HPKE wrapped transmission key

- add `useHpkeForTransmissionKey` config option to opt in

- [ ] remaining ML-KEM public keys

- [ ] unit tests?

Author: tylerccarson

keeperapi/package-lock.json

@@ -19,6 +19,7 @@
     "publish-to-npm": "npm publish"
   },
   "dependencies": {
+    "@noble/post-quantum": "^0.5.2",
     "asmcrypto.js": "^2.3.2",
     "faye-websocket": "^0.11.3",
     "form-data": "^4.0.4",

keeperapi/package.json

@@ -10,7 +10,7 @@ import {
 } from '../platform'
 import {_asnhex_getHexOfV_AtObj, _asnhex_getPosArrayOfChildren_AtObj} from "./asn1hex";
 import {RSAKey} from "./rsa";
-import {getKeeperKeys} from "../transmissionKeys";
+import {getKeeperKeys, getKeeperMlKemKeys} from "../transmissionKeys";
 import {normal64, normal64Bytes, webSafe64FromBytes} from "../utils";
 import {SocketProxy, socketSendMessage} from '../socket'
 import * as asmCrypto from 'asmcrypto.js'
@@ -45,6 +45,7 @@ export const browserPlatform: Platform = class {
     }
 
     static keys = getKeeperKeys(this.normal64Bytes);
+    static mlKemKeys = getKeeperMlKemKeys(this.base64ToBytes);
 
     static getRandomBytes(length: number): Uint8Array {
         let data = new Uint8Array(length);
@@ -808,7 +809,11 @@ export const browserPlatform: Platform = class {
     }
 
     static async calcAuthVerifier(key: Uint8Array): Promise<Uint8Array> {
-        let digest = await crypto.subtle.digest("SHA-256", key);
+        return this.sha256(key);
+    }
+
+    static async sha256(data: Uint8Array): Promise<Uint8Array> {
+        const digest = await crypto.subtle.digest("SHA-256", data);
         return new Uint8Array(digest);
     }
 

keeperapi/src/browser/platform.ts

@@ -26,6 +26,7 @@ export interface ClientConfiguration {
     useSessionResumption?: boolean
     iterations?: number
     salt?: Uint8Array
+    useHpkeForTransmissionKey?: boolean
 }
 export interface ClientConfigurationInternal extends ClientConfiguration {
     deviceConfig: DeviceConfig // v15+ device config
@@ -39,6 +40,7 @@ export type KeeperError = {
     path?: string
     result_code?: string
     key_id?: number
+    qrc_ec_key_id?: number
     region_host?: string
 }
 
@@ -48,6 +50,7 @@ export interface DeviceConfig {
     privateKey?: Uint8Array
     publicKey?: Uint8Array
     transmissionKeyId?: number
+    mlKemPublicKeyId?: number
 }
 
 export interface SessionStorage {
@@ -74,8 +77,24 @@ export interface VendorConfiguration {
 
 export interface TransmissionKey {
     key: Uint8Array
-    publicKeyId: number
-    encryptedKey: Uint8Array
+    ecKeyId: number
+    ecEncryptedKey: Uint8Array
+    mlKemKeyId: number
+}
+
+export interface QrcMessageKey {
+    clientEcPublicKey: Uint8Array
+    mlKemEncapsulatedKey: Uint8Array
+    data: Uint8Array
+    msgVersion: number
+    ecKeyId: number
+}
+
+export interface TransmissionKeyHpke {
+    key: Uint8Array
+    mlKemKeyId: number
+    qrcMessageKey: QrcMessageKey
+    optionalData?: Uint8Array
 }
 
 export interface AuthUI {

keeperapi/src/configuration.ts

@@ -4,6 +4,7 @@ import {platform} from './platform'
 import {
     formatTimeDiff,
     generateTransmissionKey,
+    generateHpkeTransmissionKey,
     getKeeperUrl,
     isTwoFactorResultCode, log,
     normal64Bytes,
@@ -26,7 +27,7 @@ import WssClientResponse = Push.WssClientResponse;
 import WssConnectionRequest = Push.WssConnectionRequest;
 import SsoCloudResponse = SsoCloud.SsoCloudResponse;
 import {KeeperHttpResponse, RestCommand} from './commands'
-import { AllowedNumbers, isAllowedNumber } from './transmissionKeys'
+import {AllowedEcKeyIds, AllowedMlKemKeyIds, isAllowedEcKeyId, isAllowedMlKemKeyId} from './transmissionKeys'
 
 export class KeeperEndpoint {
     private _transmissionKey?: TransmissionKey
@@ -37,21 +38,29 @@ export class KeeperEndpoint {
     private onsitePrivateKey: Uint8Array | null = null
     private onsitePublicKey: Uint8Array | null = null
 
