fix: derivate encryption pemPublicKey from provided pemPrivateKey

PierreJeanjacquot · PierreJeanjacquot · commit 543a548fb4b6 · 2025-10-23T15:06:00.000+02:00
diff --git a/packages/sdk/src/lib/dataProtectorCore/processProtectedData.ts b/packages/sdk/src/lib/dataProtectorCore/processProtectedData.ts
@@ -15,7 +15,10 @@ import {
   filterWorkerpoolOrders,
 } from '../../utils/processProtectedData.models.js';
 import { pushRequesterSecret } from '../../utils/pushRequesterSecret.js';
-import { getFormattedKeyPair } from '../../utils/rsa.js';
+import {
+  getPemFormattedKeyPair,
+  formatPemPublicKeyForSMS,
+} from '../../utils/rsa.js';
 import {
   addressOrEnsSchema,
   addressSchema,
@@ -298,18 +301,17 @@ export const processProtectedData = async <
           isDone: false,
         });
       }
-      const { publicKey, privateKey: generatedPrivateKey } =
-        await getFormattedKeyPair({
-          pemPrivateKey: vPemPrivateKey,
-        });
-      privateKey = generatedPrivateKey;
+      const pemKeyPair = await getPemFormattedKeyPair({
+        pemPrivateKey: vPemPrivateKey,
+      });
+      privateKey = pemKeyPair.pemPrivateKey;
       // Notify user if a new key was generated
       if (!vPemPrivateKey) {
         vOnStatusUpdate({
           title: 'GENERATE_ENCRYPTION_KEY',
           isDone: true,
           payload: {
-            pemPrivateKey: generatedPrivateKey,
+            pemPrivateKey: pemKeyPair.pemPrivateKey,
           },
         });
       }
@@ -318,19 +320,22 @@ export const processProtectedData = async <
         title: 'PUSH_ENCRYPTION_KEY',
         isDone: false,
         payload: {
-          publicKey,
+          pemPublicKey: pemKeyPair.pemPublicKey,
         },
       });
 
-      await iexec.result.pushResultEncryptionKey(publicKey, {
-        forceUpdate: true,
-      });
+      await iexec.result.pushResultEncryptionKey(
+        formatPemPublicKeyForSMS(pemKeyPair.pemPublicKey),
+        {
+          forceUpdate: true,
+        }
+      );
 
       vOnStatusUpdate({
         title: 'PUSH_ENCRYPTION_KEY',
         isDone: true,
         payload: {
-          publicKey,
+          pemPublicKey: pemKeyPair.pemPublicKey,
         },
       });
     }
diff --git a/packages/sdk/src/lib/dataProtectorSharing/consumeProtectedData.ts b/packages/sdk/src/lib/dataProtectorSharing/consumeProtectedData.ts
@@ -7,7 +7,10 @@ import {
 } from '../../utils/errors.js';
 import { getEventFromLogs } from '../../utils/getEventFromLogs.js';
 import { resolveENS } from '../../utils/resolveENS.js';
-import { getFormattedKeyPair } from '../../utils/rsa.js';
+import {
+  getPemFormattedKeyPair,
+  formatPemPublicKeyForSMS,
+} from '../../utils/rsa.js';
 import {
   addressOrEnsSchema,
   throwIfMissing,
@@ -42,7 +45,6 @@ export const consumeProtectedData = async ({
   path,
   workerpool,
   maxPrice = DEFAULT_MAX_PRICE,
-  pemPublicKey,
   pemPrivateKey,
   onStatusUpdate = () => {},
 }: IExecConsumer &
@@ -62,9 +64,6 @@ export const consumeProtectedData = async ({
     .label('workerpool')
     .default(defaultWorkerpool)
     .validateSync(workerpool);
-  const vPemPublicKey = string()
-    .label('pemPublicKey')
-    .validateSync(pemPublicKey);
   const vPemPrivateKey = string()
     .label('pemPrivateKey')
     .validateSync(pemPrivateKey);
@@ -138,21 +137,29 @@ export const consumeProtectedData = async ({
       isDone: true,
     });
 
-    const { publicKey, privateKey } = await getFormattedKeyPair({
-      pemPublicKey: vPemPublicKey,
+    const pemKeyPair = await getPemFormattedKeyPair({
       pemPrivateKey: vPemPrivateKey,
     });
 
     vOnStatusUpdate({
       title: 'PUSH_ENCRYPTION_KEY',
       isDone: false,
+      payload: {
+        pemPublicKey: pemKeyPair.pemPublicKey,
+      },
     });
-    await iexec.result.pushResultEncryptionKey(publicKey, {
-      forceUpdate: true,
-    });
+    await iexec.result.pushResultEncryptionKey(
+      formatPemPublicKeyForSMS(pemKeyPair.pemPublicKey),
+      {
+        forceUpdate: true,
+      }
+    );
     vOnStatusUpdate({
       title: 'PUSH_ENCRYPTION_KEY',
       isDone: true,
+      payload: {
+        pemPublicKey: pemKeyPair.pemPublicKey,
+      },
     });
 
