Integration of rust crypto-layer for secure element support

packages/app-runtime/src/AppConfig.ts

@@ -1,3 +1,5 @@
+import { StorageConfig } from "@nmshd/crypto";
+import { ProviderFactoryFunctions } from "@nmshd/rs-crypto-types";
 import { RuntimeConfig } from "@nmshd/runtime";
 import { IConfigOverwrite } from "@nmshd/transport";
 import { defaultsDeep } from "lodash";
@@ -20,6 +22,8 @@ export interface AppConfigOverwrite {
     allowMultipleAccountsWithSameAddress?: boolean;
     databaseFolder?: string;
     modules?: Record<string, { enabled?: boolean; [x: string | number | symbol]: unknown }>;
+    calFactory?: ProviderFactoryFunctions;
+    calStorageConfig?: StorageConfig;
 }
 
 export function createAppConfig(...configs: (AppConfigOverwrite | AppConfig)[]): AppConfig {

packages/consumption/package.json

@@ -73,7 +73,7 @@
         "@js-soft/docdb-access-loki": "1.3.0",
         "@js-soft/docdb-access-mongo": "1.3.0",
         "@js-soft/node-logger": "1.2.0",
-        "@nmshd/crypto": "2.1.2",
+        "@nmshd/crypto": "^2.2.0-alpha.8",
         "@types/lodash": "^4.17.20",
         "ts-mockito": "^2.6.1"
     },

packages/content/package.json

@@ -58,8 +58,8 @@
         "ts-simple-nameof": "^1.3.1"
     },
     "devDependencies": {
-        "@types/luxon": "^3.6.2",
-        "@nmshd/crypto": "2.1.2"
+        "@nmshd/crypto": "^2.2.0-alpha.8",
+        "@types/luxon": "^3.6.2"
     },
     "publishConfig": {
         "access": "public",

packages/core-types/package.json

@@ -51,7 +51,7 @@
     "dependencies": {
         "@js-soft/logging-abstractions": "^1.0.1",
         "@js-soft/ts-serval": "2.0.12",
-        "@nmshd/crypto": "^2.1.2",
+        "@nmshd/crypto": "^2.2.0-alpha.8",
         "json-stringify-safe": "^5.0.1",
         "luxon": "^3.7.1"
     },

packages/runtime/package.json

@@ -67,7 +67,7 @@
         "@nmshd/consumption": "*",
         "@nmshd/content": "*",
         "@nmshd/core-types": "*",
-        "@nmshd/crypto": "2.1.2",
+        "@nmshd/crypto": "^2.2.0-alpha.8",
         "@nmshd/iql": "^1.0.3",
         "@nmshd/runtime-types": "*",
         "@nmshd/transport": "*",
@@ -85,6 +85,7 @@
         "@js-soft/docdb-access-loki": "1.3.0",
         "@js-soft/docdb-access-mongo": "1.3.0",
         "@js-soft/node-logger": "1.2.0",
+        "@nmshd/rs-crypto-node": "0.14.0",
         "@types/json-stringify-safe": "^5.0.3",
         "@types/lodash": "^4.17.20",
         "@types/luxon": "^3.6.2",

packages/runtime/src/Runtime.ts

@@ -13,6 +13,7 @@ import {
     SettingsController
 } from "@nmshd/consumption";
 import { ICoreAddress } from "@nmshd/core-types";
+import { initializeProviders, newInitializedProviders, ProviderInitConfig } from "@nmshd/crypto";
 import { RuntimeHealth } from "@nmshd/runtime-types";
 import {
     AccountController,
@@ -144,6 +145,29 @@ export abstract class Runtime<TConfig extends RuntimeConfig = RuntimeConfig> {
 
         this.databaseConnection = await this.createDatabaseConnection();
 
