refactor!: restructure multi-key support with Encryption wrapper class

Author: RomainLanz

factories/encryption.ts

@@ -0,0 +1,26 @@
+/*
+ * @boringnode/encryption
+ *
+ * @license MIT
+ * @copyright Boring Node
+ */
+
+import { Encryption, type EncryptionConfig } from '../src/encryption.ts'
+import { chacha20poly1305 } from '../src/drivers/chacha20_poly1305.ts'
+
+export class EncryptionFactory {
+  #config: EncryptionConfig
+
+  constructor(config?: EncryptionConfig) {
+    this.#config =
+      config ||
+      chacha20poly1305({
+        id: 'nova',
+        keys: ['averylongradom32charactersstring'],
+      })
+  }
+
+  create() {
+    return new Encryption(this.#config)
+  }
+}

factories/encryption_manager.ts

@@ -5,4 +5,4 @@
  * @copyright Boring Node
  */
 
-export { EncryptionManagerFactory } from './encryption_manager.ts'
+export { EncryptionFactory } from './encryption.ts'

factories/main.ts

@@ -14,6 +14,8 @@
     ".": "./build/index.js",
     "./drivers/*": "./build/src/drivers/*.js",
     "./factories": "./build/factories/main.js",
+    "./message_verifier": "./build/src/message_verifier.js",
+    "./base64": "./build/src/base64.js",
     "./types": "./build/src/types/main.js"
   },
   "scripts": {

package.json

@@ -13,6 +13,18 @@ import * as errors from '../exceptions.ts'
 import type { AES256CBCConfig, CypherText, EncryptionDriverContract } from '../types/main.ts'
 import { base64UrlDecode, base64UrlEncode } from '../base64.ts'
 
+export interface AES256CBCDriverConfig {
+  id: string
+  keys: string[]
+}
+
+export function aes256cbc(config: AES256CBCDriverConfig) {
+  return {
+    driver: (key: string) => new AES256CBC({ id: config.id, key }),
+    keys: config.keys,
+  }
+}
+
 export class AES256CBC extends BaseDriver implements EncryptionDriverContract {
   #config: AES256CBCConfig
 
@@ -46,7 +58,7 @@ export class AES256CBC extends BaseDriver implements EncryptionDriverContract {
      */
     const iv = randomBytes(16)
 
-    const { encryptionKey, authenticationKey } = this.#deriveKey(this.getFirstKey().key, iv)
+    const { encryptionKey, authenticationKey } = this.#deriveKey(this.cryptoKey, iv)
 
     /**
      * Creating chiper
@@ -121,30 +133,28 @@ export class AES256CBC extends BaseDriver implements EncryptionDriverContract {
      * Make sure the hash is correct, it means the first 2 parts of the
      * string are not tampered.
      */
-    for (const { key } of this.cryptoKeys) {
-      const { encryptionKey, authenticationKey } = this.#deriveKey(key, iv)
-
-      const isValidHmac = new Hmac(authenticationKey).compare(
-        `${cipherEncoded}${this.separator}${ivEncoded}`,
-        macEncoded
-      )
-
-      if (!isValidHmac) {
-        continue
-      }
-
-      /**
-       * The Decipher can raise exceptions with malformed input, so we wrap it
-       * to avoid leaking sensitive information
-       */
-      try {
-        const decipher = createDecipheriv('aes-256-cbc', encryptionKey, iv)
-        const plainTextBuffer = Buffer.concat([decipher.update(cipherText), decipher.final()])
-        return new MessageBuilder().verify(plainTextBuffer, purpose)
-      } catch {}
+    const { encryptionKey, authenticationKey } = this.#deriveKey(this.cryptoKey, iv)
+
+    const isValidHmac = new Hmac(authenticationKey).compare(
+      `${cipherEncoded}${this.separator}${ivEncoded}`,
+      macEncoded
+    )
+
+    if (!isValidHmac) {
+      return null
     }
 
