#39 Expose methods to add/subtract private keys for key rotation (#40)

* #39 Expose methods to add/subtract private keys for key rotation

* Try specific version of alpine

* Try alpine 3.9

* Add note about why use a specific version of Alpine for Node 10

Author: Ernie Turner

.travis.yml

@@ -1,6 +1,6 @@
 language: rust
 rust:
-    - 1.38.0
+    - 1.41.0
 
 services:
     - docker
@@ -14,25 +14,6 @@ jobs:
     include:
         # PRs, pushes to master, and tags build on all target arches
         # if this is release tag, the resultant binary will be uploaded to github
-        - name: "Linux - Node 8 - glibc"
-          os: linux
-          env:
-              - TRAVIS_NODE_VERSION="8"
-              - SKIP_DEPLOY=0
-          if: tag =~ /^\d+\.\d+\.\d+/ OR branch = master OR type = pull_request
-        - name: "Linux - Node 8 - musl"
-          os: linux
-          env:
-              - SKIP_DEPLOY=0
-              - IMAGE=8-alpine
-              - INDOCKER="docker exec target"
-          if: tag =~ /^\d+\.\d+\.\d+/ OR branch = master OR type = pull_request
-        - name: "OSX - Node 8"
-          os: osx
-          env:
-              - TRAVIS_NODE_VERSION="8"
-              - SKIP_DEPLOY=0
-          if: tag =~ /^\d+\.\d+\.\d+/ OR branch = master OR type = pull_request
         - name: "Linux - Node 10 - glibc"
           os: linux
           env:
@@ -43,7 +24,10 @@ jobs:
           os: linux
           env:
               - SKIP_DEPLOY=0
-              - IMAGE=10-alpine
+              # Node 10 and Alpine 3.10/3.11 do not play well together and causes a random
+              # segfault when we try to run jest. So use Alpine 3.9 which does work.
+              # Ref: https://github.com/nodejs/docker-node/issues/1158
+              - IMAGE=10-alpine3.9
               - INDOCKER="docker exec target"
           if: tag =~ /^\d+\.\d+\.\d+/ OR branch = master OR type = pull_request
         - name: "OSX - Node 10"
@@ -77,7 +61,7 @@ jobs:
           name: "Publish to npm"
           os: linux
           env:
-              - TRAVIS_NODE_VERSION="8"
+              - TRAVIS_NODE_VERSION="10"
               - SKIP_DEPLOY=1
 
               # NPM_TOKEN

CHANGELOG.md

@@ -1,3 +1,15 @@
+## 0.7.0
+
+### Breaking Changes
+
+-   Removed support for Node 8.
+
+### Changed
+
+-   Added Windows builds.
+-   Added method `addPrivateKeys(privKeyA: PrivateKey, privKeyB: PrivateKey): PrivateKey` which takes two private keys and adds them together to return a new private key.
+-   Added method `subtractPrivateKeys(privKeyA: PrivateKey, privKeyB: PrivateKey): PrivateKey` which takes two private keys and subtracts `privKeyB` from `privKeyA` to return a new private key.
+
 ## 0.6.1
 
 ### Breaking Changes

README.md

@@ -9,11 +9,11 @@ This library uses the [Neon Bindings](https://www.neon-bindings.com) toolchain t
 
 ## Supported Platforms
 
-|                       | Node 8 | Node 10 | Node 12 |
-| --------------------- | ------ | ------- | ------- |
-| Linux x64 - glibc     | ✓      | ✓       | ✓       |
-| Linux x64 - musl-libc | ✓      | ✓       | ✓       |
-| OSX x64               | ✓      | ✓       | ✓       |
+|                       | Node 10 | Node 12 |
+| --------------------- | ------- | ------- |
+| Linux x64 - glibc     | ✓       | ✓       |
+| Linux x64 - musl-libc | ✓       | ✓       |
+| OSX x64               | ✓       | ✓       |
 
