Simplify crypto logic.

Author: Half-Shot

src/datastore/DataStore.ts

@@ -175,6 +175,8 @@ export interface DataStore extends ProvisioningStore {
 
     removePass(userId: string, domain: string): Promise<void>;
 
+    removeClientCert(userId: string, domain: string): Promise<void>;
+
     getMatrixUserByUsername(domain: string, username: string): Promise<MatrixUser|undefined>;
 
     getCountForUsernamePrefix(domain: string, usernamePrefix: string): Promise<number>;

src/datastore/StringCrypto.ts

@@ -48,19 +48,41 @@ export class StringCrypto {
     }
 
     public encrypt(plaintext: string): string {
+        if (plaintext.includes(' ')) {
+            throw Error('Cannot encode spaces')
+        }
         const salt = crypto.randomBytes(16).toString('base64');
         return crypto.publicEncrypt(
             this.privateKey,
             Buffer.from(salt + ' ' + plaintext)
         ).toString('base64');
     }
 
+    public encryptLargeString(plaintext: string): string {
+        const cryptoParts = [];
+        while (plaintext.length > 0) {
+            const part = plaintext.slice(0, 64);
+            cryptoParts.push(this.encrypt(part));
+            plaintext = plaintext.slice(64);
+        }
+        return 'lg:' + cryptoParts.join(',');
+    }
+
+
     public decrypt(encryptedString: string): string {
         const decryptedPass = crypto.privateDecrypt(
             this.privateKey,
             Buffer.from(encryptedString, 'base64')
         ).toString();
         // Extract the password by removing the prefixed salt and seperating space
-        return decryptedPass.split(' ')[1];
+        return decryptedPass.slice(17)[1];
+    }
+
+    public decryptLargeString(encryptedString: string): string {
+        if (encryptedString !== 'lg:') {
+            throw Error('Not a large string');
+        }
+        encryptedString = encryptedString.slice(3);
+        return encryptedString.split(',').map(v => this.decrypt(v)).join('');
     }
 }

src/datastore/postgres/PgDataStore.ts

@@ -536,8 +536,7 @@ export class PgDataStore implements DataStore, ProvisioningStore {
         const cryptoStore = this.cryptoStore;
         if (config.certificate && row.key && cryptoStore) {
             try {
-                const keyParts = row.key.split(',').map(v => cryptoStore.decrypt(v));
-                config.certificate.key = `-----BEGIN PRIVATE KEY-----\n${keyParts.join('')}-----END PRIVATE KEY-----\n`;
+                config.certificate.key = cryptoStore.decryptLargeString(row.key);
             }
             catch (ex) {
                 log.warn(`Failed to decrypt TLS key for ${userId} ${domain}`, ex);
@@ -565,16 +564,7 @@ export class PgDataStore implements DataStore, ProvisioningStore {
 
         if (config.certificate && this.cryptoStore) {
             keypair.cert = config.certificate.cert;
-            const cryptoParts = [];
-            let key = config.certificate.key;
-            // We can't store these as our encryption system doesn't support spaces.
-            key = key.replace('-----BEGIN PRIVATE KEY-----\n', '').replace('-----END PRIVATE KEY-----\n', '');
-            while (key.length > 0) {
-                const part = key.slice(0, 64);
-                cryptoParts.push(this.cryptoStore.encrypt(part));
-                key = key.slice(64);
-            }
-            keypair.key = cryptoParts.join(',');
+            keypair.key = this.cryptoStore.encryptLargeString(config.certificate.key);
         }
         const parameters = {
             user_id: userId,
@@ -679,6 +669,12 @@ export class PgDataStore implements DataStore, ProvisioningStore {
             [userId, domain]);
     }
 
+    public async removeClientCert(userId: string, domain: string): Promise<void> {
+        await this.pgPool.query(
+            "UPDATE client_config SET cert = NULL AND key = NULL WHERE user_id = $1 AND domain = $2",
+            [userId, domain]);
+    }
+
     public async getMatrixUserByUsername(domain: string, username: string): Promise<MatrixUser|undefined> {
         // This will need a join
         const res = await this.pgPool.query(