/* This file is part of GNU Taler (C) 2019 GNUnet e.V. GNU Taler is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3, or (at your option) any later version. GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with GNU Taler; see the file COPYING. If not, see */ /** * Native implementation of GNU Taler crypto primitives. */ /** * Imports. */ import * as nacl from "./nacl-fast.js"; import { hmacSha256, hmacSha512 } from "./kdf.js"; import bigint from "big-integer"; import { CoinEnvelope, CoinPublicKeyString, DenominationPubKey, DenomKeyType, HashCodeString, } from "./taler-types.js"; import { Logger } from "./logging.js"; import { secretbox } from "./nacl-fast.js"; import * as fflate from "fflate"; import { canonicalJson } from "./helpers.js"; export type Flavor = T & { _flavor?: `taler.${FlavorT}`; }; export type FlavorP = T & { _flavor?: `taler.${FlavorT}`; _size?: S; }; export function getRandomBytes(n: number): Uint8Array { return nacl.randomBytes(n); } export function getRandomBytesF( n: T, ): FlavorP { return nacl.randomBytes(n); } export const useNative = true; /** * Interface of the native Taler runtime library. */ interface NativeTartLib { decodeUtf8(buf: Uint8Array): string; decodeUtf8(str: string): Uint8Array; randomBytes(n: number): Uint8Array; encodeCrock(buf: Uint8Array | ArrayBuffer): string; decodeCrock(str: string): Uint8Array; hash(buf: Uint8Array): Uint8Array; eddsaGetPublic(buf: Uint8Array): Uint8Array; ecdheGetPublic(buf: Uint8Array): Uint8Array; eddsaSign(msg: Uint8Array, priv: Uint8Array): Uint8Array; eddsaVerify(msg: Uint8Array, sig: Uint8Array, pub: Uint8Array): boolean; kdf( outLen: number, ikm: Uint8Array, salt?: Uint8Array, info?: Uint8Array, ): Uint8Array; keyExchangeEcdhEddsa(ecdhPriv: Uint8Array, eddsaPub: Uint8Array): Uint8Array; keyExchangeEddsaEcdh(eddsaPriv: Uint8Array, ecdhPub: Uint8Array): Uint8Array; rsaBlind(hmsg: Uint8Array, bks: Uint8Array, rsaPub: Uint8Array): Uint8Array; rsaUnblind( blindSig: Uint8Array, rsaPub: Uint8Array, bks: Uint8Array, ): Uint8Array; rsaVerify(hmsg: Uint8Array, rsaSig: Uint8Array, rsaPub: Uint8Array): boolean; hashStateInit(): any; hashStateUpdate(st: any, data: Uint8Array): any; hashStateFinish(st: any): Uint8Array; } // @ts-ignore let tart: NativeTartLib | undefined; if (useNative) { // @ts-ignore tart = globalThis._tart; } const encTable = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"; class EncodingError extends Error { constructor() { super("Encoding error"); Object.setPrototypeOf(this, EncodingError.prototype); } } function getValue(chr: string): number { let a = chr; switch (chr) { case "O": case "o": a = "0;"; break; case "i": case "I": case "l": case "L": a = "1"; break; case "u": case "U": a = "V"; } if (a >= "0" && a <= "9") { return a.charCodeAt(0) - "0".charCodeAt(0); } if (a >= "a" && a <= "z") a = a.toUpperCase(); let dec = 0; if (a >= "A" && a <= "Z") { if ("I" < a) dec++; if ("L" < a) dec++; if ("O" < a) dec++; if ("U" < a) dec++; return a.charCodeAt(0) - "A".charCodeAt(0) + 10 - dec; } throw new EncodingError(); } export function encodeCrock(data: ArrayBuffer): string { if (tart) { return tart.encodeCrock(data); } const dataBytes = new Uint8Array(data); let sb = ""; const size = data.byteLength; let bitBuf = 0; let numBits = 0; let pos = 0; while (pos < size || numBits > 0) { if (pos < size && numBits < 5) { const d = dataBytes[pos++]; bitBuf = (bitBuf << 8) | d; numBits += 8; } if (numBits < 5) { // zero-padding bitBuf = bitBuf << (5 - numBits); numBits = 5; } const v = (bitBuf >>> (numBits - 5)) & 31; sb += encTable[v]; numBits -= 5; } return sb; } export function kdf( outputLength: number, ikm: Uint8Array, salt?: Uint8Array, info?: Uint8Array, ): Uint8Array { if (tart) { return tart.kdf(outputLength, ikm, salt, info); } salt = salt ?? new Uint8Array(64); // extract const prk = hmacSha512(salt, ikm); info = info ?? new Uint8Array(0); // expand const N = Math.ceil(outputLength / 32); const output = new Uint8Array(N * 32); for (let i = 0; i < N; i++) { let buf; if (i == 0) { buf = new Uint8Array(info.byteLength + 1); buf.set(info, 0); } else { buf = new Uint8Array(info.byteLength + 1 + 32); for (let j = 0; j < 32; j++) { buf[j] = output[(i - 1) * 32 + j]; } buf.set(info, 32); } buf[buf.length - 1] = i + 1; const chunk = hmacSha256(prk, buf); output.set(chunk, i * 32); } return output.slice(0, outputLength); } /** * HMAC-SHA512-SHA256 (see RFC 5869). */ export function kdfKw(args: { outputLength: number; ikm: Uint8Array; salt?: Uint8Array; info?: Uint8Array; }) { return