private static IdentityKeyPair generateIdentityKeyPair()
{
ECKeyPair identityKeyPairKeys = Curve.generateKeyPair();
return(new IdentityKeyPair(new IdentityKey(identityKeyPairKeys.getPublicKey()),
identityKeyPairKeys.getPrivateKey()));
}
private SenderCertificate CreateCertificateFor(ECKeyPair trustRoot, String sender, int deviceId, ECPublicKey identityKey, long expires)
{
ECKeyPair serverKey = Curve.generateKeyPair();
byte[] serverCertificateBytes = new libsignalmetadata.protobuf.ServerCertificate.Types.Certificate()
{
Id = 1,
Key = ByteString.CopyFrom(serverKey.getPublicKey().serialize())
}.ToByteArray();
byte[] serverCertificateSignature = Curve.calculateSignature(trustRoot.getPrivateKey(), serverCertificateBytes);
ServerCertificate serverCertificate = new ServerCertificate(new libsignalmetadata.protobuf.ServerCertificate()
{
Certificate = ByteString.CopyFrom(serverCertificateBytes),
Signature = ByteString.CopyFrom(serverCertificateSignature)
}.ToByteArray());
byte[] senderCertificateBytes = new libsignalmetadata.protobuf.SenderCertificate.Types.Certificate
{
Sender = sender,
SenderDevice = (uint)deviceId,
IdentityKey = ByteString.CopyFrom(identityKey.serialize()),
Expires = (ulong)expires,
Signer = libsignalmetadata.protobuf.ServerCertificate.Parser.ParseFrom(serverCertificate.Serialized)
}.ToByteArray();
byte[] senderCertificateSignature = Curve.calculateSignature(serverKey.getPrivateKey(), senderCertificateBytes);
return(new SenderCertificate(new libsignalmetadata.protobuf.SenderCertificate()
{
Certificate = ByteString.CopyFrom(senderCertificateBytes),
Signature = ByteString.CopyFrom(senderCertificateSignature)
}.ToByteArray()));
}
/// <summary>
/// Generate an identity key pair. Clients should only do this once, at install time.
/// </summary>
/// <returns>the generated IdentityKeyPair.</returns>
public static IdentityKeyPair generateIdentityKeyPair()
{
ECKeyPair keyPair = Curve.generateKeyPair();
IdentityKey publicKey = new IdentityKey(keyPair.getPublicKey());
return(new IdentityKeyPair(publicKey, keyPair.getPrivateKey()));
}
public void TestExpiredSignature()
{
ECKeyPair serverKey = Curve.generateKeyPair();
ECKeyPair key = Curve.generateKeyPair();
byte[] certificateBytes = new libsignalmetadata.protobuf.SenderCertificate.Types.Certificate()
{
Sender = "+14152222222",
SenderDevice = 1,
Expires = 31337,
IdentityKey = ByteString.CopyFrom(key.getPublicKey().serialize()),
Signer = GetServerCertificate(serverKey)
}.ToByteArray();
byte[] certificateSignature = Curve.calculateSignature(serverKey.getPrivateKey(), certificateBytes);
SenderCertificate senderCertificate = new SenderCertificate(new libsignalmetadata.protobuf.SenderCertificate()
{
Certificate = ByteString.CopyFrom(certificateBytes),
Signature = ByteString.CopyFrom(certificateSignature)
}.ToByteArray());
try
{
new CertificateValidator(TrustRoot.getPublicKey()).Validate(senderCertificate, 31338);
throw new Exception();
}
catch (InvalidCertificateException)
{
// good
}
}
private void initializeSessionsV2(SessionState aliceSessionState, SessionState bobSessionState)
{
ECKeyPair aliceIdentityKeyPair = Curve.generateKeyPair();
IdentityKeyPair aliceIdentityKey = new IdentityKeyPair(new IdentityKey(aliceIdentityKeyPair.getPublicKey()),
aliceIdentityKeyPair.getPrivateKey());
ECKeyPair aliceBaseKey = Curve.generateKeyPair();
ECKeyPair aliceEphemeralKey = Curve.generateKeyPair();
ECKeyPair bobIdentityKeyPair = Curve.generateKeyPair();
