First commit

packages/core/security/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@core/security",
+  "version": "1.0.0",
+  "description": "Core security SDK for hardware-backed cryptography, DPoP, and contextual encryption",
+  "main": "./src/index.ts",
+  "types": "./src/index.ts",
+  "scripts": {
+    "build": "nx build",
+    "test": "nx test",
+    "lint": "nx lint",
+    "typecheck": "nx typecheck"
+  },
+  "dependencies": {
+    "react-native-keychain": "^8.2.0",
+    "react-native-crypto-js": "^1.0.0",
+    "uuid": "^9.0.1"
+  },
+  "devDependencies": {
+    "@types/uuid": "^9.0.7"
+  },
+  "nx": {
+    "tags": ["scope:core", "type:infra", "platform:rn"]
+  }
+}

packages/core/security/src/DPoPService.ts

@@ -0,0 +1,144 @@
+import { v4 as uuidv4 } from 'uuid';
+import type { DPoPProof } from './types';
+
+// Note: This requires a custom Native Module (NativeCryptoModule) capable of 
+// generating ECC keys in the Secure Enclave and signing data with them.
+// This is a placeholder implementation that would need native module integration.
+
+const DPOP_KEY_ALIAS = 'lynkedup.dpop.key.v1';
+
+/**
+ * DPoP (Demonstrating Proof-of-Possession) Service
+ * Implements RFC 9449 for sender-constrained access tokens
+ * 
+ * Features:
+ * - Hardware-backed ECC key generation
+ * - JWT signing with private key in secure enclave
+ * - Request binding via HTTP method and URI
+ */
+export class DPoPService {
+  private publicKey: string | null = null;
+
+  /**
+   * Initialize DPoP key pair in secure enclave
+   * Returns the public key JWK
+   */
+  async initializeKeyPair(): Promise<string> {
+    if (this.publicKey) return this.publicKey;
+
+    // Check if key exists natively using the alias, otherwise generate it
+    // This would call into a native module
+    let pubKey = await this.getPublicKeyFromNative(DPOP_KEY_ALIAS);
+    
+    if (!pubKey) {
+      pubKey = await this.generateHardwareECCKeyPair(DPOP_KEY_ALIAS);
+    }
+    
+    this.publicKey = pubKey;
+    return pubKey;
+  }
+
+  /**
+   * Sign a DPoP proof for HTTP request
+   * @param method HTTP method (GET, POST, etc.)
+   * @param uri Full request URI
+   * @param accessToken Optional access token to bind to request
+   */
+  async signProof(method: string, uri: string, accessToken?: string): Promise<string> {
+    if (!this.publicKey) {
+      await this.initializeKeyPair();
+    }
+
+    // Construct the DPoP JWT payload (htu, htm, jti, ath)
+    const payload = {
+      htm: method, // HTTP Method
+      htu: uri,    // HTTP URI
+      jti: uuidv4(), // Unique identifier for this proof
+      iat: Math.floor(Date.now() / 1000), // Issued at time
+      // Include hash of access token (ath) if present
+      ath: accessToken ? this.base64url(this.sha256(accessToken)) : undefined,
+    };
+
+    // Sign the JWT using the hardware-backed private key via the native module
+    const signedJwt = await this.signJWTWithNative(payload, DPOP_KEY_ALIAS);
+    
+    return signedJwt;
+  }
+
+  /**
+   * Sign arbitrary data with DPoP key
+   */
+  async signData(data: string): Promise<string> {
+    if (!this.publicKey) {
+      await this.initializeKeyPair();
+    }
+
+    const signaturePayload = {
+      data,
+      timestamp: Date.now(),
+      nonce: uuidv4()
+    };
+
+    return this.signJWTWithNative(signaturePayload, DPOP_KEY_ALIAS);
+  }
+
+  /**
+   * Get the current public key
+   */
+  getPublicKey(): string | null {
+    return this.publicKey;
+  }
+
+  // Native module integration methods (would be implemented via bridge)
+  private async getPublicKeyFromNative(keyAlias: string): Promise<string | null> {
+    // This would call into a native module
+    // Example: return NativeCryptoModule.getPublicKey(keyAlias);
+    console.warn('Native module integration required for getPublicKeyFromNative');
+    return null;
+  }
+
+  private async generateHardwareECCKeyPair(keyAlias: string): Promise<string> {
+    // This would call into a native module to generate ECC key in secure enclave
+    // Example: return NativeCryptoModule.generateHardwareECCKeyPair(keyAlias);
+    console.warn('Native module integration required for generateHardwareECCKeyPair');
+    
+    // Mock implementation for development
+    return JSON.stringify({
+      kty: 'EC',
+      crv: 'P-256',
+      x: 'mock-x-coordinate',
+      y: 'mock-y-coordinate',
+      use: 'sig',
+      kid: keyAlias
+    });
+  }
+
+  private async signJWTWithNative(payload: any, keyAlias: string): Promise<string> {
+    // This would call into a native module to sign JWT with hardware key
+    // Example: return NativeCryptoModule.signJWT(payload, keyAlias);
+    console.warn('Native module integration required for signJWTWithNative');
+    
+    // Mock implementation for development
+    const header = { alg: 'ES256', typ: 'dpop+jwt', jwk: JSON.parse(this.publicKey!) };
+    const encodedHeader = this.base64url(JSON.stringify(header));
+    const encodedPayload = this.base64url(JSON.stringify(payload));
+    const signature = 'mock-signature'; // Would be actual signature from secure enclave
+    
+    return `${encodedHeader}.${encodedPayload}.${signature}`;
+  }
+
+  // Utility methods
+  private base64url(str: string): string {
+    return Buffer.from(str)
+      .toString('base64')
+      .replace(/\+/g, '-')
+      .replace(/\//g, '_')
+      .replace(/=/g, '');
+  }
+
+  private sha256(str: string): string {
+    // This would use a proper crypto library
+    console.warn('Proper SHA256 implementation required');
+    return 'mock-hash';
+  }
+}

