bitchat-node 0.1.0

package/src/crypto/noise.ts

@@ -0,0 +1,574 @@
+/**
+ * Noise Protocol Implementation
+ * Implements Noise_XX_25519_ChaChaPoly_SHA256 per the Noise spec
+ * From: bitchat/Noise/NoiseProtocol.swift
+ *
+ * @see http://www.noiseprotocol.org/noise.html
+ */
+
+import * as chacha from '@stablelib/chacha20poly1305';
+import { hmac } from '@stablelib/hmac';
+import { hash, SHA256 } from '@stablelib/sha256';
+import * as x25519 from '@stablelib/x25519';
+
+const PROTOCOL_NAME = 'Noise_XX_25519_ChaChaPoly_SHA256';
+const KEY_SIZE = 32;
+const NONCE_SIZE = 12;
+const TAG_SIZE = 16;
+const NONCE_BYTES_IN_PACKET = 4; // For extracted nonce mode
+
+// -------------------------------------------------------------------
+// HKDF Implementation
+// -------------------------------------------------------------------
+
+function hkdfExtract(chainingKey: Uint8Array, inputKeyMaterial: Uint8Array): Uint8Array {
+  return Uint8Array.from(hmac(SHA256, chainingKey, inputKeyMaterial));
+}
+
+function hkdfExpand(prk: Uint8Array, numOutputs: number): Uint8Array[] {
+  const outputs: Uint8Array[] = [];
+  let prev = new Uint8Array(0);
+
+  for (let i = 0; i < numOutputs; i++) {
+    const input = new Uint8Array(prev.length + 1);
+    input.set(prev);
+    input[prev.length] = i + 1;
+    prev = Uint8Array.from(hmac(SHA256, prk, input));
+    outputs.push(Uint8Array.from(prev));
+  }
+
+  return outputs;
+}
+
+function hkdf(
+  chainingKey: Uint8Array,
+  inputKeyMaterial: Uint8Array,
+  numOutputs: number
+): Uint8Array[] {
+  const tempKey = hkdfExtract(chainingKey, inputKeyMaterial);
+  return hkdfExpand(tempKey, numOutputs);
+}
+
+// -------------------------------------------------------------------
+// Cipher State
+// -------------------------------------------------------------------
+
+/**
+ * Manages symmetric encryption with nonce tracking and replay protection
+ */
+export class CipherState {
+  private key: Uint8Array | null = null;
+  private nonce: bigint = 0n;
+  private readonly useExtractedNonce: boolean;
+
+  // Replay protection (sliding window)
+  private highestReceivedNonce: bigint = 0n;
+  private replayWindow: Uint8Array = new Uint8Array(128); // 1024 bits
+
+  constructor(key?: Uint8Array, useExtractedNonce = false) {
+    if (key) this.key = Uint8Array.from(key);
+    this.useExtractedNonce = useExtractedNonce;
+  }
+
+  initializeKey(key: Uint8Array): void {
+    this.key = Uint8Array.from(key);
+    this.nonce = 0n;
+  }
+
+  hasKey(): boolean {
+    return this.key !== null;
+  }
+
+  private makeNonceBytes(n: bigint): Uint8Array {
+    const bytes = new Uint8Array(NONCE_SIZE);
+    const view = new DataView(bytes.buffer);
+    // Noise spec: 4 zero bytes + 8 bytes little-endian counter
+    view.setBigUint64(4, n, true);
+    return bytes;
+  }
+
+  private isValidNonce(receivedNonce: bigint): boolean {
+    const windowSize = 1024n;
+
+    if (
+      this.highestReceivedNonce >= windowSize &&
+      receivedNonce <= this.highestReceivedNonce - windowSize
+    ) {
+      return false; // Too old
+    }
+
+    if (receivedNonce > this.highestReceivedNonce) {
+      return true; // New
+    }
+
+    // Check window
+    const offset = Number(this.highestReceivedNonce - receivedNonce);
+    const byteIndex = Math.floor(offset / 8);
+    const bitIndex = offset % 8;
+
+    return (this.replayWindow[byteIndex] & (1 << bitIndex)) === 0;
+  }
+
+  private markNonceAsSeen(receivedNonce: bigint): void {
+    if (receivedNonce > this.highestReceivedNonce) {
+      const shift = Number(receivedNonce - this.highestReceivedNonce);
+
+      if (shift >= 1024) {
+        this.replayWindow.fill(0);
+      } else {
+        // Shift window
+        for (let i = this.replayWindow.length - 1; i >= 0; i--) {
+          const sourceByteIndex = i - Math.floor(shift / 8);
+          let newByte = 0;
+
+          if (sourceByteIndex >= 0) {
