feat: add NIP 44 encryption support

package.json

@@ -64,6 +64,7 @@
     "lodash.merge": "^4.6.2",
     "lodash.pick": "^4.4.0",
     "lodash.snakecase": "^4.1.1",
+    "nostr-tools": "^2.1.0",
     "pubsub-js": "^1.9.4",
     "react": "^18.2.0",
     "react-confetti": "^6.1.0",

src/common/utils/lruCache.ts

@@ -0,0 +1,33 @@
+export class LRUCache<T, U> {
+  map = new Map<T, U>();
+  keys: T[] = [];
+
+  constructor(readonly maxSize: number) {}
+
+  has(k: T) {
+    return this.map.has(k);
+  }
+
+  get(k: T) {
+    const v = this.map.get(k);
+
+    if (v !== undefined) {
+      this.keys.push(k as T);
+
+      if (this.keys.length > this.maxSize * 2) {
+        this.keys.splice(-this.maxSize);
+      }
+    }
+
+    return v;
+  }
+
+  set(k: T, v: U) {
+    this.map.set(k, v);
+    this.keys.push(k);
+
+    if (this.map.size > this.maxSize) {
+      this.map.delete(this.keys.shift() as T);
+    }
+  }
+}

src/extension/background-script/actions/nostr/index.ts

@@ -8,6 +8,8 @@ import getPrivateKey from "./getPrivateKey";
 import getPublicKeyOrPrompt from "./getPublicKeyOrPrompt";
 import getRelays from "./getRelays";
 import isEnabled from "./isEnabled";
+import nip44DecryptOrPrompt from "./nip44DecryptOrPrompt";
+import nip44EncryptOrPrompt from "./nip44EncryptOrPrompt";
 import removePrivateKey from "./removePrivateKey";
 import setPrivateKey from "./setPrivateKey";
 import signEventOrPrompt from "./signEventOrPrompt";
@@ -23,6 +25,8 @@ export {
   getPublicKeyOrPrompt,
   getRelays,
   isEnabled,
+  nip44DecryptOrPrompt,
+  nip44EncryptOrPrompt,
   removePrivateKey,
   setPrivateKey,
   signEventOrPrompt,

src/extension/background-script/actions/nostr/nip44DecryptOrPrompt.ts

@@ -0,0 +1,68 @@
+import { USER_REJECTED_ERROR } from "~/common/constants";
+import utils from "~/common/lib/utils";
+import { getHostFromSender } from "~/common/utils/helpers";
+import {
+  addPermissionFor,
+  hasPermissionFor,
+} from "~/extension/background-script/permissions";
+import state from "~/extension/background-script/state";
+import { MessageNip44DecryptGet, PermissionMethodNostr, Sender } from "~/types";
+
+const nip44DecryptOrPrompt = async (
+  message: MessageNip44DecryptGet,
+  sender: Sender
+) => {
+  const host = getHostFromSender(sender);
+  if (!host) return;
+
+  try {
+    const hasPermission = await hasPermissionFor(
+      PermissionMethodNostr["NOSTR_NIP44DECRYPT"],
+      host
+    );
+
+    if (hasPermission) {
+      const nostr = await state.getState().getNostr();
+      const response = await nostr.nip44Decrypt(
+        message.args.peer,
+        message.args.ciphertext
+      );
+
+      return { data: response };
+    } else {
+      const promptResponse = await utils.openPrompt<{
+        confirm: boolean;
+        rememberPermission: boolean;
+      }>({
+        ...message,
+        action: "public/nostr/confirmDecrypt",
+      });
+
+      // add permission to db only if user decided to always allow this request
+      if (promptResponse.data.rememberPermission) {
+        await addPermissionFor(
+          PermissionMethodNostr["NOSTR_NIP44DECRYPT"],
+          host
+        );
+      }
+      if (promptResponse.data.confirm) {
+        const nostr = await state.getState().getNostr();
+        const response = await nostr.nip44Decrypt(
+          message.args.peer,
+          message.args.ciphertext
+        );
+
+        return { data: response };
+      } else {
+        return { error: USER_REJECTED_ERROR };
+      }
+    }
+  } catch (e) {
+    console.error("decrypt failed", e);
+    if (e instanceof Error) {
+      return { error: e.message };
+    }
+  }
+};
+
+export default nip44DecryptOrPrompt;

