@lifeready/core 1.0.1 → 1.0.3

package/src/lib/cryptography/encryption.service.spec.ts

@@ -1,125 +0,0 @@
-import { TestBed } from '@angular/core/testing';
-import { EncryptionService } from './encryption.service';
-import {
-  lrConfigureTestingModule,
-  lrExpectAsyncThrow,
-  lrit,
-} from '../_common/tests';
-import { util, JWK } from 'node-jose';
-import { KeyFactoryService as KFS } from './key-factory.service';
-
-describe('EncryptionService', () => {
-  let encService: EncryptionService;
-  let keyFactory: KFS;
-
-  beforeEach(() => {
-    lrConfigureTestingModule();
-    encService = TestBed.inject(EncryptionService);
-    keyFactory = TestBed.inject(KFS);
-  });
-
-  it('should be created', () => {
-    expect(encService).toBeTruthy();
-  });
-
-  lrit('should verify public key signature', async () => {
-    const data = {
-      test: 123,
-      nested: {
-        str: 'xyz试用',
-      },
-    };
-
-    const key = await keyFactory.createPkcSignKey();
-
-    const signed = await encService.sign(key, data);
-
-    // Wrong key
-    const wrongKey = await KFS.asKey({
-      ...(await keyFactory.createPkcSignKey()).toJSON(true),
-      kid: key.kid,
-    });
-    (
-      await lrExpectAsyncThrow(encService.verify(wrongKey, signed))
-    ).toBeTruthy();
-
-    // Wrong content
-    const wrongContent = {
-      ...signed,
-      payload: util.base64url.encode(
-        util.asBuffer(JSON.stringify({ test: 456 }), 'utf8')
-      ),
-    };
-    (
-      await lrExpectAsyncThrow(encService.verify(key, wrongContent))
-    ).toBeTruthy();
-  });
-
-  lrit('should include protected timestamp header in signature', async () => {
-    const data = 'test';
-    const key = await keyFactory.createPkcSignKey();
-    const signed = (await encService.sign(key, data)) as any;
-    console.log('signed', signed);
-
-    const verified = await encService.verify(key, signed, {
-      returnOnlyPayload: false,
-    });
-
-    console.log(verified);
-
-    expect(verified.payload).toEqual(data);
-    expect(verified.protected.includes('timestamp')).toBeTrue();
-    expect(verified.header.timestamp).toBeTruthy();
-
-    // Modify the protected timestamp field and it should fail because timestamp is in the protected header.
-    const protect = JSON.parse(
-      new TextDecoder().decode(
-        util.base64url.decode(signed.signatures[0].protected) as any
-      )
-    );
-    protect.timestamp = protect.timestamp + 1;
-    console.log('protect', protect);
-
-    signed.signatures[0].protected = util.base64url.encode(
-      JSON.stringify(protect)
-    );
-
-    console.log('after modification', signed);
-
-    (await lrExpectAsyncThrow(encService.verify(key, signed))).toBeTruthy();
-  });
-
-  lrit('should include protected timestamp header in encryption', async () => {
-    const data = 'test';
-    const key = await keyFactory.createKey();
-    const encrypted = await encService.encrypt(key, data);
-    console.log('encrypted', encrypted);
-
-    let decrypted: any = await encService.decrypt(key, encrypted, {
-      returnOnlyPayload: false,
-    });
-    expect(decrypted.payload).toEqual(data);
-
-    // Test that we correctly understand the format of the header before modifying it.
-    const protect = JSON.parse(
-      new TextDecoder().decode(
-        util.base64url.decode(encrypted.protected) as any
-      )
-    );
-    console.log('protect', protect);
-    encrypted.protected = util.base64url.encode(JSON.stringify(protect));
-
-    decrypted = await encService.decrypt(key, encrypted, {
-      returnOnlyPayload: false,
-    });
-    expect(decrypted.payload).toEqual(data);
-
-    // Modify the protected timestamp field and it should fail because timestamp is in the protected header.
