2015-09-11 17:51:32 +03:00
|
|
|
/* jshint moz: true, esnext: true */
|
|
|
|
/* This Source Code Form is subject to the terms of the Mozilla Public
|
|
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this file,
|
|
|
|
* You can obtain one at http://mozilla.org/MPL/2.0/. */
|
|
|
|
|
|
|
|
'use strict';
|
|
|
|
|
2018-01-30 02:20:18 +03:00
|
|
|
ChromeUtils.import('resource://gre/modules/Services.jsm');
|
|
|
|
ChromeUtils.import('resource://gre/modules/XPCOMUtils.jsm');
|
2016-10-05 18:57:52 +03:00
|
|
|
|
|
|
|
XPCOMUtils.defineLazyGetter(this, 'gDOMBundle', () =>
|
|
|
|
Services.strings.createBundle('chrome://global/locale/dom/dom.properties'));
|
|
|
|
|
2018-05-26 03:02:29 +03:00
|
|
|
XPCOMUtils.defineLazyGlobalGetters(this, ['crypto']);
|
2015-09-11 17:51:32 +03:00
|
|
|
|
2018-02-23 22:50:01 +03:00
|
|
|
var EXPORTED_SYMBOLS = ['PushCrypto', 'concatArray'];
|
2015-09-11 17:51:32 +03:00
|
|
|
|
2015-12-08 23:26:42 +03:00
|
|
|
var UTF8 = new TextEncoder('utf-8');
|
2016-03-18 19:01:50 +03:00
|
|
|
|
2015-12-04 00:24:47 +03:00
|
|
|
var ECDH_KEY = { name: 'ECDH', namedCurve: 'P-256' };
|
2016-03-16 12:53:13 +03:00
|
|
|
var ECDSA_KEY = { name: 'ECDSA', namedCurve: 'P-256' };
|
2017-05-10 20:44:51 +03:00
|
|
|
|
2015-12-04 00:24:47 +03:00
|
|
|
// A default keyid with a name that won't conflict with a real keyid.
|
|
|
|
var DEFAULT_KEYID = '';
|
2015-09-11 17:51:32 +03:00
|
|
|
|
2016-10-05 18:57:52 +03:00
|
|
|
/** Localized error property names. */
|
|
|
|
|
|
|
|
// `Encryption` header missing or malformed.
|
|
|
|
const BAD_ENCRYPTION_HEADER = 'PushMessageBadEncryptionHeader';
|
|
|
|
// `Crypto-Key` or legacy `Encryption-Key` header missing.
|
|
|
|
const BAD_CRYPTO_KEY_HEADER = 'PushMessageBadCryptoKeyHeader';
|
|
|
|
const BAD_ENCRYPTION_KEY_HEADER = 'PushMessageBadEncryptionKeyHeader';
|
|
|
|
// `Content-Encoding` header missing or contains unsupported encoding.
|
|
|
|
const BAD_ENCODING_HEADER = 'PushMessageBadEncodingHeader';
|
|
|
|
// `dh` parameter of `Crypto-Key` header missing or not base64url-encoded.
|
|
|
|
const BAD_DH_PARAM = 'PushMessageBadSenderKey';
|
|
|
|
// `salt` parameter of `Encryption` header missing or not base64url-encoded.
|
|
|
|
const BAD_SALT_PARAM = 'PushMessageBadSalt';
|
|
|
|
// `rs` parameter of `Encryption` header not a number or less than pad size.
|
|
|
|
const BAD_RS_PARAM = 'PushMessageBadRecordSize';
|
|
|
|
// Invalid or insufficient padding for encrypted chunk.
|
|
|
|
const BAD_PADDING = 'PushMessageBadPaddingError';
|
|
|
|
// Generic crypto error.
|
|
|
|
const BAD_CRYPTO = 'PushMessageBadCryptoError';
|
|
|
|
|
|
|
|
class CryptoError extends Error {
|
|
|
|
/**
|
|
|
|
* Creates an error object indicating an incoming push message could not be
|
|
|
|
* decrypted.
|
|
|
|
*
|
|
|
|
* @param {String} message A human-readable error message. This is only for
|
|
|
|
* internal module logging, and doesn't need to be localized.
|
|
|
|
* @param {String} property The localized property name from `dom.properties`.
|
|
|
|
* @param {String...} params Substitutions to insert into the localized
|
|
|
|
* string.
|
|
|
|
*/
|
|
|
|
constructor(message, property, ...params) {
|
|
|
|
super(message);
|
|
|
|
this.isCryptoError = true;
|
|
|
|
this.property = property;
|
|
|
|
this.params = params;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Formats a localized string for reporting decryption errors to the Web
|
|
|
|
* Console.
|
|
|
|
*
|
|
|
|
* @param {String} scope The scope of the service worker receiving the
|
|
|
|
* message, prepended to any other substitutions in the string.
|
|
|
|
* @returns {String} The localized string.
