react-native-quick-crypto 1.0.0-beta.21 → 1.0.0-beta.22

package/src/specs/rsaCipher.nitro.ts

@@ -0,0 +1,35 @@
+import type { HybridObject } from 'react-native-nitro-modules';
+import type { KeyObjectHandle } from './keyObjectHandle.nitro';
+
+export interface RsaCipher
+  extends HybridObject<{ ios: 'c++'; android: 'c++' }> {
+  /**
+   * Encrypt data using RSA-OAEP
+   * @param keyHandle The public key handle
+   * @param data The data to encrypt
+   * @param hashAlgorithm The hash algorithm (e.g., 'SHA-256')
+   * @param label Optional label for OAEP
+   * @returns Encrypted data
+   */
+  encrypt(
+    keyHandle: KeyObjectHandle,
+    data: ArrayBuffer,
+    hashAlgorithm: string,
+    label?: ArrayBuffer,
+  ): ArrayBuffer;
+
+  /**
+   * Decrypt data using RSA-OAEP
+   * @param keyHandle The private key handle
+   * @param data The data to decrypt
+   * @param hashAlgorithm The hash algorithm (e.g., 'SHA-256')
+   * @param label Optional label for OAEP
+   * @returns Decrypted data
+   */
+  decrypt(
+    keyHandle: KeyObjectHandle,
+    data: ArrayBuffer,
+    hashAlgorithm: string,
+    label?: ArrayBuffer,
+  ): ArrayBuffer;
+}

package/src/subtle.ts

@@ -11,8 +11,18 @@ import type {
   AesKeyGenParams,
   EncryptDecryptParams,
   Operation,
+  AesCtrParams,
+  AesCbcParams,
+  AesGcmParams,
+  RsaOaepParams,
 } from './utils';
-import { CryptoKey } from './keys';
+import {
+  CryptoKey,
+  KeyObject,
+  PublicKeyObject,
+  PrivateKeyObject,
+  SecretKeyObject,
+} from './keys';
 import type { CryptoKeyPair } from './utils/types';
 import { bufferLikeToArrayBuffer } from './utils/conversion';
 import { lazyDOMException } from './utils/errors';
@@ -20,9 +30,14 @@ import { normalizeHashName, HashContext } from './utils/hashnames';
 import { validateMaxBufferLength } from './utils/validation';
 import { asyncDigest } from './hash';
 import { createSecretKey } from './keys';
+import { NitroModules } from 'react-native-nitro-modules';
+import type { KeyObjectHandle } from './specs/keyObjectHandle.nitro';
+import type { RsaCipher } from './specs/rsaCipher.nitro';
+import type { CipherFactory } from './specs/cipher.nitro';
 import { pbkdf2DeriveBits } from './pbkdf2';
 import { ecImportKey, ecdsaSignVerify, ec_generateKeyPair } from './ec';
 import { rsa_generateKeyPair } from './rsa';
+import { getRandomValues } from './random';
 // import { pbkdf2DeriveBits } from './pbkdf2';
 // import { aesCipher, aesGenerateKey, aesImportKey, getAlgorithmName } from './aes';
 // import { rsaCipher, rsaExportKey, rsaImportKey, rsaKeyGenerate } from './rsa';
@@ -62,74 +77,558 @@ function getAlgorithmName(name: string, length: number): string {
 }
 
 // Placeholder implementations for missing functions
-function ecExportKey(
-  _key: CryptoKey,
-  _format: KWebCryptoKeyFormat,
-): ArrayBuffer {
-  throw new Error('ecExportKey not implemented');
+function ecExportKey(key: CryptoKey, format: KWebCryptoKeyFormat): ArrayBuffer {
+  const keyObject = key.keyObject;
+
+  if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatSPKI) {
+    // Export public key in SPKI format
+    const exported = keyObject.export({ format: 'der', type: 'spki' });
+    return bufferLikeToArrayBuffer(exported);
+  } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatPKCS8) {
+    // Export private key in PKCS8 format
+    const exported = keyObject.export({ format: 'der', type: 'pkcs8' });
+    return bufferLikeToArrayBuffer(exported);
+  } else {
+    throw new Error(`Unsupported EC export format: ${format}`);
+  }
 }
 