-    protect.timestamp = protect.timestamp + 1;
-    encrypted.protected = util.base64url.encode(JSON.stringify(protect));
-
-    console.log('after modification', encrypted);
-
-    (await lrExpectAsyncThrow(encService.decrypt(key, encrypted))).toBeTruthy();
-  });
-});

package/src/lib/cryptography/encryption.service.ts

@@ -1,243 +0,0 @@
-import {
-  LrException,
-  LrErrorCode,
-  LrBadArgumentException,
-} from './../_common/exceptions';
-import { ComponentFactoryResolver, Injectable } from '@angular/core';
-import { JWE, JWK, JWS, util } from 'node-jose';
-import { Key, PayloadType } from './cryptography.types';
-import { TimeService } from '../api/time.service';
-
-export enum JoseSerialization {
-  JSON = 'JSON',
-  COMPACT = 'COMPACT',
-}
-
-export interface VerifyOptions {
-  payloadType?: PayloadType;
-  returnOnlyPayload?: boolean; // If true, return only the decoded payload.
-}
-
-export interface DecryptOptions {
-  payloadType?: PayloadType;
-  returnOnlyPayload?: boolean; // If true, return only the decoded payload.
-  serializations?: JoseSerialization[];
-}
-
-export const VERIFY_OPTIONS_DEFAULT: VerifyOptions = {
-  payloadType: 'json',
-  returnOnlyPayload: true,
-};
-
-export const DECRYPT_OPTIONS_DEFAULT: DecryptOptions = {
-  payloadType: 'json',
-  returnOnlyPayload: true,
-  serializations: [JoseSerialization.JSON],
-};
-
-export function isSymmetricKey(key: JWK.Key) {
-  // TODO: make sure this covers all cases.
-  return key.kty === 'oct';
-}
-
-export function asJwk(key: JWK.Key | Key | any): JWK.Key | null {
-  // TODO: make sure this covers all cases.
-  // Excluded:
-  //   key.use - only for public keys, Ref: https://tools.ietf.org/html/rfc7517#section-4.2
-
-  if (key.id && key.jwk) {
-    return key.jwk;
-  } else if (key.keystore && key.length && key.kty && key.kid && key.alg) {
-    return key;
-  } else {
-    return null;
-  }
-}
-
-@Injectable({
-  providedIn: 'root',
-})
-export class EncryptionService {
-  constructor(private timeService: TimeService) {}
-
-  async decrypt(
-    key: JWK.Key | Key, // string is assumed to be key.id, will unwrap key.
-    jwe: object | string, // string will be JSON.parsed
-    options?: DecryptOptions
-  ): Promise<JWE.DecryptResult | any> {
-    const opt = {
-      algorithms: ['dir', 'A*GCM', 'RSA-OAEP-*'],
-    };
-
-    options = {
-      ...DECRYPT_OPTIONS_DEFAULT,
-      ...options,
-    };
-
-    if ((key as Key).jwk) {
-      key = (key as Key).jwk;
-    }
-
-    if (typeof jwe === 'string') {
-      if (options.serializations.includes(JoseSerialization.JSON)) {
-        try {
-          jwe = JSON.parse(jwe);
-        } catch (error) {
-          if (options.serializations.includes(JoseSerialization.COMPACT)) {
-            console.log(
-              'Not a JSON-formatted JWE, it maybe compact serialisation format.'
-            );
-          } else {
-            throw error;
-          }
-        }
-      }
-    }
-
-    // {result} is a Object with:
-    // *  header: the combined 'protected' and 'unprotected' header members
-    // *  protected: an array of the member names from the "protected" member
-    // *  key: Key used to decrypt
-    // *  payload: Buffer of the decrypted content
-    // *  plaintext: Buffer of the decrypted content (alternate), just a reference to payload
-    const res = await JWE.createDecrypt(key as JWK.Key, opt).decrypt(
-      jwe as any
-    );
-
-    res.payload = this.decodePayload(options.payloadType, res.payload);
-
-    if (options.returnOnlyPayload) {
-      return res.payload;
-    } else {
-      return res;
-    }
-  }
-
-  // TODO rename this to encrypt() and use as the most common usecase
-  async encryptToString(
-    key: JWK.Key,
-    content: ArrayBuffer | string | object
-  ): Promise<string> {
-    return JSON.stringify(await this.encrypt(key, content));
-  }
-
-  // TODO rename this to encryptToJSON() and use this when required.
