[PM-17984] Remove AES128CBC-HMAC encryption (#13304)

* Remove AES128CBC-HMAC encryption * Increase test coverage
2025-12-16 08:13:42 +00:00 · 2025-03-11 14:20:02 +01:00
parent 5cd47ac907
commit 9683779dbf
10 changed files with 50 additions and 105 deletions
--- a/libs/common/src/platform/enums/encryption-type.enum.ts
+++ b/libs/common/src/platform/enums/encryption-type.enum.ts
@@ -1,6 +1,6 @@
 export enum EncryptionType {
  AesCbc256_B64 = 0,
-  AesCbc128_HmacSha256_B64 = 1,
+  // Type 1 was the unused and removed AesCbc128_HmacSha256_B64
  AesCbc256_HmacSha256_B64 = 2,
  Rsa2048_OaepSha256_B64 = 3,
  Rsa2048_OaepSha1_B64 = 4,
@@ -17,12 +17,10 @@ export function encryptionTypeToString(encryptionType: EncryptionType): string {
 }

 /** The expected number of parts to a serialized EncString of the given encryption type.
- * For example, an EncString of type AesCbc256_B64 will have 2 parts, and an EncString of type
- * AesCbc128_HmacSha256_B64 will have 3 parts.
+ * For example, an EncString of type AesCbc256_B64 will have 2 parts
 *
 * Example of annotated serialized EncStrings:
 * 0.iv|data
- * 1.iv|data|mac
 * 2.iv|data|mac
 * 3.data
 * 4.data
@@ -33,7 +31,6 @@ export function encryptionTypeToString(encryptionType: EncryptionType): string {
 */
 export const EXPECTED_NUM_PARTS_BY_ENCRYPTION_TYPE = {
  [EncryptionType.AesCbc256_B64]: 2,
-  [EncryptionType.AesCbc128_HmacSha256_B64]: 3,
  [EncryptionType.AesCbc256_HmacSha256_B64]: 3,
  [EncryptionType.Rsa2048_OaepSha256_B64]: 1,
  [EncryptionType.Rsa2048_OaepSha1_B64]: 1,
--- a/libs/common/src/platform/models/domain/enc-array-buffer.spec.ts
+++ b/libs/common/src/platform/models/domain/enc-array-buffer.spec.ts
@@ -5,28 +5,28 @@ import { EncArrayBuffer } from "./enc-array-buffer";

 describe("encArrayBuffer", () => {
  describe("parses the buffer", () => {
-    test.each([
-      [EncryptionType.AesCbc128_HmacSha256_B64, "AesCbc128_HmacSha256_B64"],
-      [EncryptionType.AesCbc256_HmacSha256_B64, "AesCbc256_HmacSha256_B64"],
-    ])("with %c%s", (encType: EncryptionType) => {
-      const iv = makeStaticByteArray(16, 10);
-      const mac = makeStaticByteArray(32, 20);
-      // We use the minimum data length of 1 to test the boundary of valid lengths
-      const data = makeStaticByteArray(1, 100);
+    test.each([[EncryptionType.AesCbc256_HmacSha256_B64, "AesCbc256_HmacSha256_B64"]])(
+      "with %c%s",
+      (encType: EncryptionType) => {
+        const iv = makeStaticByteArray(16, 10);
+        const mac = makeStaticByteArray(32, 20);
+        // We use the minimum data length of 1 to test the boundary of valid lengths
+        const data = makeStaticByteArray(1, 100);

-      const array = new Uint8Array(1 + iv.byteLength + mac.byteLength + data.byteLength);
-      array.set([encType]);
-      array.set(iv, 1);
-      array.set(mac, 1 + iv.byteLength);
-      array.set(data, 1 + iv.byteLength + mac.byteLength);
+        const array = new Uint8Array(1 + iv.byteLength + mac.byteLength + data.byteLength);
+        array.set([encType]);
+        array.set(iv, 1);
+        array.set(mac, 1 + iv.byteLength);
+        array.set(data, 1 + iv.byteLength + mac.byteLength);

-      const actual = new EncArrayBuffer(array);
+        const actual = new EncArrayBuffer(array);