 function rsaExportKey(
-  _key: CryptoKey,
-  _format: KWebCryptoKeyFormat,
+  key: CryptoKey,
+  format: KWebCryptoKeyFormat,
 ): ArrayBuffer {
-  throw new Error('rsaExportKey not implemented');
+  const keyObject = key.keyObject;
+
+  if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatSPKI) {
+    // Export public key in SPKI format
+    const exported = keyObject.export({ format: 'der', type: 'spki' });
+    return bufferLikeToArrayBuffer(exported);
+  } else if (format === KWebCryptoKeyFormat.kWebCryptoKeyFormatPKCS8) {
+    // Export private key in PKCS8 format
+    const exported = keyObject.export({ format: 'der', type: 'pkcs8' });
+    return bufferLikeToArrayBuffer(exported);
+  } else {
+    throw new Error(`Unsupported RSA export format: ${format}`);
+  }
 }
 
-function rsaCipher(
-  _mode: CipherOrWrapMode,
-  _key: CryptoKey,
-  _data: ArrayBuffer,
-  _algorithm: EncryptDecryptParams,
+async function rsaCipher(
+  mode: CipherOrWrapMode,
+  key: CryptoKey,
+  data: ArrayBuffer,
+  algorithm: EncryptDecryptParams,
 ): Promise<ArrayBuffer> {
-  throw new Error('rsaCipher not implemented');
+  const rsaParams = algorithm as RsaOaepParams;
+
+  // Validate key type matches operation
+  const expectedType =
+    mode === CipherOrWrapMode.kWebCryptoCipherEncrypt ? 'public' : 'private';
+  if (key.type !== expectedType) {
+    throw lazyDOMException(
+      'The requested operation is not valid for the provided key',
+      'InvalidAccessError',
+    );
+  }
+
+  // Get hash algorithm from key
+  const hashAlgorithm = normalizeHashName(key.algorithm.hash);
+
+  // Prepare label (optional)
+  const label = rsaParams.label
+    ? bufferLikeToArrayBuffer(rsaParams.label)
+    : undefined;
+
+  // Create RSA cipher instance
+  const rsaCipherModule =
+    NitroModules.createHybridObject<RsaCipher>('RsaCipher');
+
+  if (mode === CipherOrWrapMode.kWebCryptoCipherEncrypt) {
+    // Encrypt with public key
+    return rsaCipherModule.encrypt(
+      key.keyObject.handle,
+      data,
+      hashAlgorithm,
+      label,
+    );
+  } else {
+    // Decrypt with private key
+    return rsaCipherModule.decrypt(
+      key.keyObject.handle,
+      data,
+      hashAlgorithm,
+      label,
+    );
+  }
 }
 
