favalib 0.0.1

package/build/CryptoProviders/browser/index.mjs

@@ -0,0 +1,209 @@
+import forge from 'node-forge';
+import { base64ToUint8Array, stringToUint8Array, uint8ArrayToBase64, uint8ArrayToString, } from 'uint8array-extras';
+import { argon2id } from 'hash-wasm';
+import { CryptoError } from '../../TwoFALibError.mjs';
+/**
+ * Normalizes line endings in a string so they match the
+ * node cryptoprovider format
+ * @param str - The input string to normalize.
+ * @returns The normalized string with consistent line endings.
+ */
+const normalizeLineEndings = (str) => {
+    return str.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
+};
+/**
+ * Create a password hash
+ * @param salt - The salt to use
+ * @param passphrase - The passphrase to hash
+ * @returns The calculated password hash
+ */
+export const generatePassphraseHash = (salt, passphrase) => {
+    return argon2id({
+        password: passphrase,
+        salt,
+        parallelism: 1,
+        iterations: 256,
+        memorySize: 512,
+        hashLength: 64,
+        outputType: 'hex',
+    });
+};
+/**
+ * @inheritdoc
+ */
+class BrowserCryptoLib {
+    /**
+     * @inheritdoc
+     */
+    async getRandomBytes(count) {
+        return Promise.resolve(window.crypto.getRandomValues(new Uint8Array(count)));
+    }
+    /**
+     * @inheritdoc
+     */
+    async createKeys(passphrase) {
+        // create random salt
+        const salt = uint8ArrayToBase64(window.crypto.getRandomValues(new Uint8Array(16)));
+        // create passwordHash
+        const passphraseHash = await generatePassphraseHash(salt, passphrase);
+        const { privateKey, encryptedPrivateKey, publicKey } = await this.createKeyPair(passphraseHash);
+        const symmetricKey = await this.createSymmetricKey();
+        const encryptedSymmetricKey = await this.encrypt(publicKey, symmetricKey);
+        return {
+            privateKey,
+            symmetricKey,
+            encryptedPrivateKey,
+            encryptedSymmetricKey: encryptedSymmetricKey,
+            salt,
+            publicKey,
+        };
+    }
+    /**
+     * @inheritdoc
+     */
+    async encryptKeys(privateKey, symmetricKey, salt, passphrase) {
+        // recreate passwordHash
+        const passphraseHash = await generatePassphraseHash(salt, passphrase);
+        const encryptedPrivateKey = await this.encryptPrivateKey(privateKey, passphraseHash);
+        const publicKey = await this.getPublicKeyFromPrivateKey(privateKey);
+        const encryptedSymmetricKey = await this.encrypt(publicKey, symmetricKey);
+        return {
+            encryptedPrivateKey,
+            encryptedSymmetricKey: encryptedSymmetricKey,
+        };
+    }
+    /**
+     * @inheritdoc
+     */
+    async decryptKeys(encryptedPrivateKey, encryptedSymmetricKey, salt, passphrase) {
+        // recreate passwordHash
+        const passphraseHash = await generatePassphraseHash(salt, passphrase);
+        const { privateKey, publicKey } = await this.decryptPrivateKey(encryptedPrivateKey, passphraseHash);
+        const symmetricKey = (await this.decrypt(privateKey, encryptedSymmetricKey));
+        return { privateKey, publicKey, symmetricKey };
+    }
+    /**
+     * @inheritdoc
+     */
+    async encrypt(publicKey, plainText) {
+        const publicKeyObj = forge.pki.publicKeyFromPem(publicKey);
+        const encrypted = publicKeyObj.encrypt(plainText, 'RSA-OAEP');
+        return Promise.resolve(btoa(encrypted));
+    }
+    /**
+     * @inheritdoc
+     */
+    async decrypt(privateKey, encryptedText) {
+        const privateKeyObj = forge.pki.privateKeyFromPem(privateKey);
+        const decrypted = privateKeyObj.decrypt(atob(encryptedText), 'RSA-OAEP');
