All files / src/services KeyManagementService.ts

97.95% Statements 48/49
75% Branches 3/4
100% Functions 12/12
97.87% Lines 46/47

Press n or j to go to the next uncovered block, b, p or k for the previous block.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 1261x 1x 1x 1x 1x 1x     1x 1x               1x 92x     1x 92x   92x       1x       259x                     48x   47x         92x 92x   92x   92x       42x 42x   42x       48x 48x 47x       44x 44x       3x 3x       42x   42x   42x 42x   1x   1x 1x                                       41x 41x 41x 41x   41x 39x 39x     41x      
import { JwtService, KeysService } from '@affinidi/common'
import { KeyStorageApiService } from '@affinidi/internal-api-clients'
import { profile } from '@affinidi/tools-common'
import retry from 'async-retry'
import { extractSDKVersion } from '../_helpers'
const createHash = require('create-hash')
 
import { KeyParams } from '../dto/shared.dto'
import { withDidData } from '../shared/getDidData'
import SdkErrorFromCode from '../shared/SdkErrorFromCode'
 
type ConstructorOptions = {
  keyStorageUrl: string
  accessApiKey: string
  tenantToken?: string
}
 
const sha256 = (data: unknown) => {
  return createHash('sha256').update(data).digest()
}
 
const hashFromString = (data: string): string => {
  const buffer = sha256(Buffer.from(data))
 
  return buffer.toString('hex')
}
 
@profile()
export default class KeyManagementService {
  private _keyStorageApiService
 
  constructor(options: ConstructorOptions) {
    this._keyStorageApiService = new KeyStorageApiService({
      keyStorageUrl: options.keyStorageUrl,
      accessApiKey: options.accessApiKey,
      sdkVersion: extractSDKVersion(),
      tenantToken: options.tenantToken,
    })
  }
 
  private async _pullEncryptedSeed(accessToken: string) {
    const {
      body: { encryptedSeed },
    } = await this._keyStorageApiService.readMyKey({ accessToken })
 
    return encryptedSeed
  }
 
  private async _pullEncryptionKey(accessToken: string): Promise<string> {
    // TODO: must use key provider, its just a mock at this point
    const { payload } = JwtService.fromJWT(accessToken)
    const userId = payload.sub
 
    const encryptionKey = hashFromString(userId)
 
    return encryptionKey
  }
 
  private async _storeEncryptedSeed(accessToken: string, seedHex: string, encryptionKey: string): Promise<void> {
    const encryptionKeyBuffer = Buffer.from(encryptionKey, 'hex')
    const encryptedSeed = await KeysService.encryptSeed(seedHex, encryptionKeyBuffer)
 
    await this._keyStorageApiService.storeMyKey(accessToken, { encryptedSeed })
  }
 
  public async pullKeyAndSeed(accessToken: string) {
    const encryptionKey = await this._pullEncryptionKey(accessToken)
    const encryptedSeed = await this._pullEncryptedSeed(accessToken)
    return { encryptionKey, encryptedSeed }
  }
 
  public async pullUserData(accessToken: string) {
    const { encryptionKey, encryptedSeed } = await this.pullKeyAndSeed(accessToken)
    return withDidData({ encryptedSeed, password: encryptionKey })
  }
 
  public async pullEncryptionKeyAndStoreEncryptedSeed(accessToken: string, seedHexWithMethod: string) {
    const encryptionKey = await this._pullEncryptionKey(accessToken)
    await this.storeEncryptedSeed(accessToken, seedHexWithMethod, encryptionKey)
  }
 
  private async storeEncryptedSeed(accessToken: string, seedHexWithMethod: string, encryptionKey: string) {
    await retry(
      async (bail) => {
        const errorCodes = ['COR-1', 'WAL-2']
 
        try {
          await this._storeEncryptedSeed(accessToken, seedHexWithMethod, encryptionKey)
        } catch (error) {
          Eif (errorCodes.indexOf(error.code) >= 0) {
            // If it's a known error we can bail out of the retry and that error will be what's thrown
            bail(error)
            return
          } else {
            // Otherwise we wrap the error and throw that,
            // this will trigger a retry until "retries" count is met
            throw new SdkErrorFromCode('COR-18', { accessToken }, error)
          }
        }
      },
      { retries: 3 },
    )
  }
 
  /* To cover scenario when registration failed and private key is not saved:
   *    1. seed is generated before user is confirmed in Cognito
   *    2. encrypt seed with user's password
   *    3. confirm user in Cognito, if registration is successful
   *    4. get user's encryptionKey
   *    5. re-encrypt user's seed with encryptionKey
   */
  public async reencryptSeed(accessToken: string, keyParams: KeyParams, backupUpdatedSeed: boolean) {
    const encryptionKey = await this._pullEncryptionKey(accessToken)
    const { fullSeedHex } = KeysService.decryptSeed(keyParams.encryptedSeed, keyParams.password)
    const encryptionKeyBuffer = KeysService.normalizePassword(encryptionKey)
    const updatedEncryptedSeed = await KeysService.encryptSeed(fullSeedHex, encryptionKeyBuffer)
 
    if (backupUpdatedSeed) {
      const { fullSeedHex } = KeysService.decryptSeed(updatedEncryptedSeed, encryptionKey)
      await this.storeEncryptedSeed(accessToken, fullSeedHex, encryptionKey)
    }
 
    return { encryptionKey, updatedEncryptedSeed }
  }
}