[PM-19603] Change asymmetric interface to only allow key encapsulation (#14046)

* Change asymmetric interface to only allow key encapsulation * Fix naming * Clean up naming * Update libs/common/src/key-management/crypto/abstractions/encrypt.service.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Update libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Update libs/common/src/key-management/crypto/abstractions/encrypt.service.ts Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> * Fix test --------- Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
2025-12-16 16:23:44 +00:00 · 2025-04-15 16:39:02 +02:00
parent 9f174e7723
commit b09305577f
30 changed files with 229 additions and 143 deletions
--- a/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
+++ b/libs/auth/src/common/services/auth-request/auth-request.service.spec.ts
@@ -88,6 +88,9 @@ describe("AuthRequestService", () => {
      encryptService.rsaEncrypt.mockResolvedValue({
        encryptedString: "ENCRYPTED_STRING",
      } as EncString);
+      encryptService.encapsulateKeyUnsigned.mockResolvedValue({
+        encryptedString: "ENCRYPTED_STRING",
+      } as EncString);
      appIdService.getAppId.mockResolvedValue("APP_ID");
    });
    it("should throw if auth request is missing id or key", async () => {
@@ -111,7 +114,10 @@ describe("AuthRequestService", () => {
        new AuthRequestResponse({ id: "123", publicKey: "KEY" }),
      );

-      expect(encryptService.rsaEncrypt).toHaveBeenCalledWith(new Uint8Array(64), expect.anything());
+      expect(encryptService.encapsulateKeyUnsigned).toHaveBeenCalledWith(
+        { encKey: new Uint8Array(64) },
+        expect.anything(),
+      );
    });

    it("should use the user key if the master key and hash do not exist", async () => {
@@ -122,7 +128,10 @@ describe("AuthRequestService", () => {
        new AuthRequestResponse({ id: "123", publicKey: "KEY" }),
      );

-      expect(encryptService.rsaEncrypt).toHaveBeenCalledWith(new Uint8Array(64), expect.anything());
+      expect(encryptService.encapsulateKeyUnsigned).toHaveBeenCalledWith(
+        { key: new Uint8Array(64) },
+        expect.anything(),
+      );
    });
  });
  describe("setUserKeyAfterDecryptingSharedUserKey", () => {
@@ -214,7 +223,9 @@ describe("AuthRequestService", () => {
      const mockDecryptedUserKeyBytes = new Uint8Array(64);
      const mockDecryptedUserKey = new SymmetricCryptoKey(mockDecryptedUserKeyBytes) as UserKey;

-      encryptService.rsaDecrypt.mockResolvedValueOnce(mockDecryptedUserKeyBytes);
+      encryptService.decapsulateKeyUnsigned.mockResolvedValueOnce(
+        new SymmetricCryptoKey(mockDecryptedUserKeyBytes),
+      );

      // Act
      const result = await sut.decryptPubKeyEncryptedUserKey(
@@ -223,7 +234,7 @@ describe("AuthRequestService", () => {
      );

      // Assert
-      expect(encryptService.rsaDecrypt).toBeCalledWith(
+      expect(encryptService.decapsulateKeyUnsigned).toBeCalledWith(
        new EncString(mockPubKeyEncryptedUserKey),
        mockPrivateKey,
      );
@@ -244,9 +255,10 @@ describe("AuthRequestService", () => {
      const mockDecryptedMasterKeyHashBytes = new Uint8Array(64);
      const mockDecryptedMasterKeyHash = Utils.fromBufferToUtf8(mockDecryptedMasterKeyHashBytes);

-      encryptService.rsaDecrypt
-        .mockResolvedValueOnce(mockDecryptedMasterKeyBytes)
-        .mockResolvedValueOnce(mockDecryptedMasterKeyHashBytes);
+      encryptService.rsaDecrypt.mockResolvedValueOnce(mockDecryptedMasterKeyHashBytes);
+      encryptService.decapsulateKeyUnsigned.mockResolvedValueOnce(
+        new SymmetricCryptoKey(mockDecryptedMasterKeyBytes),
+      );

      // Act
      const result = await sut.decryptPubKeyEncryptedMasterKeyAndHash(
@@ -256,13 +268,11 @@ describe("AuthRequestService", () => {
      );

      // Assert
-      expect(encryptService.rsaDecrypt).toHaveBeenNthCalledWith(
-        1,
+      expect(encryptService.decapsulateKeyUnsigned).toHaveBeenCalledWith(
        new EncString(mockPubKeyEncryptedMasterKey),
        mockPrivateKey,
      );
-      expect(encryptService.rsaDecrypt).toHaveBeenNthCalledWith(
-        2,
+      expect(encryptService.rsaDecrypt).toHaveBeenCalledWith(
        new EncString(mockPubKeyEncryptedMasterKeyHash),
        mockPrivateKey,
      );