@oxyhq/services 5.16.40 → 5.16.42

package/src/core/identity-session/IdentityManager.ts

@@ -0,0 +1,474 @@
+/**
+ * Identity Manager
+ * 
+ * Manages cryptographic identity (OxyID) - SOLO NATIVE
+ * Handles key generation, storage, import, export, and signing operations.
+ */
+
+import { ec as EC } from 'elliptic';
+import type { ECKeyPair } from 'elliptic';
+import type { PlatformAdapter } from '../../adapters';
+import type { Identity, BackupData } from './types';
+import {
+  createIdentitySessionError,
+  IdentitySessionErrorCodes,
+} from './errors';
+import {
+  isValidPublicKey,
+  isValidPrivateKey,
+  derivePublicKey,
+  getEllipticCurve,
+} from '../../crypto/core';
+
+const ec = getEllipticCurve();
+
+const STORAGE_KEYS = {
+  PRIVATE_KEY: 'oxy_identity_private_key',
+  PUBLIC_KEY: 'oxy_identity_public_key',
+  BACKUP_PRIVATE_KEY: 'oxy_identity_backup_private_key',
+  BACKUP_PUBLIC_KEY: 'oxy_identity_backup_public_key',
+  BACKUP_TIMESTAMP: 'oxy_identity_backup_timestamp',
+} as const;
+
+/**
+ * Identity Manager Class
+ */
+export class IdentityManager {
+  private adapter: PlatformAdapter;
+  private cachedPublicKey: string | null = null;
+  private cachedHasIdentity: boolean | null = null;
+
+  constructor(adapter: PlatformAdapter) {
+    this.adapter = adapter;
+  }
+
+  /**
+   * Invalidate cached identity state
+   */
+  invalidateCache(): void {
+    this.cachedPublicKey = null;
+    this.cachedHasIdentity = null;
+  }
+
+  /**
+   * Check if identity operations are available (only on native)
+   */
+  private ensureNativePlatform(): void {
+    if (this.adapter.platform !== 'native') {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_AVAILABLE_ON_WEB,
+        'Identity operations are only available on native platforms (iOS/Android)'
+      );
+    }
+
+    if (!this.adapter.storage.isSecureStorageAvailable()) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.SECURE_STORAGE_NOT_AVAILABLE,
+        'Secure storage is not available on this platform'
+      );
+    }
+  }
+
+  /**
+   * Convert Uint8Array to hexadecimal string
+   */
+  private uint8ArrayToHex(bytes: Uint8Array): string {
+    return Array.from(bytes)
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('');
+  }
+
+  /**
+   * Generate a new ECDSA secp256k1 key pair
+   */
+  async generateKeyPair(): Promise<{ publicKey: string; privateKey: string }> {
+    this.ensureNativePlatform();
+
+    const randomBytes = await this.adapter.crypto.getRandomBytes(32);
+    const privateKeyHex = this.uint8ArrayToHex(randomBytes);
+    const keyPair = ec.keyFromPrivate(privateKeyHex);
+
+    return {
+      privateKey: keyPair.getPrivate('hex'),
+      publicKey: keyPair.getPublic('hex'),
+    };
+  }
+
+  /**
+   * Create a new identity (generate and store key pair)
+   */
+  async createIdentity(): Promise<string> {
+    this.ensureNativePlatform();
+
+    const { privateKey, publicKey } = await this.generateKeyPair();
+
+    await this.adapter.storage.secureSet(STORAGE_KEYS.PRIVATE_KEY, privateKey);
+    await this.adapter.storage.secureSet(STORAGE_KEYS.PUBLIC_KEY, publicKey);
+
+    // Update cache
+    this.cachedPublicKey = publicKey;
+    this.cachedHasIdentity = true;
+
+    return publicKey;
+  }
+
+  /**
+   * Import an existing key pair (e.g., from backup file)
+   */
+  async importKeyPair(privateKey: string): Promise<string> {
+    this.ensureNativePlatform();
+
+    if (!isValidPrivateKey(privateKey)) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.INVALID_PRIVATE_KEY,
+        'Invalid private key format'
+      );
+    }
+
+    const keyPair = ec.keyFromPrivate(privateKey);
