org.turro.push.service.HttpEce Class Reference

Public Member Functions
	HttpEce ()
	HttpEce (Map< String, KeyPair > keys, Map< String, String > labels)
byte[]	encrypt (byte[] plaintext, byte[] salt, byte[] privateKey, String keyid, ECPublicKey dh, byte[] authSecret, Encoding version) throws GeneralSecurityException
byte[]	decrypt (byte[] payload, byte[] salt, byte[] key, String keyid, Encoding version) throws InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, InvalidAlgorithmParameterException, BadPaddingException, NoSuchProviderException, NoSuchPaddingException
byte[][]	parseHeader (byte[] payload)
byte[]	decryptRecord (byte[] ciphertext, byte[] key, byte[] nonce, Encoding version) throws NoSuchPaddingException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException
byte[][]	extractSecretAndContext (byte[] key, String keyId, ECPublicKey dh, byte[] authSecret) throws InvalidKeyException, NoSuchAlgorithmException
byte[][]	deriveKeyAndNonce (byte[] salt, byte[] key, String keyId, ECPublicKey dh, byte[] authSecret, Encoding version, int mode) throws NoSuchAlgorithmException, InvalidKeyException
byte[]	webpushSecret (String keyId, ECPublicKey dh, byte[] authSecret, int mode) throws NoSuchAlgorithmException, InvalidKeyException

Static Public Member Functions
static byte[]	concat (byte[]... arrays)
static int	combinedLength (byte[]... arrays)
static byte[]	toByteArray (int integer, int size)

Static Public Attributes
static final int	KEY_LENGTH = 16
static final int	SHA_256_LENGTH = 32
static final int	TAG_SIZE = 16
static final int	TWO_BYTE_MAX = 65_536
static final String	WEB_PUSH_INFO = "WebPush: info\0"

Static Protected Member Functions
static byte[]	buildInfo (String type, byte[] context)
static byte[]	hkdfExpand (byte[] ikm, byte[] salt, byte[] info, int length)

Detailed Description

Author

Lluis Turró Cutiller lluis.nosp@m.@tur.nosp@m.ro.or.nosp@m.g

Definition at line 52 of file HttpEce.java.

Constructor & Destructor Documentation

HttpEce() [1/2]

org.turro.push.service.HttpEce.HttpEce

(

)

Definition at line 63 of file HttpEce.java.

                   {
    this(new HashMap<String, KeyPair>(), new HashMap<String, String>());
  }

HttpEce() [2/2]

org.turro.push.service.HttpEce.HttpEce	(	Map< String, KeyPair >	keys,
		Map< String, String >	labels
	)

Definition at line 67 of file HttpEce.java.

                                                                        {
    this.keys = keys;
    this.labels = labels;
  }

Member Function Documentation

buildInfo()

static byte [] org.turro.push.service.HttpEce.buildInfo ( String  type, byte[]  context  )

staticprotected

Future versions might require a null-terminated info string?

Parameters

type

Returns

Definition at line 212 of file HttpEce.java.

                                                                 {
    ByteBuffer buffer = ByteBuffer.allocate(19 + type.length() + context.length);
 
    buffer.put("Content-Encoding: ".getBytes(UTF_8), 0, 18);
    buffer.put(type.getBytes(UTF_8), 0, type.length());
    buffer.put(new byte[1], 0, 1);
    buffer.put(context, 0, context.length);
 
    return buffer.array();
  }

Here is the caller graph for this function:

combinedLength()

static int org.turro.push.service.HttpEce.combinedLength ( byte...[]  arrays )

static

Definition at line 488 of file HttpEce.java.

                                                     {
    int combinedLength = 0;
 
    for (byte[] array : arrays) {
      if (array == null) {
        continue;
      }
 
      combinedLength += array.length;
    }
 
    return combinedLength;
  }

Here is the caller graph for this function:

concat()

static byte [] org.turro.push.service.HttpEce.concat ( byte...[]  arrays )

static

Definition at line 470 of file HttpEce.java.

