2021-10-07 15:09:40 +02:00
|
|
|
import {
|
2021-10-18 19:18:34 +02:00
|
|
|
bytesToString,
|
2021-10-07 15:09:40 +02:00
|
|
|
canonicalJson,
|
|
|
|
decodeCrock,
|
|
|
|
encodeCrock,
|
2021-10-18 19:18:34 +02:00
|
|
|
getRandomBytes,
|
|
|
|
kdf,
|
2021-10-18 21:48:22 +02:00
|
|
|
kdfKw,
|
2021-10-18 19:18:34 +02:00
|
|
|
secretbox,
|
2021-10-18 21:48:22 +02:00
|
|
|
crypto_sign_keyPair_fromSeed,
|
2021-10-07 15:09:40 +02:00
|
|
|
stringToBytes,
|
2021-10-21 13:11:17 +02:00
|
|
|
secretbox_open,
|
2021-11-04 16:53:04 +01:00
|
|
|
hash,
|
2021-11-05 07:29:26 +01:00
|
|
|
Logger,
|
|
|
|
j2s,
|
2021-10-07 15:09:40 +02:00
|
|
|
} from "@gnu-taler/taler-util";
|
2021-10-07 12:01:40 +02:00
|
|
|
import { argon2id } from "hash-wasm";
|
|
|
|
|
2021-10-19 19:54:15 +02:00
|
|
|
export type Flavor<T, FlavorT extends string> = T & {
|
|
|
|
_flavor?: `anastasis.${FlavorT}`;
|
|
|
|
};
|
|
|
|
export type FlavorP<T, FlavorT extends string, S extends number> = T & {
|
|
|
|
_flavor?: `anastasis.${FlavorT}`;
|
2021-10-18 19:18:34 +02:00
|
|
|
_size?: S;
|
|
|
|
};
|
|
|
|
|
|
|
|
export type UserIdentifier = Flavor<string, "UserIdentifier">;
|
|
|
|
export type ServerSalt = Flavor<string, "ServerSalt">;
|
|
|
|
export type PolicySalt = Flavor<string, "PolicySalt">;
|
|
|
|
export type PolicyKey = FlavorP<string, "PolicyKey", 64>;
|
|
|
|
export type KeyShare = Flavor<string, "KeyShare">;
|
|
|
|
export type EncryptedKeyShare = Flavor<string, "EncryptedKeyShare">;
|
|
|
|
export type EncryptedTruth = Flavor<string, "EncryptedTruth">;
|
|
|
|
export type EncryptedCoreSecret = Flavor<string, "EncryptedCoreSecret">;
|
|
|
|
export type EncryptedMasterKey = Flavor<string, "EncryptedMasterKey">;
|
2021-10-18 21:48:22 +02:00
|
|
|
export type EddsaPublicKey = Flavor<string, "EddsaPublicKey">;
|
|
|
|
export type EddsaPrivateKey = Flavor<string, "EddsaPrivateKey">;
|
2021-10-19 19:54:15 +02:00
|
|
|
export type TruthUuid = Flavor<string, "TruthUuid">;
|
|
|
|
export type SecureAnswerHash = Flavor<string, "SecureAnswerHash">;
|
2021-10-19 20:51:31 +02:00
|
|
|
/**
|
|
|
|
* Truth-specific randomness, also called question salt sometimes.
|
|
|
|
*/
|
|
|
|
export type TruthSalt = Flavor<string, "TruthSalt">;
|
2021-10-18 19:18:34 +02:00
|
|
|
/**
|
|
|
|
* Truth key, found in the recovery document.
|
|
|
|
*/
|
|
|
|
export type TruthKey = Flavor<string, "TruthKey">;
|
|
|
|
export type EncryptionNonce = Flavor<string, "EncryptionNonce">;
|
|
|
|
export type OpaqueData = Flavor<string, "OpaqueData">;
|
|
|
|
|
|
|
|
const nonceSize = 24;
|
|
|
|
const masterKeySize = 64;
|
|
|
|
|
2021-10-07 15:09:40 +02:00
|
|
|
export async function userIdentifierDerive(
|
2021-10-07 12:01:40 +02:00
|
|
|
idData: any,
|
2021-10-18 19:18:34 +02:00
|
|
|
serverSalt: ServerSalt,
|
|
|
|
): Promise<UserIdentifier> {
|
2021-10-07 15:09:40 +02:00
|
|
|
const canonIdData = canonicalJson(idData);
|
|
|
|
const hashInput = stringToBytes(canonIdData);
|
|
|
|
const result = await argon2id({
|
|
|
|
hashLength: 64,
|
|
|
|
iterations: 3,
|
|
|
|
memorySize: 1024 /* kibibytes */,
|
|
|
|
parallelism: 1,
|
|
|
|
password: hashInput,
|
|
|
|
salt: decodeCrock(serverSalt),
|
|
|
|
outputType: "binary",
|
|
|
|
});
|
|
|
|
return encodeCrock(result);
|
2021-10-07 12:01:40 +02:00
|
|
|
}
|
|
|
|
|
2021-10-18 21:48:22 +02:00
|
|
|
export interface AccountKeyPair {
|
|
|
|
priv: EddsaPrivateKey;
|
|
|
|
pub: EddsaPublicKey;
|
|
|
|
}
|
|
|
|
|
|
|
|
export function accountKeypairDerive(userId: UserIdentifier): AccountKeyPair {
|
|
|
|
// FIXME: the KDF invocation looks fishy, but that's what the C code presently does.
