fix(nano): ecdsa policy binding support for encrypt (#346)

Author: sujankota

lib/src/index.ts

@@ -13,6 +13,16 @@ import { TypedArray, createAttribute, Policy } from './tdf/index.js';
 import { fetchECKasPubKey } from './access.js';
 import { ClientConfig } from './nanotdf/Client.js';
 
+// Define the EncryptOptions type
+export type EncryptOptions = {
+  ecdsaBinding: boolean;
+};
+
+// Define default options
+const defaultOptions: EncryptOptions = {
+  ecdsaBinding: false,
+};
+
 /**
  * NanoTDF SDK Client
  *
@@ -104,13 +114,17 @@ export class NanoTDFClient extends Client {
   }
 
   /**
-   * Encrypt data
+   * Encrypts the given data using the NanoTDF encryption scheme.
    *
-   * Pass a string, TypedArray, or ArrayBuffer data and get a promise which resolves ciphertext
-   *
-   * @param data to decrypt
+   * @param {string | TypedArray | ArrayBuffer} data - The data to be encrypted.
+   * @param {EncryptOptions} [options=defaultOptions] - The encryption options (currently unused).
+   * @returns {Promise<ArrayBuffer>} A promise that resolves to the encrypted data as an ArrayBuffer.
+   * @throws {Error} If the initialization vector is not a number.
    */
-  async encrypt(data: string | TypedArray | ArrayBuffer): Promise<ArrayBuffer> {
+  async encrypt(
+    data: string | TypedArray | ArrayBuffer,
+    options?: EncryptOptions
+  ): Promise<ArrayBuffer> {
     // For encrypt always generate the client ephemeralKeyPair
     const ephemeralKeyPair = await this.ephemeralKeyPair;
     const initializationVector = this.iv;
@@ -155,7 +169,15 @@ export class NanoTDFClient extends Client {
     payloadIV[10] = lengthAsUint24[1];
     payloadIV[11] = lengthAsUint24[0];
 
-    return encrypt(policyObjectAsStr, this.kasPubKey, ephemeralKeyPair, payloadIV, data);
+    const mergedOptions: EncryptOptions = { ...defaultOptions, ...options };
+    return encrypt(
+      policyObjectAsStr,
+      this.kasPubKey,
+      ephemeralKeyPair,
+      payloadIV,
+      data,
+      mergedOptions.ecdsaBinding
+    );
   }
 }
 

lib/src/nanotdf-crypto/ecdsaSignature.ts

@@ -0,0 +1,108 @@
+import { AlgorithmName } from './../nanotdf-crypto/enums.js';
+
+/**
+ * Computes an ECDSA signature for the given data using the provided private key.
+ *
+ * This function uses the Web Crypto API to generate a digital signature
+ * for the input data using the ECDSA algorithm with SHA-256 as the hash function.
+ *
+ * @param {CryptoKey} privateKey - The ECDSA private key used for signing.
+ * @param {Uint8Array} data - The data to be signed.
+ * @returns {Promise<ArrayBuffer>} - A promise that resolves to the generated signature.
+ */
+export async function computeECDSASig(
+  privateKey: CryptoKey,
+  data: Uint8Array
+): Promise<ArrayBuffer> {
+  const signature = await crypto.subtle.sign(
+    {
+      name: AlgorithmName.ECDSA,
+      hash: { name: 'SHA-256' },
+    },
+    privateKey,
+    data
+  );
+  return signature;
+}
+
+/**
+ * Verifies an ECDSA signature using the provided public key and data.
+ *
+ * This function uses the Web Crypto API to verify the digital signature
+ * for the input data using the ECDSA algorithm with SHA-256 as the hash function.
+ *
+ * @param {CryptoKey} publicKey - The ECDSA public key used for verification.
+ * @param {Uint8Array} signature - The signature to be verified.
+ * @param {Uint8Array} data - The data that was signed.
+ * @returns {Promise<boolean>} - A promise that resolves to a boolean indicating whether the signature is valid.
+ */
+export async function verifyECDSASignature(
+  publicKey: CryptoKey,
+  signature: Uint8Array,
+  data: Uint8Array
+): Promise<boolean> {
+  const isValid = await crypto.subtle.verify(
+    {
+      name: AlgorithmName.ECDSA,
+      hash: { name: 'SHA-256' },
+    },
+    publicKey,
+    signature,
+    data
+  );
+  return isValid;
+}
+
+/**
+ * Extracts the r and s values from a given ECDSA signature.
+ *
+ * @param {Uint8Array} signatureBytes - The raw ECDSA signature bytes.
+ * @returns {{ r: Uint8Array; s: Uint8Array }} An object containing the r and s values as Uint8Arrays.
+ * @throws {Error} If the validation of the signature fails.
+ */
+export function extractRSValuesFromSignature(signatureBytes: Uint8Array): {
+  r: Uint8Array;
+  s: Uint8Array;
+} {
+  // Split the raw signature into r and s values
+  const halfLength = Math.floor(signatureBytes.length / 2);
+  const rValue = signatureBytes.slice(0, halfLength);
+  const sValue = signatureBytes.slice(halfLength);
+
+  // Correct validation
+  if (!concatAndCompareUint8Arrays(rValue, sValue, signatureBytes)) {
+    throw new Error('Invalid ECDSA signature');
+  }
+
+  return {
+    r: rValue,
+    s: sValue,
+  };
+}
+
+function concatAndCompareUint8Arrays(
+  arr1: Uint8Array,
+  arr2: Uint8Array,
+  arr3: Uint8Array
+): boolean {
+  // Create a new Uint8Array with the combined length of arr1 and arr2
+  const concatenated = new Uint8Array(arr1.length + arr2.length);
+
+  // Copy arr1 and arr2 into the new array
+  concatenated.set(arr1, 0);
+  concatenated.set(arr2, arr1.length);
+
+  // Check if the lengths are the same
+  if (concatenated.length !== arr3.length) {
+    return false;
+  }
+
+  // Compare each element
+  for (let i = 0; i < concatenated.length; i++) {
+    if (concatenated[i] !== arr3[i]) {
+      return false;
+    }
+  }
+
+  return true;
+}

