mirror of
https://github.com/oxen-io/session-android.git
synced 2024-11-27 12:05:22 +00:00
Split HKDF secret derivation and parsing.
This commit is contained in:
parent
f29d1e6269
commit
6326ef73f3
@ -2,7 +2,6 @@ package org.whispersystems.test.kdf;
|
|||||||
|
|
||||||
import android.test.AndroidTestCase;
|
import android.test.AndroidTestCase;
|
||||||
|
|
||||||
import org.whispersystems.libaxolotl.kdf.DerivedSecrets;
|
|
||||||
import org.whispersystems.libaxolotl.kdf.HKDF;
|
import org.whispersystems.libaxolotl.kdf.HKDF;
|
||||||
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
@ -20,24 +19,19 @@ public class HKDFTest extends AndroidTestCase {
|
|||||||
byte[] info = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, (byte) 0xf4,
|
byte[] info = {(byte) 0xf0, (byte) 0xf1, (byte) 0xf2, (byte) 0xf3, (byte) 0xf4,
|
||||||
(byte) 0xf5, (byte) 0xf6, (byte) 0xf7, (byte) 0xf8, (byte) 0xf9};
|
(byte) 0xf5, (byte) 0xf6, (byte) 0xf7, (byte) 0xf8, (byte) 0xf9};
|
||||||
|
|
||||||
byte[] expectedOutputOne = {(byte) 0x3c, (byte) 0xb2, (byte) 0x5f, (byte) 0x25, (byte) 0xfa,
|
byte[] okm = {(byte) 0x3c, (byte) 0xb2, (byte) 0x5f, (byte) 0x25, (byte) 0xfa,
|
||||||
(byte) 0xac, (byte) 0xd5, (byte) 0x7a, (byte) 0x90, (byte) 0x43,
|
(byte) 0xac, (byte) 0xd5, (byte) 0x7a, (byte) 0x90, (byte) 0x43,
|
||||||
(byte) 0x4f, (byte) 0x64, (byte) 0xd0, (byte) 0x36, (byte) 0x2f,
|
(byte) 0x4f, (byte) 0x64, (byte) 0xd0, (byte) 0x36, (byte) 0x2f,
|
||||||
(byte) 0x2a, (byte) 0x2d, (byte) 0x2d, (byte) 0x0a, (byte) 0x90,
|
(byte) 0x2a, (byte) 0x2d, (byte) 0x2d, (byte) 0x0a, (byte) 0x90,
|
||||||
(byte) 0xcf, (byte) 0x1a, (byte) 0x5a, (byte) 0x4c, (byte) 0x5d,
|
(byte) 0xcf, (byte) 0x1a, (byte) 0x5a, (byte) 0x4c, (byte) 0x5d,
|
||||||
(byte) 0xb0, (byte) 0x2d, (byte) 0x56, (byte) 0xec, (byte) 0xc4,
|
(byte) 0xb0, (byte) 0x2d, (byte) 0x56, (byte) 0xec, (byte) 0xc4,
|
||||||
(byte) 0xc5, (byte) 0xbf};
|
(byte) 0xc5, (byte) 0xbf, (byte) 0x34, (byte) 0x00, (byte) 0x72,
|
||||||
|
(byte) 0x08, (byte) 0xd5, (byte) 0xb8, (byte) 0x87, (byte) 0x18,
|
||||||
|
(byte) 0x58, (byte) 0x65};
|
||||||
|
|
||||||
byte[] expectedOutputTwo = {(byte) 0x34, (byte) 0x00, (byte) 0x72, (byte) 0x08, (byte) 0xd5,
|
byte[] actualOutput = HKDF.createFor(3).deriveSecrets(ikm, salt, info, 42);
|
||||||
(byte) 0xb8, (byte) 0x87, (byte) 0x18, (byte) 0x58, (byte) 0x65};
|
|
||||||
|
|
||||||
DerivedSecrets derivedSecrets = HKDF.createFor(3).deriveSecrets(ikm, salt, info);
|
assertTrue(Arrays.equals(okm, actualOutput));
|
||||||
|
|
||||||
byte[] truncatedMacKey = new byte[expectedOutputTwo.length];
|
|
||||||
System.arraycopy(derivedSecrets.getMacKey().getEncoded(), 0, truncatedMacKey, 0, truncatedMacKey.length);
|
|
||||||
|
|
||||||
assertTrue(Arrays.equals(derivedSecrets.getCipherKey().getEncoded(), expectedOutputOne));
|
|
||||||
assertTrue(Arrays.equals(expectedOutputTwo, truncatedMacKey));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testVectorLongV3() {
|
public void testVectorLongV3() {
|
||||||
@ -109,6 +103,9 @@ public class HKDFTest extends AndroidTestCase {