|
|
|
|
const d = kdfKw({
|
|
|
|
outputLength: 32,
|
2021-10-19 18:39:38 +02:00
|
|
|
ikm: decodeCrock(userId),
|
|
|
|
info: stringToBytes("ver"),
|
2021-10-18 21:48:22 +02:00
|
|
|
});
|
|
|
|
const pair = crypto_sign_keyPair_fromSeed(d);
|
|
|
|
return {
|
2021-10-19 18:39:38 +02:00
|
|
|
priv: encodeCrock(d),
|
2021-10-18 21:48:22 +02:00
|
|
|
pub: encodeCrock(pair.publicKey),
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
2021-10-19 23:26:29 +02:00
|
|
|
/**
|
|
|
|
* Encrypt the recovery document.
|
2021-10-21 13:11:17 +02:00
|
|
|
*
|
2021-10-19 23:26:29 +02:00
|
|
|
* The caller should first compress the recovery doc.
|
|
|
|
*/
|
2021-10-18 21:48:22 +02:00
|
|
|
export async function encryptRecoveryDocument(
|
|
|
|
userId: UserIdentifier,
|
2021-10-19 23:26:29 +02:00
|
|
|
recoveryDocData: OpaqueData,
|
2021-10-18 21:48:22 +02:00
|
|
|
): Promise<OpaqueData> {
|
|
|
|
const nonce = encodeCrock(getRandomBytes(nonceSize));
|
2021-10-21 13:11:17 +02:00
|
|
|
return anastasisEncrypt(nonce, asOpaque(userId), recoveryDocData, "erd");
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Encrypt the recovery document.
|
|
|
|
*
|
|
|
|
* The caller should first compress the recovery doc.
|
|
|
|
*/
|
|
|
|
export async function decryptRecoveryDocument(
|
|
|
|
userId: UserIdentifier,
|
|
|
|
recoveryDocData: OpaqueData,
|
|
|
|
): Promise<OpaqueData> {
|
|
|
|
return anastasisDecrypt(asOpaque(userId), recoveryDocData, "erd");
|
2021-10-18 21:48:22 +02:00
|
|
|
}
|
|
|
|
|
2021-10-19 23:26:29 +02:00
|
|
|
export function typedArrayConcat(chunks: Uint8Array[]): Uint8Array {
|
2021-10-18 19:18:34 +02:00
|
|
|
let payloadLen = 0;
|
|
|
|
for (const c of chunks) {
|
|
|
|
payloadLen += c.byteLength;
|
|
|
|
}
|
|
|
|
const buf = new ArrayBuffer(payloadLen);
|
|
|
|
const u8buf = new Uint8Array(buf);
|
|
|
|
let p = 0;
|
|
|
|
for (const c of chunks) {
|
|
|
|
u8buf.set(c, p);
|
|
|
|
p += c.byteLength;
|
|
|
|
}
|
|
|
|
return u8buf;
|
|
|
|
}
|
2021-10-07 12:01:40 +02:00
|
|
|
|
2021-10-18 19:18:34 +02:00
|
|
|
export async function policyKeyDerive(
|
|
|
|
keyShares: KeyShare[],
|
|
|
|
policySalt: PolicySalt,
|
|
|
|
): Promise<PolicyKey> {
|
|
|
|
const chunks = keyShares.map((x) => decodeCrock(x));
|
2021-10-19 19:54:15 +02:00
|
|
|
const polKey = kdfKw({
|
|
|
|
outputLength: 64,
|
2021-10-19 23:26:29 +02:00
|
|
|
ikm: typedArrayConcat(chunks),
|
2021-10-19 19:54:15 +02:00
|
|
|
salt: decodeCrock(policySalt),
|
|
|
|
info: stringToBytes("anastasis-policy-key-derive"),
|
|
|
|
});
|
|
|
|
|
2021-10-18 19:18:34 +02:00
|
|
|
return encodeCrock(polKey);
|
|
|
|
}
|
|
|
|
|
|
|
|
async function deriveKey(
|
|
|
|
keySeed: OpaqueData,
|
|
|
|
nonce: EncryptionNonce,
|
|
|
|
salt: string,
|
|
|
|
): Promise<Uint8Array> {
|
2021-10-19 19:54:15 +02:00
|
|
|
return kdfKw({
|
|
|
|
outputLength: 32,
|
|
|
|
salt: decodeCrock(nonce),
|
|
|
|
ikm: decodeCrock(keySeed),
|
|
|
|
info: stringToBytes(salt),
|
|
|
|