+    const publicKey = keyPair.getPublic('hex');
+
+    if (!isValidPublicKey(publicKey)) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.INVALID_PUBLIC_KEY,
+        'Failed to derive valid public key from private key'
+      );
+    }
+
+    await this.adapter.storage.secureSet(STORAGE_KEYS.PRIVATE_KEY, privateKey);
+    await this.adapter.storage.secureSet(STORAGE_KEYS.PUBLIC_KEY, publicKey);
+
+    // Update cache
+    this.cachedPublicKey = publicKey;
+    this.cachedHasIdentity = true;
+
+    return publicKey;
+  }
+
+  /**
+   * Get the stored private key
+   * WARNING: Only use this for signing operations within the app
+   */
+  async getPrivateKey(): Promise<string | null> {
+    this.ensureNativePlatform();
+
+    try {
+      return await this.adapter.storage.secureGet(STORAGE_KEYS.PRIVATE_KEY);
+    } catch (error) {
+      console.warn('[IdentityManager] Failed to access secure store:', error);
+      return null;
+    }
+  }
+
+  /**
+   * Get the stored public key (cached for performance)
+   */
+  async getPublicKey(): Promise<string | null> {
+    if (this.adapter.platform !== 'native') {
+      return null; // Identity only exists on native
+    }
+
+    if (this.cachedPublicKey !== null) {
+      return this.cachedPublicKey;
+    }
+
+    try {
+      const publicKey = await this.adapter.storage.secureGet(STORAGE_KEYS.PUBLIC_KEY);
+
+      // Cache result (null is a valid cache value meaning no identity)
+      this.cachedPublicKey = publicKey;
+
+      return publicKey;
+    } catch (error) {
+      // If secure store is not available, return null (no identity)
+      this.cachedPublicKey = null;
+      console.warn('[IdentityManager] Failed to access secure store:', error);
+      return null;
+    }
+  }
+
+  /**
+   * Check if an identity (key pair) exists on this device (cached for performance)
+   */
+  async hasIdentity(): Promise<boolean> {
+    if (this.adapter.platform !== 'native') {
+      return false; // Identity only exists on native
+    }
+
+    if (this.cachedHasIdentity !== null) {
+      return this.cachedHasIdentity;
+    }
+
+    try {
+      const privateKey = await this.getPrivateKey();
+      const hasIdentity = privateKey !== null;
+
+      // Cache result
+      this.cachedHasIdentity = hasIdentity;
+
+      return hasIdentity;
+    } catch (error) {
+      // If we can't check, assume no identity (safer default)
+      this.cachedHasIdentity = false;
+      console.warn('[IdentityManager] Failed to check identity:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Delete the stored identity (both keys)
+   */
+  async deleteIdentity(
+    skipBackup: boolean = false,
+    force: boolean = false,
+    userConfirmed: boolean = false
+  ): Promise<void> {
+    this.ensureNativePlatform();
+
+    // CRITICAL SAFEGUARD: Require explicit user confirmation unless force is true
+    if (!force && !userConfirmed) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_DELETE_FAILED,
+        'Identity deletion requires explicit user confirmation'
+      );
+    }
+
+    if (!force) {
+      const hasIdentity = await this.hasIdentity();
+      if (!hasIdentity) {
+        return; // Nothing to delete
+      }
+    }
+
+    // ALWAYS create backup before deletion unless explicitly skipped
+    if (!skipBackup) {
+      try {
+        const backupSuccess = await this.backupIdentity();
+        if (!backupSuccess) {
+          console.warn('[IdentityManager] Failed to backup identity before deletion - proceeding anyway');
+        }
+      } catch (backupError) {