-  async encrypt(
-    key: JWK.Key,
-    content: ArrayBuffer | string | object
-  ): Promise<any> {
-    if (!content) {
-      throw new Error('Encrypting empty content.');
-    }
-
-    if (!(content instanceof ArrayBuffer)) {
-      content = new TextEncoder().encode(JSON.stringify(content));
-    }
-
-    return JWE.createEncrypt(
-      {
-        contentAlg: 'A256GCM',
-        fields: {
-          timestamp: await this.timeService.serverNow(),
-        },
-      } as any,
-      key
-    )
-      .update(content)
-      .final() as any;
-  }
-
-  // <AZ> Unlike signContent, the serialised "content" variable is contained inside
-  // the result. So ordering of fields within "content" is not an issue.
-  async sign(key: JWK.Key, content: Buffer | string | object): Promise<any> {
-    const signer = JWS.createSign(
-      {
-        fields: {
-          timestamp: await this.timeService.serverNow(),
-        },
-      },
-      key
-    );
-
-    if (content instanceof Buffer) {
-      signer.update(content);
-    } else {
-      signer.update(JSON.stringify(content), 'utf8');
-    }
-
-    return signer.final();
-  }
-
-  async signToString(
-    key: JWK.Key,
-    content: Buffer | string | object
-  ): Promise<string> {
-    return JSON.stringify(await this.sign(key, content));
-  }
-
-  async verify(
-    key: JWK.Key,
-    jws: object,
-    options?: VerifyOptions
-  ): Promise<any> {
-    const opt = {
-      algorithms: ['RS*'],
-    };
-
-    options = {
-      ...VERIFY_OPTIONS_DEFAULT,
-      ...options,
-    };
-
-    try {
-      const res = await JWS.createVerify(key, opt).verify(jws as any);
-
-      res.payload = this.decodePayload(options.payloadType, res.payload);
-
-      if (options.returnOnlyPayload) {
-        return res.payload;
-      } else {
-        return res;
-      }
-    } catch (error) {
-      throw new LrException({
-        code: LrErrorCode.BadSignature,
-        message: `Bad signature: ${error}`,
-      });
-    }
-  }
-
-  async encryptThenSign(
-    {
-      key,
-      sigPrk,
-    }: {
-      key: JWK.Key;
-      sigPrk: JWK.Key;
-    },
-    content: ArrayBuffer | string | object
-  ): Promise<{ cipher: string; sig: string }> {
-    const cipher = JSON.stringify(await this.encrypt(key, content));
-    const sig = await this.sign(sigPrk, cipher);
-    delete sig.payload;
-
-    return {
-      cipher,
-      sig: JSON.stringify(sig),
-    };
-  }
-
-  private decodePayload(
-    payloadType: PayloadType,
-    payload: ArrayBuffer
-  ): ArrayBuffer | any {
-    switch (payloadType) {
-      case 'json':
-        return JSON.parse(new TextDecoder().decode(payload));
-      case 'ArrayBuffer':
-        return payload;
-      default:
-        throw new LrBadArgumentException(`Unknown payloadType: ${payloadType}`);
-    }
-  }
-}

package/src/lib/cryptography/key-factory.service.spec.ts

@@ -1,15 +0,0 @@
-import { TestBed } from '@angular/core/testing';
-import { KeyFactoryService } from './key-factory.service';
-
-describe('KeyFactoryService', () => {
-  let service: KeyFactoryService;
-
-  beforeEach(() => {
-    TestBed.configureTestingModule({});
-    service = TestBed.inject(KeyFactoryService);
-  });
-
-  it('should be created', () => {
-    expect(service).toBeTruthy();
-  });
-});

package/src/lib/cryptography/key-factory.service.ts

@@ -1,303 +0,0 @@
-import { Injectable } from '@angular/core';
-import { JWK } from 'node-jose';
-import {
-  LbopKeyParams,
-  PassIdpParams,
-  PassKeyParams,
-  DeriveKeyResult,
-  DerivePassIdpParams,
-  DerivePassKeyParams,
-  DeriveLbopKeyParams,
-} from './cryptography.types';
-import { WebCryptoService } from './web-crypto.service';
-import {
-  LrBadArgumentException,
-  LrSuspiciousException,
-} from '../_common/exceptions';
-
-export async function sha256(message) {
-  // encode as UTF-8
-  const msgBuffer = new TextEncoder().encode(message);
-
-  // hash the message
-  const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
-
-  // convert ArrayBuffer to Array
-  const hashArray = Array.from(new Uint8Array(hashBuffer));
-
-  // convert bytes to hex string
-  const hashHex = hashArray
-    .map((b) => ('00' + b.toString(16)).slice(-2))
-    .join('');
-  return hashHex;
-}
-
-@Injectable({
-  providedIn: 'root',
-})
-export class KeyFactoryService {
-  constructor(private webCryptoService: WebCryptoService) {
-    this.crypto = this.webCryptoService.crypto;
-  }
-  private readonly crypto;
-  // Global keys store. Otherwise, each call to asKey creates a new keyStore.
