Bulk encryption decryption

.github/workflows/ci.yml

@@ -16,7 +16,7 @@ jobs:
       subcommands: |
         python3 scripts/download_wasm.py
         npm install
-      kms-version: 4.5.0
+      kms-version: bulk
       findex-cloud-version: 0.3.1
 
   lint:
@@ -33,7 +33,7 @@ jobs:
     with:
       subcommands: |
         npm test
-      kms-version: 4.5.0
+      kms-version: bulk
       kms-jwe-key: '{"kty": "OKP","d": "MPEVJwdRqGM_qhJOUb5hR0Xr9EvwMLZGnkf-eDj5fU8","use": "enc","crv": "X25519","kid": "DX3GC+Fx3etxfRJValQNbqaB0gs=","x":
         "gdF-1TtAjsFqNWr9nwhGUlFG38qrDUqYgcILgtYrpTY","alg": "ECDH-ES"}'
       findex-cloud-version: 0.3.1
@@ -50,7 +50,7 @@ jobs:
       extension: so
       destination: linux-x86-64
       os: ubuntu-20.04
-      kms-version: 4.5.0
+      kms-version: bulk
       findex-cloud-version: 0.3.1
       copy_fresh_build: false
       copy_regression_files: |
@@ -64,7 +64,7 @@ jobs:
     with:
       branch: develop
       target: x86_64-unknown-linux-gnu
-      kms-version: 4.5.0
+      kms-version: bulk
       copy_fresh_build: false
       copy_regression_files: |
         cp ./cloudproof_js/non_regression_vector.json tests/data/cover_crypt/non_regression/js_non_regression_vector.json
@@ -95,7 +95,7 @@ jobs:
         sleep 5
         cd ../test
         node chrome.mjs http://localhost:8090 http://kms:9998
-      kms-version: 4.5.0
+      kms-version: bulk
       findex-cloud-version: 0.3.1
 
   example_reactjs:
@@ -110,7 +110,7 @@ jobs:
         sleep 5
         cd ../test
         node chrome.mjs http://localhost:8090 http://kms:9998
-      kms-version: 4.5.0
+      kms-version: bulk
       findex-cloud-version: 0.3.1
 
   example_browser:
@@ -123,7 +123,7 @@ jobs:
         python3 -m http.server &
         sleep 3
         node test.mjs
-      kms-version: 4.5.0
+      kms-version: bulk
       findex-cloud-version: 0.3.1
 
   example_webpack:
@@ -143,7 +143,7 @@ jobs:
         cd examples/nodejs
         npm install
         node test.mjs 10
-      kms-version: 4.5.0
+      kms-version: bulk
       findex-cloud-version: 0.3.1
 
   example_imdb:

docker-compose.yml

@@ -5,12 +5,11 @@ version: '3'
 services:
   kms:
     container_name: kms
-    image: ghcr.io/cosmian/kms:4.5.0
+    image: ghcr.io/cosmian/kms:bulk
     ports:
       - 9998:9998
     environment:
-      JWK_PRIVATE_KEY: '{"kty": "OKP","d": "MPEVJwdRqGM_qhJOUb5hR0Xr9EvwMLZGnkf-eDj5fU8","use": "enc","crv": "X25519","kid": "DX3GC+Fx3etxfRJValQNbqaB0gs=","x":
-        "gdF-1TtAjsFqNWr9nwhGUlFG38qrDUqYgcILgtYrpTY","alg": "ECDH-ES"}'
+      JWK_PRIVATE_KEY: '{"kty": "OKP","d": "MPEVJwdRqGM_qhJOUb5hR0Xr9EvwMLZGnkf-eDj5fU8","use": "enc","crv": "X25519","kid": "DX3GC+Fx3etxfRJValQNbqaB0gs=","x": "gdF-1TtAjsFqNWr9nwhGUlFG38qrDUqYgcILgtYrpTY","alg": "ECDH-ES"}'
   findex_cloud:
     image: ghcr.io/cosmian/findex_cloud:0.1.0
     ports:

package.json

@@ -61,7 +61,7 @@
     "eslint-plugin-n": "^15.2.5",
     "eslint-plugin-promise": "^6.0.1",
     "prettier": "2.7.1",
-    "puppeteer": "^19.2.0",
+    "puppeteer": "^19.11.1",
     "redis": "^4.3.1",
     "rollup": "^3.3.0",
     "typescript": "^4.9.0",

src/kms/kms.ts

@@ -15,6 +15,7 @@ import { ReKeyKeyPair } from "./requests/ReKeyKeyPair"
 import { Revoke } from "./requests/Revoke"
 import {
   Attributes,
+  CryptographicParameters,
   Link,
   LinkType,
   VendorAttributes,
@@ -697,7 +698,7 @@ export class KmsClient {
   public async coverCryptEncrypt(
     uniqueIdentifier: string,
     accessPolicy: string,
-    data: Uint8Array,
+    data: Uint8Array | Uint8Array[],
     options: {
       headerMetadata?: Uint8Array
       authenticationData?: Uint8Array
@@ -713,6 +714,26 @@ export class KmsClient {
       headerMetadata = options.headerMetadata
     }
 