 ## Install
 

index.d.ts

@@ -42,6 +42,8 @@ export interface TransformKey {
 export function augmentPublicKey256(publicKey: PublicKey, otherPublicKey: PublicKey): PublicKey;
 export function augmentTransformKey256(transformKey: TransformKey, privateKey: PrivateKey): TransformKey;
 export function transformKeyToBytes256(transformKey: TransformKey): Buffer;
+export function addPrivateKeys(privateKeyA: PrivateKey, privateKeyB: PrivateKey): PrivateKey;
+export function subtractPrivateKeys(privateKeyA: PrivateKey, privateKeyB: PrivateKey): PrivateKey;
 export class Api256 {
     constructor();
     generateKeyPair(): KeyPair;

native/Cargo.lock

@@ -1,9 +1,7 @@
-use neon::prelude::*;
-use neon::types::JsBuffer;
-use recrypt::api::Hashable;
+use neon::{prelude::*, types::JsBuffer};
 use recrypt::api::{
-    CryptoOps, DefaultRng, Ed25519, Ed25519Ops, KeyGenOps, PublicSigningKey, RandomBytes, Recrypt,
-    SchnorrOps, Sha256, SigningKeypair,
+    CryptoOps, DefaultRng, Ed25519, Ed25519Ops, Hashable, KeyGenOps, PublicSigningKey, RandomBytes,
+    Recrypt, SchnorrOps, Sha256, SigningKeypair,
 };
 use util;
 
@@ -268,9 +266,7 @@ declare_types! {
     }
 }
 
-///
 /// Augment the provided transform key with the provided private key. Returns an augmented TransformKey object.
-///
 pub fn augment_transform_key_256(mut cx: FunctionContext) -> JsResult<JsObject> {
     let transform_key_obj: Handle<JsObject> = cx.argument::<JsObject>(0)?;
     let private_key_buffer: Handle<JsBuffer> = cx.argument::<JsBuffer>(1)?;
@@ -283,9 +279,7 @@ pub fn augment_transform_key_256(mut cx: FunctionContext) -> JsResult<JsObject>
     Ok(util::transform_key_to_js_object(&mut cx, augmented_transform_key)?.upcast())
 }
 
-///
 /// Augment the provided public key with the other provided public key. Returns a new augmented PublicKey object.
-///
 pub fn augment_public_key_256(mut cx: FunctionContext) -> JsResult<JsObject> {
     let current_public_key_obj: Handle<JsObject> = cx.argument::<JsObject>(0)?;
     let other_public_key_obj: Handle<JsObject> = cx.argument::<JsObject>(1)?;
@@ -302,10 +296,8 @@ pub fn augment_public_key_256(mut cx: FunctionContext) -> JsResult<JsObject> {
     Ok(util::public_key_to_js_object(&mut cx, &augmented_public_key)?.upcast())
 }
 
-///
 /// Hash the provided transform key into a buffer of bytes. The various transform key object fields are concatenated
 /// in a specific order in order for transform keys to be signed over.
-///
 pub fn transform_key_to_bytes_256(mut cx: FunctionContext) -> JsResult<JsBuffer> {
     let transform_key_obj: Handle<JsObject> = cx.argument::<JsObject>(0)?;
     let transform_key = util::js_object_to_transform_key(&mut cx, transform_key_obj);
@@ -314,3 +306,23 @@ pub fn transform_key_to_bytes_256(mut cx: FunctionContext) -> JsResult<JsBuffer>
 
     Ok(transform_key_bytes)
 }
+
+/// Add the two provided private keys together. Used when performing key rotation.
+pub fn add_private_keys(mut cx: FunctionContext) -> JsResult<JsBuffer> {
+    let pub_key_a: Handle<JsBuffer> = cx.argument::<JsBuffer>(0)?;
+    let pub_key_b: Handle<JsBuffer> = cx.argument::<JsBuffer>(1)?;
+    let augmented = util::buffer_to_private_key(&cx, pub_key_a)
+        .augment_plus(&util::buffer_to_private_key(&cx, pub_key_b));
+
+    Ok(util::bytes_to_buffer(&mut cx, &augmented.to_bytes())?)
+}
+
+/// Subtract the second provided private key from the first provided private key. Used when performing key rotation
+pub fn subtract_private_keys(mut cx: FunctionContext) -> JsResult<JsBuffer> {
+    let pub_key_a: Handle<JsBuffer> = cx.argument::<JsBuffer>(0)?;
+    let pub_key_b: Handle<JsBuffer> = cx.argument::<JsBuffer>(1)?;
+    let augmented = util::buffer_to_private_key(&cx, pub_key_a)
+        .augment_minus(&util::buffer_to_private_key(&cx, pub_key_b));
+
+    Ok(util::bytes_to_buffer(&mut cx, &augmented.to_bytes())?)
+}