     // Make a deal
@@ -218,7 +225,7 @@ export const consumeProtectedData = async ({
       iexec,
       taskId,
       path: vPath,
-      pemPrivateKey: privateKey,
+      pemPrivateKey: pemKeyPair.pemPrivateKey,
       onStatusUpdate: vOnStatusUpdate,
     });
 
@@ -227,7 +234,7 @@ export const consumeProtectedData = async ({
       dealId,
       taskId,
       result,
-      pemPrivateKey: privateKey,
+      pemPrivateKey: pemKeyPair.pemPrivateKey,
     };
   } catch (e) {
     handleIfProtocolError(e);
diff --git a/packages/sdk/src/lib/types/sharingTypes.ts b/packages/sdk/src/lib/types/sharingTypes.ts
@@ -107,7 +107,6 @@ export type ConsumeProtectedDataParams = {
   path?: string;
   workerpool?: AddressOrENS;
   maxPrice?: number;
-  pemPublicKey?: string;
   pemPrivateKey?: string;
   onStatusUpdate?: OnStatusUpdateFn<ConsumeProtectedDataStatuses>;
 };
diff --git a/packages/sdk/src/utils/indexedDb.ts b/packages/sdk/src/utils/indexedDb.ts
@@ -1,6 +1,6 @@
 let db: IDBDatabase;
 
-export async function storeKeyPair(publicKey: string, privateKey: CryptoKey) {
+export async function storeKeyPair(keyPair: CryptoKeyPair) {
   if (typeof window === 'undefined' || !('indexedDB' in window)) {
     return;
   }
@@ -10,11 +10,8 @@ export async function storeKeyPair(publicKey: string, privateKey: CryptoKey) {
       .transaction('keyPair', 'readwrite')
       .objectStore('keyPair')
       .add({
-        keyPairName: 'keyPair01',
-        keyPair: {
-          publicKey,
-          privateKey,
-        },
+        keyPairName: 'CryptoKeyPair',
+        keyPair,
       });
 
     writeRequest.onerror = (err) => {
@@ -32,7 +29,7 @@ export async function storeKeyPair(publicKey: string, privateKey: CryptoKey) {
 export async function getSavedKeyPair(): Promise<
   | {
       keyPairName: string;
-      keyPair: { publicKey: string; privateKey: CryptoKey };
+      keyPair: CryptoKeyPair;
     }
   | undefined
 > {
@@ -51,7 +48,7 @@ export async function getSavedKeyPair(): Promise<
       const readRequest = db
         .transaction('keyPair')
         .objectStore('keyPair')
-        .get('keyPair01');
+        .get('CryptoKeyPair');
 
       readRequest.onerror = (err) => {
         console.error('[indexedDB] readRequest() ERROR', err);
@@ -75,7 +72,7 @@ export async function getSavedKeyPair(): Promise<
         const readKeyPairRequest = db
           .transaction('keyPair', 'readonly')
           .objectStore('keyPair')
-          .get('keyPair');
+          .get('CryptoKeyPair');
 
         readKeyPairRequest.onerror = (event) => {
           console.log('[indexedDB] readKeyPairRequest() ERROR', event);
diff --git a/packages/sdk/src/utils/rsa.ts b/packages/sdk/src/utils/rsa.ts
@@ -1,47 +1,48 @@
 import { getSavedKeyPair, storeKeyPair } from './indexedDb.js';
 
-export async function getFormattedKeyPair({
-  pemPublicKey,
+export async function getPemFormattedKeyPair({
   pemPrivateKey,
 }: {
-  pemPublicKey?: string;
   pemPrivateKey?: string;
-}) {
-  // Keypair is given, use it
-  if (pemPublicKey && pemPrivateKey) {
-    return {
-      publicKey: toBase64(pemPublicKey),
-      privateKey: pemPrivateKey,
-    };
+}): Promise<{
+  pemPublicKey: string;
+  pemPrivateKey: string;
+}> {
+  if (pemPrivateKey) {
+    return loadKeyPair(pemPrivateKey);
   }
-
-  // Get keypair from indexedDB (if available) or generate a new one
   return getOrGenerateKeyPair();
 }
 
