Move to a |version| parameter

Author: martinthomson

nodejs/decrypt-dh.js

@@ -19,9 +19,9 @@ receiver.generateKeys();
 receiver.setPublicKey(base64.decode(process.argv[4]));
 receiver.setPrivateKey(base64.decode(process.argv[3]));
 var keymap = {};
-keymap[''] = receiver;
 
 var params = {
+  type: 'aes128gcm',
   keyid: '',
   authSecret: process.argv[2],
   dh: process.argv[5],
@@ -34,6 +34,7 @@ if (process.argv.length > 7) {
     params[k] = extra[k];
   });
 }
+keymap[params.keyid] = receiver;
 
 console.log("Params: " + JSON.stringify(params, null, 2));
 var result = ece.decrypt(base64.decode(process.argv[6]), params);

nodejs/decrypt.js

@@ -11,6 +11,7 @@ if (process.argv.length < 4) {
 }
 
 var params = {
+  version: 'aes128gcm',
   key: process.argv[2]
 };
 

nodejs/ece.js

@@ -4,27 +4,26 @@
  *
  * === Note about versions ===
  *
- * This code supports multiple versions of the draft:
+ * This code supports multiple versions of the draft.  This is selected using
+ * the |version| parameter.
  *
  * aes128gcm: The most recent version, the salt, record size and key identifier
- *    are included in a header that is part of the encrypted content coding.  In
- *    order to select this version, the |salt| parameter is omitted from calls
- *    to encrypt() and decrypt().  A value for the salt is automatically
- *    generated by this API when encrypting, which avoids errors.
+ *    are included in a header that is part of the encrypted content coding.
  *
- * aesgcm: The version that is widely deployed with WebPush (as of 2016-10).
- *    This version is selected by default if you provide a |salt| parameter and
- *    either omit the |padSize| parameter, or set it to 2.
+ * aesgcm: The version that is widely deployed with WebPush (as of 2016-11).
+ *    This version is selected by default, unless you specify a |padSize| of 1.
  *
  * aesgcm128: This version is old and will be removed in an upcoming release.
- *     Select this version by providing |salt| and a |padSize| of 1.
+ *     This version is selected by providing a |padSize| parameter of 1.
  */
 
 var crypto = require('crypto');
 var base64 = require('urlsafe-base64');
 
-var savedKeys = {};
-var keyLabels = {};
+var saved = {
+  keymap: {},
+  keylabels: {}
+};
 var AES_GCM = 'aes-128-gcm';
 var PAD_SIZE = { 'aes128gcm': 2, 'aesgcm': 2, 'aesgcm128': 1 };
 var TAG_LENGTH = 16;
@@ -44,6 +43,14 @@ if (process.env.ECE_KEYLOG === '1') {
   keylog = function(m, k) { return k; };
 }
 
+/* Optionally base64 decode something. */
+function decode(b) {
+  if (typeof b === 'string') {
+    return base64.decode(b);
+  }
+  return b;
+}
+
 function HMAC_hash(key, input) {
   var hmac = crypto.createHmac('sha256', key);
   hmac.update(input);
@@ -93,29 +100,30 @@ function lengthPrefix(buffer) {
   return b;
 }
 