native/src/api256.rs

@@ -9,5 +9,7 @@ register_module!(mut cx, {
     cx.export_function("augmentTransformKey256", api256::augment_transform_key_256)?;
     cx.export_function("augmentPublicKey256", api256::augment_public_key_256)?;
     cx.export_function("transformKeyToBytes256", api256::transform_key_to_bytes_256)?;
+    cx.export_function("addPrivateKeys", api256::add_private_keys)?;
+    cx.export_function("subtractPrivateKeys", api256::subtract_private_keys)?;
     cx.export_class::<api256::Api256>("Api256")
 });

native/src/lib.rs

@@ -1,16 +1,13 @@
-use neon::prelude::*;
-use neon::types::JsBuffer;
+use neon::{prelude::*, types::JsBuffer};
 use recrypt::api::{
     AuthHash, Ed25519Signature, EncryptedMessage, EncryptedTempKey, EncryptedValue, HashedValue,
     Plaintext, PrivateKey, PublicKey, PublicSigningKey, SchnorrSignature, TransformBlock,
     TransformKey,
 };
 use recrypt::nonemptyvec::NonEmptyVec;
 
-///
 /// Create an `$n` byte fixed u8 array given the provided JsBuffer handle. Throws an error if the provided Buffer
 /// is not of the required length.
-///
 macro_rules! buffer_to_fixed_bytes { ($($fn_name: ident, $n: expr); *) => {
     $(pub fn $fn_name<'a, T>(cx: &T, mut buffer: Handle<JsBuffer>, field_name: &str) -> [u8; $n]
         where T: Context<'a>{
@@ -28,12 +25,8 @@ macro_rules! buffer_to_fixed_bytes { ($($fn_name: ident, $n: expr); *) => {
 // Create the various methods we need to convert buffers into fixed length bytes
 buffer_to_fixed_bytes! {buffer_to_fixed_32_bytes, 32; buffer_to_fixed_64_bytes, 64; buffer_to_fixed_128_bytes, 128; buffer_to_fixed_384_bytes, 384}
 
-///
-/// Create a macro for converting JsBuffers to different types of signature objects which all have the same size. Marked as dead code because usage
-/// of this function in the wrapped macro in `api256.rs` can't be parsed by Rust.
-///
+/// Create a macro for converting JsBuffers to different types of signature objects which all have the same size.
 macro_rules! buffer_to_signature { ($($fn_name: ident, $sig_type: expr, $ret_type: ty); *) => {
-    #[allow(dead_code)]
     $(pub fn $fn_name<'a, T: Context<'a>>(cx: &T, buffer: Handle<JsBuffer>) -> $ret_type {
         $sig_type(buffer_to_fixed_64_bytes(cx, buffer, "signature"))
     })+
@@ -42,9 +35,7 @@ macro_rules! buffer_to_signature { ($($fn_name: ident, $sig_type: expr, $ret_typ
 // Create two methods from the macro for Schnorr and ED25519 signatures
 buffer_to_signature! {buffer_to_schnorr_signature, SchnorrSignature::new, SchnorrSignature; buffer_to_ed25519_signature, Ed25519Signature::new, Ed25519Signature}
 
-///
 /// Convert a JsBuffer handle of variable size into a vector
-///
 pub fn buffer_to_variable_bytes<'a, T: Context<'a>>(
     cx: &T,
     mut buffer: Handle<JsBuffer>,
@@ -54,9 +45,7 @@ pub fn buffer_to_variable_bytes<'a, T: Context<'a>>(
     slice.to_vec()
 }
 