kdf(args.outputLength, args.ikm, args.salt, args.info); } export function decodeCrock(encoded: string): Uint8Array { if (tart) { return tart.decodeCrock(encoded); } const size = encoded.length; let bitpos = 0; let bitbuf = 0; let readPosition = 0; const outLen = Math.floor((size * 5) / 8); const out = new Uint8Array(outLen); let outPos = 0; while (readPosition < size || bitpos > 0) { if (readPosition < size) { const v = getValue(encoded[readPosition++]); bitbuf = (bitbuf << 5) | v; bitpos += 5; } while (bitpos >= 8) { const d = (bitbuf >>> (bitpos - 8)) & 0xff; out[outPos++] = d; bitpos -= 8; } if (readPosition == size && bitpos > 0) { bitbuf = (bitbuf << (8 - bitpos)) & 0xff; bitpos = bitbuf == 0 ? 0 : 8; } } return out; } export function eddsaGetPublic(eddsaPriv: Uint8Array): Uint8Array { if (tart) { return tart.eddsaGetPublic(eddsaPriv); } const pair = nacl.crypto_sign_keyPair_fromSeed(eddsaPriv); return pair.publicKey; } export function ecdhGetPublic(ecdhePriv: Uint8Array): Uint8Array { if (tart) { return tart.ecdheGetPublic(ecdhePriv); } return nacl.scalarMult_base(ecdhePriv); } export function keyExchangeEddsaEcdh( eddsaPriv: Uint8Array, ecdhPub: Uint8Array, ): Uint8Array { if (tart) { return tart.keyExchangeEddsaEcdh(eddsaPriv, ecdhPub); } const ph = hash(eddsaPriv); const a = new Uint8Array(32); for (let i = 0; i < 32; i++) { a[i] = ph[i]; } const x = nacl.scalarMult(a, ecdhPub); return hash(x); } export function keyExchangeEcdhEddsa( ecdhPriv: Uint8Array & MaterialEcdhePriv, eddsaPub: Uint8Array & MaterialEddsaPub, ): Uint8Array { if (tart) { return tart.keyExchangeEcdhEddsa(ecdhPriv, eddsaPub); } const curve25519Pub = nacl.sign_ed25519_pk_to_curve25519(eddsaPub); const x = nacl.scalarMult(ecdhPriv, curve25519Pub); return hash(x); } interface RsaPub { N: bigint.BigInteger; e: bigint.BigInteger; } /** * KDF modulo a big integer. */ function kdfMod( n: bigint.BigInteger, ikm: Uint8Array, salt: Uint8Array, info: Uint8Array, ): bigint.BigInteger { const nbits = n.bitLength().toJSNumber(); const buflen = Math.floor((nbits - 1) / 8 + 1); const mask = (1 << (8 - (buflen * 8 - nbits))) - 1; let counter = 0; while (true) { const ctx = new Uint8Array(info.byteLength + 2); ctx.set(info, 0); ctx[ctx.length - 2] = (counter >>> 8) & 0xff; ctx[ctx.length - 1] = counter & 0xff; const buf = kdf(buflen, ikm, salt, ctx); const arr = Array.from(buf); arr[0] = arr[0] & mask; const r = bigint.fromArray(arr, 256, false); if (r.lt(n)) { return r; } counter++; } } function csKdfMod( n: bigint.BigInteger, ikm: Uint8Array, salt: Uint8Array, info: Uint8Array, ): Uint8Array { const nbits = n.bitLength().toJSNumber(); const buflen = Math.floor((nbits - 1) / 8 + 1); const mask = (1 << (8 - (buflen * 8 - nbits))) - 1; let counter = 0; while (true) { const ctx = new Uint8Array(info.byteLength + 2); ctx.set(info, 0); ctx[ctx.length - 2] = (counter >>> 8) & 0xff; ctx[ctx.length - 1] = counter & 0xff; const buf = kdf(buflen, ikm, salt, ctx); const arr = Array.from(buf); arr[0] = arr[0] & mask; const r = bigint.fromArray(arr, 256, false); if (r.lt(n)) { return new Uint8Array(arr); } counter++; } } // Newer versions of node have TextEncoder and TextDecoder as a global, // just like modern browsers. // In older versions of node or environments that do not have these // globals, they must be polyfilled (by adding them to globa/globalThis) // before stringToBytes or bytesToString is called the first time. let encoder: any; let decoder: any; export function stringToBytes(s: string): Uint8Array { if (!encoder) { encoder = new TextEncoder(); } return encoder.encode(s); } export function bytesToString(b: Uint8Array): string { if (!decoder) { decoder = new TextDecoder(); } return decoder.decode(b); } function loadBigInt(arr: Uint8Array): bigint.BigInteger { return bigint.fromArray(Array.from(arr), 256, false); } function rsaBlindingKeyDerive( rsaPub: RsaPub, bks: Uint8Array, ): bigint.BigInteger { const salt = stringToBytes("Blinding KDF extractor HMAC key"); const info = stringToBytes("Blinding KDF"); return kdfMod(rsaPub.N, bks, salt, info); } /* * Test for malicious RSA key. * * Assuming n is an RSA modulous and r is generated using a call to * GNUNET_CRYPTO_kdf_mod_mpi, if gcd(r,n) != 1 then n must be a * malicious RSA key designed to deanomize the user. * * @param r KDF result * @param n RSA modulus of the public key */ function rsaGcdValidate(r: bigint.BigInteger, n: bigint.BigInteger): void { const t = bigint.gcd(r, n); if (!t.equals(bigint.one)) { throw Error("malicious RSA public