|
|||||||
(byte) 0x3e, (byte) 0x87, (byte) 0xc1, (byte) 0x4c, (byte) 0x01,
|
(byte) 0x3e, (byte) 0x87, (byte) 0xc1, (byte) 0x4c, (byte) 0x01,
|
||||||
(byte) 0xd5, (byte) 0xc1, (byte) 0xf3, (byte) 0x43, (byte) 0x4f,
|
(byte) 0xd5, (byte) 0xc1, (byte) 0xf3, (byte) 0x43, (byte) 0x4f,
|
||||||
(byte) 0x1d, (byte) 0x87};
|
(byte) 0x1d, (byte) 0x87};
|
||||||
|
|
||||||
|
byte[] actualOutput = HKDF.createFor(3).deriveSecrets(ikm, salt, info, 82);
|
||||||
|
assertTrue(Arrays.equals(okm, actualOutput));
|
||||||
}
|
}
|
||||||
|
|
||||||
public void testVectorV2() {
|
public void testVectorV2() {
|
||||||
@ -122,25 +119,21 @@ public class HKDFTest extends AndroidTestCase {
|
|||||||
byte[] info = {(byte)0xf0, (byte)0xf1, (byte)0xf2, (byte)0xf3, (byte)0xf4,
|
byte[] info = {(byte)0xf0, (byte)0xf1, (byte)0xf2, (byte)0xf3, (byte)0xf4,
|
||||||
(byte)0xf5, (byte)0xf6, (byte)0xf7, (byte)0xf8, (byte)0xf9};
|
(byte)0xf5, (byte)0xf6, (byte)0xf7, (byte)0xf8, (byte)0xf9};
|
||||||
|
|
||||||
byte[] expectedOutputOne = {(byte)0x6e, (byte)0xc2, (byte)0x55, (byte)0x6d, (byte)0x5d,
|
byte[] okm = {(byte)0x6e, (byte)0xc2, (byte)0x55, (byte)0x6d, (byte)0x5d,
|
||||||
(byte)0x7b, (byte)0x1d, (byte)0x81, (byte)0xde, (byte)0xe4,
|
(byte)0x7b, (byte)0x1d, (byte)0x81, (byte)0xde, (byte)0xe4,
|
||||||
(byte)0x22, (byte)0x2a, (byte)0xd7, (byte)0x48, (byte)0x36,
|
(byte)0x22, (byte)0x2a, (byte)0xd7, (byte)0x48, (byte)0x36,
|
||||||
(byte)0x95, (byte)0xdd, (byte)0xc9, (byte)0x8f, (byte)0x4f,
|
(byte)0x95, (byte)0xdd, (byte)0xc9, (byte)0x8f, (byte)0x4f,
|
||||||
(byte)0x5f, (byte)0xab, (byte)0xc0, (byte)0xe0, (byte)0x20,
|
(byte)0x5f, (byte)0xab, (byte)0xc0, (byte)0xe0, (byte)0x20,
|
||||||
(byte)0x5d, (byte)0xc2, (byte)0xef, (byte)0x87, (byte)0x52,
|
(byte)0x5d, (byte)0xc2, (byte)0xef, (byte)0x87, (byte)0x52,
|
||||||
(byte)0xd4, (byte)0x1e};
|
(byte)0xd4, (byte)0x1e, (byte)0x04, (byte)0xe2, (byte)0xe2,
|
||||||
|
(byte)0x11, (byte)0x01, (byte)0xc6, (byte)0x8f, (byte)0xf0,
|
||||||
|
(byte)0x93, (byte)0x94, (byte)0xb8, (byte)0xad, (byte)0x0b,
|
||||||
|
(byte)0xdc, (byte)0xb9, (byte)0x60, (byte)0x9c, (byte)0xd4,
|
||||||
|
(byte)0xee, (byte)0x82, (byte)0xac, (byte)0x13, (byte)0x19,
|
||||||
|
(byte)0x9b, (byte)0x4a, (byte)0xa9, (byte)0xfd, (byte)0xa8,
|
||||||
|
(byte)0x99, (byte)0xda, (byte)0xeb, (byte)0xec};
|
||||||
|
|
||||||
byte[] expectedOutputTwo = {(byte)0x04, (byte)0xe2, (byte)0xe2, (byte)0x11, (byte)0x01,
|
byte[] actualOutput = HKDF.createFor(2).deriveSecrets(ikm, salt, info, 64);
|
||||||
(byte)0xc6, (byte)0x8f, (byte)0xf0, (byte)0x93, (byte)0x94,
|
assertTrue(Arrays.equals(okm, actualOutput));
|
||||||
(byte)0xb8, (byte)0xad, (byte)0x0b, (byte)0xdc, (byte)0xb9,
|
|
||||||
(byte)0x60, (byte)0x9c, (byte)0xd4, (byte)0xee, (byte)0x82,
|
|
||||||
(byte)0xac, (byte)0x13, (byte)0x19, (byte)0x9b, (byte)0x4a,
|
|
||||||
(byte)0xa9, (byte)0xfd, (byte)0xa8, (byte)0x99, (byte)0xda,
|
|
||||||
(byte)0xeb, (byte)0xec};
|
|
||||||
|
|
||||||
DerivedSecrets derivedSecrets = HKDF.createFor(2).deriveSecrets(ikm, salt, info);
|
|
||||||
|
|
||||||
