feat: experimental 005 operator (#1753)

2022-10-06 11:03:43 -05:00
parent c13dd883a4
commit cbbe913cd6
21 changed files with 284 additions and 46 deletions
--- a/packages/encryption/src/Domain/Algorithm.ts
+++ b/packages/encryption/src/Domain/Algorithm.ts
@@ -44,3 +44,8 @@ export enum V004Algorithm {
  EncryptionKeyLength = 256,
  EncryptionNonceLength = 192,
 }
+
+export enum V005Algorithm {
+  AsymmetricEncryptionNonceLength = 192,
+  SymmetricEncryptionNonceLength = 192,
+}
--- a/packages/encryption/src/Domain/Operator/004/Operator004.ts
+++ b/packages/encryption/src/Domain/Operator/004/Operator004.ts
@@ -254,21 +254,21 @@ export class SNProtocolOperator004 implements SynchronousOperator {
    encrypted: EncryptedParameters,
    key: ItemsKeyInterface | SNRootKey,
  ): DecryptedParameters<C> | ErrorDecryptingParameters {
-    const itemKeyComponents = this.deconstructEncryptedPayloadString(encrypted.enc_item_key)
-    const authenticatedData = this.stringToAuthenticatedData(itemKeyComponents.authenticatedData, {
+    const contentKeyComponents = this.deconstructEncryptedPayloadString(encrypted.enc_item_key)
+    const authenticatedData = this.stringToAuthenticatedData(contentKeyComponents.authenticatedData, {
      u: encrypted.uuid,
      v: encrypted.version,
    })

    const useAuthenticatedString = this.authenticatedDataToString(authenticatedData)
-    const itemKey = this.decryptString004(
-      itemKeyComponents.ciphertext,
+    const contentKey = this.decryptString004(
+      contentKeyComponents.ciphertext,
      key.itemsKey,
-      itemKeyComponents.nonce,
+      contentKeyComponents.nonce,
      useAuthenticatedString,
    )