-    return null
+    /**
+     * The Decipher can raise exceptions with malformed input, so we wrap it
+     * to avoid leaking sensitive information
+     */
+    try {
+      const decipher = createDecipheriv('aes-256-cbc', encryptionKey, iv)
+      const plainTextBuffer = Buffer.concat([decipher.update(cipherText), decipher.final()])
+      return new MessageBuilder().verify(plainTextBuffer, purpose)
+    } catch {
+      return null
+    }
   }
 
   #deriveKey(masterKey: Buffer, iv: Buffer) {

src/drivers/aes_256_cbc.ts

@@ -12,6 +12,18 @@ import * as errors from '../exceptions.ts'
 import { base64UrlDecode, base64UrlEncode } from '../base64.ts'
 import type { AES256GCMConfig, CypherText, EncryptionDriverContract } from '../types/main.ts'
 
+export interface AES256GCMDriverConfig {
+  id: string
+  keys: string[]
+}
+
+export function aes256gcm(config: AES256GCMDriverConfig) {
+  return {
+    driver: (key: string) => new AES256GCM({ id: config.id, key }),
+    keys: config.keys,
+  }
+}
+
 export class AES256GCM extends BaseDriver implements EncryptionDriverContract {
   #config: AES256GCMConfig
 
@@ -48,7 +60,7 @@ export class AES256GCM extends BaseDriver implements EncryptionDriverContract {
     /**
      * Creating chiper
      */
-    const cipher = createCipheriv('aes-256-gcm', this.getFirstKey().key, iv)
+    const cipher = createCipheriv('aes-256-gcm', this.cryptoKey, iv)
 
     if (purpose) {
       cipher.setAAD(Buffer.from(purpose), { plaintextLength: Buffer.byteLength(purpose) })
@@ -122,25 +134,23 @@ export class AES256GCM extends BaseDriver implements EncryptionDriverContract {
       return null
     }
 
-    for (const { key } of this.cryptoKeys) {
-      /**
-       * The Decipher can raise exceptions with malformed input, so we wrap it
-       * to avoid leaking sensitive information
-       */
-      try {
-        const decipher = createDecipheriv('aes-256-gcm', key, iv)
+    /**
+     * The Decipher can raise exceptions with malformed input, so we wrap it
+     * to avoid leaking sensitive information
+     */
+    try {
+      const decipher = createDecipheriv('aes-256-gcm', this.cryptoKey, iv)
 
-        if (purpose) {
-          decipher.setAAD(Buffer.from(purpose), { plaintextLength: Buffer.byteLength(purpose) })
-        }
+      if (purpose) {
+        decipher.setAAD(Buffer.from(purpose), { plaintextLength: Buffer.byteLength(purpose) })
+      }
 
-        decipher.setAuthTag(tag)
+      decipher.setAuthTag(tag)
 
-        const plain = Buffer.concat([decipher.update(cipherText), decipher.final()])
-        return new MessageBuilder().verify(plain)
-      } catch {}
+      const plain = Buffer.concat([decipher.update(cipherText), decipher.final()])
+      return new MessageBuilder().verify(plain)
+    } catch {
+      return null
     }
-
-    return null
   }
 }

src/drivers/aes_256_gcm.ts

@@ -7,15 +7,14 @@
 
 import { createHash } from 'node:crypto'
 import * as errors from '../exceptions.ts'
-import { MessageVerifier } from '../message_verifier.ts'
 import type { BaseConfig, CypherText } from '../types/main.ts'
 
 export abstract class BaseDriver {
   /**
-   * The key for signing and encrypting values. It is derived
+   * The key for encrypting values. It is derived
    * from the user provided secret.
    */
-  cryptoKeys = new Set<{ key: Buffer; verifier: MessageVerifier }>()
+  cryptoKey: Buffer
 
