Feature/crypto layer

.gitignore

@@ -8,3 +8,4 @@ dist
 dist-test
 lib-web
 lib-esm
+test_cal_db

package.json

@@ -34,19 +34,23 @@
         "test": "npm run test:node && npm run test:web",
         "test:local": "npm run test",
         "test:ci": "npm run test",
-        "test:node": "mocha -r ts-node/register -r tsconfig-paths/register -r test/fixtures.ts ./test/index.ts --project ./test/tsconfig.json --exit",
+        "test:node": "mocha -r ts-node/register -r tsconfig-paths/register -r test/fixtures.ts ./test/index.ts --project ./test/tsconfig.json --exit --delay --fail-zero",
         "test:local:node": "npm run test:node",
         "test:web": "browsertest-runner",
         "test:web:debug": "browsertest-runner --debug"
     },
     "dependencies": {
+        "@nmshd/rs-crypto-types": "^0.2.1",
+        "@types/lodash": "^4.17.15",
         "libsodium-wrappers-sumo": "0.7.15",
+        "lodash": "^4.17.21",
         "uuid": "10.0.0"
     },
     "devDependencies": {
         "@js-soft/eslint-config-ts": "^1.6.13",
         "@js-soft/license-check": "1.0.9",
         "@js-soft/ts-serval": "2.0.10",
+        "@nmshd/rs-crypto-node": "^0.2.0",
         "@types/chai": "^5.0.0",
         "@types/libsodium-wrappers-sumo": "^0.7.8",
         "@types/mocha": "^10.0.9",

src/CryptoErrorCode.ts

@@ -46,5 +46,11 @@ export enum CryptoErrorCode {
     StateWrongNonce = "error.crypto.state.wrongNonce",
     StateWrongCounter = "error.crypto.state.wrongCounter",
     StateWrongOrder = "error.crypto.state.orderDoesNotMatch",
-    StateWrongType = "error.crypto.state.wrongType"
+    StateWrongType = "error.crypto.state.wrongType",
+
+    CalNonExtractable = "error.crypto.cal.nonExtractable",
+    CalUnsupportedAlgorithm = "error.crypto.cal.unsupportedAlgorithm",
+    CalWrongProvider = "error.crypto.cal.wrongProvider",
+    CalUninitializedKey = "error.crypto.cal.uninitializedKey",
+    CalFailedLoadingProvider = "error.crypto.cal.failedLoadingProvider"
 }

src/CryptoSerializable.ts

@@ -1,4 +1,4 @@
-import { ISerializable, Serializable } from "@js-soft/ts-serval";
+import { ISerializable, ISerializableAsync, Serializable, SerializableAsync } from "@js-soft/ts-serval";
 import { CoreBuffer } from "./CoreBuffer";
 
 export abstract class CryptoSerializable extends Serializable implements ISerializable {
@@ -10,3 +10,13 @@ export abstract class CryptoSerializable extends Serializable implements ISerial
         return CoreBuffer.utf8_base64(this.serialize(verbose));
     }
 }
+
+export abstract class CryptoSerializableAsync extends SerializableAsync implements ISerializableAsync {
+    public override serialize(verbose = true): string {
+        return JSON.stringify(this.toJSON(verbose));
+    }
+
+    public toBase64(verbose = true): string {
+        return CoreBuffer.utf8_base64(this.serialize(verbose));
+    }
+}