-function extractDH(keyid, share, mode) {
-  if (!savedKeys[keyid]) {
-    throw new Error('No known DH key for ' + keyid);
+function extractDH(header, mode) {
+  if (!header.keymap[header.keyid]) {
+    throw new Error('No known DH key for ' + header.keyid);
   }
-  if (!keyLabels[keyid]) {
-    throw new Error('No known DH key label for ' + keyid);
+  if (!header.keylabels[header.keyid]) {
+    throw new Error('No known DH key label for ' + header.keyid);
   }
-  var key = savedKeys[keyid];
+  var key = header.keymap[header.keyid];
   var senderPubKey, receiverPubKey;
   if (mode === MODE_ENCRYPT) {
     senderPubKey = key.getPublicKey();
-    receiverPubKey = share;
+    receiverPubKey = header.dh;
   } else if (mode === MODE_DECRYPT) {
-    senderPubKey = share;
+    senderPubKey = header.dh;
     receiverPubKey = key.getPublicKey();
   } else {
     throw new Error('Unknown mode only ' + MODE_ENCRYPT +
                     ' and ' + MODE_DECRYPT + ' supported');
   }
   return {
-    secret: key.computeSecret(share),
+    secret: key.computeSecret(header.dh),
     context: Buffer.concat([
-      keyLabels[keyid],
+      decode(header.keylabels[header.keyid]),
+      Buffer.from([0]),
       lengthPrefix(receiverPubKey),
       lengthPrefix(senderPubKey)
     ])
@@ -130,9 +138,9 @@ function extractSecretAndContext(header, mode) {
       throw new Error('An explicit key must be ' + KEY_LENGTH + ' bytes');
     }
   } else if (header.dh) { // receiver/decrypt
-    result = extractDH(header.keyid, header.dh, mode);
+    result = extractDH(header, mode);
   } else if (header.keyid) {
-    result.secret = savedKeys[header.keyid];
+    result.secret = header.keymap[header.keyid];
   }
   if (!result.secret) {
     throw new Error('Unable to determine key');
@@ -192,29 +200,29 @@ function extractSecret(header, mode) {
 
 function deriveKeyAndNonce(header, mode) {
   if (!header.salt) {
-    throw new Error('must include a salt parameter for ' + header.type);
+    throw new Error('must include a salt parameter for ' + header.version);
   }
   var keyInfo;
   var nonceInfo;
   var secret;
-  if (header.type === 'aesgcm128') {
+  if (header.version === 'aesgcm128') {
     // really old
     keyInfo = 'Content-Encoding: aesgcm128';
     nonceInfo = 'Content-Encoding: nonce';
     secret = extractSecretAndContext(header, mode).secret;
-  } else if (header.type === 'aesgcm') {
+  } else if (header.version === 'aesgcm') {
     // old
     var s = extractSecretAndContext(header, mode);
     keyInfo = info('aesgcm', s.context);
     nonceInfo = info('nonce', s.context);
     secret = s.secret;
-  } else if (header.type === 'aes128gcm') {
+  } else if (header.version === 'aes128gcm') {
     // latest
     keyInfo = Buffer.from('Content-Encoding: aes128gcm\0');
     nonceInfo = Buffer.from('Content-Encoding: nonce\0');
     secret = extractSecret(header, mode);
   } else {
-    throw new Error('Unable to set context for mode ' + params.type);
+    throw new Error('Unable to set context for mode ' + params.version);
   }
   var prk = HKDF_extract(header.salt, secret);
   var result = {
@@ -227,55 +235,47 @@ function deriveKeyAndNonce(header, mode) {
 }
 
 function fillCommonParams(header, params) {
-  if (params.key) {
-    header.key = base64.decode(params.key);
-  }
-  header.keymap = params.keymap;
-  if (params.dh) {
-    header.dh = base64.decode(params.dh);
-  }
-  if (params.authSecret) {
-    header.authSecret = base64.decode(params.authSecret);
-  }
   return header;
 }
 