-    constructor(private options: ClientConfigurationInternal) {       
+    private useHpkeForTransmissionKey: boolean = false
+
+    constructor(private options: ClientConfigurationInternal) {
         if (options.deviceToken) {
             this.deviceToken = options.deviceToken
-        } 
+        }
         if (options.locale) {
             this.locale = options.locale
         }
+        if (options.useHpkeForTransmissionKey) {
+            this.useHpkeForTransmissionKey = true
+        }
     }
 
     async getTransmissionKey():Promise<TransmissionKey> {
-        const deviceConfigTransmissionKeyId = this.options.deviceConfig.transmissionKeyId || 7
-        if(!this._transmissionKey && isAllowedNumber(deviceConfigTransmissionKeyId)){
-            this._transmissionKey = await generateTransmissionKey(deviceConfigTransmissionKeyId)
+        const DEFAULT_PROD_EC_KEY_ID = 10
+        const DEFAULT_PROD_ML_KEM_KEY_ID = 100
+        const deviceConfigTransmissionKeyId = this.options.deviceConfig.transmissionKeyId || DEFAULT_PROD_EC_KEY_ID
+        const deviceConfigMlKemKeyId = this.options.deviceConfig.mlKemPublicKeyId || DEFAULT_PROD_ML_KEM_KEY_ID
+        if(!this._transmissionKey && isAllowedEcKeyId(deviceConfigTransmissionKeyId) && isAllowedMlKemKeyId(deviceConfigMlKemKeyId)){
+            this._transmissionKey = await generateTransmissionKey(deviceConfigTransmissionKeyId, deviceConfigMlKemKeyId)
         } else if(!this._transmissionKey){
-            this._transmissionKey = await generateTransmissionKey(7)
+            this._transmissionKey = await generateTransmissionKey(DEFAULT_PROD_EC_KEY_ID, DEFAULT_PROD_ML_KEM_KEY_ID)
         }
 
         return this._transmissionKey
@@ -159,7 +168,15 @@ export class KeeperEndpoint {
         while (true) {
             const payload = 'toBytes' in message ? message.toBytes() : new Uint8Array()
             const apiVersion = message.apiVersion || 0
-            const request = await this.prepareRequest(payload, sessionToken, apiVersion)
+
+            const request = await prepareApiRequest({
+                payload, 
+                transmissionKey: this._transmissionKey, 
+                sessionToken, 
+                locale: this.locale, 
+                apiVersion, 
+                useHpkeForTransmissionKey: this.useHpkeForTransmissionKey
+            })
             log(`Calling REST URL: ${this.getUrl(message.path)}`, 'noCR');
             const startTime = Date.now()
             const response = await platform.post(this.getUrl(message.path), request)
@@ -183,9 +200,14 @@ export class KeeperEndpoint {
                     const errorObj: KeeperError = JSON.parse(errorMessage)
                     switch (errorObj.error) {
                         case 'key':
-                            if(isAllowedNumber(errorObj.key_id!)){
-                                await this.updateTransmissionKey(errorObj.key_id!)
-                            } else {
+                            if (errorObj.qrc_ec_key_id && isAllowedEcKeyId(errorObj.qrc_ec_key_id) && isAllowedMlKemKeyId(errorObj.key_id!)){
+                                // Rotate EC key and ML-KEM key
+                                await this.updateTransmissionKey(errorObj.qrc_ec_key_id!, errorObj.key_id!)
+                            } else if (errorObj.key_id && isAllowedEcKeyId(errorObj.key_id) && this._transmissionKey) {
+                                // Rotate EC key
+                                await this.updateTransmissionKey(errorObj.key_id, this._transmissionKey.mlKemKeyId as AllowedMlKemKeyIds)
+                            }
+                            else {
                                 throw new Error('Incorrect Transmission Key ID being used.')
                             }
                             continue
@@ -245,18 +267,26 @@ export class KeeperEndpoint {
         return platform.get(this.getUrl(path), {})
     }
 
-    public async updateTransmissionKey(keyNumber: AllowedNumbers) {
-        this._transmissionKey = await generateTransmissionKey(keyNumber)
+    public async updateTransmissionKey(ecKeyId: AllowedEcKeyIds, mlKemKeyId: AllowedMlKemKeyIds) {
+        this._transmissionKey = await generateTransmissionKey(ecKeyId, mlKemKeyId)
 