|
|
|
|
*/
|
|
|
|
format(scope) {
|
|
|
|
let params = [scope, ...this.params].map(String);
|
|
|
|
return gDOMBundle.formatStringFromName(this.property, params,
|
|
|
|
params.length);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-12-04 00:24:47 +03:00
|
|
|
function getEncryptionKeyParams(encryptKeyField) {
|
2015-12-08 23:26:42 +03:00
|
|
|
if (!encryptKeyField) {
|
|
|
|
return null;
|
|
|
|
}
|
2015-09-17 15:08:50 +03:00
|
|
|
var params = encryptKeyField.split(',');
|
|
|
|
return params.reduce((m, p) => {
|
|
|
|
var pmap = p.split(';').reduce(parseHeaderFieldParams, {});
|
|
|
|
if (pmap.keyid && pmap.dh) {
|
|
|
|
m[pmap.keyid] = pmap.dh;
|
|
|
|
}
|
2015-12-04 00:24:47 +03:00
|
|
|
if (!m[DEFAULT_KEYID] && pmap.dh) {
|
|
|
|
m[DEFAULT_KEYID] = pmap.dh;
|
|
|
|
}
|
2015-09-17 15:08:50 +03:00
|
|
|
return m;
|
|
|
|
}, {});
|
2015-12-04 00:24:47 +03:00
|
|
|
}
|
2015-09-17 15:08:50 +03:00
|
|
|
|
2015-12-04 00:24:47 +03:00
|
|
|
function getEncryptionParams(encryptField) {
|
2016-10-05 18:57:52 +03:00
|
|
|
if (!encryptField) {
|
|
|
|
throw new CryptoError('Missing encryption header',
|
|
|
|
BAD_ENCRYPTION_HEADER);
|
|
|
|
}
|
2015-09-17 15:08:50 +03:00
|
|
|
var p = encryptField.split(',', 1)[0];
|
|
|
|
if (!p) {
|
2016-10-05 18:57:52 +03:00
|
|
|
throw new CryptoError('Encryption header missing params',
|
|
|
|
BAD_ENCRYPTION_HEADER);
|
2015-09-17 15:08:50 +03:00
|
|
|
}
|
|
|
|
return p.split(';').reduce(parseHeaderFieldParams, {});
|
2015-12-04 00:24:47 +03:00
|
|
|
}
|
|
|
|
|
2017-05-12 08:03:26 +03:00
|
|
|
// Extracts the sender public key, salt, and record size from the payload for the
|
|
|
|
// aes128gcm scheme.
|
|
|
|
function getCryptoParamsFromPayload(payload) {
|
|
|
|
if (payload.byteLength < 21) {
|
|
|
|
throw new CryptoError('Truncated header', BAD_CRYPTO);
|
|
|
|
}
|
|
|
|
let rs = (payload[16] << 24) | (payload[17] << 16) | (payload[18] << 8) | payload[19];
|
|
|
|
let keyIdLen = payload[20];
|
|
|
|
if (keyIdLen != 65) {
|
|
|
|
throw new CryptoError('Invalid sender public key', BAD_DH_PARAM);
|
|
|
|
}
|
|
|
|
if (payload.byteLength <= 21 + keyIdLen) {
|
|
|
|
throw new CryptoError('Truncated payload', BAD_CRYPTO);
|
|
|
|
}
|
|
|
|
return {
|
|
|
|
salt: payload.slice(0, 16),
|
|
|
|
rs: rs,
|
|
|
|
senderKey: payload.slice(21, 21 + keyIdLen),
|
|
|
|
ciphertext: payload.slice(21 + keyIdLen),
|
|
|
|
};
|
|
|
|
}
|
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
// Extracts the sender public key, salt, and record size from the `Crypto-Key`,
|
|
|
|
// `Encryption-Key`, and `Encryption` headers for the aesgcm and aesgcm128
|
|
|
|
// schemes.
|
|
|
|
function getCryptoParamsFromHeaders(headers) {
|
2015-12-04 00:24:47 +03:00
|
|
|
if (!headers) {
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
2016-03-18 19:01:50 +03:00
|
|
|
var keymap;
|
|
|
|
if (headers.encoding == AESGCM_ENCODING) {
|
|
|
|
// aesgcm uses the Crypto-Key header, 2 bytes for the pad length, and an
|
|
|
|
// authentication secret.
|
2016-03-23 05:20:36 +03:00
|
|
|
// https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-01
|
2016-03-18 19:01:50 +03:00
|
|
|
keymap = getEncryptionKeyParams(headers.crypto_key);
|
2016-10-05 18:57:52 +03:00
|
|
|
if (!keymap) {
|
|
|
|
throw new CryptoError('Missing Crypto-Key header',
|
|
|
|
BAD_CRYPTO_KEY_HEADER);
|
|
|
|
}
|
2016-03-18 19:01:50 +03:00
|
|
|
} else if (headers.encoding == AESGCM128_ENCODING) {
|
2016-03-23 05:20:36 +03:00
|
|
|
// aesgcm128 uses Encryption-Key, 1 byte for the pad length, and no secret.
|
|
|
|
// https://tools.ietf.org/html/draft-thomson-http-encryption-02
|
|
|
|
keymap = getEncryptionKeyParams(headers.encryption_key);
|
2016-10-05 18:57:52 +03:00
|
|
|
if (!keymap) {
|
|
|
|
throw new CryptoError('Missing Encryption-Key header',
|
|
|
|
BAD_ENCRYPTION_KEY_HEADER);
|
|
|
|
}
|
2016-03-18 19:01:50 +03:00
|
|
|
}
|
|
|
|
|
2015-12-04 00:24:47 +03:00
|
|
|
var enc = getEncryptionParams(headers.encryption);
|
|
|
|
var dh = keymap[enc.keyid || DEFAULT_KEYID];
|
2017-05-10 20:44:51 +03:00
|
|
|
var senderKey = base64URLDecode(dh);
|
|
|
|
if (!senderKey) {
|
|
|
|
throw new CryptoError('Invalid dh parameter', BAD_DH_PARAM);
|
2016-10-05 18:57:52 +03:00
|
|
|
}
|
2017-05-10 20:44:51 +03:00
|
|
|
|
|
|
|
var salt = base64URLDecode(enc.salt);
|
2016-10-05 18:57:52 +03:00
|
|
|
if (!salt) {
|
2017-05-10 20:44:51 +03:00
|
|
|
throw new CryptoError('Invalid salt parameter', BAD_SALT_PARAM);
|
2016-10-05 18:57:52 +03:00
|
|
|
}
|
|
|
|
var rs = enc.rs ? parseInt(enc.rs, 10) : 4096;
|
|
|
|
if (isNaN(rs)) {
|
|
|
|
throw new CryptoError('rs parameter must be a number', BAD_RS_PARAM);
|
|
|
|
}
|
2017-05-10 20:44:51 +03:00
|
|
|
return {
|
|
|
|
salt: salt,
|
|
|
|
rs: rs,
|
|
|
|
senderKey: senderKey,
|
|
|
|
};
|
2015-12-04 00:24:47 +03:00
|
|
|
}
|
2015-09-17 15:08:50 +03:00
|
|
|
|
2016-10-05 18:57:52 +03:00
|
|
|
// Decodes an unpadded, base64url-encoded string.
