UNPKG

@bedrock/web-pouch-edv

Version:

PouchDB EDV Storage

github.com/digitalbazaar/bedrock-pouch-edv

digitalbazaar/bedrock-web-pouch-edv

345 lines (321 loc) 12.2 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
/*! * Copyright (c) 2022-2023 Digital Bazaar, Inc. All rights reserved. */ import * as edvs from './edvs.js'; import * as secrets from './secrets.js'; import {assert} from './assert.js'; import {EdvClientCore} from '@digitalbazaar/edv-client'; import {initialize} from './initialize.js'; import {PouchTransport} from './PouchTransport.js'; export class PouchEdvClient extends EdvClientCore { /** * Creates a new EDV client for connecting to an Encrypted Data Vault (EDV) * that is stored in PouchDB. * * @param {object} options - The options to use. * @param {object} [options.hmac] - A default HMAC API for blinding * indexable attributes. * @param {string} [options.id] - The ID of the EDV. * @param {object} [options.keyAgreementKey] - A default KeyAgreementKey * API for deriving shared KEKs for wrapping content encryption keys. * @param {Function} [options.keyResolver] - A default function that returns * a Promise that resolves a key ID to a DH public key. * @param {string} [options.cipherVersion='recommended'] - Sets the cipher * version to either "recommended" or "fips". * * @returns {PouchEdvClient} - PouchEdvClient. */ constructor({hmac, id, keyAgreementKey, keyResolver, cipherVersion} = {}) { super({hmac, id, keyAgreementKey, keyResolver, cipherVersion}); this.transport = new PouchTransport({edvId: this.id}); // create a transport for marking tombstoned EDV docs as deleted to // improve pouchdb index performance this._deleteTransport = Object.create(this.transport); this._deleteTransport.update = async ({encrypted}) => this.transport.update({encrypted, deleted: true}); } /** * @inheritdoc * * @param {object} options - The options to use. * @param {object} options.doc - The document to insert. * @param {ReadableStream} [options.stream] - A WHATWG Readable stream to read * from to associate chunked data with this document. * @param {number} [options.chunkSize=1048576] - The size, in bytes, of the * chunks to break the incoming stream data into. * @param {object[]} [options.recipients=[]] - A set of JWE recipients * to encrypt the document for; if not present, a default recipient will * be added using `this.keyAgreementKey` and if no `keyAgreementKey` is * set, an error will be thrown. * * @returns {Promise<object>} - Resolves to the inserted document. */ async insert({ doc, stream, chunkSize, recipients = [] } = {}) { const {transport} = this; return super.insert({doc, stream, chunkSize, recipients, transport}); } /** * @inheritdoc * * @param {object} options - The options to use. * @param {object} options.doc - The document to insert. * @param {ReadableStream} [options.stream] - A WHATWG Readable stream to read * from to associate chunked data with this document. * @param {number} [options.chunkSize=1048576] - The size, in bytes, of the * chunks to break the incoming stream data into. * @param {object} [options.recipients=[]] - A set of JWE recipients to * encrypt the document for; if present, recipients will be added to any * existing recipients; to remove existing recipients, modify the * `encryptedDoc.jwe.recipients` field. * * @returns {Promise<object>} - Resolves to the updated document. */ async update({doc, stream, chunkSize, recipients = []} = {}) { const {transport} = this; return super.update({doc, stream, chunkSize, recipients, transport}); } /** * @inheritdoc * * @param {object} options - The options to use. * @param {object} options.doc - The document to delete. * @param {object} [options.recipients=[]] - A set of JWE recipients to * encrypt the document for; if present, recipients will be added to * any existing recipients; to remove existing recipients, modify * the `encryptedDoc.jwe.recipients` field. * * @returns {Promise<boolean>} - Resolves to `true` if the document was * deleted. */ async delete({doc, recipients = []} = {}) { const {_deleteTransport} = this; return super.delete({doc, recipients, transport: _deleteTransport}); } /** * @inheritdoc * * @param {object} options - The options to use. * @param {string} options.id - The ID of the document to get. * * @returns {Promise<object>} - Resolves to the document. */ async get({id} = {}) { const {transport} = this; return super.get({id, transport}); } /** * @inheritdoc * * @param {object} options - The options to use. * @param {object} options.doc - The document to get a stream for. * * @returns {Promise<ReadableStream>} - Resolves to a `ReadableStream` to * read the chunked data from. */ async getStream({doc} = {}) { const {transport} = this; return super.getStream({doc, transport}); } /** * @inheritdoc * * @see find - For more detailed documentation on the search options. * * @param {object} options - The options to use. * @param {object|Array} [options.equals] - An object with key-value * attribute pairs to match or an array of such objects. * @param {string|Array} [options.has] - A string with an attribute name to * match or an array of such strings. * * @returns {Promise<number>} - Resolves to the number of matching documents. */ async count({equals, has} = {}) { const {transport} = this; return super.count({equals, has, transport}); } /** * @inheritdoc * * @param {object} options - The options to use. * @param {object|Array} [options.equals] - An object with key-value * attribute pairs to match or an array of such objects. * @param {string|Array} [options.has] - A string with an attribute name to * match or an array of such strings. * @param {boolean} [options.count] - Set to `false` to find all documents * that match a query or to `true` to give a count of documents. * @param {number} [options.limit] - Set to limit the number of documents * to be returned from a query (min=1, max=1000). * * @returns {Promise<object>} - Resolves to the matching documents: * {documents: [...]