-  // <AZ> Did not seem to improve speed.
-  // public static keyStore = JWK.createKeyStore();
-
-  // AZ: This can't be change easily. It's basically a PassK or PassIdp rotation.
-  // todo: we should eventually increase this periodically to match with Moore's law.
-  // The iterations for each key are kept by the server as well but we assume the value
-  // from the server is not trustworthy, so need to have minimum thresholds here.
-  // If creating new keys, these minimum are used.
-  public readonly MIN_PASS_IDP_PBKDF_ITER = 100000;
-  public readonly MIN_PASS_KEY_PBKDF_ITER = 100000;
-  public readonly MIN_LBOP_KEY_PBKDF_ITER = 100000;
-
-  // These are used as the default values. They must be larger than the minimum values.
-  public readonly DEFAULT_PASS_IDP_PBKDF_ITER = this.MIN_PASS_IDP_PBKDF_ITER;
-  public readonly DEFAULT_PASS_KEY_PBKDF_ITER = this.MIN_PASS_KEY_PBKDF_ITER;
-  public readonly DEFAULT_LBOP_KEY_PBKDF_ITER = this.MIN_LBOP_KEY_PBKDF_ITER;
-
-  static asKey(
-    key: string | Buffer | object | JWK.RawKey,
-    form?:
-      | 'json'
-      | 'private'
-      | 'pkcs8'
-      | 'public'
-      | 'spki'
-      | 'pkix'
-      | 'x509'
-      | 'pem',
-    extras?: Record<string, unknown>
-  ): Promise<JWK.Key> {
-    // <AZ> Using a single global key store did not seem to improve speed.
-    // return KeyFactoryService.keyStore.add(key, form, extras);
-    return JWK.asKey(key, form, extras);
-  }
-
-  randomString(digits: number): string {
-    if (digits <= 0) {
-      throw new LrBadArgumentException('digits <= 0');
-    }
-    const validChars =
-      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
-    let array = new Uint32Array(digits);
-    this.crypto.getRandomValues(array);
-    array = array.map((x) => validChars.charCodeAt(x % validChars.length));
-    return String.fromCharCode.apply(null, array);
-  }
-
-  randomDigitsNoZeros(digits: number): string {
-    return this.randomChoices([1, 2, 3, 4, 5, 6, 7, 8, 9], digits).join('');
-  }
-
-  randomChoices<T>(array: T[], chooseN: number): T[] {
-    if (array.length <= 1) {
-      throw new LrBadArgumentException('array.length <= 0');
-    }
-    if (chooseN <= 0) {
-      throw new LrBadArgumentException('chooseN <= 0');
-    }
-    const values = new Uint32Array(chooseN);
-    this.crypto.getRandomValues(values);
-    const ret: T[] = [];
-    values.forEach((v) => ret.push(array[v % array.length]));
-    return ret;
-  }
-
-  createSalt(): string {
-    return this.randomString(16);
-  }
-
-  async createKey(): Promise<JWK.Key> {
-    const key = await this.crypto.subtle.generateKey(
-      {
-        name: 'AES-GCM',
-        length: 256, // can be  128, 192, or 256
-      },
-      true, // whether the key is extractable (i.e. can be used in exportKey)
-      ['encrypt', 'decrypt'] // must be ["encrypt", "decrypt"] or ["wrapKey", "unwrapKey"]
-    );
-
-    const jwk = await this.crypto.subtle.exportKey('jwk', key);
-
-    // Removing the fields not needed by node-jose
-    delete jwk.ext;
-    delete jwk.key_ops;
-
-    return KeyFactoryService.asKey(jwk);
-  }
-
-  async createSignKey(): Promise<JWK.Key> {
-    const key = await this.crypto.subtle.generateKey(
-      {
-        name: 'HMAC',