+        if (this.runtimeConfig.calFactory && this.runtimeConfig.calStorageConfig) {
+            this.logger.trace("Initializing Crypto Layer");
+            const calDB = await this.databaseConnection.getDatabase("cryptoConfig");
+            const calMap = await calDB.getMap("calConfig");
+            const calConfig = await calMap.get("initializedProviders");
+            if (calConfig === null) {
+                this.logger.trace("Initializing Crypto Layer with new config");
+                const calConfig = await newInitializedProviders(this.runtimeConfig.calStorageConfig, this.runtimeConfig.calFactory);
+                if (!calConfig) {
+                    throw RuntimeErrors.startup.failedCalInit();
+                }
+                const serializedConfig = calConfig.serialize();
+                await calMap.set("initializedProviders", serializedConfig);
+            } else {
+                this.logger.trace("Initializing Crypto Layer with saved config");
+                const calConfigloaded = ProviderInitConfig.deserialize(calConfig);
+                await initializeProviders(calConfigloaded, this.runtimeConfig.calStorageConfig, this.runtimeConfig.calFactory);
+            }
+            this.logger.trace("Crypto Layer initialized");
+        } else {
+            this.logger.trace("No Crypto Layer configuration provided, skipping initialization.");
+        }
+
         await this.initTransportLibrary();
         await this.initAccount();
 

packages/runtime/src/RuntimeConfig.ts

@@ -1,3 +1,5 @@
+import { StorageConfig } from "@nmshd/crypto";
+import { ProviderFactoryFunctions } from "@nmshd/rs-crypto-types";
 import { IConfigOverwrite } from "@nmshd/transport";
 import { ModuleConfiguration } from "./extensibility/modules/RuntimeModule";
 import { DeciderModuleConfiguration } from "./modules";
@@ -7,4 +9,6 @@ export interface RuntimeConfig {
     modules: Record<string, ModuleConfiguration> & {
         decider: DeciderModuleConfiguration;
     };
+    calFactory?: ProviderFactoryFunctions;
+    calStorageConfig?: StorageConfig;
 }

packages/runtime/src/useCases/common/RuntimeErrors.ts

@@ -169,6 +169,10 @@ class Startup {
     public noActiveExpander(): ApplicationError {
         return new ApplicationError("error.runtime.startup.noActiveExpander", "No DataViewExpander could be found. You might have to login first.");
     }
+
+    public failedCalInit(): ApplicationError {
+        return new ApplicationError("error.runtime.startup.failedCalInit", "Initialising Crypto Abtraction Layer failed.");
+    }
 }
 
 class Challenges {

packages/transport/package.json

@@ -71,7 +71,7 @@
         "@js-soft/simple-logger": "1.0.5",
         "@js-soft/ts-utils": "^2.3.3",
         "@nmshd/core-types": "*",
-        "@nmshd/crypto": "2.1.2",
+        "@nmshd/crypto": "^2.2.0-alpha.8",
         "axios": "^1.10.0",
         "fast-json-patch": "^3.1.1",
         "form-data": "^4.0.3",
@@ -89,10 +89,12 @@
         "@js-soft/docdb-access-mongo": "1.3.0",
         "@js-soft/node-logger": "1.2.0",
         "@js-soft/ts-serval": "2.0.12",
+        "@nmshd/rs-crypto-node": "0.14.0",
         "@types/json-stringify-safe": "^5.0.3",
         "@types/lodash": "^4.17.20",
         "@types/luxon": "^3.6.2",
         "@types/qs": "^6.14.0",
+        "@types/tmp": "0.2.6",
         "@types/uuid": "^10.0.0",
         "correlation-id": "^5.2.0",
         "expect": "^30.0.4",

