@lifeready/core 1.0.1 → 1.0.2

package/src/lib/api/key-exchange.service.ts

@@ -1,731 +0,0 @@
-import { Injectable } from '@angular/core';
-import { JWK } from 'node-jose';
-import { LifeReadyAuthService } from '../auth/life-ready-auth.service';
-import { KeyGraphResponse } from '../cryptography/cryptography.types';
-import {
-  EncryptionService,
-  JoseSerialization,
-} from '../cryptography/encryption.service';
-import { KeyService } from '../cryptography/key.service';
-import { LrCodeMismatchException } from '../_common/exceptions';
-import { UserService } from './../users/user.service';
-import {
-  CompleteOtkMutation,
-  CurrentUserSharedKeyQuery,
-  InitiateOtkMutation,
-  KeyExchangeQuery,
-  KeyExchangesQuery,
-  KeyExchangeTokenQuery,
-  RespondOtkMutation,
-} from './key-exchange.gql';
-import {
-  CompleteOtk,
-  DecryptedKeyExchange,
-  DecryptedOtk,
-  GetKeyExchangeListOptions,
-  GetKeyExchangeOptions,
-  InitiateOtkInput,
-  KeyExchange,
-  OtkState,
-  PlainInitiatorOneTimePbkCipher,
-  PlainInitiatorRootKeyCipher,
-  PlainOtKeyCipher,
-  PlainResponderPbkCipher,
-  RespondOtk,
-  RespondOtkInput,
-  UserSharedKey,
-} from './key-exchange.types';
-import { LrApolloService } from './lr-apollo.service';
-import { KeyFactoryService as KFS } from '../cryptography/key-factory.service';
-// Ref: https://stackoverflow.com/questions/59735280/angular-8-moment-error-cannot-call-a-namespace-moment
-import * as moment_ from 'moment';
-const moment = moment_;
-
-@Injectable({
-  providedIn: 'root',
-})
-export class KeyExchangeService {
-  private readonly CLIENT_NONCE_LENGTH = 32;
-
-  constructor(
-    private keyFactory: KFS,
-    private keyService: KeyService,
-    private lrApollo: LrApolloService,
-    private encryptionService: EncryptionService,
-    private authService: LifeReadyAuthService,
-    private userService: UserService
-  ) {}
-
-  public async getKeyExchangeList(
-    input: GetKeyExchangeListOptions = {}
-  ): Promise<any> {
-    const { keyExchanges } = await this.lrApollo.query<{
-      keyExchanges: any;
-      keyGraph: KeyGraphResponse;
-    }>({
-      query: KeyExchangesQuery,
-      variables: {
-        ...input,
-      },
-    });
-    return keyExchanges;
-  }
-
-  /**
-   * @param id If the current user can responder the key exchange if they are either the initiator or the receiver.
-   * @param token If not signed in, or not the initiator or responder, 'token' must be given.
-   * @param otKeyK Is the raw one-time key (string). If the responder is explicitly specified at time of initiation, then
-   *   it's possible to have the otKey wrapped by the public key of the responder. In which case, the otKeyK is not needed.
-   */
-  public async getKeyExchange(
-    id: string,
-    { otKeyK, token }: GetKeyExchangeOptions = {}
-  ): Promise<DecryptedKeyExchange> {
-    const { keyExchange } = await this.lrApollo.query<{
-      keyExchange: KeyExchange;
-      keyGraph: KeyGraphResponse;
-    }>({
-      query: token ? KeyExchangeTokenQuery : KeyExchangeQuery,
-      variables: {
-        id,
-        token,
-      },
-    });
-    return await this.decryptKeyExchange(keyExchange, otKeyK);
-  }
-
-  private async decryptResponseCipher(
-    otKey: JWK.Key,
-    otPrk: JWK.Key,
-    content: any
-  ): Promise<PlainInitiatorOneTimePbkCipher> {
-    // The response could be wrapped by the OtK as well as we the OtPrk
-    try {
-      content = await this.encryptionService.decrypt(otKey, content);
-    } catch (error) {
-      if (error.message !== 'no key found') {
-        throw error;
-      }
-      // Do nothing to support older versions where message is not wrapped with otk.
