// tslint:disable no-bitwise no-default-export import { ByteBufferClass } from '../window.d'; const PROFILE_IV_LENGTH = 12; // bytes const PROFILE_KEY_LENGTH = 32; // bytes const PROFILE_TAG_LENGTH = 128; // bits const PROFILE_NAME_PADDED_LENGTH = 53; // bytes function verifyDigest(data: ArrayBuffer, theirDigest: ArrayBuffer) { return window.crypto.subtle .digest({ name: 'SHA-256' }, data) .then(ourDigest => { const a = new Uint8Array(ourDigest); const b = new Uint8Array(theirDigest); let result = 0; for (let i = 0; i < theirDigest.byteLength; i += 1) { result |= a[i] ^ b[i]; } if (result !== 0) { throw new Error('Bad digest'); } }); } function calculateDigest(data: ArrayBuffer) { return window.crypto.subtle.digest({ name: 'SHA-256' }, data); } const Crypto = { // Decrypts message into a raw string async decryptWebsocketMessage( message: ByteBufferClass, signalingKey: ArrayBuffer ) { const decodedMessage = message.toArrayBuffer(); if (signalingKey.byteLength !== 52) { throw new Error('Got invalid length signalingKey'); } if (decodedMessage.byteLength < 1 + 16 + 10) { throw new Error('Got invalid length message'); } if (new Uint8Array(decodedMessage)[0] !== 1) { throw new Error( `Got bad version number: ${new Uint8Array(decodedMessage)[0]}` ); } const aesKey = signalingKey.slice(0, 32); const macKey = signalingKey.slice(32, 32 + 20); const iv = decodedMessage.slice(1, 1 + 16); const ciphertext = decodedMessage.slice( 1 + 16, decodedMessage.byteLength - 10 ); const ivAndCiphertext = decodedMessage.slice( 0, decodedMessage.byteLength - 10 ); const mac = decodedMessage.slice( decodedMessage.byteLength - 10, decodedMessage.byteLength ); return window.libsignal.crypto .verifyMAC(ivAndCiphertext, macKey, mac, 10) .then(async () => window.libsignal.crypto.decrypt(aesKey, ciphertext, iv) ); }, async decryptAttachment( encryptedBin: ArrayBuffer, keys: ArrayBuffer, theirDigest: ArrayBuffer ) { if (keys.byteLength !== 64) { throw new Error('Got invalid length attachment keys'); } if (encryptedBin.byteLength < 16 + 32) { throw new Error('Got invalid length attachment'); } const aesKey = keys.slice(0, 32); const macKey = keys.slice(32, 64); const iv = encryptedBin.slice(0, 16); const ciphertext = encryptedBin.slice(16, encryptedBin.byteLength - 32); const ivAndCiphertext = encryptedBin.slice(0, encryptedBin.byteLength - 32); const mac = encryptedBin.slice( encryptedBin.byteLength - 32, encryptedBin.byteLength ); return window.libsignal.crypto .verifyMAC(ivAndCiphertext, macKey, mac, 32) .then(async () => { if (theirDigest) { return verifyDigest(encryptedBin, theirDigest); } return null; }) .then(async () => window.libsignal.crypto.decrypt(aesKey, ciphertext, iv) ); }, async encryptAttachment( plaintext: ArrayBuffer, keys: ArrayBuffer, iv: ArrayBuffer ) { if (!(plaintext instanceof ArrayBuffer) && !ArrayBuffer.isView(plaintext)) { throw new TypeError( `\`plaintext\` must be an \`ArrayBuffer\` or \`ArrayBufferView\`; got: ${typeof plaintext}` ); } if (keys.byteLength !== 64) { throw new Error('Got invalid length attachment keys'); } if (iv.byteLength !