+        console.warn('[IdentityManager] Failed to backup identity before deletion:', backupError);
+      }
+    }
+
+    await this.adapter.storage.secureDelete(STORAGE_KEYS.PRIVATE_KEY);
+    await this.adapter.storage.secureDelete(STORAGE_KEYS.PUBLIC_KEY);
+
+    // Invalidate cache
+    this.invalidateCache();
+
+    // Also clear backup if force deletion
+    if (force) {
+      try {
+        await this.adapter.storage.secureDelete(STORAGE_KEYS.BACKUP_PRIVATE_KEY);
+        await this.adapter.storage.secureDelete(STORAGE_KEYS.BACKUP_PUBLIC_KEY);
+        await this.adapter.storage.remove(STORAGE_KEYS.BACKUP_TIMESTAMP);
+      } catch (error) {
+        // Ignore backup deletion errors
+      }
+    }
+  }
+
+  /**
+   * Backup identity to SecureStore (separate backup storage)
+   */
+  async backupIdentity(): Promise<boolean> {
+    this.ensureNativePlatform();
+
+    try {
+      const privateKey = await this.getPrivateKey();
+      const publicKey = await this.getPublicKey();
+
+      if (!privateKey || !publicKey) {
+        return false; // Nothing to backup
+      }
+
+      // Store backup in SecureStore (still secure, but separate from primary storage)
+      await this.adapter.storage.secureSet(STORAGE_KEYS.BACKUP_PRIVATE_KEY, privateKey);
+      await this.adapter.storage.secureSet(STORAGE_KEYS.BACKUP_PUBLIC_KEY, publicKey);
+      await this.adapter.storage.set(STORAGE_KEYS.BACKUP_TIMESTAMP, Date.now().toString());
+
+      return true;
+    } catch (error) {
+      console.error('[IdentityManager] Failed to backup identity:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Restore identity from backup if primary storage is corrupted
+   */
+  async restoreIdentityFromBackup(): Promise<boolean> {
+    this.ensureNativePlatform();
+
+    try {
+      // Invalidate cache before restoring to ensure fresh state
+      this.invalidateCache();
+
+      // Check if backup exists
+      const backupPrivateKey = await this.adapter.storage.secureGet(STORAGE_KEYS.BACKUP_PRIVATE_KEY);
+      const backupPublicKey = await this.adapter.storage.secureGet(STORAGE_KEYS.BACKUP_PUBLIC_KEY);
+
+      if (!backupPrivateKey || !backupPublicKey) {
+        return false; // No backup available
+      }
+
+      // Verify backup integrity
+      if (!isValidPrivateKey(backupPrivateKey)) {
+        return false;
+      }
+
+      if (!isValidPublicKey(backupPublicKey)) {
+        return false;
+      }
+
+      // Verify keys match
+      const derivedPublicKey = derivePublicKey(backupPrivateKey);
+      if (derivedPublicKey !== backupPublicKey) {
+        return false; // Backup keys don't match
+      }
+
+      await this.adapter.storage.secureSet(STORAGE_KEYS.PRIVATE_KEY, backupPrivateKey);
+      await this.adapter.storage.secureSet(STORAGE_KEYS.PUBLIC_KEY, backupPublicKey);
+
+      const restored = await this.verifyIdentityIntegrity();
+      if (restored) {
+        // Update cache
+        this.cachedPublicKey = backupPublicKey;
+        this.cachedHasIdentity = true;
+
+        await this.adapter.storage.set(STORAGE_KEYS.BACKUP_TIMESTAMP, Date.now().toString());
+        return true;
+      }
+
+      return false;
+    } catch (error) {
+      console.error('[IdentityManager] Failed to restore identity from backup:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Verify identity integrity - checks if keys are valid and accessible
+   */
+  async verifyIdentityIntegrity(): Promise<boolean> {
+    this.ensureNativePlatform();
+
+    try {
+      const privateKey = await this.getPrivateKey();
+      const publicKey = await this.getPublicKey();
+
+      if (!privateKey || !publicKey) {