-    }
-
-    // The Prk is single-use and only used to send information from the responder back to the initiator.
-    return await this.encryptionService.decrypt(otPrk, content);
-  }
-
-  public async decryptKeyExchange(
-    keyExchange: KeyExchange,
-    otKeyK?: string
-  ): Promise<DecryptedKeyExchange> {
-    if (keyExchange.isInitiator) {
-      const rootKey = await this.keyService.getCurrentRootKey();
-      // Decrypt using the root key to get the Prk
-      const plainInitiatorRootKeyCipher = ((await this.encryptionService.decrypt(
-        rootKey.jwk,
-        keyExchange.initiatorRootKeyCipher
-      )) as unknown) as PlainInitiatorRootKeyCipher;
-
-      const plainInitiatorOneTimePbkCipher = keyExchange.otk
-        .initiatorOneTimePbkCipher
-        ? await this.decryptResponseCipher(
-            await KFS.asKey(plainInitiatorRootKeyCipher.otKey),
-            await KFS.asKey(plainInitiatorRootKeyCipher.oneTimePrk),
-            keyExchange.otk.initiatorOneTimePbkCipher
-          )
-        : null;
-
-      const responder =
-        plainInitiatorOneTimePbkCipher &&
-        plainInitiatorOneTimePbkCipher.responder;
-      const initiator =
-        plainInitiatorRootKeyCipher && plainInitiatorRootKeyCipher.initiator;
-
-      return {
-        ...keyExchange,
-        message: responder ? responder.message : null,
-        contactCard:
-          responder && responder.contactCard
-            ? responder.contactCard.plainSharedCipherDataJson
-            : null,
-        myContactCard:
-          initiator && initiator.contactCard
-            ? initiator.contactCard.plainSharedCipherDataJson
-            : null,
-        myMessage: initiator && initiator.message,
-      };
-    } else {
-      const decryptedOtk = await this.decryptOtk(keyExchange, otKeyK);
-
-      const initiator = decryptedOtk && decryptedOtk.plainOtKeyCipher.initiator;
-
-      return {
-        ...keyExchange,
-        decryptedOtk,
-        message: initiator && initiator.message,
-        contactCard:
-          initiator &&
-          initiator.contactCard &&
-          initiator.contactCard.plainSharedCipherDataJson,
-      };
-    }
-  }
-
-  private async decryptOtk(
-    keyExchange: KeyExchange,
-    otKeyK?: string
-  ): Promise<DecryptedOtk> {
-    const otKey = await this.getOtKey(keyExchange, otKeyK);
-
-    return otKey && keyExchange.otk.otKeyCipher
-      ? {
-          plainOtKeyCipher: await this.encryptionService.decrypt(
-            otKey,
-            keyExchange.otk.otKeyCipher
-          ),
-          otKey,
-        }
-      : null;
-  }
-
-  private async getOtKey(
-    keyExchange: KeyExchange,
-    otKeyK?: string
-  ): Promise<JWK.Key> {
-    if (otKeyK) {
-      return await KFS.asKey({
-        ...JSON.parse(keyExchange.otk.otKeyParams),
-        k: otKeyK,
-      });
-    } else if (
-      keyExchange.otk.state === OtkState.OTK_INITIATED &&
-      !keyExchange.isInitiator &&
-      keyExchange.otk.responderPbkCipher
-    ) {
-      // Assuming existing user getting invited where OTK is wrapped in responder's public key.
