react-native-dpop 0.1.0 → 0.2.0

package/README.md

@@ -10,13 +10,12 @@ React Native library for DPoP proof generation and key management.
 - Calculate JWK thumbprint (`SHA-256`, base64url).
 - Verify if a proof is bound to a given key alias.
 - Retrieve non-sensitive key metadata (hardware-backed, StrongBox info, etc.).
+- iOS key storage uses Secure Enclave when available, with Keychain fallback.
 
 ## Platform Support
 
 - Android: supported.
-- iOS: planned.
-
-Current implementation throws on non-Android platforms.
+- iOS: supported.
 
 ## Installation
 
@@ -24,6 +23,12 @@ Current implementation throws on non-Android platforms.
 npm install react-native-dpop
 ```
 
+For iOS, install pods in your app project:
+
+```sh
+cd ios && pod install
+```
+
 ## Quick Start
 
 ```ts
@@ -39,6 +44,7 @@ const dpop = await DPoP.generateProof({
 const proof = dpop.proof;
 const thumbprint = await dpop.calculateThumbprint();
 const publicJwk = await dpop.getPublicKey('JWK');
+const isBound = await dpop.isBoundToAlias();
 ```
 
 ## API
@@ -78,6 +84,7 @@ const publicJwk = await dpop.getPublicKey('JWK');
 Native errors are rejected with codes such as:
 
 - `ERR_DPOP_GENERATE_PROOF`
+- `ERR_DPOP_CALCULATE_THUMBPRINT`
 - `ERR_DPOP_PUBLIC_KEY`
 - `ERR_DPOP_SIGN_WITH_PRIVATE_KEY`
 - `ERR_DPOP_HAS_KEY_PAIR`

package/{Dpop.podspec → ReactNativeDPoP.podspec}

@@ -3,7 +3,8 @@ require "json"
 package = JSON.parse(File.read(File.join(__dir__, "package.json")))
 
 Pod::Spec.new do |s|
-  s.name         = "Dpop"
+  s.name         = "ReactNativeDPoP"
+  s.module_name  = "ReactNativeDPoP"
   s.version      = package["version"]
   s.summary      = package["description"]
   s.homepage     = package["homepage"]
@@ -14,7 +15,10 @@ Pod::Spec.new do |s|
   s.source       = { :git => "https://github.com/Cirilord/react-native-dpop.git", :tag => "#{s.version}" }
 
   s.source_files = "ios/**/*.{h,m,mm,swift,cpp}"
-  s.private_header_files = "ios/**/*.h"
 
-  install_modules_dependencies(s)
+  if respond_to?(:install_modules_dependencies, true)
+    install_modules_dependencies(s)
+  else
+    s.dependency "React-Core"
+  end
 end

package/android/build.gradle

@@ -1,5 +1,5 @@
 buildscript {
-  ext.Dpop = [
+  ext.ReactNativeDPoP = [
     kotlinVersion: "2.0.21",
     minSdkVersion: 24,
     compileSdkVersion: 36,
@@ -11,7 +11,7 @@ buildscript {
       return rootProject.ext.get(prop)
     }
 
-    return Dpop[prop]
+    return ReactNativeDPoP[prop]
   }
 
   repositories {
@@ -33,7 +33,7 @@ apply plugin: "kotlin-android"
 apply plugin: "com.facebook.react"
 
 android {
-  namespace "com.dpop"
+  namespace "com.reactnativedpop"
 
   compileSdkVersion getExtOrDefault("compileSdkVersion")
 

package/android/src/main/java/com/{dpop → reactnativedpop}/DPoPKeyStore.kt

@@ -1,4 +1,4 @@
-package com.dpop
+package com.reactnativedpop
 
 import android.content.Context
 import android.content.pm.PackageManager

package/android/src/main/java/com/{dpop/DpopModule.kt → reactnativedpop/DPoPModule.kt}

@@ -1,4 +1,4 @@
-package com.dpop
+package com.reactnativedpop
 
 import com.facebook.react.bridge.Arguments
