1 files changed, 105 insertions, 0 deletions

diff --git a/packages/taler-util/src/http-client/officer-account.ts b/packages/taler-util/src/http-client/officer-account.ts
new file mode 100644
index 000000000..2c1426be2
--- /dev/null
+++ b/packages/taler-util/src/http-client/officer-account.ts
@@ -0,0 +1,105 @@
+/*
+ This file is part of GNU Taler
+ (C) 2022-2024 Taler Systems S.A.
+
+ GNU Taler is free software; you can redistribute it and/or modify it under the
+ terms of the GNU General Public License as published by the Free Software
+ Foundation; either version 3, or (at your option) any later version.
+
+ GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+ A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License along with
+ GNU Taler; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
+ */
+
+import {
+  EncryptionNonce,
+  LockedAccount,
+  OfficerAccount,
+  OfficerId,
+  SigningKey,
+  createEddsaKeyPair,
+  decodeCrock,
+  decryptWithDerivedKey,
+  eddsaGetPublic,
+  encodeCrock,
+  encryptWithDerivedKey,
+  getRandomBytesF,
+  kdf,
+  stringToBytes,
+} from "@gnu-taler/taler-util";
+
+/**
+ * Restore previous session and unlock account with password
+ *
+ * @param salt string from which crypto params will be derived
+ * @param key secured private key
+ * @param password password for the private key
+ * @returns
+ */
+export async function unlockOfficerAccount(
+  account: LockedAccount,
+  password: string,
+): Promise<OfficerAccount> {
+  const rawKey = decodeCrock(account);
+  const rawPassword = stringToBytes(password);
+
+  const signingKey = (await decryptWithDerivedKey(
+    rawKey,
+    rawPassword,
+    password,
+  ).catch((e: Error) => {
+    throw new UnwrapKeyError(e.message);
+  })) as SigningKey;
+
+  const publicKey = eddsaGetPublic(signingKey);
+
+  const accountId = encodeCrock(publicKey) as OfficerId;
+
+  return { id: accountId, signingKey };
+}
+
+/**
+ * Create new account (secured private key)
+ * secured with the given password
+ *
+ * @param sessionId
+ * @param password
+ * @returns
+ */
+export async function createNewOfficerAccount(
+  password: string,
+  extraNonce: EncryptionNonce,
+): Promise<OfficerAccount & { safe: LockedAccount }> {
+  const { eddsaPriv, eddsaPub } = createEddsaKeyPair();
+
+  const key = stringToBytes(password);
+
+  const localRnd = getRandomBytesF(24);
+  const mergedRnd: EncryptionNonce = extraNonce
+    ? kdf(24, stringToBytes("aml-officer"), extraNonce, localRnd)
+    : localRnd;
+
+  const protectedPrivKey = await encryptWithDerivedKey(
+    mergedRnd,
+    key,
+    eddsaPriv,
+    password,
+  );
+
+  const signingKey = eddsaPriv as SigningKey;
+  const accountId = encodeCrock(eddsaPub) as OfficerId;
+  const safe = encodeCrock(protectedPrivKey) as LockedAccount;
+
+  return { id: accountId, signingKey, safe };
+}
+
+export class UnwrapKeyError extends Error {
+  public cause: string;
+  constructor(cause: string) {
+    super(`Recovering private key failed on: ${cause}`);
+    this.cause = cause;
+  }
+}