IdentityKeyPair bobIdentityKey = new IdentityKeyPair(new IdentityKey(bobIdentityKeyPair.getPublicKey()),
bobIdentityKeyPair.getPrivateKey());
ECKeyPair bobBaseKey = Curve.generateKeyPair();
ECKeyPair bobEphemeralKey = bobBaseKey;
AliceAxolotlParameters aliceParameters = AliceAxolotlParameters.newBuilder()
.setOurIdentityKey(aliceIdentityKey)
.setOurBaseKey(aliceBaseKey)
.setTheirIdentityKey(bobIdentityKey.getPublicKey())
.setTheirSignedPreKey(bobEphemeralKey.getPublicKey())
.setTheirRatchetKey(bobEphemeralKey.getPublicKey())
.setTheirOneTimePreKey(May <ECPublicKey> .NoValue)
.create();
BobAxolotlParameters bobParameters = BobAxolotlParameters.newBuilder()
.setOurIdentityKey(bobIdentityKey)
.setOurOneTimePreKey(May <ECKeyPair> .NoValue)
.setOurRatchetKey(bobEphemeralKey)
.setOurSignedPreKey(bobBaseKey)
.setTheirBaseKey(aliceBaseKey.getPublicKey())
.setTheirIdentityKey(aliceIdentityKey.getPublicKey())
.create();
RatchetingSession.initializeSession(aliceSessionState, 2, aliceParameters);
RatchetingSession.initializeSession(bobSessionState, 2, bobParameters);
}
private void GenerateKey(IDataStore dataStore, object context)
{
keyPair = Curve.generateKeyPair();
dataStore.SetString(context, "privateKey", Convert.ToBase64String(keyPair.getPrivateKey().serialize()));
dataStore.SetString(context, "publicKey", Convert.ToBase64String(keyPair.getPublicKey().serialize()));
}
public PreKeyRecord(uint id, ECKeyPair keyPair)
{
this.structure = new PreKeyRecordStructure
{
Id = id,
PublicKey = ByteString.CopyFrom(keyPair.getPublicKey().serialize()),
PrivateKey = ByteString.CopyFrom(keyPair.getPrivateKey().serialize())
};
}
public PreKeyRecord(uint id, ECKeyPair keyPair)
{
this.structure = PreKeyRecordStructure.CreateBuilder()
.SetId(id)
.SetPublicKey(ByteString.CopyFrom(keyPair.getPublicKey()
.serialize()))
.SetPrivateKey(ByteString.CopyFrom(keyPair.getPrivateKey()
.serialize()))
.Build();
}
public SignedPreKeyRecord(uint id, ulong timestamp, ECKeyPair keyPair, byte[] signature)
{
this.structure = new SignedPreKeyRecordStructure
{
Id = id,
PublicKey = ByteString.CopyFrom(keyPair.getPublicKey().serialize()),
PrivateKey = ByteString.CopyFrom(keyPair.getPrivateKey().serialize()),
Signature = ByteString.CopyFrom(signature),
Timestamp = timestamp
};
}
public static void generateCurve25519IdentityKeys()
{
//MasterCipher masterCipher = new MasterCipher(masterSecret);
ECKeyPair djbKeyPair = Curve.generateKeyPair();
IdentityKey djbIdentityKey = new IdentityKey(djbKeyPair.getPublicKey());
byte[] djbPrivateKey = /*masterCipher.encryptKey(*/ djbKeyPair.getPrivateKey().serialize() /*)*/;
save(IDENTITY_PUBLIC_KEY_DJB_PREF, System.Convert.ToBase64String(djbIdentityKey.serialize()));
save(IDENTITY_PRIVATE_KEY_DJB_PREF, System.Convert.ToBase64String(djbPrivateKey));
}
public SignedPreKeyRecord(uint id, ulong timestamp, ECKeyPair keyPair, byte[] signature)
{
structure = SignedPreKeyRecordStructure.CreateBuilder()
.SetId(id)
.SetPublicKey(ByteString.CopyFrom(keyPair.getPublicKey()
.serialize()))
.SetPrivateKey(ByteString.CopyFrom(keyPair.getPrivateKey()
.serialize()))
.SetSignature(ByteString.CopyFrom(signature))
.SetTimestamp(timestamp)
.Build();
}
public void testRandomAgreements()
{
for (int i = 0; i < 50; i++)
{
ECKeyPair alice = Curve.generateKeyPair();
ECKeyPair bob = Curve.generateKeyPair();
byte[] sharedAlice = Curve.calculateAgreement(bob.getPublicKey(), alice.getPrivateKey());
byte[] sharedBob = Curve.calculateAgreement(alice.getPublicKey(), bob.getPrivateKey());