-/* Used when decrypting aes128gcm to populate the header values. */
-function readHeader(buffer, params) {
-  var idsz = buffer.readUIntBE(20, 1);
-  var header = {
-    type: 'aes128gcm',
-    salt: buffer.slice(0, KEY_LENGTH),
-    rs: buffer.readUIntBE(KEY_LENGTH, 4),
-    keyid: buffer.slice(21, 21 + idsz).toString('utf-8'),
-    headerLength: 21 + idsz
-  };
-  return fillCommonParams(header, params);
-}
-
-/* Used when decrypting to populate the header values for aesgcm[128]. Used also
- * to parse the |param| argument when encrypting. */
+/* Parse command-line arguments. */
 function parseParams(params) {
-  var header = {
-    type: (params.padSize === 1) ? 'aesgcm128' : 'aesgcm',
-    keyid: params.keyid,
-    headerLength: 0
-  };
+  var header = {};
+  if (params.version) {
+    header.version = params.version;
+  } else {
+    header.version = (params.padSize === 1) ? 'aesgcm128' : 'aesgcm';
+  }
+
   header.rs = parseInt(params.rs, 10);
   if (isNaN(header.rs)) {
     header.rs = 4096;
   }
-  if (header.rs <= PAD_SIZE[header.type]) {
+  if (header.rs <= PAD_SIZE[header.version]) {
     throw new Error('The rs parameter has to be greater than ' +
-                    PAD_SIZE[header.type]);
+                    PAD_SIZE[header.version]);
   }
+
   if (params.salt) {
-    header.salt = base64.decode(params.salt);
+    header.salt = decode(params.salt);
     if (header.salt.length !== KEY_LENGTH) {
       throw new Error('The salt parameter must be ' + KEY_LENGTH + ' bytes');
     }
   }
-  return fillCommonParams(header, params);
+  header.keyid = params.keyid;
+  if (params.key) {
+    header.key = decode(params.key);
+  } else {
+    header.keymap = params.keymap || saved.keymap;
+    header.keylabels = params.keylabels || saved.keylabels;
+    if (params.dh) {
+      header.dh = decode(params.dh);
+    }
+  }
+  if (params.authSecret) {
+    header.authSecret = decode(params.authSecret);
+  }
+  return header;
 }
 
 function generateNonce(base, counter) {
@@ -288,6 +288,16 @@ function generateNonce(base, counter) {
   return nonce;
 }
 
+/* Used when decrypting aes128gcm to populate the header values. Modifies the
+ * header values in place and returns the size of the header. */
+function readHeader(buffer, header) {
+  var idsz = buffer.readUIntBE(20, 1);
+  header.salt = buffer.slice(0, KEY_LENGTH);
+  header.rs = buffer.readUIntBE(KEY_LENGTH, 4);
+  header.keyid = buffer.slice(21, 21 + idsz).toString('utf-8');
+  return 21 + idsz;
+}
+
 function decryptRecord(key, counter, buffer, header) {
   keylog('decrypt', buffer);
   var nonce = generateNonce(key.nonce, counter);
@@ -296,11 +306,12 @@ function decryptRecord(key, counter, buffer, header) {
   var data = gcm.update(buffer.slice(0, buffer.length - TAG_LENGTH));
   data = Buffer.concat([data, gcm.final()]);
   keylog('decrypted', data);
-  var padSize = PAD_SIZE[header.type];
+  var padSize = PAD_SIZE[header.version];
   var pad = data.readUIntBE(0, padSize);
   if (pad + padSize > data.length) {
     throw new Error('padding exceeds block size');
   }
+  keylog('padding', data.slice(0, padSize + pad));
   var padCheck = new Buffer(pad);
   padCheck.fill(0);
   if (padCheck.compare(data.slice(padSize, padSize + pad)) !== 0) {
@@ -315,6 +326,11 @@ function decryptRecord(key, counter, buffer, header) {
  * Decrypt some bytes.  This uses the parameters to determine the key and block
  * size, which are described in the draft.  Binary values are base64url encoded.
  *
+ * |params.version| contains the version of encoding to use: aes128gcm is the latest,
+ * but aesgcm and aesgcm128 are also accepted (though the latter two might
+ * disappear in a future release).  If omitted, assume aesgcm, unless
+ * |params.padSize| is set to 1, which means aesgcm128.
+ *
  * If |params.key| is specified, that value is used as the key.
  *
  * If |params.keyid| is specified without |params.dh|, the keyid value is used
@@ -324,14 +340,12 @@ function decryptRecord(key, counter, buffer, header) {
  * pair used to decrypt is looked up using |params.keymap[params.keyid]|.
  */
 function decrypt(buffer, params) {
-  var header;
-  if (params.salt) {
-    header = parseParams(params);
-  } else {
-    header = readHeader(buffer, params);
+  var header = parseParams(params);
+  if (header.version === 'aes128gcm') {
+    var headerLength = readHeader(buffer, header);
+    buffer = buffer.slice(headerLength);
   }
   var key = deriveKeyAndNonce(header, MODE_DECRYPT);
-  buffer = buffer.slice(header.headerLength || 0);
   var start = 0;
   var result = new Buffer(0);
 