                                                {
    int lastPos = 0;
 
    byte[] combined = new byte[combinedLength(arrays)];
 
    for (byte[] array : arrays) {
      if (array == null) {
        continue;
      }
 
      System.arraycopy(array, 0, combined, lastPos, array.length);
 
      lastPos += array.length;
    }
 
    return combined;
  }

Here is the call graph for this function:

Here is the caller graph for this function:

decrypt()

byte [] org.turro.push.service.HttpEce.decrypt	(	byte[]	payload,
		byte[]	salt,
		byte[]	key,
		String	keyid,
		Encoding	version
	)		throws InvalidKeyException, NoSuchAlgorithmException, IllegalBlockSizeException, InvalidAlgorithmParameterException, BadPaddingException, NoSuchProviderException, NoSuchPaddingException

Decrypt the payload.

Parameters

payload	Header and body (ciphertext)
salt	May be null when version is AES128GCM; the salt is extracted from the header.
version	AES128GCM or AESGCM.

Returns

Definition at line 126 of file HttpEce.java.

                                                                                                                                                                                                                                                                                           {
    byte[] body;
 
    // Parse and strip the header
    if (version == Encoding.AES128GCM) {
      byte[][] header = parseHeader(payload);
 
      salt = header[0];
      keyid = new String(header[2]);
      body = header[3];
    } else {
      body = payload;
    }
 
    // Derive key and nonce.
    byte[][] keyAndNonce = deriveKeyAndNonce(salt, key, keyid, null, null, version, DECRYPT_MODE);
 
    return decryptRecord(body, keyAndNonce[0], keyAndNonce[1], version);
  }

Here is the call graph for this function:

decryptRecord()

byte [] org.turro.push.service.HttpEce.decryptRecord	(	byte[]	ciphertext,
		byte[]	key,
		byte[]	nonce,
		Encoding	version
	)		throws NoSuchPaddingException, NoSuchAlgorithmException, NoSuchProviderException, InvalidAlgorithmParameterException, InvalidKeyException, BadPaddingException, IllegalBlockSizeException

Definition at line 161 of file HttpEce.java.

                                                                                                                                                                                                                                                                                       {
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
    GCMParameterSpec params = new GCMParameterSpec(TAG_SIZE * 8, nonce);
    cipher.init(DECRYPT_MODE, new SecretKeySpec(key, "AES"), params);
 
    byte[] plaintext = cipher.doFinal(ciphertext);
 
    if (version == Encoding.AES128GCM) {
      // Remove one byte of padding at the end
      return Arrays.copyOfRange(plaintext, 0, plaintext.length - 1);
    } else {
      // Remove two bytes of padding at the start
      return Arrays.copyOfRange(plaintext, 2, plaintext.length);
    }
  }

Here is the caller graph for this function:

deriveKeyAndNonce()

byte [][] org.turro.push.service.HttpEce.deriveKeyAndNonce	(	byte[]	salt,
		byte[]	key,
		String	keyId,
		ECPublicKey	dh,
		byte[]	authSecret,
		Encoding	version,
		int	mode
	)		throws NoSuchAlgorithmException, InvalidKeyException

Definition at line 274 of file HttpEce.java.

                                                                                                                                                                                               {
    byte[] secret;
    byte[] keyInfo;
    byte[] nonceInfo;
 
    if (version == Encoding.AESGCM) {
      byte[][] secretAndContext = extractSecretAndContext(key, keyId, dh, authSecret);
      secret = secretAndContext[0];
 
      keyInfo = buildInfo("aesgcm", secretAndContext[1]);
      nonceInfo = buildInfo("nonce", secretAndContext[1]);
    } else if (version == Encoding.AES128GCM) {
      keyInfo = "Content-Encoding: aes128gcm\0".getBytes();
      nonceInfo = "Content-Encoding: nonce\0".getBytes();
 
      secret = extractSecret(key, keyId, dh, authSecret, mode);
    } else {
      throw new IllegalStateException("Unknown version: " + version);
    }
 
    byte[] hkdf_key = hkdfExpand(secret, salt, keyInfo, 16);
    byte[] hkdf_nonce = hkdfExpand(secret, salt, nonceInfo, 12);
 
    log("key", hkdf_key);
    log("nonce", hkdf_nonce);
 
    return new byte[][]{
      hkdf_key,
      hkdf_nonce
    };
  }

Here is the call graph for this function:

Here is the caller graph for this function:

encrypt()

byte [] org.turro.push.service.HttpEce.encrypt	(	byte[]	plaintext,
		byte[]	salt,
		byte[]	privateKey,
		String	keyid,
		ECPublicKey	dh,
		byte[]	authSecret,
		Encoding	version
	)		throws GeneralSecurityException

Encrypt the given plaintext.

