Add optional aad for aes gcm mode decryption

This is used in key connector communication tunneling to prevent downgrade attacks in the future

libs/node/src/services/node-crypto-function.service.spec.ts

@@ -226,6 +226,21 @@ describe("NodeCrypto Function Service", () => {
       const decValue = await cryptoFunctionService.aesDecrypt(envValue, iv, key, "gcm");
       expect(Utils.fromBufferToUtf8(decValue)).toBe(value);
     });
+
+    it("should successfully encrypt and then decrypt data with aad", async () => {
+      const cryptoFunctionService = new NodeCryptoFunctionService();
+      const iv = makeStaticByteArray(12);
+      const key = makeStaticByteArray(32);
+      const value = "EncryptMe!";
+      const data = Utils.fromUtf8ToArray(value);
+      const aad = Utils.fromUtf8ToArray("aad");
+      const encAndIv = new Uint8Array(
+        await cryptoFunctionService.aesGcmEncrypt(data, iv, key, aad),
+      );
+      const envValue = encAndIv.slice(0, encAndIv.length - 12);
+      const decValue = await cryptoFunctionService.aesDecrypt(envValue, iv, key, "gcm", aad);
+      expect(Utils.fromBufferToUtf8(decValue)).toBe(value);
+    });
   });
 
   describe("aesDecryptFast CBC mode", () => {
@@ -251,18 +266,6 @@ describe("NodeCrypto Function Service", () => {
     });
   });
 
-  describe("aesDecryptFast GCM mode", () => {
-    it("successfully decrypts data", async () => {
-      const nodeCryptoFunctionService = new NodeCryptoFunctionService();
-      const iv = Utils.fromBufferToB64(makeStaticByteArray(12));
-      const symKey = new SymmetricCryptoKey(makeStaticByteArray(32));
-      const data = "Amy1abyVtlboYFBtLnDAzAwAgb3Qg2m4fMo=";
-      const params = nodeCryptoFunctionService.aesDecryptFastParameters(data, iv, null, symKey);
-      const decValue = await nodeCryptoFunctionService.aesDecryptFast(params, "gcm");
-      expect(decValue).toBe("EncryptMe!");
-    });
-  });
-
   describe("aesDecrypt CBC mode", () => {
     it("should successfully decrypt data", async () => {
       const nodeCryptoFunctionService = new NodeCryptoFunctionService();

libs/node/src/services/node-crypto-function.service.ts

@@ -210,7 +210,7 @@ export class NodeCryptoFunctionService implements CryptoFunctionService {
 
   async aesDecryptFast(
     parameters: DecryptParameters<Uint8Array>,
-    mode: "cbc" | "ecb" | "gcm",
+    mode: "cbc" | "ecb",
   ): Promise<string> {
     const decBuf = await this.aesDecrypt(parameters.data, parameters.iv, parameters.encKey, mode);
     return Utils.fromBufferToUtf8(decBuf);
@@ -221,15 +221,22 @@ export class NodeCryptoFunctionService implements CryptoFunctionService {
     iv: Uint8Array,
     key: Uint8Array,
     mode: "cbc" | "ecb" | "gcm",
+    additionalData?: Uint8Array,
   ): Promise<Uint8Array> {
     const nodeData =
       mode !== "gcm" ? this.toNodeBuffer(data) : this.toNodeBuffer(data.slice(0, -16)); // remove gcm tag
     const nodeIv = mode === "ecb" ? null : this.toNodeBuffer(iv);
     const nodeKey = this.toNodeBuffer(key);
     const decipher = crypto.createDecipheriv(this.toNodeCryptoAesMode(mode), nodeKey, nodeIv);
+
     if (mode === "gcm") {
       (decipher as crypto.DecipherGCM).setAuthTag(data.slice(-16));
     }
+    if (additionalData != null && mode === "gcm") {
+      const nodeAdditionalData = this.toNodeBuffer(additionalData);
+      (decipher as crypto.DecipherGCM).setAAD(nodeAdditionalData);
+    }
+
     const decBuf = Buffer.concat([decipher.update(nodeData), decipher.final()]);
     return Promise.resolve(this.toUint8Buffer(decBuf));
   }