-      const prk = await this.keyService.getCurrentPxk();
-      const decryptedCipher: any = await this.encryptionService.decrypt(
-        prk.jwk,
-        JSON.parse(keyExchange.otk.responderPbkCipher),
-        {
-          serializations: [JoseSerialization.COMPACT],
-        }
-      );
-      if (decryptedCipher.otKey) {
-        return await KFS.asKey(decryptedCipher.otKey);
-      }
-    }
-    return null;
-  }
-
-  async initiateOtk({
-    message,
-    email,
-    contactCard,
-    upgrade,
-  }: InitiateOtkInput): Promise<{ keyExchange: KeyExchange; otKeyK: string }> {
-    const otKey = await this.keyFactory.createKey();
-    const nonce = this.keyFactory.randomString(this.CLIENT_NONCE_LENGTH);
-    const user = await this.authService.getUser();
-
-    // New PKC key for encryption. This key is used only once when the responder sends
-    // back their signing public key.
-    const initiatorOneTimePrk = await this.keyFactory.createPkcKey();
-
-    // Option 1: New PKC key for signing
-    // const initiatorSigPrk = await this.keyService.createPkcSignKey();
-
-    // Option 2: Use the user's global signing key.
-    // This key is used to prove the initiator's identity.
-    const initiatorPrk = await this.keyService.getCurrentPxk();
-    const initiatorSigPrk = await this.keyService.getCurrentSigPxk();
-
-    let initiatorPlainDataSig: string = null;
-
-    if (contactCard && contactCard.ownerPlainData) {
-      initiatorPlainDataSig = JSON.stringify(
-        await this.encryptionService.sign(
-          initiatorSigPrk.jwk,
-          contactCard.ownerPlainData
-        )
-      );
-    }
-
-    const initiator = {
-      message,
-      contactCard: contactCard
-        ? {
-            plainSharedCipherDataJson: contactCard.plainSharedCipherDataJson,
-          }
-        : null,
-    };
-
-    // Content to be encrypted using the OTK.
-    const plainOtKeyCipher: PlainOtKeyCipher = {
-      nonce,
-      initiator: {
-        ...initiator,
-        oneTimePbk: initiatorOneTimePrk.toJSON(), // onetime public encryption key responder use to send data back to initiator
-        pbk: initiatorPrk.jwk.toJSON(), // public encryption key
-        sigPbk: initiatorSigPrk.jwk.toJSON(), // public signing key
-        profile: {
-          username: user.username,
-        },
-      },
-    };
-
-    const otKeyCipher = await this.encryptionService.encrypt(
-      otKey,
-      plainOtKeyCipher
-    );
-
-    // Content to be encrypted using the initiator's root key.
-    const plainInitiatorRootKeyCipher: PlainInitiatorRootKeyCipher = {
-      nonce,
-      oneTimePrk: initiatorOneTimePrk.toJSON(true),
-      // Should not need to keep this encrypted since we are using the global signing key.
-      // sigPrk: initiatorSigPrk.toJSON(true),
-
-      // Save it in case the initiator want to decode the otKeyCipher.
-      // Since the otKey is only used once, and that otKeyCipher contains only
-      // the public key of the initiator, it's safe just leave the otKey stored here.
-      otKey: otKey.toJSON(true),
-      // These should be storing information such as how the fields of the shared contact card is
-      // derived from the master contact card.
