feat: encrypt sms factor key before sending it to web3auth's service

safe-global · Nov 28, 2023 · c1a8f4a · c1a8f4a
1 parent 805e129
commit c1a8f4a
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 2 deletions.
diff --git a/src/services/mpc/EncryptionUtil.ts b/src/services/mpc/EncryptionUtil.ts
@@ -0,0 +1,32 @@
+import { getPubKeyPoint, encrypt, type EncryptedMessage, decrypt, toPrivKeyECC } from '@tkey-mpc/common-types'
+import { Point } from '@web3auth/mpc-core-kit'
+import type BN from 'bn.js'
+
+/**
+ * Util class to encrypt and decrypt data using i.e. the postbox key of the torus storage
+ */
+export default class EncryptionUtil {
+  private privateKey: BN
+
+  constructor(privateKey: BN) {
+    this.privateKey = privateKey
+  }
+
+  public async encrypt<T>(data: T): Promise<string> {
+    const oAuthKeyBN = this.privateKey
+    const oAuthPubKey = getPubKeyPoint(oAuthKeyBN)
+    const payload = JSON.stringify(data)
+    const encryptedMessage = await encrypt(
+      Point.fromTkeyPoint(oAuthPubKey).toBufferSEC1(false),
+      Buffer.from(payload, 'utf-8'),
+    )
+
+    return JSON.stringify(encryptedMessage)
+  }
+
+  public async decrypt<T>(data: string): Promise<T> {
+    const encryptedData = JSON.parse(data) as EncryptedMessage
+    const decryptedDataBuffer = await decrypt(toPrivKeyECC(this.privateKey), encryptedData)
+    return JSON.parse(decryptedDataBuffer.toString('utf-8')) as T
+  }
+}
diff --git a/src/services/mpc/recovery/SmsOtpRecovery.ts b/src/services/mpc/recovery/SmsOtpRecovery.ts
@@ -10,6 +10,7 @@ import { BN } from 'bn.js'
 import { ecsign, keccak256 } from 'ethereumjs-util'
 import { hexZeroPad } from 'ethers/lib/utils'
 import { SOCIAL_WALLET_OPTIONS } from '../config'
+import EncryptionUtil from '../EncryptionUtil'
 
 type SmsOtpStoreData = {
   number: string
@@ -209,11 +210,20 @@ export class SmsOtpRecovery {
       code,
       tracking_id,
     }
+    // We need the oAuthKey to encrypt / decrypt
+    const oAuthKey = this.mpcCoreKit.state.oAuthKey
+    if (!oAuthKey) {
+      throw new Error('Cannot create factor without oAuthKey')
+    }
+    const encryptionUtil = new EncryptionUtil(new BN(oAuthKey, 'hex'))
 
     if (isFirstTime) {
       // create a new factor key to setup data in the database.
       const newFactorKey = generateFactorKey()
-      data.data = JSON.stringify({ factorKey: newFactorKey.private.toString(16, 64) })
+
+      // Encrypt the key with the torus postbox key
+      const payload = { factorKey: newFactorKey.private.toString(16, 64) }
+      data.data = await encryptionUtil.encrypt(payload)
     }
 
     const response = await fetch(`${SmsOtpRecovery.BASE_URL}/api/v1/sms/verify`, {
@@ -231,7 +241,8 @@ export class SmsOtpRecovery {
     })
 
     // if successfull, add this factorKey and share info in tkey instance.
-    const storedFactorKey = JSON.parse(response.data)?.factorKey
+    const decryptedData = await encryptionUtil.decrypt<{ factorKey: string }>(response.data)
+    const storedFactorKey = decryptedData?.factorKey
     if (storedFactorKey) {
       const newFactorKey = new BN(storedFactorKey, 'hex')
       if (isFirstTime) {