-function aesCipher(
-  _mode: CipherOrWrapMode,
-  _key: CryptoKey,
-  _data: ArrayBuffer,
-  _algorithm: EncryptDecryptParams,
+async function aesCipher(
+  mode: CipherOrWrapMode,
+  key: CryptoKey,
+  data: ArrayBuffer,
+  algorithm: EncryptDecryptParams,
 ): Promise<ArrayBuffer> {
-  throw new Error('aesCipher not implemented');
+  const { name } = algorithm;
+
+  switch (name) {
+    case 'AES-CTR':
+      return aesCtrCipher(mode, key, data, algorithm as AesCtrParams);
+    case 'AES-CBC':
+      return aesCbcCipher(mode, key, data, algorithm as AesCbcParams);
+    case 'AES-GCM':
+      return aesGcmCipher(mode, key, data, algorithm as AesGcmParams);
+    default:
+      throw lazyDOMException(
+        `Unsupported AES algorithm: ${name}`,
+        'NotSupportedError',
+      );
+  }
+}
+
+async function aesCtrCipher(
+  mode: CipherOrWrapMode,
+  key: CryptoKey,
+  data: ArrayBuffer,
+  algorithm: AesCtrParams,
+): Promise<ArrayBuffer> {
+  // Validate counter and length
+  if (!algorithm.counter || algorithm.counter.byteLength !== 16) {
+    throw lazyDOMException(
+      'AES-CTR algorithm.counter must be 16 bytes',
+      'OperationError',
+    );
+  }
+
+  if (algorithm.length < 1 || algorithm.length > 128) {
+    throw lazyDOMException(
+      'AES-CTR algorithm.length must be between 1 and 128',
+      'OperationError',
+    );
+  }
+
+  // Get cipher type based on key length
+  const keyLength = (key.algorithm as { length: number }).length;
+  const cipherType = `aes-${keyLength}-ctr`;
+
+  // Create cipher
+  const factory =
+    NitroModules.createHybridObject<CipherFactory>('CipherFactory');
+  const cipher = factory.createCipher({
+    isCipher: mode === CipherOrWrapMode.kWebCryptoCipherEncrypt,
+    cipherType,
+    cipherKey: bufferLikeToArrayBuffer(key.keyObject.export()),
+    iv: bufferLikeToArrayBuffer(algorithm.counter),
+  });
+
+  // Process data
+  const updated = cipher.update(data);
+  const final = cipher.final();
+
+  // Concatenate results
+  const result = new Uint8Array(updated.byteLength + final.byteLength);
+  result.set(new Uint8Array(updated), 0);
+  result.set(new Uint8Array(final), updated.byteLength);
+
+  return result.buffer;
+}
+
+async function aesCbcCipher(
+  mode: CipherOrWrapMode,
+  key: CryptoKey,
+  data: ArrayBuffer,
+  algorithm: AesCbcParams,
+): Promise<ArrayBuffer> {
+  // Validate IV
+  const iv = bufferLikeToArrayBuffer(algorithm.iv);
+  if (iv.byteLength !== 16) {
+    throw lazyDOMException(
+      'algorithm.iv must contain exactly 16 bytes',
+      'OperationError',
+    );
+  }
+
+  // Get cipher type based on key length
+  const keyLength = (key.algorithm as { length: number }).length;
+  const cipherType = `aes-${keyLength}-cbc`;
+
+  // Create cipher
+  const factory =
+    NitroModules.createHybridObject<CipherFactory>('CipherFactory');
+  const cipher = factory.createCipher({
+    isCipher: mode === CipherOrWrapMode.kWebCryptoCipherEncrypt,
+    cipherType,
+    cipherKey: bufferLikeToArrayBuffer(key.keyObject.export()),
+    iv,
+  });
+
+  // Process data
+  const updated = cipher.update(data);
+  const final = cipher.final();
+
+  // Concatenate results
+  const result = new Uint8Array(updated.byteLength + final.byteLength);
+  result.set(new Uint8Array(updated), 0);
+  result.set(new Uint8Array(final), updated.byteLength);
+
+  return result.buffer;
+}
+
+async function aesGcmCipher(
+  mode: CipherOrWrapMode,
+  key: CryptoKey,
+  data: ArrayBuffer,
+  algorithm: AesGcmParams,
+): Promise<ArrayBuffer> {
+  const { tagLength = 128 } = algorithm;
+
+  // Validate tag length
+  const validTagLengths = [32, 64, 96, 104, 112, 120, 128];
+  if (!validTagLengths.includes(tagLength)) {
+    throw lazyDOMException(
+      `${tagLength} is not a valid AES-GCM tag length`,
+      'OperationError',
+    );
+  }
+
+  const tagByteLength = tagLength / 8;
+
+  // Get cipher type based on key length
+  const keyLength = (key.algorithm as { length: number }).length;
+  const cipherType = `aes-${keyLength}-gcm`;
+
+  // Create cipher
+  const factory =
+    NitroModules.createHybridObject<CipherFactory>('CipherFactory');
+  const cipher = factory.createCipher({
+    isCipher: mode === CipherOrWrapMode.kWebCryptoCipherEncrypt,
+    cipherType,
+    cipherKey: bufferLikeToArrayBuffer(key.keyObject.export()),
+    iv: bufferLikeToArrayBuffer(algorithm.iv),
+    authTagLen: tagByteLength,
+  });
+
+  let processData: ArrayBuffer;
+  let authTag: ArrayBuffer | undefined;
+
+  if (mode === CipherOrWrapMode.kWebCryptoCipherDecrypt) {
+    // For decryption, extract auth tag from end of data
+    const dataView = new Uint8Array(data);
+
+    if (dataView.byteLength < tagByteLength) {
+      throw lazyDOMException(
+        'The provided data is too small.',
+        'OperationError',
+      );
+    }
+
+    // Split data and tag
+    const ciphertextLength = dataView.byteLength - tagByteLength;
+    processData = dataView.slice(0, ciphertextLength).buffer;
+    authTag = dataView.slice(ciphertextLength).buffer;
+
+    // Set auth tag for verification
+    cipher.setAuthTag(authTag);
+  } else {
+    processData = data;
+  }
+
+  // Set additional authenticated data if provided
+  if (algorithm.additionalData) {
+    cipher.setAAD(bufferLikeToArrayBuffer(algorithm.additionalData));
+  }
+
+  // Process data
+  const updated = cipher.update(processData);
+  const final = cipher.final();
+
+  if (mode === CipherOrWrapMode.kWebCryptoCipherEncrypt) {
+    // For encryption, append auth tag to result
+    const tag = cipher.getAuthTag();
+    const result = new Uint8Array(
+      updated.byteLength + final.byteLength + tag.byteLength,
+    );
+    result.set(new Uint8Array(updated), 0);
+    result.set(new Uint8Array(final), updated.byteLength);
+    result.set(new Uint8Array(tag), updated.byteLength + final.byteLength);
+    return result.buffer;
+  } else {
+    // For decryption, just concatenate plaintext
+    const result = new Uint8Array(updated.byteLength + final.byteLength);
+    result.set(new Uint8Array(updated), 0);
+    result.set(new Uint8Array(final), updated.byteLength);
+    return result.buffer;
+  }
 }
 
