chore(WIP): migrate to @noble/curves and eciesjs

package.json

@@ -69,5 +69,6 @@
     "semver": "https://github.com/RequestNetwork/requestNetwork/security/dependabot/197",
     "json-schema": "https://github.com/RequestNetwork/requestNetwork/security/dependabot/51",
     "json5": "https://github.com/RequestNetwork/requestNetwork/security/dependabot/165"
-  }
+  },
+  "packageManager": "[email protected]+sha1.1959a18351b811cdeedbd484a8f86c3cc3bbaf72"
 }

packages/payment-detection/package.json

@@ -57,7 +57,7 @@
     "@graphql-codegen/cli": "4.0.1",
     "@graphql-codegen/typescript": "4.0.1",
     "@graphql-codegen/typescript-document-nodes": "4.0.1",
-    "@graphql-codegen/typescript-graphql-request": "6.0.1",
+    "@graphql-codegen/typescript-graphql-request": "6.2.0",
     "@graphql-codegen/typescript-operations": "4.0.1",
     "@graphql-codegen/typescript-resolvers": "4.0.1",
     "@jridgewell/gen-mapping": "0.3.2",

packages/payment-detection/src/thegraph/client.ts

@@ -2,9 +2,8 @@
 import { CurrencyTypes } from '@requestnetwork/types';
 import { NearChains } from '@requestnetwork/currency';
 import { GraphQLClient } from 'graphql-request';
-import { Block_Height, Maybe, getSdk } from './generated/graphql';
+import { Block_Height, getSdk, Maybe } from './generated/graphql';
 import { getSdk as getNearSdk } from './generated/graphql-near';
-import { RequestConfig } from 'graphql-request/src/types';
 
 const THE_GRAPH_STUDIO_URL =
   'https://api.studio.thegraph.com/query/67444/request-payments-$NETWORK/version/latest';
@@ -41,6 +40,8 @@ export type TheGraphQueryOptions = {
   blockFilter?: Maybe<Block_Height>;
 };
 
+type RequestConfig = (typeof GraphQLClient.prototype)['requestConfig'];
+
 export type TheGraphClientOptions = RequestConfig & {
   /** constraint to select indexers that have at least parsed this block */
   minIndexedBlock?: number | undefined;

packages/payment-detection/src/thegraph/superfluid.ts

@@ -1,6 +1,5 @@
 import { GraphQLClient } from 'graphql-request';
 import { getSdk } from './generated/graphql-superfluid';
-import { RequestConfig } from 'graphql-request/src/types';
 
 const BASE_URL = `https://subgraph-endpoints.superfluid.dev`;
 const NETWORK_TO_URL: Record<string, string> = {
@@ -22,6 +21,7 @@ const NETWORK_TO_URL: Record<string, string> = {
 /**
  * A GraphQL client to query Superfluid's subgraph.
  */
+type RequestConfig = (typeof GraphQLClient.prototype)['requestConfig'];
 export type TheGraphSuperfluidClient = ReturnType<typeof getSdk>;
 export type TheGraphClientOptions = RequestConfig & {
   baseUrl?: string;

packages/request-node/package.json

@@ -56,7 +56,7 @@
     "@requestnetwork/utils": "0.54.0",
     "chalk": "4.1.0",
     "cors": "2.8.5",
-    "dotenv": "8.2.0",
+    "dotenv": "16.5.0",
     "ethers": "5.7.2",
     "express": "4.21.0",
     "graphql": "16.8.1",

packages/smart-contracts/package.json

@@ -78,7 +78,7 @@
     "@types/mocha": "8.2.3",
     "@types/node": "18.11.9",
     "chai": "4.3.4",
-    "dotenv": "10.0.0",
+    "dotenv": "16.5.0",
     "ethereum-waffle": "3.4.4",
     "ethers": "5.7.2",
     "ganache-cli": "6.12.0",