key"); } } function rsaFullDomainHash(hm: Uint8Array, rsaPub: RsaPub): bigint.BigInteger { const info = stringToBytes("RSA-FDA FTpsW!"); const salt = rsaPubEncode(rsaPub); const r = kdfMod(rsaPub.N, hm, salt, info); rsaGcdValidate(r, rsaPub.N); return r; } function rsaPubDecode(rsaPub: Uint8Array): RsaPub { const modulusLength = (rsaPub[0] << 8) | rsaPub[1]; const exponentLength = (rsaPub[2] << 8) | rsaPub[3]; if (4 + exponentLength + modulusLength != rsaPub.length) { throw Error("invalid RSA public key (format wrong)"); } const modulus = rsaPub.slice(4, 4 + modulusLength); const exponent = rsaPub.slice( 4 + modulusLength, 4 + modulusLength + exponentLength, ); const res = { N: loadBigInt(modulus), e: loadBigInt(exponent), }; return res; } function rsaPubEncode(rsaPub: RsaPub): Uint8Array { const mb = rsaPub.N.toArray(256).value; const eb = rsaPub.e.toArray(256).value; const out = new Uint8Array(4 + mb.length + eb.length); out[0] = (mb.length >>> 8) & 0xff; out[1] = mb.length & 0xff; out[2] = (eb.length >>> 8) & 0xff; out[3] = eb.length & 0xff; out.set(mb, 4); out.set(eb, 4 + mb.length); return out; } export function rsaBlind( hm: Uint8Array, bks: Uint8Array, rsaPubEnc: Uint8Array, ): Uint8Array { if (tart) { return tart.rsaBlind(hm, bks, rsaPubEnc); } const rsaPub = rsaPubDecode(rsaPubEnc); const data = rsaFullDomainHash(hm, rsaPub); const r = rsaBlindingKeyDerive(rsaPub, bks); const r_e = r.modPow(rsaPub.e, rsaPub.N); const bm = r_e.multiply(data).mod(rsaPub.N); return new Uint8Array(bm.toArray(256).value); } export function rsaUnblind( sig: Uint8Array, rsaPubEnc: Uint8Array, bks: Uint8Array, ): Uint8Array { if (tart) { return tart.rsaUnblind(sig, rsaPubEnc, bks); } const rsaPub = rsaPubDecode(rsaPubEnc); const blinded_s = loadBigInt(sig); const r = rsaBlindingKeyDerive(rsaPub, bks); const r_inv = r.modInv(rsaPub.N); const s = blinded_s.multiply(r_inv).mod(rsaPub.N); return new Uint8Array(s.toArray(256).value); } export function rsaVerify( hm: Uint8Array, rsaSig: Uint8Array, rsaPubEnc: Uint8Array, ): boolean { if (tart) { return tart.rsaVerify(hm, rsaSig, rsaPubEnc); } const rsaPub = rsaPubDecode(rsaPubEnc); const d = rsaFullDomainHash(hm, rsaPub); const sig = loadBigInt(rsaSig); const sig_e = sig.modPow(rsaPub.e, rsaPub.N); return sig_e.equals(d); } export type CsSignature = { s: Uint8Array; rPub: Uint8Array; }; export type CsBlindSignature = { sBlind: Uint8Array; rPubBlind: Uint8Array; }; export type CsBlindingSecrets = { alpha: [Uint8Array, Uint8Array]; beta: [Uint8Array, Uint8Array]; }; export function typedArrayConcat(chunks: Uint8Array[]): Uint8Array { let payloadLen = 0; for (const c of chunks) { payloadLen += c.byteLength; } const buf = new ArrayBuffer(payloadLen); const u8buf = new Uint8Array(buf); let p = 0; for (const c of chunks) { u8buf.set(c, p); p += c.byteLength; } return u8buf; } /** * Map to scalar subgroup function * perform clamping as described in RFC7748 * @param scalar */ function mtoSS(scalar: Uint8Array): Uint8Array { scalar[0] &= 248; scalar[31] &= 127; scalar[31] |= 64; return scalar; } /** * The function returns the CS blinding secrets from a seed * @param bseed seed to derive blinding secrets * @returns blinding secrets */ export function deriveSecrets(bseed: Uint8Array): CsBlindingSecrets { const outLen = 130; const salt = stringToBytes("alphabeta"); const rndout = kdf(outLen, bseed, salt); const secrets: CsBlindingSecrets = { alpha: [mtoSS(rndout.slice(0, 32)), mtoSS(rndout.slice(64, 96))], beta: [mtoSS(rndout.slice(32, 64)), mtoSS(rndout.slice(96, 128))], }; return secrets; } /** * calculation of the blinded public point R in CS * @param csPub denomination publik key * @param secrets client blinding secrets * @param rPub public R received from /csr API */ export async function calcRBlind( csPub: Uint8Array, secrets: CsBlindingSecrets, rPub: [Uint8Array, Uint8Array], ): Promise<[Uint8Array, Uint8Array]> { const aG0 = nacl.crypto_scalarmult_ed25519_base_noclamp(secrets.alpha[0]); const aG1 = nacl.crypto_scalarmult_ed25519_base_noclamp(secrets.alpha[1]); const bDp0 = nacl.crypto_scalarmult_ed25519_noclamp(secrets.beta[0], csPub); const bDp1 = nacl.crypto_scalarmult_ed25519_noclamp(secrets.beta[1], csPub); const res0 = nacl.crypto_core_ed25519_add(aG0, bDp0); const res1 = nacl.crypto_core_ed25519_add(aG1, bDp1); return [ nacl.crypto_core_ed25519_add(rPub[0], res0), nacl.crypto_core_ed25519_add(rPub[1], res1), ]; } /** * FDH function used in CS * @param hm message hash * @param rPub public R included in FDH * @param csPub