react-native-security-suite 0.9.22 → 1.0.0-rc.2

package/src/jws.ts

@@ -0,0 +1,213 @@
+export type JwsAlgorithm = 'HS256' | 'HS384' | 'HS512';
+
+export type JwsPayload =
+  | string
+  | Record<string, unknown>
+  | unknown[]
+  | number
+  | boolean
+  | null
+  | undefined;
+
+export type JwsHeaderValue = string | number | boolean | null;
+
+export type JwsHeaders = Record<string, JwsHeaderValue>;
+
+const SUPPORTED_ALGORITHMS: readonly JwsAlgorithm[] = [
+  'HS256',
+  'HS384',
+  'HS512',
+];
+
+const SAFE_HEADER_KEY = /^[a-zA-Z][a-zA-Z0-9_-]*$/;
+
+export interface GenerateJWSOptions {
+  payload?: JwsPayload;
+  algorithm?: JwsAlgorithm;
+  headers?: JwsHeaders;
+  secret: string;
+}
+
+export interface JwsFetchOptions {
+  algorithm?: JwsAlgorithm;
+  headers?: JwsHeaders;
+  secret: string;
+  payload?: JwsPayload;
+  detached?: boolean;
+  headerName?: string;
+}
+
+export function isEmptyJwsPayload(payload: JwsPayload | undefined): boolean {
+  return (
+    payload === undefined ||
+    payload === null ||
+    (typeof payload === 'string' && payload.length === 0)
+  );
+}
+
+/**
+ * Normalizes a JWS payload to the exact UTF-8 string used for signing.
+ * Empty payload cases return an empty string (never "null" or "undefined").
+ */
+export function normalizeJwsPayload(payload: JwsPayload | undefined): string {
+  if (isEmptyJwsPayload(payload)) {
+    return '';
+  }
+
+  if (typeof payload === 'string') {
+    return payload;
+  }
+
+  if (typeof payload === 'number' || typeof payload === 'boolean') {
+    return JSON.stringify(payload);
+  }
+
+  return JSON.stringify(payload);
+}
+
+export function validateJwsAlgorithm(
+  algorithm: string | undefined
+): JwsAlgorithm {
+  if (!algorithm) {
+    return 'HS256';
+  }
+  if (!SUPPORTED_ALGORITHMS.includes(algorithm as JwsAlgorithm)) {
+    throw new Error(`Unsupported JWS algorithm: ${algorithm}`);
+  }
+  return algorithm as JwsAlgorithm;
+}
+
+export function validateJwsSecret(secret: unknown): string {
+  if (typeof secret !== 'string' || secret.trim().length === 0) {
+    throw new Error('JWS secret is required and must be a non-empty string');
+  }
+  return secret;
+}
+
+export function validateJwsHeaderKey(key: string): void {
+  if (!SAFE_HEADER_KEY.test(key)) {
+    throw new Error(`Invalid JWS header key: ${key}`);
+  }
+}
+
+export function validateJwsHeaderValue(
+  key: string,
+  value: unknown
+): JwsHeaderValue {
+  if (
+    value === null ||
+    typeof value === 'string' ||
+    typeof value === 'number' ||
+    typeof value === 'boolean'
+  ) {
+    if (typeof value === 'string' && value.length > 0) {
+      for (let i = 0; i < value.length; i++) {
+        const code = value.charCodeAt(i);
+        if (code < 0x20 || code > 0x7e) {
