HttpEce.java

Go to the documentation of this file.

/*
 * Turró i Cutiller Foundation. License notice.
 * Copyright (C) 2022 Lluis Turró Cutiller <http://www.turro.org/>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
package org.turro.push.service;
 
import java.nio.ByteBuffer;
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import static javax.crypto.Cipher.DECRYPT_MODE;
import static javax.crypto.Cipher.ENCRYPT_MODE;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyAgreement;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.generators.HKDFBytesGenerator;
import org.bouncycastle.crypto.params.HKDFParameters;
import org.bouncycastle.jce.interfaces.ECPrivateKey;
import org.bouncycastle.jce.interfaces.ECPublicKey;
import org.turro.push.security.ServerKeys;
 
public class HttpEce {
 
  public static final int KEY_LENGTH = 16;
  public static final int SHA_256_LENGTH = 32;
  public static final int TAG_SIZE = 16;
  public static final int TWO_BYTE_MAX = 65_536;
  public static final String WEB_PUSH_INFO = "WebPush: info\0";
 
  private Map<String, KeyPair> keys;
  private Map<String, String> labels;
 
  public HttpEce() {
    this(new HashMap<String, KeyPair>(), new HashMap<String, String>());
  }
 
  public HttpEce(Map<String, KeyPair> keys, Map<String, String> labels) {
    this.keys = keys;
    this.labels = labels;
  }
 
  public byte[] encrypt(byte[] plaintext, byte[] salt, byte[] privateKey, String keyid, ECPublicKey dh, byte[] authSecret, Encoding version) throws GeneralSecurityException {
    log("encrypt", plaintext);
 
    byte[][] keyAndNonce = deriveKeyAndNonce(salt, privateKey, keyid, dh, authSecret, version, ENCRYPT_MODE);
    byte[] key = keyAndNonce[0];
    byte[] nonce = keyAndNonce[1];
 
    // Note: Cipher adds the tag to the end of the ciphertext
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
    GCMParameterSpec params = new GCMParameterSpec(TAG_SIZE * 8, nonce);
    cipher.init(ENCRYPT_MODE, new SecretKeySpec(key, "AES"), params);
 
    // For AES128GCM suffix {0x02}, for AESGCM prefix {0x00, 0x00}.
    if (version == Encoding.AES128GCM) {
      byte[] header = buildHeader(salt, keyid);
      log("header", header);
 
      byte[] padding = new byte[]{2};
      log("padding", padding);
 
      byte[][] encrypted = {cipher.update(plaintext), cipher.update(padding), cipher.doFinal()};
      log("encrypted", concat(encrypted));
 
      return log("ciphertext", concat(header, concat(encrypted)));
    } else {
      return concat(cipher.update(new byte[2]), cipher.doFinal(plaintext));
    }
  }
 
  public byte[] decrypt(byte[] payload, byte[] salt, byte[] key, String keyid, Encoding version) throws InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, InvalidAlgorithmParameterException, BadPaddingException, NoSuchProviderException, NoSuchPaddingException {
    byte[] body;
 
    // Parse and strip the header
    if (version == Encoding.AES128GCM) {
      byte[][] header = parseHeader(payload);
 
      salt = header[0];
      keyid = new String(header[2]);
      body = header[3];
    } else {
      body = payload;
    }
 
    // Derive key and nonce.
    byte[][] keyAndNonce = deriveKeyAndNonce(salt, key, keyid, null, null, version, DECRYPT_MODE);
 
    return decryptRecord(body, keyAndNonce[0], keyAndNonce[1], version);
  }
 
  public byte[][] parseHeader(byte[] payload) {
    byte[] salt = Arrays.copyOfRange(payload, 0, KEY_LENGTH);
    byte[] recordSize = Arrays.copyOfRange(payload, KEY_LENGTH, 20);
    int keyIdLength = Arrays.copyOfRange(payload, 20, 21)[0];
    byte[] keyId = Arrays.copyOfRange(payload, 21, 21 + keyIdLength);
    byte[] body = Arrays.copyOfRange(payload, 21 + keyIdLength, payload.length);
 
    return new byte[][]{
      salt,
      recordSize,
      keyId,
      body
    };
  }
 
  public byte[] decryptRecord(byte[] ciphertext, byte[] key, byte[] nonce, Encoding version) throws NoSuchPaddingException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
    GCMParameterSpec params = new GCMParameterSpec(TAG_SIZE * 8, nonce);
    cipher.init(DECRYPT_MODE, new SecretKeySpec(key, "AES"), params);
 
    byte[] plaintext = cipher.doFinal(ciphertext);
 