-      initiatorContactCard: contactCard,
-      initiator,
-    };
-
-    const rootKey = await this.keyService.getCurrentRootKey();
-    const initiatorRootKeyCipher = await this.encryptionService.encrypt(
-      rootKey.jwk,
-      plainInitiatorRootKeyCipher
-    );
-
-    // The raw OTK
-    const otKeyK: string = (otKey.toJSON(true) as any).k;
-
-    // API call
-    const { initiateKeyExchangeOtk } = await this.lrApollo.mutate<any>({
-      mutation: InitiateOtkMutation,
-      variables: {
-        input: {
-          // These will be stored on the server
-          initiatorRootKeyCipher: JSON.stringify(initiatorRootKeyCipher),
-          initiatorPxkId: initiatorPrk.id,
-          initiatorSigPxkId: initiatorSigPrk.id,
-          // These will be sent to the responder
-          otKeyParams: JSON.stringify(otKey.toJSON()),
-          otKeyCipher: JSON.stringify(otKeyCipher),
-          sendEmail: email
-            ? {
-                email,
-                rawOtKey: otKeyK,
-              }
-            : null,
-          createTp: true,
-          initiatorPlainDataSig,
-          upgrade,
-        },
-      },
-    });
-    return { keyExchange: initiateKeyExchangeOtk.keyExchange, otKeyK };
-  }
-
-  async respondOtk({
-    id,
-    token,
-    decryptedOtk,
-    message,
-    initiatorContactCard,
-    responderContactCard: sentContactCard,
-  }: RespondOtkInput): Promise<RespondOtk> {
-    const user = await this.authService.getUser();
-    const rootKey = await this.keyService.getCurrentRootKey();
-
-    const masterKeyId = this.keyService.getCurrentMasterKey().id;
-    const masterKey = await this.keyService.getCurrentMasterKey();
-
-    const sharedKey = await this.keyFactory.createKey();
-    const mkSharedKey = await this.keyFactory.createKey();
-
-    const rkWrappedSharedKey = await this.encryptionService.encrypt(
-      rootKey.jwk,
-      sharedKey.toJSON(true)
-    );
-    const mkWrappedMkSharedKey = await this.encryptionService.encrypt(
-      masterKey.jwk,
-      mkSharedKey.toJSON(true)
-    );
-
-    const initiatorOneTimePbk = await KFS.asKey(
-      decryptedOtk.plainOtKeyCipher.initiator.oneTimePbk
-    );
-
-    const initiatorPbk = await KFS.asKey(
-      decryptedOtk.plainOtKeyCipher.initiator.pbk
-    );
-    const initiatorSigPbk = await KFS.asKey(
-      decryptedOtk.plainOtKeyCipher.initiator.sigPbk
-    );
-
-    // Option 1: Using new Prk for each TP pair
-    // Create a new public signing key for the responder.
-    // const responderSigPrk = await this.keyService.createPkcSignKey()
-    // const rkWrappedResponderSigPrk = await this.encrypt(rootKey, responderSigPrk.toJSON(true));
-
-    // Option 2: Responder already has a signing Prk
-    const responderPrk = await this.keyService.getCurrentPxk();
-    const responderSigPrk = await this.keyService.getCurrentSigPxk();
-
-    const signedInitiatorPbk = await this.encryptionService.sign(
-      responderSigPrk.jwk,
-      initiatorPbk.toJSON()
-    );
-    const signedInitiatorSigPbk = await this.encryptionService.sign(
-      responderSigPrk.jwk,
-      initiatorSigPbk.toJSON()
-    );
-
-    const plainInitiatorOneTimePbkCipher: PlainInitiatorOneTimePbkCipher = {
-      nonce: decryptedOtk.plainOtKeyCipher.nonce,
-      sharedKey: sharedKey.toJSON(true),
-      mkSharedKey: mkSharedKey.toJSON(true),
-      responder: {
-        pbk: responderPrk.jwk.toJSON(), // public key
-        sigPbk: responderSigPrk.jwk.toJSON(), // public key
-        profile: {
-          username: user.username,
-        },
-        message,
-      },
-    };
-
-    let receivedCardInput;
-    if (decryptedOtk.plainOtKeyCipher.initiator.contactCard) {
-      // Set the info about the initiator to be the ones sent by the initiator. We need th responder to do the encryption here
-      // because the initiator does not have the shared key yet, and we want the responder to have a functional contact card after
-      // this exchange. The initiator can double check the contact details are correct and sign it when it completes the exchange.
