/* * Copyright (c) 2013-2022, The PurpleI2P Project * * This file is part of Purple i2pd project and licensed under BSD3 * * See full license text in LICENSE file at top of project tree */ #include // for crc32 #include #include #include #include #include "Base.h" #include "Crypto.h" #include "Log.h" #include "Timestamp.h" #include "I2PEndian.h" #include "Ed25519.h" #include "Signature.h" #include "Blinding.h" namespace i2p { namespace data { static EC_POINT *BlindPublicKeyECDSA(const EC_GROUP *group, const EC_POINT *pub, const uint8_t *seed) { BN_CTX *ctx = BN_CTX_new(); BN_CTX_start(ctx); BIGNUM *q = BN_CTX_get(ctx); EC_GROUP_get_order(group, q, ctx); // calculate alpha = seed mod q BIGNUM *alpha = BN_CTX_get(ctx); BN_bin2bn(seed, 64, alpha); // seed is in BigEndian BN_mod(alpha, alpha, q, ctx); // % q // A' = BLIND_PUBKEY(A, alpha) = A + DERIVE_PUBLIC(alpha) auto p = EC_POINT_new(group); EC_POINT_mul(group, p, alpha, nullptr, nullptr, ctx); // B*alpha EC_POINT_add(group, p, pub, p, ctx); // pub + B*alpha BN_CTX_end(ctx); BN_CTX_free(ctx); return p; } static void BlindPrivateKeyECDSA(const EC_GROUP *group, const BIGNUM *priv, const uint8_t *seed, BIGNUM *blindedPriv) { BN_CTX *ctx = BN_CTX_new(); BN_CTX_start(ctx); BIGNUM *q = BN_CTX_get(ctx); EC_GROUP_get_order(group, q, ctx); // calculate alpha = seed mod q BIGNUM *alpha = BN_CTX_get(ctx); BN_bin2bn(seed, 64, alpha); // seed is in BigEndian BN_mod(alpha, alpha, q, ctx); // % q BN_add(alpha, alpha, priv); // alpha = alpha + priv // a' = BLIND_PRIVKEY(a, alpha) = (a + alpha) mod q BN_mod(blindedPriv, alpha, q, ctx); // % q BN_CTX_end(ctx); BN_CTX_free(ctx); } static void BlindEncodedPublicKeyECDSA(size_t publicKeyLen, const EC_GROUP *group, const uint8_t *pub, const uint8_t *seed, uint8_t *blindedPub) { BIGNUM *x = BN_bin2bn(pub, publicKeyLen / 2, NULL); BIGNUM *y = BN_bin2bn(pub + publicKeyLen / 2, publicKeyLen / 2, NULL); EC_POINT *p = EC_POINT_new(group); EC_POINT_set_affine_coordinates_GFp(group, p, x, y, NULL); EC_POINT *p1 = BlindPublicKeyECDSA(group, p, seed); EC_POINT_free(p); EC_POINT_get_affine_coordinates_GFp(group, p1, x, y, NULL); EC_POINT_free(p1); i2p::crypto::bn2buf(x, blindedPub, publicKeyLen / 2); i2p::crypto::bn2buf(y, blindedPub + publicKeyLen / 2, publicKeyLen / 2); BN_free(x); BN_free(y); } static void BlindEncodedPrivateKeyECDSA(size_t publicKeyLen, const EC_GROUP *group, const uint8_t *priv, const uint8_t *seed, uint8_t *blindedPriv, uint8_t *blindedPub) { BIGNUM *a = BN_bin2bn(priv, publicKeyLen / 2, NULL); BIGNUM *a1 = BN_new(); BlindPrivateKeyECDSA(group, a, seed, a1); BN_free(a); i2p::crypto::bn2buf(a1, blindedPriv, publicKeyLen / 2); auto p = EC_POINT_new(group); BN_CTX *ctx = BN_CTX_new(); EC_POINT_mul(group, p, a1, nullptr, nullptr, ctx); // B*a1 BN_CTX_free(ctx); BN_free(a1); BIGNUM *x = BN_new(), *y = BN_new(); EC_POINT_get_affine_coordinates_GFp(group, p, x, y, NULL); EC_POINT_free(p); i2p::crypto::bn2buf(x, blindedPub, publicKeyLen / 2); i2p::crypto::bn2buf(y, blindedPub + publicKeyLen / 2, publicKeyLen / 2); BN_free(x); BN_free(y); } template static size_t BlindECDSA(i2p::data::SigningKeyType sigType, const uint8_t *key, const uint8_t *seed, Fn blind, Args &&...args) // blind is BlindEncodedPublicKeyECDSA or BlindEncodedPrivateKeyECDSA { size_t publicKeyLength = 0; EC_GROUP *group = nullptr; switch (sigType) { case i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256: { publicKeyLength = i2p::crypto::ECDSAP256_KEY_LENGTH; group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1); break; } case i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA384_P384: { publicKeyLength = i2p::crypto::ECDSAP384_KEY_LENGTH; group = EC_GROUP_new_by_curve_name(NID_secp384r1); break; } case