 async function aesGenerateKey(
-  _algorithm: AesKeyGenParams,
-  _extractable: boolean,
-  _keyUsages: KeyUsage[],
+  algorithm: AesKeyGenParams,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
 ): Promise<CryptoKey> {
-  throw new Error('aesGenerateKey not implemented');
+  const { length } = algorithm;
+  const name = algorithm.name;
+
+  if (!name) {
+    throw lazyDOMException('Algorithm name is required', 'OperationError');
+  }
+
+  // Validate key length
+  if (![128, 192, 256].includes(length)) {
+    throw lazyDOMException(
+      `Invalid AES key length: ${length}. Must be 128, 192, or 256.`,
+      'OperationError',
+    );
+  }
+
+  // Validate usages
+  const validUsages: KeyUsage[] = [
+    'encrypt',
+    'decrypt',
+    'wrapKey',
+    'unwrapKey',
+  ];
+  if (hasAnyNotIn(keyUsages, validUsages)) {
+    throw lazyDOMException(`Unsupported key usage for ${name}`, 'SyntaxError');
+  }
+
+  // Generate random key bytes
+  const keyBytes = new Uint8Array(length / 8);
+  getRandomValues(keyBytes);
+
+  // Create secret key
+  const keyObject = createSecretKey(keyBytes);
+
+  // Construct algorithm object with guaranteed name
+  const keyAlgorithm: SubtleAlgorithm = { name, length };
+
+  return new CryptoKey(keyObject, keyAlgorithm, keyUsages, extractable);
 }
 