src/extension/background-script/actions/nostr/nip44EncryptOrPrompt.ts

@@ -0,0 +1,72 @@
+import { USER_REJECTED_ERROR } from "~/common/constants";
+import nostr from "~/common/lib/nostr";
+import utils from "~/common/lib/utils";
+import { getHostFromSender } from "~/common/utils/helpers";
+import {
+  addPermissionFor,
+  hasPermissionFor,
+} from "~/extension/background-script/permissions";
+import state from "~/extension/background-script/state";
+import { MessageNip44EncryptGet, PermissionMethodNostr, Sender } from "~/types";
+
+const nip44EncryptOrPrompt = async (
+  message: MessageNip44EncryptGet,
+  sender: Sender
+) => {
+  const host = getHostFromSender(sender);
+  if (!host) return;
+
+  try {
+    const hasPermission = await hasPermissionFor(
+      PermissionMethodNostr["NOSTR_NIP44ENCRYPT"],
+      host
+    );
+
+    if (hasPermission) {
+      const response = (await state.getState().getNostr()).nip44Encrypt(
+        message.args.peer,
+        message.args.plaintext
+      );
+      return { data: response };
+    } else {
+      const promptResponse = await utils.openPrompt<{
+        confirm: boolean;
+        rememberPermission: boolean;
+      }>({
+        ...message,
+        action: "public/nostr/confirmEncrypt",
+        args: {
+          encrypt: {
+            recipientNpub: nostr.hexToNip19(message.args.peer, "npub"),
+            message: message.args.plaintext,
+          },
+        },
+      });
+
+      // add permission to db only if user decided to always allow this request
+      if (promptResponse.data.rememberPermission) {
+        await addPermissionFor(
+          PermissionMethodNostr["NOSTR_NIP44ENCRYPT"],
+          host
+        );
+      }
+      if (promptResponse.data.confirm) {
+        const response = (await state.getState().getNostr()).nip44Encrypt(
+          message.args.peer,
+          message.args.plaintext
+        );
+
+        return { data: response };
+      } else {
+        return { error: USER_REJECTED_ERROR };
+      }
+    }
+  } catch (e) {
+    console.error("encrypt failed", e);
+    if (e instanceof Error) {
+      return { error: e.message };
+    }
+  }
+};
+
+export default nip44EncryptOrPrompt;

src/extension/background-script/nostr/__test__/nostr.test.ts

@@ -18,7 +18,7 @@ const carol = {
   publicKey: "a8c7d70a7d2e2826ce519a0a490fb953464c9d130235c321282983cd73be333f",
 };
 
-describe("nostr", () => {
+describe("nostr.nip04", () => {
   test("encrypt & decrypt", async () => {
     const aliceNostr = new Nostr(alice.privateKey);
 
@@ -50,3 +50,36 @@ describe("nostr", () => {
     expect(decrypted).not.toMatch(message);
   });
 });
+
+describe("nostr.nip44", () => {
+  test("encrypt & decrypt", async () => {
+    const aliceNostr = new Nostr(alice.privateKey);
+
+    const message = "Secret message that is sent from Alice to Bob";
+    const encrypted = aliceNostr.nip44Encrypt(bob.publicKey, message);
+
+    const bobNostr = new Nostr(bob.privateKey);
+
+    const decrypted = await bobNostr.nip44Decrypt(alice.publicKey, encrypted);
+
+    expect(decrypted).toMatch(message);
+  });
+
+  test("Carol can't decrypt Alice's message for Bob", async () => {
+    const aliceNostr = new Nostr(alice.privateKey);
+
+    const message = "Secret message that is sent from Alice to Bob";
+    const encrypted = aliceNostr.nip44Encrypt(bob.publicKey, message);
+
+    const carolNostr = new Nostr(carol.privateKey);
+
+    let decrypted;
+    try {
+      decrypted = await carolNostr.nip44Decrypt(alice.publicKey, encrypted);
+    } catch (e) {
+      decrypted = "error decrypting message";
+    }
+
+    expect(decrypted).not.toMatch(message);
+  });
+});

src/extension/background-script/nostr/index.ts

@@ -1,20 +1,33 @@
 import { schnorr } from "@noble/curves/secp256k1";
 import * as secp256k1 from "@noble/secp256k1";
+import { nip44 } from "nostr-tools";
 import { Buffer } from "buffer";
 import * as CryptoJS from "crypto-js";
 import { AES } from "crypto-js";
 import Base64 from "crypto-js/enc-base64";
 import Hex from "crypto-js/enc-hex";
 import Utf8 from "crypto-js/enc-utf8";
+import { LRUCache } from "~/common/utils/lruCache";
 import { Event } from "~/extension/providers/nostr/types";
 
 import { getEventHash, signEvent } from "../actions/nostr/helpers";
 
 class Nostr {
-  privateKey: string;
+  nip44SharedSecretCache = new LRUCache<string, Uint8Array>(100);
 