 import com.facebook.react.bridge.Promise
@@ -8,8 +8,8 @@ import java.security.Signature
 import java.util.UUID
 import org.json.JSONObject
 
-class DpopModule(reactContext: ReactApplicationContext) :
-  NativeDpopSpec(reactContext) {
+class DPoPModule(reactContext: ReactApplicationContext) :
+  NativeReactNativeDPoPSpec(reactContext) {
   private val keyStore = DPoPKeyStore(reactContext)
 
   private fun resolveAlias(alias: String?): String {
@@ -297,6 +297,6 @@ class DpopModule(reactContext: ReactApplicationContext) :
 
   companion object {
     private const val DEFAULT_ALIAS = "react-native-dpop"
-    const val NAME = NativeDpopSpec.NAME
+    const val NAME = NativeReactNativeDPoPSpec.NAME
   }
 }

package/android/src/main/java/com/{dpop/DpopPackage.kt → reactnativedpop/DPoPPackage.kt}

@@ -1,4 +1,4 @@
-package com.dpop
+package com.reactnativedpop
 
 import com.facebook.react.BaseReactPackage
 import com.facebook.react.bridge.NativeModule
@@ -7,10 +7,10 @@ import com.facebook.react.module.model.ReactModuleInfo
 import com.facebook.react.module.model.ReactModuleInfoProvider
 import java.util.HashMap
 
-class DpopPackage : BaseReactPackage() {
+class DPoPPackage : BaseReactPackage() {
   override fun getModule(name: String, reactContext: ReactApplicationContext): NativeModule? {
-    return if (name == DpopModule.NAME) {
-      DpopModule(reactContext)
+    return if (name == DPoPModule.NAME) {
+      DPoPModule(reactContext)
     } else {
       null
     }
@@ -18,9 +18,9 @@ class DpopPackage : BaseReactPackage() {
 
   override fun getReactModuleInfoProvider() = ReactModuleInfoProvider {
     mapOf(
-      DpopModule.NAME to ReactModuleInfo(
-        name = DpopModule.NAME,
-        className = DpopModule.NAME,
+      DPoPModule.NAME to ReactModuleInfo(
+        name = DPoPModule.NAME,
+        className = DPoPModule.NAME,
         canOverrideExistingModule = false,
         needsEagerInit = false,
         isCxxModule = false,

package/android/src/main/java/com/{dpop → reactnativedpop}/DPoPUtils.kt

@@ -1,4 +1,4 @@
-package com.dpop
+package com.reactnativedpop
 
 import com.facebook.react.bridge.Arguments
 import com.facebook.react.bridge.ReadableArray

package/ios/DPoPKeyStore.swift

@@ -0,0 +1,99 @@
+import Foundation
+import Security
+
+struct DPoPKeyPairReference {
+  let privateKey: SecKey
+  let publicKey: SecKey
+}
+
+struct DPoPKeyInfo {
+  let alias: String
+  let algorithm: String
+  let curve: String
+  let hasKeyPair: Bool
+  let insideSecureHardware: Bool
+  let strongBoxAvailable: Bool
+  let strongBoxBacked: Bool
+}
+
+final class DPoPKeyStore {
+  private let secureEnclave = SecureEnclaveKeyStore()
+  private let keychain = KeychainKeyStore()
+
+  func generateKeyPair(alias: String) throws {
+    try deleteKeyPair(alias: alias)
+
+    do {
+      try secureEnclave.generateKeyPair(alias: alias)
+    } catch {
+      try keychain.generateKeyPair(alias: alias)
+    }
+  }
+
+  func deleteKeyPair(alias: String) throws {
+    try secureEnclave.deleteKeyPair(alias: alias)
+    try keychain.deleteKeyPair(alias: alias)
