partner_react_native_sdk 0.1.4 → 0.1.5

package/src/helpers/network/Encryption.tsx

@@ -0,0 +1,239 @@
+// // Encryption.tsx
+// // Tested with RN 0.73+.
+
+// import AsyncStorage from '@react-native-async-storage/async-storage';
+// import { v4 as uuidv4 } from 'uuid';
+// import * as base64js from 'base64-js';
+// import { ServiceNames } from '../ServiceNames';
+
+// type WebsiteKey = {
+//   kid: string;
+//   public: string; // PEM
+//   expiry: string; // ISO8601
+// };
+
+// const KEY_WEB = 'KEY_WEB';
+// const KEY_WEB_EXPIRY = 'KEY_WEB_EXPIRY';
+
+// const GCM_NONCE_LEN = 12; // 12-byte IV
+// const GCM_TAG_LEN = 16; // 16-byte auth tag
+// const AES_KEY_LEN = 256; // bits
+
+// // ---------- Base64 helpers ----------
+// const bytesToB64 = (bytes: Uint8Array): string => base64js.fromByteArray(bytes);
+
+// const b64ToBytes = (b64: string): Uint8Array => base64js.toByteArray(b64);
+
+// // ---------- UTF-8 helpers ----------
+// const utf8Encode = (s: string): Uint8Array => new TextEncoder().encode(s);
+
+// const utf8Decode = (bytes: Uint8Array): string =>
+//   new TextDecoder().decode(bytes);
+
+// // ---------- AES-256-GCM ----------
+
+// /** Generate a random AES-256-GCM CryptoKey (extractable for raw export). */
+// export async function generateAESKey(): Promise<CryptoKey> {
+//   return await crypto.subtle.generateKey(
+//     { name: 'AES-GCM', length: AES_KEY_LEN },
+//     true, // extractable to raw for Base64 export
+//     ['encrypt', 'decrypt']
+//   );
+// }
+
+// /** Export AES key bytes → Base64 (to match your RSA input). */
+// export async function exportAESKeyBase64(key: CryptoKey): Promise<string> {
+//   const raw = new Uint8Array(await crypto.subtle.exportKey('raw', key));
+//   return bytesToB64(raw);
+// }
+
+// /**
+//  * Encrypt plaintext with AES-GCM and return Base64( IV || ciphertext || tag )
+//  * Exactly matches your Flutter packing:
+//  * - IV: 12 bytes
+//  * - SubtleCrypto returns ciphertext||tag; we prepend IV and then Base64 the whole blob.
+//  */
+// export async function encryptAES(
+//   plaintext: string,
+//   key: CryptoKey
+// ): Promise<string> {
+//   const iv = crypto.getRandomValues(new Uint8Array(GCM_NONCE_LEN));
+//   const ptBytes = utf8Encode(plaintext);
+
+//   const ctWithTag = new Uint8Array(
+//     await crypto.subtle.encrypt(
+//       { name: 'AES-GCM', iv }, // 96-bit nonce
+//       key,
+//       ptBytes
+//     )
+//   );
+//   // Pack IV || (ciphertext||tag)
+//   const out = new Uint8Array(iv.length + ctWithTag.length);
+//   out.set(iv, 0);
+//   out.set(ctWithTag, iv.length);
+//   return bytesToB64(out);
+// }
+
+// /**
+//  * Decrypt Base64( IV || ciphertext || tag ) to plaintext.
+//  * Splits IV (12), tag (16) and feeds ciphertext||tag to AES-GCM.
+//  */
+// export async function decryptAES(
+//   b64Data: string,
+//   key: CryptoKey
+// ): Promise<string> {
+//   const data = b64ToBytes(b64Data);
+//   if (data.length < GCM_NONCE_LEN + GCM_TAG_LEN + 1) {
+//     throw new Error('Invalid GCM payload length');
+//   }
+//   const iv = data.slice(0, GCM_NONCE_LEN);
+//   const ctPlusTag = data.slice(GCM_NONCE_LEN); // subtle needs ciphertext||tag
+//   const pt = new Uint8Array(
+//     await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ctPlusTag)
+//   );
+//   return utf8Decode(pt);
+// }
+
+// // ---------- RSA-OAEP (SHA-256) ----------
+
+// /** Parse PEM public key and import as CryptoKey (RSA-OAEP with SHA-256). */
+// async function importRsaPublicKeyFromPem(pem: string): Promise<CryptoKey> {
+//   // Tolerate PEMs with/without headers
+//   const clean = pem
+//     .replace(/-----BEGIN PUBLIC KEY-----/g, '')
+//     .replace(/-----END PUBLIC KEY-----/g, '')
+//     .replace(/\s+/g, '');
+//   const der = b64ToBytes(clean);
+//   return await crypto.subtle.importKey(
+//     'spki',
+//     der,
+//     { name: 'RSA-OAEP', hash: 'SHA-256' },
+//     false,
+//     ['encrypt']
+//   );
+// }
+
+// /**
+//  * RSA-OAEP(SHA-256) encrypts the UTF-8 bytes of the **Base64(AES key)** string.