|
|
|
|
function base64URLDecode(string) {
|
2017-05-10 20:44:51 +03:00
|
|
|
if (!string) {
|
|
|
|
return null;
|
|
|
|
}
|
2016-10-05 18:57:52 +03:00
|
|
|
try {
|
|
|
|
return ChromeUtils.base64URLDecode(string, {
|
|
|
|
// draft-ietf-httpbis-encryption-encoding-01 prohibits padding.
|
|
|
|
padding: 'reject',
|
|
|
|
});
|
|
|
|
} catch (ex) {}
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
2015-09-17 15:08:50 +03:00
|
|
|
var parseHeaderFieldParams = (m, v) => {
|
|
|
|
var i = v.indexOf('=');
|
|
|
|
if (i >= 0) {
|
|
|
|
// A quoted string with internal quotes is invalid for all the possible
|
|
|
|
// values of this header field.
|
|
|
|
m[v.substring(0, i).trim()] = v.substring(i + 1).trim()
|
2015-12-08 23:26:42 +03:00
|
|
|
.replace(/^"(.*)"$/, '$1');
|
2015-09-17 15:08:50 +03:00
|
|
|
}
|
|
|
|
return m;
|
|
|
|
};
|
|
|
|
|
2015-09-11 17:51:32 +03:00
|
|
|
function chunkArray(array, size) {
|
|
|
|
var start = array.byteOffset || 0;
|
|
|
|
array = array.buffer || array;
|
|
|
|
var index = 0;
|
|
|
|
var result = [];
|
|
|
|
while(index + size <= array.byteLength) {
|
|
|
|
result.push(new Uint8Array(array, start + index, size));
|
|
|
|
index += size;
|
|
|
|
}
|
|
|
|
if (index < array.byteLength) {
|
|
|
|
result.push(new Uint8Array(array, start + index));
|
|
|
|
}
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
2018-02-23 22:50:01 +03:00
|
|
|
var concatArray = function(arrays) {
|
2015-09-11 17:51:32 +03:00
|
|
|
var size = arrays.reduce((total, a) => total + a.byteLength, 0);
|
|
|
|
var index = 0;
|
|
|
|
return arrays.reduce((result, a) => {
|
|
|
|
result.set(new Uint8Array(a), index);
|
|
|
|
index += a.byteLength;
|
|
|
|
return result;
|
|
|
|
}, new Uint8Array(size));
|
|
|
|
};
|
|
|
|
|
|
|
|
var HMAC_SHA256 = { name: 'HMAC', hash: 'SHA-256' };
|
|
|
|
|
|
|
|
function hmac(key) {
|
|
|
|
this.keyPromise = crypto.subtle.importKey('raw', key, HMAC_SHA256,
|
|
|
|
false, ['sign']);
|
|
|
|
}
|
|
|
|
|
|
|
|
hmac.prototype.hash = function(input) {
|
|
|
|
return this.keyPromise.then(k => crypto.subtle.sign('HMAC', k, input));
|
|
|
|
};
|
|
|
|
|
|
|
|
function hkdf(salt, ikm) {
|
|
|
|
this.prkhPromise = new hmac(salt).hash(ikm)
|
|
|
|
.then(prk => new hmac(prk));
|
|
|
|
}
|
|
|
|
|
2015-12-08 23:26:42 +03:00
|
|
|
hkdf.prototype.extract = function(info, len) {
|
2015-09-11 17:51:32 +03:00
|
|
|
var input = concatArray([info, new Uint8Array([1])]);
|
|
|
|
return this.prkhPromise
|
|
|
|
.then(prkh => prkh.hash(input))
|
|
|
|
.then(h => {
|
|
|
|
if (h.byteLength < len) {
|
2016-10-05 18:57:52 +03:00
|
|
|
throw new CryptoError('HKDF length is too long', BAD_CRYPTO);
|
2015-09-11 17:51:32 +03:00
|
|
|
}
|
|
|
|
return h.slice(0, len);
|
|
|
|
});
|
|
|
|
};
|
|
|
|
|
2015-12-08 23:26:42 +03:00
|
|
|
/* generate a 96-bit nonce for use in GCM, 48-bits of which are populated */
|
2015-09-11 17:51:32 +03:00
|
|
|
function generateNonce(base, index) {
|
|
|
|
if (index >= Math.pow(2, 48)) {
|
2016-10-05 18:57:52 +03:00
|
|
|
throw new CryptoError('Nonce index is too large', BAD_CRYPTO);
|
2015-09-11 17:51:32 +03:00
|
|
|
}
|
|
|
|
var nonce = base.slice(0, 12);
|
|
|
|
nonce = new Uint8Array(nonce);
|
|
|
|
for (var i = 0; i < 6; ++i) {
|
|
|
|
nonce[nonce.byteLength - 1 - i] ^= (index / Math.pow(256, i)) & 0xff;
|
|
|
|
}
|
|
|
|
return nonce;
|
|
|
|
}
|
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
function encodeLength(buffer) {
|
|
|
|
return new Uint8Array([0, buffer.byteLength]);
|
|
|
|
}
|
2016-03-16 12:53:13 +03:00
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
var NONCE_INFO = UTF8.encode('Content-Encoding: nonce');
|
2015-09-11 17:51:32 +03:00
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
class Decoder {
|
2016-10-05 18:57:52 +03:00
|
|
|
/**
|
2017-05-10 20:44:51 +03:00
|
|
|
* Creates a decoder for decrypting an incoming push message.