+        return Promise.resolve(decrypted);
+    }
+    /**
+     * @inheritdoc
+     */
+    async encryptSymmetric(symmetricKey, plainText) {
+        const key = await window.crypto.subtle.importKey('raw', base64ToUint8Array(symmetricKey), { name: 'AES-CBC', length: 256 }, false, ['encrypt']);
+        const iv = window.crypto.getRandomValues(new Uint8Array(16));
+        const encrypted = await window.crypto.subtle.encrypt({ name: 'AES-CBC', iv }, key, stringToUint8Array(plainText));
+        const result = [
+            uint8ArrayToBase64(iv),
+            uint8ArrayToBase64(new Uint8Array(encrypted)),
+        ];
+        return result.join(':');
+    }
+    /**
+     * @inheritdoc
+     */
+    async decryptSymmetric(symmetricKey, encryptedText) {
+        const [ivString, encryptedData] = encryptedText.split(':');
+        const iv = base64ToUint8Array(ivString);
+        const keyUint8Array = base64ToUint8Array(symmetricKey);
+        const key = await window.crypto.subtle.importKey('raw', keyUint8Array, { name: 'AES-CBC', length: 256 }, false, ['decrypt']);
+        const encrypted = base64ToUint8Array(encryptedData);
+        const decrypted = await window.crypto.subtle.decrypt({ name: 'AES-CBC', iv }, key, encrypted);
+        return uint8ArrayToString(decrypted);
+    }
+    /**
+     * @inheritdoc
+     */
+    async createSymmetricKey() {
+        const key = await window.crypto.subtle.generateKey({ name: 'AES-CBC', length: 256 }, true, ['encrypt', 'decrypt']);
+        const exportedKey = await window.crypto.subtle.exportKey('raw', key);
+        return uint8ArrayToBase64(new Uint8Array(exportedKey));
+    }
+    /**
+     * @inheritdoc
+     */
+    async createSyncKey(sharedKey, salt) {
+        const key = await argon2id({
+            password: sharedKey,
+            salt,
+            parallelism: 1,
+            iterations: 256,
+            memorySize: 512,
+            hashLength: 32,
+            outputType: 'binary',
+        });
+        return uint8ArrayToBase64(key);
+    }
+    async encryptPrivateKey(privateKey, passphraseHash) {
+        const privateKeyObj = forge.pki.privateKeyFromPem(privateKey);
+        const encryptedPrivateKey = forge.pki.encryptRsaPrivateKey(privateKeyObj, passphraseHash, {
+            algorithm: 'aes256',
+        });
+        return Promise.resolve(encryptedPrivateKey);
+    }
+    async decryptPrivateKey(encryptedPrivateKey, passphraseHash) {
+        try {
+            const privateKeyPem = forge.pki.decryptRsaPrivateKey(encryptedPrivateKey, passphraseHash);
+            if (!privateKeyPem) {
+                throw new CryptoError('Invalid passphrase');
+            }
+            const privateKey = forge.pki.privateKeyToPem(privateKeyPem);
+            const publicKey = forge.pki.publicKeyToPem(forge.pki.setRsaPublicKey(privateKeyPem.n, privateKeyPem.e));
+            return Promise.resolve({
+                privateKey: normalizeLineEndings(privateKey),
+                publicKey: normalizeLineEndings(publicKey),
+            });
+        }
+        catch (err) {
+            // eslint-disable-next-line no-restricted-globals
+            if (err instanceof Error) {
+                if (err.message === 'Invalid passphrase') {
+                    throw new CryptoError('Invalid passphrase');
+                }
+                if (err.message.includes('Unsupported private key')) {
+                    throw new CryptoError('Invalid private key');
+                }
+            }
+            throw err;
+        }
+    }
+    async createKeyPair(passphrase) {
+        return new Promise((resolve, reject) => {
+            forge.pki.rsa.generateKeyPair({ bits: 4096 }, (err, keyPair) => {
