
|
+
}
|
|
34
|
+
/**
|
|
35
|
+
* Get the shared secret for encryption/decryption
|
|
36
|
+
*/
|
|
37
|
+
static async getSharedSecret(runnerId) {
|
|
38
|
+
const runnerKeys = await this.getRunnerKeys(runnerId);
|
|
39
|
+
if (!runnerKeys?.sharedSecret) {
|
|
40
|
+
return null;
|
|
41
|
+
}
|
|
42
|
+
// Check if keys are expired
|
|
43
|
+
const daysSinceCreation = (Date.now() - runnerKeys.createdAt) / (1000 * 60 * 60 * 24);
|
|
44
|
+
if (daysSinceCreation > this.KEY_EXPIRY_DAYS) {
|
|
45
|
+
console.warn(`Keys for runner ${runnerId} have expired. Consider key rotation.`);
|
|
46
|
+
}
|
|
47
|
+
return runnerKeys.sharedSecret;
|
|
48
|
+
}
|
|
49
|
+
/**
|
|
50
|
+
* Get the CLI's public key for a runner
|
|
51
|
+
*/
|
|
52
|
+
static async getPublicKey(runnerId) {
|
|
53
|
+
const runnerKeys = await this.getRunnerKeys(runnerId);
|
|
54
|
+
return runnerKeys?.ecdhKeyPair.publicKey ?? null;
|
|
55
|
+
}
|
|
56
|
+
/**
|
|
57
|
+
* Check if keys exist and are properly initialized for a runner
|
|
58
|
+
*/
|
|
59
|
+
static async hasValidKeys(runnerId) {
|
|
60
|
+
const runnerKeys = await this.getRunnerKeys(runnerId);
|
|
61
|
+
return !!(runnerKeys?.ecdhKeyPair && runnerKeys?.sharedSecret);
|
|
62
|
+
}
|
|
63
|
+
/**
|
|
64
|
+
* Rotate keys for a runner (generate new key pair)
|
|
65
|
+
*/
|
|
66
|
+
static async rotateKeys(runnerId) {
|
|
67
|
+
console.log(`Rotating keys for runner ${runnerId}`);
|
|
68
|
+
return await this.initializeRunnerKeys(runnerId);
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* Remove keys for a runner (when runner is deleted)
|
|
72
|
+
*/
|
|
73
|
+
static async removeRunnerKeys(runnerId) {
|
|
74
|
+
const allKeys = await this.getAllStoredKeys();
|
|
75
|
+
delete allKeys[runnerId];
|
|
76
|
+
await StorageService.set(this.KEYS_STORAGE_KEY, allKeys);
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Get all runners that have encryption keys
|
|
80
|
+
*/
|
|
81
|
+
static async getEncryptedRunnerIds() {
|
|
82
|
+
const allKeys = await this.getAllStoredKeys();
|
|
83
|
+
return Object.keys(allKeys).filter(runnerId => {
|
|
84
|
+
const keys = allKeys[runnerId];
|
|
85
|
+
return keys?.sharedSecret;
|
|
86
|
+
});
|
|
87
|
+
}
|
|
88
|
+
/**
|
|
89
|
+
* Cleanup expired keys
|
|
90
|
+
*/
|
|
91
|
+
static async cleanupExpiredKeys() {
|
|
92
|
+
const allKeys = await this.getAllStoredKeys();
|
|
93
|
+
const now = Date.now();
|
|
94
|
+
let cleanedCount = 0;
|
|
95
|
+
const updatedKeys = {};
|
|
96
|
+
for (const [runnerId, keys] of Object.entries(allKeys)) {
|
|
97
|
+
const daysSinceCreation = (now - keys.createdAt) / (1000 * 60 * 60 * 24);
|
|
98
|
+
if (daysSinceCreation <= this.KEY_EXPIRY_DAYS) {
|
|
99
|
+
updatedKeys[runnerId] = keys;
|
|
100
|
+
}
|
|
101
|
+
else {
|
|
102
|
+
cleanedCount++;
|
|
103
|
+
console.log(`Cleaned up expired keys for runner ${runnerId}`);
|
|
104
|
+
}
|
|
105
|
+
}
|
|
106
|
+
await StorageService.set(this.KEYS_STORAGE_KEY, updatedKeys);
|
|
107
|
+
return cleanedCount;
|
|
108
|
+
}
|
|
109
|
+
// Private helper methods
|
|
110
|
+
static async getRunnerKeys(runnerId) {
|
|
111
|
+
const allKeys = await this.getAllStoredKeys();
|
|
112
|
+
return allKeys[runnerId] ?? null;
|
|
113
|
+
}
|
|
114
|
+
static async storeRunnerKeys(runnerId, keys) {
|
|
115
|
+
const allKeys = await this.getAllStoredKeys();
|
|
116
|
+
allKeys[runnerId] = keys;
|
|
117
|
+
await StorageService.set(this.KEYS_STORAGE_KEY, allKeys);