|
2016-10-05 18:57:52 +03:00
|
|
|
*
|
2017-05-10 20:44:51 +03:00
|
|
|
* @param {JsonWebKey} privateKey The static subscription private key.
|
|
|
|
* @param {BufferSource} publicKey The static subscription public key.
|
|
|
|
* @param {BufferSource} authenticationSecret The subscription authentication
|
|
|
|
* secret, or `null` if not used by the scheme.
|
|
|
|
* @param {Object} cryptoParams An object containing the ephemeral sender
|
|
|
|
* public key, salt, and record size.
|
2016-10-05 18:57:52 +03:00
|
|
|
* @param {BufferSource} ciphertext The encrypted message data.
|
|
|
|
*/
|
2017-05-10 20:44:51 +03:00
|
|
|
constructor(privateKey, publicKey, authenticationSecret, cryptoParams,
|
|
|
|
ciphertext) {
|
|
|
|
this.privateKey = privateKey;
|
|
|
|
this.publicKey = publicKey;
|
|
|
|
this.authenticationSecret = authenticationSecret;
|
|
|
|
this.senderKey = cryptoParams.senderKey;
|
|
|
|
this.salt = cryptoParams.salt;
|
|
|
|
this.rs = cryptoParams.rs;
|
|
|
|
this.ciphertext = ciphertext;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Derives the decryption keys and decodes the push message.
|
|
|
|
*
|
|
|
|
* @throws {CryptoError} if decryption fails.
|
|
|
|
* @returns {Uint8Array} The decrypted message data.
|
|
|
|
*/
|
|
|
|
async decode() {
|
|
|
|
if (this.ciphertext.byteLength === 0) {
|
|
|
|
// Zero length messages will be passed as null.
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
try {
|
|
|
|
let ikm = await this.computeSharedSecret();
|
|
|
|
let [gcmBits, nonce] = await this.deriveKeyAndNonce(ikm);
|
|
|
|
let key = await crypto.subtle.importKey('raw', gcmBits, 'AES-GCM', false,
|
|
|
|
['decrypt']);
|
|
|
|
|
|
|
|
let r = await Promise.all(chunkArray(this.ciphertext, this.chunkSize)
|
2017-05-12 08:03:26 +03:00
|
|
|
.map((slice, index, chunks) => this.decodeChunk(slice, index, nonce,
|
|
|
|
key, index >= chunks.length - 1)));
|
2017-05-10 20:44:51 +03:00
|
|
|
|
|
|
|
return concatArray(r);
|
|
|
|
} catch (error) {
|
2016-10-05 18:57:52 +03:00
|
|
|
if (error.isCryptoError) {
|
|
|
|
throw error;
|
|
|
|
}
|
|
|
|
// Web Crypto returns an unhelpful "operation failed for an
|
|
|
|
// operation-specific reason" error if decryption fails. We don't have
|
|
|
|
// context about what went wrong, so we throw a generic error instead.
|
|
|
|
throw new CryptoError('Bad encryption', BAD_CRYPTO);
|
|
|
|
}
|
2017-05-10 20:44:51 +03:00
|
|
|
}
|
2016-03-22 22:09:04 +03:00
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
/**
|
|
|
|
* Computes the ECDH shared secret, used as the input key material for HKDF.
|
|
|
|
*
|
|
|
|
* @throws if the static or ephemeral ECDH keys are invalid.
|
|
|
|
* @returns {ArrayBuffer} The shared secret.
|
|
|
|
*/
|
|
|
|
async computeSharedSecret() {
|
|
|
|
let [appServerKey, subscriptionPrivateKey] = await Promise.all([
|
|
|
|
crypto.subtle.importKey('raw', this.senderKey, ECDH_KEY,
|
2015-12-04 00:24:47 +03:00
|
|
|
false, ['deriveBits']),
|
2017-05-10 20:44:51 +03:00
|
|
|
crypto.subtle.importKey('jwk', this.privateKey, ECDH_KEY,
|
2015-12-04 00:24:47 +03:00
|
|
|
false, ['deriveBits'])
|
2017-05-10 20:44:51 +03:00
|
|
|
]);
|
|
|
|
return crypto.subtle.deriveBits({ name: 'ECDH', public: appServerKey },
|
|
|
|
subscriptionPrivateKey, 256);
|
|
|
|
}
|
2015-12-08 23:26:42 +03:00
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
/**
|
|
|
|
* Derives the content encryption key and nonce.
|
|
|
|
*
|
|
|
|
* @param {BufferSource} ikm The ECDH shared secret.
|
|
|
|
* @returns {Array} A `[gcmBits, nonce]` tuple.
|
|
|
|
*/
|
|
|
|
async deriveKeyAndNonce(ikm) {
|
|
|
|
throw new Error('Missing `deriveKeyAndNonce` implementation');
|
|
|
|
}
|
2015-12-08 23:26:42 +03:00
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
/**
|
|
|
|
* Decrypts and removes padding from an encrypted record.
|
|
|
|
*
|
|
|
|
* @throws {CryptoError} if decryption fails or padding is incorrect.
|
|
|
|
* @param {Uint8Array} slice The encrypted record.
|
|
|
|
* @param {Number} index The record sequence number.
|
|
|
|
* @param {Uint8Array} nonce The nonce base, used to generate the IV.
|
|
|
|
* @param {Uint8Array} key The content encryption key.
|
|
|
|
* @param {Boolean} last Indicates if this is the final record.
|
|
|
|
* @returns {Uint8Array} The decrypted block with padding removed.