+        return false;
+      }
+
+      // Validate private key format
+      if (!isValidPrivateKey(privateKey)) {
+        return false;
+      }
+
+      // Validate public key format
+      if (!isValidPublicKey(publicKey)) {
+        return false;
+      }
+
+      // Verify public key can be derived from private key
+      const derivedPublicKey = derivePublicKey(privateKey);
+      if (derivedPublicKey !== publicKey) {
+        return false; // Keys don't match
+      }
+
+      // Verify we can create a key pair object (tests elliptic curve operations)
+      const keyPair = await this.getKeyPairObject();
+      if (!keyPair) {
+        return false;
+      }
+
+      return true;
+    } catch (error) {
+      console.error('[IdentityManager] Identity integrity check failed:', error);
+      return false;
+    }
+  }
+
+  /**
+   * Get the elliptic curve key object from the stored private key
+   * Used internally for signing operations
+   */
+  async getKeyPairObject(): Promise<ECKeyPair | null> {
+    this.ensureNativePlatform();
+
+    const privateKey = await this.getPrivateKey();
+    if (!privateKey) return null;
+
+    return ec.keyFromPrivate(privateKey);
+  }
+
+  /**
+   * Decrypt backup data and import identity
+   */
+  async decryptAndImportBackup(backupData: BackupData, password: string): Promise<string> {
+    this.ensureNativePlatform();
+
+    try {
+      // Convert hex strings to Uint8Array
+      const saltBytes = new Uint8Array(
+        backupData.salt.match(/.{1,2}/g)?.map(byte => parseInt(byte, 16)) || []
+      );
+      const ivBytes = new Uint8Array(
+        backupData.iv.match(/.{1,2}/g)?.map(byte => parseInt(byte, 16)) || []
+      );
+
+      // Derive key from password (same algorithm as EncryptedBackupGenerator)
+      const saltHex = Array.from(saltBytes).map(b => b.toString(16).padStart(2, '0')).join('');
+      let key = password + saltHex;
+      for (let i = 0; i < 10000; i++) {
+        key = await this.adapter.crypto.digestStringAsync('SHA256', key);
+      }
+      const keyBytes = new Uint8Array(32);
+      for (let i = 0; i < 64 && i < key.length; i += 2) {
+        keyBytes[i / 2] = parseInt(key.substring(i, i + 2), 16);
+      }
+
+      // Decrypt private key (XOR decryption - same as encryption)
+      const encryptedBytes = Buffer.from(backupData.encrypted, 'base64');
+      const decryptedBytes = new Uint8Array(encryptedBytes.length);
+      for (let i = 0; i < encryptedBytes.length; i++) {
+        decryptedBytes[i] = encryptedBytes[i] ^ keyBytes[i % keyBytes.length] ^ ivBytes[i % ivBytes.length];
+      }
+      const privateKey = new TextDecoder().decode(decryptedBytes);
+
+      // Import the key pair
+      return await this.importKeyPair(privateKey);
+    } catch (error) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.BACKUP_DECRYPTION_FAILED,
+        `Failed to decrypt backup: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+
+  /**
+   * Sign a challenge using the stored private key
+   */
+  async signChallenge(challenge: string): Promise<string> {
+    this.ensureNativePlatform();
+
+    const keyPair = await this.getKeyPairObject();
+    if (!keyPair) {
+      throw createIdentitySessionError(
+        IdentitySessionErrorCodes.IDENTITY_NOT_FOUND,
+        'No identity found. Please create or import an identity first.'
+      );
+    }
+
+    // Hash the challenge
+    const messageHash = await this.adapter.crypto.digestStringAsync('SHA256', challenge);
+    
+    // Sign the hash
+    const signature = keyPair.sign(messageHash);
+    return signature.toDER('hex');
+  }
+}
+