+          throw new Error(`Invalid JWS header value for key: ${key}`);
+        }
+      }
+    }
+    return value as JwsHeaderValue;
+  }
+
+  throw new Error(
+    `JWS header values must be JSON-serializable primitives: ${key}`
+  );
+}
+
+export function validateJwsHeaders(headers: unknown): JwsHeaders {
+  if (headers === undefined || headers === null) {
+    return {};
+  }
+  if (typeof headers !== 'object' || Array.isArray(headers)) {
+    throw new Error('JWS headers must be an object when provided');
+  }
+
+  const result: JwsHeaders = {};
+  for (const [key, value] of Object.entries(headers as Record<string, unknown>)) {
+    validateJwsHeaderKey(key);
+    result[key] = validateJwsHeaderValue(key, value);
+  }
+  return result;
+}
+
+/**
+ * Resolves the JWS algorithm from options and/or protected headers.
+ */
+export function resolveJwsAlgorithm(
+  algorithm: JwsAlgorithm | undefined,
+  headers: JwsHeaders
+): JwsAlgorithm {
+  const headerAlg =
+    headers.alg !== undefined && headers.alg !== null
+      ? String(headers.alg)
+      : undefined;
+
+  if (algorithm && headerAlg && algorithm !== headerAlg) {
+    throw new Error(
+      'JWS algorithm mismatch: options.algorithm and headers.alg must match'
+    );
+  }
+
+  if (algorithm) {
+    return validateJwsAlgorithm(algorithm);
+  }
+
+  if (headerAlg) {
+    return validateJwsAlgorithm(headerAlg);
+  }
+
+  return 'HS256';
+}
+
+export interface NativeGenerateJWSOptions {
+  payload: string;
+  algorithm: JwsAlgorithm;
+  secret: string;
+  headers: JwsHeaders;
+  detached: boolean;
+}
+
+export function toNativeGenerateJWSOptions(
+  options: GenerateJWSOptions,
+  detached = false
+): NativeGenerateJWSOptions {
+  const secret = validateJwsSecret(options.secret);
+  const headers = validateJwsHeaders(options.headers);
+  const algorithm = resolveJwsAlgorithm(options.algorithm, headers);
+  const payload = normalizeJwsPayload(options.payload);
+
+  return {
+    payload,
+    algorithm,
+    secret,
+    headers: { ...headers, alg: algorithm },
+    detached,
+  };
+}
+
+export function toNativeJwsFetchOptions(
+  jws: JwsFetchOptions
+): NativeGenerateJWSOptions {
+  const secret = validateJwsSecret(jws.secret);
+  const headers = validateJwsHeaders(jws.headers);
+  const algorithm = resolveJwsAlgorithm(jws.algorithm, headers);
+
+  return {
+    payload: normalizeJwsPayload(jws.payload),
+    algorithm,
+    secret,
+    headers: { ...headers, alg: algorithm },
+    detached: jws.detached ?? false,
+  };
+}
+
+export function assertCompactJwsShape(jws: string): void {
+  const segments = jws.split('.');
+  if (segments.length !== 3) {
+    throw new Error(
+      `Invalid compact JWS: expected 3 segments, got ${segments.length}`
+    );
+  }
+}

