laantungir
/
nostr-tools
mirror of https://github.com/nbd-wtf/nostr-tools.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

nip44: make the api less classy.

This commit is contained in:
fiatjaf 2024-05-19 14:40:23 -03:00
parent 44efd49bc0
commit 5876acd67a
2 changed files with 113 additions and 116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
nip44.test.ts
View File

@ -7,7 +7,7 @@ const v2vec = vec.v2
test('get_conversation_key', () => { test('get_conversation_key', () => {
for (const v of v2vec.valid.get_conversation_key) { for (const v of v2vec.valid.get_conversation_key) {
const key = v2.utils.getConversationKey(v.sec1, v.pub2) const key = v2.utils.getConversationKey(hexToBytes(v.sec1), v.pub2)
expect(bytesToHex(key)).toEqual(v.conversation_key) expect(bytesToHex(key)).toEqual(v.conversation_key)
} }
}) })
@ -15,7 +15,7 @@ test('get_conversation_key', () => {
test('encrypt_decrypt', () => { test('encrypt_decrypt', () => {
for (const v of v2vec.valid.encrypt_decrypt) { for (const v of v2vec.valid.encrypt_decrypt) {
const pub2 = bytesToHex(schnorr.getPublicKey(v.sec2)) const pub2 = bytesToHex(schnorr.getPublicKey(v.sec2))
const key = v2.utils.getConversationKey(v.sec1, pub2) const key = v2.utils.getConversationKey(hexToBytes(v.sec1), pub2)
expect(bytesToHex(key)).toEqual(v.conversation_key) expect(bytesToHex(key)).toEqual(v.conversation_key)
const ciphertext = v2.encrypt(v.plaintext, key, hexToBytes(v.nonce)) const ciphertext = v2.encrypt(v.plaintext, key, hexToBytes(v.nonce))
expect(ciphertext).toEqual(v.payload) expect(ciphertext).toEqual(v.payload)
@ -39,6 +39,8 @@ test('decrypt', async () => {
test('get_conversation_key', async () => { test('get_conversation_key', async () => {
for (const v of v2vec.invalid.get_conversation_key) { for (const v of v2vec.invalid.get_conversation_key) {
expect(() => v2.utils.getConversationKey(v.sec1, v.pub2)).toThrow(/(Point is not on curve|Cannot find square root)/) expect(() => v2.utils.getConversationKey(hexToBytes(v.sec1), v.pub2)).toThrow(
/(Point is not on curve|Cannot find square root)/,
)
} }
}) })

