feat: add support for large file encryption

src/decrypt-capability.js

@@ -1,5 +1,9 @@
+import { CID } from 'multiformats'
+import * as dagJSON from '@ipld/dag-json'
+import { extract } from '@ucanto/core/delegation'
+import { Signer } from '@ucanto/principal/ed25519'
 import { ok, Schema, DID, fail } from '@ucanto/validator'
-import { capability } from '@ucanto/server'
+import { DID as DIDParser, capability } from '@ucanto/server'
 
 const Decrypt = capability({
   can: 'space/content/decrypt',
@@ -20,4 +24,34 @@ const Decrypt = capability({
   }
 })
 
+/**
+ *
+ * @param {Buffer<ArrayBufferLike>} delegationCarBuffer
+ * @param {import('./types.js').DecryptInvocationArgs} param1
+ */
+export async function createDecryptWrappedInvocation(
+  delegationCarBuffer,
+  { issuer, audienceDid, spaceDid, resourceCid, expiration }
+) {
+  const delegation = /** @type {Signer.Delegation<Signer.Capabilities>} */ (
+    (await extract(delegationCarBuffer)).ok
+  )
+
+  const invocationOptions = {
+    issuer,
+    audience: DIDParser.parse(audienceDid),
+    with: spaceDid,
+    nb: {
+      resource: CID.parse(resourceCid)
+    },
+    expiration: expiration,
+    proofs: [delegation]
+  }
+
+  const decryptWrappedInvocation = await Decrypt.invoke(invocationOptions).delegate()
+
+  const { ok: carEncoded } = await decryptWrappedInvocation.archive()
+  return dagJSON.stringify(carEncoded)
+}
+
 export default Decrypt

src/lib.js

@@ -1,10 +1,12 @@
-import { Blob } from 'buffer'
+import * as fs from 'fs'
 import { ethers } from 'ethers'
-import { promises as fs } from 'fs'
-import { LIT_ABILITY, LIT_NETWORK, LIT_RPC } from '@lit-protocol/constants'
-import { encryptFile } from '@lit-protocol/encryption'
-import { LitNodeClient } from '@lit-protocol/lit-node-client'
+import { Readable } from 'node:stream'
+import { pipeline } from 'node:stream/promises'
 import { LitContracts } from '@lit-protocol/contracts-sdk'
+import { LitNodeClient } from '@lit-protocol/lit-node-client'
+import { encryptFile, encryptString } from '@lit-protocol/encryption'
+import { createCipheriv, createDecipheriv, randomBytes } from 'crypto'
+import { LIT_ABILITY, LIT_NETWORK, LIT_RPC } from '@lit-protocol/constants'
 import {
   generateAuthSig,
   LitActionResource,
@@ -14,6 +16,8 @@ import {
 
 import env from './env.js'
 
+const ENCRYPTION_ALGORITHM = 'aes-256-cbc'
+
 export async function getLit() {
   const litNodeClient = new LitNodeClient({
     litNetwork: env.LIT_NETWORK,
@@ -47,11 +51,76 @@ export async function getLitContracts(wallet) {
  */
 export async function encrypt(filePath, accessControlConditions, chain = 'ethereum') {
   const litClient = await getLit()
+  const fileContent = await fs.promises.readFile(filePath)
+  const blob = new Blob([fileContent])
+  return await encryptFile({ file: blob, accessControlConditions, chain }, litClient)
+}
+
+/**
+ *
+ * @param {string} filePath
+ * @param {import('@lit-protocol/types').AccessControlConditions} accessControlConditions
+ */
+export async function encryptLargeFile(filePath, accessControlConditions) {
+  const stat = await fs.promises.stat(filePath)
 
-  const fileContent = await fs.readFile(filePath)
-  let blob = new Blob([fileContent])
+  // Generate a random symmetric key and initialization vector
+  const symmetricKey = randomBytes(32) // 256 bits for AES-256
+  const initializationVector = randomBytes(16) // 16 bytes for AES
+  // Combine key and initializationVector for Lit encryption
+  const dataToEncrypt = Buffer.concat([symmetricKey, initializationVector]).toString('base64')
+  const chunkSize = 64 * 1024 // 64KB chunks
 