|
|
118
|
+
}
|
|
119
|
+
static async getAllStoredKeys() {
|
|
120
|
+
return (await StorageService.get(this.KEYS_STORAGE_KEY)) ?? {};
|
|
121
|
+
}
|
|
122
|
+
}
|
|
123
|
+
//# sourceMappingURL=key-manager.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"key-manager.js","sourceRoot":"","sources":["../../src/services/key-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,aAAa,EAAU,MAAM,aAAa,CAAC;AACnD,OAAO,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AASnD,MAAM,OAAO,iBAAiB;IAClB,MAAM,CAAU,gBAAgB,GAAG,wBAAwB,CAAC;IAC5D,MAAM,CAAU,eAAe,GAAG,EAAE,CAAC;IAE7C;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,QAAgB;QAC9C,MAAM,WAAW,GAAG,aAAa,CAAC,mBAAmB,EAAE,CAAC;QAExD,MAAM,UAAU,GAAe;YAC3B,WAAW;YACX,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC;QAEF,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjD,OAAO,WAAW,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,QAAgB,EAAE,gBAAwB;QACvE,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACtD,IAAI,CAAC,UAAU,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;QAC5D,CAAC;QAED,sEAAsE;QACtE,MAAM,YAAY,GAAG,aAAa,CAAC,kBAAkB,CACjD,UAAU,CAAC,WAAW,CAAC,UAAU,EACjC,gBAAgB,CACnB,CAAC;QAEF,wCAAwC;QACxC,UAAU,CAAC,YAAY,GAAG,YAAY,CAAC;QACvC,UAAU,CAAC,OAAO,GAAG,aAAa,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;QAE/D,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACjD,OAAO,YAAY,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,QAAgB;QACzC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACtD,IAAI,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,4BAA4B;QAC5B,MAAM,iBAAiB,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;QACtF,IAAI,iBAAiB,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC,mBAAmB,QAAQ,uCAAuC,CAAC,CAAC;QACrF,CAAC;QAED,OAAO,UAAU,CAAC,YAAY,CAAC;IACnC,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,QAAgB;QACtC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACtD,OAAO,UAAU,EAAE,WAAW,CAAC,SAAS,IAAI,IAAI,CAAC;IACrD,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,QAAgB;QACtC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACtD,OAAO,CAAC,CAAC,CAAC,UAAU,EAAE,WAAW,IAAI,UAAU,EAAE,YAAY,CAAC,CAAC;IACnE,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,QAAgB;QACpC,OAAO,CAAC,GAAG,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;QACpD,OAAO,MAAM,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IACrD,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAgB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC9C,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;QACzB,MAAM,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IAC7D,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,qBAAqB;QAC9B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE;YAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;YAC/B,OAAO,IAAI,EAAE,YAAY,CAAC;QAC9B,CAAC,CAAC,CAAC;IACP,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,kBAAkB;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,MAAM,WAAW,GAA+B,EAAE,CAAC;QAEnD,KAAK,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACrD,MAAM,iBAAiB,GAAG,CAAC,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;YAEzE,IAAI,iBAAiB,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBAC5C,WAAW,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;YACjC,CAAC;iBAAM,CAAC;gBACJ,YAAY,EAAE,CAAC;gBACf,OAAO,CAAC,GAAG,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;YAClE,CAAC;QACL,CAAC;QAED,MAAM,