-    if (!itemKey) {
+    if (!contentKey) {
      console.error('Error decrypting itemKey parameters', encrypted)
      return {
        uuid: encrypted.uuid,
@@ -279,10 +279,11 @@ export class SNProtocolOperator004 implements SynchronousOperator {
    const contentComponents = this.deconstructEncryptedPayloadString(encrypted.content)
    const content = this.decryptString004(
      contentComponents.ciphertext,
-      itemKey,
+      contentKey,
      contentComponents.nonce,
      useAuthenticatedString,
    )
+
    if (!content) {
      return {
        uuid: encrypted.uuid,
@@ -305,6 +306,7 @@ export class SNProtocolOperator004 implements SynchronousOperator {
      V004Algorithm.ArgonMemLimit,
      V004Algorithm.ArgonOutputKeyBytes,
    )
+
    const partitions = Utils.splitString(derivedKey, 2)
    const masterKey = partitions[0]
    const serverPassword = partitions[1]
--- a/packages/encryption/src/Domain/Operator/005/Operator005.spec.ts
+++ b/packages/encryption/src/Domain/Operator/005/Operator005.spec.ts
@@ -0,0 +1,75 @@
+import { ProtocolOperator005 } from './Operator005'
+import { PureCryptoInterface } from '@standardnotes/sncrypto-common'
+
+describe('operator 005', () => {
+  let crypto: PureCryptoInterface
+  let operator: ProtocolOperator005
+
+  beforeEach(() => {
+    crypto = {} as jest.Mocked<PureCryptoInterface>
+    crypto.generateRandomKey = jest.fn().mockImplementation(() => {
+      return 'random-string'
+    })
+    crypto.xchacha20Encrypt = jest.fn().mockImplementation((text: string) => {
+      return `<e>${text}<e>`
+    })
+    crypto.xchacha20Decrypt = jest.fn().mockImplementation((text: string) => {
+      return text.split('<e>')[1]
+    })
+    crypto.sodiumCryptoBoxGenerateKeypair = jest.fn().mockImplementation(() => {
+      return { privateKey: 'private-key', publicKey: 'public-key', keyType: 'x25519' }
+    })
+    crypto.sodiumCryptoBoxEasyEncrypt = jest.fn().mockImplementation((text: string) => {
+      return `<e>${text}<e>`
+    })
+    crypto.sodiumCryptoBoxEasyDecrypt = jest.fn().mockImplementation((text: string) => {
+      return text.split('<e>')[1]
+    })
+
+    operator = new ProtocolOperator005(crypto)
+  })
+
+  it('should generateKeyPair', () => {
+    const result = operator.generateKeyPair()
+
+    expect(result).toEqual({ privateKey: 'private-key', publicKey: 'public-key', keyType: 'x25519' })
+  })
+
+  it('should asymmetricEncryptKey', () => {
+    const senderKeypair = operator.generateKeyPair()
+    const recipientKeypair = operator.generateKeyPair()
+
+    const plaintext = 'foo'
+
+    const result = operator.asymmetricEncryptKey(plaintext, senderKeypair.privateKey, recipientKeypair.publicKey)
+
+    expect(result).toEqual(`${'005_KeyAsym'}:random-string:<e>foo<e>`)
+  })
+
+  it('should asymmetricDecryptKey', () => {
+    const senderKeypair = operator.generateKeyPair()
+    const recipientKeypair = operator.generateKeyPair()
+    const plaintext = 'foo'
+    const ciphertext = operator.asymmetricEncryptKey(plaintext, senderKeypair.privateKey, recipientKeypair.publicKey)
+    const decrypted = operator.asymmetricDecryptKey(ciphertext, senderKeypair.publicKey, recipientKeypair.privateKey)
+
+    expect(decrypted).toEqual('foo')
+  })
+
+  it('should symmetricEncryptPrivateKey', () => {
+    const keypair = operator.generateKeyPair()
+    const symmetricKey = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+    const encryptedKey = operator.symmetricEncryptPrivateKey(keypair.privateKey, symmetricKey)
+
+    expect(encryptedKey).toEqual(`${'005_KeySym'}:random-string:<e>${keypair.privateKey}<e>`)
+  })
+
+  it('should symmetricDecryptPrivateKey', () => {
+    const keypair = operator.generateKeyPair()
+    const symmetricKey = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
+    const encryptedKey = operator.symmetricEncryptPrivateKey(keypair.privateKey, symmetricKey)
+    const decryptedKey = operator.symmetricDecryptPrivateKey(encryptedKey, symmetricKey)
+
+    expect(decryptedKey).toEqual(keypair.privateKey)
+  })
+})
--- a/packages/encryption/src/Domain/Operator/005/Operator005.ts