src/crypto-layer/CryptoAsymmetricKeyHandle.ts

@@ -0,0 +1,80 @@
+import { SerializableAsync, serialize, type, validate } from "@js-soft/ts-serval";
+import { KeyPairHandle, KeyPairSpec, Provider } from "@nmshd/rs-crypto-types";
+import { CoreBuffer } from "src/CoreBuffer";
+import { CryptoError } from "../CryptoError";
+import { CryptoErrorCode } from "../CryptoErrorCode";
+import { CryptoSerializableAsync } from "../CryptoSerializable";
+import { getProvider } from "./CryptoLayerProviders";
+
+/**
+ * Loose check if `value` can be initialized as if it was a `CryptoAsymmetricKeyHandle`.
+ */
+function isCryptoAsymmetricKeyHandle(value: any): value is CryptoAsymmetricKeyHandle {
+    return typeof value["providerName"] === "string" && typeof value["id"] === "string";
+}
+
+@type("CryptoAsymmetricKeyHandle")
+export class CryptoAsymmetricKeyHandle extends CryptoSerializableAsync {
+    @validate()
+    @serialize()
+    public spec: KeyPairSpec;
+
+    @validate()
+    @serialize()
+    public id: string;
+
+    @validate()
+    @serialize()
+    public providerName: string;
+
+    public provider: Provider;
+
+    public keyPairHandle: KeyPairHandle;
+
+    public static async newFromProviderAndKeyPairHandle<T extends CryptoAsymmetricKeyHandle>(
+        this: new () => T,
+        provider: Provider,
+        keyPairHandle: KeyPairHandle,
+        other?: {
+            providerName?: string;
+            keyId?: string;
+            keySpec?: KeyPairSpec;
+        }
+    ): Promise<T> {
+        const result = new this();
+
+        result.providerName = other?.providerName ?? (await provider.providerName());
+        result.id = other?.keyId ?? (await keyPairHandle.id());
+        result.spec = other?.keySpec ?? (await keyPairHandle.spec());
+
+        result.provider = provider;
+        result.keyPairHandle = keyPairHandle;
+        return result;
+    }
+
+    public static async from(value: any): Promise<CryptoAsymmetricKeyHandle> {
+        return await this.fromAny(value);
+    }
+
+    public static async fromBase64(value: string): Promise<CryptoAsymmetricKeyHandle> {
+        return await this.deserialize(CoreBuffer.base64_utf8(value));
+    }
+
+    public static override async postFrom<T extends SerializableAsync>(value: T): Promise<T> {
+        if (!isCryptoAsymmetricKeyHandle(value)) {
+            throw new CryptoError(CryptoErrorCode.WrongParameters, `Expected 'CryptoAsymmetricKeyHandle'.`);
+        }
+        const provider = getProvider({ providerName: value.providerName });
+        if (!provider) {
+            throw new CryptoError(
+                CryptoErrorCode.CalFailedLoadingProvider,
+                `Failed loading provider ${value.providerName}`
+            );
+        }
+        const keyHandle = await provider.loadKeyPair(value.id);
+
+        value.keyPairHandle = keyHandle;
+        value.provider = provider;
+        return value;
+    }
+}

src/crypto-layer/CryptoExportedPublicKey.ts

@@ -0,0 +1,33 @@
+import { serialize, type, validate } from "@js-soft/ts-serval";
+import { KeyPairHandle, KeyPairSpec, Provider } from "@nmshd/rs-crypto-types";
+import { CoreBuffer } from "src/CoreBuffer";
+import { CryptoSerializable } from "src/CryptoSerializable";
+import { getProviderOrThrow, ProviderIdentifier } from "./CryptoLayerProviders";
+import { CryptoPublicKeyHandle } from "./CryptoPublicKeyHandle";
+
+@type("CryptoExportedPublicKey")
+export class CryptoExportedPublicKey extends CryptoSerializable {
+    @validate()
+    @serialize()
+    public rawPublicKey: CoreBuffer;
+
+    @validate()
+    @serialize()
+    public spec: KeyPairSpec;
+
+    public async into<T extends CryptoPublicKeyHandle>(
+        constructor: { newFromProviderAndKeyPairHandle(provider: Provider, keyPairHandle: KeyPairHandle): Promise<T> },
+        providerIdent: ProviderIdentifier
+    ): Promise<T> {
+        const provider = getProviderOrThrow(providerIdent);
+        const keyPairHandle = await provider.importPublicKey(this.spec, this.rawPublicKey.buffer);
+        return await constructor.newFromProviderAndKeyPairHandle(provider, keyPairHandle);
+    }
+
+    public static async from(publicKeyHandle: CryptoPublicKeyHandle): Promise<CryptoExportedPublicKey> {
+        const exportedPublicKey = new CryptoExportedPublicKey();
+        exportedPublicKey.spec = publicKeyHandle.spec;
+        exportedPublicKey.rawPublicKey = new CoreBuffer(await publicKeyHandle.keyPairHandle.getPublicKey());
+        return exportedPublicKey;
+    }
+}

