secure-comms-hybrid 1.0.0

package/README.md

@@ -0,0 +1,17 @@
+# 🔐 Secure Comms Hybrid
+
+Hybrid encryption (RSA + AES-GCM) for secure client-server communications.
+
+## Features
+
+- ✅ **Hybrid Encryption**: RSA-2048 for key exchange + AES-GCM-256 for data
+- ✅ **Perfect Forward Secrecy**: Unique session keys
+- ✅ **Zero Configuration**: Easy setup for Express.js
+- ✅ **Browser & Node.js**: Universal support
+- ✅ **TypeScript**: Full type definitions
+- ✅ **Middleware**: Drop-in encryption for existing APIs
+
+## Installation
+
+```bash
+npm install secure-comms-hybrid

package/lib/backend/HybridCrypto.js

@@ -0,0 +1,175 @@
+const crypto = require('crypto');
+const {
+  CRYPTO_CONFIG,
+  ERRORS
+} = require('../shared/constants');
+class HybridCrypto {
+  constructor(options = {}) {
+    this.options = {
+      rsaKeySize: options.rsaKeySize || CRYPTO_CONFIG.RSA.MODULUS_LENGTH,
+      sessionExpiry: options.sessionExpiry || CRYPTO_CONFIG.SESSION.EXPIRY_MS,
+      ...options
+    };
+
+    // Generate or use provided RSA keys
+    if (options.rsaPrivateKey && options.rsaPublicKey) {
+      this.rsaPrivateKey = options.rsaPrivateKey;
+      this.rsaPublicKey = options.rsaPublicKey;
+    } else {
+      this.generateRSAKeys();
+    }
+
+    // Session storage
+    this.sessionKeys = new Map();
+    this.sessionCleanupInterval = setInterval(() => this.cleanupExpiredSessions(), CRYPTO_CONFIG.SESSION.CLEANUP_INTERVAL);
+    console.log('🔐 HybridCrypto initialized');
+  }
+  generateRSAKeys() {
+    const {
+      publicKey,
+      privateKey
+    } = crypto.generateKeyPairSync('rsa', {
+      modulusLength: this.options.rsaKeySize,
+      publicKeyEncoding: CRYPTO_CONFIG.RSA.PUBLIC_KEY_ENCODING,
+      privateKeyEncoding: CRYPTO_CONFIG.RSA.PRIVATE_KEY_ENCODING
+    });
+    this.rsaPublicKey = publicKey;
+    this.rsaPrivateKey = privateKey;
+  }
+  getPublicKey() {
+    return {
+      publicKey: this.rsaPublicKey,
+      algorithm: 'RSA-OAEP',
+      hash: CRYPTO_CONFIG.RSA.HASH,
+      keySize: this.options.rsaKeySize,
+      timestamp: new Date().toISOString()
+    };
+  }
+  decryptAESKey(encryptedAESKey) {
+    try {
+      const decrypted = crypto.privateDecrypt({
+        key: this.rsaPrivateKey,
+        padding: crypto.constants[CRYPTO_CONFIG.RSA.PADDING],
+        oaepHash: 'sha256'
+      }, Buffer.from(encryptedAESKey, 'base64'));
+      return decrypted;
+    } catch (error) {
+      throw new Error(`${ERRORS.DECRYPTION_FAILED}: ${error.message}`);
+    }
+  }
+  storeSessionKey(clientId, aesKey, customExpiry = null) {
+    const expiresAt = Date.now() + (customExpiry || this.options.sessionExpiry);
+    this.sessionKeys.set(clientId, {
+      aesKey,
+      expiresAt,
+      createdAt: Date.now()
+    });
+    return expiresAt;
+  }
+  getSessionKey(clientId) {
+    const session = this.sessionKeys.get(clientId);
+    if (!session) {
+      throw new Error(ERRORS.SESSION_EXPIRED);
+    }
+    if (Date.now() > session.expiresAt) {
+      this.sessionKeys.delete(clientId);
+      throw new Error(ERRORS.SESSION_EXPIRED);
+    }
+    return session.aesKey;
+  }
+  cleanupExpiredSessions() {
+    const now = Date.now();
+    let cleaned = 0;
+    for (const [clientId, session] of this.sessionKeys.entries()) {
+      if (now > session.expiresAt) {
+        this.sessionKeys.delete(clientId);
+        cleaned++;
+      }
+    }
+    if (cleaned > 0) {
+      console.log(`🧹 Cleaned ${cleaned} expired sessions`);
+    }
+  }
+  async decryptData(ciphertextBase64, ivBase64, authTagBase64, clientId) {
+    try {
+      const aesKey = this.getSessionKey(clientId);
+      const ciphertext = Buffer.from(ciphertextBase64, 'base64');
+      const iv = Buffer.from(ivBase64, 'base64');
+      const authTag = Buffer.from(authTagBase64, 'base64');
+      const decipher = crypto.createDecipheriv(CRYPTO_CONFIG.AES.ALGORITHM.toLowerCase(), aesKey, iv);
+      decipher.setAuthTag(authTag);
+      let decrypted = decipher.update(ciphertext, null, 'utf8');
+      decrypted += decipher.final('utf8');
+      return {
+        success: true,
+        data: JSON.parse(decrypted),
+        raw: decrypted,
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: error.message,
+        timestamp: new Date().toISOString()
+      };
+    }
+  }
+  async encryptData(data, clientId) {
+    try {
+      const aesKey = this.getSessionKey(clientId);
+      const iv = crypto.randomBytes(CRYPTO_CONFIG.AES.IV_LENGTH);
+      const cipher = crypto.createCipheriv(CRYPTO_CONFIG.AES.ALGORITHM.toLowerCase(), aesKey, iv);
+      let encrypted = cipher.update(JSON.stringify(data), 'utf8', 'base64');
+      encrypted += cipher.final('base64');
+      const authTag = cipher.getAuthTag();
+      return {
+        success: true,
+        ciphertext: encrypted,
+        iv: iv.toString('base64'),
+        authTag: authTag.toString('base64'),
+        algorithm: `${CRYPTO_CONFIG.AES.ALGORITHM}-${CRYPTO_CONFIG.AES.KEY_LENGTH}`,
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: error.message,
+        timestamp: new Date().toISOString()
+      };
+    }
+  }
+  async processHandshake(handshakeData, clientId, customExpiry = null) {
+    try {
+      const aesKey = this.decryptAESKey(handshakeData.encryptedAESKey);
+      const expiresAt = this.storeSessionKey(clientId, aesKey, customExpiry);
+      const clientIV = crypto.randomBytes(CRYPTO_CONFIG.AES.IV_LENGTH);
+      return {
+        success: true,
+        message: 'Handshake successful',
+        clientIV: clientIV.toString('base64'),
+        sessionExpiry: expiresAt - Date.now(),
+        expiresAt,
+        timestamp: new Date().toISOString()
+      };
+    } catch (error) {
+      return {
+        success: false,
+        error: error.message,
+        timestamp: new Date().toISOString()
+      };
+    }
+  }
+  destroy() {
+    clearInterval(this.sessionCleanupInterval);
+    this.sessionKeys.clear();
+  }
+  getStats() {
+    return {
+      activeSessions: this.sessionKeys.size,
+      rsaKeySize: this.options.rsaKeySize,
+      sessionExpiry: this.options.sessionExpiry,
+      uptime: process.uptime()
+    };
+  }
+}
+module.exports = HybridCrypto;