});
|
2021-10-18 19:18:34 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
async function anastasisEncrypt(
|
|
|
|
nonce: EncryptionNonce,
|
|
|
|
keySeed: OpaqueData,
|
|
|
|
plaintext: OpaqueData,
|
|
|
|
salt: string,
|
|
|
|
): Promise<OpaqueData> {
|
|
|
|
const key = await deriveKey(keySeed, nonce, salt);
|
|
|
|
const nonceBuf = decodeCrock(nonce);
|
|
|
|
const cipherText = secretbox(decodeCrock(plaintext), decodeCrock(nonce), key);
|
2021-10-19 23:26:29 +02:00
|
|
|
return encodeCrock(typedArrayConcat([nonceBuf, cipherText]));
|
2021-10-18 19:18:34 +02:00
|
|
|
}
|
2021-10-07 12:01:40 +02:00
|
|
|
|
2021-10-21 13:11:17 +02:00
|
|
|
async function anastasisDecrypt(
|
|
|
|
keySeed: OpaqueData,
|
|
|
|
ciphertext: OpaqueData,
|
|
|
|
salt: string,
|
|
|
|
): Promise<OpaqueData> {
|
|
|
|
const ctBuf = decodeCrock(ciphertext);
|
|
|
|
const nonceBuf = ctBuf.slice(0, nonceSize);
|
|
|
|
const enc = ctBuf.slice(nonceSize);
|
|
|
|
const key = await deriveKey(keySeed, encodeCrock(nonceBuf), salt);
|
|
|
|
const cipherText = secretbox_open(enc, nonceBuf, key);
|
|
|
|
if (!cipherText) {
|
|
|
|
throw Error("could not decrypt");
|
|
|
|
}
|
|
|
|
return encodeCrock(cipherText);
|
|
|
|
}
|
|
|
|
|
2021-10-19 20:51:31 +02:00
|
|
|
export const asOpaque = (x: string): OpaqueData => x;
|
2021-10-18 19:18:34 +02:00
|
|
|
const asEncryptedKeyShare = (x: OpaqueData): EncryptedKeyShare => x as string;
|
|
|
|
const asEncryptedTruth = (x: OpaqueData): EncryptedTruth => x as string;
|
2021-10-21 18:51:19 +02:00
|
|
|
const asKeyShare = (x: OpaqueData): KeyShare => x as string;
|
2021-10-18 19:18:34 +02:00
|
|
|
|
|
|
|
export async function encryptKeyshare(
|
|
|
|
keyShare: KeyShare,
|
|
|
|
userId: UserIdentifier,
|
|
|
|
answerSalt?: string,
|
|
|
|
): Promise<EncryptedKeyShare> {
|
|
|
|
const s = answerSalt ?? "eks";
|
|
|
|
const nonce = encodeCrock(getRandomBytes(24));
|
|
|
|
return asEncryptedKeyShare(
|
|
|
|
await anastasisEncrypt(nonce, asOpaque(userId), asOpaque(keyShare), s),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2021-10-21 18:51:19 +02:00
|
|
|
export async function decryptKeyShare(
|
|
|
|
encKeyShare: EncryptedKeyShare,
|
|
|
|
userId: UserIdentifier,
|
|
|
|
answerSalt?: string,
|
|
|
|
): Promise<KeyShare> {
|
|
|
|
const s = answerSalt ?? "eks";
|
|
|
|
return asKeyShare(
|
|
|
|
await anastasisDecrypt(asOpaque(userId), asOpaque(encKeyShare), s),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2021-10-18 19:18:34 +02:00
|
|
|
export async function encryptTruth(
|
|
|
|
nonce: EncryptionNonce,
|
|
|
|
truthEncKey: TruthKey,
|
|
|
|
truth: OpaqueData,
|
|
|
|
): Promise<EncryptedTruth> {
|
|
|
|
const salt = "ect";
|
|
|
|
return asEncryptedTruth(
|
|
|
|
await anastasisEncrypt(nonce, asOpaque(truthEncKey), truth, salt),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2021-10-21 13:11:17 +02:00
|
|
|
export async function decryptTruth(
|
|
|
|
truthEncKey: TruthKey,
|
|
|
|