-      const plainSharedCipherDataJson =
-        decryptedOtk.plainOtKeyCipher.initiator.contactCard
-          .plainSharedCipherDataJson;
-
-      // Create keys
-      const receiverKey = await this.keyFactory.createKey();
-      const ccSharedKey = await this.keyFactory.createKey();
-      const sigPxk = await this.keyService.getCurrentSigPxk();
-
-      receivedCardInput = {
-        receiverWrappedKey: JSON.stringify(
-          await this.encryptionService.encrypt(
-            rootKey.jwk,
-            receiverKey.toJSON(true)
-          )
-        ),
-        receiverWrappingKeyId: rootKey.id,
-        receiverCipherData: initiatorContactCard
-          ? JSON.stringify(
-              await this.encryptionService.encrypt(
-                receiverKey,
-                initiatorContactCard.plainReceiverCipherDataJson
-              )
-            )
-          : '',
-        sharedWrappedKey: JSON.stringify(
-          await this.encryptionService.encrypt(
-            sharedKey,
-            ccSharedKey.toJSON(true)
-          )
-        ),
-      };
-
-      const sharedCipherData = await this.encryptionService.encrypt(
-        ccSharedKey,
-        plainSharedCipherDataJson
-      );
-      receivedCardInput.sharedCipherDataSig = JSON.stringify(
-        await this.encryptionService.sign(sigPxk.jwk, sharedCipherData)
-      );
-      receivedCardInput.sigPxkId = sigPxk.id;
-
-      plainInitiatorOneTimePbkCipher.responder.contactCard = {
-        ...plainInitiatorOneTimePbkCipher.responder.contactCard,
-        sharedCipherKey: ccSharedKey.toJSON(true),
-      };
-    }
-
-    let sentCardInput;
-    if (sentContactCard) {
-      // Create keys
-      const ownerKey = await this.keyFactory.createKey();
-      const ccSharedKey = await this.keyFactory.createKey();
-      const sigPxk = await this.keyService.getCurrentSigPxk();
-
-      sentCardInput = {
-        ownerWrappedKey: JSON.stringify(
-          await this.encryptionService.encrypt(
-            rootKey.jwk,
-            ownerKey.toJSON(true)
-          )
-        ),
-        ownerWrappingKeyId: rootKey.id,
-        ownerCipherData: sentContactCard.plainOwnerCipherDataJson
-          ? JSON.stringify(
-              await this.encryptionService.encrypt(
-                ownerKey,
-                sentContactCard.plainOwnerCipherDataJson
-              )
-            )
-          : '',
-
-        sharedWrappedKey: JSON.stringify(
-          await this.encryptionService.encrypt(
-            sharedKey,
-            ccSharedKey.toJSON(true)
-          )
-        ),
-      };
-
-      const sharedCipherData = await this.encryptionService.encrypt(
-        ccSharedKey,
-        sentContactCard.plainSharedCipherDataJson
-      );
-      sentCardInput.sharedCipherDataSig = JSON.stringify(
-        await this.encryptionService.sign(sigPxk.jwk, sharedCipherData)
-      );
-      sentCardInput.sigPxkId = sigPxk.id;
-
-      if (sentContactCard.ownerPlainData) {
-        sentCardInput.ownerPlainDataSig = JSON.stringify(
-          await this.encryptionService.sign(
-            responderSigPrk.jwk,
-            sentContactCard.ownerPlainData
-          )
-        );
-      }
-
-      // Contact card info readable by the initiator
-      plainInitiatorOneTimePbkCipher.responder.contactCard = {
-        ...plainInitiatorOneTimePbkCipher.responder.contactCard,
-        plainSharedCipherDataJson: sentContactCard.plainSharedCipherDataJson,
-      };
-    }
-
-    // Encrypt with one-time public key
-    let initiatorOneTimePbkCipher = await this.encryptionService.encrypt(
-      initiatorOneTimePbk,
-      plainInitiatorOneTimePbkCipher
-    );
-
-    // Encrypt with the otk again to keep use of asymmetric keys to a minimum.
