clientside implementation of block signing and encryption

2018-06-19 16:38:49 +02:00 · 2018-06-19 16:38:49 +02:00 · 577dea4c75
parent 0365092aaf
commit 577dea4c75
6 changed files with 115 additions and 8 deletions
--- a/.gitignore
+++ b/.gitignore
@ -14,5 +14,6 @@ data
 npm-debug.log
 pins/
 blob/
+block/
 blobstage/
 privileged.conf
--- a/customize.dist/login.js
+++ b/customize.dist/login.js
@ -105,7 +105,7 @@ define([
            return void cb('PASS_TOO_SHORT');
        }

-        Cred.deriveFromPassphrase(uname, passwd, 128, function (bytes) {
+        Cred.deriveFromPassphrase(uname, passwd, 192, function (bytes) {
            // results...
            var res = {
                register: isRegister,
--- a/rpc.js
+++ b/rpc.js
@ -1342,7 +1342,6 @@ var validateLoginBlock = function (Env, publicKey, signature, block, cb) {
    try {
        u8_block = Nacl.util.decodeBase64(block);
    } catch (e) {
-        // TODO print to console
        return void cb('E_INVALID_BLOCK');
    }

@ -1432,8 +1431,6 @@ var writeLoginBlock = function (Env, msg, cb) {

 */
 var removeLoginBlock = function (Env, msg, cb) {
-    console.log(msg); // XXX
-
    var publicKey = msg[0];
    var signature = msg[1];
    var block = Nacl.util.decodeUTF8('DELETE_BLOCK'); // clients and the server will have to agree on this constant
@ -1854,9 +1851,12 @@ RPC.create = function (
                    Respond(e);
                });
            case 'WRITE_LOGIN_BLOCK':
-                return void writeLoginBlock(Env, msg, function (e) {
-                    // TODO handle response
-                    e = e;
+                return void writeLoginBlock(Env, msg[1], function (e) {
+                    if (e) {
+                        WARN(e, 'WRITE_LOGIN_BLOCK');
+                        return void Respond(e);
+                    }
+                    Respond(e);
                });
            case 'REMOVE_LOGIN_BLOCK':
                return void removeLoginBlock(Env, msg, function (e) {
--- a/www/common/common-util.js
+++ b/www/common/common-util.js
@ -83,6 +83,21 @@ define([], function () {
        }).join('');
    };

+    // given an array of Uint8Arrays, return a new Array with all their values
+    Util.uint8ArrayJoin = function (AA) {
+        var l = 0;
+        var i = 0;
+        for (; i < AA.length; i++) { l += AA[i].length; }
+        var C = new Uint8Array(l);
+
+        i = 0;
+        for (var offset = 0; i < AA.length; i++) {
+            C.set(AA[i], offset);
+            offset += AA[i].length;
+        }
+        return C;
+    };
+
    Util.deduplicateString = function (array) {
        var a = array.slice();
        for(var i=0; i<a.length; i++) {
--- a/www/common/outer/login-block.js
+++ b/www/common/outer/login-block.js
@ -0,0 +1,79 @@
+define([
+    '/common/common-util.js',
+    '/bower_components/tweetnacl/nacl-fast.min.js',
+], function (Util) {
+    var Nacl = window.nacl;
+
+    var Block = {};
+
+    Block.join = Util.uint8ArrayJoin;
+
+    // publickey <base64 string>
+
+    // signature <base64 string>
+
+    // block <base64 string>
+
+    // [b64_public, b64_sig, b64_block [version, nonce, content]]
+
+    Block.seed = function () {
+        return Nacl.hash(Nacl.util.decodeUTF8('pewpewpew'));
+    };
+
+    // should be deterministic from a seed...
+    Block.genkeys = function (seed) {
+        if (!seed || typeof(seed.length) !== 'number' || seed.length < 64) {
+            throw new Error('INVALID_SEED_LENGTH');
+        }
+
+        var signSeed = seed.subarray(0, Nacl.sign.seedLength);
+        var symmetric = seed.subarray(Nacl.sign.seedLength,
+            Nacl.sign.seedLength + Nacl.secretbox.keyLength);
+
+        return {
+            sign: Nacl.sign.keyPair.fromSeed(signSeed), // 32 bytes
+            symmetric: symmetric,
+        };
+    };
+
+    // (UTF8 content, keys object) => Uint8Array block
+    Block.encrypt = function (version, content, keys) {
+        var u8 = Nacl.util.decodeUTF8(content);
+        var nonce = Nacl.randomBytes(Nacl.secretbox.nonceLength);
+        return Block.join([
+            [0],
+            nonce,
+            Nacl.secretbox(u8, nonce, keys.symmetric)
+        ]);
+    };
+
+    // (uint8Array block) => payload object
+    Block.decrypt = function (u8_content, keys) {
+        // version is currently ignored since there is only one
+        var nonce = u8_content.subarray(1, 1 + Nacl.secretbox.nonceLength);
+        var box = content.subarray(1 + Nacl.secretbox.nonceLength);
+        return Nacl.secretbox.open(box, nonce, keys.symmetric);
+    };
+
+    // (Uint8Array block) => signature
+    Block.sign = function (ciphertext, keys) {
+        return Nacl.sign.detached(Nacl.hash(ciphertext), keys.sign.secretKey);
+    };
+
+    Block.serialize = function (content, keys) {
+        // encrypt the content
+        var ciphertext = Block.encrypt(0, content, keys);
+
+        // generate a detached signature
+        var sig = Block.sign(ciphertext, keys);
+
+        // serialize {publickey, sig, ciphertext}
+        return {
+            publicKey: Nacl.util.encodeBase64(keys.sign.publicKey),
+            signature: Nacl.util.encodeBase64(sig),
+            ciphertext: Nacl.util.encodeBase64(ciphertext),
+        };
+    };
+
+    return Block;
+});
--- a/www/common/pinpad.js
+++ b/www/common/pinpad.js
@ -222,7 +222,19 @@ define([
            };

            exp.writeLoginBlock = function (data, cb) {
-                cb();
+                if (!data) { return void cb('NO_DATA'); }
+                if (!data.publicKey || !data.signature || !data.ciphertext) {
+                    console.log(data);
+                    return void cb("MISSING_PARAMETERS");
+                }
+
+                rpc.send('WRITE_LOGIN_BLOCK', [
+                    data.publicKey,
+                    data.signature,
+                    data.ciphertext
+                ], function (e) {
+                    cb(e);
+                });
            };

            cb(e, exp);