package/lib/backend/index.js

@@ -0,0 +1,23 @@
+const HybridCrypto = require('./HybridCrypto');
+const middleware = require('./middleware');
+module.exports = {
+  HybridCrypto,
+  ...middleware,
+  // Quick setup function
+  createHybridCrypto: (options = {}) => {
+    const crypto = new HybridCrypto(options);
+    const {
+      createExpressMiddleware
+    } = middleware;
+    return {
+      crypto,
+      expressMiddleware: createExpressMiddleware(crypto, options.middlewareOptions),
+      getPublicKey: () => crypto.getPublicKey(),
+      getStats: () => crypto.getStats(),
+      destroy: () => crypto.destroy()
+    };
+  },
+  // Version info
+  version: '1.0.0',
+  description: 'Hybrid encryption for secure communications'
+};

package/lib/backend/middleware.js

@@ -0,0 +1,214 @@
+const {
+  CRYPTO_CONFIG,
+  ERRORS
+} = require('../shared/constants');
+function createEncryptionMiddleware(hybridCrypto, options = {}) {
+  const {
+    excludedPaths = ['/health', '/'],
+    requireEncryption = false,
+    logLevel = 'info'
+  } = options;
+
+  // Decryption middleware
+  const decryptRequest = (req, res, next) => {
+    // Check if path is excluded
+    if (excludedPaths.includes(req.path)) {
+      return next();
+    }
+    const isEncrypted = req.headers[CRYPTO_CONFIG.HEADERS.ENCRYPTED] === 'true';
+    const clientId = req.headers[CRYPTO_CONFIG.HEADERS.CLIENT_ID];
+    if (!isEncrypted) {
+      if (requireEncryption) {
+        return res.status(400).json({
+          success: false,
+          error: 'Encryption required',
+          timestamp: new Date().toISOString()
+        });
+      }
+      return next();
+    }
+    if (!clientId) {
+      return res.status(400).json({
+        success: false,
+        error: ERRORS.MISSING_CLIENT_ID,
+        timestamp: new Date().toISOString()
+      });
+    }
+    let rawBody = '';
+    req.on('data', chunk => {
+      rawBody += chunk.toString();
+    });
+    req.on('end', async () => {
+      try {
+        if (!rawBody) {
+          return res.status(400).json({
+            success: false,
+            error: 'Empty request body',
+            timestamp: new Date().toISOString()
+          });
+        }
+        let parsedBody;
+        try {
+          parsedBody = JSON.parse(rawBody);
+        } catch (error) {
+          return res.status(400).json({
+            success: false,
+            error: 'Invalid JSON',
+            timestamp: new Date().toISOString()
+          });
+        }
+        if (!parsedBody.ciphertext || !parsedBody.iv || !parsedBody.authTag) {
+          return res.status(400).json({
+            success: false,
+            error: ERRORS.INVALID_REQUEST,
+            required: ['ciphertext', 'iv', 'authTag'],
+            timestamp: new Date().toISOString()
+          });
+        }
+        const decrypted = await hybridCrypto.decryptData(parsedBody.ciphertext, parsedBody.iv, parsedBody.authTag, clientId);
+        if (!decrypted.success) {
+          return res.status(400).json({
+            success: false,
+            error: ERRORS.DECRYPTION_FAILED,
+            details: decrypted.error,
+            timestamp: new Date().toISOString()
+          });
+        }
+        req.originalEncryptedBody = parsedBody;
+        req.body = decrypted.data;
+        req.encryptionMetadata = {
+          type: 'hybrid',
+          clientId,
+          decryptedAt: decrypted.timestamp,
+          algorithm: 'RSA-AES-GCM'
+        };
+        next();
+      } catch (error) {
+        console.error('❌ Decryption middleware error:', error);
+        return res.status(500).json({
+          success: false,
+          error: 'Internal server error',