+                if (err) {
+                    reject(err);
+                }
+                else {
+                    const publicKey = forge.pki.publicKeyToPem(keyPair.publicKey);
+                    const privateKey = forge.pki.privateKeyToPem(keyPair.privateKey);
+                    const encryptedPrivateKey = forge.pki.encryptRsaPrivateKey(keyPair.privateKey, passphrase, {
+                        algorithm: 'aes256',
+                    });
+                    resolve({
+                        privateKey: normalizeLineEndings(privateKey),
+                        publicKey: normalizeLineEndings(publicKey),
+                        encryptedPrivateKey,
+                    });
+                }
+            });
+        });
+    }
+    async getPublicKeyFromPrivateKey(privateKey) {
+        const privateKeyObj = forge.pki.privateKeyFromPem(privateKey);
+        const publicKey = forge.pki.publicKeyToPem(forge.pki.setRsaPublicKey(privateKeyObj.n, privateKeyObj.e));
+        return Promise.resolve(normalizeLineEndings(publicKey));
+    }
+}
+export default BrowserCryptoLib;

package/build/CryptoProviders/node/index.d.mts

@@ -0,0 +1,62 @@
+import type CryptoLib from '../../interfaces/CryptoLib.mjs';
+import type { Encrypted, EncryptedPrivateKey, EncryptedSymmetricKey, Passphrase, PrivateKey, PublicKey, Salt, SymmetricKey, SyncKey } from '../../interfaces/CryptoLib.mjs';
+/**
+ * @inheritdoc
+ */
+declare class NodeCryptoLib implements CryptoLib {
+    /**
+     * @inheritdoc
+     */
+    getRandomBytes(count: number): Promise<Uint8Array>;
+    /**
+     * @inheritdoc
+     */
+    createKeys(passphrase: Passphrase): Promise<{
+        privateKey: PrivateKey;
+        symmetricKey: SymmetricKey;
+        publicKey: PublicKey;
+        salt: Salt;
+        encryptedPrivateKey: EncryptedPrivateKey;
+        encryptedSymmetricKey: EncryptedSymmetricKey;
+    }>;
+    /**
+     * @inheritdoc
+     */
+    encryptKeys(privateKey: PrivateKey, symmetricKey: SymmetricKey, salt: Salt, passphrase: Passphrase): Promise<{
+        encryptedPrivateKey: EncryptedPrivateKey;
+        encryptedSymmetricKey: EncryptedSymmetricKey;
+    }>;
+    /**
+     * @inheritdoc
+     */
+    decryptKeys(encryptedPrivateKey: EncryptedPrivateKey, encryptedSymmetricKey: EncryptedSymmetricKey, salt: Salt, passphrase: Passphrase): Promise<{
+        privateKey: PrivateKey;
+        publicKey: PublicKey;
+        symmetricKey: SymmetricKey;
+    }>;
+    /**
+     * @inheritdoc
+     */
+    encrypt<T extends string>(publicKey: PublicKey, plainText: T): Promise<Encrypted<T>>;
+    /**
+     * @inheritdoc
+     */
+    decrypt<T extends string>(privateKey: PrivateKey, encryptedText: Encrypted<T>): Promise<T>;
+    /**
+     * @inheritdoc
+     */
+    encryptSymmetric<T extends string>(symmetricKey: SymmetricKey, plainText: T): Promise<Encrypted<T>>;
+    /**
+     * @inheritdoc
+     */
+    decryptSymmetric<T extends string>(symmetricKey: SymmetricKey, encryptedText: Encrypted<T>): Promise<T>;
+    /**
+     * @inheritdoc
+     */
+    createSymmetricKey(): Promise<SymmetricKey>;
+    /**
+     * @inheritdoc
+     */
+    createSyncKey(sharedKey: Uint8Array, salt: string): Promise<SyncKey>;
+}
+export default NodeCryptoLib;

package/build/CryptoProviders/node/index.mjs

@@ -0,0 +1,189 @@
+/* eslint no-restricted-globals: ["error", "Error"] */
+import { promisify } from 'node:util';
+import { generateKeyPair as generateKeyPairCb, generateKey as generateKeyCb, publicEncrypt, privateDecrypt, createPrivateKey, createPublicKey, randomBytes, createCipheriv, createDecipheriv, } from 'node:crypto';
+import { argon2id } from 'hash-wasm';
