some more refactors, consolidate logic

Author: tylerccarson

keeperapi/src/configuration.ts

@@ -75,8 +75,9 @@ export interface VendorConfiguration {
 
 export interface TransmissionKey {
     key: Uint8Array
-    publicKeyId: number
-    encryptedKey: Uint8Array
+    publicKeyId: number // rename to ecKeyId?
+    // TODO: include mlKemKeyId
+    // encryptedKey: Uint8Array REMOVE
 }
 
 export interface QrcMessageKey {

keeperapi/src/endpoint.ts

@@ -161,36 +161,7 @@ export class KeeperEndpoint {
             const payload = 'toBytes' in message ? message.toBytes() : new Uint8Array()
             const apiVersion = message.apiVersion || 0
 
-            // Determine whether to use QRC or traditional EC encryption
-            const mlKemPublicKeyId = this.options.deviceConfig.mlKemPublicKeyId || 100
-
-            // TODO: consolidate this logic with prepareRequest
-            // Use QRC to wrap the transmission key
-            const ecKeyId = this.options.deviceConfig.transmissionKeyId || 7
-            if (!isAllowedNumber(ecKeyId)) {
-                throw new Error(`Invalid EC key ID: ${ecKeyId}`)
-            }
-
-            const serverEcPublicKey = platform.keys[ecKeyId]
-            const serverMlKemPublicKey = platform.mlKemKeys[mlKemPublicKeyId]
-
-            if (!serverEcPublicKey) {
-                throw new Error(`EC public key not found for ID: ${ecKeyId}`)
-            }
-            if (!serverMlKemPublicKey) {
-                throw new Error(`ML-KEM public key not found for ID: ${mlKemPublicKeyId}`)
-            }
-
-            const hpkeTransmissionKey = await generateHpkeTransmissionKey(
-                this._transmissionKey.key,
-                mlKemPublicKeyId,
-                serverEcPublicKey,
-                serverMlKemPublicKey,
-                ecKeyId,
-                true  // use optional data
-            )
-
-            const request = await prepareApiRequest(payload, hpkeTransmissionKey, sessionToken, this.locale, apiVersion)
+            const request = await prepareApiRequest(payload, this._transmissionKey, sessionToken, this.locale, apiVersion)
             log(`Calling REST URL: ${this.getUrl(message.path)}`, 'noCR');
             const startTime = Date.now()
             const response = await platform.post(this.getUrl(message.path), request)
@@ -205,7 +176,7 @@ export class KeeperEndpoint {
                 console.log("Response code:", response.statusCode);
             }
             try {
-                const decrypted = await platform.aesGcmDecrypt(response.data, hpkeTransmissionKey.key) // test still works
+                const decrypted = await platform.aesGcmDecrypt(response.data, this._transmissionKey.key)
                 if ('fromBytes' in message) return message.fromBytes(decrypted)
                 return
             } catch {
@@ -287,43 +258,7 @@ export class KeeperEndpoint {
 
     public async prepareRequest(payload: Uint8Array | unknown, sessionToken?: string, apiVersion?: number): Promise<Uint8Array> {
         this._transmissionKey = await this.getTransmissionKey()
-
-        // Determine whether to use QRC or traditional EC encryption
-        const mlKemPublicKeyId = this.options.deviceConfig.mlKemPublicKeyId
-        let requestTransmissionKey: TransmissionKey | TransmissionKeyHpke
-
-        if (mlKemPublicKeyId) {
-            // TODO: consolidate this logic with executeRestInternal
-            // Use QRC to wrap the transmission key
-            const ecKeyId = this.options.deviceConfig.transmissionKeyId || 7
-            if (!isAllowedNumber(ecKeyId)) {
-                throw new Error(`Invalid EC key ID: ${ecKeyId}`)
-            }
-
-            const serverEcPublicKey = platform.keys[ecKeyId]
-            const serverMlKemPublicKey = platform.mlKemKeys[mlKemPublicKeyId]
-
-            if (!serverEcPublicKey) {
-                throw new Error(`EC public key not found for ID: ${ecKeyId}`)
-            }
-            if (!serverMlKemPublicKey) {
-                throw new Error(`ML-KEM public key not found for ID: ${mlKemPublicKeyId}`)
-            }
-
-            requestTransmissionKey = await generateHpkeTransmissionKey(
-                this._transmissionKey.key,
-                mlKemPublicKeyId,
-                serverEcPublicKey,
-                serverMlKemPublicKey,
-                ecKeyId,
-                true  // use optional data
-            )
-        } else {
-            // Use traditional EC encryption
-            requestTransmissionKey = this._transmissionKey
-        }
-
-        return prepareApiRequest(payload, requestTransmissionKey, sessionToken, this.locale, apiVersion)
+        return prepareApiRequest(payload, this._transmissionKey, sessionToken, this.locale, apiVersion)
     }
 
     async decryptPushMessage(pushMessageData: Uint8Array): Promise<WssClientResponse> {
@@ -396,9 +331,10 @@ export async function getPushConnectionRequest(messageSessionUid: Uint8Array, tr
     return webSafe64FromBytes(apiRequest)
 }
 
