Alternative encryption (#73)

* Change auth manager name

* Alternative encryption algorithm

* Lint

* Fix test import

* Change iv type

* Prvent encode/decode from hex

* Bump to beta 10

Author: ilanolkies

modules/ipfs-cpinner-client/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@rsksmart/ipfs-cpinner-client",
-  "version": "0.1.1-beta.9",
+  "version": "0.1.1-beta.10",
   "description": "RIF Data Vault - IPFS centralized pinner client",
   "main": "dist/bundle.js",
   "types": "lib/index.d.ts",
@@ -47,6 +47,7 @@
   "dependencies": {
     "axios": "^0.21.1",
     "buffer": "^6.0.3",
+    "crypto-js": "^4.0.0",
     "did-jwt": "^4.6.2",
     "eth-sig-util": "^3.0.0"
   }

modules/ipfs-cpinner-client/package.json

@@ -0,0 +1,53 @@
+import HmacSHA256 from 'crypto-js/hmac-sha256'
+import HmacSHA512 from 'crypto-js/hmac-sha512'
+import AES from 'crypto-js/aes'
+import encUtf8 from 'crypto-js/enc-utf8'
+import encHex from 'crypto-js/enc-hex'
+import ModeCTR from 'crypto-js/mode-ctr'
+import WordArray from 'crypto-js/lib-typedarrays'
+import { Web3Provider } from '../web3provider/types'
+
+export const generateKeyViaRPC = (provider: Web3Provider, account: string) => provider.request({
+  method: 'personal_sign', params: [account, 'The website wants permission to access and manage your data vault']
+}).then(sig => provider.request({
+  // make sure the wallet signing is deterministic
+  method: 'personal_sign', params: [account, 'The website wants permission to access and manage your data vault']
+}).then(sig2 => {
+  if (sig2 !== sig) throw new Error('Sorry, your wallet does not support encryption. You cannot access your Data Vault')
+  // Check the size of r and s - // 0x r(32) s(32) v(1)
+  if (sig.length !== 132) throw new Error('Sorry, your wallet does not support encryption. You cannot access your Data Vault')
+  const r = sig.slice(2, 66)
+  const s = sig.slice(66, 130)
+
+  return HmacSHA512(r, s).toString()
+})
+).then(hmac => ({
+  // split the resulting string in half, and use one half as
+  // the encryption key and the other half as hmac secret
+  key: hmac.substring(0, 64),
+  macKey: hmac.substring(64, 128)
+}))
+
+export const encrypt = (key, message, macKey) => {
+  const iv = WordArray.random(16)
+
+  const c = AES.encrypt(message, key, { iv: iv, mode: ModeCTR }).toString()
+  // do a MAC preventing padding oracle attacks
+  const m = HmacSHA256(iv + c, macKey).toString()
+
+  return iv + c + m
+}
+
+export const decrypt = (key, cipher, macKey) => {
+  const iv = encHex.parse(cipher.substring(0, 32))
+  const c = cipher.substring(32, cipher.length - 64)
+  const m = cipher.substring(cipher.length - 64)
+
+  const calculatedM = HmacSHA256(iv + c, macKey).toString()
+
+  if (calculatedM !== m) {
+    throw new Error('Decryption failed. Corrupted message.')
+  }
+
+  return AES.decrypt(c, key, { iv: iv, mode: ModeCTR }).toString(encUtf8)
+}

modules/ipfs-cpinner-client/src/encryption-manager/aes.ts

@@ -1,8 +1,8 @@
 import { encrypt as ethEncrypt } from 'eth-sig-util'
 import { Web3Provider } from '../web3provider/types'
-import { DecryptFn, EncryptionManagerConfig, GetEncryptionPublicKeyFn } from './types'
+import { DecryptFn, EncryptionManagerConfig, GetEncryptionPublicKeyFn, IEncryptionManager } from './types'
 
-class EncryptionManager {
+class EncryptionManager implements IEncryptionManager {
   getEncryptionPublicKey: GetEncryptionPublicKeyFn
   private decryptInWallet: DecryptFn
   constructor ({ getEncryptionPublicKey, decrypt }: EncryptionManagerConfig) {