-        this.options.deviceConfig.transmissionKeyId = keyNumber
+        this.options.deviceConfig.transmissionKeyId = ecKeyId
+        this.options.deviceConfig.mlKemPublicKeyId = mlKemKeyId
         if (this.options.onDeviceConfig) {
             await this.options.onDeviceConfig(this.options.deviceConfig, this.options.host);
         }
     }
 
     public async prepareRequest(payload: Uint8Array | unknown, sessionToken?: string, apiVersion?: number): Promise<Uint8Array> {
         this._transmissionKey = await this.getTransmissionKey()
-        return prepareApiRequest(payload, this._transmissionKey, sessionToken, this.locale, apiVersion)
+        return prepareApiRequest({
+            payload, 
+            transmissionKey: this._transmissionKey, 
+            sessionToken, 
+            locale: this.locale, 
+            apiVersion, 
+            useHpkeForTransmissionKey: this.useHpkeForTransmissionKey
+        })
     }
 
     async decryptPushMessage(pushMessageData: Uint8Array): Promise<WssClientResponse> {
@@ -281,7 +311,12 @@ export class KeeperEndpoint {
             "idpSessionId": idpSessionId,
             "username": username
         }
-        const request = await prepareApiRequest(SsoCloud.SsoCloudRequest.encode(payload).finish(), this._transmissionKey, undefined, this.locale)
+        const request = await prepareApiRequest({
+            payload: SsoCloud.SsoCloudRequest.encode(payload).finish(), 
+            transmissionKey: this._transmissionKey, 
+            locale: this.locale,
+            useHpkeForTransmissionKey: this.useHpkeForTransmissionKey
+        })
         return webSafe64FromBytes(request)
     }
 
@@ -325,11 +360,32 @@ export async function getPushConnectionRequest(messageSessionUid: Uint8Array, tr
         deviceTimeStamp: new Date().getTime()
     })
     const connectionRequestBytes = WssConnectionRequest.encode(connectionRequest).finish()
-    const apiRequest = await prepareApiRequest(connectionRequestBytes, transmissionKey, undefined, locale)
+    const apiRequest = await prepareApiRequest({
+        payload: connectionRequestBytes, 
+        transmissionKey, 
+        locale, 
+        useHpkeForTransmissionKey: false // HPKE not currently supported for push
+    })
     return webSafe64FromBytes(apiRequest)
 }
 
-export async function prepareApiRequest(payload: Uint8Array | unknown, transmissionKey: TransmissionKey, sessionToken?: string, locale?: string, apiVersion?: number): Promise<Uint8Array> {
+type PrepareApiRequestParams = {
+    payload: Uint8Array | unknown,
+    transmissionKey: TransmissionKey,
+    sessionToken?: string,
+    locale?: string,
+    apiVersion?: number
+    useHpkeForTransmissionKey?: boolean
+}
+
+export async function prepareApiRequest({
+  payload, 
+  transmissionKey, 
+  sessionToken, 
+  locale, 
+  apiVersion,
+  useHpkeForTransmissionKey
+}: PrepareApiRequestParams): Promise<Uint8Array> {
     const requestPayload = ApiRequestPayload.create()
     if (payload) {
         requestPayload.payload = payload instanceof Uint8Array
@@ -340,14 +396,31 @@ export async function prepareApiRequest(payload: Uint8Array | unknown, transmiss
         requestPayload.encryptedSessionToken = normal64Bytes(sessionToken);
     }
     requestPayload.apiVersion = apiVersion || 0
-    let requestPayloadBytes = ApiRequestPayload.encode(requestPayload).finish()
-    let encryptedRequestPayload = await platform.aesGcmEncrypt(requestPayloadBytes, transmissionKey.key)
-    let apiRequest = ApiRequest.create({
-        encryptedTransmissionKey: transmissionKey.encryptedKey,
-        encryptedPayload: encryptedRequestPayload,
-        publicKeyId: transmissionKey.publicKeyId,
-        locale: locale || 'en_US'
-    })
+    const requestPayloadBytes = ApiRequestPayload.encode(requestPayload).finish()
+    const encryptedRequestPayload = await platform.aesGcmEncrypt(requestPayloadBytes, transmissionKey.key)
+    let apiRequest: Authentication.IApiRequest
+
+    if (useHpkeForTransmissionKey) {
+        const hpkeTransmissionKey = await generateHpkeTransmissionKey(
+            transmissionKey,
+            true  // use optional data
+        )
+        apiRequest = ApiRequest.create({
+            qrcMessageKey: hpkeTransmissionKey.qrcMessageKey,
+            encryptedPayload: encryptedRequestPayload,
+            publicKeyId: hpkeTransmissionKey.mlKemKeyId,
+            encryptedTransmissionKey: hpkeTransmissionKey.optionalData || null,
+            locale: locale || 'en_US'
+        });
+    } else {
+        apiRequest = ApiRequest.create({
+            encryptedTransmissionKey: transmissionKey.ecEncryptedKey,
+            encryptedPayload: encryptedRequestPayload,
+            publicKeyId: transmissionKey.ecKeyId,
+            locale: locale || 'en_US'
+        })
+    }
+
     return ApiRequest.encode(apiRequest).finish()
 }