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE,WAAW,CAAC,CAAC;QAC7D,OAAO,YAAY,CAAC;IACxB,CAAC;IAED,yBAAyB;IAEjB,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,QAAgB;QAC/C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC9C,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IACrC,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,QAAgB,EAAE,IAAgB;QACnE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC9C,OAAO,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;QACzB,MAAM,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IAC7D,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,gBAAgB;QACjC,OAAO,CAAC,MAAM,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,EAAE,CAAC;IACnE,CAAC"}
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
import { type DeviceKey } from '../types/runner.js';
|
|
2
|
+
export declare class MultiDeviceKeyManagerService {
|
|
3
|
+
private static readonly KEYS_STORAGE_KEY;
|
|
4
|
+
private static readonly KEY_EXPIRY_DAYS;
|
|
5
|
+
/**
|
|
6
|
+
* Initialize keys for a new runner (CLI side)
|
|
7
|
+
*/
|
|
8
|
+
static initializeRunnerKeys(runnerId: string): Promise<{
|
|
9
|
+
publicKey: string;
|
|
10
|
+
privateKey: string;
|
|
11
|
+
}>;
|
|
12
|
+
/**
|
|
13
|
+
* Register a new device and derive shared secret
|
|
14
|
+
*/
|
|
15
|
+
static registerDevice(runnerId: string, deviceKey: DeviceKey): Promise<string>;
|
|
16
|
+
/**
|
|
17
|
+
* Remove a device from the runner
|
|
18
|
+
*/
|
|
19
|
+
static removeDevice(runnerId: string, deviceId: string): Promise<void>;
|
|
20
|
+
/**
|
|
21
|
+
* Get shared secret for specific device
|
|
22
|
+
*/
|
|
23
|
+
static getSharedSecret(runnerId: string, deviceId: string): Promise<string | null>;
|
|
24
|
+
/**
|
|
25
|
+
* Get all registered device IDs for a runner
|
|
26
|
+
*/
|
|
27
|
+
static getRegisteredDevices(runnerId: string): Promise<string[]>;
|
|
28
|
+
/**
|
|
29
|
+
* Encrypt command for specific device
|
|
30
|
+
*/
|
|
31
|
+
static encryptForDevice(runnerId: string, deviceId: string, command: string): Promise<string>;
|
|
32
|
+
/**
|
|
33
|
+
* Encrypt command for all registered devices
|
|
34
|
+
*/
|
|
35
|
+
static encryptForAllDevices(runnerId: string, command: string): Promise<Record<string, string>>;
|
|
36
|
+
/**
|
|
37
|
+
* Decrypt command from specific device
|
|
38
|
+
*/
|
|
39
|
+
static decryptFromDevice(runnerId: string, deviceId: string, encryptedCommand: string): Promise<string>;
|
|
40
|
+
/**
|
|
41
|
+
* Check if runner has any registered devices
|
|
42
|
+
*/
|
|
43
|
+
static hasRegisteredDevices(runnerId: string): Promise<boolean>;
|
|
44
|
+
/**
|
|
45
|
+
* Clean up all keys for a runner
|
|
46
|
+
*/
|
|
47
|
+
static removeRunnerKeys(runnerId: string): Promise<void>;
|
|
48
|
+
/**
|
|
49
|
+
* Get CLI's public key for a runner
|
|
50
|
+
*/
|
|
51
|
+
static getCliPublicKey(runnerId: string): Promise<string | null>;
|
|
52
|
+
private static getRunnerKeys;
|
|
53
|
+
private static storeRunnerKeys;
|
|
54
|
+
private static getAllStoredKeys;
|
|
55
|
+
}
|
|
56
|
+