|
|
|
|
*/
|
2017-05-12 08:03:26 +03:00
|
|
|
async decodeChunk(slice, index, nonce, key, last) {
|
2015-12-08 23:26:42 +03:00
|
|
|
let params = {
|
|
|
|
name: 'AES-GCM',
|
2017-05-10 20:44:51 +03:00
|
|
|
iv: generateNonce(nonce, index)
|
2015-12-08 23:26:42 +03:00
|
|
|
};
|
2017-05-10 20:44:51 +03:00
|
|
|
let decoded = await crypto.subtle.decrypt(params, key, slice);
|
2017-05-12 08:03:26 +03:00
|
|
|
return this.unpadChunk(new Uint8Array(decoded), last);
|
2017-05-10 20:44:51 +03:00
|
|
|
}
|
2016-03-18 19:01:50 +03:00
|
|
|
|
|
|
|
/**
|
2017-05-10 20:44:51 +03:00
|
|
|
* Removes padding from a decrypted block.
|
2016-03-18 19:01:50 +03:00
|
|
|
*
|
2017-05-10 20:44:51 +03:00
|
|
|
* @throws {CryptoError} if padding is missing or invalid.
|
|
|
|
* @param {Uint8Array} chunk The decrypted block with padding.
|
|
|
|
* @returns {Uint8Array} The block with padding removed.
|
2016-03-18 19:01:50 +03:00
|
|
|
*/
|
2017-05-10 20:44:51 +03:00
|
|
|
unpadChunk(chunk, last) {
|
|
|
|
throw new Error('Missing `unpadChunk` implementation');
|
|
|
|
}
|
|
|
|
|
|
|
|
/** The record chunking size. */
|
|
|
|
get chunkSize() {
|
|
|
|
throw new Error('Missing `chunkSize` implementation');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
class OldSchemeDecoder extends Decoder {
|
|
|
|
async decode() {
|
|
|
|
// For aesgcm and aesgcm128, the ciphertext length can't fall on a record
|
|
|
|
// boundary.
|
|
|
|
if (this.ciphertext.byteLength > 0 &&
|
|
|
|
this.ciphertext.byteLength % this.chunkSize === 0) {
|
|
|
|
throw new CryptoError('Encrypted data truncated', BAD_CRYPTO);
|
2016-03-18 19:01:50 +03:00
|
|
|
}
|
2017-05-10 20:44:51 +03:00
|
|
|
return super.decode();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* For aesgcm, the padding length is a 16-bit unsigned big endian integer.
|
|
|
|
* For aesgcm128, the padding is an 8-bit integer.
|
|
|
|
*/
|
|
|
|
unpadChunk(decoded) {
|
|
|
|
if (decoded.length < this.padSize) {
|
2016-10-07 21:48:58 +03:00
|
|
|
throw new CryptoError('Decoded array is too short!', BAD_PADDING);
|
2016-03-18 19:01:50 +03:00
|
|
|
}
|
2017-05-10 20:44:51 +03:00
|
|
|
var pad = decoded[0]
|
|
|
|
if (this.padSize == 2) {
|
2016-03-18 19:01:50 +03:00
|
|
|
pad = (pad << 8) | decoded[1];
|
|
|
|
}
|
2017-05-10 20:44:51 +03:00
|
|
|
if (pad > decoded.length - this.padSize) {
|
2016-10-07 21:48:58 +03:00
|
|
|
throw new CryptoError('Padding is wrong!', BAD_PADDING);
|
2016-03-18 19:01:50 +03:00
|
|
|
}
|
|
|
|
// All padded bytes must be zero except the first one.
|
2017-05-10 20:44:51 +03:00
|
|
|
for (var i = this.padSize; i < this.padSize + pad; i++) {
|
2016-03-18 19:01:50 +03:00
|
|
|
if (decoded[i] !== 0) {
|
2016-10-07 21:48:58 +03:00
|
|
|
throw new CryptoError('Padding is wrong!', BAD_PADDING);
|
2016-03-18 19:01:50 +03:00
|
|
|
}
|
|
|
|
}
|
2017-05-10 20:44:51 +03:00
|
|
|
return decoded.slice(pad + this.padSize);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* aesgcm and aesgcm128 don't account for the authentication tag as part of
|
|
|
|
* the record size.
|
|
|
|
*/
|
|
|
|
get chunkSize() {
|
|
|
|
return this.rs + 16;
|
|
|
|
}
|
|
|
|
|
|
|
|
get padSize() {
|
|
|
|
throw new Error('Missing `padSize` implementation');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-05-12 08:03:26 +03:00
|
|
|
/** New encryption scheme (draft-ietf-httpbis-encryption-encoding-06). */
|
|
|
|
|
|
|
|
var AES128GCM_ENCODING = 'aes128gcm';
|
|
|
|
var AES128GCM_KEY_INFO = UTF8.encode('Content-Encoding: aes128gcm\0');
|
|
|
|
var AES128GCM_AUTH_INFO = UTF8.encode('WebPush: info\0');
|
2018-02-20 04:01:08 +03:00
|
|
|
var AES128GCM_NONCE_INFO = UTF8.encode('Content-Encoding: nonce\0');
|
2017-05-12 08:03:26 +03:00
|
|
|
|
|
|
|
class aes128gcmDecoder extends Decoder {
|
|
|
|
/**
|
|
|
|
* Derives the aes128gcm decryption key and nonce. The PRK info string for
|
|
|
|
* HKDF is "WebPush: info\0", followed by the unprefixed receiver and sender
|
|
|
|
* public keys.
