@freesignal/protocol 0.1.0 → 0.1.5

package/x3dh.d.ts

@@ -17,58 +17,28 @@
  * along with this program.  If not, see <https://www.gnu.org/licenses/>
  */
 import crypto from "./crypto";
-type BoxKeyPair = crypto.KeyPair;
-type SignKeyPair = crypto.KeyPair;
-type ExportedX3DH = [
-    SignKeyPair,
-    [
-        Array<[string, BoxKeyPair]>,
-        Array<[string, BoxKeyPair]>
-    ]
-];
-interface SynMessage {
-    readonly version: number;
-    readonly PK: string;
-    readonly IK: string;
-    readonly SPK: string;
-    readonly SPKsign: string;
-    readonly OPK: string;
-}
-interface AckMessage {
-    readonly version: number;
-    readonly PK: string;
-    readonly IK: string;
-    readonly EK: string;
-    readonly SPKhash: string;
-    readonly OPKhash: string;
-    readonly AD: string;
-}
-export interface Bundle {
-    readonly version: number;
-    readonly PK: string;
-    readonly IK: string;
-    readonly SPK: string;
-    readonly SPKsign: string;
-    readonly OPK: string[];
-}
-export declare class X3DH {
+import { KeyExchangeData, KeyExchangeDataBundle, KeyExchangeSynMessage, LocalStorage } from "./types";
+import { KeySession } from "./double-ratchet";
+export declare class KeyExchange {
     static readonly version = 1;
     private static readonly hkdfInfo;
     private static readonly maxOPK;
-    private readonly PK;
-    private readonly IK;
+    private readonly _signatureKey;
+    private readonly _identityKey;
     private readonly bundleStore;
-    constructor(signKeyPair: SignKeyPair, instance?: [Iterable<[string, BoxKeyPair]>, Iterable<[string, BoxKeyPair]>]);
+    constructor(signSecretKey: Uint8Array, boxSecretKey: Uint8Array, bundleStore?: LocalStorage<string, crypto.KeyPair>);
+    get signatureKey(): Uint8Array;
+    get identityKey(): Uint8Array;
     private generateSPK;
     private generateOPK;
-    generateBundle(length?: number): Bundle;
-    generateSyn(): SynMessage;
-    digestSyn(message: SynMessage, encrypter?: (msg: Uint8Array, key: Uint8Array) => Uint8Array): {
-        rootKey: Uint8Array;
-        ackMessage: AckMessage;
+    generateBundle(length?: number): KeyExchangeDataBundle;
+    generateData(): KeyExchangeData;
+    digestData(message: KeyExchangeData): {
+        session: KeySession;
+        message: KeyExchangeSynMessage;
+    };
+    digestMessage(message: KeyExchangeSynMessage): {
+        session: KeySession;
+        cleartext: Uint8Array;
     };
-    digestAck(message: AckMessage, verifier?: (ciphertext: Uint8Array, key: Uint8Array) => boolean): Uint8Array | undefined;
-    export(): ExportedX3DH;
-    static import(input: ExportedX3DH): X3DH;
 }
-export {};

package/x3dh.js

@@ -21,116 +21,112 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.X3DH = void 0;
+exports.KeyExchange = void 0;
 const crypto_1 = __importDefault(require("./crypto"));
 const double_ratchet_1 = require("./double-ratchet");
 const utils_1 = require("./utils");
-class X3DH {
-    constructor(signKeyPair, instance) {
-        this.PK = signKeyPair;
-        this.IK = crypto_1.default.ECDH.keyPair(crypto_1.default.hash(signKeyPair.secretKey));
-        this.bundleStore = {
-            SPK: new Map(instance ? instance[0] : []),
-            OPK: new Map(instance ? instance[1] : [])
-        };
+class KeyExchange {
+    constructor(signSecretKey, boxSecretKey, bundleStore) {
+        this._signatureKey = crypto_1.default.EdDSA.keyPair(signSecretKey);
+        this._identityKey = crypto_1.default.ECDH.keyPair(boxSecretKey);
+        this.bundleStore = bundleStore !== null && bundleStore !== void 0 ? bundleStore : new Map();
     }
+    get signatureKey() { return this._signatureKey.publicKey; }
+    get identityKey() { return this._identityKey.publicKey; }
     generateSPK() {
-        const SPK = crypto_1.default.ECDH.keyPair();