+          timestamp: new Date().toISOString()
+        });
+      }
+    });
+  };
+
+  // Encryption middleware
+  const encryptResponse = (req, res, next) => {
+    const wantsEncryption = req.headers[CRYPTO_CONFIG.HEADERS.ENCRYPTED] === 'true';
+    const clientId = req.headers[CRYPTO_CONFIG.HEADERS.CLIENT_ID];
+    if (!wantsEncryption || !clientId || excludedPaths.includes(req.path)) {
+      return next();
+    }
+    const originalJson = res.json;
+    res.json = async function (data) {
+      try {
+        if (res.statusCode >= 400) {
+          return originalJson.call(this, data);
+        }
+        const encrypted = await hybridCrypto.encryptData(data, clientId);
+        if (!encrypted.success) {
+          throw new Error(`${ERRORS.ENCRYPTION_FAILED}: ${encrypted.error}`);
+        }
+        const encryptedResponse = {
+          success: true,
+          encrypted: true,
+          algorithm: encrypted.algorithm,
+          ciphertext: encrypted.ciphertext,
+          iv: encrypted.iv,
+          authTag: encrypted.authTag,
+          timestamp: encrypted.timestamp,
+          metadata: {
+            clientId,
+            originalDataType: typeof data
+          }
+        };
+        res.setHeader(CRYPTO_CONFIG.HEADERS.ENCRYPTED, 'true');
+        res.setHeader(CRYPTO_CONFIG.HEADERS.ENCRYPTION_ALGORITHM, 'RSA-AES-GCM');
+        res.setHeader(CRYPTO_CONFIG.HEADERS.CLIENT_ID, clientId);
+        return originalJson.call(this, encryptedResponse);
+      } catch (error) {
+        console.error('❌ Response encryption failed:', error);
+        res.removeHeader(CRYPTO_CONFIG.HEADERS.ENCRYPTED);
+        res.removeHeader(CRYPTO_CONFIG.HEADERS.ENCRYPTION_ALGORITHM);
+        return originalJson.call(this, {
+          success: false,
+          error: ERRORS.ENCRYPTION_FAILED,
+          message: error.message,
+          fallbackData: data,
+          encrypted: false,
+          timestamp: new Date().toISOString()
+        });
+      }
+    };
+    next();
+  };
+  return {
+    decryptRequest,
+    encryptResponse,
+    middleware: [decryptRequest, encryptResponse]
+  };
+}
+
+// Express.js specific middleware factory
+function createExpressMiddleware(hybridCrypto, options = {}) {
+  const {
+    decryptRequest,
+    encryptResponse
+  } = createEncryptionMiddleware(hybridCrypto, options);
+  return function (req, res, next) {
+    // Apply decryption
+    decryptRequest(req, res, err => {
+      if (err) return next(err);
+      // Apply encryption
+      encryptResponse(req, res, next);
+    });
+  };
+}
+
+// Koa.js middleware
+function createKoaMiddleware(hybridCrypto, options = {}) {
+  const {
+    decryptRequest,
+    encryptResponse
+  } = createEncryptionMiddleware(hybridCrypto, options);
+  return async (ctx, next) => {
+    // Convert Koa context to Express-like req/res
+    const req = ctx.request;
+    const res = {
+      json: data => {
+        ctx.body = data;
+        ctx.type = 'application/json';
+      },
+      status: code => {
+        ctx.status = code;
+        return res;
+      },
+      setHeader: (name, value) => {
+        ctx.set(name, value);
+      },
+      removeHeader: name => {
+        ctx.remove(name);
+      }
+    };
+    await new Promise(resolve => {
+      decryptRequest(req, res, err => {
+        if (err) throw err;
+        resolve();
+      });
+    });
+    await next();
+    if (ctx.headers[CRYPTO_CONFIG.HEADERS.ENCRYPTED] === 'true') {
+      await new Promise(resolve => {
+        encryptResponse(req, res, () => resolve());
+      });
+    }
+  };
+}
+module.exports = {
+  createEncryptionMiddleware,
+  createExpressMiddleware,
+  createKoaMiddleware,
+  HybridCrypto: require('./HybridCrypto')
+};