denomination public key as context * @returns mapped Curve25519 scalar */ function csFDH( hm: Uint8Array, rPub: Uint8Array, csPub: Uint8Array, ): Uint8Array { const lMod = Array.from( new Uint8Array([ 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7, 0x9c, 0xd6, 0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed, ]), ); const L = bigint.fromArray(lMod, 256, false); const info = stringToBytes("Curve25519FDH"); const preshash = hash(typedArrayConcat([rPub, hm])); return csKdfMod(L, preshash, csPub, info).reverse(); } /** * blinding seed derived from coin private key * @param coinPriv private key of the corresponding coin * @param rPub public R received from /csr API * @returns blinding seed */ export function deriveBSeed( coinPriv: Uint8Array, rPub: [Uint8Array, Uint8Array], ): Uint8Array { const outLen = 32; const salt = stringToBytes("b-seed"); const ikm = typedArrayConcat([coinPriv, rPub[0], rPub[1]]); return kdf(outLen, ikm, salt); } /** * Derive withdraw nonce, used in /csr request * Note: In withdraw protocol, the nonce is chosen randomly * @param coinPriv coin private key * @returns nonce */ export function deriveWithdrawNonce(coinPriv: Uint8Array): Uint8Array { const outLen = 32; const salt = stringToBytes("n"); return kdf(outLen, coinPriv, salt); } /** * Blind operation for CS signatures, used after /csr call * @param bseed blinding seed to derive blinding secrets * @param rPub public R received from /csr * @param csPub denomination public key * @param hm message to blind * @returns two blinded c */ export async function csBlind( bseed: Uint8Array, rPub: [Uint8Array, Uint8Array], csPub: Uint8Array, hm: Uint8Array, ): Promise<[Uint8Array, Uint8Array]> { const secrets = deriveSecrets(bseed); const rPubBlind = await calcRBlind(csPub, secrets, rPub); const c_0 = csFDH(hm, rPubBlind[0], csPub); const c_1 = csFDH(hm, rPubBlind[1], csPub); return [ nacl.crypto_core_ed25519_scalar_add(c_0, secrets.beta[0]), nacl.crypto_core_ed25519_scalar_add(c_1, secrets.beta[1]), ]; } /** * Unblind operation to unblind the signature * @param bseed seed to derive secrets * @param rPub public R received from /csr * @param csPub denomination publick key * @param b returned from exchange to select c * @param csSig blinded signature * @returns unblinded signature */ export async function csUnblind( bseed: Uint8Array, rPub: [Uint8Array, Uint8Array], csPub: Uint8Array, b: number, csSig: CsBlindSignature, ): Promise { if (b != 0 && b != 1) { throw new Error(); } const secrets = deriveSecrets(bseed); const rPubDash = (await calcRBlind(csPub, secrets, rPub))[b]; const sig: CsSignature = { s: nacl.crypto_core_ed25519_scalar_add(csSig.sBlind, secrets.alpha[b]), rPub: rPubDash, }; return sig; } /** * Verification algorithm for CS signatures * @param hm message signed * @param csSig unblinded signature * @param csPub denomination publick key * @returns true if valid, false if invalid */ export async function csVerify( hm: Uint8Array, csSig: CsSignature, csPub: Uint8Array, ): Promise { const cDash = csFDH(hm, csSig.rPub, csPub); const sG = nacl.crypto_scalarmult_ed25519_base_noclamp(csSig.s); const cbDp = nacl.crypto_scalarmult_ed25519_noclamp(cDash, csPub); const sGeq = nacl.crypto_core_ed25519_add(csSig.rPub, cbDp); return nacl.verify(sG, sGeq); } export interface EddsaKeyPair { eddsaPub: Uint8Array; eddsaPriv: Uint8Array; } export interface EcdheKeyPair { ecdhePub: Uint8Array; ecdhePriv: Uint8Array; } export interface Edx25519Keypair { edxPub: string; edxPriv: string; } export function createEddsaKeyPair(): EddsaKeyPair { const eddsaPriv = nacl.randomBytes(32); const eddsaPub = eddsaGetPublic(eddsaPriv); return { eddsaPriv, eddsaPub }; } export function createEcdheKeyPair(): EcdheKeyPair { const ecdhePriv = nacl.randomBytes(32); const ecdhePub = ecdhGetPublic(ecdhePriv); return { ecdhePriv, ecdhePub }; } export function hash(d: Uint8Array): Uint8Array { if (tart) { return tart.hash(d); } return nacl.hash(d); } /** * Hash the input with SHA-512 and truncate the result * to 32 bytes. */ export function hashTruncate32(d: Uint8Array): Uint8Array { const sha512HashCode = hash(d); return sha512HashCode.subarray(0, 32); } export function hashCoinEv( coinEv: CoinEnvelope, denomPubHash: HashCodeString, ): Uint8Array { const hashContext = createHashContext(); hashContext.update(decodeCrock(denomPubHash)); hashCoinEvInner(coinEv, hashContext); return hashContext.finish(); } const logger = new Logger("talerCrypto.ts"); export function hashCoinEvInner( coinEv: CoinEnvelope, hashState: TalerHashState, ): void { const hashInputBuf = new ArrayBuffer(4); const uint8ArrayBuf = new Uint8Array(hashInputBuf); const dv = new DataView(hashInputBuf); dv.setUint32(0, DenomKeyType.toIntTag(coinEv.cipher)); hashState.update(uint8ArrayBuf); switch (coinEv.cipher) { case DenomKeyType.Rsa: hashState.update(decodeCrock(coinEv.rsa_blinded_planchet)); return; default: throw new Error(); } } export function hashCoinPub( coinPub: CoinPublicKeyString, ach?: HashCodeString, ): Uint8Array { if (!ach) { return hash(decodeCrock(coinPub)); } return hash(typedArrayConcat([decodeCrock(coinPub), decodeCrock(ach)])); } /** * Hash a denomination public key. */ export function hashDenomPub(pub: DenominationPubKey): Uint8Array { if (pub.cipher === DenomKeyType.Rsa) { const pubBuf = decodeCrock(pub.rsa_public_key); const hashInputBuf = new ArrayBuffer(pubBuf.length + 4 + 4); const uint8ArrayBuf = new Uint8Array(hashInputBuf); const dv = new DataView(hashInputBuf); dv.setUint32(0, pub.age_mask ?? 0); dv.setUint32(4, DenomKeyType.toIntTag(pub.cipher)); uint8ArrayBuf.set(pubBuf, 8); return hash(uint8ArrayBuf); } else if (pub.cipher === DenomKeyType.ClauseSchnorr) { const pubBuf = decodeCrock(pub.cs_public_key); const hashInputBuf = new ArrayBuffer(pubBuf.length + 4 + 4); const uint8ArrayBuf = new Uint8Array(hashInputBuf); const dv = new DataView(hashInputBuf); dv.setUint32(0, pub.age_mask ?? 0); dv.setUint32(4, DenomKeyType.toIntTag(pub.cipher)); uint8ArrayBuf.set(pubBuf, 8); return hash(uint8ArrayBuf); } else { throw Error( `unsupported cipher (${ (pub as DenominationPubKey).cipher }), unable to hash`, ); } } export function eddsaSign(msg: Uint8Array, eddsaPriv: Uint8Array): Uint8Array { if (tart) { return tart.eddsaSign(msg, eddsaPriv); } const pair = nacl.crypto_sign_keyPair_fromSeed(eddsaPriv); return nacl.sign_detached(msg, pair.secretKey); } export function eddsaVerify( msg: Uint8Array, sig: Uint8Array, eddsaPub: Uint8Array, ): boolean { if (tart) { return tart.eddsaVerify(msg, sig, eddsaPub); } return nacl.sign_detached_verify(msg, sig, eddsaPub); } export interface TalerHashState { update(data: Uint8Array): void; finish(): Uint8Array; } export function createHashContext(): TalerHashState { if (tart) { const t = tart; const st = tart.hashStateInit(); return { finish: () => t.hashStateFinish(st), update: (d) => t.hashStateUpdate(st, d), }; } return new nacl.HashState(); } export interface FreshCoin { coinPub: Uint8Array; coinPriv: Uint8Array; bks: Uint8Array; maxAge: number; ageCommitmentProof: AgeCommitmentProof | undefined; } export function bufferForUint32(n: number): Uint8Array { const arrBuf = new ArrayBuffer(4); const buf = new Uint8Array(arrBuf); const dv = new DataView(arrBuf); dv.setUint32(0, n); return buf; } /** * This makes the assumption that the uint64 fits a float, * which should be true for all Taler protocol messages. */ export function bufferForUint64(n: number): Uint8Array { const arrBuf = new ArrayBuffer(8); const buf = new Uint8Array(arrBuf); const dv = new DataView(arrBuf); if (n < 0 || !Number.isInteger(n)) { throw Error("non-negative integer expected"); } dv.setBigUint64(0, BigInt(n)); return buf; } export function bufferForUint8(n: number): Uint8Array { const arrBuf = new ArrayBuffer(1); const buf = new Uint8Array(arrBuf); const dv = new DataView(arrBuf); dv.setUint8(0, n); return buf; } export async function setupTipPlanchet( secretSeed: Uint8Array, denomPub: DenominationPubKey, coinNumber: number, ): Promise { const info = stringToBytes("taler-tip-coin-derivation"); const saltArrBuf = new ArrayBuffer(4); const salt = new Uint8Array(saltArrBuf); const saltDataView = new DataView(saltArrBuf); saltDataView.setUint32(0, coinNumber); const out = kdf(64, secretSeed, salt, info); const coinPriv = out.slice(0, 32); const bks = out.slice(32, 64); let maybeAcp: AgeCommitmentProof | undefined; if (denomPub.age_mask != 0) { maybeAcp = await AgeRestriction.restrictionCommitSeeded( denomPub.age_mask, AgeRestriction.AGE_UNRESTRICTED, secretSeed, ); } return { bks, coinPriv, coinPub: eddsaGetPublic(coinPriv), maxAge: AgeRestriction.AGE_UNRESTRICTED, ageCommitmentProof: maybeAcp, }; } /** * * @param paytoUri * @param salt 16-byte salt * @returns */ export function hashWire(paytoUri: string, salt: string): string { const r = kdf( 64, stringToBytes(paytoUri + "\0"), decodeCrock(salt), stringToBytes("merchant-wire-signature"), ); return encodeCrock(r); } export enum TalerSignaturePurpose { MERCHANT_TRACK_TRANSACTION = 1103, WALLET_RESERVE_WITHDRAW = 1200, WALLET_COIN_DEPOSIT = 1201, GLOBAL_FEES = 1022, MASTER_DENOMINATION_KEY_VALIDITY = 1025, MASTER_WIRE_FEES = 1028, MASTER_WIRE_DETAILS = 1030, WALLET_COIN_MELT = 1202, TEST = 4242, MERCHANT_PAYMENT_OK = 1104, MERCHANT_CONTRACT = 1101, MERCHANT_REFUND = 1102, WALLET_COIN_RECOUP = 1203, WALLET_COIN_LINK = 1204, WALLET_COIN_RECOUP_REFRESH = 1206, WALLET_AGE_ATTESTATION = 1207, WALLET_PURSE_CREATE = 1210, WALLET_PURSE_DEPOSIT = 1211, WALLET_PURSE_MERGE = 1213, WALLET_ACCOUNT_MERGE = 1214, WALLET_PURSE_ECONTRACT = 1216, EXCHANGE_CONFIRM_RECOUP = 1039, EXCHANGE_CONFIRM_RECOUP_REFRESH = 1041, ANASTASIS_POLICY_UPLOAD = 1400, ANASTASIS_POLICY_DOWNLOAD = 1401, SYNC_BACKUP_UPLOAD = 1450, } export const enum WalletAccountMergeFlags { /** * Not a legal mode! */ None = 0, /** * We are merging a fully paid-up purse into a reserve. */ MergeFullyPaidPurse = 1, CreateFromPurseQuota = 2, CreateWithPurseFee = 3, } export class SignaturePurposeBuilder { private chunks: Uint8Array[] = []; constructor(private purposeNum: number) {} put(bytes: Uint8Array): SignaturePurposeBuilder { this.chunks.push(Uint8Array.from(bytes)); return this; } build(): Uint8Array { let payloadLen = 0; for (const c of this.chunks) { payloadLen += c.byteLength; } const buf = new ArrayBuffer(4 + 4 + payloadLen); const u8buf = new Uint8Array(buf); let p = 8; for (const c of this.chunks) { u8buf.set(c, p); p += c.byteLength; } const dvbuf = new DataView(buf); dvbuf.setUint32(0, payloadLen + 4 + 4); dvbuf.setUint32(4, this.purposeNum); return u8buf; } } export function buildSigPS(purposeNum: number): SignaturePurposeBuilder { return new SignaturePurposeBuilder(purposeNum); } export type OpaqueData = Flavor; export type Edx25519PublicKey = FlavorP; export type Edx25519PrivateKey = FlavorP; export type Edx25519Signature = FlavorP; export type Edx25519PublicKeyEnc = FlavorP; export type Edx25519PrivateKeyEnc = FlavorP< string, "Edx25519PrivateKeyEnc", 64 >; /** * Convert a big integer to a fixed-size, little-endian array. */ export function bigintToNaclArr( x: bigint.BigInteger, size: number, ): Uint8Array { const byteArr = new Uint8Array(size); const arr = x.toArray(256).value.reverse(); byteArr.set(arr, 0); return byteArr; } export function bigintFromNaclArr(arr: Uint8Array): bigint.BigInteger { let rev = new Uint8Array(arr); rev = rev.reverse(); return bigint.fromArray(Array.from(rev), 256, false); } export namespace Edx25519 { const revL = [ 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10, ]; const L = bigint.fromArray(revL.reverse(), 256, false); export async function keyCreateFromSeed( seed: OpaqueData, ): Promise { return nacl.crypto_edx25519_private_key_create_from_seed(seed); } export async function keyCreate(): Promise { return nacl.crypto_edx25519_private_key_create(); } export async function getPublic( priv: Edx25519PrivateKey, ): Promise { return nacl.crypto_edx25519_get_public(priv); } export function sign( msg: OpaqueData, key: Edx25519PrivateKey, ): Promise { throw Error("not implemented"); } async function deriveFactor( pub: Edx25519PublicKey, seed: OpaqueData, ): Promise { const res = kdfKw({ outputLength: 64, salt: seed, ikm: pub, info: stringToBytes("edx25519-derivation"), }); return res; } export async function privateKeyDerive( priv: Edx25519PrivateKey, seed: OpaqueData, ): Promise { const pub = await getPublic(priv); const privDec = priv; const a = bigintFromNaclArr(privDec.subarray(0, 32)); const factorEnc = await deriveFactor(pub, seed); const factorModL = bigintFromNaclArr(factorEnc).mod(L); const aPrime = a.divide(8).multiply(factorModL).mod(L).multiply(8).mod(L); const bPrime = nacl .hash(typedArrayConcat([privDec.subarray(32, 64), factorEnc])) .subarray(0, 32); const newPriv = typedArrayConcat([bigintToNaclArr(aPrime, 32), bPrime]); return newPriv; } export async function publicKeyDerive( pub: Edx25519PublicKey, seed: OpaqueData, ): Promise { const factorEnc = await deriveFactor(pub, seed); const factorReduced = nacl.crypto_core_ed25519_scalar_reduce(factorEnc); const res = nacl.crypto_scalarmult_ed25519_noclamp(factorReduced, pub); return res; } } export interface AgeCommitment { mask: number; /** * Public keys, one for each age group specified in the age mask. */ publicKeys: Edx25519PublicKeyEnc[]; } export interface AgeProof { /** * Private keys. Typically smaller than the number of public keys, * because we drop private keys from age groups that are restricted. */ privateKeys: Edx25519PrivateKeyEnc[]; } export interface AgeCommitmentProof { commitment: AgeCommitment; proof: AgeProof; } function invariant(cond: boolean): asserts cond { if (!cond) { throw Error("invariant failed"); } } export namespace AgeRestriction { /** * Smallest age value that the protocol considers "unrestricted". */ export const AGE_UNRESTRICTED = 32; export function hashCommitment(ac: AgeCommitment): HashCodeString { const hc = new nacl.HashState(); for (const pub of ac.publicKeys) { hc.update(decodeCrock(pub)); } return encodeCrock(hc.finish().subarray(0, 32)); } export function countAgeGroups(mask: number): number { let count = 0; let m = mask; while (m > 0) { count += m & 1; m = m >> 1; } return count; } /** * Get the starting points for age groups in the mask. */ export function getAgeGroupsFromMask(mask: number): number[] { const groups: number[] = []; let age = 1; let m = mask >> 1; while (m > 0) { if (m & 1) { groups.push(age); } m = m >> 1; age++; } return groups; } export function getAgeGroupIndex(mask: number, age: number): number { invariant((mask & 1) === 1); let i = 0; let m = mask; let a = age; while (m > 0) { if (a <= 0) { break; } m = m >> 1; i += m & 1; a--; } return i; } export function ageGroupSpecToMask(ageGroupSpec: string): number { throw Error("not implemented"); } export async function restrictionCommit( ageMask: number, age: number, ): Promise { invariant((ageMask & 1) === 1); const numPubs = countAgeGroups(ageMask) - 1; const numPrivs = getAgeGroupIndex(ageMask, age); const pubs: Edx25519PublicKey[] = []; const privs: Edx25519PrivateKey[] = []; for (let i = 0; i < numPubs; i++) { const priv = await Edx25519.keyCreate(); const pub = await Edx25519.getPublic(priv); pubs.push(pub); if (i < numPrivs) { privs.push(priv); } } return { commitment: { mask: ageMask, publicKeys: pubs.map((x) => encodeCrock(x)), }, proof: { privateKeys: privs.map((x) => encodeCrock(x)), }, }; } export async function restrictionCommitSeeded( ageMask: number, age: number, seed: Uint8Array, ): Promise { invariant((ageMask & 1) === 1); const numPubs = countAgeGroups(ageMask) - 1; const numPrivs = getAgeGroupIndex(ageMask, age); const pubs: Edx25519PublicKey[] = []; const privs: Edx25519PrivateKey[] = []; for (let i = 0; i < numPubs; i++) { const privSeed = await kdfKw({ outputLength: 32, ikm: seed, info: stringToBytes("age-restriction-commit"), salt: bufferForUint32(i), }); const priv = await Edx25519.keyCreateFromSeed(privSeed); const pub = await Edx25519.getPublic(priv); pubs.push(pub); if (i < numPrivs) { privs.push(priv); } } return { commitment: { mask: ageMask, publicKeys: pubs.map((x) => encodeCrock(x)), }, proof: { privateKeys: privs.map((x) => encodeCrock(x)), }, }; } /** * Check that c1 = c2*salt */ export async function commitCompare( c1: AgeCommitment, c2: AgeCommitment, salt: OpaqueData, ): Promise { if (c1.publicKeys.length != c2.publicKeys.length) { return false; } for (let i = 0; i < c1.publicKeys.length; i++) { const k1 = decodeCrock(c1.publicKeys[i]); const k2 = await Edx25519.publicKeyDerive( decodeCrock(c2.publicKeys[i]), salt, ); if (k1 != k2) { return false; } } return true; } export async function commitmentDerive( commitmentProof: AgeCommitmentProof, salt: OpaqueData, ): Promise { const newPrivs: Edx25519PrivateKey[] = []; const newPubs: Edx25519PublicKey[] = []; for (const oldPub of commitmentProof.commitment.publicKeys) { newPubs.push(await Edx25519.publicKeyDerive(decodeCrock(oldPub), salt)); } for (const oldPriv of commitmentProof.proof.privateKeys) { newPrivs.push( await Edx25519.privateKeyDerive(decodeCrock(oldPriv), salt), ); } return { commitment: { mask: commitmentProof.commitment.mask, publicKeys: newPubs.map((x) => encodeCrock(x)), }, proof: { privateKeys: newPrivs.map((x) => encodeCrock(x)), }, }; } export function commitmentAttest( commitmentProof: AgeCommitmentProof, age: number, ): Edx25519Signature { const d = buildSigPS(TalerSignaturePurpose.WALLET_AGE_ATTESTATION) .put(bufferForUint32(commitmentProof.commitment.mask)) .put(bufferForUint32(age)) .build(); const group = getAgeGroupIndex(commitmentProof.commitment.mask, age); if (group === 0) { // No attestation required. return new Uint8Array(64); } const priv = commitmentProof.proof.privateKeys[group - 1]; const pub = commitmentProof.commitment.publicKeys[group - 1]; const sig = nacl.crypto_edx25519_sign_detached( d, decodeCrock(priv), decodeCrock(pub), ); return sig; } export function commitmentVerify( commitment: AgeCommitment, sig: string, age: number, ): boolean { const d = buildSigPS(TalerSignaturePurpose.WALLET_AGE_ATTESTATION) .put(bufferForUint32(commitment.mask)) .put(bufferForUint32(age)) .build(); const