packages/core/security/src/SecurityCore.ts

@@ -0,0 +1,165 @@
+import { DPoPService } from './DPoPService';
+import { CryptoService } from './CryptoService';
+import { KeyManagementService } from './KeyManagementService';
+import type { SecurityConfig, EncryptionResult, KeyReference } from './types';
+
+/**
+ * Core Security SDK
+ * Provides hardware-backed cryptography, DPoP implementation, and contextual encryption
+ * 
+ * Key Features (per FRD):
+ * - F.SC.001: Cryptographic utilities (AES-GCM envelope encryption)
+ * - F.SC.002: Hardware-backed key storage (Keychain/StrongBox)
+ * - F.SC.003: Certificate Pinning logic
+ * - F.SC.004: DPoP proof generation
+ * - F.SC.005: Organizational Data Encryption Keys (DEKs) management
+ * - F.SC.006: Secure wipe/cryptographic erasure
+ * - F.SC.007: Device attestation integration
+ */
+export class SecurityCore {
+  private config: SecurityConfig;
+  private dpopService: DPoPService;
+  private cryptoService: CryptoService;
+  private keyManagement: KeyManagementService;
+  private initialized = false;
+
+  constructor(config: SecurityConfig) {
+    this.config = config;
+    this.dpopService = new DPoPService();
+    this.cryptoService = new CryptoService();
+    this.keyManagement = new KeyManagementService(config);
+  }
+
+  /**
+   * Initialize the Security Core
+   * Must be called before any other operations
+   */
+  async initialize(): Promise<void> {
+    if (this.initialized) return;
+
+    await this.keyManagement.initialize();
+    await this.dpopService.initializeKeyPair();
+    
+    this.initialized = true;
+  }
+
+  /**
+   * F.SC.004: Generate DPoP proof for request authentication
+   */
+  async signDPoPProof(method: string, uri: string, accessToken?: string): Promise<string> {
+    this.ensureInitialized();
+    return this.dpopService.signProof(method, uri, accessToken);
+  }
+
+  /**
+   * F.SC.001: Encrypt data using organizational DEK (envelope encryption)
+   */
+  async encryptForOrganization(data: string, orgId: string): Promise<EncryptionResult> {
+    this.ensureInitialized();
+    
+    // Get or create organizational DEK
+    const orgKeyRef = await this.keyManagement.getOrganizationalKey(orgId);
+    
+    // Generate random file encryption key
+    const fileKey = await this.cryptoService.generateKey();
+    
+    // Encrypt data with file key
+    const encryptedData = await this.cryptoService.encrypt(data, fileKey);
+    
+    // Wrap file key with organizational DEK
+    const wrappedKey = await this.cryptoService.wrapKey(fileKey, orgKeyRef.keyId);
+    
+    return {
+      encryptedData: encryptedData.ciphertext,
+      keyReference: {
+        keyId: wrappedKey,
+        orgId,
+        keyType: 'dek',
+        createdAt: new Date().toISOString()
+      },
+      iv: encryptedData.iv,
+      authTag: encryptedData.authTag
+    };
+  }
+
+  /**
+   * Decrypt data using organizational DEK
+   */
+  async decryptForOrganization(encryptedData: string, keyReference: KeyReference): Promise<string> {
+    this.ensureInitialized();
+    
+    if (!keyReference.orgId) {
+      throw new Error('Organization ID required for decryption');
+    }
+
+    // Get organizational DEK
+    const orgKeyRef = await this.keyManagement.getOrganizationalKey(keyReference.orgId);