|
|
|
|
*/
|
|
|
|
async deriveKeyAndNonce(ikm) {
|
|
|
|
let authKdf = new hkdf(this.authenticationSecret, ikm);
|
|
|
|
let authInfo = concatArray([
|
|
|
|
AES128GCM_AUTH_INFO,
|
|
|
|
this.publicKey,
|
|
|
|
this.senderKey
|
|
|
|
]);
|
|
|
|
let prk = await authKdf.extract(authInfo, 32);
|
|
|
|
let prkKdf = new hkdf(this.salt, prk);
|
|
|
|
return Promise.all([
|
|
|
|
prkKdf.extract(AES128GCM_KEY_INFO, 16),
|
2018-02-20 04:01:08 +03:00
|
|
|
prkKdf.extract(AES128GCM_NONCE_INFO, 12)
|
2017-05-12 08:03:26 +03:00
|
|
|
]);
|
|
|
|
}
|
|
|
|
|
|
|
|
unpadChunk(decoded, last) {
|
|
|
|
let length = decoded.length;
|
|
|
|
while (length--) {
|
|
|
|
if (decoded[length] === 0) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
let recordPad = last ? 2 : 1;
|
|
|
|
if (decoded[length] != recordPad) {
|
|
|
|
throw new CryptoError('Padding is wrong!', BAD_PADDING);
|
|
|
|
}
|
|
|
|
return decoded.slice(0, length);
|
|
|
|
}
|
|
|
|
throw new CryptoError('Zero plaintext', BAD_PADDING);
|
|
|
|
}
|
|
|
|
|
|
|
|
/** aes128gcm accounts for the authentication tag in the record size. */
|
|
|
|
get chunkSize() {
|
|
|
|
return this.rs;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
/** Older encryption scheme (draft-ietf-httpbis-encryption-encoding-01). */
|
|
|
|
|
|
|
|
var AESGCM_ENCODING = 'aesgcm';
|
|
|
|
var AESGCM_KEY_INFO = UTF8.encode('Content-Encoding: aesgcm\0');
|
|
|
|
var AESGCM_AUTH_INFO = UTF8.encode('Content-Encoding: auth\0'); // note nul-terminus
|
|
|
|
var AESGCM_P256DH_INFO = UTF8.encode('P-256\0');
|
|
|
|
|
|
|
|
class aesgcmDecoder extends OldSchemeDecoder {
|
|
|
|
/**
|
|
|
|
* Derives the aesgcm decryption key and nonce. We mix the authentication
|
|
|
|
* secret with the ikm using HKDF. The context string for the PRK is
|
|
|
|
* "Content-Encoding: auth\0". The context string for the key and nonce is
|
|
|
|
* "Content-Encoding: <blah>\0P-256\0" then the length and value of both the
|
|
|
|
* receiver key and sender key.
|
|
|
|
*/
|
|
|
|
async deriveKeyAndNonce(ikm) {
|
|
|
|
// Since we are using an authentication secret, we need to run an extra
|
|
|
|
// round of HKDF with the authentication secret as salt.
|
|
|
|
let authKdf = new hkdf(this.authenticationSecret, ikm);
|
|
|
|
let prk = await authKdf.extract(AESGCM_AUTH_INFO, 32);
|
|
|
|
let prkKdf = new hkdf(this.salt, prk);
|
|
|
|
let keyInfo = concatArray([
|
|
|
|
AESGCM_KEY_INFO, AESGCM_P256DH_INFO,
|
|
|
|
encodeLength(this.publicKey), this.publicKey,
|
|
|
|
encodeLength(this.senderKey), this.senderKey
|
|
|
|
]);
|
|
|
|
let nonceInfo = concatArray([
|
|
|
|
NONCE_INFO, new Uint8Array([0]), AESGCM_P256DH_INFO,
|
|
|
|
encodeLength(this.publicKey), this.publicKey,
|
|
|
|
encodeLength(this.senderKey), this.senderKey
|
|
|
|
]);
|
|
|
|
return Promise.all([
|
|
|
|
prkKdf.extract(keyInfo, 16),
|
|
|
|
prkKdf.extract(nonceInfo, 12)
|
|
|
|
]);
|
|
|
|
}
|
|
|
|
|
|
|
|
get padSize() {
|
|
|
|
return 2;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Oldest encryption scheme (draft-thomson-http-encryption-02). */
|
|
|
|
|
|
|
|
var AESGCM128_ENCODING = 'aesgcm128';
|
|
|
|
var AESGCM128_KEY_INFO = UTF8.encode('Content-Encoding: aesgcm128');
|
|
|
|
|
|
|
|
class aesgcm128Decoder extends OldSchemeDecoder {
|
|
|
|
constructor(privateKey, publicKey, cryptoParams, ciphertext) {
|
|
|
|
super(privateKey, publicKey, null, cryptoParams, ciphertext);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* The aesgcm128 scheme ignores the authentication secret, and uses
|
|
|
|
* "Content-Encoding: <blah>" for the context string. It should eventually
|
|
|
|
* be removed: bug 1230038.
|
|
|
|
*/
|
|
|
|
deriveKeyAndNonce(ikm) {
|
|
|
|
let prkKdf = new hkdf(this.salt, ikm);
|
|
|
|
return Promise.all([
|
|
|
|
prkKdf.extract(AESGCM128_KEY_INFO, 16),
|
|
|
|
prkKdf.extract(NONCE_INFO, 12)
|
|
|
|
]);
|
|
|
|
}
|
|
|
|
|
|
|
|
get padSize() {
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-02-23 22:50:01 +03:00
|
|
|
var PushCrypto = {
|
2017-05-10 20:44:51 +03:00
|
|
|
|
|
|
|
generateAuthenticationSecret() {
|
|
|
|
return crypto.getRandomValues(new Uint8Array(16));
|
|
|
|
},
|
|
|
|
|
|
|
|
validateAppServerKey(key) {
|
|
|
|
return crypto.subtle.importKey('raw', key, ECDSA_KEY,
|
|
|
|
true, ['verify'])
|
|
|
|
.then(_ => key);
|
|
|
|
},
|
|
|
|
|
|
|
|
generateKeys() {
|
|
|
|
return crypto.subtle.generateKey(ECDH_KEY, true, ['deriveBits'])
|
|
|
|
.then(cryptoKey =>
|
|
|
|
Promise.all([
|
|
|
|
crypto.subtle.exportKey('raw', cryptoKey.publicKey),
|
|
|
|
crypto.subtle.exportKey('jwk', cryptoKey.privateKey)
|
|
|
|
]));
|
|
|
|
},
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Decrypts a push message.
