chore: Merge branch 'release/v8.1.0'

.github/workflows/ci.yml

@@ -17,6 +17,7 @@ jobs:
         python3 scripts/download_wasm.py
         npm install
       kms-version: 4.3.3
+      findex-cloud-version: 0.1.0
 
   lint:
     needs: build
@@ -33,6 +34,7 @@ jobs:
       subcommands: |
         npm test
       kms-version: 4.3.3
+      findex-cloud-version: 0.1.0
       regression_files: |
         ./node_modules/non_regression_vector.json
         ./node_modules/sqlite.db
@@ -91,6 +93,7 @@ jobs:
         cd ../test
         node chrome.mjs http://localhost:8090 http://kms:9998
       kms-version: 4.3.3
+      findex-cloud-version: 0.1.0
 
   example_reactjs:
     needs: build_in_docker
@@ -105,6 +108,20 @@ jobs:
         cd ../test
         node chrome.mjs http://localhost:8090 http://kms:9998
       kms-version: 4.3.3
+      findex-cloud-version: 0.1.0
+
+  example_browser:
+    needs: build_in_docker
+    uses: ./.github/workflows/js_in_docker.yml
+    with:
+      subcommands: |
+        cd examples/browser
+        npm install
+        python3 -m http.server &
+        sleep 3
+        node test.mjs
+      kms-version: 4.3.3
+      findex-cloud-version: 0.1.0
 
   example_webpack:
     needs: build
@@ -124,6 +141,7 @@ jobs:
         npm install
         node test.mjs 10
       kms-version: 4.3.3
+      findex-cloud-version: 0.1.0
 
   example_imdb:
     needs: build

.github/workflows/js_in_docker.yml

@@ -10,10 +10,13 @@ on:
       kms-version:
         required: true
         type: string
+      findex-cloud-version:
+        required: true
+        type: string
       regression_files:
         required: false
         type: string
-        default: ''
+        default: ""
 
 jobs:
   js-in-docker:
@@ -29,6 +32,9 @@ jobs:
           KMS_PRIVATE_PATH: /tmp
           KMS_SHARED_PATH: /tmp
 
+      findex_cloud:
+        image: ghcr.io/cosmian/findex_cloud:${{ inputs.findex-cloud-version }}
+
       redis:
         image: redis
         options: >-

.pre-commit-config.yaml

@@ -29,15 +29,14 @@ repos:
     rev: v0.32.2
     hooks:
       - id: markdownlint-fix
-        args: [--disable=MD013, --disable=MD024, --disable=MD041]
+        args: [--disable=MD004, --disable=MD013, --disable=MD024, --disable=MD041]
 
   - repo: https://github.com/Lucas-C/pre-commit-hooks-nodejs
     rev: v1.1.2
     hooks:
       - id: htmlhint
       - id: dockerfile_lint
       - id: markdown-toc
-        args: [--bullets="-"]
 
   - repo: https://github.com/jumanjihouse/pre-commit-hook-yamlfmt
     rev: 0.2.2

CHANGELOG.md

@@ -2,6 +2,25 @@
 
 All notable changes to this project will be documented in this file.
 
+## [8.1.0] - 2023-04-06
+
+### Features
+
+- Add Format-Preserving-Encryption (FPE):
+  * add integer and big integers encryption (as string with radix and digits)
+  * add string encryption according to given alphabet
+    - "numeric": 0123456789
+    - "hexa_decimal": 0123456789abcdef
+    - "alpha_lower": abcdefghijklmnopqrstuvwxyz
+    - "alpha_upper": ABCDEFGHIJKLMNOPQRSTUVWXYZ
+    - "alpha": abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
+    - "alpha_numeric": 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
+    - "utf": creates an Alphabet with the first 63489 (~2^16) Unicode characters
+    - "chinese": creates an Alphabet with the Chinese characters
+    - "latin1sup": creates an Alphabet with the latin-1 and latin1-supplement characters (supports French)
+    - "latin1sup_alphanum": creates an Alphabet with the latin-1 and latin1-supplement characters but without the non alphanumeric characters (supports French)
+  * add float encryption
+
 ## [8.0.0] - 2023-03-08
 
 ### Features

README.md

@@ -30,6 +30,8 @@ policies over these attributes. `CoverCrypt` offers Post-Quantum resistance.
 an untrusted cloud server. Thanks to its encrypted indexes, large databases can
 securely be outsourced without compromising usability.
 