-        hash: { name: 'SHA-512' },
-      },
-      true,
-      ['sign', 'verify']
-    );
-
-    const jwk = await this.crypto.subtle.exportKey('jwk', key);
-
-    // Removing the fields not needed by node-jose
-    delete jwk.key_ops;
-    delete jwk.ext;
-
-    return KeyFactoryService.asKey(jwk);
-  }
-
-  async createPkcKey(): Promise<JWK.Key> {
-    // node-jose is not using Forge properly. It should be calling the async version of
-    // pki.rsa.generateKeyPair() with a callback. Instead it calls the sync version. Webcrypto
-    // does not support sync version, so it uses the javascript implementation, which is way too slow.
-    // So we generate using webcrypto and import the key.
-    // Unfortunately Elliptical Curve is not supported by Webcrypto. So we have to settle for RSA.
-    const key = await this.crypto.subtle.generateKey(
-      {
-        name: 'RSA-OAEP',
-        modulusLength: 2048, // can be 1024, 2048, 3072, 4096 ... 16384
-        // As per suggestion: https://developer.mozilla.org/en-US/docs/Web/API/RsaHashedKeyGenParams
-        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-        hash: { name: 'SHA-256' }, // can be "SHA-1", "SHA-256", "SHA-384", or "SHA-512"
-      },
-      true, // whether the key is extractable (i.e. can be used in exportKey)
-      ['encrypt', 'decrypt'] // must be ["encrypt", "decrypt"] or ["wrapKey", "unwrapKey"]
-    );
-
-    const jwk = await this.crypto.subtle.exportKey('jwk', key.privateKey);
-    // Removing the fields not needed by node-jose
-    delete jwk.key_ops;
-    delete jwk.ext;
-
-    return KeyFactoryService.asKey(jwk);
-  }
-
-  async createPkcSignKey(): Promise<JWK.Key> {
-    const key = await this.crypto.subtle.generateKey(
-      {
-        name: 'RSASSA-PKCS1-v1_5',
-        modulusLength: 2048, // can be 1024, 2048, or 4096
-        // As per suggestion: https://developer.mozilla.org/en-US/docs/Web/API/RsaHashedKeyGenParams
-        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
-        hash: { name: 'SHA-256' }, // can be "SHA-1", "SHA-256", "SHA-384", or "SHA-512"
-      },
-      true, // whether the key is extractable (i.e. can be used in exportKey)
-      ['sign', 'verify'] // can be any combination of "sign" and "verify"
-    );
-
-    const jwk = await this.crypto.subtle.exportKey('jwk', key.privateKey);
-
-    // Removing the fields not needed by node-jose
-    delete jwk.key_ops;
-    delete jwk.ext;
-
-    return KeyFactoryService.asKey(jwk);
-  }
-
-  async deriveKey({
-    password,
-    salt,
-    iterations,
-    kid,
-  }: {
-    password: string;
-    salt: string;
-    iterations: number;
-    kid?: string;
-  }): Promise<DeriveKeyResult> {
-    const enc = new TextEncoder();
-    const rawKey = await this.crypto.subtle.importKey(
-      'raw',
-      enc.encode(password),
-      'PBKDF2',
-      false,
-      ['deriveBits', 'deriveKey']
-    );
-
-    const passKey = await crypto.subtle.deriveKey(
-      {
-        name: 'PBKDF2',
-        salt: new TextEncoder().encode(salt),
-        iterations,
-        hash: 'SHA-256',
-      },
-      rawKey,
-      { name: 'AES-GCM', length: 256 },
-      true,
-      ['encrypt', 'decrypt']
-    );
-
-    const passKeyJson: any = await crypto.subtle.exportKey('jwk', passKey);
