feat: move hmac fns to own package

- define hmac related functions in
  separate module

Ticket: CE-5010

Author: bitgoAaron

modules/sdk-hmac/.eslintignore

@@ -0,0 +1,2 @@
+dist/
+src/opensslbytes.ts

modules/sdk-hmac/.gitignore

@@ -0,0 +1,3 @@
+node_modules/
+.idea/
+dist/

modules/sdk-hmac/.mocharc.yml

@@ -0,0 +1,8 @@
+require: 'ts-node/register'
+timeout: '60000'
+reporter: 'min'
+reporter-option:
+  - 'cdn=true'
+  - 'json=false'
+exit: true
+spec: ['test/**/*.ts']

modules/sdk-hmac/.npmignore

@@ -0,0 +1,12 @@
+!dist/
+.idea/
+.prettierrc.yml
+tsconfig.json
+src/
+test/
+scripts/
+.nyc_output
+CODEOWNERS
+node_modules/
+.prettierignore
+.mocharc.js

modules/sdk-hmac/.prettierignore

@@ -0,0 +1,2 @@
+.nyc_output/
+dist/

modules/sdk-hmac/.prettierrc.yml

@@ -0,0 +1,3 @@
+printWidth: 120
+singleQuote: true
+trailingComma: 'es5'

modules/sdk-hmac/CHANGELOG.md

@@ -0,0 +1,19 @@
+# Change Log
+
+All notable changes to this project will be documented in this file.
+See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+
+# 2.0.0 (2024-08-20)
+
+### Features
+
+- move opensslbytes to own package ([e23c562](https://github.com/BitGo/BitGoJS/commit/e23c5627957916055e68329541dd1eb775704ca5))
+
+### BREAKING CHANGES
+
+- clients using challenge
+  generation & TSS Recovery functions must now
+  install @bitgo/sdk-opensslbytes separately &
+  provide the openSSLBytes WASM themselves.
+
+Ticket: CE-4329

modules/sdk-hmac/README.md

@@ -0,0 +1,20 @@
+# @bitgo/sdk-opensslbytes
+
+Isolated module for users of the BitGo SDK that need to generate range proofs or recover funds on a TSS wallet.
+
+## Installation
+
+```shell
+npm i @bitgo/sdk-api @bitgo/sdk-lib-mpc @bitgo/sdk-opensslbytes
+```
+
+Import the `openSSLBytes` from this module & pass to related functions that expect it:
+
+```javascript
+import { loadWebAssembly } from '@bitgo/sdk-opensslbytes';
+import { EcdsaRangeProof } from '@bitgo-beta/sdk-lib-mpc';
+
+const openSSLBytes = loadWebAssembly().buffer;
+
+const nTilde = await EcdsaRangeProof.generateNtilde(openSSLBytes, 3072);
+```

modules/sdk-hmac/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@bitgo/sdk-hmac",
+  "version": "1.0.0",
+  "description": "Split package for WASM code needed by sdk-lib-mpc",
+  "main": "./dist/src/index.js",
+  "types": "./dist/src/index.d.ts",
+  "scripts": {
+    "build": "yarn tsc --build --incremental --verbose .",
+    "fmt": "prettier --write .",
+    "check-fmt": "prettier --check .",
+    "clean": "rm -r ./dist",
+    "lint": "eslint --quiet .",
+    "test": "npm run coverage",
+    "coverage": "nyc -- npm run unit-test",
+    "unit-test": "mocha",
+    "prepare": "npm run build"
+  },
+  "dependencies": {
+    "@bitgo/sjcl": "^1.0.1"
+  },
+  "devDependencies": {
+    "should": "^13.1.3"
+  },
+  "author": "BitGo SDK Team <[email protected]>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/BitGo/BitGoJS.git",
+    "directory": "modules/sdk-opensslbytes"
+  },
+  "files": [
+    "dist/src"
+  ],
+  "lint-staged": {
+    "*.{js,ts}": [
+      "yarn prettier --write",
+      "yarn eslint --fix"
+    ]
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "nyc": {
+    "extension": [
+      ".ts"
+    ]
+  }
+}

