feat: lit protocol key exchange (#1052)

## Summary

Add support for retrieving and storing encryption keys via lit-protocol. When enabled we will first try to retrieve / store key using lit protocol, if this doesn't work, we use our own key-exchange system.

## Changes

- All lit-protocol library interactions are encapsulated into class `LitProtocolFacade`. 
- Add new class `GroupKeyManager` that is used to retrieve and store encryption keys. It contains the logic for iterating over different key exchange strategies until a key is found (or successfully generated and stored).
    - Retrieve key: (1) local, (2) lit-protcol, and (3) Streamr key-exchange
    - Store key: (1) generate with lit-protocol, and if that fails, (2) generate locally. We _always_ store encryption key into local store.

## Limitations and future improvements
- lit-protocol is hard coded to work with main net Polygon and pre-defined streamRegistryChainAddress
- no integration tests for lit-protocol
    - implement in future when it becomes possible to run own nodes and override streamRegistryChainAddress and RPC settings
- Since we can't write integration tests for lit-protocol, do we need some automated tests to run against production?
- Combine `encryption` and `decryption` client config blocks

## Checklist before requesting a review

- [x] Is this a breaking change? If it is, be clear in summary.
- [ ] Read through code myself one more time.
- [ ] Make sure any and all `TODO` comments left behind are meant to be left in.
- [x] Has reasonable passing test coverage?
- [x] Updated changelog if applicable.
- [x] Updated documentation if applicable.

Author: Eric Andrews

package-lock.json

@@ -42,6 +42,7 @@
         "husky": "^6.0.0",
         "jest": "^29.4.3",
         "jest-extended": "^3.2.3",
+        "jest-mock-extended": "^3.0.1",
         "lerna": "^4.0.0",
         "node-gyp-build": "^4.3.0",
         "semver": "^7.3.5",

package.json

@@ -8,6 +8,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- Add support for experimental encryption key exchange via [Lit Protocol](https://litprotocol.com/). Enabled by
+  setting configuration option `encryption.litProtocolEnabled` to be true.
+
 ### Changed
 
 - All contract providers are used to query the tracker registry, storage node registry and stream storage registry

packages/client/CHANGELOG.md

@@ -97,6 +97,7 @@
     "@ethersproject/transactions": "^5.5.0",
     "@ethersproject/wallet": "^5.5.0",
     "@ethersproject/web": "^5.5.0",
+    "@lit-protocol/lit-node-client": "2.1.38",
     "@streamr/network-node": "7.3.0",
     "@streamr/protocol": "7.3.0",
     "@streamr/utils": "7.3.0",
@@ -107,6 +108,7 @@
     "eventemitter3": "^4.0.7",
     "heap": "^0.2.6",
     "idb-keyval": "^5.1.5",
+    "lit-siwe": "^1.1.8",
     "lodash": "^4.17.21",
     "mem": "^8.1.1",
     "node-fetch": "^2.6.6",

packages/client/package.json

@@ -67,6 +67,21 @@ export interface StreamrClientConfig {
     retryResendAfter?: number
     gapFillTimeout?: number
 
+    encryption?: {
+        /**
+         * Enable experimental Lit Protocol key exchange.
+         *
+         * When enabled encryption key storing and fetching will be primarily done through the Lit Protocol and
+         * secondarily through the standard Streamr key-exchange system.
+         */
+        litProtocolEnabled?: boolean
+
+        /**
+         * Enable log messages of the Lit Protocol library to be printed to stdout.
+         */
+        litProtocolLogging?: boolean
+    }
+
     network?: {
         id?: string
         acceptProxyConnections?: boolean
@@ -140,6 +155,7 @@ export interface StreamrClientConfig {
 export type StrictStreamrClientConfig = MarkOptional<Required<StreamrClientConfig>, 'auth' | 'metrics'> & {
     network: MarkOptional<Exclude<Required<StreamrClientConfig['network']>, undefined>, 'location'>
     contracts: Exclude<Required<StreamrClientConfig['contracts']>, undefined>
+    encryption: Exclude<Required<StreamrClientConfig['encryption']>, undefined>
     decryption: Exclude<Required<StreamrClientConfig['decryption']>, undefined>
     cache: Exclude<Required<StreamrClientConfig['cache']>, undefined>
     _timeouts: Exclude<DeepRequired<StreamrClientConfig['_timeouts']>, undefined>
@@ -158,6 +174,11 @@ export const STREAM_CLIENT_DEFAULTS:
     maxGapRequests: 5,
     retryResendAfter: 5000,
     gapFillTimeout: 5000,
+
+    encryption: {
+        litProtocolEnabled: false,
+        litProtocolLogging: false
+    },
 
     network: {
         acceptProxyConnections: false,

packages/client/src/Config.ts

@@ -35,6 +35,7 @@ import { LoggerFactory } from './utils/LoggerFactory'
 import { convertStreamMessageToMessage, Message } from './Message'
 import { ErrorCode } from './HttpUtil'
 import { omit } from 'lodash'
+import { StreamrClientError } from './StreamrClientError'
 