//# sourceMappingURL=multi-device-key-manager.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"multi-device-key-manager.d.ts","sourceRoot":"","sources":["../../src/services/multi-device-key-manager.ts"],"names":[],"mappings":"AAEA,OAAO,EAAC,KAAK,SAAS,EAAC,MAAM,oBAAoB,CAAC;AASlD,qBAAa,4BAA4B;IACrC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAkC;IAC1E,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAM;IAE7C;;OAEG;WACU,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAC,CAAC;IAcrG;;OAEG;WACU,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;IA6BpF;;OAEG;WACU,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAa5E;;OAEG;WACU,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAexF;;OAEG;WACU,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAStE;;OAEG;WACU,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IASnG;;OAEG;WACU,oBAAoB,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAuBrG;;OAEG;WACU,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAS7G;;OAEG;WACU,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKrE;;OAEG;WACU,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO9D;;OAEG;WACU,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;mBAOjD,aAAa;mBAKb,eAAe;mBAMf,gBAAgB;CAGxC"}
|
|
@@ -0,0 +1,159 @@
|
|
|
1
|
+
import { CryptoService } from './crypto.js';
|
|
2
|
+
import { StorageService } from '../utils/storage.js';
|
|
3
|
+
export class MultiDeviceKeyManagerService {
|
|
4
|
+
static KEYS_STORAGE_KEY = 'salamander_multi_device_keys';
|
|
5
|
+
static KEY_EXPIRY_DAYS = 30;
|
|
6
|
+
/**
|
|
7
|
+
* Initialize keys for a new runner (CLI side)
|
|
8
|
+
*/
|
|
9
|
+
static async initializeRunnerKeys(runnerId) {
|
|
10
|
+
const ecdhKeyPair = CryptoService.generateECDHKeyPair();
|
|
11
|
+
const keyData = {
|
|
12
|
+
ecdhKeyPair,
|
|
13
|
+
sharedSecrets: {},
|
|
14
|
+
keyHashes: {},
|
|
15
|
+
createdAt: Date.now()
|
|
16
|
+
};
|
|
17
|
+
await this.storeRunnerKeys(runnerId, keyData);
|
|
18
|
+
return ecdhKeyPair;
|
|
19
|
+
}
|
|
20
|
+
/**
|
|
21
|
+
* Register a new device and derive shared secret
|
|
22
|
+
*/
|
|
23
|
+
static async registerDevice(runnerId, deviceKey) {
|
|
24
|
+
const keyData = await this.getRunnerKeys(runnerId);
|
|
25
|
+
if (!keyData) {
|
|
26
|
+
throw new Error(`No keys found for runner ${runnerId}`);
|
|
27
|
+
}
|
|
28
|
+
// Derive shared secret with this device
|
|
29
|
+
const sharedSecret = CryptoService.deriveSharedSecret(keyData.ecdhKeyPair.privateKey, deviceKey.publicKey);
|
|
30
|
+
const keyHash = CryptoService.createKeyHash(sharedSecret);
|
|
31
|
+
// Verify the key hash matches what the device expects
|
|
32
|
+
if (keyHash !== deviceKey.keyHash) {
|
|
33
|
+
throw new Error('Key hash mismatch during device registration');
|
|
34
|
+
}
|
|
35
|
+
// Store the shared secret for this device
|
|
36
|
+
keyData.sharedSecrets[deviceKey.deviceId] = sharedSecret;
|
|
37
|
+
keyData.keyHashes[deviceKey.deviceId] = keyHash;
|
|
38
|
+
await this.storeRunnerKeys(runnerId, keyData);
|
|
39
|
+
console.log(`✓ Device ${deviceKey.deviceId} registered for runner ${runnerId}`);
|
|
40
|
+
return sharedSecret;
|
|
41
|
+
}
|
|
42
|
+
/**
|
|
43
|
+
* Remove a device from the runner
|
|
44
|
+
*/
|
|
45
|
+
static async removeDevice(runnerId, deviceId) {
|
|
46
|
+
const keyData = await this.getRunnerKeys(runnerId);
|
|
47
|
+
if (!keyData) {
|
|
48
|
+
return; // No keys to clean up
|
|
49
|
+
}
|
|
50
|
+
delete keyData.sharedSecrets[deviceId];
|
|
51
|
+
delete keyData.keyHashes[deviceId];
|
|
52
|
+
await this.storeRunnerKeys(runnerId, keyData);
|
|
53
|
+
console.log(`Device ${deviceId} removed from runner ${runnerId}`);
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Get shared secret for specific device
|
|
57
|
+
*/
|
|
58
|
+