CollectionAssert.AreEqual(sharedAlice, sharedBob);
}
}
public void setSenderChain(ECKeyPair senderRatchetKeyPair, ChainKey chainKey)
{
Chain.Types.ChainKey chainKeyStructure = Chain.Types.ChainKey.CreateBuilder()
.SetKey(ByteString.CopyFrom(chainKey.getKey()))
.SetIndex(chainKey.getIndex())
.Build();
Chain senderChain = Chain.CreateBuilder()
.SetSenderRatchetKey(ByteString.CopyFrom(senderRatchetKeyPair.getPublicKey().serialize()))
.SetSenderRatchetKeyPrivate(ByteString.CopyFrom(senderRatchetKeyPair.getPrivateKey().serialize()))
.SetChainKey(chainKeyStructure)
.Build();
this.sessionStructure = this.sessionStructure.ToBuilder().SetSenderChain(senderChain).Build();
}
private libsignalmetadata.protobuf.ServerCertificate GetServerCertificate(ECKeyPair serverKey)
{
byte[] certificateBytes = new libsignalmetadata.protobuf.ServerCertificate.Types.Certificate()
{
Id = 1,
Key = ByteString.CopyFrom(serverKey.getPublicKey().serialize())
}.ToByteArray();
byte[] certificateSignature = Curve.calculateSignature(TrustRoot.getPrivateKey(), certificateBytes);
return(new libsignalmetadata.protobuf.ServerCertificate()
{
Certificate = ByteString.CopyFrom(certificateBytes),
Signature = ByteString.CopyFrom(certificateSignature)
});
}
public void testSignatureOverflow()
{
ECKeyPair keys = Curve.generateKeyPair();
byte[] message = new byte[4096];
try
{
byte[] signature = Curve.calculateSignature(keys.getPrivateKey(), message);
throw new InvalidKeyException("Should have asserted!");
}
catch (InvalidKeyException)
{
// Success!
}
}
public void setPendingKeyExchange(uint sequence,
ECKeyPair ourBaseKey,
ECKeyPair ourRatchetKey,
IdentityKeyPair ourIdentityKey)
{
PendingKeyExchange structure = new PendingKeyExchange
{
LocalBaseKey = ByteString.CopyFrom(ourBaseKey.getPublicKey().serialize()),
LocalBaseKeyPrivate = ByteString.CopyFrom(ourBaseKey.getPrivateKey().serialize()),
LocalRatchetKey = ByteString.CopyFrom(ourRatchetKey.getPublicKey().serialize()),
LocalRatchetKeyPrivate = ByteString.CopyFrom(ourRatchetKey.getPrivateKey().serialize()),
LocalIdentityKey = ByteString.CopyFrom(ourIdentityKey.getPublicKey().serialize()),
LocalIdentityKeyPrivate = ByteString.CopyFrom(ourIdentityKey.getPrivateKey().serialize())
};
this.sessionStructure.PendingKeyExchange = structure;
}
public void setSenderChain(ECKeyPair senderRatchetKeyPair, ChainKey chainKey)
{
Chain.Types.ChainKey chainKeyStructure = new Chain.Types.ChainKey
{
Key = ByteString.CopyFrom(chainKey.getKey()),
Index = chainKey.getIndex()
};
Chain senderChain = new Chain
{
SenderRatchetKey = ByteString.CopyFrom(senderRatchetKeyPair.getPublicKey().serialize()),
SenderRatchetKeyPrivate = ByteString.CopyFrom(senderRatchetKeyPair.getPrivateKey().serialize()),
ChainKey = chainKeyStructure
};
this.sessionStructure.SenderChain = senderChain;
}
public void TestBadSignature()
{
ECKeyPair serverKey = Curve.generateKeyPair();
ECKeyPair key = Curve.generateKeyPair();
byte[] certificateBytes = new libsignalmetadata.protobuf.SenderCertificate.Types.Certificate()
{
Sender = "+14152222222",
SenderDevice = 1,
Expires = 31337,
IdentityKey = ByteString.CopyFrom(key.getPublicKey().serialize()),
Signer = GetServerCertificate(serverKey)
}.ToByteArray();
byte[] certificateSignature = Curve.calculateSignature(serverKey.getPrivateKey(), certificateBytes);
for (int i = 0; i < certificateSignature.Length; i++)
{
for (int b = 0; b < 8; b++)
{
byte[] badSignature = new byte[certificateSignature.Length];
