Clean AES export and move back calculateKeyCheck to `secret-storage…

….ts` (#4440)
matrix-org · Oct 3, 2024 · da04482 · da04482
1 parent 9f40f32
commit da04482
Show file tree

Hide file tree

Showing 6 changed files with 22 additions and 44 deletions.
diff --git a/spec/unit/secret-storage.spec.ts b/spec/unit/secret-storage.spec.ts
@@ -18,6 +18,7 @@ import { Mocked } from "jest-mock";
 
 import {
     AccountDataClient,
+    calculateKeyCheck,
     PassphraseInfo,
     SecretStorageCallbacks,
     SecretStorageKeyDescriptionAesV1,
@@ -26,7 +27,6 @@ import {
     trimTrailingEquals,
 } from "../../src/secret-storage";
 import { randomString } from "../../src/randomstring";
-import { calculateKeyCheck } from "../../src/calculateKeyCheck.ts";
 
 describe("ServerSideSecretStorageImpl", function () {
     describe(".addKey", function () {

diff --git a/src/calculateKeyCheck.ts b/src/calculateKeyCheck.ts
diff --git a/src/crypto/aes.ts b/src/crypto/aes.ts
@@ -16,11 +16,8 @@ limitations under the License.
 
 import encryptAESSecretStorageItem from "../utils/encryptAESSecretStorageItem.ts";
 import decryptAESSecretStorageItem from "../utils/decryptAESSecretStorageItem.ts";
-import { AESEncryptedSecretStoragePayload } from "../@types/AESEncryptedSecretStoragePayload.ts";
 
 // Export for backwards compatibility
-export type { AESEncryptedSecretStoragePayload as IEncryptedPayload };
-// Export with new names instead of using `as` to not break react-sdk tests
-export const encryptAES = encryptAESSecretStorageItem;
-export const decryptAES = decryptAESSecretStorageItem;
-export { calculateKeyCheck } from "../calculateKeyCheck.ts";
+export type { AESEncryptedSecretStoragePayload as IEncryptedPayload } from "../@types/AESEncryptedSecretStoragePayload.ts";
+export { encryptAESSecretStorageItem as encryptAES, decryptAESSecretStorageItem as decryptAES };
+export { calculateKeyCheck } from "../secret-storage.ts";
diff --git a/src/crypto/backup.ts b/src/crypto/backup.ts
@@ -43,7 +43,7 @@ import { encodeRecoveryKey } from "../crypto-api/index.ts";
 import decryptAESSecretStorageItem from "../utils/decryptAESSecretStorageItem.ts";
 import encryptAESSecretStorageItem from "../utils/encryptAESSecretStorageItem.ts";
 import { AESEncryptedSecretStoragePayload } from "../@types/AESEncryptedSecretStoragePayload.ts";
-import { calculateKeyCheck } from "../calculateKeyCheck.ts";
+import { calculateKeyCheck } from "../secret-storage.ts";
 
 const KEY_BACKUP_KEYS_PER_REQUEST = 200;
 const KEY_BACKUP_CHECK_RATE_LIMIT = 5000; // ms

diff --git a/src/crypto/index.ts b/src/crypto/index.ts
@@ -75,6 +75,7 @@ import { MapWithDefault, recursiveMapToObject } from "../utils.ts";
 import {
     AccountDataClient,
     AddSecretStorageKeyOpts,
+    calculateKeyCheck,
     SECRET_STORAGE_ALGORITHM_V1_AES,
     SecretStorageKeyDescription,
     SecretStorageKeyObject,
@@ -109,7 +110,6 @@ import { KnownMembership } from "../@types/membership.ts";
 import decryptAESSecretStorageItem from "../utils/decryptAESSecretStorageItem.ts";
 import encryptAESSecretStorageItem from "../utils/encryptAESSecretStorageItem.ts";
 import { AESEncryptedSecretStoragePayload } from "../@types/AESEncryptedSecretStoragePayload.ts";
-import { calculateKeyCheck } from "../calculateKeyCheck.ts";
 
 /* re-exports for backwards compatibility */
 export type {

diff --git a/src/secret-storage.ts b/src/secret-storage.ts
@@ -28,7 +28,6 @@ import { logger } from "./logger.ts";
 import encryptAESSecretStorageItem from "./utils/encryptAESSecretStorageItem.ts";
 import decryptAESSecretStorageItem from "./utils/decryptAESSecretStorageItem.ts";
 import { AESEncryptedSecretStoragePayload } from "./@types/AESEncryptedSecretStoragePayload.ts";
-import { calculateKeyCheck } from "./crypto/aes.ts";
 
 export const SECRET_STORAGE_ALGORITHM_V1_AES = "m.secret_storage.v1.aes-hmac-sha2";
 
@@ -676,3 +675,19 @@ export function trimTrailingEquals(input: string): string {
         return input;
     }
 }
+
+// string of zeroes, for calculating the key check
+const ZERO_STR = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
+
+/**
+ * Calculate the MAC for checking the key.
+ * See https://spec.matrix.org/v1.11/client-server-api/#msecret_storagev1aes-hmac-sha2, steps 3 and 4.
+ *
+ * @param key - the key to use
+ * @param iv - The initialization vector as a base64-encoded string.
+ *     If omitted, a random initialization vector will be created.
+ * @returns An object that contains, `mac` and `iv` properties.
+ */
+export function calculateKeyCheck(key: Uint8Array, iv?: string): Promise<AESEncryptedSecretStoragePayload> {
+    return encryptAESSecretStorageItem(ZERO_STR, key, "", iv);
+}