-    initiatorOneTimePbkCipher = await this.encryptionService.encrypt(
-      decryptedOtk.otKey,
-      initiatorOneTimePbkCipher
-    );
-
-    const { respondKeyExchangeOtk } = await this.lrApollo.mutate<any>({
-      mutation: RespondOtkMutation,
-      variables: {
-        input: {
-          keyExchangeId: id,
-          keyExchangeToken: token,
-          rootKeyId: rootKey.id,
-          masterKeyId,
-          // These will be stored on the server
-          responderPxkId: responderPrk.id,
-          responderSigPxkId: responderSigPrk.id,
-          signedInitiatorPbk: JSON.stringify(signedInitiatorPbk),
-          signedInitiatorSigPbk: JSON.stringify(signedInitiatorSigPbk),
-          // rkWrappedInitiatorSigPbk: JSON.stringify(rkWrappedInitiatorSigPbk),
-
-          // Option 1: Using new Prk for each TP pair
-          // rkWrappedResponderSigPrk: JSON.stringify(rkWrappedResponderSigPrk),
-          rkWrappedSharedKey: JSON.stringify(rkWrappedSharedKey),
-          mkWrappedMkSharedKey: JSON.stringify(mkWrappedMkSharedKey),
-          // These will be sent to the initiator
-          initiatorOneTimePbkCipher: JSON.stringify(initiatorOneTimePbkCipher),
-          initiatorContactCard: receivedCardInput,
-          responderContactCard: sentCardInput,
-        },
-      },
-    });
-
-    return {
-      keyExchange: respondKeyExchangeOtk.keyExchange,
-      userSharedKey: respondKeyExchangeOtk.userSharedKey,
-      tp: respondKeyExchangeOtk.tp,
-    };
-  }
-
-  async completeOtk(
-    keyExchangeId: string,
-    initiatorRootKeyCipher: string,
-    initiatorOneTimePbkCipher: string,
-    responderContactCard?: string
-  ): Promise<CompleteOtk> {
-    const rootKey = await this.keyService.getCurrentRootKey();
-    const masterKey = await this.keyService.getCurrentMasterKey();
-
-    // Decrypt using the root key to get the Prk
-    const plainInitiatorRootKeyCipher = ((await this.encryptionService.decrypt(
-      rootKey.jwk,
-      initiatorRootKeyCipher
-    )) as unknown) as PlainInitiatorRootKeyCipher;
-
-    // The Prk is single-use and only used to send information from the responder back to the initiator.
-    const plainInitiatorOneTimePbkCipher = await this.decryptResponseCipher(
-      await KFS.asKey(plainInitiatorRootKeyCipher.otKey),
-      await KFS.asKey(plainInitiatorRootKeyCipher.oneTimePrk),
-      initiatorOneTimePbkCipher
-    );
-
-    // Check the nonce match to ensure the responder was the one holding the OTK
-    if (
-      plainInitiatorRootKeyCipher.nonce !== plainInitiatorOneTimePbkCipher.nonce
-    ) {
-      throw new LrCodeMismatchException(
-        'The nonce returned by responder does not match with the one created by the initiator.'
-      );
-    }
-
-    // Option 1: Assuming the signing key is unique between users.
-    // const initiatorSigPrk = await KFS.asKey(ke.plainInitiatorRootKeyCipher.sigPrk);
-    // const rkWrappedInitiatorSigPrk = await this.encrypt(rootKey, initiatorSigPrk.toJSON(true));
-
-    // Option 2: Use the user's global signing key.
-    // In this case the initiatorSigPrk is already a part of the key graph.
-    // So there's nothing to do here.
-
-    // Protected the signing public key of the responder.
-    const initiatorSigPrk = await this.keyService.getCurrentSigPxk();
-    const responderSigPbk = await KFS.asKey(
-      plainInitiatorOneTimePbkCipher.responder.sigPbk
-    );
-    const responderPbk = await KFS.asKey(
-      plainInitiatorOneTimePbkCipher.responder.pbk
-    );
-
-    const signedResponderPbk = await this.encryptionService.sign(
-      initiatorSigPrk.jwk,
-      responderPbk.toJSON()
-    );
-    const signedResponderSigPbk = await this.encryptionService.sign(
-      initiatorSigPrk.jwk,
-      responderSigPbk.toJSON()
-    );
-
-    const sharedKey = await KFS.asKey(plainInitiatorOneTimePbkCipher.sharedKey);
-    const rkWrappedSharedKey = await this.encryptionService.encrypt(
-      rootKey.jwk,
-      sharedKey.toJSON(true)
-    );
-
-    const mkSharedKey = await KFS.asKey(
-      plainInitiatorOneTimePbkCipher.mkSharedKey
-    );
-    const mkWrappedMkSharedKey = await this.encryptionService.encrypt(
-      masterKey.jwk,
-      mkSharedKey.toJSON(true)
-    );
-
-    let responderContactCardCipherInput;
-    if (responderContactCard) {
-      // Create key
-      const receiverKey = await this.keyFactory.createKey();
-
-      responderContactCardCipherInput = {
-        receiverWrappedKey: JSON.stringify(
-          await this.encryptionService.encrypt(
-            rootKey.jwk,
-            receiverKey.toJSON(true)
-          )
-        ),
-        receiverWrappingKeyId: rootKey.id,
-        receiverCipherData: JSON.stringify(
-          await this.encryptionService.encrypt(
-            receiverKey,
-            responderContactCard
-          )
-        ),
-      };
-    }
-
-    // Get the data needed from the initiator's cipher data.