+  }
+
+  func hasKeyPair(alias: String) -> Bool {
+    secureEnclave.hasKeyPair(alias: alias) || keychain.hasKeyPair(alias: alias)
+  }
+
+  func getKeyPair(alias: String) throws -> DPoPKeyPairReference {
+    if secureEnclave.hasKeyPair(alias: alias) {
+      return DPoPKeyPairReference(
+        privateKey: try secureEnclave.getPrivateKey(alias: alias),
+        publicKey: try secureEnclave.getPublicKey(alias: alias)
+      )
+    }
+
+    if keychain.hasKeyPair(alias: alias) {
+      return DPoPKeyPairReference(
+        privateKey: try keychain.getPrivateKey(alias: alias),
+        publicKey: try keychain.getPublicKey(alias: alias)
+      )
+    }
+
+    throw DPoPError.keyNotFound(alias: alias)
+  }
+
+  func getKeyInfo(alias: String) -> DPoPKeyInfo {
+    if secureEnclave.hasKeyPair(alias: alias) {
+      return DPoPKeyInfo(
+        alias: alias,
+        algorithm: "EC",
+        curve: "P-256",
+        hasKeyPair: true,
+        insideSecureHardware: true,
+        strongBoxAvailable: false,
+        strongBoxBacked: false
+      )
+    }
+
+    if keychain.hasKeyPair(alias: alias) {
+      return DPoPKeyInfo(
+        alias: alias,
+        algorithm: "EC",
+        curve: "P-256",
+        hasKeyPair: true,
+        insideSecureHardware: false,
+        strongBoxAvailable: false,
+        strongBoxBacked: false
+      )
+    }
+
+    return DPoPKeyInfo(
+      alias: alias,
+      algorithm: "EC",
+      curve: "P-256",
+      hasKeyPair: false,
+      insideSecureHardware: false,
+      strongBoxAvailable: false,
+      strongBoxBacked: false
+    )
+  }
+
+  func isHardwareBacked(alias: String) -> Bool {
+    secureEnclave.isHardwareBacked(alias: alias)
+  }
+}

package/ios/DPoPModule.h

@@ -0,0 +1,5 @@
+#import <React/RCTBridgeModule.h>
+
+@interface ReactNativeDPoP : NSObject <RCTBridgeModule>
+
+@end

package/ios/DPoPModule.swift

@@ -0,0 +1,353 @@
+import Foundation
+import Security
+import React
+
+final class DPoPModule {
+  static let shared = DPoPModule()
+
+  private let keyStore = DPoPKeyStore()
+  private let defaultAlias = "react-native-dpop"
+
+  private init() {}
+
+  func resolveAlias(_ alias: String?) -> String {
+    guard let alias, !alias.isEmpty else {
+      return defaultAlias
+    }
+    return alias
+  }
+
+  func assertHardwareBacked(alias: String?) throws {
+    let effectiveAlias = resolveAlias(alias)
+    guard keyStore.hasKeyPair(alias: effectiveAlias) else {
+      throw DPoPError.keyNotFound(alias: effectiveAlias)
+    }
+
+    guard keyStore.isHardwareBacked(alias: effectiveAlias) else {
+      throw DPoPError.notHardwareBacked(alias: effectiveAlias)
+    }
+  }
+
+  func calculateThumbprint(alias: String?) throws -> String {
+    let effectiveAlias = resolveAlias(alias)
+    if !keyStore.hasKeyPair(alias: effectiveAlias) {
+      try keyStore.generateKeyPair(alias: effectiveAlias)
+    }
+    let keyPair = try keyStore.getKeyPair(alias: effectiveAlias)
+    let coordinates = try DPoPUtils.getPublicCoordinates(fromRawPublicKey: try DPoPUtils.toRawPublicKey(keyPair.publicKey))