packages/transport/src/core/CoreCrypto.ts

@@ -3,8 +3,10 @@ import {
     CryptoCipher,
     CryptoDerivation,
     CryptoDerivationAlgorithm,
+    CryptoDerivationHandle,
     CryptoEncryption,
     CryptoEncryptionAlgorithm,
+    CryptoEncryptionHandle,
     CryptoExchange,
     CryptoExchangeAlgorithm,
     CryptoExchangeKeypair,
@@ -19,7 +21,12 @@ import {
     CryptoSignaturePrivateKey,
     CryptoSignaturePublicKey,
     CryptoSignatures,
-    Encoding
+    DeviceBoundDerivedKeyHandle,
+    DeviceBoundKeyHandle,
+    Encoding,
+    PortableDerivedKeyHandle,
+    PortableKeyHandle,
+    CryptoLayerProviderIdentifier as ProviderIdentifier
 } from "@nmshd/crypto";
 import { PasswordGenerator } from "../util";
 import { TransportError } from "./TransportError";
@@ -81,6 +88,74 @@ export abstract class CoreCrypto {
         }
     }
 
+    /**
+     * Generates a handle-based secret key for symmetric encryption.
+     * Depending on the given version, different algorithms are used:
+     *
+     * v1: AES256_GCM
+     *
+     * @param providerIdent The provider identifier
+     * @param version The version which should be used, "latest" is the default.
+     * @returns A Promise object resolving into a new CryptoSecretKeyHandle.
+     */
+    public static async generateDeviceBoundKeyHandle(providerIdent: ProviderIdentifier, version: TransportVersion = TransportVersion.Latest): Promise<DeviceBoundKeyHandle> {
+        switch (version) {
+            // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+            case TransportVersion.V1:
+                return await CryptoEncryptionHandle.generateDeviceBoundKeyHandle(providerIdent, CryptoEncryptionAlgorithm.XCHACHA20_POLY1305, CryptoHashAlgorithm.SHA512);
+            default:
+                throw this.invalidVersion(version);
+        }
+    }
+
+    /**
+     * Generates a handle-based secret key for symmetric encryption.
+     * Depending on the given version, different algorithms are used:
+     *
+     * v1: AES256_GCM
+     *
+     * @param providerIdent The provider identifier
+     * @param version The version which should be used, "latest" is the default.
+     * @returns A Promise object resolving into a new CryptoSecretKeyHandle.
+     */
+    public static async generatePortableKeyHandle(providerIdent: ProviderIdentifier, version: TransportVersion = TransportVersion.Latest): Promise<PortableKeyHandle> {
+        switch (version) {
+            // eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
+            case TransportVersion.V1:
+                return await CryptoEncryptionHandle.generatePortableKeyHandle(providerIdent, CryptoEncryptionAlgorithm.XCHACHA20_POLY1305, CryptoHashAlgorithm.SHA512);
+            default:
+                throw this.invalidVersion(version);
+        }
+    }
+
+    /**
+     * Generates a handle-based secret key for symmetric encryption.
+     * Depending on the given version, different algorithms are used:
+     *
+     * v1: AES256_GCM
+     *
+     * @param providerIdent The provider identifier
+     * @param version The version which should be used, "latest" is the default.
+     * @returns A Promise object resolving into a new CryptoSecretKeyHandle.
+     */
+    public static async generateDeviceBoundDerivationHandle(baseKey: DeviceBoundKeyHandle, keyId: number, context: string): Promise<DeviceBoundDerivedKeyHandle> {
+        return await CryptoDerivationHandle.deriveDeviceBoundKeyHandle(baseKey, keyId, context);
+    }
+
+    /**
+     * Generates a handle-based secret key for symmetric encryption.
+     * Depending on the given version, different algorithms are used:
+     *
+     * v1: AES256_GCM
+     *
+     * @param providerIdent The provider identifier
+     * @param version The version which should be used, "latest" is the default.
+     * @returns A Promise object resolving into a new CryptoSecretKeyHandle.
+     */
+    public static async generatePortableDerivationHandle(baseKey: PortableKeyHandle, keyId: number, context: string): Promise<PortableDerivedKeyHandle> {
+        return await CryptoDerivationHandle.derivePortableKeyHandle(baseKey, keyId, context);
+    }
+
     /**
      * Generates a high entropy key / hash derived from a low entropy human readable/memorable master password, a unique salt,
      * the given symmetric algorithm and the version. Depending on the given version, different key derivation algorithms are used.