…r-client/src/encryption-manager/index.ts …ent/src/encryption-manager/asymmetric.tsmodules/ipfs-cpinner-client/src/encryption-manager/index.ts renamed to modules/ipfs-cpinner-client/src/encryption-manager/asymmetric.ts modules/ipfs-cpinner-client/src/encryption-manager/index.ts renamed to modules/ipfs-cpinner-client/src/encryption-manager/asymmetric.ts

@@ -5,3 +5,8 @@ export type EncryptionManagerConfig = {
   decrypt?: DecryptFn
   getEncryptionPublicKey?: GetEncryptionPublicKeyFn
 }
+
+export interface IEncryptionManager {
+  encrypt(data: string): Promise<string>
+  decrypt(data: string): Promise<string>
+}

modules/ipfs-cpinner-client/src/encryption-manager/types.ts

@@ -0,0 +1,24 @@
+import { IEncryptionManager } from './types'
+import { encrypt, decrypt, generateKeyViaRPC } from './aes'
+import { Web3Provider } from '../web3provider/types'
+
+class EncryptionManager implements IEncryptionManager {
+  private key: string
+  private macKey: string
+
+  constructor (key: string, macKey: string) {
+    this.key = key
+    this.macKey = macKey
+  }
+
+  encrypt = (data: string) => Promise.resolve(encrypt(this.key, data, this.macKey))
+  decrypt = (cipher: string) => Promise.resolve(decrypt(this.key, cipher, this.macKey))
+
+  static fromWeb3Provider = (provider: Web3Provider) =>
+    provider.request({
+      method: 'eth_accounts'
+    }).then(accounts => generateKeyViaRPC(provider, accounts[0]))
+      .then(({ key, macKey }) => new EncryptionManager(key, macKey))
+}
+
+export default EncryptionManager

modules/ipfs-cpinner-client/src/encryption-manager/with-signer.ts

@@ -1,6 +1,6 @@
 import axios from 'axios'
 import AuthManager from './auth-manager'
-import EncryptionManager from './encryption-manager'
+import EncryptionManager from './encryption-manager/asymmetric'
 import { AUTHENTICATION_ERROR, MAX_STORAGE_REACHED, SERVICE_MAX_STORAGE_REACHED, UNKNOWN_ERROR } from './constants'
 import {
   CreateContentPayload, CreateContentResponse,

modules/ipfs-cpinner-client/src/index.ts

@@ -1,5 +1,5 @@
 import AuthManager from './auth-manager'
-import EncryptionManager from './encryption-manager'
+import EncryptionManager from './encryption-manager/asymmetric'
 export type GetContentPayload = { key: string }
 export type GetContentResponsePayload = { id: string, content: string }
 export type CreateContentPayload = { key: string, content: string }

modules/ipfs-cpinner-client/src/types.ts

@@ -6,7 +6,7 @@ import MockDate from 'mockdate'
 import localStorageMockFactory from './localStorageMockFactory'
 import { deleteDatabase, resetDatabase, startService, testTimestamp, setupDataVaultClient, testMaxStorage, getEncryptionPublicKeyTestFn, decryptTestFn } from './util'
 import { MAX_STORAGE_REACHED } from '../src/constants'
-import EncryptionManager from '../src/encryption-manager'
+import EncryptionManager from '../src/encryption-manager/asymmetric'
 
 jest.setTimeout(12000)
 

modules/ipfs-cpinner-client/test/create-content.test.ts

@@ -4,7 +4,7 @@ import { Server } from 'http'
 import { customStorageFactory, decryptTestFn, deleteDatabase, getEncryptionPublicKeyTestFn, identityFactory, resetDatabase, startService, testTimestamp } from './util'
 import MockDate from 'mockdate'
 import AuthManager from '../src/auth-manager'
-import EncryptionManager from '../src/encryption-manager'
+import EncryptionManager from '../src/encryption-manager/asymmetric'
 
 jest.setTimeout(12000)