}. */ async find({equals, has, count = false, limit} = {}) { const {transport} = this; return super.find({equals, has, count, limit, transport}); } /** * @inheritdoc * * @param {object} options - The options to use. * * @returns {Promise<object>} - Resolves to the configuration for the EDV. */ async getConfig({} = {}) { const {transport} = this; return super.getConfig({transport}); } /** * @inheritdoc * * @param {object} options - The options to use. * @param {object} options.config - The new EDV config. * * @returns {Promise<void>} - Resolves once the operation completes. */ async updateConfig({config} = {}) { const {transport} = this; return super.updateConfig({config, transport}); } /** * Creates a new EDV using the given configuration. * * @param {object} options - The options to use. * @param {string} options.config - The EDV's configuration. * @param {string} [options.password] - A password to use if the keys for * the EDV should be generated and stored locally in encrypted storage. * @param {string} [options.cipherVersion='recommended'] - Sets the cipher * version to either "recommended" or "fips". * * @returns {Promise<object>} - Resolves to an object with: * `{config, edvClient}`; `edvClient` will be set if `password` is passed. */ static async createEdv({config, password, cipherVersion} = {}) { // initialize EDV databases (if not already initialized) await initialize(); let edvClient; if(password !== undefined) { if(config.hmac || config.keyAgreementKey) { throw new Error( '"config" must not have "hmac" or "keyAgreementKey" if these are ' + 'to be populated using locally generated secrets.'); } // generate encrypted secret, use the EDV ID as the secret's ID ... if // it already exists, try to reuse it const {hmac, keyAgreementKey} = await _lazyCreateSecret({ id: config.id, password, cipherVersion }); config = { ...config, hmac: {id: hmac.id, type: hmac.type}, keyAgreementKey: {id: keyAgreementKey.id, type: keyAgreementKey.type} }; edvClient = new PouchEdvClient({ hmac, id: config.id, keyAgreementKey, keyResolver: await _createKeyResolver({ keyAgreementKey, edvConfig: config }), cipherVersion }); } assert.edvConfig(config); const transport = new PouchTransport({edvId: config.id}); const newConfig = await transport.createEdv({config}); return {config: newConfig, edvClient}; } /** * Creates a new EDV client based on encrypted secrets saved in a local * PouchDB instance. The password to decrypt the secrets must be given. * * @param {object} options - The options to use. * @param {string} [options.edvId] - The ID of the EDV. * @param {string} [options.password] - The password to use to decrypt * the secrets. * * @returns {PouchEdvClient} - PouchEdvClient. */ static async fromLocalSecrets({edvId, password} = {}) { // initialize EDV databases (if not already initialized) await initialize(); // start getting EDV config const edvConfigPromise = edvs.get({id: edvId}); edvConfigPromise.catch(e => e); // load secret using the EDV ID as the secret ID const {config} = await secrets.get({id: edvId}); const result = await secrets.decrypt({config, password}); if(!result) { throw new Error('Invalid password.'); } const {hmac, keyAgreementKey, cipherVersion} = result; // finish getting EDV config const edvConfigResult = await edvConfigPromise; if(edvConfigResult instanceof Error) { throw edvConfigResult; } const {config: edvConfig} = edvConfigResult; return new PouchEdvClient({ hmac, id: config.id, keyAgreementKey, keyResolver: await _createKeyResolver({keyAgreementKey, edvConfig}), cipherVersion }); } /** * Generates a multibase encoded random 128-bit identifier for a document. * * @returns {Promise<string>} - Resolves to the identifier. */ static async generateId() { return EdvClientCore.generateId(); } } async function _createKeyResolver({keyAgreementKey, edvConfig} = {}) { // create key resolver for the EDV's key agreement key (and no other keys) const key = await keyAgreementKey.export(); key.controller = edvConfig.controller; return async function keyResolver({id}) { if(id === keyAgreementKey.id) { return key; } const error = new Error('Key not found.'); error.name = 'NotFoundError'; throw error; }; } // called during EDV creation async function _lazyCreateSecret({id, password, cipherVersion} = {}) { // generate encrypted secret, use the EDV ID as the secret's ID const {hmac, keyAgreementKey, config} = await secrets.generate( {id, password, cipherVersion}); try { await secrets.insert({config}); return {hmac, keyAgreementKey, config}; } catch(e) { if(e.name === 'ConstraintError') { // secret already exists... if EDV config already exists, throw a // duplicate error try { await edvs.get({id}); const error = new Error('Duplicate EDV configuration.'); error.name = 'DuplicateError'; throw error; } catch(e) { if(e.name !== 'NotFoundError') { throw e; } } // try to load existing secret and reuse it as it doesn't have a // matching EDV config yet const {config} = await secrets.get({id}); const result = await secrets.decrypt({config, password}); if(!result) { throw new Error( `Secret already exists for EDV ID (${id}) but password to unlock ` + 'it is invalid.'); } const {hmac, keyAgreementKey} = result; return {hmac, keyAgreementKey, config}; } throw e; } }