-    if (kid) {
-      passKeyJson.kid = kid;
-    }
-
-    const jwk = await KeyFactoryService.asKey(passKeyJson);
-
-    return { jwk };
-  }
-
-  async derivePassIdp(params: DerivePassIdpParams): Promise<DeriveKeyResult> {
-    if (params.iterations < this.MIN_PASS_IDP_PBKDF_ITER) {
-      throw new LrSuspiciousException(
-        `The number of PassIdp key derivation iterations sent from the server (${params.iterations}) is lower than the minimum (${this.MIN_PASS_IDP_PBKDF_ITER})`
-      );
-    }
-    return this.deriveKey(params);
-  }
-
-  async derivePassKey(params: DerivePassKeyParams): Promise<DeriveKeyResult> {
-    if (params.iterations < this.MIN_PASS_KEY_PBKDF_ITER) {
-      throw new LrSuspiciousException(
-        `The number of PassKey key derivation iterations sent from the server(${params.iterations}) is lower than the minimum(${this.MIN_PASS_KEY_PBKDF_ITER})`
-      );
-    }
-    return this.deriveKey(params);
-  }
-
-  async deriveLbopKey(params: DeriveLbopKeyParams): Promise<DeriveKeyResult> {
-    if (params.iterations < this.MIN_LBOP_KEY_PBKDF_ITER) {
-      throw new LrSuspiciousException(
-        `The number of LbopKey key derivation iterations sent from the server(${params.iterations}) is lower than the minimum(${this.MIN_LBOP_KEY_PBKDF_ITER})`
-      );
-    }
-    return this.deriveKey(params);
-  }
-
-  async createKid(): Promise<string> {
-    // todo: AZ: node-jose source uses node's default UUID() function for kid, so just change to use that.
-    // for now, we are just creating a new key to use it's kid.
-    // The kid is a part of the JWK system. LR backend maintains the key hierarchy separately with it's own
-    // key id. But we just use it here as a double check.
-    return (await this.createKey()).kid;
-  }
-
-  async createPassIdpParams(): Promise<PassIdpParams> {
-    return {
-      salt: this.createSalt(),
-      iterations: this.DEFAULT_PASS_IDP_PBKDF_ITER,
-    };
-  }
-
-  async createPassKeyParams(): Promise<PassKeyParams> {
-    return {
-      salt: this.createSalt(),
-      kid: await this.createKid(),
-      iterations: this.DEFAULT_PASS_KEY_PBKDF_ITER,
-    };
-  }
-
-  async createLbopKeyParams(): Promise<LbopKeyParams> {
-    return {
-      salt: this.createSalt(),
-      // todo: AZ: node-jose source uses node's default UUID() function for kid, so just change to use that.
-      // for now, we are just creating a new key to use it's kid.
-      // The kid is a part of the JWK system. LR backend maintains the key hierarchy separately with it's own
-      // key id. But we just use it here as a double check.
-      kid: await this.createKid(),
-      iterations: this.DEFAULT_PASS_KEY_PBKDF_ITER,
-    };
-  }
-}

package/src/lib/cryptography/key-graph.service.spec.ts

@@ -1,16 +0,0 @@
-import { TestBed } from '@angular/core/testing';
-import { lrConfigureTestingModule } from '../_common/tests';
-import { KeyGraphService } from './key-graph.service';
-
-describe('KeyGraph', () => {
-  let service: KeyGraphService;
-
-  beforeEach(() => {
-    lrConfigureTestingModule();
-    service = TestBed.inject(KeyGraphService);
-  });
-
-  it('should be created', () => {
-    expect(service).toBeTruthy();
-  });
-});