   /**
    * Use `dot` as a separator for joining encrypted value, iv and the
@@ -24,16 +23,8 @@ export abstract class BaseDriver {
   separator = '.'
 
   protected constructor(config: BaseConfig) {
-    if (!config.keys || !Array.isArray(config.keys)) {
-      throw new errors.E_MISSING_ENCRYPTER_KEY()
-    }
-
-    for (const key of config.keys) {
-      this.#validateSecret(key)
-
-      const cryptoKey = createHash('sha256').update(key).digest()
-      this.cryptoKeys.add({ key: cryptoKey, verifier: new MessageVerifier(key) })
-    }
+    this.#validateSecret(config.key)
+    this.cryptoKey = createHash('sha256').update(config.key).digest()
   }
 
   /**
@@ -53,15 +44,6 @@ export abstract class BaseDriver {
     return values.join(this.separator) as CypherText
   }
 
-  protected getFirstKey() {
-    const [firstKey] = this.cryptoKeys
-    return firstKey
-  }
-
-  getMessageVerifier() {
-    return this.getFirstKey().verifier
-  }
-
   /**
    * Encrypt a given piece of value using the app secret. A wide range of
    * data types are supported.

src/drivers/base_driver.ts

@@ -12,6 +12,18 @@ import * as errors from '../exceptions.ts'
 import type { ChaCha20Poly1305Config, CypherText, EncryptionDriverContract } from '../types/main.ts'
 import { base64UrlDecode, base64UrlEncode } from '../base64.ts'
 
+export interface ChaCha20Poly1305DriverConfig {
+  id: string
+  keys: string[]
+}
+
+export function chacha20poly1305(config: ChaCha20Poly1305DriverConfig) {
+  return {
+    driver: (key: string) => new ChaCha20Poly1305({ id: config.id, key }),
+    keys: config.keys,
+  }
+}
+
 export class ChaCha20Poly1305 extends BaseDriver implements EncryptionDriverContract {
   #config: ChaCha20Poly1305Config
 
@@ -48,7 +60,7 @@ export class ChaCha20Poly1305 extends BaseDriver implements EncryptionDriverCont
     /**
      * Creating cipher
      */
-    const cipher = createCipheriv('chacha20-poly1305', this.getFirstKey().key, iv, {
+    const cipher = createCipheriv('chacha20-poly1305', this.cryptoKey, iv, {
       authTagLength: 16,
     })
 
@@ -124,27 +136,25 @@ export class ChaCha20Poly1305 extends BaseDriver implements EncryptionDriverCont
       return null
     }
 
-    for (const { key } of this.cryptoKeys) {
-      /**
-       * The Decipher can raise exceptions with malformed input, so we wrap it
-       * to avoid leaking sensitive information
-       */
-      try {
-        const decipher = createDecipheriv('chacha20-poly1305', key, iv, {
-          authTagLength: 16,
-        })
-
-        if (purpose) {
-          decipher.setAAD(Buffer.from(purpose), { plaintextLength: Buffer.byteLength(purpose) })
-        }
-
-        decipher.setAuthTag(tag)
-
-        const plain = Buffer.concat([decipher.update(cipherText), decipher.final()])
-        return new MessageBuilder().verify(plain)
-      } catch {}
-    }
+    /**
+     * The Decipher can raise exceptions with malformed input, so we wrap it
+     * to avoid leaking sensitive information
+     */
+    try {
+      const decipher = createDecipheriv('chacha20-poly1305', this.cryptoKey, iv, {
+        authTagLength: 16,
+      })
+
+      if (purpose) {
+        decipher.setAAD(Buffer.from(purpose), { plaintextLength: Buffer.byteLength(purpose) })
+      }
 
-    return null
+      decipher.setAuthTag(tag)
+
+      const plain = Buffer.concat([decipher.update(cipherText), decipher.final()])
+      return new MessageBuilder().verify(plain)
+    } catch {
+      return null
+    }
   }
 }