Array.Copy(certificateSignature, 0, badSignature, 0, certificateSignature.Length);
badSignature[i] = (byte)(badSignature[i] ^ 1 << b);
SenderCertificate senderCertificate = new SenderCertificate(new libsignalmetadata.protobuf.SenderCertificate()
{
Certificate = ByteString.CopyFrom(certificateBytes),
Signature = ByteString.CopyFrom(badSignature)
}.ToByteArray());
try
{
new CertificateValidator(TrustRoot.getPublicKey()).Validate(senderCertificate, 31336);
throw new Exception();
}
catch (InvalidCertificateException)
{
// good
}
}
}
}
public byte[] encrypt(ProvisionMessage message)// throws InvalidKeyException
{
ECKeyPair ourKeyPair = Curve.generateKeyPair();
byte[] sharedSecret = Curve.calculateAgreement(theirPublicKey, ourKeyPair.getPrivateKey());
byte[] derivedSecret = new HKDFv3().deriveSecrets(sharedSecret, Encoding.UTF8.GetBytes("TextSecure Provisioning Message"), 64);
byte[][] parts = Util.split(derivedSecret, 32, 32);
byte[] version = { 0x01 };
byte[] ciphertext = getCiphertext(parts[0], message.ToByteArray());
byte[] mac = getMac(parts[1], Util.join(version, ciphertext));
byte[] body = Util.join(version, ciphertext, mac);
return(ProvisionEnvelope.CreateBuilder()
.SetPublicKey(ByteString.CopyFrom(ourKeyPair.getPublicKey().serialize()))
.SetBody(ByteString.CopyFrom(body))
.Build()
.ToByteArray());
}
public void setPendingKeyExchange(uint sequence,
ECKeyPair ourBaseKey,
ECKeyPair ourRatchetKey,
IdentityKeyPair ourIdentityKey)
{
PendingKeyExchange structure =
PendingKeyExchange.CreateBuilder()
.SetSequence(sequence)
.SetLocalBaseKey(ByteString.CopyFrom(ourBaseKey.getPublicKey().serialize()))
.SetLocalBaseKeyPrivate(ByteString.CopyFrom(ourBaseKey.getPrivateKey().serialize()))
.SetLocalRatchetKey(ByteString.CopyFrom(ourRatchetKey.getPublicKey().serialize()))
.SetLocalRatchetKeyPrivate(ByteString.CopyFrom(ourRatchetKey.getPrivateKey().serialize()))
.SetLocalIdentityKey(ByteString.CopyFrom(ourIdentityKey.getPublicKey().serialize()))
.SetLocalIdentityKeyPrivate(ByteString.CopyFrom(ourIdentityKey.getPrivateKey().serialize()))
.Build();
this.sessionStructure = this.sessionStructure.ToBuilder()
.SetPendingKeyExchange(structure)
.Build();
}
public byte[] Encrypt(SignalProtocolAddress destinationAddress, SenderCertificate senderCertificate, byte[] paddedPlaintext)
{
CiphertextMessage message = new SessionCipher(SignalProtocolStore, destinationAddress).encrypt(paddedPlaintext);
IdentityKeyPair ourIdentity = SignalProtocolStore.GetIdentityKeyPair();
ECPublicKey theirIdentity = SignalProtocolStore.GetIdentity(destinationAddress).getPublicKey();
ECKeyPair ephemeral = Curve.generateKeyPair();
byte[] ephemeralSalt = ByteUtil.combine(Encoding.ASCII.GetBytes("UnidentifiedDelivery"), theirIdentity.serialize(), ephemeral.getPublicKey().serialize());
EphemeralKeys ephemeralKeys = CalculateEphemeralKeys(theirIdentity, ephemeral.getPrivateKey(), ephemeralSalt);
byte[] staticKeyCiphertext = Encrypt(ephemeralKeys.CipherKey, ephemeralKeys.MacKey, ourIdentity.getPublicKey().getPublicKey().serialize());
byte[] staticSalt = ByteUtil.combine(ephemeralKeys.ChainKey, staticKeyCiphertext);
StaticKeys staticKeys = CalculateStaticKeys(theirIdentity, ourIdentity.getPrivateKey(), staticSalt);
UnidentifiedSenderMessageContent content = new UnidentifiedSenderMessageContent((int)message.getType(), senderCertificate, message.serialize());
byte[] messageBytes = Encrypt(staticKeys.CipherKey, staticKeys.MacKey, content.Serialized);