+import { toUint8Array } from 'uint8array-extras';
+import { CryptoError } from '../../TwoFALibError.mjs';
+import { generatePassphraseHash } from '../browser/index.mjs';
+const generateKeyPair = promisify(generateKeyPairCb);
+const generateKey = promisify(generateKeyCb);
+/**
+ * @inheritdoc
+ */
+class NodeCryptoLib {
+    /**
+     * @inheritdoc
+     */
+    async getRandomBytes(count) {
+        return Promise.resolve(toUint8Array(randomBytes(count)));
+    }
+    /**
+     * @inheritdoc
+     */
+    async createKeys(passphrase) {
+        // create random salt
+        const salt = randomBytes(16).toString('base64');
+        // create passwordHash
+        const passphraseHash = await generatePassphraseHash(salt, passphrase);
+        // Generate public/private key pair
+        const { publicKey, privateKey: encryptedPrivateKey } = await generateKeyPair('rsa', {
+            modulusLength: 4096,
+            publicKeyEncoding: {
+                type: 'spki',
+                format: 'pem',
+            },
+            privateKeyEncoding: {
+                type: 'pkcs8',
+                format: 'pem',
+                cipher: 'aes-256-cbc',
+                passphrase: passphraseHash,
+            },
+        });
+        // Create and encrypt symmetric key with public key
+        const symmetricKey = await this.createSymmetricKey();
+        const encryptedSymmetricKey = await this.encrypt(publicKey, symmetricKey);
+        const { privateKey } = await this.decryptKeys(encryptedPrivateKey, encryptedSymmetricKey, salt, passphrase);
+        return {
+            privateKey: privateKey,
+            symmetricKey,
+            publicKey: publicKey,
+            salt: salt,
+            encryptedPrivateKey: encryptedPrivateKey,
+            encryptedSymmetricKey: encryptedSymmetricKey,
+        };
+    }
+    /**
+     * @inheritdoc
+     */
+    async encryptKeys(privateKey, symmetricKey, salt, passphrase) {
+        // recreate passwordHash
+        const passphraseHash = await generatePassphraseHash(salt, passphrase);
+        // Encrypt private key
+        const privateKeyObject = createPrivateKey({
+            key: privateKey,
+            format: 'pem',
+        });
+        const encryptedPrivateKey = privateKeyObject.export({
+            type: 'pkcs8',
+            format: 'pem',
+            cipher: 'aes-256-cbc',
+            passphrase: passphraseHash,
+        });
+        // Encrypt symmetric key with public key
+        const publicKeyObject = createPublicKey(privateKeyObject);
+        const publicKey = publicKeyObject.export({
+            type: 'spki',
+            format: 'pem',
+        });
+        const encryptedSymmetricKey = await this.encrypt(publicKey, symmetricKey);
+        return {
+            encryptedPrivateKey,
+            encryptedSymmetricKey: encryptedSymmetricKey,
+        };
+    }
+    /**
+     * @inheritdoc
+     */
+    async decryptKeys(encryptedPrivateKey, encryptedSymmetricKey, salt, passphrase) {
+        // recreate passwordHash
+        const passphraseHash = await generatePassphraseHash(salt, passphrase);
+        let privateKeyObject;
+        let privateKey;
+        try {
+            privateKeyObject = createPrivateKey({
+                key: encryptedPrivateKey,
+                type: 'pkcs8',
+                format: 'pem',
+                passphrase: passphraseHash,
+            });
+            privateKey = privateKeyObject.export({
+                type: 'pkcs8',
+                format: 'pem',
+            });
+        }
+        catch (err) {
+            // eslint-disable-next-line no-restricted-globals
+            if (err instanceof Error && 'code' in err) {