package/src/legacy/cryptoOptions.ts

@@ -0,0 +1,84 @@
+/** Shared crypto option types used by legacy exports and the Crypto namespace. */
+export type KeyAgreementAlgorithm = 'X25519' | 'ECDH' | (string & {});
+
+export type KeyType = 'OKP' | 'EC' | (string & {});
+
+export type EncryptionKeyAlgorithm = 'AES-256' | 'AES' | (string & {});
+
+export type HmacAlgorithm =
+  | 'HMAC-SHA-256'
+  | 'HMAC-SHA-384'
+  | 'HMAC-SHA-512'
+  | 'HmacSHA256'
+  | 'HmacSHA384'
+  | 'HmacSHA512'
+  | (string & {});
+
+export type CipherAlgorithm = 'AES-GCM' | 'AES/GCM/NoPadding' | (string & {});
+
+export interface CryptoOptions {
+  keyAgreementAlgorithm: KeyAgreementAlgorithm;
+  encryptionKeyAlgorithm: EncryptionKeyAlgorithm;
+  keyType?: KeyType;
+  hmacAlgorithm?: HmacAlgorithm;
+  cipher?: CipherAlgorithm;
+  tagLength?: number;
+  ivLength?: number;
+  /** @deprecated Use `keyType` instead. */
+  keyFactoryAlgorithm?: KeyType;
+  /** @deprecated Use `hmacAlgorithm` instead. */
+  hmacKeyAlgorithm?: HmacAlgorithm;
+  /** @deprecated Use `cipher` instead. */
+  cipherTransformation?: CipherAlgorithm;
+  /** @deprecated Use `tagLength` instead. */
+  gcmTagLength?: number;
+  /** @deprecated Use `ivLength` instead. */
+  gcmIvLength?: number;
+}
+
+function requireCryptoOption<T>(
+  value: T | undefined | null,
+  key: string
+): T {
+  if (value === undefined || value === null || value === '') {
+    throw new Error(`Missing required crypto option: ${key}`);
+  }
+  return value;
+}
+
+export function toNativeCryptoOptions(options?: CryptoOptions | null) {
+  if (!options) {
+    throw new Error('Crypto options are required');
+  }
+
+  return {
+    keyAgreementAlgorithm: requireCryptoOption(
+      options.keyAgreementAlgorithm,
+      'keyAgreementAlgorithm'
+    ),
+    keyFactoryAlgorithm: requireCryptoOption(
+      options.keyType ?? options.keyFactoryAlgorithm,
+      'keyFactoryAlgorithm'
+    ),
+    encryptionKeyAlgorithm: requireCryptoOption(
+      options.encryptionKeyAlgorithm,
+      'encryptionKeyAlgorithm'
+    ),
+    hmacKeyAlgorithm: requireCryptoOption(
+      options.hmacAlgorithm ?? options.hmacKeyAlgorithm,
+      'hmacKeyAlgorithm'
+    ),
+    cipherTransformation: requireCryptoOption(
+      options.cipher ?? options.cipherTransformation,
+      'cipherTransformation'
+    ),
+    gcmTagLength: requireCryptoOption(
+      options.tagLength ?? options.gcmTagLength,
+      'gcmTagLength'
+    ),
+    gcmIvLength: requireCryptoOption(
+      options.ivLength ?? options.gcmIvLength,
+      'gcmIvLength'
+    ),
+  };
+}

package/src/native/bridge.ts

@@ -0,0 +1,37 @@
+import { NativeModules, Platform } from 'react-native';
+
+const LINKING_ERROR =
+  `The package 'react-native-security-suite' doesn't seem to be linked. Make sure: \n\n` +
+  Platform.select({ ios: "- You have run 'pod install'\n", default: '' }) +
+  '- You rebuilt the app after installing the package\n' +
+  '- You are not using Expo managed workflow\n';
+
+export interface SecuritySuiteNativeModule {
+  getPublicKey(): Promise<string>;
+  getSharedKey(serverPK: string, options: Record<string, unknown>): Promise<string>;
+  establishSharedKey?(
+    serverPK: string,
+    options: Record<string, unknown>
+  ): Promise<void>;
+  runtimeDetect(): Promise<Record<string, unknown>>;
+  appIntegrityVerify(): Promise<Record<string, unknown>>;
+  deviceGetEnvironment(): Promise<Record<string, unknown>>;
+  deviceHasSecurityRisk(): Promise<boolean>;
+  [key: string]: unknown;
+}
+
+export function getNativeModule(): SecuritySuiteNativeModule {
+  const module = NativeModules.SecuritySuite as
+    | SecuritySuiteNativeModule
+    | undefined;
+
+  if (module) {
+    return module;
+  }
+
+  return new Proxy({} as SecuritySuiteNativeModule, {
+    get() {
+      throw new Error(LINKING_ERROR);
+    },
+  });
+}

package/src/network/index.ts

@@ -0,0 +1 @@
+/** Phase 2+ namespace placeholder — fetch remains on legacy export for v0.9 compat. */