src/crypto-layer/CryptoLayerConfig.ts

@@ -0,0 +1,34 @@
+/* eslint-disable @typescript-eslint/naming-convention */
+import { AdditionalConfig, ProviderConfig, ProviderFactoryFunctions, SecurityLevel } from "@nmshd/rs-crypto-types";
+
+/**
+ * Interface holding functions for listing and creating providers and configuration for initializing the key meta data store.
+ *
+ * @property factoryFunctions - Functions that list providers or create providers.
+ * @property keyMetadataStoreConfig - Configuration needed for saving key metadata.
+ * @property keyMetadataStoreAuth - ~~Optional~~ configuration for authenticating key metadata.
+ * @property providersToBeInitialized - Array of providers to initalize.
+ */
+export interface CryptoLayerConfig {
+    factoryFunctions: ProviderFactoryFunctions;
+    keyMetadataStoreConfig: Extract<AdditionalConfig, { KVStoreConfig: any } | { FileStoreConfig: any }>;
+    keyMetadataStoreAuth?: Extract<
+        AdditionalConfig,
+        { StorageConfigHMAC: any } | { StorageConfigDSA: any } | { StorageConfigPass: any }
+    >;
+    providersToBeInitialized: CryptoLayerProviderFilter[];
+}
+
+/**
+ * Reference to a specific provider, if a name is supplied, or any provider that fullfills the other requirements.
+ */
+export type CryptoLayerProviderFilter =
+    | {
+          providerName: string;
+      }
+    | {
+          securityLevel: SecurityLevel;
+      }
+    | {
+          providerConfig: ProviderConfig;
+      };