static async getSharedSecret(runnerId, deviceId) {
|
|
59
|
+
const keyData = await this.getRunnerKeys(runnerId);
|
|
60
|
+
if (!keyData) {
|
|
61
|
+
return null;
|
|
62
|
+
}
|
|
63
|
+
// Check if keys are expired
|
|
64
|
+
const daysSinceCreation = (Date.now() - keyData.createdAt) / (1000 * 60 * 60 * 24);
|
|
65
|
+
if (daysSinceCreation > this.KEY_EXPIRY_DAYS) {
|
|
66
|
+
console.warn(`Keys for runner ${runnerId} have expired. Consider key rotation.`);
|
|
67
|
+
}
|
|
68
|
+
return keyData.sharedSecrets[deviceId] || null;
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* Get all registered device IDs for a runner
|
|
72
|
+
*/
|
|
73
|
+
static async getRegisteredDevices(runnerId) {
|
|
74
|
+
const keyData = await this.getRunnerKeys(runnerId);
|
|
75
|
+
if (!keyData) {
|
|
76
|
+
return [];
|
|
77
|
+
}
|
|
78
|
+
return Object.keys(keyData.sharedSecrets);
|
|
79
|
+
}
|
|
80
|
+
/**
|
|
81
|
+
* Encrypt command for specific device
|
|
82
|
+
*/
|
|
83
|
+
static async encryptForDevice(runnerId, deviceId, command) {
|
|
84
|
+
const sharedSecret = await this.getSharedSecret(runnerId, deviceId);
|
|
85
|
+
if (!sharedSecret) {
|
|
86
|
+
throw new Error(`No shared secret found for device ${deviceId} on runner ${runnerId}`);
|
|
87
|
+
}
|
|
88
|
+
return CryptoService.safeEncrypt(command, sharedSecret);
|
|
89
|
+
}
|
|
90
|
+
/**
|
|
91
|
+
* Encrypt command for all registered devices
|
|
92
|
+
*/
|
|
93
|
+
static async encryptForAllDevices(runnerId, command) {
|
|
94
|
+
const keyData = await this.getRunnerKeys(runnerId);
|
|
95
|
+
if (!keyData) {
|
|
96
|
+
throw new Error(`No keys found for runner ${runnerId}`);
|
|
97
|
+
}
|
|
98
|
+
const encryptedCommands = {};
|
|
99
|
+
for (const [deviceId, sharedSecret] of Object.entries(keyData.sharedSecrets)) {
|
|
100
|
+
try {
|
|
101
|
+
encryptedCommands[deviceId] = CryptoService.safeEncrypt(command, sharedSecret);
|
|
102
|
+
}
|
|
103
|
+
catch (error) {
|
|
104
|
+
console.warn(`Failed to encrypt command for device ${deviceId}: ${error}`);
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
if (Object.keys(encryptedCommands).length === 0) {
|
|
108
|
+
throw new Error(`No devices registered for runner ${runnerId}`);
|
|
109
|
+
}
|
|
110
|
+
return encryptedCommands;
|
|
111
|
+
}
|
|
112
|
+
/**
|
|
113
|
+
* Decrypt command from specific device
|
|
114
|
+
*/
|
|
115
|
+
static async decryptFromDevice(runnerId, deviceId, encryptedCommand) {
|
|
116
|
+
const sharedSecret = await this.getSharedSecret(runnerId, deviceId);
|
|
117
|
+
if (!sharedSecret) {
|
|
118
|
+
throw new Error(`No shared secret found for device ${deviceId} on runner ${runnerId}`);
|
|
119
|
+
}
|
|
120
|
+
return CryptoService.safeDecrypt(encryptedCommand, sharedSecret);
|
|
121
|
+
}
|
|
122
|
+
/**
|
|
123
|
+
* Check if runner has any registered devices
|
|
124
|
+
*/
|
|
125
|
+
static async hasRegisteredDevices(runnerId) {
|
|
126
|
+
const devices = await this.getRegisteredDevices(runnerId);
|
|
127
|
+
return devices.length > 0;
|
|
128
|
+
}
|
|
129
|
+
/**
|
|
130
|
+
* Clean up all keys for a runner
|
|
131
|
+
*/
|
|
132
|
+
static async removeRunnerKeys(runnerId) {
|
|
133
|
+
const allKeys = await this.getAllStoredKeys();
|
|
134
|
+
delete allKeys[runnerId];
|
|
135
|
+
await StorageService.set(this.KEYS_STORAGE_KEY, allKeys);
|
|
136
|
+
console.log(`Cleaned up all keys for runner ${runnerId}`);
|
|
137
|
+
}
|
|
138
|
+
/**
|
|