+// why isn't this on the KeeperEndpoint class?
 export async function prepareApiRequest(
     payload: Uint8Array | unknown,
-    transmissionKey: TransmissionKey | TransmissionKeyHpke,
+    transmissionKey: TransmissionKey,
     sessionToken?: string,
     locale?: string,
     apiVersion?: number
@@ -416,36 +352,40 @@ export async function prepareApiRequest(
     let requestPayloadBytes = ApiRequestPayload.encode(requestPayload).finish()
     let encryptedRequestPayload = await platform.aesGcmEncrypt(requestPayloadBytes, transmissionKey.key)
 
-    // Check if this is a QRC transmission key
-    const isQrc = 'qrcMessageKey' in transmissionKey;
-
-    let apiRequest: Authentication.IApiRequest;
-    if (isQrc) {
-        // Use QRC encryption
-        const qrcKey = transmissionKey as TransmissionKeyHpke;
-        apiRequest = ApiRequest.create({
-            qrcMessageKey: {
-                clientEcPublicKey: qrcKey.qrcMessageKey.clientEcPublicKey,
-                mlKemEncapsulatedKey: qrcKey.qrcMessageKey.mlKemEncapsulatedKey,
-                data: qrcKey.qrcMessageKey.data,
-                msgVersion: qrcKey.qrcMessageKey.msgVersion,
-                ecKeyId: qrcKey.qrcMessageKey.ecKeyId
-            },
-            encryptedPayload: encryptedRequestPayload,
-            publicKeyId: qrcKey.publicKeyId,  // ML-KEM key ID
-            encryptedTransmissionKey: qrcKey.optionalData || new Uint8Array(0),  // Optional data or empty
-            locale: locale || 'en_US'
-        });
-    } else {
-        // Use traditional EC encryption
-        apiRequest = ApiRequest.create({
-            encryptedTransmissionKey: transmissionKey.encryptedKey,
-            encryptedPayload: encryptedRequestPayload,
-            publicKeyId: transmissionKey.publicKeyId,
-            locale: locale || 'en_US'
-        });
+    // Use QRC to wrap the transmission key
+    const mlKemPublicKeyId = 100 // HARD CODED FOR NOW this.options.deviceConfig.mlKemPublicKeyId || 100
+    const ecKeyId = transmissionKey.publicKeyId
+    if (!isAllowedNumber(ecKeyId)) {
+        throw new Error(`Invalid EC key ID: ${ecKeyId}`)
     }
 
+    const serverEcPublicKey = platform.keys[ecKeyId]
+    const serverMlKemPublicKey = platform.mlKemKeys[mlKemPublicKeyId]
+
+    if (!serverEcPublicKey) {
+        throw new Error(`EC public key not found for ID: ${ecKeyId}`)
+    }
+    if (!serverMlKemPublicKey) {
+        throw new Error(`ML-KEM public key not found for ID: ${mlKemPublicKeyId}`)
+    }
+
+    const hpkeTransmissionKey = await generateHpkeTransmissionKey(
+        transmissionKey.key,
+        mlKemPublicKeyId,
+        serverEcPublicKey,
+        serverMlKemPublicKey,
+        ecKeyId,
+        true  // use optional data
+    )
+
+    const apiRequest = ApiRequest.create({
+        qrcMessageKey: hpkeTransmissionKey.qrcMessageKey,
+        encryptedPayload: encryptedRequestPayload,
+        publicKeyId: hpkeTransmissionKey.publicKeyId,  // ML-KEM key ID
+        encryptedTransmissionKey: hpkeTransmissionKey.optionalData || new Uint8Array(0),  // Optional data or empty
+        locale: locale || 'en_US'
+    });
+
     return ApiRequest.encode(apiRequest).finish()
 }
 

keeperapi/src/utils.ts

@@ -47,13 +47,16 @@ export function getKeeperAutomatorAdminUrl(host: KeeperHost, forPath: string, au
 
 export async function generateTransmissionKey(keyNumber: AllowedNumbers): Promise<TransmissionKey> {
     const transmissionKey = platform.getRandomBytes(32)
+    // Hmm. Do we switch this to HPKE only?
     return {
-        publicKeyId: keyNumber,
+        publicKeyId: keyNumber, // TODO: rename to ecKeyId
         key: transmissionKey,
-        encryptedKey: await platform.publicEncryptEC(transmissionKey, platform.keys[keyNumber])
+        // TODO: add the mlKemKeyId
+        // encryptedKey: await platform.publicEncryptEC(transmissionKey, platform.keys[keyNumber]) // deprecate this
     }
 }
 
+// call this instead (is it exported? also, should we just return the protobuf instead?
 export async function generateHpkeTransmissionKey(
     transmissionKey: Uint8Array,
     mlKemKeyId: number,