+//  * Returns Base64 ciphertext.
+//  */
+// export async function encryptAESKeyWithRSA(
+//   aesKeyBase64: string,
+//   publicKeyPem: string
+// ): Promise<string> {
+//   const pub = await importRsaPublicKeyFromPem(publicKeyPem);
+//   const data = utf8Encode(aesKeyBase64);
+//   const enc = new Uint8Array(
+//     await crypto.subtle.encrypt({ name: 'RSA-OAEP' }, pub, data)
+//   );
+//   return bytesToB64(enc);
+// }
+
+// // ---------- Website key fetch / cache ----------
+
+// /**
+//  * Fetches & caches the server public key.
+//  * Accepts two shapes (same as your Flutter):
+//  *  A) { "<kid>": { kid, public, expiry } }
+//  *  B) { kid, public, expiry }
+//  */
+// export async function getWebsiteKey(): Promise<WebsiteKey> {
+//   const cachedJson = await AsyncStorage.getItem(KEY_WEB);
+//   const cachedExpiry = await AsyncStorage.getItem(KEY_WEB_EXPIRY);
+
+//   if (cachedJson && cachedExpiry) {
+//     try {
+//       const expiry = new Date(cachedExpiry);
+//       if (new Date() < expiry) {
+//         return JSON.parse(cachedJson) as WebsiteKey;
+//       }
+//     } catch {
+//       // ignore and refetch
+//     }
+//   }
+//   const txnId = uuidv4();
+//   const resp = await fetch(ServiceNames.WEBSITE_KEYS, {
+//     method: 'GET',
+//     headers: {
+//       'X-Txn-ID': txnId,
+//     },
+//   });
+
+//   if (!resp.ok) {
+//     throw new Error(`Website keys fetch failed: ${resp.status}`);
+//   }
+//   const raw = await resp.json();
+//   console.log('Fetched website key', { txnId, raw });
+
+//   let obj: any;
+//   if (
+//     raw &&
+//     typeof raw === 'object' &&
+//     !(
+//       Object.prototype.hasOwnProperty.call(raw, 'kid') &&
+//       (Object.prototype.hasOwnProperty.call(raw, 'public') ||
+//         Object.prototype.hasOwnProperty.call(raw, 'public_key'))
+//     )
+//   ) {
+//     // Assume single-entry map keyed by KID
+//     const values = Object.values(raw);
+//     if (!values.length || typeof values[0] !== 'object') {
+//       throw new Error('Unexpected keyset response shape');
+//     }
+//     obj = values[0];
+//   } else {
+//     obj = raw;
+//   }
+
+//   const kid: string | undefined = obj.kid ?? obj.KID;
+//   const publicKey: string | undefined = obj.public ?? obj.public_key;
+//   const expiry: string | undefined = obj.expiry ?? obj.exp ?? obj.expiresAt;
+
+//   if (!kid || !publicKey || !expiry) {
+//     throw new Error('Missing kid/public/expiry in website key response');
+//   }
+
+//   const normalized: WebsiteKey = { kid, public: publicKey, expiry };
+
+//   await AsyncStorage.setItem(KEY_WEB, JSON.stringify(normalized));
+//   await AsyncStorage.setItem(KEY_WEB_EXPIRY, expiry);
+
+//   return normalized;
+// }
+
+// // ---------- Optional: Hybrid helpers (one-liners) ----------
+
+// export type HybridEnvelope = {
+//   kid: string;
+//   rsaWrappedAESKey: string; // Base64 RSA(OAEP) of Base64(AES key)
+//   cipherData: string; // Base64( IV || ciphertext || tag )
+// };
+
+// export async function encryptHybrid(
+//   plaintext: string
+// ): Promise<HybridEnvelope> {
+//   // 1) fetch server key
+//   const { kid, public: publicPem } = await getWebsiteKey();
+
+//   // 2) generate AES key & encrypt data
+//   const aesKey = await generateAESKey();
+//   const cipherData = await encryptAES(plaintext, aesKey);
+
+//   // 3) export AES key to Base64 and RSA-wrap it
+//   const aesKeyB64 = await exportAESKeyBase64(aesKey);
+//   const rsaWrappedAESKey = await encryptAESKeyWithRSA(aesKeyB64, publicPem);
+
+//   return { kid, rsaWrappedAESKey, cipherData };
+// }
+
+// /**
+//  * Decrypt using an already-imported AES key (symmetric path).
+//  * Use this for local decrypts (e.g., testing) or when the server sends you encrypted data
+//  * and you already have the AES key.
+//  */
+// export async function decryptHybridLocal(
+//   cipherData: string,
+//   aesKey: CryptoKey
+// ): Promise<string> {
+//   return await decryptAES(cipherData, aesKey);
+// }