+                if (err.code === 'ERR_OSSL_BAD_DECRYPT') {
+                    throw new CryptoError('Invalid passphrase');
+                }
+                if (err.code === 'ERR_OSSL_UNSUPPORTED') {
+                    throw new CryptoError('Invalid private key');
+                }
+            }
+            throw err;
+        }
+        const publicKeyObject = createPublicKey(privateKeyObject);
+        const publicKey = publicKeyObject.export({
+            type: 'spki',
+            format: 'pem',
+        });
+        // Decrypt the symmetric key
+        const symmetricKey = (await this.decrypt(privateKey, encryptedSymmetricKey));
+        return { privateKey, publicKey, symmetricKey };
+    }
+    /**
+     * @inheritdoc
+     */
+    async encrypt(publicKey, plainText) {
+        const buffer = Buffer.from(plainText, 'utf8');
+        const encrypted = publicEncrypt(publicKey, buffer);
+        return Promise.resolve(encrypted.toString('base64'));
+    }
+    /**
+     * @inheritdoc
+     */
+    async decrypt(privateKey, encryptedText) {
+        const buffer = Buffer.from(encryptedText, 'base64');
+        const decrypted = privateDecrypt({
+            key: privateKey,
+        }, buffer);
+        return Promise.resolve(decrypted.toString('utf8'));
+    }
+    /**
+     * @inheritdoc
+     */
+    async encryptSymmetric(symmetricKey, plainText) {
+        const iv = randomBytes(16);
+        const keyBuffer = Buffer.from(symmetricKey, 'base64');
+        const cipher = createCipheriv('aes-256-cbc', keyBuffer, iv);
+        let encrypted = cipher.update(plainText, 'utf8', 'base64');
+        encrypted += cipher.final('base64');
+        return Promise.resolve((iv.toString('base64') + ':' + encrypted));
+    }
+    /**
+     * @inheritdoc
+     */
+    async decryptSymmetric(symmetricKey, encryptedText) {
+        const [ivString, encryptedData] = encryptedText.split(':');
+        const iv = Buffer.from(ivString, 'base64');
+        const keyBuffer = Buffer.from(symmetricKey, 'base64');
+        const decipher = createDecipheriv('aes-256-cbc', keyBuffer, iv);
+        let decrypted = decipher.update(encryptedData, 'base64', 'utf8');
+        decrypted += decipher.final('utf8');
+        return Promise.resolve(decrypted);
+    }
+    /**
+     * @inheritdoc
+     */
+    async createSymmetricKey() {
+        const key = await generateKey('aes', { length: 256 });
+        return key.export().toString('base64');
+    }
+    /**
+     * @inheritdoc
+     */
+    async createSyncKey(sharedKey, salt) {
+        const keyBuffer = await argon2id({
+            password: sharedKey,
+            salt,
+            parallelism: 1,
+            iterations: 256,
+            memorySize: 512,
+            hashLength: 32,
+            outputType: 'binary',
+        });
+        return Buffer.from(keyBuffer).toString('base64');
+    }
+}
+export default NodeCryptoLib;

package/build/TwoFALibError.d.mts

@@ -0,0 +1,77 @@
+/**
+ * Custom error class for the libs errors.
+ */
+export declare class TwoFALibError extends Error {
+    /**
+     * Creates a new Error.
+     * @param message - The error message.
+     */
+    constructor(message: string);
+}
+/**
+ * Error thrown during lib initialization failures.
+ */
+export declare class InitializationError extends TwoFALibError {
+}
+/**
+ * Error thrown during authentication, e.g. wrong passphrase for locked vault.
+ */
+export declare class AuthenticationError extends TwoFALibError {
+}
+/**
+ * Error thrown when an entry is requested but not found.
+ */
+export declare class EntryNotFoundError extends TwoFALibError {
+}
+/**
+ * Error thrown when token generation fails.