+    return DPoPUtils.calculateThumbprint(kty: "EC", crv: "P-256", x: coordinates.x, y: coordinates.y)
+  }
+
+  func deleteKeyPair(alias: String?) throws {
+    try keyStore.deleteKeyPair(alias: resolveAlias(alias))
+  }
+
+  func getKeyInfo(alias: String?) -> [String: Any] {
+    let effectiveAlias = resolveAlias(alias)
+    let keyInfo = keyStore.getKeyInfo(alias: effectiveAlias)
+
+    if !keyInfo.hasKeyPair {
+      return [
+        "alias": effectiveAlias,
+        "hasKeyPair": false
+      ]
+    }
+
+    return [
+      "alias": keyInfo.alias,
+      "algorithm": keyInfo.algorithm,
+      "curve": keyInfo.curve,
+      "hasKeyPair": true,
+      "insideSecureHardware": keyInfo.insideSecureHardware,
+      "strongBoxAvailable": keyInfo.strongBoxAvailable,
+      "strongBoxBacked": keyInfo.strongBoxBacked
+    ]
+  }
+
+  func getPublicKeyDer(alias: String?) throws -> String {
+    let effectiveAlias = resolveAlias(alias)
+    if !keyStore.hasKeyPair(alias: effectiveAlias) {
+      try keyStore.generateKeyPair(alias: effectiveAlias)
+    }
+    let keyPair = try keyStore.getKeyPair(alias: effectiveAlias)
+    return DPoPUtils.base64UrlEncode(try DPoPUtils.toDerPublicKey(keyPair.publicKey))
+  }
+
+  func getPublicKeyJwk(alias: String?) throws -> [String: Any] {
+    let effectiveAlias = resolveAlias(alias)
+    if !keyStore.hasKeyPair(alias: effectiveAlias) {
+      try keyStore.generateKeyPair(alias: effectiveAlias)
+    }
+    let keyPair = try keyStore.getKeyPair(alias: effectiveAlias)
+    let coordinates = try DPoPUtils.getPublicCoordinates(fromRawPublicKey: try DPoPUtils.toRawPublicKey(keyPair.publicKey))
+    return [
+      "kty": "EC",
+      "crv": "P-256",
+      "x": coordinates.x,
+      "y": coordinates.y
+    ]
+  }
+
+  func getPublicKeyRaw(alias: String?) throws -> String {
+    let effectiveAlias = resolveAlias(alias)
+    if !keyStore.hasKeyPair(alias: effectiveAlias) {
+      try keyStore.generateKeyPair(alias: effectiveAlias)
+    }
+    let keyPair = try keyStore.getKeyPair(alias: effectiveAlias)
+    return DPoPUtils.base64UrlEncode(try DPoPUtils.toRawPublicKey(keyPair.publicKey))
+  }
+
+  func hasKeyPair(alias: String?) -> Bool {
+    keyStore.hasKeyPair(alias: resolveAlias(alias))
+  }
+
+  func isBoundToAlias(proof: String, alias: String?) throws -> Bool {
+    let effectiveAlias = resolveAlias(alias)
+    if !keyStore.hasKeyPair(alias: effectiveAlias) {
+      try keyStore.generateKeyPair(alias: effectiveAlias)
+    }
+    let keyPair = try keyStore.getKeyPair(alias: effectiveAlias)
+    return try DPoPUtils.isProofBoundToPublicKey(proof, publicKey: keyPair.publicKey)
+  }
+
+  func rotateKeyPair(alias: String?) throws {
+    try keyStore.generateKeyPair(alias: resolveAlias(alias))
+  }
+
+  func signWithDpopPrivateKey(payload: String, alias: String?) throws -> String {
+    let effectiveAlias = resolveAlias(alias)
+    if !keyStore.hasKeyPair(alias: effectiveAlias) {
+      try keyStore.generateKeyPair(alias: effectiveAlias)
+    }
+    let keyPair = try keyStore.getKeyPair(alias: effectiveAlias)
+    var error: Unmanaged<CFError>?