modules/sdk-hmac/src/hmac.ts

@@ -0,0 +1,131 @@
+import { createHmac } from 'crypto';
+import * as urlLib from 'url';
+import * as sjcl from '@bitgo/sjcl';
+import {
+  CalculateHmacSubjectOptions,
+  CalculateRequestHeadersOptions,
+  CalculateRequestHmacOptions,
+  RequestHeaders,
+  VerifyResponseInfo,
+  VerifyResponseOptions,
+} from './types';
+
+/**
+ * Calculate the HMAC for the given key and message
+ * @param key {String} - the key to use for the HMAC
+ * @param message {String} - the actual message to HMAC
+ * @returns {*} - the result of the HMAC operation
+ */
+export function calculateHMAC(key: string, message: string): string {
+  return createHmac('sha256', key).update(message).digest('hex');
+}
+
+/**
+ * Calculate the subject string that is to be HMAC'ed for a HTTP request or response
+ * @param urlPath request url, including query params
+ * @param text request body text
+ * @param timestamp request timestamp from `Date.now()`
+ * @param statusCode Only set for HTTP responses, leave blank for requests
+ * @param method request method
+ * @returns {string}
+ */
+export function calculateHMACSubject({
+  urlPath,
+  text,
+  timestamp,
+  statusCode,
+  method,
+  authVersion,
+}: CalculateHmacSubjectOptions): string {
+  const urlDetails = urlLib.parse(urlPath);
+  const queryPath = urlDetails.query && urlDetails.query.length > 0 ? urlDetails.path : urlDetails.pathname;
+  if (statusCode !== undefined && isFinite(statusCode) && Number.isInteger(statusCode)) {
+    if (authVersion === 3) {
+      return [method.toUpperCase(), timestamp, queryPath, statusCode, text].join('|');
+    }
+    return [timestamp, queryPath, statusCode, text].join('|');
+  }
+  if (authVersion === 3) {
+    return [method.toUpperCase(), timestamp, '3.0', queryPath, text].join('|');
+  }
+  return [timestamp, queryPath, text].join('|');
+}
+
+/**
+ * Calculate the HMAC for an HTTP request
+ */
+export function calculateRequestHMAC({
+  url: urlPath,
+  text,
+  timestamp,
+  token,
+  method,
+  authVersion,
+}: CalculateRequestHmacOptions): string {
+  const signatureSubject = calculateHMACSubject({ urlPath, text, timestamp, method, authVersion });
+
+  // calculate the HMAC
+  return calculateHMAC(token, signatureSubject);
+}
+
+/**
+ * Calculate request headers with HMAC
+ */
+export function calculateRequestHeaders({
+  url,
+  text,
+  token,
+  method,
+  authVersion,
+}: CalculateRequestHeadersOptions): RequestHeaders {
+  const timestamp = Date.now();
+  const hmac = calculateRequestHMAC({ url, text, timestamp, token, method, authVersion });
+
+  // calculate the SHA256 hash of the token
+  const hashDigest = sjcl.hash.sha256.hash(token);
+  const tokenHash = sjcl.codec.hex.fromBits(hashDigest);
+  return {
+    hmac,
+    timestamp,
+    tokenHash,
+  };
+}
+
+/**
+ * Verify the HMAC for an HTTP response
+ */
+export function verifyResponse({
+  url: urlPath,
+  statusCode,
+  text,
+  timestamp,
+  token,
+  hmac,
+  method,
+  authVersion,
+}: VerifyResponseOptions): VerifyResponseInfo {
+  const signatureSubject = calculateHMACSubject({
+    urlPath,
+    text,
+    timestamp,
+    statusCode,
+    method,
+    authVersion,
+  });
+
+  // calculate the HMAC
+  const expectedHmac = calculateHMAC(token, signatureSubject);
+
+  // determine if the response is still within the validity window (5 minute window)
+  const now = Date.now();
+  const isInResponseValidityWindow = timestamp >= now - 1000 * 60 * 5 && timestamp <= now;
+
+  // verify the HMAC and timestamp
+  return {
+    isValid: expectedHmac === hmac,
+    expectedHmac,
+    signatureSubject,
+    isInResponseValidityWindow,
+    verificationTime: now,
+  };
+}