 function rsaImportKey(
-  _format: ImportFormat,
-  _data: BufferLike | JWK,
-  _algorithm: SubtleAlgorithm,
-  _extractable: boolean,
-  _keyUsages: KeyUsage[],
+  format: ImportFormat,
+  data: BufferLike | JWK,
+  algorithm: SubtleAlgorithm,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
 ): CryptoKey {
-  throw new Error('rsaImportKey not implemented');
+  const { name } = algorithm;
+
+  // Validate usages
+  let checkSet: KeyUsage[];
+  switch (name) {
+    case 'RSASSA-PKCS1-v1_5':
+    case 'RSA-PSS':
+      checkSet = ['sign', 'verify'];
+      break;
+    case 'RSA-OAEP':
+      checkSet = ['encrypt', 'decrypt', 'wrapKey', 'unwrapKey'];
+      break;
+    default:
+      throw new Error(`Unsupported RSA algorithm: ${name}`);
+  }
+
+  if (hasAnyNotIn(keyUsages, checkSet)) {
+    throw new Error(`Unsupported key usage for ${name}`);
+  }
+
+  let keyObject: KeyObject;
+
+  if (format === 'jwk') {
+    const jwk = data as JWK;
+
+    // Validate JWK
+    if (jwk.kty !== 'RSA') {
+      throw new Error('Invalid JWK format for RSA key');
+    }
+
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    const keyType = handle.initJwk(jwk, undefined);
+
+    if (keyType === undefined) {
+      throw new Error('Failed to import RSA JWK');
+    }
+
+    // Create the appropriate KeyObject based on type
+    if (keyType === 1) {
+      keyObject = new PublicKeyObject(handle);
+    } else if (keyType === 2) {
+      keyObject = new PrivateKeyObject(handle);
+    } else {
+      throw new Error('Unexpected key type from RSA JWK import');
+    }
+  } else if (format === 'spki') {
+    const keyData = bufferLikeToArrayBuffer(data as BufferLike);
+    keyObject = KeyObject.createKeyObject('public', keyData, 'der', 'spki');
+  } else if (format === 'pkcs8') {
+    const keyData = bufferLikeToArrayBuffer(data as BufferLike);
+    keyObject = KeyObject.createKeyObject('private', keyData, 'der', 'pkcs8');
+  } else {
+    throw new Error(`Unsupported format for RSA import: ${format}`);
+  }
+
+  // Get the modulus length from the key and add it to the algorithm
+  const keyDetails = (keyObject as PublicKeyObject | PrivateKeyObject)
+    .asymmetricKeyDetails;
+
+  // Convert publicExponent number to big-endian byte array
+  let publicExponentBytes: Uint8Array | undefined;
+  if (keyDetails?.publicExponent) {
+    const exp = keyDetails.publicExponent;
+    // Convert number to big-endian bytes
+    const bytes: number[] = [];
+    let value = exp;
+    while (value > 0) {
+      bytes.unshift(value & 0xff);
+      value = Math.floor(value / 256);
+    }
+    publicExponentBytes = new Uint8Array(bytes.length > 0 ? bytes : [0]);
+  }
+
+  const algorithmWithDetails = {
+    ...algorithm,
+    modulusLength: keyDetails?.modulusLength,
+    publicExponent: publicExponentBytes,
+  };
+
+  return new CryptoKey(keyObject, algorithmWithDetails, keyUsages, extractable);
 }
 
 async function hmacImportKey(
-  _algorithm: SubtleAlgorithm,
-  _format: ImportFormat,
-  _data: BufferLike | JWK,
-  _extractable: boolean,
-  _keyUsages: KeyUsage[],
+  algorithm: SubtleAlgorithm,
+  format: ImportFormat,
+  data: BufferLike | JWK,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
 ): Promise<CryptoKey> {
-  throw new Error('hmacImportKey not implemented');
+  // Validate usages
+  if (hasAnyNotIn(keyUsages, ['sign', 'verify'])) {
+    throw new Error('Unsupported key usage for an HMAC key');
+  }
+
+  let keyObject: KeyObject;
+
+  if (format === 'jwk') {
+    const jwk = data as JWK;
+
+    // Validate JWK
+    if (!jwk || typeof jwk !== 'object') {
+      throw new Error('Invalid keyData');
+    }
+
+    if (jwk.kty !== 'oct') {
+      throw new Error('Invalid JWK format for HMAC key');
+    }
+
+    // Validate key length if specified
+    if (algorithm.length !== undefined) {
+      if (!jwk.k) {
+        throw new Error('JWK missing key data');
+      }
+      // Decode to check length
+      const decoded = SBuffer.from(jwk.k, 'base64');
+      const keyBitLength = decoded.length * 8;
+      if (algorithm.length === 0) {
+        throw new Error('Zero-length key is not supported');
+      }
+      if (algorithm.length !== keyBitLength) {
+        throw new Error('Invalid key length');
+      }
+    }
+
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    const keyType = handle.initJwk(jwk, undefined);
+
+    if (keyType === undefined || keyType !== 0) {
+      throw new Error('Failed to import HMAC JWK');
+    }
+
+    keyObject = new SecretKeyObject(handle);
+  } else if (format === 'raw') {
+    keyObject = createSecretKey(data as BinaryLike);
+  } else {
+    throw new Error(`Unable to import HMAC key with format ${format}`);
+  }
+
+  return new CryptoKey(
+    keyObject,
+    { ...algorithm, name: 'HMAC' },
+    keyUsages,
+    extractable,
+  );
 }
 