-  return encryptFile({ file: blob, accessControlConditions, chain }, litClient)
+  // createEncryptedStream
+  const cipher = createCipheriv(ENCRYPTION_ALGORITHM, symmetricKey, initializationVector)
+  const fileStream = fs.createReadStream(filePath, { highWaterMark: chunkSize }) // Read from local file
+  const encryptedStream = fileStream.pipe(cipher) // Encrypt the stream
+
+  const litClient = await getLit()
+  const { ciphertext, dataToEncryptHash } = await encryptString(
+    {
+      dataToEncrypt,
+      accessControlConditions
+    },
+    litClient
+  )
+
+  return {
+    ciphertext,
+    dataToEncryptHash,
+    encryptedBlobLike: {
+      name: filePath,
+      stream: () =>
+        /** @type {ReadableStream} */
+        (Readable.toWeb(encryptedStream)),
+      size: stat.size
+    } // Convert to Web ReadableStream
+  }
+}
+
+/**
+ *
+ * @param {string} combinedKey
+ * @param {Readable} content
+ * @param {string} fileName
+ */
+export async function decryptWithKeyTo(combinedKey, content, fileName) {
+  // Split the decrypted data back into key and initializationVector
+  const decryptedKeyData = Buffer.from(combinedKey, 'base64')
+  const symmetricKey = decryptedKeyData.subarray(0, 32)
+  const initializationVector = decryptedKeyData.subarray(32)
+
+  const decipher = createDecipheriv(ENCRYPTION_ALGORITHM, symmetricKey, initializationVector)
+
+  // Create a Writable stream for the decrypted output
+  const writeStream = fs.createWriteStream(fileName)
+
+  try {
+    await pipeline(content, decipher, writeStream)
+    console.log('File successfully decrypted')
+  } catch (err) {
+    console.error('Pipeline failed', err)
+  }
 }
 
 const litNetworkToChainRpc = {

src/scripts/decrypt-large-file.js

@@ -0,0 +1,113 @@
+import * as fs from 'fs'
+import { ethers } from 'ethers'
+import { Readable } from 'stream'
+import { Signer } from '@ucanto/principal/ed25519'
+
+import env from '../env.js'
+import { getLit, getSessionSigs, getCapacityCredits, decryptWithKeyTo } from '../lib.js'
+import { createDecryptWrappedInvocation } from '../decrypt-capability.js'
+
+/**
+ * rootCid - The CID of the encrypted data file uploaded to Storacha.
+ * delegationFilePath - Path to the delegation CAR file
+ * outputPath - output file to write the decrypted content
+ * capacityTokenId - If you already have a capacity credit token ID (optional)
+ */
+async function main() {
+  const rootCid = process.argv[2]
+  const delegationFilePath = process.argv[3]
+  const outputPath = process.argv[4]
+  /**@type {string | null} */
+  let capacityTokenId = process.argv[5]
+
+  const response = await fetch(`https://${rootCid}.ipfs.w3s.link`)
+  if (!response.ok) {
+    throw new Error(`Failed to fetch: ${response.status} ${response.statusText}`)
+  }
+
+  let encryptedContent = await response.text()
+  console.log('Encrypted content retrieved successfully:', encryptedContent)
+  const { encryptedDataCid, ciphertext, dataToEncryptHash, accessControlConditions } =
+    JSON.parse(encryptedContent)
+
+  const encryptedDataResponse = await fetch(`https://${encryptedDataCid}.ipfs.w3s.link`)
+  if (!encryptedDataResponse.ok || !encryptedDataResponse.body) {
+    throw new Error(`Failed to fetch encrypted data: ${response.status} ${response.statusText}`)
+  }
+
+  const spaceDID = accessControlConditions[0].parameters[1]
+
+  const litNodeClient = await getLit()
+  const controllerWallet = new ethers.Wallet(env.WALLET_PK)
+
+  if (!capacityTokenId) {
+    console.log('🔄 No Capacity Credit provided, minting a new one...')
+    capacityTokenId = await getCapacityCredits(controllerWallet, env.LIT_NETWORK)
+    console.log(`✅ Minted new Capacity Credit with ID: ${capacityTokenId}`)
+  } else {
+    console.log(`ℹ️  Using provided Capacity Credit with ID: ${capacityTokenId}`)
+  }
+
+  // ========== SESSION SIGNATURES  ===========
+  // TODO: store the session signature (https://developer.litprotocol.com/intro/first-request/generating-session-sigs#nodejs)
+  const sessionSigs = await getSessionSigs({
+    wallet: controllerWallet,
+    accessControlConditions,
+    dataToEncryptHash,
+    expiration: new Date(Date.now() + 1000 * 60 * 5).toISOString() // 5 min,
+  })
+
+  // ==========  EXECUTE LIT ACTION TO DECRYPT ===========
+
+  console.log('🔄 Setting UCAN delegation...')
+  // read bytes from delegation file
+  const delegationCarBuffer = fs.readFileSync(delegationFilePath)
+
+  const decryptSigner = Signer.parse(env.DELEGATEE_AGENT_PK)
+  console.log('Issuer:', decryptSigner.did())
+
+  const invocation = await createDecryptWrappedInvocation(delegationCarBuffer, {
+    issuer: decryptSigner,
+    audienceDid: env.AUTHORITY_DID_WEB,
+    spaceDid: spaceDID,
+    resourceCid: rootCid,
+    expiration: new Date(Date.now() + 1000 * 60 * 10).getTime() // 10 min
+  })
+
+  console.log('🔄 Executing Lit Action to validate UCAN and decrypt the file...')
+
+  const litActionResponse = await litNodeClient.executeJs({
+    sessionSigs,
+    ipfsId: env.STORACHA_LIT_ACTION_CID,
+    jsParams: {
+      spaceDID,
+      ciphertext,
+      dataToEncryptHash,
+      accessControlConditions,
+      invocation
+    }
+  })
+  console.log(litActionResponse)
+  console.log('✅ Executed the Lit Action')
+
+  if (!litActionResponse.response) {
+    throw new Error('Error getting lit action response.')
+  }
+  const parsedResponse = JSON.parse(/** @type string*/ (litActionResponse.response))
+  const decryptedData = parsedResponse.decryptedString
+  if (!decryptedData) {
+    throw new Error('Decrypted data does not exist!')
+  }
+
+  const readStream = Readable.fromWeb(
+    /** @type {import("stream/web").ReadableStream<any>}**/ (encryptedDataResponse.body)
+  )
+  await decryptWithKeyTo(decryptedData, readStream, outputPath)
+}
+
+main()
+  .then(() => process.exit(0))
+  .catch(err => {
+    console.error(err)
+    process.exit(1)
+  })