assertTrue(Arrays.equals(derivedSecrets.getCipherKey().getEncoded(), expectedOutputOne));
|
|
||||||
assertTrue(Arrays.equals(derivedSecrets.getMacKey().getEncoded(), expectedOutputTwo));
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -21,12 +21,27 @@ import javax.crypto.spec.SecretKeySpec;
|
|||||||
|
|
||||||
public class DerivedSecrets {
|
public class DerivedSecrets {
|
||||||
|
|
||||||
|
public static final int SIZE = 64;
|
||||||
|
private static final int CIPHER_KEYS_OFFSET = 0;
|
||||||
|
private static final int MAC_KEYS_OFFSET = 32;
|
||||||
|
|
||||||
private final SecretKeySpec cipherKey;
|
private final SecretKeySpec cipherKey;
|
||||||
private final SecretKeySpec macKey;
|
private final SecretKeySpec macKey;
|
||||||
|
|
||||||
public DerivedSecrets(SecretKeySpec cipherKey, SecretKeySpec macKey) {
|
public DerivedSecrets(byte[] okm) {
|
||||||
this.cipherKey = cipherKey;
|
this.cipherKey = deriveCipherKey(okm);
|
||||||
this.macKey = macKey;
|
this.macKey = deriveMacKey(okm);
|
||||||
|
}
|
||||||
|
private SecretKeySpec deriveCipherKey(byte[] okm) {
|
||||||
|
byte[] cipherKey = new byte[32];
|
||||||
|
System.arraycopy(okm, CIPHER_KEYS_OFFSET, cipherKey, 0, cipherKey.length);
|
||||||
|
return new SecretKeySpec(cipherKey, "AES");
|
||||||
|
}
|
||||||
|
|
||||||
|
private SecretKeySpec deriveMacKey(byte[] okm) {
|
||||||
|
byte[] macKey = new byte[32];
|
||||||
|
System.arraycopy(okm, MAC_KEYS_OFFSET, macKey, 0, macKey.length);
|
||||||
|
return new SecretKeySpec(macKey, "HmacSHA256");
|
||||||
}
|
}
|
||||||
|
|
||||||
public SecretKeySpec getCipherKey() {
|
public SecretKeySpec getCipherKey() {
|
||||||
|
@ -27,10 +27,6 @@ import javax.crypto.spec.SecretKeySpec;
|
|||||||
public abstract class HKDF {
|
public abstract class HKDF {
|
||||||
|
|
||||||
private static final int HASH_OUTPUT_SIZE = 32;
|
private static final int HASH_OUTPUT_SIZE = 32;
|
||||||
private static final int KEY_MATERIAL_SIZE = 64;
|
|
||||||
|
|
||||||
private static final int CIPHER_KEYS_OFFSET = 0;
|
|
||||||
private static final int MAC_KEYS_OFFSET = 32;
|
|
||||||
|
|
||||||
public static HKDF createFor(int messageVersion) {
|
public static HKDF createFor(int messageVersion) {
|
||||||
switch (messageVersion) {
|
switch (messageVersion) {
|
||||||
@ -40,31 +36,14 @@ public abstract class HKDF {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public DerivedSecrets deriveSecrets(byte[] inputKeyMaterial, byte[] info) {
|
public byte[] deriveSecrets(byte[] inputKeyMaterial, byte[] info, int outputLength) {
|
||||||
byte[] salt = new byte[HASH_OUTPUT_SIZE];
|
byte[] salt = new byte[HASH_OUTPUT_SIZE];
|
||||||
return deriveSecrets(inputKeyMaterial, salt, info);
|
return deriveSecrets(inputKeyMaterial, salt, info, outputLength);
|
||||||
}
|
}
|
||||||
|
|
||||||
public DerivedSecrets deriveSecrets(byte[] inputKeyMaterial, byte[] salt, byte[] info) {
|
public byte[] deriveSecrets(byte[] inputKeyMaterial, byte[] salt, byte[] info, int outputLength) {
|
||||||
byte[] prk = extract(salt, inputKeyMaterial);
|
