[PM-17440] Use SDK for decryption (#14277)

* Improve dev logging * Define decrypt with sdk flag * Use SDK's pure crypto functions for decryption feature flagged by `use-sdk-for-decryption` * Avoid pushing decryption requests to web workers for SDK web workers are able to use the SDK, but they require the SDK module to be initialized. If this is eventually seen as desired, we'll need client-specific worker scripts. * Apply suggestions from code review Co-authored-by: Bernd Schoolmann <mail@quexten.com> * fixup! Apply suggestions from code review * fixup: Update feature flag state in config callbacks * Apply suggestions from code review Co-authored-by: Bernd Schoolmann <mail@quexten.com> --------- Co-authored-by: Bernd Schoolmann <mail@quexten.com>
2025-12-16 00:03:56 +00:00 · 2025-05-05 09:19:52 -07:00
parent e0cabd1df0
commit 013a34e042
6 changed files with 114 additions and 2 deletions
--- a/libs/common/src/platform/models/domain/enc-array-buffer.ts
+++ b/libs/common/src/platform/models/domain/enc-array-buffer.ts
@@ -57,6 +57,41 @@ export class EncArrayBuffer implements Encrypted {
    );
  }

+  static fromParts(
+    encryptionType: EncryptionType,
+    iv: Uint8Array,
+    data: Uint8Array,
+    mac: Uint8Array | undefined | null,
+  ) {
+    if (encryptionType == null || iv == null || data == null) {
+      throw new Error("encryptionType, iv, and data must be provided");
+    }
+
+    switch (encryptionType) {
+      case EncryptionType.AesCbc256_B64:
+      case EncryptionType.AesCbc256_HmacSha256_B64:
+        EncArrayBuffer.validateIvLength(iv);
+        EncArrayBuffer.validateMacLength(encryptionType, mac);
+        break;
+      default:
+        throw new Error(`Unknown EncryptionType ${encryptionType} for EncArrayBuffer.fromParts`);
+    }
+
+    let macLen = 0;
+    if (mac != null) {
+      macLen = mac.length;
+    }
+
+    const bytes = new Uint8Array(1 + iv.byteLength + macLen + data.byteLength);
+    bytes.set([encryptionType], 0);
+    bytes.set(iv, 1);
+    if (mac != null) {
+      bytes.set(mac, 1 + iv.byteLength);
+    }
+    bytes.set(data, 1 + iv.byteLength + macLen);
+    return new EncArrayBuffer(bytes);
+  }
+
  static async fromResponse(response: {
    arrayBuffer: () => Promise<ArrayBuffer>;
  }): Promise<EncArrayBuffer> {
@@ -71,4 +106,27 @@ export class EncArrayBuffer implements Encrypted {
    const buffer = Utils.fromB64ToArray(b64);
    return new EncArrayBuffer(buffer);
  }
+
+  static validateIvLength(iv: Uint8Array) {
+    if (iv == null || iv.length !== IV_LENGTH) {
+      throw new Error("Invalid IV length");
+    }
+  }
+
+  static validateMacLength(encType: EncryptionType, mac: Uint8Array | null | undefined) {
+    switch (encType) {
+      case EncryptionType.AesCbc256_B64:
+        if (mac != null) {
+          throw new Error("mac must not be provided for AesCbc256_B64");
+        }
+        break;
+      case EncryptionType.AesCbc256_HmacSha256_B64:
+        if (mac == null || mac.length !== MAC_LENGTH) {
+          throw new Error("Invalid MAC length");
+        }
+        break;
+      default:
+        throw new Error("Invalid encryption type and mac combination");
+    }
+  }
 }