src/scripts/download-and-decrypt.js

@@ -1,44 +1,10 @@
 import * as fs from 'fs'
 import { ethers } from 'ethers'
-import { CID } from 'multiformats'
-import { DID } from '@ucanto/server'
-import * as dagJSON from '@ipld/dag-json'
 import { Signer } from '@ucanto/principal/ed25519'
-import { extract } from '@ucanto/core/delegation'
 
 import env from '../env.js'
-import Decrypt from '../decrypt-capability.js'
 import { getLit, getSessionSigs, getCapacityCredits } from '../lib.js'
-
-/**
- *
- * @param {Buffer<ArrayBufferLike>} delegationCarBuffer
- * @param {import('../types.js').DecryptInvocationArgs} param1
- */
-async function createDecryptWrappedInvocation(
-  delegationCarBuffer,
-  { issuer, audienceDid, spaceDid, resourceCid, expiration }
-) {
-  const delegation = /** @type {Signer.Delegation<Signer.Capabilities>} */ (
-    (await extract(delegationCarBuffer)).ok
-  )
-
-  const invocationOptions = {
-    issuer,
-    audience: DID.parse(audienceDid),
-    with: spaceDid,
-    nb: {
-      resource: CID.parse(resourceCid)
-    },
-    expiration: expiration,
-    proofs: [delegation]
-  }
-
-  const decryptWrappedInvocation = await Decrypt.invoke(invocationOptions).delegate()
-
-  const { ok: carEncoded } = await decryptWrappedInvocation.archive()
-  return dagJSON.stringify(carEncoded)
-}
+import { createDecryptWrappedInvocation } from '../decrypt-capability.js'
 
 /**
  * rootCid - The CID of the encrypted data file uploaded to Storacha.

src/scripts/encrypt-large-file.js

@@ -0,0 +1,71 @@
+import * as fs from 'fs'
+import * as Client from '@web3-storage/w3up-client'
+import * as Signer from '@ucanto/principal/ed25519'
+import { StoreMemory } from '@web3-storage/w3up-client/stores/memory'
+
+import env from '../env.js'
+import { encryptLargeFile } from '../lib.js'
+import { parseProof } from '../utils.js'
+
+async function main() {
+  const filePath = process.argv[2]
+
+  if (!fs.existsSync(filePath)) {
+    throw new Error(`The path ${filePath} does not exist`)
+  }
+
+  // set up storacha client with a new agent
+  const principal = Signer.parse(env.AGENT_PK)
+  const store = new StoreMemory()
+  const client = await Client.create({ principal, store })
+
+  // now give Agent the delegation from the Space
+  const proof = await parseProof(env.PROOF)
+  const space = await client.addSpace(proof)
+  await client.setCurrentSpace(space.did())
+
+  // encrypt using lit
+  /** @type import('@lit-protocol/types').AccessControlConditions */
+  const accessControlConditions = [
+    {
+      contractAddress: '',
+      standardContractType: '',
+      chain: 'ethereum',
+      method: '',
+      parameters: [':currentActionIpfsId', space.did()],
+      returnValueTest: {
+        comparator: '=',
+        value: env.STORACHA_LIT_ACTION_CID
+      }
+    }
+  ]
+
+  console.log('🔄 Encrypting...')
+  const { ciphertext, dataToEncryptHash, encryptedBlobLike } = await encryptLargeFile(
+    filePath,
+    accessControlConditions
+  )
+  console.log(`✅ Encrypted file!`)
+  console.log(`Uploading encrypted data to storacha...`)
+  const rootEncryptedDataCid = await client.uploadFile(encryptedBlobLike)
+  console.log(`✅ Encrypted data root cid: ${rootEncryptedDataCid}`)
+
+  // upload to storacha
+  const uploadData = {
+    encryptedDataCid: rootEncryptedDataCid.toString(),
+    ciphertext,
+    dataToEncryptHash,
+    accessControlConditions
+  }
+  const blob = new Blob([JSON.stringify(uploadData)])
+  console.log('🔄 Uploading metadata to Storacha...')
+  const rootCid = await client.uploadFile(blob)
+  console.log(`✅ Metadata root cid: ${rootCid}`)
+}
+
+main()
+  .then(() => process.exit(0))
+  .catch(err => {
+    console.error(err)
+    process.exit(1)
+  })