byte[] prk = extract(salt, inputKeyMaterial);
|
||||||
byte[] okm = expand(prk, info, KEY_MATERIAL_SIZE);
|
return expand(prk, info, outputLength);
|
||||||
|
|
||||||
SecretKeySpec cipherKey = deriveCipherKey(okm);
|
|
||||||
SecretKeySpec macKey = deriveMacKey(okm);
|
|
||||||
|
|
||||||
return new DerivedSecrets(cipherKey, macKey);
|
|
||||||
}
|
|
||||||
|
|
||||||
private SecretKeySpec deriveCipherKey(byte[] okm) {
|
|
||||||
byte[] cipherKey = new byte[32];
|
|
||||||
System.arraycopy(okm, CIPHER_KEYS_OFFSET, cipherKey, 0, cipherKey.length);
|
|
||||||
return new SecretKeySpec(cipherKey, "AES");
|
|
||||||
}
|
|
||||||
|
|
||||||
private SecretKeySpec deriveMacKey(byte[] okm) {
|
|
||||||
byte[] macKey = new byte[32];
|
|
||||||
System.arraycopy(okm, MAC_KEYS_OFFSET, macKey, 0, macKey.length);
|
|
||||||
return new SecretKeySpec(macKey, "HmacSHA256");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private byte[] extract(byte[] salt, byte[] inputKeyMaterial) {
|
private byte[] extract(byte[] salt, byte[] inputKeyMaterial) {
|
||||||
@ -79,9 +58,10 @@ public abstract class HKDF {
|
|||||||
|
|
||||||
private byte[] expand(byte[] prk, byte[] info, int outputSize) {
|
private byte[] expand(byte[] prk, byte[] info, int outputSize) {
|
||||||
try {
|
try {
|
||||||
int iterations = (int)Math.ceil((double)outputSize/(double)HASH_OUTPUT_SIZE);
|
int iterations = (int) Math.ceil((double) outputSize / (double) HASH_OUTPUT_SIZE);
|
||||||
byte[] mixin = new byte[0];
|
byte[] mixin = new byte[0];
|
||||||
ByteArrayOutputStream results = new ByteArrayOutputStream();
|
ByteArrayOutputStream results = new ByteArrayOutputStream();
|
||||||
|
int remainingBytes = outputSize;
|
||||||
|
|
||||||
for (int i= getIterationStartOffset();i<iterations + getIterationEndOffset();i++) {
|
for (int i= getIterationStartOffset();i<iterations + getIterationEndOffset();i++) {
|
||||||
Mac mac = Mac.getInstance("HmacSHA256");
|
Mac mac = Mac.getInstance("HmacSHA256");
|
||||||
@ -94,9 +74,12 @@ public abstract class HKDF {
|
|||||||
mac.update((byte)i);
|
mac.update((byte)i);
|
||||||
|
|
||||||
byte[] stepResult = mac.doFinal();
|
byte[] stepResult = mac.doFinal();
|
||||||
results.write(stepResult, 0, stepResult.length);
|
int stepSize = Math.min(remainingBytes, stepResult.length);
|
||||||
|
|
||||||
mixin = stepResult;
|
results.write(stepResult, 0, stepSize);
|
||||||
|
|
||||||
|
mixin = stepResult;
|
||||||
|
remainingBytes -= stepSize;
|
||||||
}
|
}
|
||||||
|
|
||||||
return results.toByteArray();
|
return results.toByteArray();
|
||||||
|
@ -56,7 +56,8 @@ public class ChainKey {
|
|||||||
|
|
||||||
public MessageKeys getMessageKeys() {
|
public MessageKeys getMessageKeys() {
|
||||||
byte[] inputKeyMaterial = getBaseMaterial(MESSAGE_KEY_SEED);
|
byte[] inputKeyMaterial = getBaseMaterial(MESSAGE_KEY_SEED);
|
||||||
DerivedSecrets keyMaterial = kdf.deriveSecrets(inputKeyMaterial, "WhisperMessageKeys".getBytes());
|
byte[] keyMaterialBytes = kdf.deriveSecrets(inputKeyMaterial, "WhisperMessageKeys".getBytes(), DerivedSecrets.SIZE);
|
||||||