-      expect(actual.encryptionType).toEqual(encType);
-      expect(actual.ivBytes).toEqualBuffer(iv);
-      expect(actual.macBytes).toEqualBuffer(mac);
-      expect(actual.dataBytes).toEqualBuffer(data);
-    });
+        expect(actual.encryptionType).toEqual(encType);
+        expect(actual.ivBytes).toEqualBuffer(iv);
+        expect(actual.macBytes).toEqualBuffer(mac);
+        expect(actual.dataBytes).toEqualBuffer(data);
+      },
+    );

    it("with AesCbc256_B64", () => {
      const encType = EncryptionType.AesCbc256_B64;
@@ -50,7 +50,6 @@ describe("encArrayBuffer", () => {

  describe("throws if the buffer has an invalid length", () => {
    test.each([
-      [EncryptionType.AesCbc128_HmacSha256_B64, 50, "AesCbc128_HmacSha256_B64"],
      [EncryptionType.AesCbc256_HmacSha256_B64, 50, "AesCbc256_HmacSha256_B64"],
      [EncryptionType.AesCbc256_B64, 18, "AesCbc256_B64"],
    ])("with %c%c%s", (encType: EncryptionType, minLength: number) => {
--- a/libs/common/src/platform/models/domain/enc-array-buffer.ts
+++ b/libs/common/src/platform/models/domain/enc-array-buffer.ts
@@ -20,7 +20,6 @@ export class EncArrayBuffer implements Encrypted {
    const encType = encBytes[0];

    switch (encType) {
-      case EncryptionType.AesCbc128_HmacSha256_B64:
      case EncryptionType.AesCbc256_HmacSha256_B64: {
        const minimumLength = ENC_TYPE_LENGTH + IV_LENGTH + MAC_LENGTH + MIN_DATA_LENGTH;
        if (encBytes.length < minimumLength) {
--- a/libs/common/src/platform/models/domain/enc-string.spec.ts
+++ b/libs/common/src/platform/models/domain/enc-string.spec.ts
@@ -60,9 +60,7 @@ describe("EncString", () => {

      const cases = [
        "aXY=|Y3Q=", // AesCbc256_B64 w/out header
-        "aXY=|Y3Q=|cnNhQ3Q=", // AesCbc128_HmacSha256_B64 w/out header
        "0.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==", // AesCbc256_B64 with header
-        "1.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==|QmFzZTY0UGFydA==", // AesCbc128_HmacSha256_B64
        "2.QmFzZTY0UGFydA==|QmFzZTY0UGFydA==|QmFzZTY0UGFydA==", // AesCbc256_HmacSha256_B64
        "3.QmFzZTY0UGFydA==", // Rsa2048_OaepSha256_B64
        "4.QmFzZTY0UGFydA==", // Rsa2048_OaepSha1_B64
--- a/libs/common/src/platform/models/domain/enc-string.ts
+++ b/libs/common/src/platform/models/domain/enc-string.ts
@@ -89,7 +89,6 @@ export class EncString implements Encrypted {
    }

    switch (encType) {
-      case EncryptionType.AesCbc128_HmacSha256_B64:
      case EncryptionType.AesCbc256_HmacSha256_B64:
        this.iv = encPieces[0];
        this.data = encPieces[1];
@@ -132,10 +131,7 @@ export class EncString implements Encrypted {
      }
    } else {
      encPieces = encryptedString.split("|");
-      encType =
-        encPieces.length === 3
-          ? EncryptionType.AesCbc128_HmacSha256_B64
-          : EncryptionType.AesCbc256_B64;
+      encType = EncryptionType.AesCbc256_B64;
    }

    return {
--- a/libs/common/src/platform/models/domain/symmetric-crypto-key.spec.ts
+++ b/libs/common/src/platform/models/domain/symmetric-crypto-key.spec.ts
@@ -27,21 +27,6 @@ describe("SymmetricCryptoKey", () => {
      });
    });

-    it("AesCbc128_HmacSha256_B64", () => {
-      const key = makeStaticByteArray(32);
-      const cryptoKey = new SymmetricCryptoKey(key, EncryptionType.AesCbc128_HmacSha256_B64);
-
-      expect(cryptoKey).toEqual({
-        encKey: key.slice(0, 16),
-        encKeyB64: "AAECAwQFBgcICQoLDA0ODw==",
-        encType: 1,
-        key: key,
-        keyB64: "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=",
-        macKey: key.slice(16, 32),
-        macKeyB64: "EBESExQVFhcYGRobHB0eHw==",
-      });
-    });
-
    it("AesCbc256_HmacSha256_B64", () => {
      const key = makeStaticByteArray(64);
      const cryptoKey = new SymmetricCryptoKey(key);
--- a/libs/common/src/platform/models/domain/symmetric-crypto-key.ts
+++ b/libs/common/src/platform/models/domain/symmetric-crypto-key.ts
@@ -38,9 +38,6 @@ export class SymmetricCryptoKey {
    if (encType === EncryptionType.AesCbc256_B64 && key.byteLength === 32) {
      this.encKey = key;
      this.macKey = null;
-    } else if (encType === EncryptionType.AesCbc128_HmacSha256_B64 && key.byteLength === 32) {
-      this.encKey = key.slice(0, 16);
-      this.macKey = key.slice(16, 32);
    } else if (encType === EncryptionType.AesCbc256_HmacSha256_B64 && key.byteLength === 64) {
      this.encKey = key.slice(0, 32);
      this.macKey = key.slice(32, 64);