221
nip44.ts
View File

@ -4,129 +4,124 @@ import { secp256k1 } from '@noble/curves/secp256k1'
import { extract as hkdf_extract, expand as hkdf_expand } from '@noble/hashes/hkdf' import { extract as hkdf_extract, expand as hkdf_expand } from '@noble/hashes/hkdf'
import { hmac } from '@noble/hashes/hmac' import { hmac } from '@noble/hashes/hmac'
import { sha256 } from '@noble/hashes/sha256' import { sha256 } from '@noble/hashes/sha256'
import { concatBytes, randomBytes, utf8ToBytes } from '@noble/hashes/utils' import { concatBytes, randomBytes } from '@noble/hashes/utils'
import { base64 } from '@scure/base' import { base64 } from '@scure/base'
const decoder = new TextDecoder() import { utf8Decoder, utf8Encoder } from './utils.ts'
class u { const minPlaintextSize = 0x0001 // 1b msg => padded to 32b
static minPlaintextSize = 0x0001 // 1b msg => padded to 32b const maxPlaintextSize = 0xffff // 65535 (64kb-1) => padded to 64kb
static maxPlaintextSize = 0xffff // 65535 (64kb-1) => padded to 64kb
static utf8Encode = utf8ToBytes export function getConversationKey(privkeyA: Uint8Array, pubkeyB: string): Uint8Array {
const sharedX = secp256k1.getSharedSecret(privkeyA, '02' + pubkeyB).subarray(1, 33)
return hkdf_extract(sha256, sharedX, 'nip44-v2')
}
static utf8Decode(bytes: Uint8Array): string { function getMessageKeys(
return decoder.decode(bytes) conversationKey: Uint8Array,
} nonce: Uint8Array,
): { chacha_key: Uint8Array; chacha_nonce: Uint8Array; hmac_key: Uint8Array } {
static getConversationKey(privkeyA: string, pubkeyB: string): Uint8Array { const keys = hkdf_expand(sha256, conversationKey, nonce, 76)
const sharedX = secp256k1.getSharedSecret(privkeyA, '02' + pubkeyB).subarray(1, 33) return {
return hkdf_extract(sha256, sharedX, 'nip44-v2') chacha_key: keys.subarray(0, 32),
} chacha_nonce: keys.subarray(32, 44),
hmac_key: keys.subarray(44, 76),
static getMessageKeys(
conversationKey: Uint8Array,
nonce: Uint8Array,
): { chacha_key: Uint8Array; chacha_nonce: Uint8Array; hmac_key: Uint8Array } {
const keys = hkdf_expand(sha256, conversationKey, nonce, 76)
return {
chacha_key: keys.subarray(0, 32),
chacha_nonce: keys.subarray(32, 44),
hmac_key: keys.subarray(44, 76),
}
}
static calcPaddedLen(len: number): number {
if (!Number.isSafeInteger(len) || len < 1) throw new Error('expected positive integer')
if (len <= 32) return 32
const nextPower = 1 << (Math.floor(Math.log2(len - 1)) + 1)
const chunk = nextPower <= 256 ? 32 : nextPower / 8
return chunk * (Math.floor((len - 1) / chunk) + 1)
}
static writeU16BE(num: number): Uint8Array {
if (!Number.isSafeInteger(num) || num < u.minPlaintextSize || num > u.maxPlaintextSize)
throw new Error('invalid plaintext size: must be between 1 and 65535 bytes')
const arr = new Uint8Array(2)
new DataView(arr.buffer).setUint16(0, num, false)
return arr
}
static pad(plaintext: string): Uint8Array {
const unpadded = u.utf8Encode(plaintext)
const unpaddedLen = unpadded.length
const prefix = u.writeU16BE(unpaddedLen)
const suffix = new Uint8Array(u.calcPaddedLen(unpaddedLen) - unpaddedLen)
return concatBytes(prefix, unpadded, suffix)
}
static unpad(padded: Uint8Array): string {
const unpaddedLen = new DataView(padded.buffer).getUint16(0)
const unpadded = padded.subarray(2, 2 + unpaddedLen)
if (
unpaddedLen < u.minPlaintextSize ||
unpaddedLen > u.maxPlaintextSize ||
unpadded.length !== unpaddedLen ||
padded.length !== 2 + u.calcPaddedLen(unpaddedLen)
)
throw new Error('invalid padding')
return u.utf8Decode(unpadded)
}
static hmacAad(key: Uint8Array, message: Uint8Array, aad: Uint8Array): Uint8Array {
if (aad.length !== 32) throw new Error('AAD associated data must be 32 bytes')
const combined = concatBytes(aad, message)
return hmac(sha256, key, combined)
}
// metadata: always 65b (version: 1b, nonce: 32b, max: 32b)
// plaintext: 1b to 0xffff
// padded plaintext: 32b to 0xffff
// ciphertext: 32b+2 to 0xffff+2
// raw payload: 99 (65+32+2) to 65603 (65+0xffff+2)
// compressed payload (base64): 132b to 87472b
static decodePayload(payload: string): { nonce: Uint8Array; ciphertext: Uint8Array; mac: Uint8Array } {
if (typeof payload !== 'string') throw new Error('payload must be a valid string')
const plen = payload.length
if (plen < 132 || plen > 87472) throw new Error('invalid payload length: ' + plen)
if (payload[0] === '#') throw new Error('unknown encryption version')
let data: Uint8Array
try {
data = base64.decode(payload)
} catch (error) {
throw new Error('invalid base64: ' + (error as any).message)
}
const dlen = data.length
if (dlen < 99 || dlen > 65603) throw new Error('invalid data length: ' + dlen)
const vers = data[0]