package/src/risk/score.ts

@@ -0,0 +1,49 @@
+import type {
+  AppIntegrityReport,
+  DeviceEnvironment,
+  RiskLevel,
+  RuntimeThreatReport,
+} from '../types/detection';
+
+export function computeRiskScore(input: {
+  isRooted: boolean;
+  isJailbroken: boolean;
+  runtime: RuntimeThreatReport;
+  app: AppIntegrityReport;
+  environment: DeviceEnvironment;
+}): { riskScore: number; riskLevel: RiskLevel } {
+  let riskScore = 0;
+
+  if (input.isRooted || input.isJailbroken) {
+    riskScore += 40;
+  }
+
+  if (input.runtime.fridaDetected) {
+    riskScore += 40;
+  }
+
+  if (input.runtime.xposedDetected) {
+    riskScore += 40;
+  }
+
+  if (input.runtime.substrateDetected) {
+    riskScore += 40;
+  }
+
+  if (input.runtime.debuggerAttached) {
+    riskScore += 20;
+  }
+
+  if (input.environment.isEmulator || input.environment.isSimulator) {
+    riskScore += 20;
+  }
+
+  if (input.app.tampered) {
+    riskScore += 50;
+  }
+
+  const riskLevel: RiskLevel =
+    riskScore >= 70 ? 'high' : riskScore >= 30 ? 'medium' : 'low';
+
+  return { riskScore: Math.min(100, riskScore), riskLevel };
+}

package/src/runtime/index.ts

@@ -0,0 +1,43 @@
+import { getNativeModule } from '../native/bridge';
+import type { RuntimeThreatReport } from '../types/detection';
+
+function parseRuntimeReport(raw: Record<string, unknown>): RuntimeThreatReport {
+  const report: RuntimeThreatReport = {
+    debuggerAttached: Boolean(raw.debuggerAttached),
+    fridaDetected: Boolean(raw.fridaDetected),
+    suspiciousLibraries: Array.isArray(raw.suspiciousLibraries)
+      ? raw.suspiciousLibraries.filter(
+          (item): item is string => typeof item === 'string'
+        )
+      : [],
+    suspiciousPorts: Array.isArray(raw.suspiciousPorts)
+      ? raw.suspiciousPorts.filter(
+          (item): item is number => typeof item === 'number'
+        )
+      : [],
+  };
+
+  if (raw.xposedDetected !== undefined) {
+    report.xposedDetected = Boolean(raw.xposedDetected);
+  }
+
+  if (raw.substrateDetected !== undefined) {
+    report.substrateDetected = Boolean(raw.substrateDetected);
+  }
+
+  if (raw.magiskDetected !== undefined) {
+    report.magiskDetected = Boolean(raw.magiskDetected);
+  }
+
+  return report;
+}
+
+export const RuntimeSecurity = {
+  detect(): Promise<RuntimeThreatReport> {
+    return getNativeModule()
+      .runtimeDetect()
+      .then((result) => parseRuntimeReport(result));
+  },
+};
+
+export type { RuntimeThreatReport };

package/src/screen/index.ts

@@ -0,0 +1,2 @@
+/** Phase 2+ namespace placeholder — SecureView remains on legacy export for v0.9 compat. */
+export { SecureView } from '../SecureView';

package/src/securitySuite/index.ts

@@ -0,0 +1,45 @@
+import { Platform } from 'react-native';
+
+import { AppIntegrity } from '../integrity';
+import { DeviceSecurity } from '../device';
+import { RuntimeSecurity } from '../runtime';
+import { computeRiskScore } from '../risk/score';
+import type { SecurityReport } from '../types/detection';
+
+export const SecuritySuite = {
+  async getSecurityReport(): Promise<SecurityReport> {
+    const [runtime, app, environment, isCompromised] = await Promise.all([
+      RuntimeSecurity.detect(),
+      AppIntegrity.verify(),
+      DeviceSecurity.getEnvironment(),
+      DeviceSecurity.isCompromised(),
+    ]);
+
+    const isRooted = Platform.OS === 'android' && isCompromised;
+    const isJailbroken = Platform.OS === 'ios' && isCompromised;
+
+    const { riskScore, riskLevel } = computeRiskScore({
+      isRooted,
+      isJailbroken,
+      runtime,
+      app,
+      environment,
+    });
+
+    return {
+      device: {
+        isRooted,
+        isJailbroken,
+        isEmulator: environment.isEmulator,
+        isSimulator: environment.isSimulator,
+        environmentIndicators: environment.indicators,
+      },
+      runtime,
+      app,
+      riskScore,
+      riskLevel,
+    };
+  },
+};
+
+export type { SecurityReport };