+++ b/packages/encryption/src/Domain/Operator/005/Operator005.ts
@@ -0,0 +1,80 @@
+import { ProtocolVersion } from '@standardnotes/common'
+import { Base64String, HexString, PkcKeyPair, Utf8String } from '@standardnotes/sncrypto-common'
+import { V005Algorithm } from '../../Algorithm'
+import { SNProtocolOperator004 } from '../004/Operator004'
+
+const VersionString = '005'
+const SymmetricCiphertextPrefix = `${VersionString}_KeySym`
+const AsymmetricCiphertextPrefix = `${VersionString}_KeyAsym`
+
+export type AsymmetricallyEncryptedKey = Base64String
+export type SymmetricallyEncryptedPrivateKey = Base64String
+
+/**
+ * @experimental
+ * @unreleased
+ */
+export class ProtocolOperator005 extends SNProtocolOperator004 {
+  public override getEncryptionDisplayName(): string {
+    return 'XChaCha20-Poly1305'
+  }
+
+  override get version(): ProtocolVersion {
+    return VersionString as ProtocolVersion
+  }
+
+  generateKeyPair(): PkcKeyPair {
+    return this.crypto.sodiumCryptoBoxGenerateKeypair()
+  }
+
+  asymmetricEncryptKey(
+    keyToEncrypt: HexString,
+    senderSecretKey: HexString,
+    recipientPublicKey: HexString,
+  ): AsymmetricallyEncryptedKey {
+    const nonce = this.crypto.generateRandomKey(V005Algorithm.AsymmetricEncryptionNonceLength)
+
+    const ciphertext = this.crypto.sodiumCryptoBoxEasyEncrypt(keyToEncrypt, nonce, senderSecretKey, recipientPublicKey)
+
+    return [AsymmetricCiphertextPrefix, nonce, ciphertext].join(':')
+  }
+
+  asymmetricDecryptKey(
+    keyToDecrypt: AsymmetricallyEncryptedKey,
+    senderPublicKey: HexString,
+    recipientSecretKey: HexString,
+  ): Utf8String {
+    const components = keyToDecrypt.split(':')
+
+    const nonce = components[1]
+
+    return this.crypto.sodiumCryptoBoxEasyDecrypt(keyToDecrypt, nonce, senderPublicKey, recipientSecretKey)
+  }
+
+  symmetricEncryptPrivateKey(privateKey: HexString, symmetricKey: HexString): SymmetricallyEncryptedPrivateKey {
+    if (symmetricKey.length !== 64) {
+      throw new Error('Symmetric key length must be 256 bits')
+    }
+
+    const nonce = this.crypto.generateRandomKey(V005Algorithm.SymmetricEncryptionNonceLength)
+
+    const encryptedKey = this.crypto.xchacha20Encrypt(privateKey, nonce, symmetricKey)
+
+    return [SymmetricCiphertextPrefix, nonce, encryptedKey].join(':')
+  }
+
+  symmetricDecryptPrivateKey(
+    encryptedPrivateKey: SymmetricallyEncryptedPrivateKey,
+    symmetricKey: HexString,
+  ): HexString | null {
+    if (symmetricKey.length !== 64) {
+      throw new Error('Symmetric key length must be 256 bits')
+    }
+
+    const components = encryptedPrivateKey.split(':')
+
+    const nonce = components[1]
+
+    return this.crypto.xchacha20Decrypt(encryptedPrivateKey, nonce, symmetricKey)
+  }
+}
--- a/packages/encryption/src/Domain/Service/Encryption/EncryptionProviderInterface.ts
+++ b/packages/encryption/src/Domain/Service/Encryption/EncryptionProviderInterface.ts
@@ -11,7 +11,7 @@ import { SNRootKeyParams } from '../../Keys/RootKey/RootKeyParams'
 import { KeyedDecryptionSplit } from '../../Split/KeyedDecryptionSplit'
 import { KeyedEncryptionSplit } from '../../Split/KeyedEncryptionSplit'

-export interface EncryptionProvider {
+export interface EncryptionProviderInterface {
  encryptSplitSingle(split: KeyedEncryptionSplit): Promise<EncryptedPayloadInterface>

  encryptSplit(split: KeyedEncryptionSplit): Promise<EncryptedPayloadInterface[]>
--- a/packages/encryption/src/Domain/index.ts
+++ b/packages/encryption/src/Domain/index.ts
@@ -14,11 +14,12 @@ export * from './Operator/001/Operator001'
 export * from './Operator/002/Operator002'
 export * from './Operator/003/Operator003'
 export * from './Operator/004/Operator004'
+export * from './Operator/005/Operator005'
 export * from './Operator/Functions'
 export * from './Operator/Operator'
 export * from './Operator/OperatorManager'
 export * from './Operator/OperatorWrapper'
-export * from './Service/Encryption/EncryptionProvider'
+export * from './Service/Encryption/EncryptionProviderInterface'
 export * from './Service/Functions'
 export * from './Service/RootKey/KeyMode'
 export * from './Service/RootKey/RootKeyServiceEvent'