Add cose migration on userkey rotation

libs/common/src/enums/feature-flag.enum.ts

@@ -45,6 +45,7 @@ export enum FeatureFlag {
   UserKeyRotationV2 = "userkey-rotation-v2",
   PM4154_BulkEncryptionService = "PM-4154-bulk-encryption-service",
   PM17987_BlockType0 = "pm-17987-block-type-0",
+  EnrollAeadOnKeyRotation = "enroll-aead-on-key-rotation",
 
   /* Tools */
   ItemShare = "item-share",
@@ -126,9 +127,10 @@ export const DefaultFeatureFlagValue = {
 
   /* Key Management */
   [FeatureFlag.PrivateKeyRegeneration]: FALSE,
-  [FeatureFlag.UserKeyRotationV2]: FALSE,
+  [FeatureFlag.UserKeyRotationV2]: true,
   [FeatureFlag.PM4154_BulkEncryptionService]: FALSE,
   [FeatureFlag.PM17987_BlockType0]: FALSE,
+  [FeatureFlag.EnrollAeadOnKeyRotation]: true,
 
   /* Platform */
   [FeatureFlag.IpcChannelFramework]: FALSE,

libs/common/src/platform/enums/encryption-type.enum.ts

@@ -2,6 +2,9 @@ export enum EncryptionType {
   AesCbc256_B64 = 0,
   // Type 1 was the unused and removed AesCbc128_HmacSha256_B64
   AesCbc256_HmacSha256_B64 = 2,
+  // Cose is the encoding for the key used, but contained can be:
+  // - XChaCha20Poly1305
+  CoseEncrypt0 = 7,
   Rsa2048_OaepSha256_B64 = 3,
   Rsa2048_OaepSha1_B64 = 4,
   Rsa2048_OaepSha256_HmacSha256_B64 = 5,
@@ -36,4 +39,5 @@ export const EXPECTED_NUM_PARTS_BY_ENCRYPTION_TYPE = {
   [EncryptionType.Rsa2048_OaepSha1_B64]: 1,
   [EncryptionType.Rsa2048_OaepSha256_HmacSha256_B64]: 2,
   [EncryptionType.Rsa2048_OaepSha1_HmacSha256_B64]: 2,
+  [EncryptionType.CoseEncrypt0]: 1,
 };

libs/common/src/platform/models/domain/symmetric-crypto-key.ts

@@ -16,13 +16,19 @@ export type Aes256CbcKey = {
   encryptionKey: Uint8Array;
 };
 
+export type CoseKey = {
+  type: EncryptionType.CoseEncrypt0;
+  // Encryption key here refers to the cose-encoded and padded key. This MAY later be refactored to contain the actual key bytes, as is the case in the SDK
+  encryptionKey: Uint8Array;
+};
+
 /**
  *  A symmetric crypto key represents a symmetric key usable for symmetric encryption and decryption operations.
  *  The specific algorithm used is private to the key, and should only be exposed to encrypt service implementations.
  *  This can be done via `inner()`.
  */
 export class SymmetricCryptoKey {
-  private innerKey: Aes256CbcHmacKey | Aes256CbcKey;
+  private innerKey: Aes256CbcHmacKey | Aes256CbcKey | CoseKey;
 
   keyB64: string;
 
@@ -47,6 +53,12 @@ export class SymmetricCryptoKey {
         authenticationKey: key.slice(32),
       };
       this.keyB64 = this.toBase64();
+    } else if (key.byteLength > 64) {
+      this.innerKey = {
+        type: EncryptionType.CoseEncrypt0,
+        encryptionKey: key,
+      };
+      this.keyB64 = this.toBase64();
     } else {
       throw new Error(`Unsupported encType/key length ${key.byteLength}`);
     }
@@ -63,7 +75,7 @@ export class SymmetricCryptoKey {
    *
    * @returns The inner key instance that can be directly used for encryption primitives
    */
-  inner(): Aes256CbcHmacKey | Aes256CbcKey {
+  inner(): Aes256CbcHmacKey | Aes256CbcKey | CoseKey {
     return this.innerKey;
   }
 
@@ -90,6 +102,8 @@ export class SymmetricCryptoKey {
       encodedKey.set(this.innerKey.encryptionKey, 0);
       encodedKey.set(this.innerKey.authenticationKey, 32);
       return encodedKey;
+    } else if (this.innerKey.type === EncryptionType.CoseEncrypt0) {
+      return this.innerKey.encryptionKey;
     } else {
       throw new Error("Unsupported encryption type.");
     }