Add support for bidirectional encryption.

.eslintrc.yml

@@ -58,6 +58,8 @@ overrides:
       "@typescript-eslint/require-await": "off"
       "@typescript-eslint/no-unsafe-argument": "off"
       "@typescript-eslint/no-unsafe-assignment": "off"
+      "@typescript-eslint/no-unused-vars": "off"
+
   - files: src/**/*
     env:
       node: false

src/encryptionContext.ts

@@ -1,39 +1,74 @@
 import type { AeadParams } from './interfaces/aeadParams';
+import type { KeyInfo } from './interfaces/keyInfo';
 import type { KdfContext } from './kdfContext';
 
 import { ExporterContext } from './exporterContext';
-import * as errors from './errors';
 import { i2Osp, xor } from './utils';
 
+import * as consts from './consts';
+import * as errors from './errors';
+
 export class EncryptionContext extends ExporterContext {
 
-  protected readonly key: CryptoKey;
-  protected readonly baseNonce: Uint8Array;
-  protected seq: number;
+  /// AEAD algorithm identifier.
+  protected _alg: string;
+  /// The length in bytes of a key for the algorithm.
+  protected _nK: number;
+  /// The length in bytes of a nonce for the algorithm.
+  protected _nN: number;
+  /// The length in bytes of an authentication tag for the algorithm.
+  protected _nT: number;
+  /// Forward key information.
+  protected _f: KeyInfo;
+  /// Reverse key information.
+  protected _r: KeyInfo;
 
   public constructor(crypto: SubtleCrypto, kdf: KdfContext, params: AeadParams) {
     super(crypto, kdf, params.exporterSecret);
 
     if (params.key === undefined || params.baseNonce === undefined || params.seq === undefined) {
       throw new errors.ValidationError('Required parameters are missing');
     }
-    this.key = params.key;
-    this.baseNonce = params.baseNonce;
-    this.seq = params.seq;
+    this._alg = params.alg;
+    this._nK = params.nK;
+    this._nN = params.nN;
+    this._nT = params.nT;
+    this._f = {
+      key: params.key,
+      baseNonce: params.baseNonce,
+      seq: params.seq,
+    };
+    this._r = {
+      key: params.key,
+      baseNonce: consts.EMPTY,
+      seq: 0,
+    };
     return;
   }
 
-  protected computeNonce(): ArrayBuffer {
-    const seqBytes = i2Osp(this.seq, this.baseNonce.byteLength);
-    return xor(this.baseNonce, seqBytes);
+  protected computeNonce(k: KeyInfo): ArrayBuffer {
+    const seqBytes = i2Osp(k.seq, k.baseNonce.byteLength);
+    return xor(k.baseNonce, seqBytes);
   }
 
-  protected incrementSeq() {
+  protected incrementSeq(k: KeyInfo) {
     // if (this.seq >= (1 << (8 * this.baseNonce.byteLength)) - 1) {
-    if (this.seq >= Number.MAX_SAFE_INTEGER) {
+    if (k.seq >= Number.MAX_SAFE_INTEGER) {
       throw new errors.MessageLimitReachedError('Message limit reached');
     }
-    this.seq += 1;
+    k.seq += 1;
     return;
   }
+
+  public async setupBidirectional(keySeed: ArrayBuffer, nonceSeed: ArrayBuffer): Promise<void> {
+    try {
+      this._r.baseNonce = new Uint8Array(await this.export(nonceSeed, this._nN));
+      const key = await this.export(keySeed, this._nK);
+      this._r.key = await this._crypto.importKey('raw', key, { name: this._alg }, true, consts.AEAD_USAGES);
+      this._r.seq = 0;
+    } catch (e: unknown) {
+      this._r.baseNonce = consts.EMPTY;
+      throw e;
+    }
+  }
 }

src/exporterContext.ts

@@ -19,12 +19,16 @@ export class ExporterContext extends WebCrypto implements EncryptionContextInter
     return;
   }
 
-  public async seal(data: ArrayBuffer, aad: ArrayBuffer): Promise<ArrayBuffer> {
-    throw new errors.SealError('Not available on export-only mode');
+  public async seal(_data: ArrayBuffer, _aad: ArrayBuffer): Promise<ArrayBuffer> {
+    throw new errors.NotSupportedError('Not available on export-only mode');
   }
 