Parameters

plaintext	Payload to encrypt.
salt	A random 16-byte buffer
privateKey	A private key to encrypt this message with (Web Push: the local private key)
keyid	An identifier for the local key. Only applies to AESGCM. For AES128GCM, the header contains the keyid.
dh	An Elliptic curve Diffie-Hellman public privateKey on the P-256 curve (Web Push: the user's keys.p256dh)
authSecret	An authentication secret (Web Push: the user's keys.auth)
version

Returns

Exceptions

GeneralSecurityException

Definition at line 88 of file HttpEce.java.

                                                                                                                                                                             {
    log("encrypt", plaintext);
 
    byte[][] keyAndNonce = deriveKeyAndNonce(salt, privateKey, keyid, dh, authSecret, version, ENCRYPT_MODE);
    byte[] key = keyAndNonce[0];
    byte[] nonce = keyAndNonce[1];
 
    // Note: Cipher adds the tag to the end of the ciphertext
    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding", "BC");
    GCMParameterSpec params = new GCMParameterSpec(TAG_SIZE * 8, nonce);
    cipher.init(ENCRYPT_MODE, new SecretKeySpec(key, "AES"), params);
 
    // For AES128GCM suffix {0x02}, for AESGCM prefix {0x00, 0x00}.
    if (version == Encoding.AES128GCM) {
      byte[] header = buildHeader(salt, keyid);
      log("header", header);
 
      byte[] padding = new byte[]{2};
      log("padding", padding);
 
      byte[][] encrypted = {cipher.update(plaintext), cipher.update(padding), cipher.doFinal()};
      log("encrypted", concat(encrypted));
 
      return log("ciphertext", concat(header, concat(encrypted)));
    } else {
      return concat(cipher.update(new byte[2]), cipher.doFinal(plaintext));
    }
  }

extractSecretAndContext()

byte [][] org.turro.push.service.HttpEce.extractSecretAndContext	(	byte[]	key,
		String	keyId,
		ECPublicKey	dh,
		byte[]	authSecret
	)		throws InvalidKeyException, NoSuchAlgorithmException

Definition at line 243 of file HttpEce.java.

                                                                                                                                                            {
    byte[] secret = null;
    byte[] context = null;
 
    if (key != null) {
      secret = key;
      if (secret.length != KEY_LENGTH) {
        throw new IllegalStateException("An explicit key must be " + KEY_LENGTH + " bytes.");
      }
    } else if (dh != null) {
      byte[][] bytes = extractDH(keyId, dh);
      secret = bytes[0];
      context = bytes[1];
    } else if (keyId != null) {
      secret = keys.get(keyId).getPublic().getEncoded();
    }
 
    if (secret == null) {
      throw new IllegalStateException("Unable to determine key.");
    }
 
    if (authSecret != null) {
      secret = hkdfExpand(secret, authSecret, buildInfo("auth", new byte[0]), SHA_256_LENGTH);
    }
 
    return new byte[][]{
      secret,
      context
    };
  }

Here is the call graph for this function:

Here is the caller graph for this function:

hkdfExpand()

static byte [] org.turro.push.service.HttpEce.hkdfExpand ( byte[]  ikm, byte[]  salt, byte[]  info, int  length  )

staticprotected

Convenience method for computing the HMAC Key Derivation Function. The real work is offloaded to BouncyCastle.

Definition at line 227 of file HttpEce.java.

                                                                                       {
    log("salt", salt);
    log("ikm", ikm);
    log("info", info);
 
    HKDFBytesGenerator hkdf = new HKDFBytesGenerator(new SHA256Digest());
    hkdf.init(new HKDFParameters(ikm, salt, info));
 
    byte[] okm = new byte[length];
    hkdf.generateBytes(okm, 0, length);
 
    log("expand", okm);
 
    return okm;
  }

Here is the caller graph for this function:

parseHeader()

byte [][] org.turro.push.service.HttpEce.parseHeader

(

byte[]

payload

)

Definition at line 146 of file HttpEce.java.