-        const SPKhash = crypto_1.default.hash(SPK.publicKey);
-        this.bundleStore.SPK.set((0, utils_1.encodeBase64)(SPKhash), SPK);
-        return { SPK, SPKhash };
+        const signedPreKey = crypto_1.default.ECDH.keyPair();
+        const signedPreKeyHash = crypto_1.default.hash(signedPreKey.publicKey);
+        this.bundleStore.set((0, utils_1.encodeBase64)(signedPreKeyHash), signedPreKey);
+        return { signedPreKey, signedPreKeyHash };
     }
     generateOPK(spkHash) {
-        const OPK = crypto_1.default.ECDH.keyPair();
-        const OPKhash = crypto_1.default.hash(OPK.publicKey);
-        this.bundleStore.OPK.set((0, utils_1.encodeBase64)(spkHash).concat((0, utils_1.encodeBase64)(OPKhash)), OPK);
-        return { OPK, OPKhash };
+        const onetimePreKey = crypto_1.default.ECDH.keyPair();
+        const onetimePreKeyHash = crypto_1.default.hash(onetimePreKey.publicKey);
+        this.bundleStore.set((0, utils_1.encodeBase64)(spkHash).concat((0, utils_1.encodeBase64)(onetimePreKeyHash)), onetimePreKey);
+        return { onetimePreKey, onetimePreKeyHash };
     }
     generateBundle(length) {
-        const { SPK, SPKhash } = this.generateSPK();
-        const OPK = new Array(length !== null && length !== void 0 ? length : X3DH.maxOPK).fill(0).map(() => this.generateOPK(SPKhash).OPK);
+        const { signedPreKey, signedPreKeyHash } = this.generateSPK();
+        const onetimePreKey = new Array(length !== null && length !== void 0 ? length : KeyExchange.maxOPK).fill(0).map(() => this.generateOPK(signedPreKeyHash).onetimePreKey);
         return {
-            version: X3DH.version,
-            PK: (0, utils_1.encodeBase64)(this.PK.publicKey),
-            IK: (0, utils_1.encodeBase64)(this.IK.publicKey),
-            SPK: (0, utils_1.encodeBase64)(SPK.publicKey),
-            SPKsign: (0, utils_1.encodeBase64)(crypto_1.default.EdDSA.sign((0, utils_1.concatUint8Array)(crypto_1.default.hash(this.IK.publicKey), SPKhash), this.PK.secretKey)),
-            OPK: OPK.map(opk => (0, utils_1.encodeBase64)(opk.publicKey))
+            version: KeyExchange.version,
+            publicKey: (0, utils_1.encodeBase64)(this._signatureKey.publicKey),
+            identityKey: (0, utils_1.encodeBase64)(this._identityKey.publicKey),
+            signedPreKey: (0, utils_1.encodeBase64)(signedPreKey.publicKey),
+            signature: (0, utils_1.encodeBase64)(crypto_1.default.EdDSA.sign(signedPreKeyHash, this._signatureKey.secretKey)),
+            onetimePreKey: onetimePreKey.map(opk => (0, utils_1.encodeBase64)(opk.publicKey))
         };
     }
-    generateSyn() {
-        const { SPK, SPKhash } = this.generateSPK();
-        const { OPK } = this.generateOPK(SPKhash);
+    generateData() {
+        const { signedPreKey, signedPreKeyHash } = this.generateSPK();
+        const { onetimePreKey } = this.generateOPK(signedPreKeyHash);
         return {
-            version: X3DH.version,
-            PK: (0, utils_1.encodeBase64)(this.PK.publicKey),
-            IK: (0, utils_1.encodeBase64)(this.IK.publicKey),
-            SPK: (0, utils_1.encodeBase64)(SPK.publicKey),
-            SPKsign: (0, utils_1.encodeBase64)(crypto_1.default.EdDSA.sign((0, utils_1.concatUint8Array)(crypto_1.default.hash(this.IK.publicKey), SPKhash), this.PK.secretKey)),
-            OPK: (0, utils_1.encodeBase64)(OPK.publicKey)
+            version: KeyExchange.version,
+            publicKey: (0, utils_1.encodeBase64)(this._signatureKey.publicKey),
+            identityKey: (0, utils_1.encodeBase64)(this._identityKey.publicKey),
+            signedPreKey: (0, utils_1.encodeBase64)(signedPreKey.publicKey),
+            signature: (0, utils_1.encodeBase64)(crypto_1.default.EdDSA.sign(signedPreKeyHash, this._signatureKey.secretKey)),