lib/src/nanotdf/encrypt.ts

@@ -6,8 +6,9 @@ import EmbeddedPolicy from './models/Policy/EmbeddedPolicy.js';
 import Payload from './models/Payload.js';
 import getHkdfSalt from './helpers/getHkdfSalt.js';
 import { getBitLength as authTagLengthForCipher } from './models/Ciphers.js';
-import { lengthOfBinding } from './helpers/calculateByCipher.js';
 import { TypedArray } from '../tdf/index.js';
+import { GMAC_BINDING_LEN } from './constants.js';
+import { AlgorithmName, KeyFormat, KeyUsageType } from './../nanotdf-crypto/enums.js';
 
 import {
   encrypt as cryptoEncrypt,
@@ -16,6 +17,7 @@ import {
   exportCryptoKey,
 } from '../nanotdf-crypto/index.js';
 import { KasPublicKeyInfo } from '../access.js';
+import { computeECDSASig, extractRSValuesFromSignature } from '../nanotdf-crypto/ecdsaSignature.js';
 
 /**
  * Encrypt the plain data into nanotdf buffer
@@ -25,13 +27,15 @@ import { KasPublicKeyInfo } from '../access.js';
  * @param ephemeralKeyPair SDK ephemeral key pair to generate symmetric key
  * @param iv
  * @param data The data to be encrypted
+ * @param ecdsaBinding Flag to enable ECDSA binding
  */
 export default async function encrypt(
   policy: string,
   kasInfo: KasPublicKeyInfo,
   ephemeralKeyPair: CryptoKeyPair,
   iv: Uint8Array,
-  data: string | TypedArray | ArrayBuffer
+  data: string | TypedArray | ArrayBuffer,
+  ecdsaBinding: boolean = DefaultParams.ecdsaBinding
 ): Promise<ArrayBuffer> {
   // Generate a symmetric key.
   if (!ephemeralKeyPair.privateKey) {
@@ -60,33 +64,34 @@ export default async function encrypt(
     authTagLengthInBytes * 8
   );
 
-  // Enable - once ecdsaBinding is true
-  // if (!DefaultParams.ecdsaBinding) {
-  //   throw new Error("ECDSA binding should enable by default.");
-  // }
-
-  // // Calculate the policy binding.
-  // const policyBinding = await calculateSignature(this.ephemeralKeyPair.privateKey, new Uint8Array(encryptedPolicy));
-  // console.log("Length of the policyBinding " + policyBinding.byteLength);
-
-  // // Create embedded policy
-  // const embeddedPolicy = new EmbeddedPolicy(DefaultParams.policyType,
-  //   new Uint8Array(policyBinding),
-  //   new Uint8Array(encryptedPolicy)
-  // );
+  let policyBinding: Uint8Array;
 