    if (version == Encoding.AES128GCM) {
      // Remove one byte of padding at the end
      return Arrays.copyOfRange(plaintext, 0, plaintext.length - 1);
    } else {
      // Remove two bytes of padding at the start
      return Arrays.copyOfRange(plaintext, 2, plaintext.length);
    }
  }
 
  private byte[] buildHeader(byte[] salt, String keyid) {
    byte[] keyIdBytes;
 
    if (keyid == null) {
      keyIdBytes = new byte[0];
    } else {
      keyIdBytes = ServerKeys.encode(getPublicKey(keyid));
    }
 
    if (keyIdBytes.length > 255) {
      throw new IllegalArgumentException("They keyid is too large.");
    }
 
    byte[] rs = toByteArray(4096, 4);
    byte[] idlen = new byte[]{(byte) keyIdBytes.length};
 
    return concat(salt, rs, idlen, keyIdBytes);
  }
 
  protected static byte[] buildInfo(String type, byte[] context) {
    ByteBuffer buffer = ByteBuffer.allocate(19 + type.length() + context.length);
 
    buffer.put("Content-Encoding: ".getBytes(UTF_8), 0, 18);
    buffer.put(type.getBytes(UTF_8), 0, type.length());
    buffer.put(new byte[1], 0, 1);
    buffer.put(context, 0, context.length);
 
    return buffer.array();
  }
 
  protected static byte[] hkdfExpand(byte[] ikm, byte[] salt, byte[] info, int length) {
    log("salt", salt);
    log("ikm", ikm);
    log("info", info);
 
    HKDFBytesGenerator hkdf = new HKDFBytesGenerator(new SHA256Digest());
    hkdf.init(new HKDFParameters(ikm, salt, info));
 
    byte[] okm = new byte[length];
    hkdf.generateBytes(okm, 0, length);
 
    log("expand", okm);
 
    return okm;
  }
 
  public byte[][] extractSecretAndContext(byte[] key, String keyId, ECPublicKey dh, byte[] authSecret) throws InvalidKeyException, NoSuchAlgorithmException {
    byte[] secret = null;
    byte[] context = null;
 
    if (key != null) {
      secret = key;
      if (secret.length != KEY_LENGTH) {
        throw new IllegalStateException("An explicit key must be " + KEY_LENGTH + " bytes.");
      }
    } else if (dh != null) {
      byte[][] bytes = extractDH(keyId, dh);
      secret = bytes[0];
      context = bytes[1];
    } else if (keyId != null) {
      secret = keys.get(keyId).getPublic().getEncoded();
    }
 
    if (secret == null) {
      throw new IllegalStateException("Unable to determine key.");
    }
 
    if (authSecret != null) {
      secret = hkdfExpand(secret, authSecret, buildInfo("auth", new byte[0]), SHA_256_LENGTH);
    }
 
    return new byte[][]{
      secret,
      context
    };
  }
 
  public byte[][] deriveKeyAndNonce(byte[] salt, byte[] key, String keyId, ECPublicKey dh, byte[] authSecret, Encoding version, int mode) throws NoSuchAlgorithmException, InvalidKeyException {
    byte[] secret;
    byte[] keyInfo;
    byte[] nonceInfo;
 
    if (version == Encoding.AESGCM) {
      byte[][] secretAndContext = extractSecretAndContext(key, keyId, dh, authSecret);
      secret = secretAndContext[0];
 
      keyInfo = buildInfo("aesgcm", secretAndContext[1]);
      nonceInfo = buildInfo("nonce", secretAndContext[1]);
    } else if (version == Encoding.AES128GCM) {
      keyInfo = "Content-Encoding: aes128gcm\0".getBytes();
      nonceInfo = "Content-Encoding: nonce\0".getBytes();
 
      secret = extractSecret(key, keyId, dh, authSecret, mode);
    } else {
      throw new IllegalStateException("Unknown version: " + version);
    }
 
    byte[] hkdf_key = hkdfExpand(secret, salt, keyInfo, 16);
    byte[] hkdf_nonce = hkdfExpand(secret, salt, nonceInfo, 12);
 
    log("key", hkdf_key);
    log("nonce", hkdf_nonce);
 
    return new byte[][]{
      hkdf_key,
      hkdf_nonce
    };
  }
 
  private byte[] extractSecret(byte[] key, String keyId, ECPublicKey dh, byte[] authSecret, int mode) throws InvalidKeyException, NoSuchAlgorithmException {
    if (key != null) {
      if (key.length != KEY_LENGTH) {
        throw new IllegalArgumentException("An explicit key must be " + KEY_LENGTH + " bytes.");
      }
      return key;
    }
 