if (vers !== 2) throw new Error('unknown encryption version ' + vers)
return {
nonce: data.subarray(1, 33),
ciphertext: data.subarray(33, -32),
mac: data.subarray(-32),
}
} }
} }
export class v2 { function calcPaddedLen(len: number): number {
static utils = u if (!Number.isSafeInteger(len) || len < 1) throw new Error('expected positive integer')
if (len <= 32) return 32
const nextPower = 1 << (Math.floor(Math.log2(len - 1)) + 1)
const chunk = nextPower <= 256 ? 32 : nextPower / 8
return chunk * (Math.floor((len - 1) / chunk) + 1)
}
static encrypt(plaintext: string, conversationKey: Uint8Array, nonce: Uint8Array = randomBytes(32)): string { function writeU16BE(num: number): Uint8Array {
const { chacha_key, chacha_nonce, hmac_key } = u.getMessageKeys(conversationKey, nonce) if (!Number.isSafeInteger(num) || num < minPlaintextSize || num > maxPlaintextSize)
const padded = u.pad(plaintext) throw new Error('invalid plaintext size: must be between 1 and 65535 bytes')
const ciphertext = chacha20(chacha_key, chacha_nonce, padded) const arr = new Uint8Array(2)
const mac = u.hmacAad(hmac_key, ciphertext, nonce) new DataView(arr.buffer).setUint16(0, num, false)
return base64.encode(concatBytes(new Uint8Array([2]), nonce, ciphertext, mac)) return arr
}
function pad(plaintext: string): Uint8Array {
const unpadded = utf8Encoder.encode(plaintext)
const unpaddedLen = unpadded.length
const prefix = writeU16BE(unpaddedLen)
const suffix = new Uint8Array(calcPaddedLen(unpaddedLen) - unpaddedLen)
return concatBytes(prefix, unpadded, suffix)
}
function unpad(padded: Uint8Array): string {
const unpaddedLen = new DataView(padded.buffer).getUint16(0)
const unpadded = padded.subarray(2, 2 + unpaddedLen)
if (
unpaddedLen < minPlaintextSize ||
unpaddedLen > maxPlaintextSize ||
unpadded.length !== unpaddedLen ||
padded.length !== 2 + calcPaddedLen(unpaddedLen)
)
throw new Error('invalid padding')
return utf8Decoder.decode(unpadded)
}
function hmacAad(key: Uint8Array, message: Uint8Array, aad: Uint8Array): Uint8Array {
if (aad.length !== 32) throw new Error('AAD associated data must be 32 bytes')
const combined = concatBytes(aad, message)
return hmac(sha256, key, combined)
}
// metadata: always 65b (version: 1b, nonce: 32b, max: 32b)
// plaintext: 1b to 0xffff
// padded plaintext: 32b to 0xffff
// ciphertext: 32b+2 to 0xffff+2
// raw payload: 99 (65+32+2) to 65603 (65+0xffff+2)
// compressed payload (base64): 132b to 87472b
function decodePayload(payload: string): { nonce: Uint8Array; ciphertext: Uint8Array; mac: Uint8Array } {
if (typeof payload !== 'string') throw new Error('payload must be a valid string')
const plen = payload.length
if (plen < 132 || plen > 87472) throw new Error('invalid payload length: ' + plen)
if (payload[0] === '#') throw new Error('unknown encryption version')
let data: Uint8Array
try {
data = base64.decode(payload)
} catch (error) {
throw new Error('invalid base64: ' + (error as any).message)
} }
const dlen = data.length
static decrypt(payload: string, conversationKey: Uint8Array): string { if (dlen < 99 || dlen > 65603) throw new Error('invalid data length: ' + dlen)
const { nonce, ciphertext, mac } = u.decodePayload(payload) const vers = data[0]
const { chacha_key, chacha_nonce, hmac_key } = u.getMessageKeys(conversationKey, nonce) if (vers !== 2) throw new Error('unknown encryption version ' + vers)
const calculatedMac = u.hmacAad(hmac_key, ciphertext, nonce) return {
if (!equalBytes(calculatedMac, mac)) throw new Error('invalid MAC') nonce: data.subarray(1, 33),
const padded = chacha20(chacha_key, chacha_nonce, ciphertext) ciphertext: data.subarray(33, -32),
return u.unpad(padded) mac: data.subarray(-32),
} }
} }
export default { v2 } export function encrypt(plaintext: string, conversationKey: Uint8Array, nonce: Uint8Array = randomBytes(32)): string {
const { chacha_key, chacha_nonce, hmac_key } = getMessageKeys(conversationKey, nonce)
const padded = pad(plaintext)
const ciphertext = chacha20(chacha_key, chacha_nonce, padded)
const mac = hmacAad(hmac_key, ciphertext, nonce)
return base64.encode(concatBytes(new Uint8Array([2]), nonce, ciphertext, mac))
}
export function decrypt(payload: string, conversationKey: Uint8Array): string {
const { nonce, ciphertext, mac } = decodePayload(payload)
const { chacha_key, chacha_nonce, hmac_key } = getMessageKeys(conversationKey, nonce)
const calculatedMac = hmacAad(hmac_key, ciphertext, nonce)
if (!equalBytes(calculatedMac, mac)) throw new Error('invalid MAC')
const padded = chacha20(chacha_key, chacha_nonce, ciphertext)
return unpad(padded)
}
export const v2 = {
utils: {
getConversationKey,
calcPaddedLen,
},
encrypt,
decrypt,
}