 /**
  * The main API used to interact with Streamr.
@@ -123,6 +124,9 @@ export class StreamrClient {
         if (opts.streamId === undefined) {
             throw new Error('streamId required')
         }
+        if (opts.key !== undefined && this.config.encryption.litProtocolEnabled) {
+            throw new StreamrClientError('cannot pass "key" when Lit Protocol is enabled', 'UNSUPPORTED_OPERATION')
+        }
         const streamId = await this.streamIdBuilder.toStreamID(opts.streamId)
         const queue = await this.publisher.getGroupKeyQueue(streamId)
         if (opts.distributionMethod === 'rotate') {

packages/client/src/StreamrClient.ts

@@ -4,6 +4,7 @@ export type StreamrClientErrorCode =
     'INVALID_ARGUMENT' | 
     'CLIENT_DESTROYED' | 
     'PIPELINE_ERROR' |
+    'UNSUPPORTED_OPERATION' |
     'UNKNOWN_ERROR'
 
 export class StreamrClientError extends Error {

packages/client/src/StreamrClientError.ts

@@ -306,6 +306,21 @@
             },
             "default": {}
         },
+        "encryption": {
+            "type": "object",
+            "additionalProperties": false,
+            "properties": {
+                "litProtocolEnabled": {
+                    "type": "boolean",
+                    "default": false
+                },
+                "litProtocolLogging": {
+                    "type": "boolean",
+                    "default": false
+                }
+            },
+            "default": {}
+        },
         "decryption": {
             "type": "object",
             "additionalProperties": false,

packages/client/src/config.schema.json

@@ -23,9 +23,9 @@ export class GroupKey {
     /** @internal */
     readonly id: string
     /** @internal */
-    readonly data: Uint8Array
+    readonly data: Buffer
 
-    constructor(groupKeyId: string, data: Uint8Array) {
+    constructor(groupKeyId: string, data: Buffer) {
         this.id = groupKeyId
         if (!groupKeyId) {
             throw new GroupKeyError(`groupKeyId must not be falsey ${groupKeyId}`)

packages/client/src/encryption/GroupKey.ts

@@ -0,0 +1,88 @@
+import { LitProtocolFacade } from './LitProtocolFacade'
+import { inject, Lifecycle, scoped } from 'tsyringe'
+import { GroupKeyStore } from './GroupKeyStore'
+import { GroupKey } from './GroupKey'
+import { StreamID, StreamPartID, StreamPartIDUtils } from '@streamr/protocol'
+import { EthereumAddress, waitForEvent } from '@streamr/utils'
+import { SubscriberKeyExchange } from './SubscriberKeyExchange'
+import { ConfigInjectionToken, StrictStreamrClientConfig } from '../Config'
+import { StreamrClientEventEmitter } from '../events'
+import { DestroySignal } from '../DestroySignal'
+import crypto from 'crypto'
+import { uuid } from '../utils/uuid'
+
+@scoped(Lifecycle.ContainerScoped)
+export class GroupKeyManager {
+    private readonly groupKeyStore: GroupKeyStore
+    private readonly litProtocolFacade: LitProtocolFacade
+    private readonly subscriberKeyExchange: SubscriberKeyExchange
+    private readonly eventEmitter: StreamrClientEventEmitter
+    private readonly destroySignal: DestroySignal
+    private readonly config: Pick<StrictStreamrClientConfig, 'decryption' | 'encryption'>
+
+    constructor(
+        groupKeyStore: GroupKeyStore,
+        litProtocolFacade: LitProtocolFacade,
+        subscriberKeyExchange: SubscriberKeyExchange,
+        eventEmitter: StreamrClientEventEmitter,
+        destroySignal: DestroySignal,
+        @inject(ConfigInjectionToken) config: Pick<StrictStreamrClientConfig, 'decryption' | 'encryption'>
+    ) {
+        this.groupKeyStore = groupKeyStore
+        this.litProtocolFacade = litProtocolFacade
+        this.subscriberKeyExchange = subscriberKeyExchange
+        this.eventEmitter = eventEmitter
+        this.destroySignal = destroySignal
+        this.config = config
+    }
+
+    async fetchKey(streamPartId: StreamPartID, groupKeyId: string, publisherId: EthereumAddress): Promise<GroupKey> {
+        const streamId = StreamPartIDUtils.getStreamID(streamPartId)
+
+        // 1st try: local storage
+        let groupKey = await this.groupKeyStore.get(groupKeyId, streamId)
+        if (groupKey !== undefined) {
+            return groupKey
+        }
+
+        // 2nd try: lit-protocol
+        if (this.config.encryption.litProtocolEnabled) {
+            groupKey = await this.litProtocolFacade.get(streamId, groupKeyId)
+            if (groupKey !== undefined) {
+                await this.groupKeyStore.add(groupKey, streamId)
+                return groupKey
+            }
+        }
+
+        // 3rd try: Streamr key-exchange
+        await this.subscriberKeyExchange.requestGroupKey(groupKeyId, publisherId, streamPartId)
+        const groupKeys = await waitForEvent(
+            // TODO remove "as any" type casing in NET-889
+            this.eventEmitter as any,
+            'addGroupKey',
+            this.config.decryption.keyRequestTimeout,
+            (storedGroupKey: GroupKey) => storedGroupKey.id === groupKeyId,
+            this.destroySignal.abortSignal
+        )
+        return groupKeys[0] as GroupKey
+    }
+
+    async storeKey(groupKey: GroupKey | undefined, streamId: StreamID): Promise<GroupKey> { // TODO: name
+        if (groupKey === undefined) {
+            const keyData = crypto.randomBytes(32)
+            // 1st try lit-protocol, if a key cannot be generated and stored, then generate group key locally
+            if (this.config.encryption.litProtocolEnabled) {
+                groupKey = await this.litProtocolFacade.store(streamId, keyData)
+            }
+            if (groupKey === undefined) {
+                groupKey = new GroupKey(uuid('GroupKey'), keyData)
+            }
+        }
+        await this.groupKeyStore.add(groupKey, streamId)
+        return groupKey
+    }
+
+    addKeyToLocalStore(groupKey: GroupKey, streamId: StreamID): Promise<void> {
+        return this.groupKeyStore.add(groupKey, streamId)
+    }
+}