                                              {
    byte[] salt = Arrays.copyOfRange(payload, 0, KEY_LENGTH);
    byte[] recordSize = Arrays.copyOfRange(payload, KEY_LENGTH, 20);
    int keyIdLength = Arrays.copyOfRange(payload, 20, 21)[0];
    byte[] keyId = Arrays.copyOfRange(payload, 21, 21 + keyIdLength);
    byte[] body = Arrays.copyOfRange(payload, 21 + keyIdLength, payload.length);
 
    return new byte[][]{
      salt,
      recordSize,
      keyId,
      body
    };
  }

Here is the caller graph for this function:

toByteArray()

static byte [] org.turro.push.service.HttpEce.toByteArray ( int  integer, int  size  )

static

Definition at line 502 of file HttpEce.java.

                                                          {
    ByteBuffer buffer = ByteBuffer.allocate(size);
    buffer.putInt(integer);
 
    return buffer.array();
  }

webpushSecret()

byte [] org.turro.push.service.HttpEce.webpushSecret	(	String	keyId,
		ECPublicKey	dh,
		byte[]	authSecret,
		int	mode
	)		throws NoSuchAlgorithmException, InvalidKeyException

Combine Shared and Authentication Secrets

See https://tools.ietf.org/html/draft-ietf-webpush-encryption-09#section-3.3.

Parameters

keyId
dh
authSecret
mode

Returns

Exceptions

NoSuchAlgorithmException
InvalidKeyException

Definition at line 341 of file HttpEce.java.

                                                                                                                                              {
    ECPublicKey senderPubKey;
    ECPublicKey remotePubKey;
    ECPublicKey receiverPubKey;
 
    if (mode == ENCRYPT_MODE) {
      senderPubKey = getPublicKey(keyId);
      remotePubKey = dh;
      receiverPubKey = dh;
    } else if (mode == DECRYPT_MODE) {
      remotePubKey = getPublicKey(keyId);
      senderPubKey = remotePubKey;
      receiverPubKey = dh;
    } else {
      throw new IllegalArgumentException("Unsupported mode: " + mode);
    }
 
    log("remote pubkey", ServerKeys.encode(remotePubKey));
    log("sender pubkey", ServerKeys.encode(senderPubKey));
    log("receiver pubkey", ServerKeys.encode(receiverPubKey));
 
    KeyAgreement keyAgreement = KeyAgreement.getInstance("ECDH");
    keyAgreement.init(getPrivateKey(keyId));
    keyAgreement.doPhase(remotePubKey, true);
    byte[] secret = keyAgreement.generateSecret();
 
    byte[] ikm = secret;
    byte[] salt = authSecret;
    byte[] info = concat(WEB_PUSH_INFO.getBytes(), ServerKeys.encode(receiverPubKey), ServerKeys.encode(senderPubKey));
 
    return hkdfExpand(ikm, salt, info, SHA_256_LENGTH);
  }

Here is the call graph for this function:

Member Data Documentation

KEY_LENGTH

final int org.turro.push.service.HttpEce.KEY_LENGTH = 16

static

Definition at line 54 of file HttpEce.java.

SHA_256_LENGTH

final int org.turro.push.service.HttpEce.SHA_256_LENGTH = 32

static

Definition at line 55 of file HttpEce.java.

TAG_SIZE

final int org.turro.push.service.HttpEce.TAG_SIZE = 16

static

Definition at line 56 of file HttpEce.java.

TWO_BYTE_MAX

final int org.turro.push.service.HttpEce.TWO_BYTE_MAX = 65_536

static

Definition at line 57 of file HttpEce.java.

WEB_PUSH_INFO

final String org.turro.push.service.HttpEce.WEB_PUSH_INFO = "WebPush: info\0"

static

Definition at line 58 of file HttpEce.java.

---

The documentation for this class was generated from the following file:

• HttpEce.java