-  public async open(data: ArrayBuffer, aad: ArrayBuffer): Promise<ArrayBuffer> {
-    throw new errors.OpenError('Not available on export-only mode');
+  public async open(_data: ArrayBuffer, _aad: ArrayBuffer): Promise<ArrayBuffer> {
+    throw new errors.NotSupportedError('Not available on export-only mode');
+  }
+
+  public async setupBidirectional(_keySeed: ArrayBuffer, _nonceSeed: ArrayBuffer): Promise<void> {
+    throw new errors.NotSupportedError('Not available on export-only mode');
   }
 
   public async export(info: ArrayBuffer, len: number): Promise<ArrayBuffer> {

src/interfaces/aeadParams.ts

@@ -3,6 +3,21 @@
  */
 export interface AeadParams {
 
+  /** The algorithm identifier */
+  alg: string;
+
+  /** The length in bytes of a key for the algorithm */
+  nK: number;
+
+  /** The length in bytes of a nonce for the algorithm */
+  nN: number;
+
+  /** The length in bytes of an authentication tag for the algorithm */
+  nT: number;
+
+  /** A secret used for the secret export interface */
+  exporterSecret: ArrayBuffer;
+
   /** A secret key */
   key?: CryptoKey;
 
@@ -11,7 +26,4 @@ export interface AeadParams {
 
   /** A sequence number */
   seq?: number;
-
-  /** A secret used for the secret export interface */
-  exporterSecret: ArrayBuffer;
 }

src/interfaces/encryptionContextInterface.ts

@@ -18,6 +18,13 @@ export interface EncryptionContextInterface extends Exporter {
    * data using a symmetric key and a nonce.
    */
   open(data: ArrayBuffer, aad?: ArrayBuffer): Promise<ArrayBuffer>;
+
+  /**
+   * Sets up bi-directional encryption to allow a recipient to send
+   * encrypted messages to a sender.
+   */
+  setupBidirectional(keySeed: ArrayBuffer, nonceSeed: ArrayBuffer): Promise<void>;
+
 }
 
 /**

src/interfaces/keyInfo.ts

@@ -0,0 +1,5 @@
+export interface KeyInfo {
+  key: CryptoKey;
+  baseNonce: Uint8Array;
+  seq: number;
+}

src/kdfCommon.ts

@@ -1,5 +1,4 @@
 import { WebCrypto } from './webCrypto';
-import { concat } from './utils';
 
 import * as consts from './consts';
 

src/kdfContext.ts

@@ -100,6 +100,10 @@ export class KdfContext extends KdfCommon {
 
     if (this._algAead === '') {
       return {
+        alg: this._algAead,
+        nK: this._nK,
+        nN: this._nN,
+        nT: this._nT,
         exporterSecret: exporterSecret,
       };
     }
@@ -111,10 +115,14 @@ export class KdfContext extends KdfCommon {
     const baseNonce = await this.extractAndExpand(sharedSecret, ikm, baseNonceInfo, this._nN);
 
     return {
+      alg: this._algAead,
+      nK: this._nK,
+      nN: this._nN,
+      nT: this._nT,
+      exporterSecret: exporterSecret,
       key: await this._crypto.importKey('raw', key, { name: this._algAead }, true, consts.AEAD_USAGES),
       baseNonce: new Uint8Array(baseNonce),
       seq: 0,
-      exporterSecret: exporterSecret,
     };
   }
 }

src/recipientContext.ts

@@ -6,22 +6,37 @@ import * as errors from './errors';
 export class RecipientContext extends EncryptionContext {
 
   public async seal(data: ArrayBuffer, aad: ArrayBuffer = EMPTY): Promise<ArrayBuffer> {
-    throw new errors.NotSupportedError('Bidirectional encryption not supported');
+    if (this._r.baseNonce.length === 0) {
+      throw new errors.SealError("Bidirectional encryption is not setup");
+    }
+    let ct: ArrayBuffer;
+    try {
+      const alg = {
+        name: this._alg,
+        iv: this.computeNonce(this._r),
+        additionalData: aad,
+      };
+      ct = await this._crypto.encrypt(alg, this._r.key, data);
+    } catch (e: unknown) {
+      throw new errors.SealError(e);
+    }
+    this.incrementSeq(this._r);
+    return ct;
   }
 