+ */
+export declare class TokenGenerationError extends TwoFALibError {
+}
+/**
+ * Error thrown when an unexpected error occurs during cryptographic operations.
+ */
+export declare class CryptoError extends TwoFALibError {
+}
+/**
+ * Error thrown when an unexpected error occurs during export/import operations.
+ */
+export declare class ExportImportError extends TwoFALibError {
+}
+/**
+ * Error thrown when an unexpected error occurs during synchronization.
+ */
+export declare class SyncError extends TwoFALibError {
+}
+/**
+ * Error thrown when synchronization is in the wrong state for the operation.
+ */
+export declare class SyncInWrongStateError extends SyncError {
+    /**
+     * @inheritdoc
+     */
+    constructor(message?: string);
+}
+/**
+ * Error thrown when starting an add device flow while a previous one is still active.
+ */
+export declare class SyncAddDeviceFlowConflictError extends SyncError {
+    /**
+     * @inheritdoc
+     */
+    constructor(message?: string);
+}
+/**
+ * Error thrown when attempting a sync operation when there is no server connection.
+ */
+export declare class SyncNoServerConnectionError extends SyncError {
+    /**
+     * @inheritdoc
+     */
+    constructor(message?: string);
+}
+/**
+ * Error thrown when an invalid command is being executed.
+ */
+export declare class InvalidCommandError extends TwoFALibError {
+}

package/build/TwoFALibError.mjs

@@ -0,0 +1,91 @@
+/* eslint-disable no-restricted-globals */
+/**
+ * Custom error class for the libs errors.
+ */
+export class TwoFALibError extends Error {
+    /**
+     * Creates a new Error.
+     * @param message - The error message.
+     */
+    constructor(message) {
+        super(message);
+        this.name = 'TwoFALibError';
+    }
+}
+/**
+ * Error thrown during lib initialization failures.
+ */
+export class InitializationError extends TwoFALibError {
+}
+/**
+ * Error thrown during authentication, e.g. wrong passphrase for locked vault.
+ */
+export class AuthenticationError extends TwoFALibError {
+}
+/**
+ * Error thrown when an entry is requested but not found.
+ */
+export class EntryNotFoundError extends TwoFALibError {
+}
+/**
+ * Error thrown when token generation fails.
+ */
+export class TokenGenerationError extends TwoFALibError {
+}
+/**
+ * Error thrown when an unexpected error occurs during cryptographic operations.
+ */
+export class CryptoError extends TwoFALibError {
+}
+/**
+ * Error thrown when an unexpected error occurs during export/import operations.
+ */
+export class ExportImportError extends TwoFALibError {
+}
+/**
+ * Error thrown when an unexpected error occurs during synchronization.
+ */
+export class SyncError extends TwoFALibError {
+}
+/**
+ * Error thrown when synchronization is in the wrong state for the operation.
+ */
+export class SyncInWrongStateError extends SyncError {
+    /**
+     * @inheritdoc
+     */
+    constructor(message) {
+        super(message ?? 'Unexpected state while syncing');
+        this.name = 'TwoFALibError';
+    }
+}
+/**
+ * Error thrown when starting an add device flow while a previous one is still active.
+ */
+export class SyncAddDeviceFlowConflictError extends SyncError {
+    /**
+     * @inheritdoc
+     */
+    constructor(message) {
+        super(message ??
+            "Can't start an add device flow while a previous one is still active");
+        this.name = 'TwoFALibError';
+    }
+}
+/**
+ * Error thrown when attempting a sync operation when there is no server connection.
+ */
+export class SyncNoServerConnectionError extends SyncError {
+    /**
+     * @inheritdoc
+     */
+    constructor(message) {
+        super(message ?? 'No server connection available');
+        this.name = 'TwoFALibError';
+    }
+}
+/**
+ * Error thrown when an invalid command is being executed.
+ */
+export class InvalidCommandError extends TwoFALibError {
+}