+            onetimePreKey: (0, utils_1.encodeBase64)(onetimePreKey.publicKey)
         };
     }
-    digestSyn(message, encrypter) {
-        const EK = crypto_1.default.ECDH.keyPair();
-        const SPK = (0, utils_1.decodeBase64)(message.SPK);
-        const IK = (0, utils_1.decodeBase64)(message.IK);
-        const OPK = message.OPK ? (0, utils_1.decodeBase64)(message.OPK) : undefined;
-        const spkHash = crypto_1.default.hash(SPK);
-        const opkHash = OPK ? crypto_1.default.hash(OPK) : new Uint8Array();
+    digestData(message) {
+        const ephemeralKey = crypto_1.default.ECDH.keyPair();
+        const signedPreKey = (0, utils_1.decodeBase64)(message.signedPreKey);
+        if (!crypto_1.default.EdDSA.verify(signedPreKey, (0, utils_1.decodeBase64)(message.signature), (0, utils_1.decodeBase64)(message.publicKey)))
+            throw new Error("Signature verification failed");
+        const identityKey = (0, utils_1.decodeBase64)(message.identityKey);
+        const onetimePreKey = message.onetimePreKey ? (0, utils_1.decodeBase64)(message.onetimePreKey) : undefined;
+        const signedPreKeyHash = crypto_1.default.hash(signedPreKey);
+        const onetimePreKeyHash = onetimePreKey ? crypto_1.default.hash(onetimePreKey) : new Uint8Array();
         const rootKey = crypto_1.default.hkdf(new Uint8Array([
-            ...crypto_1.default.scalarMult(this.IK.secretKey, SPK),
-            ...crypto_1.default.scalarMult(EK.secretKey, IK),
-            ...crypto_1.default.scalarMult(EK.secretKey, SPK),
-            ...OPK ? crypto_1.default.scalarMult(EK.secretKey, OPK) : new Uint8Array()
-        ]), new Uint8Array(double_ratchet_1.Session.rootKeyLength).fill(0), X3DH.hkdfInfo, double_ratchet_1.Session.rootKeyLength);
-        if (!encrypter)
-            encrypter = (msg, key) => crypto_1.default.box.encrypt(msg, new Uint8Array(crypto_1.default.box.nonceLength).fill(0), key);
+            ...crypto_1.default.scalarMult(this._identityKey.secretKey, signedPreKey),
+            ...crypto_1.default.scalarMult(ephemeralKey.secretKey, identityKey),
+            ...crypto_1.default.scalarMult(ephemeralKey.secretKey, signedPreKey),
+            ...onetimePreKey ? crypto_1.default.scalarMult(ephemeralKey.secretKey, onetimePreKey) : new Uint8Array()
+        ]), new Uint8Array(double_ratchet_1.KeySession.rootKeyLength).fill(0), KeyExchange.hkdfInfo, double_ratchet_1.KeySession.rootKeyLength);
+        const session = new double_ratchet_1.KeySession({ remoteKey: identityKey, rootKey });
+        const cyphertext = session.encrypt((0, utils_1.concatUint8Array)(crypto_1.default.hash(this._identityKey.publicKey), crypto_1.default.hash(identityKey)));
+        if (!cyphertext)
+            throw new Error();
         return {
-            rootKey,
-            ackMessage: {
-                version: X3DH.version,
-                PK: (0, utils_1.encodeBase64)(this.PK.publicKey),
-                IK: (0, utils_1.encodeBase64)(this.IK.publicKey),
-                EK: (0, utils_1.encodeBase64)(EK.publicKey),
-                SPKhash: (0, utils_1.encodeBase64)(spkHash),
-                OPKhash: (0, utils_1.encodeBase64)(opkHash),
-                AD: (0, utils_1.encodeBase64)(encrypter((0, utils_1.concatUint8Array)(crypto_1.default.hash(this.IK.publicKey), crypto_1.default.hash(IK)), rootKey))
+            session,
+            message: {
+                version: KeyExchange.version,
+                publicKey: (0, utils_1.encodeBase64)(this._signatureKey.publicKey),
+                identityKey: (0, utils_1.encodeBase64)(this._identityKey.publicKey),
+                ephemeralKey: (0, utils_1.encodeBase64)(ephemeralKey.publicKey),
+                signedPreKeyHash: (0, utils_1.encodeBase64)(signedPreKeyHash),
+                onetimePreKeyHash: (0, utils_1.encodeBase64)(onetimePreKeyHash),