   public async open(data: ArrayBuffer, aad: ArrayBuffer = EMPTY): Promise<ArrayBuffer> {
     let pt: ArrayBuffer;
     try {
       const alg = {
-        name: 'AES-GCM',
-        iv: this.computeNonce(),
+        name: this._alg,
+        iv: this.computeNonce(this._f),
         additionalData: aad,
       };
-      pt = await this._crypto.decrypt(alg, this.key, data);
+      pt = await this._crypto.decrypt(alg, this._f.key, data);
     } catch (e: unknown) {
       throw new errors.OpenError(e);
     }
-    this.incrementSeq();
+    this.incrementSeq(this._f);
     return pt;
   }
 }

src/senderContext.ts

@@ -21,19 +21,34 @@ export class SenderContext extends EncryptionContext implements Encapsulator {
     let ct: ArrayBuffer;
     try {
       const alg = {
-        name: 'AES-GCM',
-        iv: this.computeNonce(),
+        name: this._alg,
+        iv: this.computeNonce(this._f),
         additionalData: aad,
       };
-      ct = await this._crypto.encrypt(alg, this.key, data);
+      ct = await this._crypto.encrypt(alg, this._f.key, data);
     } catch (e: unknown) {
       throw new errors.SealError(e);
     }
-    this.incrementSeq();
+    this.incrementSeq(this._f);
     return ct;
   }
 
   public async open(data: ArrayBuffer, aad: ArrayBuffer = EMPTY): Promise<ArrayBuffer> {
-    throw new errors.NotSupportedError('Bidirectional encryption not supported');
+    if (this._r.baseNonce.length === 0) {
+      throw new errors.SealError('Bidirectional encryption is not setup');
+    }
+    let pt: ArrayBuffer;
+    try {
+      const alg = {
+        name: this._alg,
+        iv: this.computeNonce(this._r),
+        additionalData: aad,
+      };
+      pt = await this._crypto.decrypt(alg, this._r.key, data);
+    } catch (e: unknown) {
+      throw new errors.OpenError(e);
+    }
+    this.incrementSeq(this._r);
+    return pt;
   }
 }

test/cipherSuite.test.ts

@@ -318,4 +318,48 @@ describe('CipherSuite', () => {
     });
   });
 
+  describe('bidirectional seal and open', () => {
+    it('should work normally', async () => {
+
+      const te = new TextEncoder();
+
+      // setup
+      const suite = new CipherSuite({
+        kem: Kem.DhkemP256HkdfSha256,
+        kdf: Kdf.HkdfSha256,
+        aead: Aead.Aes128Gcm,
+      });
+      const rkp = await suite.generateKeyPair();
+
+      const sender = await suite.createSenderContext({
+        recipientPublicKey: rkp.publicKey,
+      });
+
+      const recipient = await suite.createRecipientContext({
+        recipientKey: rkp,
+        enc: sender.enc,
+      });
+
+      // setup bidirectional encryption
+      await sender.setupBidirectional(te.encode('seed-for-key'), te.encode('seed-for-nonce'));
+      await recipient.setupBidirectional(te.encode('seed-for-key'), te.encode('seed-for-nonce'));
+
+      // encrypt
+      const ct = await sender.seal(te.encode('my-secret-message'));
+
+      // decrypt
+      const pt = await recipient.open(ct);
+
+      // encrypt reversely
+      const rct = await recipient.seal(te.encode('my-secret-message'));
+
+      // decrypt reversely
+      const rpt = await sender.open(rct);
+
+      // assert
+      expect(new TextDecoder().decode(pt)).toEqual('my-secret-message');
+      expect(new TextDecoder().decode(rpt)).toEqual('my-secret-message');
+    });
+  });
+
 });

test/conformanceTester.ts

@@ -51,8 +51,10 @@ export class ConformanceTester extends WebCrypto {
     const suite = new CipherSuite({ kem: v.kem_id, kdf: v.kdf_id, aead: v.aead_id });
 
     // deriveKeyPair
-    const derived = await suite.deriveKey(ikmR.buffer);
-    expect(new Uint8Array(derived)).toEqual(skRm);
+    const derivedR = await suite.deriveKey(ikmR.buffer);
+    expect(new Uint8Array(derivedR)).toEqual(skRm);
+    const derivedE = await suite.deriveKey(ikmE.buffer);
+    expect(new Uint8Array(derivedE)).toEqual(skEm);
 
     const sender = await suite.createSenderContext({
       info: info,