package/package.json

@@ -0,0 +1,76 @@
+{
+  "name": "secure-comms-hybrid",
+  "version": "1.0.0",
+  "description": "Hybrid encryption (RSA + AES) for secure client-server communications",
+  "main": "lib/backend/index.js",
+  "browser": "dist/frontend/index.js",
+  "module": "src/frontend/index.js",
+  "types": "types/index.d.ts",
+  "exports": {
+    ".": {
+      "node": "./lib/backend/index.js",
+      "browser": "./dist/frontend/index.js",
+      "import": "./lib/frontend/index.js",
+      "require": "./lib/backend/index.js"
+    },
+    "./backend": "./lib/backend/index.js",
+    "./frontend": "./dist/frontend/index.js",
+    "./express": "./lib/backend/middleware.js"
+  },
+"scripts": {
+  "build": "npm run build:backend",
+  "build:backend": "babel src/backend --out-dir lib/backend",
+  "build:types": "tsc --declaration --emitDeclarationOnly",
+  "dev": "npm run build:backend && nodemon --exec babel-node src/backend/test.js",
+  "test": "jest --passWithNoTests",
+  "test:backend": "jest backend.test.js --passWithNoTests",
+  "lint": "eslint src/**/*.js",
+  "prepublishOnly": "npm run build && npm test",
+  "example:backend": "node examples/backend/express-example.js"
+},
+  "keywords": [
+    "encryption",
+    "security",
+    "crypto",
+    "aes",
+    "rsa",
+    "hybrid",
+    "secure-communications",
+    "end-to-end-encryption"
+  ],
+  "author": "Abhay Singh Kathayat",
+  "license": "MIT",
+  "dependencies": {
+    "crypto": "^1.0.1"
+  },
+  "devDependencies": {
+    "@babel/cli": "^7.23.4",
+    "@babel/core": "^7.23.5",
+    "@babel/preset-env": "^7.23.5",
+    "@types/crypto-js": "^4.2.1",
+    "@types/jest": "^29.5.11",
+    "@types/node": "^20.10.5",
+    "babel-jest": "^29.7.0",
+    "eslint": "^8.55.0",
+    "express": "^4.18.2",
+    "jest": "^29.7.0",
+    "nodemon": "^3.0.2",
+    "typescript": "^5.3.3",
+    "webpack": "^5.89.0",
+    "webpack-cli": "^5.1.4"
+  },
+  "peerDependencies": {
+    "express": "^4.0.0"
+  },
+  "engines": {
+    "node": ">=14.0.0",
+    "npm": ">=6.0.0"
+  },
+  "files": [
+    "lib",
+    "dist",
+    "types",
+    "README.md",
+    "LICENSE"
+  ]
+}