+    
+    // Unwrap file key
+    const fileKey = await this.cryptoService.unwrapKey(keyReference.keyId, orgKeyRef.keyId);
+    
+    // Decrypt data
+    return this.cryptoService.decrypt(encryptedData, fileKey);
+  }
+
+  /**
+   * F.SC.002: Get database master key from secure storage
+   */
+  async getDatabaseMasterKey(): Promise<string> {
+    this.ensureInitialized();
+    return this.keyManagement.getDatabaseMasterKey();
+  }
+
+  /**
+   * F.SC.005: Store authentication tokens securely
+   */
+  async storeAuthTokens(accessToken: string, refreshToken: string): Promise<void> {
+    this.ensureInitialized();
+    await this.keyManagement.storeSecureValue('auth.access_token', accessToken);
+    await this.keyManagement.storeSecureValue('auth.refresh_token', refreshToken);
+  }
+
+  /**
+   * Get stored authentication tokens
+   */
+  async getAuthTokens(): Promise<{ accessToken?: string; refreshToken?: string }> {
+    this.ensureInitialized();
+    
+    const [accessToken, refreshToken] = await Promise.all([
+      this.keyManagement.getSecureValue('auth.access_token'),
+      this.keyManagement.getSecureValue('auth.refresh_token')
+    ]);
+
+    return { accessToken, refreshToken };
+  }
+
+  /**
+   * F.SC.006: Cryptographic erasure - delete organizational keys
+   */
+  async performCryptographicErasure(orgId: string): Promise<void> {
+    this.ensureInitialized();
+    await this.keyManagement.deleteOrganizationalKeys(orgId);
+  }
+
+  /**
+   * F.SC.006: Complete secure wipe - delete all keys
+   */
+  async performSecureWipe(): Promise<void> {
+    this.ensureInitialized();
+    await this.keyManagement.secureWipe();
+  }
+
+  /**
+   * Sign arbitrary data with identity key
+   */
+  async signData(data: string): Promise<string> {
+    this.ensureInitialized();
+    return this.dpopService.signData(data);
+  }
+
+  private ensureInitialized(): void {
+    if (!this.initialized) {
+      throw new Error('SecurityCore must be initialized before use');
+    }
+  }
+}

packages/core/security/src/index.ts

@@ -0,0 +1,11 @@
+export { SecurityCore } from './SecurityCore';
+export { DPoPService } from './DPoPService';
+export { CryptoService } from './CryptoService';
+export { KeyManagementService } from './KeyManagementService';
+export type {
+  SecurityConfig,
+  DPoPProof,
+  EncryptionResult,
+  KeyReference,
+  SecurityLevel
+} from './types';

packages/core/security/src/types.ts

@@ -0,0 +1,39 @@
+export interface SecurityConfig {
+  enableHardwareBackedStorage: boolean;
+  requireSecureEnclave: boolean;
+  enableCertificatePinning: boolean;
+  allowDebugging: boolean;
+}
+
+export interface DPoPProof {
+  jwt: string;
+  publicKey: string;
+  algorithm: string;
+}
+
+export interface EncryptionResult {
+  encryptedData: string;
+  keyReference: KeyReference;
+  iv: string;
+  authTag: string;
+}
+
+export interface KeyReference {
+  keyId: string;
+  orgId?: string;
+  keyType: 'master' | 'dek' | 'dpop' | 'identity';
+  createdAt: string;
+}
+
+export enum SecurityLevel {
+  SOFTWARE = 'software',
+  SECURE_HARDWARE = 'secure_hardware',
+  SECURE_ENCLAVE = 'secure_enclave'
+}
+
+export interface AttestationResult {
+  status: 'VALID' | 'INVALID' | 'UNKNOWN';
+  deviceCheck?: any;
+  playIntegrity?: any;
+  timestamp: string;
+}