@verii/crypto 1.0.0-pre.1752076816 → 1.0.0-pre.1754289942

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@verii/crypto",
-  "version": "1.0.0-pre.1752076816",
-  "description": "Set of secp256k1 based functions used in Velocity Foundation projects",
+  "version": "1.0.0-pre.1754289942",
+  "description": "Set of crypto functions used in Verii projects",
   "repository": "https://github.com/LFDT-Verii/core",
   "main": "index.js",
   "publishConfig": {
@@ -16,9 +16,11 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@trust/keyto": "~2.0.0-alpha1",
-    "@verii/test-regexes": "1.0.0-pre.1752076816",
-    "argon2": "0.43.0",
-    "canonicalize": "^2.0.0",
+    "@verii/test-regexes": "1.0.0-pre.1754289942",
+    "argon2": "0.43.1",
+    "bigint-crypto-utils": "3.3.0",
+    "canonicalize": "^2.1.0",
+    "cborg": "4.2.12",
     "elliptic": "^6.6.1",
     "lodash": "^4.17.21",
     "multihashing": "~0.3.3",
@@ -42,5 +44,5 @@
       "lib"
     ]
   },
-  "gitHead": "5885ce94149cc0102b2bc9cde18834293174bfaf"
+  "gitHead": "772b121fb3eb2ee0077a1b5c9eec3281215e9e9f"
 }

package/src/constants.js

@@ -26,8 +26,10 @@ const KeyPurposes = {
 
 // TODO If we create a keys entity package, KeyAlgorithms should probably be moved there
 const KeyAlgorithms = {
-  SECP256K1: 'SECP256K1',
+  // Could be renamed to JsonWebAlgorithms
+  SECP256K1: 'SECP256K1', // Also ES256K
   ES256: 'ES256',
+  RS256: 'RS256',
 };
 
 // TODO If we create a keys entity package, KeyEncodings should probably be moved there

package/src/crypto.js

@@ -22,6 +22,7 @@ const randomNumber = require('random-number-csprng');
 const multihash = require('multihashing');
 const keyto = require('@trust/keyto');
 const { HEX_FORMAT } = require('@verii/test-regexes');
+const { KeyAlgorithms } = require('./constants');
 
 const secp256k1 = new EC('secp256k1');
 
@@ -35,14 +36,33 @@ const createCommitment = (val) => {
   return Buffer.from(hash).toString('base64');
 };
 
-const generateJWAKeyPair = (config) =>
-  config.algorithm === 'rsa'
+const generateJWAKeyPair = (dsaOrConfig) => {
+  const jwaConfig = isString(dsaOrConfig)
+    ? dsaJwaConfigMap[dsaOrConfig]
+    : dsaOrConfig;
+
+  return jwaConfig.algorithm === 'rsa'
     ? generateKeyPair({ type: 'rsa', format: 'jwk', modulusLength: 2048 })
     : generateKeyPair({
         type: 'ec',
         format: 'jwk',
-        curve: config.curve,
+        curve: jwaConfig.curve,
       });
+};
+
+const dsaJwaConfigMap = {
+  [KeyAlgorithms.SECP256K1]: {
+    algorithm: 'ec',
+    curve: 'secp256k1',
+  },
+  [KeyAlgorithms.ES256]: {
+    algorithm: 'ec',
+    curve: 'P-256',
+  },
+  [KeyAlgorithms.RS256]: {
+    algorithm: 'rsa',
+  },
+};
 
 const generateKeyPair = (options = {}) => {
   const { format = 'hex', type = 'ec' } = options;
@@ -154,30 +174,47 @@ const verifyBase64Signature = (value, signature, publicKey) => {
     );
 };
 
-const encrypt = (text, secret) => {
-  const iv = crypto.randomBytes(16);
+const encryptBuffer = (buffer, secret) =>
+  doEncrypt(secret, (cipher) => cipher.update(buffer));
+
+const encrypt = (text, secret) =>
+  doEncrypt(secret, (cipher) => cipher.update(text, 'utf8')).toString('base64');
+
+const decryptBuffer = (encrypted, secret) =>
+  doDecrypt(encrypted, secret, (encryptedBuffer, decipher) =>
+    Buffer.concat([decipher.update(encryptedBuffer), decipher.final()])
+  );
+
+const decrypt = (encrypted, secret) => {
+  const bData = Buffer.from(encrypted, 'base64');
+  return doDecrypt(
+    bData,
+    secret,
+    (encryptedBuffer, decipher) =>
+      decipher.update(encryptedBuffer, 'binary', 'utf8') +
+      decipher.final('utf8')
+  );
+};
+
+const doEncrypt = (secret, callback) => {
   const salt = crypto.randomBytes(64);
+  const iv = crypto.randomBytes(16);
   const key = crypto.pbkdf2Sync(secret, salt, 2145, 32, 'sha512');
   const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
-
-  const encrypted = Buffer.concat([
-    cipher.update(text, 'utf8'),
-    cipher.final(),
-  ]);
+  const encrypted = Buffer.concat([callback(cipher), cipher.final()]);
   const tag = cipher.getAuthTag();
-  return Buffer.concat([salt, iv, tag, encrypted]).toString('base64');
+  return Buffer.concat([salt, iv, tag, encrypted]);
 };
 
-const decrypt = (encrypted, secret) => {
-  const bData = Buffer.from(encrypted, 'base64');
-  const salt = bData.slice(0, 64);
-  const iv = bData.slice(64, 80);
-  const tag = bData.slice(80, 96);
-  const text = bData.slice(96);
+const doDecrypt = (encrypted, secret, callback) => {
+  const salt = encrypted.slice(0, 64);
+  const iv = encrypted.slice(64, 80);
+  const tag = encrypted.slice(80, 96);
+  const buffer = encrypted.slice(96);
   const key = crypto.pbkdf2Sync(secret, salt, 2145, 32, 'sha512');
   const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
   decipher.setAuthTag(tag);
-  return decipher.update(text, 'binary', 'utf8') + decipher.final('utf8');
+  return callback(buffer, decipher);
 };
 
 const generateRandomNumber = (length) =>
@@ -198,9 +235,9 @@ const initBuildRefreshToken = (bitLength = 512) => {
   return () => generateRandomBytes(byteLength).toString('hex');
 };
 
-const deriveEncryptionSecretFromPassword = async (contentHash) => {
-  const salt = Buffer.from(contentHash.slice(-16), 'hex');
-  const secret = await argon2.hash(contentHash, {
+const deriveEncryptionSecretFromPassword = async (password) => {
+  const salt = Buffer.from(password.slice(-16), 'hex');
+  const secret = await argon2.hash(password, {
     type: argon2.argon2i,
     salt,
     raw: true,
@@ -219,6 +256,8 @@ module.exports = {
   publicKeyHexToPem,
   encrypt,
   decrypt,
+  encryptBuffer,
+  decryptBuffer,
   signPayload,
   verifyPayload,
   hashAndEncodeHex,