-  constructor(privateKey: string) {
-    this.privateKey = privateKey;
+  constructor(readonly privateKey: string) {}
+
+  // Deriving shared secret is an expensive computation
+  getNip44SharedSecret(peerPubkey: string) {
+    let key = this.nip44SharedSecretCache.get(peerPubkey);
+
+    if (!key) {
+      key = nip44.v2.utils.getConversationKey(this.privateKey, peerPubkey);
+
+      this.nip44SharedSecretCache.set(peerPubkey, key);
+    }
+
+    return key;
   }
 
   getPublicKey() {
@@ -69,6 +82,14 @@ class Nostr {
     return Utf8.stringify(decrypted);
   }
 
+  nip44Encrypt(peer: string, plaintext: string) {
+    return nip44.v2.encrypt(plaintext, this.getNip44SharedSecret(peer));
+  }
+
+  nip44Decrypt(peer: string, ciphertext: string) {
+    return nip44.v2.decrypt(ciphertext, this.getNip44SharedSecret(peer));
+  }
+
   getEventHash(event: Event) {
     return getEventHash(event);
   }

src/extension/background-script/router.ts

@@ -128,6 +128,8 @@ const routes = {
       getRelays: nostr.getRelays,
       encryptOrPrompt: nostr.encryptOrPrompt,
       decryptOrPrompt: nostr.decryptOrPrompt,
+      nip44EncryptOrPrompt: nostr.nip44EncryptOrPrompt,
+      nip44DecryptOrPrompt: nostr.nip44DecryptOrPrompt,
     },
   },
 };

src/extension/content-script/nostr.js

@@ -13,6 +13,8 @@ const nostrCalls = [
   "nostr/enable",
   "nostr/encryptOrPrompt",
   "nostr/decryptOrPrompt",
+  "nostr/nip44EncryptOrPrompt",
+  "nostr/nip44DecryptOrPrompt",
   "nostr/on",
   "nostr/off",
   "nostr/emit",

src/extension/providers/nostr/index.ts

@@ -10,6 +10,7 @@ declare global {
 
 export default class NostrProvider extends ProviderBase {
   nip04 = new Nip04(this);
+  nip44 = new Nip44(this);
 
   constructor() {
     super("nostr");
@@ -70,3 +71,27 @@ class Nip04 {
     });
   }
 }
+
+class Nip44 {
+  provider: NostrProvider;
+
+  constructor(provider: NostrProvider) {
+    this.provider = provider;
+  }
+
+  async encrypt(peer: string, plaintext: string) {
+    await this.provider.enable();
+    return this.provider.execute("nip44EncryptOrPrompt", {
+      peer,
+      plaintext,
+    });
+  }
+
+  async decrypt(peer: string, ciphertext: string) {
+    await this.provider.enable();
+    return this.provider.execute("nip44DecryptOrPrompt", {
+      peer,
+      ciphertext,
+    });
+  }
+}

src/i18n/locales/cs/translation.json

@@ -831,6 +831,9 @@
     "nostr": {
       "getpublickey": "Přečíst svůj veřejný klíč",
       "nip04decrypt": "Dešifrovat data",
+      "nip04encrypt": "Zašifrovat data",
+      "nip44decrypt": "Dešifrovat data",
+      "nip44encrypt": "Zašifrovat data",
       "signmessage": "Podepsat zprávu klíčem"
     },
     "lnc": {

src/i18n/locales/da/translation.json

@@ -699,6 +699,9 @@
     "nostr": {
       "getpublickey": "Læs din offentlige nøgle",
       "nip04decrypt": "De-krypter data",
+      "nip04encrypt": "Krypter data",
+      "nip44decrypt": "De-krypter data",
+      "nip44encrypt": "Krypter data",
       "signmessage": "Underskriv meddelelse med din nøgle"
     },
     "commando": {

src/i18n/locales/de/translation.json

@@ -1214,6 +1214,9 @@
     "nostr": {
       "getpublickey": "Lese deinen öffentlichen Schlüssel",
       "nip04decrypt": "Daten entschlüsseln",
+      "nip04encrypt": "Daten verschlüsseln",
+      "nip44decrypt": "Daten entschlüsseln",
+      "nip44encrypt": "Daten verschlüsseln",
       "signmessage": "Unterschreibe deine Nachricht mit deinem Schlüssel"
     },
     "lnc": {