+            newByte = this.replayWindow[sourceByteIndex] >> (shift % 8);
+            if (sourceByteIndex > 0 && shift % 8 !== 0) {
+              newByte |= this.replayWindow[sourceByteIndex - 1] << (8 - (shift % 8));
+            }
+          }
+
+          this.replayWindow[i] = newByte;
+        }
+      }
+
+      this.highestReceivedNonce = receivedNonce;
+      this.replayWindow[0] |= 1;
+    } else {
+      const offset = Number(this.highestReceivedNonce - receivedNonce);
+      const byteIndex = Math.floor(offset / 8);
+      const bitIndex = offset % 8;
+      this.replayWindow[byteIndex] |= 1 << bitIndex;
+    }
+  }
+
+  encrypt(plaintext: Uint8Array, ad: Uint8Array = new Uint8Array()): Uint8Array {
+    if (!this.key) throw new Error('Cipher not initialized');
+
+    const currentNonce = this.nonce;
+    this.nonce += 1n;
+
+    const nonceBytes = this.makeNonceBytes(currentNonce);
+    const cipher = new chacha.ChaCha20Poly1305(this.key);
+    const ciphertext = cipher.seal(nonceBytes, plaintext, ad);
+
+    if (this.useExtractedNonce) {
+      // Prepend 4-byte nonce (big-endian)
+      const result = new Uint8Array(NONCE_BYTES_IN_PACKET + ciphertext.length);
+      const view = new DataView(result.buffer);
+      view.setUint32(0, Number(currentNonce), false);
+      result.set(ciphertext, NONCE_BYTES_IN_PACKET);
+      return result;
+    }
+
+    return ciphertext;
+  }
+
+  decrypt(ciphertext: Uint8Array, ad: Uint8Array = new Uint8Array()): Uint8Array {
+    if (!this.key) throw new Error('Cipher not initialized');
+
+    let actualCiphertext: Uint8Array;
+    let decryptionNonce: bigint;
+
+    if (this.useExtractedNonce) {
+      if (ciphertext.length < NONCE_BYTES_IN_PACKET + TAG_SIZE) {
+        throw new Error('Ciphertext too short');
+      }
+      const view = new DataView(ciphertext.buffer, ciphertext.byteOffset);
+      decryptionNonce = BigInt(view.getUint32(0, false));
+      actualCiphertext = ciphertext.subarray(NONCE_BYTES_IN_PACKET);
+
+      if (!this.isValidNonce(decryptionNonce)) {
+        throw new Error('Replay detected');
+      }
+    } else {
+      decryptionNonce = this.nonce;
+      this.nonce += 1n;
+      actualCiphertext = ciphertext;
+    }
+
+    const nonceBytes = this.makeNonceBytes(decryptionNonce);
+    const cipher = new chacha.ChaCha20Poly1305(this.key);
+    const plaintext = cipher.open(nonceBytes, actualCiphertext, ad);
+
+    if (!plaintext) {
+      throw new Error('Decryption failed');
+    }
+
+    if (this.useExtractedNonce) {
+      this.markNonceAsSeen(decryptionNonce);
+    }
+
+    return plaintext;
+  }
+
+  clear(): void {
+    if (this.key) {
+      this.key.fill(0);
+      this.key = null;
+    }
+    this.nonce = 0n;
+    this.highestReceivedNonce = 0n;
+    this.replayWindow.fill(0);
+  }
+}
+
+// -------------------------------------------------------------------
+// Symmetric State
+// -------------------------------------------------------------------
+
+class SymmetricState {
+  private cipherState: CipherState;
+  private chainingKey: Uint8Array;
+  private h: Uint8Array;
+
+  constructor(protocolName: string) {
+    this.cipherState = new CipherState();
+
+    const nameBytes = new TextEncoder().encode(protocolName);
+    if (nameBytes.length <= 32) {
+      this.h = new Uint8Array(32);
+      this.h.set(nameBytes);
+    } else {
+      this.h = hash(nameBytes);
+    }
+    this.chainingKey = Uint8Array.from(this.h);
+  }
+
+  mixKey(inputKeyMaterial: Uint8Array): void {
+    const outputs = hkdf(this.chainingKey, inputKeyMaterial, 2);
+    this.chainingKey = outputs[0];
+    this.cipherState.initializeKey(outputs[1]);
+  }
+
+  mixHash(data: Uint8Array): void {
+    const combined = new Uint8Array(this.h.length + data.length);
+    combined.set(this.h);
+    combined.set(data, this.h.length);
+    this.h = hash(combined);
+  }
+
+  getHandshakeHash(): Uint8Array {