139
|
+
* Get CLI's public key for a runner
|
|
140
|
+
*/
|
|
141
|
+
static async getCliPublicKey(runnerId) {
|
|
142
|
+
const keyData = await this.getRunnerKeys(runnerId);
|
|
143
|
+
return keyData?.ecdhKeyPair.publicKey || null;
|
|
144
|
+
}
|
|
145
|
+
// Private helper methods
|
|
146
|
+
static async getRunnerKeys(runnerId) {
|
|
147
|
+
const allKeys = await this.getAllStoredKeys();
|
|
148
|
+
return allKeys[runnerId] || null;
|
|
149
|
+
}
|
|
150
|
+
static async storeRunnerKeys(runnerId, keys) {
|
|
151
|
+
const allKeys = await this.getAllStoredKeys();
|
|
152
|
+
allKeys[runnerId] = keys;
|
|
153
|
+
await StorageService.set(this.KEYS_STORAGE_KEY, allKeys);
|
|
154
|
+
}
|
|
155
|
+
static async getAllStoredKeys() {
|
|
156
|
+
return (await StorageService.get(this.KEYS_STORAGE_KEY)) ?? {};
|
|
157
|
+
}
|
|
158
|
+
}
|
|
159
|
+
//# sourceMappingURL=multi-device-key-manager.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"multi-device-key-manager.js","sourceRoot":"","sources":["../../src/services/multi-device-key-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,aAAa,EAAC,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAUnD,MAAM,OAAO,4BAA4B;IAC7B,MAAM,CAAU,gBAAgB,GAAG,8BAA8B,CAAC;IAClE,MAAM,CAAU,eAAe,GAAG,EAAE,CAAC;IAE7C;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,QAAgB;QAC9C,MAAM,WAAW,GAAG,aAAa,CAAC,mBAAmB,EAAE,CAAC;QAExD,MAAM,OAAO,GAAkB;YAC3B,WAAW;YACX,aAAa,EAAE,EAAE;YACjB,SAAS,EAAE,EAAE;YACb,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACxB,CAAC;QAEF,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,OAAO,WAAW,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,QAAgB,EAAE,SAAoB;QAC9D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;QAC5D,CAAC;QAED,wCAAwC;QACxC,MAAM,YAAY,GAAG,aAAa,CAAC,kBAAkB,CACjD,OAAO,CAAC,WAAW,CAAC,UAAU,EAC9B,SAAS,CAAC,SAAS,CACtB,CAAC;QAEF,MAAM,OAAO,GAAG,aAAa,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;QAE1D,sDAAsD;QACtD,IAAI,OAAO,KAAK,SAAS,CAAC,OAAO,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QACpE,CAAC;QAED,0CAA0C;QAC1C,OAAO,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,YAAY,CAAC;QACzD,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC;QAEhD,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAE9C,OAAO,CAAC,GAAG,CAAC,YAAY,SAAS,CAAC,QAAQ,0BAA0B,QAAQ,EAAE,CAAC,CAAC;QAChF,OAAO,YAAY,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,QAAgB,EAAE,QAAgB;QACxD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,OAAO,CAAC,sBAAsB;QAClC,CAAC;QAED,OAAO,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACvC,OAAO,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAEnC,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,UAAU,QAAQ,wBAAwB,QAAQ,EAAE,CAAC,CAAC;IACtE,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,QAAgB,EAAE,QAAgB;QAC3D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,4BAA4B;QAC5B,MAAM,iBAAiB,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;QACnF,IAAI,iBAAiB,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;YAC3C,OAAO,CAAC,IAAI,CAAC,mBAAmB,QAAQ,uCAAuC,CAAC,CAAC;QACrF,CAAC;QAED,OAAO,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IACnD,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,QAAgB;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,OAAO,EAAE,CAAC;QACd,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAgB,EAAE,QAAgB,EAAE,OAAe;QAC7E,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACpE,IAAI,CAAC,YAAY,