-///
 /// Copy the bytes from the provided u8 slice into the provided JS Buffer object
-///
 pub fn bytes_to_buffer<'a, T: Context<'a>>(
     cx: &mut T,
     data: &[u8],
@@ -68,25 +57,17 @@ pub fn bytes_to_buffer<'a, T: Context<'a>>(
     Ok(buffer)
 }
 
-///
 /// Convert a JsBuffer handle into a PrivateKey
-///
 pub fn buffer_to_private_key<'a, T: Context<'a>>(cx: &T, buffer: Handle<JsBuffer>) -> PrivateKey {
     PrivateKey::new(buffer_to_fixed_32_bytes(cx, buffer, "privateKey"))
 }
 
-///
-/// Convert a JsBuffer handle to a Plaintext object. Marked as dead code because usage
-/// of this function in the wrapped macro in `api256.rs` can't be parsed by Rust
-///
-#[allow(dead_code)]
+/// Convert a JsBuffer handle to a Plaintext object.
 pub fn buffer_to_plaintext<'a, T: Context<'a>>(cx: &T, buffer: Handle<JsBuffer>) -> Plaintext {
     Plaintext::new(buffer_to_fixed_384_bytes(cx, buffer, "plaintext"))
 }
 
-///
 /// Convert a JsObject with x/y Buffers into a PublicKey
-///
 pub fn js_object_to_public_key<'a, T: Context<'a>>(
     cx: &mut T,
     object: Handle<JsObject>,
@@ -101,9 +82,7 @@ pub fn js_object_to_public_key<'a, T: Context<'a>>(
     .unwrap()
 }
 
-///
 /// Convert a Recrypt PublicKey struct into a JsObject with x/y properties which are Buffers
-///
 pub fn public_key_to_js_object<'a, T: Context<'a>>(
     cx: &mut T,
     public_key: &PublicKey,
@@ -118,9 +97,7 @@ pub fn public_key_to_js_object<'a, T: Context<'a>>(
     Ok(public_key_obj)
 }
 
-///
 /// Convert a JsObject which represents a TransformKey into an internal recrypt TransformKey
-///
 pub fn js_object_to_transform_key<'a, T: Context<'a>>(
     cx: &mut T,
     object: Handle<JsObject>,
@@ -179,9 +156,7 @@ pub fn js_object_to_transform_key<'a, T: Context<'a>>(
     )
 }
 
-///
 /// Convert a Recrypt TransformKey into a JsObject with expected properties and bytes converted to Buffers
-///
 pub fn transform_key_to_js_object<'a, T: Context<'a>>(
     cx: &mut T,
     transform_key: TransformKey,
@@ -206,11 +181,7 @@ pub fn transform_key_to_js_object<'a, T: Context<'a>>(
     Ok(transform_key_obj)
 }
 
-///
-/// Convert an array of transform blocks into a non-empty vector of internal recrypt TransformBlock structs. Marked as dead code because usage
-/// of this function in the wrapped macro in `api256.rs` can't be parsed by Rust
-///
-#[allow(dead_code)]
+/// Convert an array of transform blocks into a non-empty vector of internal recrypt TransformBlock structs.
 pub fn js_object_to_transform_blocks<'a, T: Context<'a>>(
     cx: &mut T,
     js_array: Handle<JsArray>,
@@ -263,11 +234,7 @@ pub fn js_object_to_transform_blocks<'a, T: Context<'a>>(
     NonEmptyVec::try_from(&blocks).unwrap()
 }
 
-///
-/// Iterate through the provided internal TransformBlocks and convert each block to an external array of transform block objects. Marked as dead code because usage
-/// of this function in the wrapped macro in `api256.rs` can't be parsed by Rust
-///
-#[allow(dead_code)]
+/// Iterate through the provided internal TransformBlocks and convert each block to an external array of transform block objects.
 pub fn transform_blocks_to_js_object<'a, T: Context<'a>>(
     cx: &mut T,
     transform_blocks: Vec<TransformBlock>,
@@ -303,11 +270,7 @@ pub fn transform_blocks_to_js_object<'a, T: Context<'a>>(
     Ok(blocks_array)
 }
 