packages/thegraph-data-access/package.json

@@ -45,7 +45,7 @@
     "@requestnetwork/types": "0.54.0",
     "@requestnetwork/utils": "0.54.0",
     "ethers": "5.7.2",
-    "graphql-request": "7.1.2",
+    "graphql-request": "6.1.0",
     "tslib": "2.5.0"
   },
   "devDependencies": {

packages/thegraph-data-access/src/subgraph-client.ts

@@ -1,5 +1,5 @@
 import { DataAccessTypes, StorageTypes } from '@requestnetwork/types';
-import { GraphQLClient } from 'graphql-request';
+import { GraphQLClient, Variables } from 'graphql-request';
 import {
   GetBlockQuery,
   GetTransactionByDataHashQuery,
@@ -10,12 +10,12 @@ import {
   Transaction,
   TransactionsBody,
 } from './queries';
-import { Variables } from 'graphql-request/build/cjs/types';
-import { RequestConfig } from 'graphql-request/build/legacy/helpers/types';
 
 // Max Int value (as supported by grapqhl types)
 const MAX_INT_VALUE = 0x7fffffff;
 
+type RequestConfig = (typeof GraphQLClient.prototype)['requestConfig'];
+
 type ClientConfig = Omit<RequestConfig, 'headers'> & { headers?: Record<string, string> };
 
 export class SubgraphClient implements StorageTypes.IIndexer {

packages/thegraph-data-access/src/types.ts

@@ -1,6 +1,8 @@
 import { StorageTypes } from '@requestnetwork/types';
 import { DataAccessBaseOptions } from '@requestnetwork/data-access';
-import { RequestConfig } from 'graphql-request/build/legacy/helpers/types';
+import { GraphQLClient } from 'graphql-request';
+
+type RequestConfig = (typeof GraphQLClient.prototype)['requestConfig'];
 
 export type TheGraphDataAccessOptions = DataAccessBaseOptions & {
   graphql: { url: string } & Omit<RequestConfig, 'headers'> & { headers?: Record<string, string> };

packages/utils/package.json

@@ -40,10 +40,12 @@
     "test:watch": "yarn test --watch"
   },
   "dependencies": {
+    "@ecies/ciphers": "0.2.3",
+    "@noble/curves": "1.8.1",
+    "@noble/hashes": "1.7.1",
     "@requestnetwork/types": "0.54.0",
-    "@toruslabs/eccrypto": "4.0.0",
+    "eciesjs": "0.4.14",
     "ethers": "5.7.2",
-    "secp256k1": "4.0.4",
     "tslib": "2.5.0"
   },
   "devDependencies": {

packages/utils/src/crypto.ts

@@ -10,10 +10,10 @@ import {
 import {
   ecDecrypt,
   ecEncrypt,
-  getAddressFromPrivateKey,
-  getAddressFromPublicKey,
   ecRecover,
   ecSign,
+  getAddressFromPrivateKey,
+  getAddressFromPublicKey,
 } from './crypto/ec-utils';
 import { deepSort } from './utils';
 

packages/utils/src/crypto/crypto-wrapper.ts

@@ -1,7 +1,7 @@
 import { createCipheriv, createDecipheriv, randomBytes as cryptoRandomBytes } from 'crypto';
 
 /**
- * Functions to manage native crypto functions of nodeJs
+ * Functions to manage native crypto functions of Node.js
  */
 export {
   decryptWithAes256cbc,
@@ -77,7 +77,7 @@ async function encryptWithAes256gcm(data: Buffer, key: Buffer): Promise<Buffer>
 /**
  * Decrypts an encrypted buffer using AES-256-cbc plus a random Initialization Vector (IV)
  *
- * @param encrypted the data to decrypt
+ * @param encryptedAndIv the data to decrypt
  * @param key key of the encryption
  *
  * @returns Promise resolving a buffer containing the data decrypted