+                associatedData: (0, utils_1.encodeBase64)(cyphertext.encode())
             }
         };
     }
-    digestAck(message, verifier) {
-        const SPK = this.bundleStore.SPK.get(message.SPKhash);
-        const OPK = this.bundleStore.OPK.get(message.SPKhash.concat(message.OPKhash));
-        if (!SPK || !OPK || !message.IK || !message.EK)
-            return;
-        const IK = (0, utils_1.decodeBase64)(message.IK);
-        const EK = (0, utils_1.decodeBase64)(message.EK);
+    digestMessage(message) {
+        const signedPreKey = this.bundleStore.get(message.signedPreKeyHash);
+        const hash = message.signedPreKeyHash.concat(message.onetimePreKeyHash);
+        const onetimePreKey = this.bundleStore.get(hash);
+        if (!signedPreKey || !onetimePreKey || !message.identityKey || !message.ephemeralKey)
+            throw new Error("ACK message malformed");
+        if (!this.bundleStore.delete(hash))
+            throw new Error("Bundle store deleting error");
+        const identityKey = (0, utils_1.decodeBase64)(message.identityKey);
+        const ephemeralKey = (0, utils_1.decodeBase64)(message.ephemeralKey);
         const rootKey = crypto_1.default.hkdf(new Uint8Array([
-            ...crypto_1.default.scalarMult(SPK.secretKey, IK),
-            ...crypto_1.default.scalarMult(this.IK.secretKey, EK),
-            ...crypto_1.default.scalarMult(SPK.secretKey, EK),
-            ...OPK ? crypto_1.default.scalarMult(OPK.secretKey, EK) : new Uint8Array()
-        ]), new Uint8Array(double_ratchet_1.Session.rootKeyLength).fill(0), X3DH.hkdfInfo, double_ratchet_1.Session.rootKeyLength);
-        if (!verifier)
-            verifier = (ciphertext, key) => (0, utils_1.verifyUint8Array)(crypto_1.default.box.decrypt(ciphertext, new Uint8Array(crypto_1.default.box.nonceLength).fill(0), key), (0, utils_1.concatUint8Array)(crypto_1.default.hash(IK), crypto_1.default.hash(this.IK.publicKey)));
-        if (!verifier((0, utils_1.decodeBase64)(message.AD), rootKey))
-            return;
-        return rootKey;
-    }
-    export() {
-        return [
-            this.IK,
-            [
-                Array.from(this.bundleStore.SPK.entries()),
-                Array.from(this.bundleStore.OPK.entries())
-            ]
-        ];
-    }
-    static import(input) {
-        return new X3DH(...input);
+            ...crypto_1.default.scalarMult(signedPreKey.secretKey, identityKey),
+            ...crypto_1.default.scalarMult(this._identityKey.secretKey, ephemeralKey),
+            ...crypto_1.default.scalarMult(signedPreKey.secretKey, ephemeralKey),
+            ...onetimePreKey ? crypto_1.default.scalarMult(onetimePreKey.secretKey, ephemeralKey) : new Uint8Array()
+        ]), new Uint8Array(double_ratchet_1.KeySession.rootKeyLength).fill(0), KeyExchange.hkdfInfo, double_ratchet_1.KeySession.rootKeyLength);
+        const session = new double_ratchet_1.KeySession({ secretKey: this._identityKey.secretKey, rootKey });
+        const cleartext = session.decrypt((0, utils_1.decodeBase64)(message.associatedData));
+        if (!cleartext)
+            throw new Error("Error decrypting ACK message");
+        if (!(0, utils_1.verifyUint8Array)(cleartext, (0, utils_1.concatUint8Array)(crypto_1.default.hash(identityKey), crypto_1.default.hash(this._identityKey.publicKey))))
+            throw new Error("Error verifing Associated Data");
+        return { session, cleartext };
     }
 }
-exports.X3DH = X3DH;
-X3DH.version = 1;
-X3DH.hkdfInfo = (0, utils_1.decodeUTF8)("freesignal/x3dh/" + X3DH.version);
-X3DH.maxOPK = 10;
+exports.KeyExchange = KeyExchange;
+KeyExchange.version = 1;
+KeyExchange.hkdfInfo = (0, utils_1.decodeUTF8)("freesignal/x3dh/" + KeyExchange.version);
+KeyExchange.maxOPK = 10;