+export function formatPemPublicKeyForSMS(pemPublicKey: string) {
+  return toBase64(pemPublicKey);
+}
+
 export async function getOrGenerateKeyPair() {
-  let publicKey: string;
-  let privateKey: CryptoKey;
+  let keyPair: CryptoKeyPair;
   const existingKeyPair = await getSavedKeyPair();
   if (existingKeyPair) {
-    publicKey = existingKeyPair.keyPair.publicKey;
-    privateKey = existingKeyPair.keyPair.privateKey;
+    keyPair = existingKeyPair.keyPair;
   } else {
-    const { publicKey: genPublicKey, privateKey: genPrivateKey } =
-      await generateKeyPair();
-    publicKey = genPublicKey;
-    privateKey = genPrivateKey;
-
-    await storeKeyPair(publicKey, privateKey);
+    keyPair = await generateKeyPair();
+    await storeKeyPair(keyPair);
   }
+  return formatKeyPairAsPem(keyPair);
+}
+
+export async function loadKeyPair(pem: string) {
+  const keyPair = await cryptoKeyPairFromPem(pem);
+  return formatKeyPairAsPem(keyPair);
+}
+
+async function formatKeyPairAsPem(keyPair: CryptoKeyPair) {
   return {
-    publicKey,
-    privateKey: await privateAsPem(privateKey),
+    pemPublicKey: await publicAsPem(keyPair.publicKey),
+    pemPrivateKey: await privateAsPem(keyPair.privateKey),
   };
 }
 
 export async function generateKeyPair() {
-  const isExtractable = true;
   const { crypto } = await getCrypto();
   const keyPair = await crypto.subtle.generateKey(
     {
@@ -50,16 +51,10 @@ export async function generateKeyPair() {
       publicExponent: new Uint8Array([1, 0, 1]),
       hash: 'SHA-256',
     },
-    isExtractable,
+    true, // extractable
     ['encrypt', 'decrypt']
   );
-
-  const formattedPublicKey = await formatPublicKeyForSMS(keyPair.publicKey);
-
-  return {
-    publicKey: formattedPublicKey, // <- PEM key encoded in base64
-    privateKey: keyPair.privateKey,
-  };
+  return keyPair;
 }
 
 export async function getCrypto() {
@@ -75,18 +70,11 @@ export async function getCrypto() {
   };
 }
 
-async function formatPublicKeyForSMS(publicKey: CryptoKey) {
-  const publicKeyAsPem = await publicAsPem(publicKey);
-  return toBase64(publicKeyAsPem);
-}
-
 async function publicAsPem(publicKey: CryptoKey) {
   const { crypto } = await getCrypto();
   const publicKeyAsBuffer = await crypto.subtle.exportKey('spki', publicKey);
-
   let body = btoa(String.fromCharCode(...new Uint8Array(publicKeyAsBuffer)));
   body = body.match(/.{1,64}/g).join('\n');
-
   return `-----BEGIN PUBLIC KEY-----\n${body}\n-----END PUBLIC KEY-----`;
 }
 
@@ -98,6 +86,57 @@ export async function privateAsPem(privateKey: CryptoKey) {
   return `-----BEGIN PRIVATE KEY-----\n${body}\n-----END PRIVATE KEY-----`;
 }
 
+export async function cryptoKeyPairFromPem(
+  pemPrivateKey: string
+): Promise<CryptoKeyPair> {
+  const { crypto } = await getCrypto();
+  function pemToArrayBuffer(pem: string): ArrayBuffer {
+    const b64Lines = pem
+      .replace('-----BEGIN PRIVATE KEY-----', '')
+      .replace('-----END PRIVATE KEY-----', '')
+      .replace(/\s/g, '');
+    const bStr = atob(b64Lines);
+    const bytes = new Uint8Array(bStr.length);
+    for (let i = 0; i < bStr.length; i++) {
+      bytes[i] = bStr.charCodeAt(i);
+    }
+    return bytes.buffer;
+  }
+  // Import the private key
+  const privateKey = await crypto.subtle.importKey(
+    'pkcs8',
+    pemToArrayBuffer(pemPrivateKey),
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256',
+    },
+    true, // extractable
+    ['decrypt']
+  );
+  // Transform to JWK to derive the public key
+  const jwk = await crypto.subtle.exportKey('jwk', privateKey);
+  // Remove private components to create public JWK
+  const publicJwk = {
+    kty: jwk.kty,
+    n: jwk.n,
+    e: jwk.e,
+    alg: jwk.alg,
+    ext: true,
+    key_ops: ['encrypt'],
+  };
+  const publicKey = await crypto.subtle.importKey(
+    'jwk',
+    publicJwk,
+    {
+      name: 'RSA-OAEP',
+      hash: 'SHA-256',
+    },
+    true,
+    ['encrypt']
+  );
+  return { privateKey, publicKey };
+}
+
 function toBase64(publicKeyAsPem: string) {
   return btoa(publicKeyAsPem);
 }
diff --git a/packages/sdk/tests/e2e/dataProtectorCore/processProtectedData.test.ts b/packages/sdk/tests/e2e/dataProtectorCore/processProtectedData.test.ts