return(new UnidentifiedSenderMessage(ephemeral.getPublicKey(), staticKeyCiphertext, messageBytes).Serialized);
}
public void TestSignature()
{
ECKeyPair trustRoot = Curve.generateKeyPair();
ECKeyPair keyPair = Curve.generateKeyPair();
var certificate = new libsignalmetadata.protobuf.ServerCertificate.Types.Certificate()
{
Id = 1,
Key = ByteString.CopyFrom(keyPair.getPublicKey().serialize())
};
byte[] certificateBytes = certificate.ToByteArray();
byte[] certificateSignature = Curve.calculateSignature(trustRoot.getPrivateKey(), certificateBytes);
byte[] serialized = new libsignalmetadata.protobuf.ServerCertificate()
{
Certificate = ByteString.CopyFrom(certificateBytes),
Signature = ByteString.CopyFrom(certificateSignature)
}.ToByteArray();
new CertificateValidator(trustRoot.getPublicKey()).Validate(new ServerCertificate(serialized));
}
public Pair <RootKey, ChainKey> createChain(ECPublicKey theirRatchetKey, ECKeyPair ourRatchetKey)
{
byte[] sharedSecret = Curve.calculateAgreement(theirRatchetKey, ourRatchetKey.getPrivateKey());
byte[] derivedSecretBytes = kdf.deriveSecrets(sharedSecret, key, Encoding.UTF8.GetBytes("WhisperRatchet"), DerivedRootSecrets.SIZE);
DerivedRootSecrets derivedSecrets = new DerivedRootSecrets(derivedSecretBytes);
RootKey newRootKey = new RootKey(kdf, derivedSecrets.getRootKey());
ChainKey newChainKey = new ChainKey(kdf, derivedSecrets.getChainKey(), 0);
return(new Pair <RootKey, ChainKey>(newRootKey, newChainKey));
}
public SenderKeyState(uint id, uint iteration, byte[] chainKey, ECKeyPair signatureKey)
: this(id, iteration, chainKey, signatureKey.getPublicKey(), new May <ECPrivateKey>(signatureKey.getPrivateKey()))
{
}
public void TestBadSignature()
{
ECKeyPair trustRoot = Curve.generateKeyPair();
ECKeyPair keyPair = Curve.generateKeyPair();
var certificate = new libsignalmetadata.protobuf.ServerCertificate.Types.Certificate()
{
Id = 1,
Key = ByteString.CopyFrom(keyPair.getPublicKey().serialize())
};
byte[] certificateBytes = certificate.ToByteArray();
byte[] certificateSignature = Curve.calculateSignature(trustRoot.getPrivateKey(), certificateBytes);
for (int i = 0; i < certificateSignature.Length; i++)
{
for (int b = 0; b < 8; b++)
{
byte[] badSignature = new byte[certificateSignature.Length];
Array.Copy(certificateSignature, 0, badSignature, 0, badSignature.Length);
badSignature[i] = (byte)(badSignature[i] ^ (1 << b));
byte[] serialized = new libsignalmetadata.protobuf.ServerCertificate()
{
Certificate = ByteString.CopyFrom(certificateBytes),
Signature = ByteString.CopyFrom(badSignature)
}.ToByteArray();
try
{
new CertificateValidator(trustRoot.getPublicKey()).Validate(new ServerCertificate(serialized));
throw new Exception();
}
catch (InvalidCertificateException)
{
// good
}
}
}
for (int i = 0; i < certificateBytes.Length; i++)
{
for (int b = 0; b < 8; b++)
{
byte[] badCertificate = new byte[certificateBytes.Length];
Array.Copy(certificateBytes, 0, badCertificate, 0, badCertificate.Length);
badCertificate[i] = (byte)(badCertificate[i] ^ (1 << b));
byte[] serialized = new libsignalmetadata.protobuf.ServerCertificate()
{
Certificate = ByteString.CopyFrom(badCertificate),
Signature = ByteString.CopyFrom(certificateSignature)
}.ToByteArray();
try
{
new CertificateValidator(trustRoot.getPublicKey()).Validate(new ServerCertificate(serialized));
throw new Exception();
}
catch (InvalidCertificateException)
{
// good
}
}
}
}
public byte[] CalculateSignature(byte[] data)
{
return(Curve.calculateSignature(keyPair.getPrivateKey(), data));
}