+    guard let derSignature = SecKeyCreateSignature(
+      keyPair.privateKey,
+      .ecdsaSignatureMessageX962SHA256,
+      Data(payload.utf8) as CFData,
+      &error
+    ) as Data? else {
+      throw DPoPError.securityError(error?.takeRetainedValue())
+    }
+    let joseSignature = try DPoPUtils.derToJose(derSignature, partLength: 32)
+    return DPoPUtils.base64UrlEncode(joseSignature)
+  }
+
+  func generateProof(
+    htu: String,
+    htm: String,
+    nonce: String?,
+    accessToken: String?,
+    additional: [String: Any]?,
+    kid: String?,
+    jti: String?,
+    iat: NSNumber?,
+    alias: String?
+  ) throws -> [String: Any] {
+    let effectiveAlias = resolveAlias(alias)
+    if !keyStore.hasKeyPair(alias: effectiveAlias) {
+      try keyStore.generateKeyPair(alias: effectiveAlias)
+    }
+    let keyPair = try keyStore.getKeyPair(alias: effectiveAlias)
+    let coordinates = try DPoPUtils.getPublicCoordinates(fromRawPublicKey: try DPoPUtils.toRawPublicKey(keyPair.publicKey))
+
+    var jwk: [String: Any] = [
+      "kty": "EC",
+      "crv": "P-256",
+      "x": coordinates.x,
+      "y": coordinates.y
+    ]
+
+    var header: [String: Any] = [
+      "typ": "dpop+jwt",
+      "alg": "ES256",
+      "jwk": jwk
+    ]
+
+    if let kid, !kid.isEmpty {
+      header["kid"] = kid
+    }
+
+    let issuedAt = iat?.int64Value ?? Int64(Date().timeIntervalSince1970)
+    let finalJti = (jti?.isEmpty == false) ? jti! : UUID().uuidString
+
+    var payload: [String: Any] = [
+      "jti": finalJti,
+      "htm": htm.uppercased(),
+      "htu": htu,
+      "iat": issuedAt
+    ]
+
+    if let nonce, !nonce.isEmpty {
+      payload["nonce"] = nonce
+    }
+
+    if let accessToken, !accessToken.isEmpty {
+      payload["ath"] = DPoPUtils.hashAccessToken(accessToken)
+    }
+
+    if let additional {
+      for (key, value) in additional {
+        payload[key] = value
+      }
+    }
+
+    let headerSegment = DPoPUtils.base64UrlEncode(try DPoPUtils.jsonData(header))
+    let payloadSegment = DPoPUtils.base64UrlEncode(try DPoPUtils.jsonData(payload))
+    let signingInput = "\(headerSegment).\(payloadSegment)"
+
+    var error: Unmanaged<CFError>?
+    guard let derSignature = SecKeyCreateSignature(
+      keyPair.privateKey,
+      .ecdsaSignatureMessageX962SHA256,
+      Data(signingInput.utf8) as CFData,
+      &error
+    ) as Data? else {
+      throw DPoPError.securityError(error?.takeRetainedValue())
+    }
+    let joseSignature = try DPoPUtils.derToJose(derSignature, partLength: 32)
+    let jwt = "\(signingInput).\(DPoPUtils.base64UrlEncode(joseSignature))"
+
+    let proofContext: [String: Any] = [
+      "htu": payload["htu"] as? String ?? htu,
+      "htm": payload["htm"] as? String ?? htm.uppercased(),
+      "nonce": payload["nonce"] ?? NSNull(),
+      "ath": payload["ath"] ?? NSNull(),
+      "kid": header["kid"] ?? NSNull(),
+      "jti": payload["jti"] as? String ?? finalJti,
+      "iat": Double(issuedAt),
+      "additional": additional ?? NSNull()
+    ]
+
+    return [
+      "proof": jwt,
+      "proofContext": proofContext
+    ]
+  }
+
+}
+
+@objc extension ReactNativeDPoP {
+  static func moduleName() -> String! {
+    "ReactNativeDPoP"
+  }
+
+  static func requiresMainQueueSetup() -> Bool {
+    false
+  }
+
+  func assertHardwareBacked(_ alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    do {
+      try DPoPModule.shared.assertHardwareBacked(alias: alias)