+    return Uint8Array.from(this.h);
+  }
+
+  hasCipherKey(): boolean {
+    return this.cipherState.hasKey();
+  }
+
+  encryptAndHash(plaintext: Uint8Array): Uint8Array {
+    if (this.cipherState.hasKey()) {
+      const ciphertext = this.cipherState.encrypt(plaintext, this.h);
+      this.mixHash(ciphertext);
+      return ciphertext;
+    } else {
+      this.mixHash(plaintext);
+      return plaintext;
+    }
+  }
+
+  decryptAndHash(ciphertext: Uint8Array): Uint8Array {
+    if (this.cipherState.hasKey()) {
+      const plaintext = this.cipherState.decrypt(ciphertext, this.h);
+      this.mixHash(ciphertext);
+      return plaintext;
+    } else {
+      this.mixHash(ciphertext);
+      return ciphertext;
+    }
+  }
+
+  split(useExtractedNonce: boolean): [CipherState, CipherState] {
+    const outputs = hkdf(this.chainingKey, new Uint8Array(), 2);
+
+    const c1 = new CipherState(outputs[0], useExtractedNonce);
+    const c2 = new CipherState(outputs[1], useExtractedNonce);
+
+    // Clear sensitive state
+    this.chainingKey.fill(0);
+    this.h.fill(0);
+
+    return [c1, c2];
+  }
+}
+
+// -------------------------------------------------------------------
+// Handshake State
+// -------------------------------------------------------------------
+
+export type NoiseRole = 'initiator' | 'responder';
+
+type Token = 'e' | 's' | 'ee' | 'es' | 'se' | 'ss';
+const XX_PATTERNS: Token[][] = [['e'], ['e', 'ee', 's', 'es'], ['s', 'se']];
+
+export interface NoiseKeyPair {
+  publicKey: Uint8Array;
+  secretKey: Uint8Array;
+}
+
+/**
+ * Orchestrates the XX handshake
+ */
+export class HandshakeState {
+  private readonly role: NoiseRole;
+  private readonly symmetricState: SymmetricState;
+  private currentPattern = 0;
+
+  private localStaticPrivate: Uint8Array;
+  private localStaticPublic: Uint8Array;
+  private localEphemeralPrivate?: Uint8Array;
+  private localEphemeralPublic?: Uint8Array;
+  private remoteStaticPublic?: Uint8Array;
+  private remoteEphemeralPublic?: Uint8Array;
+
+  constructor(
+    role: NoiseRole,
+    localStaticKeyPair: NoiseKeyPair,
+    prologue: Uint8Array = new Uint8Array()
+  ) {
+    this.role = role;
+    this.localStaticPrivate = localStaticKeyPair.secretKey;
+    this.localStaticPublic = localStaticKeyPair.publicKey;
+
+    this.symmetricState = new SymmetricState(PROTOCOL_NAME);
+    this.symmetricState.mixHash(prologue);
+  }
+
+  writeMessage(payload: Uint8Array = new Uint8Array()): Uint8Array {
+    if (this.currentPattern >= XX_PATTERNS.length) {
+      throw new Error('Handshake already complete');
+    }
+
+    const parts: Uint8Array[] = [];
+    const pattern = XX_PATTERNS[this.currentPattern];
+
+    for (const token of pattern) {
+      switch (token) {
+        case 'e': {
+          const kp = x25519.generateKeyPair();
+          this.localEphemeralPrivate = kp.secretKey;
+          this.localEphemeralPublic = kp.publicKey;
+          parts.push(Uint8Array.from(this.localEphemeralPublic));
+          this.symmetricState.mixHash(this.localEphemeralPublic);
+          break;
+        }
+        case 's': {
+          const encrypted = this.symmetricState.encryptAndHash(this.localStaticPublic);
+          parts.push(encrypted);
+          break;
+        }
+        case 'ee': {
+          if (!this.localEphemeralPrivate || !this.remoteEphemeralPublic) {
+            throw new Error('Missing ephemeral keys for ee');
+          }
+          const shared = x25519.sharedKey(this.localEphemeralPrivate, this.remoteEphemeralPublic);
+          this.symmetricState.mixKey(shared);
+          break;
+        }
+        case 'es': {
+          const [localKey, remoteKey] =
+            this.role === 'initiator'
+              ? [this.localEphemeralPrivate, this.remoteStaticPublic]
+              : [this.localStaticPrivate, this.remoteEphemeralPublic];
+          if (!localKey || !remoteKey) throw new Error('Missing keys for es');