|
|
|
|
*
|
|
|
|
* @throws {CryptoError} if decryption fails.
|
|
|
|
* @param {JsonWebKey} privateKey The ECDH private key of the subscription
|
|
|
|
* receiving the message, in JWK form.
|
|
|
|
* @param {BufferSource} publicKey The ECDH public key of the subscription
|
|
|
|
* receiving the message, in raw form.
|
|
|
|
* @param {BufferSource} authenticationSecret The 16-byte shared
|
|
|
|
* authentication secret of the subscription receiving the message.
|
|
|
|
* @param {Object} headers The encryption headers from the push server.
|
2017-05-12 08:03:26 +03:00
|
|
|
* @param {BufferSource} payload The encrypted message payload.
|
2017-05-10 20:44:51 +03:00
|
|
|
* @returns {Uint8Array} The decrypted message data.
|
|
|
|
*/
|
2017-05-12 08:03:26 +03:00
|
|
|
async decrypt(privateKey, publicKey, authenticationSecret, headers, payload) {
|
|
|
|
if (!headers) {
|
2017-05-10 20:44:51 +03:00
|
|
|
return null;
|
|
|
|
}
|
2017-05-12 08:03:26 +03:00
|
|
|
|
|
|
|
let encoding = headers.encoding;
|
|
|
|
if (!headers.encoding) {
|
|
|
|
throw new CryptoError('Missing Content-Encoding header',
|
|
|
|
BAD_ENCODING_HEADER);
|
|
|
|
}
|
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
let decoder;
|
2017-05-12 08:03:26 +03:00
|
|
|
if (encoding == AES128GCM_ENCODING) {
|
|
|
|
// aes128gcm includes the salt, record size, and sender public key in a
|
|
|
|
// binary header preceding the ciphertext.
|
|
|
|
let cryptoParams = getCryptoParamsFromPayload(new Uint8Array(payload));
|
|
|
|
decoder = new aes128gcmDecoder(privateKey, publicKey,
|
|
|
|
authenticationSecret, cryptoParams,
|
|
|
|
cryptoParams.ciphertext);
|
|
|
|
} else if (encoding == AESGCM128_ENCODING || encoding == AESGCM_ENCODING) {
|
|
|
|
// aesgcm and aesgcm128 include the salt, record size, and sender public
|
|
|
|
// key in the `Crypto-Key` and `Encryption` HTTP headers.
|
|
|
|
let cryptoParams = getCryptoParamsFromHeaders(headers);
|
|
|
|
if (headers.encoding == AESGCM_ENCODING) {
|
|
|
|
decoder = new aesgcmDecoder(privateKey, publicKey, authenticationSecret,
|
|
|
|
cryptoParams, payload);
|
|
|
|
} else {
|
|
|
|
decoder = new aesgcm128Decoder(privateKey, publicKey, cryptoParams,
|
|
|
|
payload);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!decoder) {
|
|
|
|
throw new CryptoError('Unsupported Content-Encoding: ' + encoding,
|
|
|
|
BAD_ENCODING_HEADER);
|
2017-05-10 20:44:51 +03:00
|
|
|
}
|
2017-05-12 08:03:26 +03:00
|
|
|
|
2017-05-10 20:44:51 +03:00
|
|
|
return decoder.decode();
|
2016-03-18 19:01:50 +03:00
|
|
|
},
|
2018-02-20 04:01:08 +03:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Encrypts a payload suitable for using in a push message. The encryption
|
|
|
|
* is always done with a record size of 4096 and no padding.
|
|
|
|
*
|
|
|
|
* @throws {CryptoError} if encryption fails.
|
|
|
|
* @param {plaintext} Uint8Array The plaintext to encrypt.
|
|
|
|
* @param {receiverPublicKey} Uint8Array The public key of the recipient
|
|
|
|
* of the message as a buffer.
|
|
|
|
* @param {receiverAuthSecret} Uint8Array The auth secret of the of the
|
|
|
|
* message recipient as a buffer.
|
|
|
|
* @param {options} Object Encryption options, used for tests.
|
|
|
|
* @returns {ciphertext, encoding} The encrypted payload and encoding.
|
|
|
|
*/
|
|
|
|
async encrypt(plaintext, receiverPublicKey, receiverAuthSecret, options={}) {
|
|
|
|
const encoding = options.encoding || AES128GCM_ENCODING;
|
|
|
|
// We only support one encoding type.
|
|
|
|
if (encoding != AES128GCM_ENCODING) {
|
|
|
|
throw new CryptoError(`Only ${AES128GCM_ENCODING} is supported`,
|
|
|
|
BAD_ENCODING_HEADER);
|
|
|
|
}
|
|
|
|
// We typically use an ephemeral key for this message, but for testing
|
|
|
|
// purposes we allow it to be specified.
|
|
|
|
const senderKeyPair = options.senderKeyPair ||
|
|
|
|
await crypto.subtle.generateKey(ECDH_KEY, true, ["deriveBits"]);
|
|
|
|
// allowing a salt to be specified is useful for tests.
|
|
|
|
const salt = options.salt || crypto.getRandomValues(new Uint8Array(16));
|
|
|
|
const rs = options.rs === undefined ? 4096 : options.rs;
|
|
|
|
|
|
|
|
const encoder = new aes128gcmEncoder(plaintext, receiverPublicKey,
|
|
|
|
receiverAuthSecret, senderKeyPair,
|
|
|
|
salt, rs);
|
|
|
|
return encoder.encode();
|
|
|
|
},
|
2015-09-11 17:51:32 +03:00
|
|
|
};
|
2018-02-20 04:01:08 +03:00
|
|
|
|
|
|
|
// A class for aes128gcm encryption - the only kind we support.
