chore: add AESEncryptString api to trust ring

abose · abose · commit 03225a2a2b67 · 2026-03-11T13:38:32.000+05:30
diff --git a/src/phoenix/trust_ring.js b/src/phoenix/trust_ring.js
@@ -119,6 +119,47 @@ function generateRandomKeyAndIV() {
     return { key, iv };
 }
 
+async function AESEncryptString(val, key, iv) {
+    // Encode string to UTF-8 bytes
+    const data = new TextEncoder().encode(val);
+
+    // Convert hex key to bytes
+    const keyBytes = new Uint8Array(key.length / 2);
+    for (let i = 0; i < key.length; i += 2) {
+        keyBytes[i / 2] = parseInt(key.substr(i, 2), 16);
+    }
+
+    // Convert hex IV to bytes
+    const ivBytes = new Uint8Array(iv.length / 2);
+    for (let i = 0; i < iv.length; i += 2) {
+        ivBytes[i / 2] = parseInt(iv.substr(i, 2), 16);
+    }
+
+    // Import the AES key
+    const cryptoKey = await crypto.subtle.importKey(
+        'raw',
+        keyBytes,
+        { name: 'AES-GCM' },
+        false,
+        ['encrypt']
+    );
+
+    // Encrypt the data
+    const encryptedBuffer = await crypto.subtle.encrypt(
+        {
+            name: 'AES-GCM',
+            iv: ivBytes
+        },
+        cryptoKey,
+        data
+    );
+
+    // Convert encrypted bytes to hex string
+    return Array.from(new Uint8Array(encryptedBuffer))
+        .map(byte => byte.toString(16).padStart(2, '0'))
+        .join('');
+}
+
 async function AESDecryptString(val, key, iv) {
     // Convert hex strings to ArrayBuffers
     const encryptedData = new Uint8Array(val.length / 2);
@@ -472,6 +513,7 @@ window.KernalModeTrust = {
     setCredential,
     getCredential,
     removeCredential,
+    AESEncryptString,
     AESDecryptString,
     generateRandomKeyAndIV,
     dismantleKeyring,
diff --git a/test/spec/trust-ring-test.js b/test/spec/trust-ring-test.js
@@ -156,6 +156,52 @@ define(function (require, exports, module) {
             });
         });
 
+        describe("AESEncryptString and AESDecryptString", function () {
+            it("should encrypt then decrypt roundtrip returning original string", async function () {
+                const {key, iv} = TrustRing.generateRandomKeyAndIV();
+                const original = "hello world";
+                const encrypted = await TrustRing.AESEncryptString(original, key, iv);
+                const decrypted = await TrustRing.AESDecryptString(encrypted, key, iv);
+                expect(decrypted).toBe(original);
+            });
+
+            it("should produce a hex string output", async function () {
+                const {key, iv} = TrustRing.generateRandomKeyAndIV();
+                const encrypted = await TrustRing.AESEncryptString("test", key, iv);
+                expect(encrypted).toMatch(/^[a-f0-9]+$/);
+            });
+
+            it("should produce different ciphertext for different plaintext", async function () {
+                const {key, iv} = TrustRing.generateRandomKeyAndIV();
+                const enc1 = await TrustRing.AESEncryptString("plaintext1", key, iv);
+                const enc2 = await TrustRing.AESEncryptString("plaintext2", key, iv);
+                expect(enc1).not.toBe(enc2);
+            });
+
+            it("should work with empty string", async function () {
+                const {key, iv} = TrustRing.generateRandomKeyAndIV();
+                const encrypted = await TrustRing.AESEncryptString("", key, iv);
+                const decrypted = await TrustRing.AESDecryptString(encrypted, key, iv);
+                expect(decrypted).toBe("");
+            });
+
+            it("should work with unicode characters", async function () {
+                const {key, iv} = TrustRing.generateRandomKeyAndIV();
+                const original = "测试数据 with émojis 🔒🔑";
+                const encrypted = await TrustRing.AESEncryptString(original, key, iv);
+                const decrypted = await TrustRing.AESDecryptString(encrypted, key, iv);
+                expect(decrypted).toBe(original);
+            });
+
+            it("should work with large strings", async function () {
+                const {key, iv} = TrustRing.generateRandomKeyAndIV();
+                const original = "x".repeat(10000);
+                const encrypted = await TrustRing.AESEncryptString(original, key, iv);
+                const decrypted = await TrustRing.AESDecryptString(encrypted, key, iv);
+                expect(decrypted).toBe(original);
+            });
+        });
+
         describe("generateDataSignature and validateDataSignature integration", function () {
             it("should work with JSON data like entitlements", async function () {
                 const entitlements = {