package/src/storage/index.ts

@@ -0,0 +1 @@
+/** Phase 2+ namespace placeholder — SecureStorage remains on the legacy export for v0.9 compat. */

package/src/types/detection.ts

@@ -0,0 +1,46 @@
+export interface RuntimeThreatReport {
+  debuggerAttached: boolean;
+  fridaDetected: boolean;
+  xposedDetected?: boolean;
+  substrateDetected?: boolean;
+  magiskDetected?: boolean;
+  suspiciousLibraries: string[];
+  suspiciousPorts: number[];
+}
+
+export type BuildType = 'debug' | 'release' | 'testflight';
+
+export interface AppIntegrityReport {
+  validSignature: boolean;
+  installerTrusted?: boolean;
+  debuggable: boolean;
+  tampered: boolean;
+  buildType: BuildType;
+  signingCertificateSha256?: string;
+  installerPackage?: string | null;
+  bundleIdentifier?: string;
+}
+
+export interface DeviceEnvironment {
+  isEmulator: boolean;
+  isSimulator: boolean;
+  indicators: string[];
+}
+
+export interface DeviceSecurityReport {
+  isRooted: boolean;
+  isJailbroken: boolean;
+  isEmulator: boolean;
+  isSimulator: boolean;
+  environmentIndicators: string[];
+}
+
+export type RiskLevel = 'low' | 'medium' | 'high';
+
+export interface SecurityReport {
+  device: DeviceSecurityReport;
+  runtime: RuntimeThreatReport;
+  app: AppIntegrityReport;
+  riskScore: number;
+  riskLevel: RiskLevel;
+}

package/android/src/main/java/com/securitysuite/StorageEncryption.java

@@ -1,52 +0,0 @@
-package com.securitysuite;
-
-import android.util.Base64;
-
-import java.security.SecureRandom;
-import java.util.Arrays;
-
-import javax.crypto.Cipher;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
-
-public class StorageEncryption {
-
-  public static String encrypt(String input, String encryptionKey, Boolean hardEncryption) {
-    try {
-      byte[] iv = new byte[16];
-      if (hardEncryption) {
-        new SecureRandom().nextBytes(iv);
-      }
-
-      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-      cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encryptionKey.getBytes("utf-8"), "AES"), new IvParameterSpec(iv));
-      byte[] cipherText = cipher.doFinal(input.getBytes("utf-8"));
-      byte[] ivAndCipherText = getCombinedArray(iv, cipherText);
-      return Base64.encodeToString(ivAndCipherText, Base64.NO_WRAP);
-    } catch (Exception e) {
-      return null;
-    }
-  }
-
-  public static String decrypt(String encoded, String encryptionKey) {
-    try {
-      byte[] ivAndCipherText = Base64.decode(encoded, Base64.NO_WRAP);
-      byte[] iv = Arrays.copyOfRange(ivAndCipherText, 0, 16);
-      byte[] cipherText = Arrays.copyOfRange(ivAndCipherText, 16, ivAndCipherText.length);
-
-      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
-      cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encryptionKey.getBytes("utf-8"), "AES"), new IvParameterSpec(iv));
-      return new String(cipher.doFinal(cipherText), "utf-8");
-    } catch (Exception e) {
-      return null;
-    }
-  }
-
-  private static byte[] getCombinedArray(byte[] one, byte[] two) {
-    byte[] combined = new byte[one.length + two.length];
-    for (int i = 0; i < combined.length; ++i) {
-      combined[i] = i < one.length ? one[i] : two[i - one.length];
-    }
-    return combined;
-  }
-}