+          const shared = x25519.sharedKey(localKey, remoteKey);
+          this.symmetricState.mixKey(shared);
+          break;
+        }
+        case 'se': {
+          const [localKey, remoteKey] =
+            this.role === 'initiator'
+              ? [this.localStaticPrivate, this.remoteEphemeralPublic]
+              : [this.localEphemeralPrivate, this.remoteStaticPublic];
+          if (!localKey || !remoteKey) throw new Error('Missing keys for se');
+          const shared = x25519.sharedKey(localKey, remoteKey);
+          this.symmetricState.mixKey(shared);
+          break;
+        }
+        case 'ss': {
+          if (!this.remoteStaticPublic) throw new Error('Missing remote static for ss');
+          const shared = x25519.sharedKey(this.localStaticPrivate, this.remoteStaticPublic);
+          this.symmetricState.mixKey(shared);
+          break;
+        }
+      }
+    }
+
+    const encryptedPayload = this.symmetricState.encryptAndHash(payload);
+    parts.push(encryptedPayload);
+
+    this.currentPattern++;
+
+    // Concatenate
+    const totalLength = parts.reduce((sum, p) => sum + p.length, 0);
+    const result = new Uint8Array(totalLength);
+    let offset = 0;
+    for (const part of parts) {
+      result.set(part, offset);
+      offset += part.length;
+    }
+
+    return result;
+  }
+
+  readMessage(message: Uint8Array): Uint8Array {
+    if (this.currentPattern >= XX_PATTERNS.length) {
+      throw new Error('Handshake already complete');
+    }
+
+    let offset = 0;
+    const pattern = XX_PATTERNS[this.currentPattern];
+
+    for (const token of pattern) {
+      switch (token) {
+        case 'e': {
+          if (offset + KEY_SIZE > message.length) {
+            throw new Error('Message too short for ephemeral key');
+          }
+          this.remoteEphemeralPublic = Uint8Array.from(message.subarray(offset, offset + KEY_SIZE));
+          this.symmetricState.mixHash(this.remoteEphemeralPublic);
+          offset += KEY_SIZE;
+          break;
+        }
+        case 's': {
+          const keyLen = this.symmetricState.hasCipherKey() ? KEY_SIZE + TAG_SIZE : KEY_SIZE;
+          if (offset + keyLen > message.length) {
+            throw new Error('Message too short for static key');
+          }
+          const staticData = message.subarray(offset, offset + keyLen);
+          const decrypted = this.symmetricState.decryptAndHash(staticData);
+          this.remoteStaticPublic = Uint8Array.from(decrypted);
+          offset += keyLen;
+          break;
+        }
+        case 'ee':
+        case 'es':
+        case 'se':
+        case 'ss': {
+          this.performDH(token);
+          break;
+        }
+      }
+    }
+
+    const encryptedPayload = message.subarray(offset);
+    const payload = this.symmetricState.decryptAndHash(encryptedPayload);
+
+    this.currentPattern++;
+    return payload;
+  }
+
+  private performDH(token: Token): void {
+    let localKey: Uint8Array | undefined;
+    let remoteKey: Uint8Array | undefined;
+
+    switch (token) {
+      case 'ee':
+        localKey = this.localEphemeralPrivate;
+        remoteKey = this.remoteEphemeralPublic;
+        break;
+      case 'es':
+        if (this.role === 'initiator') {
+          localKey = this.localEphemeralPrivate;
+          remoteKey = this.remoteStaticPublic;
+        } else {
+          localKey = this.localStaticPrivate;
+          remoteKey = this.remoteEphemeralPublic;
+        }
+        break;
+      case 'se':
+        if (this.role === 'initiator') {
+          localKey = this.localStaticPrivate;
+          remoteKey = this.remoteEphemeralPublic;
+        } else {
+          localKey = this.localEphemeralPrivate;
+          remoteKey = this.remoteStaticPublic;
+        }
+        break;
+      case 'ss':
+        localKey = this.localStaticPrivate;
+        remoteKey = this.remoteStaticPublic;