+      resolve(nil)
+    } catch {
+      reject("ERR_DPOP_ASSERT_HARDWARE_BACKED", error.localizedDescription, error)
+    }
+  }
+
+  func calculateThumbprint(_ alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    do {
+      resolve(try DPoPModule.shared.calculateThumbprint(alias: alias))
+    } catch {
+      reject("ERR_DPOP_CALCULATE_THUMBPRINT", error.localizedDescription, error)
+    }
+  }
+
+  func deleteKeyPair(_ alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    do {
+      try DPoPModule.shared.deleteKeyPair(alias: alias)
+      resolve(nil)
+    } catch {
+      reject("ERR_DPOP_DELETE_KEY_PAIR", error.localizedDescription, error)
+    }
+  }
+
+  func getKeyInfo(_ alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    resolve(DPoPModule.shared.getKeyInfo(alias: alias))
+  }
+
+  func getPublicKeyDer(_ alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    do {
+      resolve(try DPoPModule.shared.getPublicKeyDer(alias: alias))
+    } catch {
+      reject("ERR_DPOP_PUBLIC_KEY", error.localizedDescription, error)
+    }
+  }
+
+  func getPublicKeyJwk(_ alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    do {
+      resolve(try DPoPModule.shared.getPublicKeyJwk(alias: alias))
+    } catch {
+      reject("ERR_DPOP_PUBLIC_KEY", error.localizedDescription, error)
+    }
+  }
+
+  func getPublicKeyRaw(_ alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    do {
+      resolve(try DPoPModule.shared.getPublicKeyRaw(alias: alias))
+    } catch {
+      reject("ERR_DPOP_PUBLIC_KEY", error.localizedDescription, error)
+    }
+  }
+
+  func hasKeyPair(_ alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    resolve(DPoPModule.shared.hasKeyPair(alias: alias))
+  }
+
+  func isBoundToAlias(_ proof: String, alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    do {
+      resolve(try DPoPModule.shared.isBoundToAlias(proof: proof, alias: alias))
+    } catch {
+      reject("ERR_DPOP_IS_BOUND_TO_ALIAS", error.localizedDescription, error)
+    }
+  }
+
+  func rotateKeyPair(_ alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    do {
+      try DPoPModule.shared.rotateKeyPair(alias: alias)
+      resolve(nil)
+    } catch {
+      reject("ERR_DPOP_ROTATE_KEY_PAIR", error.localizedDescription, error)
+    }
+  }
+
+  func signWithDpopPrivateKey(_ payload: String, alias: String?, resolve: @escaping RCTPromiseResolveBlock, reject: @escaping RCTPromiseRejectBlock) {
+    do {
+      resolve(try DPoPModule.shared.signWithDpopPrivateKey(payload: payload, alias: alias))
+    } catch {
+      reject("ERR_DPOP_SIGN_WITH_PRIVATE_KEY", error.localizedDescription, error)
+    }
+  }
+
+  func generateProof(
+    _ htu: String,
+    htm: String,
+    nonce: String?,
+    accessToken: String?,
+    additional: [String: Any]?,
+    kid: String?,
+    jti: String?,
+    iat: NSNumber?,
+    alias: String?,
+    resolve: @escaping RCTPromiseResolveBlock,
+    reject: @escaping RCTPromiseRejectBlock
+  ) {
+    do {
+      resolve(
+        try DPoPModule.shared.generateProof(
+          htu: htu,
+          htm: htm,
+          nonce: nonce,
+          accessToken: accessToken,
+          additional: additional,
+          kid: kid,
+          jti: jti,
+          iat: iat,
+          alias: alias
+        )
+      )
+    } catch {
+      reject("ERR_DPOP_GENERATE_PROOF", error.localizedDescription, error)
+    }
+  }
+}