packages/utils/src/crypto/ec-utils-legacy.ts

@@ -0,0 +1,81 @@
+import { PrivateKey, PublicKey } from 'eciesjs';
+import { secp256k1 } from '@noble/curves/secp256k1';
+import { sha256, sha512 } from '@noble/hashes/sha2';
+import { aes256cbc } from '@ecies/ciphers/aes';
+import { hmac } from '@noble/hashes/hmac';
+
+/**
+ * Decrypt the `eccrypto` way: using ECIES with AES-CBC-MAC and SHA-512 derivation.
+ * Migrated from https://github.com/torusresearch/eccrypto/blob/923ebc03e5be016a7ee27a04d8c3b496ee949bfa/src/index.ts#L264
+ * but using `@noble/curves` instead of `elliptics`
+ */
+export const ecDecryptLegacy = (privateKey: string, dataHex: string, padding = false): string => {
+  const { iv, ephemPublicKey, mac, ciphertext } = legacyAes256CbcMacSplit(dataHex);
+  const receiverPrivateKey = PrivateKey.fromHex(privateKey.replace(/^0x/, ''));
+  const sharedKey = deriveSharedKeyWithSha512(receiverPrivateKey, ephemPublicKey, padding);
+  const encryptionKey = sharedKey.subarray(0, 32);
+  const macKey = sharedKey.subarray(32);
+  const dataToMac = Buffer.concat([iv, ephemPublicKey.toBytes(false), ciphertext]);
+  const macGood = hmacSha256Verify(macKey, dataToMac, mac);
+  if (!macGood) {
+    if (!padding) {
+      return ecDecryptLegacy(privateKey, dataHex, true);
+    }
+    throw new Error('The encrypted data is not well formatted');
+  }
+  const decrypted = aes256cbc(encryptionKey, iv).decrypt(ciphertext);
+  return Buffer.from(decrypted).toString();
+};
+
+const hmacSha256Verify = (key: Uint8Array, msg: Uint8Array, sig: Uint8Array): boolean => {
+  const expectedSig = hmac(sha256, key, msg);
+  return equalConstTime(expectedSig, sig);
+};
+
+// Compare two buffers in constant time to prevent timing attacks.
+const equalConstTime = (b1: Uint8Array, b2: Uint8Array): boolean => {
+  if (b1.length !== b2.length) {
+    return false;
+  }
+  let res = 0;
+  for (let i = 0; i < b1.length; i++) {
+    res |= b1[i] ^ b2[i];
+  }
+  return res === 0;
+};
+
+const deriveSharedKeyWithSha512 = (
+  privateKey: PrivateKey,
+  publicKey: PublicKey,
+  padding = false,
+): Uint8Array => {
+  const sharedPoint = secp256k1.getSharedSecret(privateKey.secret, publicKey.toBytes());
+  const paddedBytes = padding ? sharedPoint.subarray(1) : sharedPoint.subarray(2);
+  const hash = sha512.create().update(paddedBytes).digest();
+  return new Uint8Array(hash);
+};
+
+/**
+ * Split a legacy-encrypted hex string to its AES-CBC-MAC params.
+ * See legacy way of generating an encrypted strings with the `@toruslabs/eccrypto` > `elliptic` library:
+ * https://github.com/RequestNetwork/requestNetwork/blob/4597d373b0284787273471cf306dd9b849c9f76a/packages/utils/src/crypto/ec-utils.ts#L141
+ */
+const legacyAes256CbcMacSplit = (dataHex: string) => {
+  const buffer = Buffer.from(dataHex, 'hex');
+
+  const ivSize = 16;
+  const ephemPublicKeySize = 33;
+  const ephemPublicKeyEnd = ivSize + ephemPublicKeySize;
+  const macSize = 32;
+  const macEnd = ephemPublicKeyEnd + macSize;
+
+  const ephemPublicKeyStr = buffer.subarray(ivSize, ephemPublicKeyEnd);
+  const ephemPublicKey = new PublicKey(ephemPublicKeyStr);
+
+  return {
+    iv: buffer.subarray(0, ivSize),
+    ephemPublicKey,
+    mac: buffer.subarray(ephemPublicKeyEnd, macEnd),
+    ciphertext: buffer.subarray(macEnd),
+  };
+};