+- [FPE](https://github.com/Cosmian/cloudproof_rust/tree/main/crates/fpe) provides `Format Preserving Encryption` (FPE) techniques for use in a zero-trust environment. These techniques are based on FPE-FF1 which is described in [NIST:800-38G](https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-38g.pdf).
+
 ## Getting started
 
 Please [check the online documentation](https://docs.cosmian.com/cloudproof_encryption/use_cases_benefits/) for details on using the CloudProof APIs.
@@ -75,3 +77,4 @@ From the version 8.0.0, `cloudproof_js` depends on [cloudproof_rust](https://git
 | `cloudproof_js` | Cloudproof Rust lib |
 |-----------------|---------------------|
 | 8.0.0           | 1.0.0               |
+| 8.1.0           | 1.1.0               |

docker-compose.yml

@@ -13,6 +13,10 @@ services:
       - KMS_SHARED_PATH=/tmp
     ports:
       - 9998:9998
+  findex_cloud:
+    image: ghcr.io/cosmian/findex_cloud:0.1.0
+    ports:
+      - 8080:8080
   redis:
     image: redis:latest
     ports:

examples/README.md

@@ -6,3 +6,4 @@ This folder contains multiple examples to get started with CloudproofJS.
 - **If you want to use search (Findex) and encryption (CoverCrypt / KMS), and you know ReactJS** go to [the ReactJS example](./reactjs)
 - **If you want to use only encryption (CoverCrypt / KMS)** go to [the NodeJS example](./nodejs)
 - **If you want to use only search (Findex)** go to [the IMDB example](./nodejs_search_imdb/index.mjs) or [the Full text search example](./full_text_search/index.mjs)
+- **If you want to use Cloudproof inside the browser without build step** go to [browser example](./browser) (the code inside the example is minimal but all Cloudproof features are supported inside the browser)

examples/browser/index.html

@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>CloudproofJS in browser</title>
+    <link rel="icon" href="data:,">
+</head>
+<body>
+    <p>This demo should work without any JS build.</p>
+
+    <script src="node_modules/cloudproof_js/dist/umd/index.js"></script>
+    <script>
+        const { CoverCrypt } = window.cloudproof_js;
+
+        (async () => {
+            const { Policy, PolicyAxis, generateMasterKeys, generateUserSecretKey, encrypt, decrypt } = await CoverCrypt();
+
+            const policy = new Policy([
+                new PolicyAxis(
+                    "Security Level",
+                    [
+                    { name: "Low", isHybridized: false },
+                    { name: "Medium", isHybridized: false },
+                    { name: "High", isHybridized: true },
+                    ],
+                    true,
+                ),
+                new PolicyAxis(
+                    "Department",
+                    [
+                    { name: "R&D", isHybridized: false },
+                    { name: "HR", isHybridized: false },
+                    ],
+                    false,
+                ),
+            ]);
+
+            const masterKeys = generateMasterKeys(policy);
+            console.log(masterKeys);
+
+            const highSecretAllDepartmentsDecryptionKey = generateUserSecretKey(masterKeys.secretKey, "Security Level::High && Department::R&D && Department::HR", policy)
+            const lowSecretHRDepartmentDecryptionKey = generateUserSecretKey(masterKeys.secretKey, "Security Level::Low && Department::HR", policy)
+
+            const secret = encrypt(policy, masterKeys.publicKey, "Security Level::High && Department::HR", new TextEncoder().encode("My secret!"));
+            console.log(secret);
+
+            const decrypted = decrypt(highSecretAllDepartmentsDecryptionKey, secret);
+            const decryptedMessage = new TextDecoder().decode(decrypted.plaintext);
+            console.log(decryptedMessage);
+
+            if (decryptedMessage !== "My secret!") {
+                throw new Error("Incorrect decrypted message");
+            }
+
+            try {
+                decrypt(lowSecretHRDepartmentDecryptionKey, secret);
+            } catch {
+                // should fail
+            }
+
+            const element = document.createElement('div')
+            element.id = "done"
+            document.body.appendChild(element)
+        })();
+
+    </script>
+</body>
+</html>

examples/browser/package.json

@@ -0,0 +1,14 @@
+{
+  "name": "browser",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "",
+  "license": "ISC",
+  "devDependencies": {
+    "cloudproof_js": "file:../.."
+  }
+}

examples/browser/test.mjs

@@ -0,0 +1,51 @@
+import { exit } from "process"
+import puppeteer from "puppeteer"
+
+const host = "http://localhost:8000"
+
+const browser = await puppeteer.launch({
+  headless: process.env.CI !== undefined,
+  args: ["--no-sandbox"],
+})
+const page = await browser.newPage()
+await page.setViewport({
+  width: 1920,
+  height: 1080,
+})
+page.on("pageerror", async (err) => {
+  await reportError(page, `[PAGE ERROR] ${err.toString()}`)
+})
+page.on("error", async (err) => {
+  await reportError(page, `[PAGE ERROR] ${err.toString()}`)
+})
+page.on("console", (msg) => {
+  // This is an expected error when trying to decrypt something we don't have the correct rights
+  if (
+    msg.text() !==
+    "Failed to load resource: the server responded with a status of 422 (Unprocessable Entity)"
+  ) {
+    console.log(`[PAGE LOG] ${msg.text()}`)
+  }
+})
+page.on("requestfailed", async (request) =>
+  console.log(
+    `[PAGE HTTP ERROR] ${request.failure().errorText} ${request.url()}`,
+  ),
+)
+
+try {
+  await page.goto(host)
+} catch {
+  // In case of random error, try again.
+  console.error("Cannot navigate to the example, trying again one time…")
+  await page.goto(host)
+}
+
+await page.waitForSelector("#done", { timeout: 500 })
+
+exit(0)
+
+async function reportError(page, message) {
+  await page.screenshot({ path: "error.png", fullPage: true })
+  throw new Error(message)
+}