== 16) { throw new Error('Got invalid length attachment iv'); } const aesKey = keys.slice(0, 32); const macKey = keys.slice(32, 64); return window.libsignal.crypto .encrypt(aesKey, plaintext, iv) .then(async ciphertext => { const ivAndCiphertext = new Uint8Array(16 + ciphertext.byteLength); ivAndCiphertext.set(new Uint8Array(iv)); ivAndCiphertext.set(new Uint8Array(ciphertext), 16); return window.libsignal.crypto .calculateMAC(macKey, ivAndCiphertext.buffer as ArrayBuffer) .then(async mac => { const encryptedBin = new Uint8Array( 16 + ciphertext.byteLength + 32 ); encryptedBin.set(ivAndCiphertext); encryptedBin.set(new Uint8Array(mac), 16 + ciphertext.byteLength); return calculateDigest(encryptedBin.buffer as ArrayBuffer).then( digest => ({ ciphertext: encryptedBin.buffer, digest, }) ); }); }); }, async encryptProfile(data: ArrayBuffer, key: ArrayBuffer) { const iv = window.libsignal.crypto.getRandomBytes(PROFILE_IV_LENGTH); if (key.byteLength !== PROFILE_KEY_LENGTH) { throw new Error('Got invalid length profile key'); } if (iv.byteLength !== PROFILE_IV_LENGTH) { throw new Error('Got invalid length profile iv'); } return window.crypto.subtle .importKey('raw', key, { name: 'AES-GCM' } as any, false, ['encrypt']) .then(async keyForEncryption => window.crypto.subtle .encrypt( { name: 'AES-GCM', iv, tagLength: PROFILE_TAG_LENGTH }, keyForEncryption, data ) .then(ciphertext => { const ivAndCiphertext = new Uint8Array( PROFILE_IV_LENGTH + ciphertext.byteLength ); ivAndCiphertext.set(new Uint8Array(iv)); ivAndCiphertext.set(new Uint8Array(ciphertext), PROFILE_IV_LENGTH); return ivAndCiphertext.buffer; }) ); }, async decryptProfile(data: ArrayBuffer, key: ArrayBuffer) { if (data.byteLength < 12 + 16 + 1) { throw new Error(`Got too short input: ${data.byteLength}`); } const iv = data.slice(0, PROFILE_IV_LENGTH); const ciphertext = data.slice(PROFILE_IV_LENGTH, data.byteLength); if (key.byteLength !== PROFILE_KEY_LENGTH) { throw new Error('Got invalid length profile key'); } if (iv.byteLength !== PROFILE_IV_LENGTH) { throw new Error('Got invalid length profile iv'); } const error = new Error(); // save stack return window.crypto.subtle .importKey('raw', key, { name: 'AES-GCM' } as any, false, ['decrypt']) .then(async keyForEncryption => window.crypto.subtle .decrypt( { name: 'AES-GCM', iv, tagLength: PROFILE_TAG_LENGTH }, keyForEncryption, ciphertext ) // Typescript says that there's no .catch() available here // @ts-ignore .catch((e: Error) => { if (e.name === 'OperationError') { // bad mac, basically. error.message = 'Failed to decrypt profile data. Most likely the profile key has changed.'; error.name = 'ProfileDecryptError'; throw error; } }) ); }, async encryptProfileName(name: ArrayBuffer, key: ArrayBuffer) { const padded = new Uint8Array(PROFILE_NAME_PADDED_LENGTH); padded.set(new Uint8Array(name)); return Crypto.encryptProfile(padded.buffer as ArrayBuffer, key); }, async decryptProfileName(encryptedProfileName: string, key: ArrayBuffer) { const data = window.dcodeIO.ByteBuffer.wrap( encryptedProfileName, 'base64' ).toArrayBuffer(); return Crypto.decryptProfile(data, key).then(decrypted => { const padded = new Uint8Array(decrypted); // Given name is the start of the string to the first null character let givenEnd; for (givenEnd = 0; givenEnd < padded.length; givenEnd += 1) { if (padded[givenEnd] === 0x00) { break; } } // Family name is the next chunk of non-null characters after that first null let familyEnd; for ( familyEnd = givenEnd + 1; familyEnd < padded.length; familyEnd += 1 ) { if (padded[familyEnd] === 0x00) { break; } } const foundFamilyName = familyEnd > givenEnd + 1; return { given: window.dcodeIO.ByteBuffer.wrap(padded) .slice(0, givenEnd) .toArrayBuffer(), family: foundFamilyName ? window.dcodeIO.ByteBuffer.wrap(padded) .slice(givenEnd + 1, familyEnd) .toArrayBuffer() : null, }; }); }, getRandomBytes(size: number) { return window.libsignal.crypto.getRandomBytes(size); }, }; export default Crypto;