-    let initiatorContactCardCipherInput;
-    let initiatorContactCardSharedCipherInput;
-    if (plainInitiatorRootKeyCipher.initiatorContactCard) {
-      const initiatorContactCard =
-        plainInitiatorRootKeyCipher.initiatorContactCard;
-      const ownerKey = await this.keyFactory.createKey();
-      const sharedCipherKey = await KFS.asKey(
-        plainInitiatorOneTimePbkCipher.responder.contactCard.sharedCipherKey
-      );
-
-      const ownerWrappedKey = JSON.stringify(
-        await this.encryptionService.encrypt(rootKey.jwk, ownerKey.toJSON(true))
-      );
-      const ownerCipherData = initiatorContactCard.plainOwnerCipherDataJson
-        ? JSON.stringify(
-            await this.encryptionService.encrypt(
-              ownerKey,
-              initiatorContactCard.plainOwnerCipherDataJson
-            )
-          )
-        : '';
-
-      initiatorContactCardCipherInput = {
-        ownerWrappedKey,
-        ownerWrappingKeyId: rootKey.id,
-        ownerCipherData,
-      };
-
-      initiatorContactCardSharedCipherInput = {
-        sigPxkId: initiatorSigPrk.id,
-      };
-
-      const sharedCipherData = await this.encryptionService.encrypt(
-        sharedCipherKey,
-        initiatorContactCard.plainSharedCipherDataJson
-      );
-      initiatorContactCardSharedCipherInput.sharedCipherDataSig = JSON.stringify(
-        await this.encryptionService.sign(initiatorSigPrk.jwk, sharedCipherData)
-      );
-    }
-
-    // TODO ideally we update the shared data in the contact card sent to the responder as well since that
-    // CC was created by the responder.
-
-    const res = await this.lrApollo.mutate<any>({
-      mutation: CompleteOtkMutation,
-      variables: {
-        input: {
-          keyExchangeId,
-          rootKeyId: rootKey.id,
-          masterKeyId: masterKey.id,
-          initiatorSigPxkId: initiatorSigPrk.id,
-          signedResponderPbk: JSON.stringify(signedResponderPbk),
-          signedResponderSigPbk: JSON.stringify(signedResponderSigPbk),
-          rkWrappedSharedKey: JSON.stringify(rkWrappedSharedKey),
-          mkWrappedMkSharedKey: JSON.stringify(mkWrappedMkSharedKey),
-          responderContactCardCipher: responderContactCardCipherInput,
-          initiatorContactCardCipher: initiatorContactCardCipherInput,
-          initiatorContactCardSharedCipher: initiatorContactCardSharedCipherInput,
-        },
-      },
-    });
-    return res.completeKeyExchangeOtk;
-  }
-
-  public async currentUserSharedKey(input: {
-    username?: string;
-    userId?: string;
-  }): Promise<UserSharedKey> {
-    const { currentUserSharedKey } = await this.lrApollo.query<any>({
-      query: CurrentUserSharedKeyQuery,
-      variables: {
-        username: input.username,
-        userId: input.userId,
-      },
-    });
-    return currentUserSharedKey.userSharedKey;
-  }
-}