+    const cryptographicParameters = new CryptographicParameters()
+    cryptographicParameters.cryptographicAlgorithm =
+      CryptographicAlgorithm.CoverCryptBulk
+
+    if (data instanceof Uint8Array) {
+      data = Uint8Array.from([...encode(1), ...encode(data.length), ...data])
+    } else {
+      let plaintext = encode(data.length)
+
+      for (const chunk of data) {
+        plaintext = Uint8Array.from([
+          ...plaintext,
+          ...encode(chunk.length),
+          ...chunk,
+        ])
+      }
+
+      data = plaintext
+    }
+
     const dataToEncrypt = Uint8Array.from([
       ...accessPolicySize,
       ...accessPolicyBytes,
@@ -721,12 +742,32 @@ export class KmsClient {
       ...data,
     ])
 
-    const encrypt = new Encrypt(uniqueIdentifier, dataToEncrypt)
+    const encrypt = new Encrypt(
+      uniqueIdentifier,
+      dataToEncrypt,
+      cryptographicParameters,
+    )
     if (typeof options.authenticationData !== "undefined") {
       encrypt.authenticatedEncryptionAdditionalData = options.authenticationData
     }
 
-    return (await this.post(encrypt)).data
+    const encryptedData = (await this.post(encrypt)).data
+
+    let { result: nbChunks, tail: tailPlaintext } = decode(encryptedData)
+
+    let encryptedChunks = Uint8Array.from([])
+    for (let i = 0; i < nbChunks; i++) {
+      const { result: chunkSize, tail } = decode(tailPlaintext)
+      const chunk = tail.slice(0, chunkSize)
+      tailPlaintext = tail.slice(chunkSize)
+
+      encryptedChunks = Uint8Array.from([
+        ...encryptedChunks,
+        ...Uint8Array.from([...chunk]),
+      ])
+    }
+
+    return encryptedChunks
   }
 
   /**
@@ -738,11 +779,31 @@ export class KmsClient {
    */
   public async coverCryptDecrypt(
     uniqueIdentifier: string,
-    data: Uint8Array,
+    data: Uint8Array | Uint8Array[],
     options: {
       authenticationData?: Uint8Array
     } = {},
   ): Promise<{ headerMetadata: Uint8Array; plaintext: Uint8Array }> {
+    const cryptographicParameters = new CryptographicParameters()
+    cryptographicParameters.cryptographicAlgorithm =
+      CryptographicAlgorithm.CoverCryptBulk
+
+    if (data instanceof Uint8Array) {
+      data = Uint8Array.from([...encode(1), ...encode(data.length), ...data])
+    } else {
+      let ciphertext = encode(data.length)
+
+      for (const chunk of data) {
+        ciphertext = Uint8Array.from([
+          ...ciphertext,
+          ...encode(chunk.length),
+          ...chunk,
+        ])
+      }
+
+      data = ciphertext
+    }
+
     const decrypt = new Decrypt(uniqueIdentifier, data)
     if (typeof options.authenticationData !== "undefined") {
       decrypt.authenticatedEncryptionAdditionalData = options.authenticationData
@@ -754,6 +815,19 @@ export class KmsClient {
     const headerMetadata = tail.slice(0, headerMetadataLength)
     const plaintext = tail.slice(headerMetadataLength)
 
+    let { result: nbChunks, tail: tailPlaintext } = decode(plaintext)
+    let decryptedChunks = Uint8Array.from([])
+    for (let i = 0; i < nbChunks; i++) {
+      const { result: chunkSize, tail } = decode(tailPlaintext)
+      const chunk = tail.slice(0, chunkSize)
+      tailPlaintext = tail.slice(chunkSize)
+
+      decryptedChunks = Uint8Array.from([
+        ...decryptedChunks,
+        ...Uint8Array.from([...chunk]),
+      ])
+    }
+
     return { headerMetadata, plaintext }
   }
 

src/kms/structs/object_data_structures.ts

@@ -102,7 +102,7 @@ export enum CryptographicAlgorithm {
   TFHE = 0x8880_0002,
   ABE = 0x8880_0003,
   CoverCrypt = 0x8880_0004,
-  FPEFF1 = 0x8880_0005,
+  CoverCryptBulk = 0x8880_0005,
 }
 
 export class KeyBlock {