package/ios/StorageEncryption.swift

@@ -1,89 +0,0 @@
-//
-//  SoftEncryption.swift
-//  EncryptionSecurity
-//
-//  Created by Mohammad on 5/9/1401 AP.
-//  Copyright © 1401 AP Facebook. All rights reserved.
-//
-
-import Foundation
-import CryptoKit
-
-@available(iOS 13.0, *)
-class StorageEncryption {
-    let nonce = try! AES.GCM.Nonce(data: Data(base64Encoded: "bj1nixTVoYpSvpdA")!)
-
-    func encrypt(plain: String, encryptionKey: String, hardEncryption: Bool) throws -> String {
-        do {
-            guard let encryptionKeyData = Data(base64Encoded: encryptionKey) else {
-                return "Could not decode encryptionKey text: \(encryptionKey)"
-            }
-            guard let plainData = plain.data(using: .utf8) else {
-                return "Could not decode plain text: \(plain)"
-            }
-            let symmetricKey = SymmetricKey(data: encryptionKeyData)
-            var encrypted = try AES.GCM.seal(plainData, using: symmetricKey, nonce: nonce, authenticating: ASN1.ec256)
-            if (hardEncryption) {
-                encrypted = try AES.GCM.seal(plainData, using: symmetricKey)
-            }
-            return encrypted.combined!.base64EncodedString()
-        } catch let error {
-            return "Error encrypting message: \(error.localizedDescription)"
-        }
-    }
-
-    func decrypt(decoded: String, encryptionKey: String, hardEncryption: Bool) throws -> String {
-        do {
-            guard let encryptionKeyData = Data(base64Encoded: encryptionKey) else {
-                return "Could not decode encryption key: \(encryptionKey)"
-            }
-            guard let decodedData = Data(base64Encoded: decoded) else {
-                return "Could not decode decoded text: \(decoded)"
-            }
-            let symmetricKey = SymmetricKey(data: encryptionKeyData)
-            if (hardEncryption) {
-                let sealedBoxToOpen = try AES.GCM.SealedBox(combined: decodedData)
-                let decrypted = try AES.GCM.open(sealedBoxToOpen, using: symmetricKey)
-                return String(data: decrypted, encoding: .utf8)!
-            } else {
-                let sealedBoxRestored = try AES.GCM.SealedBox(combined: decodedData)
-                let decrypted = try AES.GCM.open(sealedBoxRestored, using: symmetricKey, authenticating: ASN1.ec256)
-                return String(data: decrypted, encoding: .utf8)!
-            }
-        } catch let error {
-            return "Error decrypting message: \(error.localizedDescription)"
-        }
-    }
-}
-
-public extension Data {
-    init?(hexString: String) {
-        let len = hexString.count / 2
-        var data = Data(capacity: len)
-        var i = hexString.startIndex
-        for _ in 0..<len {
-            let j = hexString.index(i, offsetBy: 2)
-            let bytes = hexString[i..<j]
-            if var num = UInt8(bytes, radix: 16) {
-              data.append(&num, count: 1)
-            } else {
-              return nil
-            }
-            i = j
-        }
-        self = data
-    }
-    /// Hexadecimal string representation of `Data` object.
-    var hexadecimal: String {
-        return map { String(format: "%02x", $0) }
-            .joined()
-    }
-}
-
-struct ASN1 {
-    static let rsa2048 = Data(base64Encoded: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A")!
-    static let rsa4096 = Data(base64Encoded: "MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A")!
-    static let ec256   = Data(base64Encoded: "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgA=")!
-    static let ec384   = Data(base64Encoded: "MHYwEAYHKoZIzj0CAQYFK4EEACIDYgA=")!
-    static let ec521   = Data(base64Encoded: "MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQ=")!
-}