Web Crypto APIs

[zone117x]

Description

Closes #691

The goal of this PR is to make the cryptographic operations performed by blockstack.js more efficient -- less CPU & memory intensive and smaller file size (especially for mobile).

This primarily improves the performance of storage and authentication functions.

This PR includes a refactor of all usages of applicable cryptographic operations to use the W3C native Web Crypto APIs.

This includes:

• aes-256-cbc encrypt & decrypt
• sha-256 and sha-512 hash digests
• hmac-sha256 digest
• pbkdf2-sha256 and pbkdf2-sha512 password derivation

The ripemd160 hash digest is not available in the Web Crypto API, however, it has been converted to use a minimal and relatively fast JS lib as opposed to the large node.js crypto module polyfill.

The triplesec lib is no longer a direct blockstack.js dependency. It must now be provided by the consumer application. It was responsible for ~250KB of the blockstack.js dist, but is used only for decrypting legacy mnemonics. AFAIK no regular apps built on Blockstack use this. Only a few consumer apps use this function (e.g. blockstack-cli, blockstack-browser, wallet[?]). It has been made trivial for consumer apps to import the triplesec lib and pass it to blockstack.js.

The cheerio html parsing lib has the same treatment as above. It is used for social proofs, which is not directly used by typical apps. Consumer apps (e.g. Gaia, blockstack-browser) must import this dependency themselves.

The dist bundle size is now down to 550KB.

The linter rules were tightened up, especially around Promise/async/await handling. This helped catch several instance of bugs like `some_string_${promise_variable}` -> `some_string_${await promise_variable}`. The stricter rules also ended up requiring minor changes to some code that is not necessarily related to cryptographic operations.

For updates on our effected consumer apps, see:

• Use blockstack.js W3C crypto stacks-archive/blockstack-browser#1966
• w3c crypto stacks-archive/keychain#10
• [Do not merge] Blockstack.js async crypto stacks-archive/cli-blockstack#27
• [Do not merge] Blockstack.js async crypto stacks-archive/gaia#272

Type of Change

• New feature
• API reference/documentation update

Does this introduce a breaking change?

This is a breaking change and requires a major version update.

Note: the Web Crypto APIs only provide async functions, so the changes to use these propagated up to several other functions in the call graphs.

I kept a list of all functions that were previously synchronous which now return promises. Most of these are not public API functions. These have been listed in the CHANGELOG:

handleSignedEncryptedContents
makeAuthResponse
encryptECIES
decryptECIES
encryptPrivateKey
decryptPrivateKey
encryptContent
decryptContent
aes256CbcEncrypt
aes256CbcDecrypt
hmacSha256

Are documentation updates required?

Possibly -- the API reference docs will be auto updated, but any tutorials referencing the above functions may need updated.

Checklist

• Code is commented where needed
• Unit test coverage for new or modified code paths
• npm run test passes
• Changelog is updated
• Tag 1 of @yknl or @zone117x for review

Extra TODO

• Ensure working on all supported browsers: Chrome, Firefox, Safari, Edge
  • (?) Determine minimum supported versions for each browser.

[codecov]

Codecov Report

Merging #737 into develop will increase coverage by 0.53%.
The diff coverage is 77.7%.

@@             Coverage Diff             @@
##           develop     #737      +/-   ##
===========================================
+ Coverage    68.62%   69.15%   +0.53%     
===========================================
  Files           57       65       +8     
  Lines         3429     3693     +264     
  Branches       623      658      +35     
===========================================
+ Hits          2353     2554     +201     
- Misses         778      821      +43     
- Partials       298      318      +20

Impacted Files	Coverage Δ
src/auth/userSession.ts	49.43% <ø> (ø)	⬆️
src/fetchUtil.ts	100% <ø> (ø)	⬆️
src/profiles/services/index.ts	100% <ø> (ø)	⬆️
src/profiles/profileSchemas/organization.ts	35.71% <0%> (ø)	⬆️
src/auth/protocolEchoDetection.ts	15.62% <0%> (-4.38%)	⬇️
src/profiles/profileSchemas/person.ts	90% <0%> (ø)	⬆️
src/profiles/profileSchemas/creativework.ts	35.71% <0%> (ø)	⬆️
src/auth/authSession.ts	9.43% <0%> (-1.68%)	⬇️
src/profiles/services/twitter.ts	83.33% <100%> (+10.6%)	⬆️
src/encryption/cryptoRandom.ts	100% <100%> (ø)
... and 44 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2018ea7...783ccaa. Read the comment docs.

[yknl]

Thanks @zone117x for all the work on this PR. It looks mostly good for me, but I think the latest changes broke some of the tests. I'm getting 12 failed tests right now, mostly on the RIPEMD160 and SHA2 hash tests.

[zone117x]

@yknl If you are still running into test failures, can you ensure Node.js >=10 is being used, and try wiping your node_modules directory and re-running npm i.
I just tested with both Node v10 and v12, and all tests are passing. Also just pushed a fix for v8 which allows all tests to pass.

[yknl]

LGTM

[diwakergupta]

@zone117x looks like this has been approved a while back, any other blockers to merging?