-///
-/// Convert a JsObject with various encrypted value keys into a EncryptedOnce or TransformedValue value. Marked as dead code because usage
-/// of this function in the wrapped macro in `api256.rs` can't be parsed by Rust
-///
-#[allow(dead_code)]
+/// Convert a JsObject with various encrypted value keys into a EncryptedOnce or TransformedValue value.
 pub fn js_object_to_encrypted_value<'a, T: Context<'a>>(
     cx: &mut T,
     object: Handle<JsObject>,
@@ -380,11 +343,7 @@ pub fn js_object_to_encrypted_value<'a, T: Context<'a>>(
     encrypted_value
 }
 
-///
-/// Convert a Recrypt EncryptedValue into a JsObbject with expeted properties and bytes converted to Buffers. Marked as dead code because usage
-/// of this function in the wrapped macro in `api256.rs` can't be parsed by Rust
-///
-#[allow(dead_code)]
+/// Convert a Recrypt EncryptedValue into a JsObbject with expeted properties and bytes converted to Buffers.
 pub fn encrypted_value_to_js_object<'a, T: Context<'a>>(
     cx: &mut T,
     encrypted_value: EncryptedValue,

native/src/util.rs

@@ -31,10 +31,10 @@
         "node-pre-gyp": "^0.14.0"
     },
     "devDependencies": {
-        "@types/node": "^12.12.20",
+        "@types/node": "^12.12.27",
         "benchmark": "^2.1.4",
-        "jest": "^24.9.0",
-        "jest-extended": "^0.11.2",
+        "jest": "^25.1.0",
+        "jest-extended": "^0.11.5",
         "neon-cli": "^0.3.3",
         "shelljs": "^0.8.3"
     },

package.json

@@ -466,4 +466,30 @@ describe("Recrypt-Node", () => {
             expect(transformKeyBytes).toHaveLength(672);
         });
     });
+
+    describe("addPrivateKeys", () => {
+        it("should add together the provided keys", () => {
+            //prettier-ignore
+            const key1 = Buffer.from([1, 2, 0, 221, 116, 9, 241, 149, 253, 82, 219, 45, 60, 186, 93, 114, 202, 103, 9, 191, 29, 148, 18, 27, 243, 116, 136, 1, 180, 1, 1, 0]);
+            //prettier-ignore
+            const key2 = Buffer.from([1, 1, 1, 104, 32, 121, 170, 221, 21, 229, 188, 159, 140, 164, 44, 173, 30, 151, 210, 60, 34, 10, 160, 186, 168, 36, 102, 174, 64, 0, 0, 1]);
+            expect(recrypt.addPrivateKeys(key1, key2)).toEqual(
+                //prettier-ignore
+                Buffer.from([2, 3, 2, 69, 148, 131, 156, 115, 19, 56, 151, 204, 201, 94, 138, 31, 232, 254, 219, 251, 63, 158, 178, 214, 155, 152, 238, 175, 244, 1, 1, 1])
+            );
+        });
+    });
+
+    describe("subtractPrivateKeys", () => {
+        it("should subtract the provided keys", () => {
+            //prettier-ignore
+            const key1 = Buffer.from([1, 2, 0, 221, 116, 9, 241, 149, 253, 82, 219, 45, 60, 186, 93, 114, 202, 103, 9, 191, 29, 148, 18, 27, 243, 116, 136, 1, 180, 1, 1, 0]);
+            //prettier-ignore
+            const key2 = Buffer.from([1, 1, 1, 104, 32, 121, 170, 221, 21, 229, 188, 159, 140, 164, 44, 173, 30, 151, 210, 60, 34, 10, 160, 186, 168, 36, 102, 174, 64, 0, 0, 1]);
+            expect(recrypt.subtractPrivateKeys(key1, key2)).toEqual(
+                //prettier-ignore
+                Buffer.from([0, 0, 255, 117, 83, 144, 70, 184, 231, 109, 30, 141, 176, 22, 48, 197, 171, 207, 55, 130, 251, 137, 113, 97, 75, 80, 33, 83, 116, 1, 0, 255])
+            );
+        });
+    });
 });