group = getAgeGroupIndex(commitment.mask, age); if (group === 0) { // No attestation required. return true; } const pub = commitment.publicKeys[group - 1]; return nacl.crypto_edx25519_sign_detached_verify( d, decodeCrock(sig), decodeCrock(pub), ); } } // FIXME: make it a branded type! type EncryptionNonce = FlavorP; async function deriveKey( keySeed: OpaqueData, nonce: EncryptionNonce, salt: string, ): Promise { return kdfKw({ outputLength: 32, salt: nonce, ikm: keySeed, info: stringToBytes(salt), }); } export async function encryptWithDerivedKey( nonce: EncryptionNonce, keySeed: OpaqueData, plaintext: OpaqueData, salt: string, ): Promise { const key = await deriveKey(keySeed, nonce, salt); const cipherText = secretbox(plaintext, nonce, key); return typedArrayConcat([nonce, cipherText]); } const nonceSize = 24; export async function decryptWithDerivedKey( ciphertext: OpaqueData, keySeed: OpaqueData, salt: string, ): Promise { const ctBuf = ciphertext; const nonceBuf = ctBuf.slice(0, nonceSize); const enc = ctBuf.slice(nonceSize); const key = await deriveKey(keySeed, nonceBuf, salt); const clearText = nacl.secretbox_open(enc, nonceBuf, key); if (!clearText) { throw Error("could not decrypt"); } return clearText; } enum ContractFormatTag { PaymentOffer = 0, PaymentRequest = 1, } type MaterialEddsaPub = { _materialType?: "eddsa-pub"; _size?: 32; }; type MaterialEddsaPriv = { _materialType?: "ecdhe-priv"; _size?: 32; }; type MaterialEcdhePub = { _materialType?: "ecdhe-pub"; _size?: 32; }; type MaterialEcdhePriv = { _materialType?: "ecdhe-priv"; _size?: 32; }; type PursePublicKey = FlavorP & MaterialEddsaPub; type ContractPrivateKey = FlavorP & MaterialEcdhePriv; type MergePrivateKey = FlavorP & MaterialEddsaPriv; const mergeSalt = "p2p-merge-contract"; const depositSalt = "p2p-deposit-contract"; export function encryptContractForMerge( pursePub: PursePublicKey, contractPriv: ContractPrivateKey, mergePriv: MergePrivateKey, contractTerms: any, ): Promise { const contractTermsCanon = canonicalJson(contractTerms) + "\0"; const contractTermsBytes = stringToBytes(contractTermsCanon); const contractTermsCompressed = fflate.zlibSync(contractTermsBytes); const data = typedArrayConcat([ bufferForUint32(ContractFormatTag.PaymentOffer), bufferForUint32(contractTermsBytes.length), mergePriv, contractTermsCompressed, ]); const key = keyExchangeEcdhEddsa(contractPriv, pursePub); return encryptWithDerivedKey(getRandomBytesF(24), key, data, mergeSalt); } export function encryptContractForDeposit( pursePub: PursePublicKey, contractPriv: ContractPrivateKey, contractTerms: any, ): Promise { const contractTermsCanon = canonicalJson(contractTerms) + "\0"; const contractTermsBytes = stringToBytes(contractTermsCanon); const contractTermsCompressed = fflate.zlibSync(contractTermsBytes); const data = typedArrayConcat([ bufferForUint32(ContractFormatTag.PaymentRequest), bufferForUint32(contractTermsBytes.length), contractTermsCompressed, ]); const key = keyExchangeEcdhEddsa(contractPriv, pursePub); return encryptWithDerivedKey(getRandomBytesF(24), key, data, depositSalt); } export interface DecryptForMergeResult { contractTerms: any; mergePriv: Uint8Array; } export interface DecryptForDepositResult { contractTerms: any; } export async function decryptContractForMerge( enc: OpaqueData, pursePub: PursePublicKey, contractPriv: ContractPrivateKey, ): Promise { const key = keyExchangeEcdhEddsa(contractPriv, pursePub); const dec = await decryptWithDerivedKey(enc, key, mergeSalt); const mergePriv = dec.slice(8, 8 + 32); const contractTermsCompressed = dec.slice(8 + 32); const contractTermsBuf = fflate.unzlibSync(contractTermsCompressed); // Slice of the '\0' at the end and decode to a string const contractTermsString = bytesToString( contractTermsBuf.slice(0, contractTermsBuf.length - 1), ); return { mergePriv: mergePriv, contractTerms: JSON.parse(contractTermsString), }; } export async function decryptContractForDeposit( enc: OpaqueData, pursePub: PursePublicKey, contractPriv: ContractPrivateKey, ): Promise { const key = keyExchangeEcdhEddsa(contractPriv, pursePub); const dec = await decryptWithDerivedKey(enc, key, depositSalt); const contractTermsCompressed = dec.slice(8); const contractTermsBuf = fflate.unzlibSync(contractTermsCompressed); // Slice of the '\0' at the end and decode to a string const contractTermsString = bytesToString( contractTermsBuf.slice(0, contractTermsBuf.length - 1), ); return { contractTerms: JSON.parse(contractTermsString), }; }