Basic support for encrypted push-based attachments.

1) Move the attachment structures into the encrypted message body. 2) Encrypt attachments with symmetric keys transmitted in the encryptd attachment pointer structure. 3) Correctly handle asynchronous decryption and categorization of encrypted push messages. TODO: Correct notification process and network/interruption retries.
2025-12-31 12:26:14 +00:00 · 2013-09-08 18:19:05 -07:00
parent cddba2738f
commit 0dd36c64a4
47 changed files with 2381 additions and 1003 deletions
--- a/library/src/org/whispersystems/textsecure/crypto/AttachmentCipher.java
+++ b/library/src/org/whispersystems/textsecure/crypto/AttachmentCipher.java
@@ -0,0 +1,156 @@
+/**
+ * Copyright (C) 2013 Open Whisper Systems
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+package org.whispersystems.textsecure.crypto;
+
+import android.util.Log;
+
+import org.whispersystems.textsecure.util.Hex;
+import org.whispersystems.textsecure.util.Util;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.Mac;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Arrays;
+
+/**
+ * Encrypts push attachments.
+ *
+ * @author Moxie Marlinspike
+ */
+public class AttachmentCipher {
+
+  static final int CIPHER_KEY_SIZE = 32;
+  static final int MAC_KEY_SIZE    = 20;
+
+  private final SecretKeySpec cipherKey;
+  private final SecretKeySpec macKey;
+  private final Cipher        cipher;
+  private final Mac           mac;
+
+  public AttachmentCipher() {
+    this.cipherKey = initializeRandomCipherKey();
+    this.macKey    = initializeRandomMacKey();
+    this.cipher    = initializeCipher();
+    this.mac       = initializeMac();
+  }
+
+  public AttachmentCipher(byte[] combinedKeyMaterial) {
+    byte[][] parts = Util.split(combinedKeyMaterial, CIPHER_KEY_SIZE, MAC_KEY_SIZE);
+    this.cipherKey = new SecretKeySpec(parts[0], "AES");
+    this.macKey    = new SecretKeySpec(parts[1], "HmacSHA1");
+    this.cipher    = initializeCipher();
+    this.mac       = initializeMac();
+  }
+
+  public byte[] getCombinedKeyMaterial() {
+    return Util.combine(this.cipherKey.getEncoded(), this.macKey.getEncoded());
+  }
+
+  public byte[] encrypt(byte[] plaintext) {
+    try {
+      this.cipher.init(Cipher.ENCRYPT_MODE, this.cipherKey);
+      this.mac.init(this.macKey);
+
+      byte[] ciphertext = this.cipher.doFinal(plaintext);
+      byte[] iv         = this.cipher.getIV();
+      byte[] mac        = this.mac.doFinal(Util.combine(iv, ciphertext));
+
+      return Util.combine(iv, ciphertext, mac);
+    } catch (IllegalBlockSizeException e) {
+      throw new AssertionError(e);
+    } catch (BadPaddingException e) {
+      throw new AssertionError(e);
+    } catch (InvalidKeyException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  public byte[] decrypt(byte[] ciphertext)
+      throws InvalidMacException, InvalidMessageException
+  {
+    try {
+      if (ciphertext.length <= cipher.getBlockSize() + mac.getMacLength()) {
+        throw new InvalidMessageException("Message too short!");
+      }
+
+      byte[][] ciphertextParts = Util.split(ciphertext,
+                                            this.cipher.getBlockSize(),
+                                            ciphertext.length - this.cipher.getBlockSize() - this.mac.getMacLength(),
+                                            this.mac.getMacLength());
+
+      this.mac.update(ciphertext, 0, ciphertext.length - mac.getMacLength());
+      byte[] ourMac = this.mac.doFinal();
+
+      if (!Arrays.equals(ourMac, ciphertextParts[2])) {
+        throw new InvalidMacException("Mac doesn't match!");
+      }
+
+      this.cipher.init(Cipher.DECRYPT_MODE, this.cipherKey,
+                       new IvParameterSpec(ciphertextParts[0]));
+
+      return cipher.doFinal(ciphertextParts[1]);
+    } catch (InvalidKeyException e) {
+      throw new AssertionError(e);
+    } catch (InvalidAlgorithmParameterException e) {
+      throw new AssertionError(e);
+    } catch (IllegalBlockSizeException e) {
+      throw new AssertionError(e);
+    } catch (BadPaddingException e) {
+      throw new InvalidMessageException(e);
+    }
+  }
+
+  private Mac initializeMac() {
+    try {
+      Mac mac = Mac.getInstance("HmacSHA1");
+      return mac;
+    } catch (NoSuchAlgorithmException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  private Cipher initializeCipher() {
+    try {
+      Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
+      return cipher;
+    } catch (NoSuchAlgorithmException e) {
+      throw new AssertionError(e);
+    } catch (NoSuchPaddingException e) {
+      throw new AssertionError(e);
+    }
+  }
+
+  private SecretKeySpec initializeRandomCipherKey() {
+    byte[] key = new byte[CIPHER_KEY_SIZE];
+    Util.getSecureRandom().nextBytes(key);
+    return new SecretKeySpec(key, "AES");
+  }
+
+  private SecretKeySpec initializeRandomMacKey() {
+    byte[] key = new byte[MAC_KEY_SIZE];
+    Util.getSecureRandom().nextBytes(key);
+    return new SecretKeySpec(key, "HmacSHA1");
+  }
+
+}