 async function aesImportKey(
-  _algorithm: SubtleAlgorithm,
-  _format: ImportFormat,
-  _data: BufferLike | JWK,
-  _extractable: boolean,
-  _keyUsages: KeyUsage[],
+  algorithm: SubtleAlgorithm,
+  format: ImportFormat,
+  data: BufferLike | JWK,
+  extractable: boolean,
+  keyUsages: KeyUsage[],
 ): Promise<CryptoKey> {
-  throw new Error('aesImportKey not implemented');
+  const { name, length } = algorithm;
+
+  // Validate usages
+  const validUsages: KeyUsage[] = [
+    'encrypt',
+    'decrypt',
+    'wrapKey',
+    'unwrapKey',
+  ];
+  if (hasAnyNotIn(keyUsages, validUsages)) {
+    throw new Error(`Unsupported key usage for ${name}`);
+  }
+
+  let keyObject: KeyObject;
+  let actualLength: number;
+
+  if (format === 'jwk') {
+    const jwk = data as JWK;
+
+    // Validate JWK
+    if (jwk.kty !== 'oct') {
+      throw new Error('Invalid JWK format for AES key');
+    }
+
+    const handle =
+      NitroModules.createHybridObject<KeyObjectHandle>('KeyObjectHandle');
+    const keyType = handle.initJwk(jwk, undefined);
+
+    if (keyType === undefined || keyType !== 0) {
+      throw new Error('Failed to import AES JWK');
+    }
+
+    keyObject = new SecretKeyObject(handle);
+
+    // Get actual key length from imported key
+    const exported = keyObject.export();
+    actualLength = exported.byteLength * 8;
+  } else if (format === 'raw') {
+    const keyData = bufferLikeToArrayBuffer(data as BufferLike);
+    actualLength = keyData.byteLength * 8;
+
+    // Validate key length
+    if (![128, 192, 256].includes(actualLength)) {
+      throw new Error('Invalid AES key length');
+    }
+
+    keyObject = createSecretKey(keyData);
+  } else {
+    throw new Error(`Unsupported format for AES import: ${format}`);
+  }
+
+  // Validate length if specified
+  if (length !== undefined && length !== actualLength) {
+    throw new Error(
+      `Key length mismatch: expected ${length}, got ${actualLength}`,
+    );
+  }
+
+  return new CryptoKey(
+    keyObject,
+    { name, length: actualLength },
+    keyUsages,
+    extractable,
+  );
 }
 
 const exportKeySpki = async (
@@ -203,8 +702,14 @@ const exportKeyRaw = (key: CryptoKey): ArrayBuffer | unknown => {
     // Fall through
     case 'AES-KW':
     // Fall through
-    case 'HMAC':
-      return key.keyObject.export();
+    case 'HMAC': {
+      const exported = key.keyObject.export();
+      // Convert Buffer to ArrayBuffer
+      return exported.buffer.slice(
+        exported.byteOffset,
+        exported.byteOffset + exported.byteLength,
+      );
+    }
   }
 
   throw lazyDOMException(

package/src/utils/conversion.ts

@@ -138,7 +138,9 @@ export function binaryLikeToArrayBuffer(
     return input.handle.exportKey();
   }
 
-  throw new Error('input could not be converted to ArrayBuffer');
+  throw new Error(
+    'Invalid argument type for "key". Need ArrayBuffer, TypedArray, KeyObject, CryptoKey, string',
+  );
 }
 
 export function ab2str(buf: ArrayBuffer, encoding: string = 'hex') {