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,cAAc,QAAQ,EAAE,CAAC,CAAC;QAC3F,CAAC;QAED,OAAO,aAAa,CAAC,WAAW,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;IAC5D,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,QAAgB,EAAE,OAAe;QAC/D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,CAAC,OAAO,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,4BAA4B,QAAQ,EAAE,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,iBAAiB,GAA2B,EAAE,CAAC;QAErD,KAAK,MAAM,CAAC,QAAQ,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAC3E,IAAI,CAAC;gBACD,iBAAiB,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,WAAW,CAAC,OAAO,EAAE,YAAY,CAAC,CAAC;YACnF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACb,OAAO,CAAC,IAAI,CAAC,wCAAwC,QAAQ,KAAK,KAAK,EAAE,CAAC,CAAC;YAC/E,CAAC;QACL,CAAC;QAED,IAAI,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,oCAAoC,QAAQ,EAAE,CAAC,CAAC;QACpE,CAAC;QAED,OAAO,iBAAiB,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,QAAgB,EAAE,QAAgB,EAAE,gBAAwB;QACvF,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QACpE,IAAI,CAAC,YAAY,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,cAAc,QAAQ,EAAE,CAAC,CAAC;QAC3F,CAAC;QAED,OAAO,aAAa,CAAC,WAAW,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAC;IACrE,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,QAAgB;QAC9C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,QAAQ,CAAC,CAAC;QAC1D,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAgB;QAC1C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC9C,OAAO,OAAO,CAAC,QAAQ,CAAC,CAAC;QACzB,MAAM,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;QACzD,OAAO,CAAC,GAAG,CAAC,kCAAkC,QAAQ,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,QAAgB;QACzC,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACnD,OAAO,OAAO,EAAE,WAAW,CAAC,SAAS,IAAI,IAAI,CAAC;IAClD,CAAC;IAED,yBAAyB;IAEjB,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,QAAgB;QAC/C,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC9C,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC;IACrC,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,QAAgB,EAAE,IAAmB;QACtE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,gBAAgB,EAAE,CAAC;QAC9C,OAAO,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;QACzB,MAAM,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;IAC7D,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,gBAAgB;QACjC,OAAO,CAAC,MAAM,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC,IAAI,EAAE,CAAC;IACnE,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/services/runner.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../src/services/runner.ts"],"names":[],"mappings":"AAIA,OAAO,EAAa,oBAAoB,EAAC,MAAM,UAAU,CAAC;AAC1D,OAAO,EAAC,KAAK,gBAAgB,EAAE,KAAK,MAAM,EAAa,MAAM,oBAAoB,CAAC;AAKlF,qBAAa,aAAa;IACtB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAa;WAE1C,aAAa,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;WAkBlC,YAAY,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,MAAM,CAAC;WAmDrD,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;WAK7C,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;WAMpD,wBAAwB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;WAQ5F,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;WAOrE,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC;IAavF,MAAM,CAAC,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,KAAK,IAAI,GAAG,MAAM,IAAI;IAiE9F,OAAO,CAAC,MAAM,CAAC,WAAW;IAiB1B,OAAO,CAAC,MAAM,CAAC,eAAe;CAWjC"}
|