|
DerivedSecrets keyMaterial = new DerivedSecrets(keyMaterialBytes);
|
||||||
|
|
||||||
return new MessageKeys(keyMaterial.getCipherKey(), keyMaterial.getMacKey(), index);
|
return new MessageKeys(keyMaterial.getCipherKey(), keyMaterial.getMacKey(), index);
|
||||||
}
|
}
|
||||||
|
@ -131,7 +131,8 @@ public class RatchetingSession {
|
|||||||
secrets.write(Curve.calculateAgreement(theirPreKey, ourPreKey.getPrivateKey()));
|
secrets.write(Curve.calculateAgreement(theirPreKey, ourPreKey.getPrivateKey()));
|
||||||
}
|
}
|
||||||
|
|
||||||
DerivedSecrets derivedSecrets = kdf.deriveSecrets(secrets.toByteArray(), "WhisperText".getBytes());
|
byte[] derivedSecretBytes = kdf.deriveSecrets(secrets.toByteArray(), "WhisperText".getBytes(), DerivedSecrets.SIZE);
|
||||||
|
DerivedSecrets derivedSecrets = new DerivedSecrets(derivedSecretBytes);
|
||||||
|
|
||||||
return new Pair<>(new RootKey(kdf, derivedSecrets.getCipherKey().getEncoded()),
|
return new Pair<>(new RootKey(kdf, derivedSecrets.getCipherKey().getEncoded()),
|
||||||
new ChainKey(kdf, derivedSecrets.getMacKey().getEncoded(), 0));
|
new ChainKey(kdf, derivedSecrets.getMacKey().getEncoded(), 0));
|
||||||
|
@ -22,6 +22,7 @@ import org.whispersystems.libaxolotl.ecc.ECKeyPair;
|
|||||||
import org.whispersystems.libaxolotl.ecc.ECPublicKey;
|
import org.whispersystems.libaxolotl.ecc.ECPublicKey;
|
||||||
import org.whispersystems.libaxolotl.kdf.DerivedSecrets;
|
import org.whispersystems.libaxolotl.kdf.DerivedSecrets;
|
||||||
import org.whispersystems.libaxolotl.kdf.HKDF;
|
import org.whispersystems.libaxolotl.kdf.HKDF;
|
||||||
|
import org.whispersystems.libaxolotl.util.ByteUtil;
|
||||||
import org.whispersystems.libaxolotl.util.Pair;
|
import org.whispersystems.libaxolotl.util.Pair;
|
||||||
|
|
||||||
public class RootKey {
|
public class RootKey {
|
||||||
@ -41,10 +42,12 @@ public class RootKey {
|
|||||||
public Pair<RootKey, ChainKey> createChain(ECPublicKey theirEphemeral, ECKeyPair ourEphemeral)
|
public Pair<RootKey, ChainKey> createChain(ECPublicKey theirEphemeral, ECKeyPair ourEphemeral)
|
||||||
throws InvalidKeyException
|
throws InvalidKeyException
|
||||||
{
|
{
|
||||||
byte[] sharedSecret = Curve.calculateAgreement(theirEphemeral, ourEphemeral.getPrivateKey());
|
byte[] sharedSecret = Curve.calculateAgreement(theirEphemeral, ourEphemeral.getPrivateKey());
|
||||||
DerivedSecrets keys = kdf.deriveSecrets(sharedSecret, key, "WhisperRatchet".getBytes());
|
byte[] keyBytes = kdf.deriveSecrets(sharedSecret, key, "WhisperRatchet".getBytes(), 64);
|
||||||
RootKey newRootKey = new RootKey(kdf, keys.getCipherKey().getEncoded());
|
byte[][] keys = ByteUtil.split(keyBytes, 32, 32);
|
||||||
ChainKey newChainKey = new ChainKey(kdf, keys.getMacKey().getEncoded(), 0);
|
|
||||||
|
RootKey newRootKey = new RootKey(kdf, keys[0]);
|
||||||
|
ChainKey newChainKey = new ChainKey(kdf, keys[1], 0);
|
||||||
|
|
||||||
return new Pair<>(newRootKey, newChainKey);
|
return new Pair<>(newRootKey, newChainKey);
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user