@@ -360,6 +374,7 @@ function encryptRecord(key, counter, buffer, pad, padSize) {
   var padding = new Buffer(pad + padSize);
   padding.fill(0);
   padding.writeUIntBE(pad, 0, padSize);
+  keylog('padding', padding);
   var epadding = gcm.update(padding);
   var ebuffer = gcm.update(buffer);
   gcm.final();
@@ -370,9 +385,9 @@ function encryptRecord(key, counter, buffer, pad, padSize) {
   return keylog('encrypted', Buffer.concat([epadding, ebuffer, tag]));
 }
 
-function encodeHeader(header) {
+function writeHeader(header) {
   var ints = new Buffer(5);
-  var keyid = Buffer.from(header.keyid || '');
+  var keyid = Buffer.from(header.keyid || []);
   if (keyid.length > 255) {
     throw new Error('keyid is too large');
   }
@@ -385,6 +400,11 @@ function encodeHeader(header) {
  * Encrypt some bytes.  This uses the parameters to determine the key and block
  * size, which are described in the draft.
  *
+ * |params.version| contains the version of encoding to use: aes128gcm is the latest,
+ * but aesgcm and aesgcm128 are also accepted (though the latter two might
+ * disappear in a future release).  If omitted, assume aesgcm, unless
+ * |params.padSize| is set to 1, which means aesgcm128.
+ *
  * If |params.key| is specified, that value is used as the key.
  *
  * If |params.keyid| is specified without |params.dh|, the keyid value is used
@@ -398,20 +418,22 @@ function encrypt(buffer, params) {
   if (!Buffer.isBuffer(buffer)) {
     throw new Error('buffer argument must be a Buffer');
   }
+  var header = parseParams(params);
+  if (!header.salt) {
+    header.salt = crypto.randomBytes(KEY_LENGTH);
+  }
+
   var result;
-  var header;
-  header = parseParams(params);
-  if (params.salt) { // old versions
-    result = new Buffer(0);
+  if (header.version === 'aes128gcm') {
+    result = writeHeader(header);
   } else {
-    header.type = 'aes128gcm';
-    header.salt = crypto.randomBytes(KEY_LENGTH);
-    result = encodeHeader(header);
+    // No header on other versions
+    result = new Buffer(0);
   }
 
   var key = deriveKeyAndNonce(header, MODE_ENCRYPT);
   var start = 0;
-  var padSize = PAD_SIZE[header.type];
+  var padSize = PAD_SIZE[header.version];
   var pad = isNaN(parseInt(params.pad, 10)) ? 0 : parseInt(params.pad, 10);
 
   // Note the <= here ensures that we write out a padding-only block at the end
@@ -435,19 +457,12 @@ function encrypt(buffer, params) {
 }
 
 /**
- * This function saves a key under the provided identifier.  This is only used
- * by aesgcm and aesgcm128 codings.  For the aes128gcm coding, use the |keymap|
- * parameter to encrypt() and decrypt().
- *
- * This is used to save the keys that are used to decrypt and encrypt blobs that
- * are identified by a 'keyid'.  DH or ECDH keys that are used with the 'dh'
- * parameter need to include a label (included in 'dhLabel') that identifies
- * them.
+ * Deprecated.  Use the keymap and keylabels arguments to encrypt()/decrypt().
  */
 function saveKey(id, key, dhLabel) {
-  savedKeys[id] = key;
+  saved.keymap[id] = key;
   if (dhLabel) {
-    keyLabels[id] = new Buffer(dhLabel + '\0', 'ascii');
+    saved.keylabels[id] = dhLabel;
   }
 }