    if (dh == null) {
      KeyPair keyPair = keys.get(keyId);
 
      if (keyPair == null) {
        throw new IllegalArgumentException("No saved key for keyid '" + keyId + "'.");
      }
 
      return ServerKeys.encode((ECPublicKey) keyPair.getPublic());
    }
 
    return webpushSecret(keyId, dh, authSecret, mode);
  }
 
  public byte[] webpushSecret(String keyId, ECPublicKey dh, byte[] authSecret, int mode) throws NoSuchAlgorithmException, InvalidKeyException {
    ECPublicKey senderPubKey;
    ECPublicKey remotePubKey;
    ECPublicKey receiverPubKey;
 
    if (mode == ENCRYPT_MODE) {
      senderPubKey = getPublicKey(keyId);
      remotePubKey = dh;
      receiverPubKey = dh;
    } else if (mode == DECRYPT_MODE) {
      remotePubKey = getPublicKey(keyId);
      senderPubKey = remotePubKey;
      receiverPubKey = dh;
    } else {
      throw new IllegalArgumentException("Unsupported mode: " + mode);
    }
 
    log("remote pubkey", ServerKeys.encode(remotePubKey));
    log("sender pubkey", ServerKeys.encode(senderPubKey));
    log("receiver pubkey", ServerKeys.encode(receiverPubKey));
 
    KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH");
    keyAgreement.init(getPrivateKey(keyId));
    keyAgreement.doPhase(remotePubKey, true);
    byte[] secret = keyAgreement.generateSecret();
 
    byte[] ikm = secret;
    byte[] salt = authSecret;
    byte[] info = concat(WEB_PUSH_INFO.getBytes(), ServerKeys.encode(receiverPubKey), ServerKeys.encode(senderPubKey));
 
    return hkdfExpand(ikm, salt, info, SHA_256_LENGTH);
  }
 
  private byte[][] extractDH(String keyid, ECPublicKey publicKey) throws NoSuchAlgorithmException, InvalidKeyException {
    ECPublicKey senderPubKey = getPublicKey(keyid);
 
    KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH");
    keyAgreement.init(getPrivateKey(keyid));
    keyAgreement.doPhase(publicKey, true);
 
    byte[] secret = keyAgreement.generateSecret();
    byte[] context = concat(labels.get(keyid).getBytes(UTF_8), new byte[1], lengthPrefix(publicKey), lengthPrefix(senderPubKey));
 
    return new byte[][]{
      secret,
      context
    };
  }
 
  private ECPublicKey getPublicKey(String keyid) {
    return (ECPublicKey) keys.get(keyid).getPublic();
  }
 
  private ECPrivateKey getPrivateKey(String keyid) {
    return (ECPrivateKey) keys.get(keyid).getPrivate();
  }
 
  private static byte[] lengthPrefix(ECPublicKey publicKey) {
    byte[] bytes = ServerKeys.encode(publicKey);
 
    return concat(intToBytes(bytes.length), bytes);
  }
 
  private static byte[] intToBytes(int number) {
    if (number < 0) {
      throw new IllegalArgumentException("Cannot convert a negative number, " + number + " given.");
    }
 
    if (number >= TWO_BYTE_MAX) {
      throw new IllegalArgumentException("Cannot convert an integer larger than " + (TWO_BYTE_MAX - 1) + " to two bytes.");
    }
 
    byte[] bytes = new byte[2];
    bytes[1] = (byte) (number & 0xff);
    bytes[0] = (byte) (number >> 8);
 
    return bytes;
  }
 
  private static byte[] log(String info, byte[] array) {
    if ("1".equals(System.getenv("ECE_KEYLOG"))) {
      System.out.println(info + " [" + array.length + "]: " + Base64.encodeBase64URLSafeString(array));
    }
 
    return array;
  }
 
  public static byte[] concat(byte[]... arrays) {
    int lastPos = 0;
 
    byte[] combined = new byte[combinedLength(arrays)];
 
    for (byte[] array : arrays) {
      if (array == null) {
        continue;
      }
 
      System.arraycopy(array, 0, combined, lastPos, array.length);
 
      lastPos += array.length;
    }
 
    return combined;
  }
 
  public static int combinedLength(byte[]... arrays) {
    int combinedLength = 0;
 
    for (byte[] array : arrays) {
      if (array == null) {
        continue;
      }
 
      combinedLength += array.length;
    }
 
    return combinedLength;
  }
 
  public static byte[] toByteArray(int integer, int size) {
    ByteBuffer buffer = ByteBuffer.allocate(size);
    buffer.putInt(integer);
 
    return buffer.array();
  }
  
}