+        break;
+    }
+
+    if (!localKey || !remoteKey) {
+      throw new Error(`Missing keys for ${token}`);
+    }
+
+    const shared = x25519.sharedKey(localKey, remoteKey);
+    this.symmetricState.mixKey(shared);
+  }
+
+  isComplete(): boolean {
+    return this.currentPattern >= XX_PATTERNS.length;
+  }
+
+  getRemoteStaticPublicKey(): Uint8Array | undefined {
+    return this.remoteStaticPublic;
+  }
+
+  getHandshakeHash(): Uint8Array {
+    return this.symmetricState.getHandshakeHash();
+  }
+
+  split(useExtractedNonce = true): { send: CipherState; receive: CipherState; hash: Uint8Array } {
+    if (!this.isComplete()) {
+      throw new Error('Handshake not complete');
+    }
+
+    const handshakeHash = this.symmetricState.getHandshakeHash();
+    const [c1, c2] = this.symmetricState.split(useExtractedNonce);
+
+    const ciphers =
+      this.role === 'initiator' ? { send: c1, receive: c2 } : { send: c2, receive: c1 };
+
+    return { ...ciphers, hash: handshakeHash };
+  }
+}
+
+// -------------------------------------------------------------------
+// Session
+// -------------------------------------------------------------------
+
+/**
+ * An established Noise session for transport encryption
+ */
+export class NoiseSession {
+  private sendCipher: CipherState;
+  private receiveCipher: CipherState;
+  readonly handshakeHash: Uint8Array;
+  readonly remotePublicKey: Uint8Array;
+
+  constructor(
+    sendCipher: CipherState,
+    receiveCipher: CipherState,
+    handshakeHash: Uint8Array,
+    remotePublicKey: Uint8Array
+  ) {
+    this.sendCipher = sendCipher;
+    this.receiveCipher = receiveCipher;
+    this.handshakeHash = Uint8Array.from(handshakeHash);
+    this.remotePublicKey = Uint8Array.from(remotePublicKey);
+  }
+
+  encrypt(plaintext: Uint8Array): Uint8Array {
+    return this.sendCipher.encrypt(plaintext);
+  }
+
+  decrypt(ciphertext: Uint8Array): Uint8Array {
+    return this.receiveCipher.decrypt(ciphertext);
+  }
+
+  clear(): void {
+    this.sendCipher.clear();
+    this.receiveCipher.clear();
+  }
+}
+
+// -------------------------------------------------------------------
+// Key Generation
+// -------------------------------------------------------------------
+
+export function generateKeyPair(): NoiseKeyPair {
+  return x25519.generateKeyPair();
+}

package/src/crypto/signing.ts

@@ -0,0 +1,66 @@
+/**
+ * Ed25519 Signing Utilities
+ * Used for packet authentication and identity binding
+ */
+
+import * as ed25519 from '@stablelib/ed25519';
+import { hash } from '@stablelib/sha256';
+
+export interface SigningKeyPair {
+  publicKey: Uint8Array;
+  secretKey: Uint8Array;
+}
+
+/**
+ * Generate a new Ed25519 signing key pair
+ */
+export function generateSigningKeyPair(): SigningKeyPair {
+  return ed25519.generateKeyPair();
+}
+
+/**
+ * Sign a message with Ed25519
+ */
+export function sign(message: Uint8Array, secretKey: Uint8Array): Uint8Array {
+  return ed25519.sign(secretKey, message);
+}
+
+/**
+ * Verify an Ed25519 signature
+ */
+export function verify(message: Uint8Array, signature: Uint8Array, publicKey: Uint8Array): boolean {
+  try {
+    return ed25519.verify(publicKey, message, signature);
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * SHA-256 hash
+ */
+export function sha256(data: Uint8Array): Uint8Array {
+  return hash(data);
+}
+
+/**
+ * Derive a fingerprint from a public key
+ * Used for identity verification
+ */
+export function fingerprint(publicKey: Uint8Array): string {
+  const h = sha256(publicKey);
+  return Array.from(h)
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('');
+}
+
+/**
+ * Format fingerprint for display (colon-separated groups)
+ */
+export function formatFingerprint(fp: string): string {
+  const groups: string[] = [];
+  for (let i = 0; i < fp.length; i += 4) {
+    groups.push(fp.slice(i, i + 4));
+  }
+  return groups.join(':').toUpperCase();
+}