i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA512_P521: { publicKeyLength = i2p::crypto::ECDSAP521_KEY_LENGTH; group = EC_GROUP_new_by_curve_name(NID_secp521r1); break; } default: LogPrint(eLogError, "Blinding: Signature type ", (int) sigType, " is not ECDSA"); } if (group) { blind(publicKeyLength, group, key, seed, std::forward(args)...); EC_GROUP_free(group); } return publicKeyLength; } //---------------------------------------------------------- const uint8_t B33_TWO_BYTES_SIGTYPE_FLAG = 0x01; const uint8_t B33_PER_SECRET_FLAG = 0x02; // not used for now const uint8_t B33_PER_CLIENT_AUTH_FLAG = 0x04; BlindedPublicKey::BlindedPublicKey(std::shared_ptr identity, bool clientAuth) : m_IsClientAuth(clientAuth) { if (!identity) return; auto len = identity->GetSigningPublicKeyLen(); m_PublicKey.resize(len); memcpy(m_PublicKey.data(), identity->GetSigningPublicKeyBuffer(), len); m_SigType = identity->GetSigningKeyType(); if (m_SigType == i2p::data::SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519) m_BlindedSigType = i2p::data::SIGNING_KEY_TYPE_REDDSA_SHA512_ED25519; // 7 -> 11 else m_BlindedSigType = m_SigType; } BlindedPublicKey::BlindedPublicKey(const std::string &b33) : m_SigType(0) // 0 means invalid, we can't blind DSA, set it later { uint8_t addr[40]; // TODO: define length from b33 size_t l = i2p::data::Base32ToByteStream(b33.c_str(), b33.length(), addr, 40); if (l < 32) { LogPrint(eLogError, "Blinding: Malformed b33 ", b33); return; } uint32_t checksum = crc32(0, addr + 3, l - 3); // checksum is Little Endian addr[0] ^= checksum; addr[1] ^= (checksum >> 8); addr[2] ^= (checksum >> 16); uint8_t flags = addr[0]; size_t offset = 1; if (flags & B33_TWO_BYTES_SIGTYPE_FLAG) // two bytes signatures { m_SigType = bufbe16toh(addr + offset); offset += 2; m_BlindedSigType = bufbe16toh(addr + offset); offset += 2; } else // one byte sig { m_SigType = addr[offset]; offset++; m_BlindedSigType = addr[offset]; offset++; } m_IsClientAuth = flags & B33_PER_CLIENT_AUTH_FLAG; std::unique_ptr blindedVerifier(i2p::data::IdentityEx::CreateVerifier(m_SigType)); if (blindedVerifier) { auto len = blindedVerifier->GetPublicKeyLen(); if (offset + len <= l) { m_PublicKey.resize(len); memcpy(m_PublicKey.data(), addr + offset, len); } else LogPrint(eLogError, "Blinding: Public key in b33 address is too short for signature type ", (int) m_SigType); } else LogPrint(eLogError, "Blinding: Unknown signature type ", (int) m_SigType, " in b33"); } std::string BlindedPublicKey::ToB33() const { if (m_PublicKey.size() > 32) return ""; // assume 25519 uint8_t addr[35]; char str[60]; // TODO: define actual length uint8_t flags = 0; if (m_IsClientAuth) flags |= B33_PER_CLIENT_AUTH_FLAG; addr[0] = flags; // flags addr[1] = m_SigType; // sig type addr[2] = m_BlindedSigType; // blinded sig type memcpy(addr + 3, m_PublicKey.data(), m_PublicKey.size()); uint32_t checksum = crc32(0, addr + 3, m_PublicKey.size()); // checksum is Little Endian addr[0] ^= checksum; addr[1] ^= (checksum >> 8); addr[2] ^= (checksum >> 16); auto l = ByteStreamToBase32(addr, m_PublicKey.size() + 3, str, 60); return std::string(str, str + l); } void BlindedPublicKey::GetCredential(uint8_t *credential) const { // A = destination's signing public key // stA = signature type of A, 2 bytes big endian uint16_t stA = htobe16(GetSigType()); // stA1 = signature type of blinded A, 2 bytes big endian uint16_t stA1 = htobe16(GetBlindedSigType()); // credential = H("credential", A || stA || stA1) H("credential", {{GetPublicKey(), GetPublicKeyLen()}, {(const uint8_t *) &stA, 2}, {(const uint8_t *) &stA1, 2}}, credential); } void BlindedPublicKey::GetSubcredential(const uint8_t *blinded, size_t len, uint8_t *subcredential) const { uint8_t credential[32]; GetCredential(credential); // subcredential = H("subcredential", credential || blindedPublicKey) H("subcredential", {{credential, 32}, {blinded, len}}, subcredential); } void BlindedPublicKey::GenerateAlpha(const char *date, uint8_t *seed) const { uint16_t stA = htobe16(GetSigType()), stA1 = htobe16(GetBlindedSigType()); uint8_t salt[32]; //seed = HKDF(H("I2PGenerateAlpha", keydata), datestring || secret, "i2pblinding1", 64) H("I2PGenerateAlpha", {{GetPublicKey(), GetPublicKeyLen()}, {(const uint8_t *) &stA, 2}, {(const uint8_t *) &stA1, 2}}, salt); i2p::crypto::HKDF(salt, (const uint8_t *) date, 8, "i2pblinding1", seed); } size_t BlindedPublicKey::GetBlindedKey(const char *date, uint8_t *blindedKey) const { uint8_t seed[64]; GenerateAlpha(date, seed); size_t publicKeyLength = 0; switch (m_SigType) { case i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256: case i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA384_P384: case i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA512_P521: publicKeyLength = BlindECDSA(m_SigType, GetPublicKey(), seed, BlindEncodedPublicKeyECDSA, blindedKey); break; case i2p::data::SIGNING_KEY_TYPE_REDDSA_SHA512_ED25519: case i2p::data::SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519: i2p::crypto::GetEd25519()->BlindPublicKey(GetPublicKey(), seed, blindedKey); publicKeyLength = i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH; break; default: LogPrint(eLogError, "Blinding: Can't blind signature type ", (int) m_SigType); } return publicKeyLength; } size_t BlindedPublicKey::BlindPrivateKey(const uint8_t *priv, const char *date, uint8_t *blindedPriv, uint8_t *blindedPub) const { uint8_t seed[64]; GenerateAlpha(date, seed); size_t publicKeyLength = 0; switch (m_SigType) { case i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256: case i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA384_P384: case i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA512_P521: publicKeyLength = BlindECDSA(m_SigType, priv, seed, BlindEncodedPrivateKeyECDSA, blindedPriv, blindedPub); break; case i2p::data::SIGNING_KEY_TYPE_REDDSA_SHA512_ED25519: i2p::crypto::GetEd25519()->BlindPrivateKey(priv, seed, blindedPriv, blindedPub); publicKeyLength = i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH; break; case i2p::data::SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519: { uint8_t exp[64]; i2p::crypto::Ed25519::ExpandPrivateKey(priv, exp); i2p::crypto::GetEd25519()->BlindPrivateKey(exp, seed, blindedPriv, blindedPub); publicKeyLength = i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH; break; } default: LogPrint(eLogError, "Blinding: Can't blind signature type ", (int) m_SigType); } return publicKeyLength; } void BlindedPublicKey::H(const std::string &p, const std::vector > &bufs, uint8_t *hash) const { SHA256_CTX ctx; SHA256_Init(&ctx); SHA256_Update(&ctx, p.c_str(), p.length()); for (const auto &it: bufs) SHA256_Update(&ctx, it.first, it.second); SHA256_Final(hash, &ctx); } i2p::data::IdentHash BlindedPublicKey::GetStoreHash(const char *date) const { i2p::data::IdentHash hash; uint8_t blinded[128]; size_t publicKeyLength = 0; if (date) publicKeyLength = GetBlindedKey(date, blinded); else { char currentDate[9]; i2p::util::GetCurrentDate(currentDate); publicKeyLength = GetBlindedKey(currentDate, blinded); } if (publicKeyLength) { auto stA1 = htobe16(m_BlindedSigType); SHA256_CTX ctx; SHA256_Init(&ctx); SHA256_Update(&ctx, (const uint8_t *) &stA1, 2); SHA256_Update(&ctx, blinded, publicKeyLength); SHA256_Final((uint8_t *) hash, &ctx); } else LogPrint(eLogError, "Blinding: Blinded key type ", (int) m_BlindedSigType, " is not supported"); return hash; } } }