|
|
|
|
class aes128gcmEncoder {
|
|
|
|
constructor(plaintext ,receiverPublicKey, receiverAuthSecret, senderKeyPair, salt, rs) {
|
|
|
|
this.receiverPublicKey = receiverPublicKey;
|
|
|
|
this.receiverAuthSecret = receiverAuthSecret;
|
|
|
|
this.senderKeyPair = senderKeyPair;
|
|
|
|
this.salt = salt;
|
|
|
|
this.rs = rs;
|
|
|
|
this.plaintext = plaintext;
|
|
|
|
}
|
|
|
|
|
|
|
|
async encode() {
|
|
|
|
const sharedSecret = await this.computeSharedSecret(this.receiverPublicKey,
|
|
|
|
this.senderKeyPair.privateKey);
|
|
|
|
|
|
|
|
const rawSenderPublicKey = await crypto.subtle.exportKey("raw", this.senderKeyPair.publicKey);
|
|
|
|
const [gcmBits, nonce] = await this.deriveKeyAndNonce(sharedSecret,
|
|
|
|
rawSenderPublicKey)
|
|
|
|
|
|
|
|
const contentEncryptionKey = await crypto.subtle.importKey("raw", gcmBits,
|
|
|
|
"AES-GCM", false,
|
|
|
|
["encrypt"]);
|
|
|
|
const payloadHeader = this.createHeader(rawSenderPublicKey);
|
|
|
|
|
|
|
|
const ciphertextChunks = await this.encrypt(contentEncryptionKey, nonce);
|
|
|
|
return {ciphertext: concatArray([payloadHeader, ...ciphertextChunks]),
|
|
|
|
encoding: "aes128gcm"};
|
|
|
|
}
|
|
|
|
|
|
|
|
// Perform the actual encryption of the payload.
|
|
|
|
async encrypt(key, nonce) {
|
|
|
|
if (this.rs < 18) {
|
|
|
|
throw new CryptoError("recordsize is too small", BAD_RS_PARAM);
|
|
|
|
}
|
|
|
|
|
|
|
|
let chunks;
|
|
|
|
if (this.plaintext.byteLength === 0) {
|
|
|
|
// Send an authentication tag for empty messages.
|
|
|
|
chunks = [await crypto.subtle.encrypt({
|
|
|
|
name: "AES-GCM",
|
|
|
|
iv: generateNonce(nonce, 0)
|
|
|
|
}, key, new Uint8Array([2]))];
|
|
|
|
} else {
|
|
|
|
// Use specified recordsize, though we burn 1 for padding and 16 byte
|
|
|
|
// overhead.
|
|
|
|
let inChunks = chunkArray(this.plaintext, this.rs - 1 - 16);
|
|
|
|
chunks = await Promise.all(inChunks.map(async function (slice, index) {
|
|
|
|
let isLast = index == inChunks.length - 1;
|
|
|
|
let padding = new Uint8Array([isLast ? 2 : 1]);
|
|
|
|
let input = concatArray([slice, padding]);
|
|
|
|
return await crypto.subtle.encrypt({
|
|
|
|
name: "AES-GCM",
|
|
|
|
iv: generateNonce(nonce, index),
|
|
|
|
}, key, input);
|
|
|
|
}));
|
|
|
|
}
|
|
|
|
return chunks;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Note: this is a dupe of aes128gcmDecoder.deriveKeyAndNonce, but tricky
|
|
|
|
// to rationalize without a larger refactor.
|
|
|
|
async deriveKeyAndNonce(sharedSecret, senderPublicKey) {
|
|
|
|
const authKdf = new hkdf(this.receiverAuthSecret, sharedSecret);
|
|
|
|
const authInfo = concatArray([AES128GCM_AUTH_INFO,
|
|
|
|
this.receiverPublicKey,
|
|
|
|
senderPublicKey]);
|
|
|
|
const prk = await authKdf.extract(authInfo, 32);
|
|
|
|
const prkKdf = new hkdf(this.salt, prk);
|
|
|
|
return Promise.all([
|
|
|
|
prkKdf.extract(AES128GCM_KEY_INFO, 16),
|
|
|
|
prkKdf.extract(AES128GCM_NONCE_INFO, 12),
|
|
|
|
]);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Note: this duplicates some of Decoder.computeSharedSecret, but the key
|
|
|
|
// management is slightly different.
|
|
|
|
async computeSharedSecret(receiverPublicKey, senderPrivateKey) {
|
|
|
|
const receiverPublicCryptoKey = await crypto.subtle.importKey("raw", receiverPublicKey,
|
|
|
|
ECDH_KEY, false, ["deriveBits"]);
|
|
|
|
|
|
|
|
return crypto.subtle.deriveBits({name: "ECDH", public: receiverPublicCryptoKey},
|
|
|
|
senderPrivateKey, 256);
|
|
|
|
}
|
|
|
|
|
|
|
|
// create aes128gcm's header.
|
|
|
|
createHeader(key) {
|
|
|
|
// layout is "salt|32-bit-int|8-bit-int|key"
|
|
|
|
if (key.byteLength != 65) {
|
|
|
|
throw new CryptoError("Invalid key length for header", BAD_DH_PARAM);
|
|
|
|
}
|
|
|
|
// the 2 ints
|
|
|
|
let ints = new Uint8Array(5);
|
|
|
|
let intsv = new DataView(ints.buffer);
|
|
|
|
intsv.setUint32(0, this.rs); // bigendian
|
|
|
|
intsv.setUint8(4, key.byteLength);
|
|
|
|
return concatArray([this.salt, ints, key]);
|
|
|
|
}
|
|
|
|
}
|