   // Calculate the policy binding.
-  const lengthOfPolicyBinding = lengthOfBinding(
-    DefaultParams.ecdsaBinding,
-    DefaultParams.ephemeralCurveName
-  );
-
-  const policyBinding = await digest('SHA-256', new Uint8Array(encryptedPolicy));
+  if (ecdsaBinding) {
+    const curveName = await getCurveNameFromPrivateKey(ephemeralKeyPair.privateKey);
+    const ecdsaPrivateKey = await convertECDHToECDSA(ephemeralKeyPair.privateKey, curveName);
+    const ecdsaSignature = await computeECDSASig(ecdsaPrivateKey, new Uint8Array(encryptedPolicy));
+    const { r, s } = extractRSValuesFromSignature(new Uint8Array(ecdsaSignature));
+
+    const rLength = r.length;
+    const sLength = s.length;
+
+    policyBinding = new Uint8Array(1 + rLength + 1 + sLength);
+
+    // Set the lengths and values of r and s in policyBinding
+    policyBinding[0] = rLength;
+    policyBinding.set(r, 1);
+    policyBinding[1 + rLength] = sLength;
+    policyBinding.set(s, 1 + rLength + 1);
+  } else {
+    const signature = await digest('SHA-256', new Uint8Array(encryptedPolicy));
+    policyBinding = new Uint8Array(signature.slice(-GMAC_BINDING_LEN));
+  }
 
   // Create embedded policy
   const embeddedPolicy = new EmbeddedPolicy(
     DefaultParams.policyType,
-    new Uint8Array(policyBinding.slice(-lengthOfPolicyBinding)),
+    policyBinding,
     new Uint8Array(encryptedPolicy)
   );
 
@@ -99,7 +104,7 @@ export default async function encrypt(
   const header = new Header(
     DefaultParams.magicNumberVersion,
     kasResourceLocator,
-    DefaultParams.ecdsaBinding,
+    ecdsaBinding,
     DefaultParams.signatureCurveName,
     DefaultParams.signature,
     DefaultParams.signatureCurveName,
@@ -134,3 +139,58 @@ export default async function encrypt(
   const nanoTDF = new NanoTDF(header, payload);
   return nanoTDF.toBuffer();
 }
+
+/**
+ * Retrieves the curve name from a given ECDH private key.
+ *
+ * This function exports the provided ECDH private key in JWK format and extracts
+ * the curve name from the 'crv' property of the JWK.
+ *
+ * @param {CryptoKey} privateKey - The ECDH private key from which to retrieve the curve name.
+ * @returns {Promise<string>} - A promise that resolves to the curve name.
+ *
+ * @throws {Error} - Throws an error if the curve name is undefined.
+ *
+ */
+async function getCurveNameFromPrivateKey(privateKey: CryptoKey): Promise<string> {
+  // Export the private key
+  const keyData = await crypto.subtle.exportKey('jwk', privateKey);
+
+  // The curve name is stored in the 'crv' property of the JWK
+  if (!keyData.crv) {
+    throw new Error('Curve name is undefined');
+  }
+
+  return keyData.crv;
+}
+
+/**
+ * Converts an ECDH private key to an ECDSA private key.
+ *
+ * This function exports the given ECDH private key in PKCS#8 format and then
+ * imports it as an ECDSA private key using the specified curve name.
+ *
+ * @param {CryptoKey} key - The ECDH private key to be converted.
+ * @param {string} curveName - The name of the elliptic curve to be used for the ECDSA key.
+ * @returns {Promise<CryptoKey>} - A promise that resolves to the converted ECDSA private key.
+ *
+ * @throws {Error} - Throws an error if the key export or import fails.
+ */
+async function convertECDHToECDSA(key: CryptoKey, curveName: string): Promise<CryptoKey> {
+  // Export the ECDH private key
+  const ecdhPrivateKey = await crypto.subtle.exportKey('pkcs8', key);
+
+  // Import the ECDH private key as an ECDSA private key
+  const ecdsaPrivateKey = await crypto.subtle.importKey(
+    KeyFormat.Pkcs8,
+    ecdhPrivateKey,
+    {
+      name: AlgorithmName.ECDSA,
+      namedCurve: curveName,
+    },
+    true,
+    [KeyUsageType.Sign]
+  );
+
+  return ecdsaPrivateKey;
+}

lib/src/nanotdf/models/DefaultParams.ts

@@ -10,7 +10,6 @@ const enc = new TextEncoder();
  * @link https://github.com/virtru/tdf3-cpp/blob/develop/tdf3-src/lib/src/nanotdf_builder_impl.h
  */
 const DefaultParams = {
-  // Enabling ECDSA is not currently supported. Conflict with reusing key for `verify/sign` and `encrypt/decrypt`
   ecdsaBinding: false,
   ephemeralCurveName: CurveNameEnum.SECP256R1,
   magicNumberVersion: enc.encode('L1L'),