src/crypto-layer/CryptoLayerProviders.ts

@@ -0,0 +1,153 @@
+/* eslint-disable @typescript-eslint/naming-convention */
+import {
+    Provider,
+    ProviderConfig,
+    ProviderFactoryFunctions,
+    ProviderImplConfig,
+    SecurityLevel
+} from "@nmshd/rs-crypto-types";
+
+import { defaults } from "lodash";
+import { CryptoError } from "../CryptoError";
+import { CryptoErrorCode } from "../CryptoErrorCode";
+import { CryptoLayerConfig, CryptoLayerProviderFilter } from "./CryptoLayerConfig";
+
+let PROVIDERS_BY_SECURITY: Map<SecurityLevel, Provider[]> | undefined = undefined;
+let PROVIDERS_BY_NAME: Map<string, Provider> | undefined = undefined;
+
+const DEFAULT_PROVIDER_CONFIG: ProviderConfig = {
+    max_security_level: "Hardware",
+    min_security_level: "Software",
+    supported_asym_spec: ["P256", "Curve25519"],
+    supported_ciphers: ["AesCbc256", "AesGcm256"],
+    supported_hashes: ["Sha2_256", "Sha2_512"]
+};
+
+async function providerBySecurityMapFromProviderByNameMap(
+    providersByName: Map<string, Provider>
+): Promise<Map<SecurityLevel, Provider[]>> {
+    const providersBySecurity = new Map<SecurityLevel, Provider[]>();
+    for (const [providerName, provider] of providersByName) {
+        const caps = await provider.getCapabilities();
+        if (!caps) {
+            throw new CryptoError(
+                CryptoErrorCode.CalFailedLoadingProvider,
+                `Failed fetching capabilities or security levels of provider ${providerName}`
+            );
+        }
+        if (caps.max_security_level !== caps.min_security_level) {
+            throw new CryptoError(
+                CryptoErrorCode.CalFailedLoadingProvider,
+                `Minimum and maximum security levels of provider ${providerName} must be the same.`
+            );
+        }
+        const securityLevel = caps.min_security_level;
+
+        if (!providersBySecurity.has(securityLevel)) {
+            providersBySecurity.set(securityLevel, []);
+        }
+
+        providersBySecurity.get(securityLevel)!.push(provider);
+    }
+    return providersBySecurity;
+}
+
+/**
+ * Creates a provider if possible with the given provider filter. This means, that the provider created must adhere to the filter.
+ *
+ * If a `SecurityLevel` is given, the default provider config (`DEFAULT_PROVIDER_CONFIG`) will be used to fill in the rest for the selection.
+ */
+async function createProviderFromProviderFilter(
+    providerToBeInitialized: CryptoLayerProviderFilter,
+    factoryFunctions: ProviderFactoryFunctions,
+    providerImplConfig: ProviderImplConfig
+): Promise<Provider | undefined> {
+    if ("providerName" in providerToBeInitialized) {
+        return await factoryFunctions.createProviderFromName(providerToBeInitialized.providerName, providerImplConfig);
+    }
+    if ("securityLevel" in providerToBeInitialized) {
+        const providerConfig: ProviderConfig = defaults(
+            {
+                max_security_level: providerToBeInitialized.securityLevel,
+                min_security_level: providerToBeInitialized.securityLevel
+            },
+            DEFAULT_PROVIDER_CONFIG
+        );
+        return await factoryFunctions.createProvider(providerConfig, providerImplConfig);
+    }
+    if ("providerConfig" in providerToBeInitialized) {
+        return await factoryFunctions.createProvider(providerToBeInitialized.providerConfig, providerImplConfig);
+    }
+
+    throw new CryptoError(CryptoErrorCode.WrongParameters);
+}
+
+/**
+ * Intializes global providers with the given configuration.
+ *
+ * This enables the crypto layer functionality.
+ *
+ * @param config Configuration to initialize providers. At least one software provider should be initialized.
+ */
+export async function initCryptoLayerProviders(config: CryptoLayerConfig): Promise<void> {
+    if (PROVIDERS_BY_NAME || PROVIDERS_BY_SECURITY) {
+        return;
+    }
+
+    const providerImplConfig: ProviderImplConfig = { additional_config: [config.keyMetadataStoreConfig] };
+    if (config.keyMetadataStoreAuth) {
+        providerImplConfig.additional_config.push(config.keyMetadataStoreAuth);
+    }
+
+    const providers: Map<string, Provider> = new Map();
+
+    for (const providerFilter of config.providersToBeInitialized) {
+        const provider = await createProviderFromProviderFilter(
+            providerFilter,
+            config.factoryFunctions,
+            providerImplConfig
+        );
+
+        if (!provider) {
+            throw new CryptoError(CryptoErrorCode.CalFailedLoadingProvider, `Failed loading provider.`);
+        }
+
+        providers.set(await provider.providerName(), provider);
+    }
+
+    PROVIDERS_BY_NAME = providers;
+    PROVIDERS_BY_SECURITY = await providerBySecurityMapFromProviderByNameMap(PROVIDERS_BY_NAME);
+}
+
+export type ProviderIdentifier = Exclude<CryptoLayerProviderFilter, { providerConfig: any }>;
+
+/**
+ * Returns an initialized provider with the given name or security level if possible.
+ *
+ * Returns `undefined` if providers are not initialized or provider asked for was not initialized by `initCryptoLayerProviders`.
+ */
+export function getProvider(identifier: ProviderIdentifier): Provider | undefined {
+    if (!PROVIDERS_BY_NAME || !PROVIDERS_BY_SECURITY) {
+        return undefined;
+    }
+
+    if ("providerName" in identifier) {
+        return PROVIDERS_BY_NAME.get(identifier.providerName);
+    }
+    if ("securityLevel" in identifier) {
+        return PROVIDERS_BY_SECURITY.get(identifier.securityLevel)?.[0];
+    }
+
+    throw new CryptoError(CryptoErrorCode.WrongParameters);
+}
+
+export function getProviderOrThrow(identifier: ProviderIdentifier): Provider {
+    const provider = getProvider(identifier);
+    if (!provider) {
+        throw new CryptoError(
+            CryptoErrorCode.WrongParameters,
+            `Failed finding provider with name or security level ${identifier}`
+        );
+    }
+    return provider;
+}