[PM-3732] Use subtle to make aes keys (#6162)

* Provide `aesGenerateKey` to make aes keys * Use aesGenerateKey when generating a key data * Fix device test
2025-12-18 01:03:35 +00:00 · 2023-09-07 11:42:35 -04:00
parent 615248e04f
commit 0448910806
11 changed files with 67 additions and 17 deletions
--- a/libs/common/src/auth/services/device-trust-crypto.service.implementation.ts
+++ b/libs/common/src/auth/services/device-trust-crypto.service.implementation.ts
@@ -167,7 +167,7 @@ export class DeviceTrustCryptoService implements DeviceTrustCryptoServiceAbstrac

  private async makeDeviceKey(): Promise<DeviceKey> {
    // Create 512-bit device key
-    const randomBytes: CsprngArray = await this.cryptoFunctionService.randomBytes(64);
+    const randomBytes: CsprngArray = await this.cryptoFunctionService.aesGenerateKey(512);
    const deviceKey = new SymmetricCryptoKey(randomBytes) as DeviceKey;

    return deviceKey;
--- a/libs/common/src/auth/services/device-trust-crypto.service.spec.ts
+++ b/libs/common/src/auth/services/device-trust-crypto.service.spec.ts
@@ -168,16 +168,16 @@ describe("deviceTrustCryptoService", () => {
      it("creates a new non-null 64 byte device key, securely stores it, and returns it", async () => {
        const mockRandomBytes = new Uint8Array(deviceKeyBytesLength) as CsprngArray;

-        const cryptoFuncSvcRandomBytesSpy = jest
-          .spyOn(cryptoFunctionService, "randomBytes")
+        const cryptoFuncSvcGenerateKeySpy = jest
+          .spyOn(cryptoFunctionService, "aesGenerateKey")
          .mockResolvedValue(mockRandomBytes);

        // TypeScript will allow calling private methods if the object is of type 'any'
        // This is a hacky workaround, but it allows for cleaner tests
        const deviceKey = await (deviceTrustCryptoService as any).makeDeviceKey();

-        expect(cryptoFuncSvcRandomBytesSpy).toHaveBeenCalledTimes(1);
-        expect(cryptoFuncSvcRandomBytesSpy).toHaveBeenCalledWith(deviceKeyBytesLength);
+        expect(cryptoFuncSvcGenerateKeySpy).toHaveBeenCalledTimes(1);
+        expect(cryptoFuncSvcGenerateKeySpy).toHaveBeenCalledWith(deviceKeyBytesLength * 8);

        expect(deviceKey).not.toBeNull();
        expect(deviceKey).toBeInstanceOf(SymmetricCryptoKey);
--- a/libs/common/src/auth/services/key-connector.service.ts
+++ b/libs/common/src/auth/services/key-connector.service.ts
@@ -93,7 +93,7 @@ export class KeyConnectorService implements KeyConnectorServiceAbstraction {
      keyConnectorUrl: legacyKeyConnectorUrl,
      userDecryptionOptions,
    } = tokenResponse;
-    const password = await this.cryptoFunctionService.randomBytes(64);
+    const password = await this.cryptoFunctionService.aesGenerateKey(512);
    const kdfConfig = new KdfConfig(kdfIterations, kdfMemory, kdfParallelism);

    const masterKey = await this.cryptoService.makeMasterKey(