From 0c002036a40803ad04104c05fe790efd30f0084c Mon Sep 17 00:00:00 2001
From: Tony Garnock-Jones <tonyg@leastfixedpoint.com>
Date: Mon, 6 Feb 2023 17:34:15 +0100
Subject: [PATCH] Switch to HMAC-BLAKE2s

---
 .../server-config/standard-dataspace.pr       |  2 +-
 examples/example-simple-chat/src/index.ts     |  2 +-
 packages/core/package.json                    |  3 +-
 packages/core/src/transport/cryptography.ts   | 31 ++++---------------
 packages/core/stubs/crypto.js                 |  1 -
 packages/create/template/src/index.ts         |  2 +-
 6 files changed, 11 insertions(+), 30 deletions(-)

diff --git a/examples/example-simple-chat/server-config/standard-dataspace.pr b/examples/example-simple-chat/server-config/standard-dataspace.pr
index 72f5f81..72e5bec 100644
--- a/examples/example-simple-chat/server-config/standard-dataspace.pr
+++ b/examples/example-simple-chat/server-config/standard-dataspace.pr
@@ -1,6 +1,6 @@
 let ?ds = dataspace
 
-; Connect using <route [<ws "...">] <ref "syndicate" [] #[pkgN9TBmEd3Q04grVG4Zdw]>>
+; Connect using <route [<ws "...">] <ref "syndicate" [] #[acowDB2/oI+6aSEC3YIxGg]>>
 <bind "syndicate" #x"" $ds>
 
 ; Connect using <route [<ws "...">] <noise { service: "syndicate", key: #x"21f6cd4e11e7e37711d6b3084ff18cded8fc8abf293aa47d43e8bb86dda65516" }>>
diff --git a/examples/example-simple-chat/src/index.ts b/examples/example-simple-chat/src/index.ts
index 27f9b4b..a7ae14e 100644
--- a/examples/example-simple-chat/src/index.ts
+++ b/examples/example-simple-chat/src/index.ts
@@ -114,7 +114,7 @@ function setDataspaceAddress() {
         //         Sturdy.SturdyRef({
         //             "oid": "syndicate",
         //             "caveatChain": [],
-        //             "sig": Bytes.fromHex('a6480df5306611ddd0d3882b546e1977'),
+        //             "sig": Bytes.fromHex('69ca300c1dbfa08fba692102dd82311a'),
         //         }))],
         // }));
         //
diff --git a/packages/core/package.json b/packages/core/package.json
index 4f36bed..bbad040 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -30,6 +30,7 @@
   "author": "Tony Garnock-Jones <tonyg@leastfixedpoint.com>",
   "dependencies": {
     "@preserves/core": ">=0.20.2",
-    "@preserves/schema": ">=0.21.2"
+    "@preserves/schema": ">=0.21.2",
+    "salty-crypto": "0.3"
   }
 }
diff --git a/packages/core/src/transport/cryptography.ts b/packages/core/src/transport/cryptography.ts
index 048968b..35ef014 100644
--- a/packages/core/src/transport/cryptography.ts
+++ b/packages/core/src/transport/cryptography.ts
@@ -3,6 +3,7 @@
 
 import { Bytes, underlying } from '@preserves/core';
 import * as node_crypto from 'crypto';
+import { makeHMAC, BLAKE2s } from 'salty-crypto';
 
 export const KEY_LENGTH = 16; // 128 bits
 
@@ -15,28 +16,8 @@ export const newKey: () => Promise<Bytes> =
     })
     : (async () => Bytes.from(node_crypto.randomBytes(KEY_LENGTH)));
 
-export const mac: (secretKey: Bytes, data: Bytes) => Promise<Bytes> =
-    (typeof crypto !== 'undefined' && 'subtle' in crypto)
-    ? (async (secretKey, data) => {
-        if (secretKey.length !== KEY_LENGTH) throw new Error("Invalid key length");
-        const k = await window.crypto.subtle.importKey(
-            "raw",
-            underlying(secretKey),
-            {
-                hash: 'SHA-256',
-                name: 'HMAC',
-            },
-            false,
-            ['sign']);
-        const bs = await window.crypto.subtle.sign({ name: 'HMAC' }, k, underlying(data));
-        return Bytes.from(new Uint8Array(bs, 0, KEY_LENGTH));
-    })
-    : (typeof node_crypto.createHmac !== 'undefined')
-    ? (async (secretKey, data) => {
-        const hmac = node_crypto.createHmac('sha256', underlying(secretKey));
-        hmac.update(underlying(data));
-        return Bytes.from(hmac.digest().subarray(0, KEY_LENGTH));
-    })
-    : (async (_secretKey, _data) => {
-        throw new Error('No HMAC SHA-256 available');
-    });
+const HMAC_BLAKE2s = makeHMAC(BLAKE2s);
+
+export async function mac(secretKey: Bytes, data: Bytes): Promise<Bytes> {
+    return Bytes.from(HMAC_BLAKE2s(underlying(secretKey), underlying(data)));
+}
diff --git a/packages/core/stubs/crypto.js b/packages/core/stubs/crypto.js
index e83fe5a..0f18876 100644
--- a/packages/core/stubs/crypto.js
+++ b/packages/core/stubs/crypto.js
@@ -2,4 +2,3 @@
 /// SPDX-FileCopyrightText: Copyright © 2016-2023 Tony Garnock-Jones <tonyg@leastfixedpoint.com>
 
 export const randomBytes = void 0;
-export const createHmac = void 0;
diff --git a/packages/create/template/src/index.ts b/packages/create/template/src/index.ts
index 11b6ded..1c69986 100644
--- a/packages/create/template/src/index.ts
+++ b/packages/create/template/src/index.ts
@@ -29,7 +29,7 @@ function bootApp(ds: Ref) {
                 "transports": [fromJS(Schemas.transportAddress.WebSocket(
                     `ws://${document.location.hostname}:9001/`))],
                 "steps": [wsRelay.Noise.RouteStep.GatekeeperStep(Sturdy.asSturdyRef(
-                    new Reader<Ref>('<ref "syndicate" [] #[pkgN9TBmEd3Q04grVG4Zdw==]>').next()))],
+                    new Reader<Ref>('<ref "syndicate" [] #[acowDB2/oI+6aSEC3YIxGg==]>').next()))],
             });
 
             during wsRelay.Resolved({