truthEnc: EncryptedTruth,
|
|
|
|
): Promise<OpaqueData> {
|
|
|
|
const salt = "ect";
|
|
|
|
return await anastasisDecrypt(
|
|
|
|
asOpaque(truthEncKey),
|
|
|
|
asOpaque(truthEnc),
|
|
|
|
salt,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2021-10-18 19:18:34 +02:00
|
|
|
export interface CoreSecretEncResult {
|
|
|
|
encCoreSecret: EncryptedCoreSecret;
|
|
|
|
encMasterKeys: EncryptedMasterKey[];
|
|
|
|
}
|
|
|
|
|
2021-10-21 18:51:19 +02:00
|
|
|
export async function coreSecretRecover(args: {
|
|
|
|
encryptedMasterKey: OpaqueData;
|
|
|
|
policyKey: PolicyKey;
|
|
|
|
encryptedCoreSecret: OpaqueData;
|
|
|
|
}): Promise<OpaqueData> {
|
|
|
|
const masterKey = await anastasisDecrypt(
|
|
|
|
asOpaque(args.policyKey),
|
|
|
|
args.encryptedMasterKey,
|
|
|
|
"emk",
|
|
|
|
);
|
|
|
|
return await anastasisDecrypt(masterKey, args.encryptedCoreSecret, "cse");
|
|
|
|
}
|
|
|
|
|
2021-10-18 19:18:34 +02:00
|
|
|
export async function coreSecretEncrypt(
|
|
|
|
policyKeys: PolicyKey[],
|
|
|
|
coreSecret: OpaqueData,
|
|
|
|
): Promise<CoreSecretEncResult> {
|
|
|
|
const masterKey = getRandomBytes(masterKeySize);
|
|
|
|
const nonce = encodeCrock(getRandomBytes(nonceSize));
|
|
|
|
const coreSecretEncSalt = "cse";
|
|
|
|
const masterKeyEncSalt = "emk";
|
|
|
|
const encCoreSecret = (await anastasisEncrypt(
|
|
|
|
nonce,
|
|
|
|
encodeCrock(masterKey),
|
|
|
|
coreSecret,
|
|
|
|
coreSecretEncSalt,
|
|
|
|
)) as string;
|
|
|
|
const encMasterKeys: EncryptedMasterKey[] = [];
|
|
|
|
for (let i = 0; i < policyKeys.length; i++) {
|
|
|
|
const polNonce = encodeCrock(getRandomBytes(nonceSize));
|
|
|
|
const encMasterKey = await anastasisEncrypt(
|
|
|
|
polNonce,
|
|
|
|
asOpaque(policyKeys[i]),
|
|
|
|
encodeCrock(masterKey),
|
|
|
|
masterKeyEncSalt,
|
|
|
|
);
|
|
|
|
encMasterKeys.push(encMasterKey as string);
|
|
|
|
}
|
|
|
|
return {
|
|
|
|
encCoreSecret,
|
|
|
|
encMasterKeys,
|
|
|
|
};
|
|
|
|
}
|
2021-10-19 19:54:15 +02:00
|
|
|
|
2021-11-04 16:53:04 +01:00
|
|
|
export async function pinAnswerHash(pin: number): Promise<SecureAnswerHash> {
|
|
|
|
return encodeCrock(hash(stringToBytes(pin.toString())));
|
|
|
|
}
|
|
|
|
|
2021-10-19 19:54:15 +02:00
|
|
|
export async function secureAnswerHash(
|
|
|
|
answer: string,
|
|
|
|
truthUuid: TruthUuid,
|
2021-10-19 20:51:31 +02:00
|
|
|
questionSalt: TruthSalt,
|
2021-10-19 19:54:15 +02:00
|
|
|
): Promise<SecureAnswerHash> {
|
|
|
|
const powResult = await argon2id({
|
|
|
|
hashLength: 64,
|
|
|
|
iterations: 3,
|
|
|
|
memorySize: 1024 /* kibibytes */,
|
|
|
|
parallelism: 1,
|
|
|
|
password: stringToBytes(answer),
|
|
|
|
salt: decodeCrock(questionSalt),
|
|
|
|
outputType: "binary",
|
|
|
|
});
|
|
|
|
const kdfResult = kdfKw({
|
|
|
|
outputLength: 64,
|
|
|
|
salt: decodeCrock(truthUuid),
|
|
|
|
ikm: powResult,
|
|
|
|
info: stringToBytes("anastasis-secure-question-hashing"),
|
|
|
|
});
|
|
|
|
return encodeCrock(kdfResult);
|
|
|
|
}
|