Exemple #1
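        /// <summary>
        /// Derives the material for several keys in a single call: runs HKDF over HMAC-SHA256 on
        /// <paramref name="keyToExpand"/> and returns
        /// <paramref name="keyLengthInBytes"/> * <paramref name="numberOfKeysToDerive"/> bytes.
        /// </summary>
        /// <param name="keyLengthInBytes">Length of each individual key, in bytes.</param>
        /// <param name="keyToExpand">Input keying material handed to HKDF.</param>
        /// <param name="numberOfKeysToDerive">How many keys of that length the caller intends to cut from the result.</param>
        /// <returns>One contiguous buffer; slicing it into individual keys is left to the caller.</returns>
        /// <exception cref="System.OverflowException">The requested total length does not fit in an <c>int</c>.</exception>
        /// <remarks>
        /// No salt and no context/info value are passed to HKDF here, so every key cut from the
        /// buffer comes from the same output stream and nothing binds a key to its purpose.
        /// HKDF expects high-entropy input keying material; it is not a password-hashing function.
        /// </remarks>
        public static byte[] KeyDerivation(int keyLengthInBytes, byte[] keyToExpand, int numberOfKeysToDerive)
        {
            // checked: unless the project is compiled with overflow checking, a plain int multiply
            // wraps silently and would request the wrong amount of key material.
            int totalBytes = checked(keyLengthInBytes * numberOfKeysToDerive);

            using (var hkdf = new HKDF(HMACFactories.HMACSHA256, keyToExpand))
            {
                return hkdf.GetBytes(totalBytes);
            }
        }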
Exemple #2
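        /// <summary>
        /// Expands <paramref name="keyToExpand"/> to <paramref name="expandToLength"/> bytes using
        /// HKDF over HMAC-SHA256, mixing in <paramref name="additionalData"/>.
        /// </summary>
        /// <param name="expandToLength">Number of output bytes requested from HKDF.</param>
        /// <param name="keyToExpand">Input keying material handed to HKDF.</param>
        /// <param name="additionalData">Optional text mixed into the derivation; null is treated as empty.</param>
        /// <returns>The derived bytes.</returns>
        /// <remarks>
        /// HKDF expects high-entropy input keying material; it is not a password-hashing function.
        /// </remarks>
        public static byte[] KeyExpansion(int expandToLength, byte[] keyToExpand, string additionalData = "")
        {
            // Treat an explicit null like the default empty string instead of dereferencing it.
            var additionalBytes = (additionalData ?? string.Empty).ToBytes();

            // NOTE(review): additionalBytes is bound positionally as the third constructor argument.
            // If this HKDF type declares (hmacFactory, ikm, salt, context) in that order, the value
            // is used as the salt rather than as the context/info input — confirm against the
            // constructor signature, and prefer a named argument to make the intent explicit.
            using (var hkdf = new HKDF(HMACFactories.HMACSHA256, keyToExpand, additionalBytes))
            {
                return hkdf.GetBytes(expandToLength);
            }
        }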
        /// <summary>
        /// Derives a (key, nonce) pair from the sender/receiver EC keys, the auth secret and the salt.
        /// </summary>
        /// <returns>
        /// A tuple whose first item is KEY_LENGTH bytes expanded with the key info label and whose
        /// second item is NONCE_LENGTH bytes expanded with the nonce info label.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the label/context layout looks like a Web Push style content-encryption
        /// derivation — confirm against the definitions of the *InfoParameter constants.
        /// </remarks>
        private (byte[], byte[]) DeriveKeyAndNonce(byte[] salt, byte[] authSecret, ECPublicKeyParameters senderPublicKey, ECPublicKeyParameters receiverPublicKey, ECPrivateKeyParameters receiverPrivateKey)
        {
            var (ikm, context) = ExtractSecretAndContext(senderPublicKey, receiverPublicKey, receiverPrivateKey);

            // First pass: fold the auth secret into the extracted secret before any key is derived.
            ikm = HKDF.GetBytes(authSecret, ikm, authInfoParameter, SHA_256_LENGTH);

            // Key and nonce share the same context but use different info labels, which is what
            // keeps the two expansions separate.
            byte[] keyLabel   = ByteArray.Concat(keyInfoParameter, context);
            byte[] nonceLabel = ByteArray.Concat(nonceInfoParameter, context);

            // Second pass: extract with the salt, then expand once per label.
            byte[] pseudoRandomKey = HKDF.Extract(salt, ikm);
            byte[] contentKey      = HKDF.Expand(pseudoRandomKey, keyLabel, KEY_LENGTH);
            byte[] nonce           = HKDF.Expand(pseudoRandomKey, nonceLabel, NONCE_LENGTH);

            return (contentKey, nonce);
        }
		public void HDKF_Testcase7()
		{
			// Known-answer test: HMAC-SHA1, IKM = 22 bytes of 0x0c, salt not provided (null),
			// empty context, 42 output bytes. Inputs and output correspond to RFC 5869
			// Appendix A, Test Case 7.
			byte[] inputKeyMaterial = Enumerable.Repeat<byte>(0x0c, 22).ToArray();
			byte[] info = new byte[0];

			using (var kdf = new HKDF(HMACFactories.HMACSHA1, ikm: inputKeyMaterial, salt: null, context: info))
			{
				var okm = kdf.GetBytes(countBytes: 42);

				// The hex string is the OKM value given in the document.
				var expectedOkm = "2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48".FromBase16();

				bool matches = Enumerable.SequenceEqual(okm, expectedOkm);
				Assert.IsTrue(matches);
			}
		}//7
		public void HDKF_Testcase6()
		{
			// Known-answer test: HMAC-SHA1, IKM = 22 bytes of 0x0b, zero-length salt and
			// context, 42 output bytes. Inputs and output correspond to RFC 5869
			// Appendix A, Test Case 6.
			byte[] inputKeyMaterial = Enumerable.Repeat<byte>(0x0b, 22).ToArray();
			byte[] emptySalt = new byte[0];
			byte[] info = new byte[0];

			using (var kdf = new HKDF(HMACFactories.HMACSHA1, ikm: inputKeyMaterial, salt: emptySalt, context: info))
			{
				var okm = kdf.GetBytes(countBytes: 42);

				// The hex string is the OKM value given in the document.
				var expectedOkm = "0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918".FromBase16();

				bool matches = Enumerable.SequenceEqual(okm, expectedOkm);
				Assert.IsTrue(matches);
			}
		}//6
		public void HDKF_Testcase5()
		{
			// Known-answer test: HMAC-SHA1 with 80-byte IKM (0x00..0x4f), salt (0x60..0xaf)
			// and context (0xb0..0xff), 82 output bytes. Inputs and output correspond to
			// RFC 5869 Appendix A, Test Case 5.
			byte[] inputKeyMaterial = Enumerable.Range(0x00, 80).Select(value => (byte)value).ToArray();
			byte[] saltBytes = Enumerable.Range(0x60, 80).Select(value => (byte)value).ToArray();
			byte[] info = Enumerable.Range(0xb0, 80).Select(value => (byte)value).ToArray();

			using (var kdf = new HKDF(HMACFactories.HMACSHA1, ikm: inputKeyMaterial, salt: saltBytes, context: info))
			{
				var okm = kdf.GetBytes(countBytes: 82);

				// The hex string is the OKM value given in the document.
				var expectedOkm = "0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4".FromBase16();

				bool matches = Enumerable.SequenceEqual(okm, expectedOkm);
				Assert.IsTrue(matches);
			}
		}//5
		public void HDKF_Testcase4()
		{
			// Known-answer test: HMAC-SHA1, IKM = 11 bytes of 0x0b, salt 0x00..0x0c,
			// context 0xf0..0xf9, 42 output bytes. Inputs and output correspond to
			// RFC 5869 Appendix A, Test Case 4.
			byte[] inputKeyMaterial = Enumerable.Repeat<byte>(0x0b, 11).ToArray();
			byte[] saltBytes = Enumerable.Range(0x00, 13).Select(value => (byte)value).ToArray();
			byte[] info = Enumerable.Range(0xf0, 10).Select(value => (byte)value).ToArray();

			using (var kdf = new HKDF(HMACFactories.HMACSHA1, ikm: inputKeyMaterial, salt: saltBytes, context: info))
			{
				var okm = kdf.GetBytes(countBytes: 42);

				// The hex string is the OKM value given in the document.
				var expectedOkm = "085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896".FromBase16();

				bool matches = Enumerable.SequenceEqual(okm, expectedOkm);
				Assert.IsTrue(matches);
			}
		}//4
		public void HDKF_Testcase3()
		{
			// Known-answer test: HMAC-SHA256, IKM = 22 bytes of 0x0b, zero-length salt and
			// context, 42 output bytes. Inputs and output correspond to RFC 5869
			// Appendix A, Test Case 3.
			byte[] inputKeyMaterial = Enumerable.Repeat<byte>(0x0b, 22).ToArray();
			byte[] emptySalt = new byte[0];
			byte[] info = new byte[0];

			using (var kdf = new HKDF(HMACFactories.HMACSHA256, ikm: inputKeyMaterial, salt: emptySalt, context: info))
			{
				var okm = kdf.GetBytes(countBytes: 42);

				// The hex string is the OKM value given in the document.
				var expectedOkm = "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8".FromBase16();

				bool matches = Enumerable.SequenceEqual(okm, expectedOkm);
				Assert.IsTrue(matches);
			}
		}//3
		public void HDKF_Testcase2()
		{
			// Known-answer test: HMAC-SHA256 with 80-byte IKM (0x00..0x4f), salt (0x60..0xaf)
			// and context (0xb0..0xff), 82 output bytes. Inputs and output correspond to
			// RFC 5869 Appendix A, Test Case 2.
			byte[] inputKeyMaterial = Enumerable.Range(0x00, 80).Select(value => (byte)value).ToArray();
			byte[] saltBytes = Enumerable.Range(0x60, 80).Select(value => (byte)value).ToArray();
			byte[] info = Enumerable.Range(0xb0, 80).Select(value => (byte)value).ToArray();

			using (var kdf = new HKDF(HMACFactories.HMACSHA256, ikm: inputKeyMaterial, salt: saltBytes, context: info))
			{
				var okm = kdf.GetBytes(countBytes: 82);

				// The hex string is the OKM value given in the document.
				var expectedOkm = "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87".FromBase16();

				bool matches = Enumerable.SequenceEqual(okm, expectedOkm);
				Assert.IsTrue(matches);
			}
		}//2
		public void HDKF_Testcase1()
		{
			// Known-answer test: HMAC-SHA256, IKM = 22 bytes of 0x0b, salt 0x00..0x0c,
			// context 0xf0..0xf9, 42 output bytes. Inputs and output correspond to
			// RFC 5869 Appendix A, Test Case 1.
			byte[] inputKeyMaterial = Enumerable.Repeat<byte>(0x0b, 22).ToArray();
			byte[] saltBytes = Enumerable.Range(0, 13).Select(value => (byte)value).ToArray();
			byte[] info = Enumerable.Range(0xf0, 10).Select(value => (byte)value).ToArray();

			using (var kdf = new HKDF(HMACFactories.HMACSHA256, ikm: inputKeyMaterial, salt: saltBytes, context: info))
			{
				var okm = kdf.GetBytes(countBytes: 42);

				// The hex string is the OKM value given in the document.
				var expectedOkm = "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865".FromBase16();

				bool matches = Enumerable.SequenceEqual(okm, expectedOkm);
				Assert.IsTrue(matches);
			}
		}//1
        //public Task<HttpResponseMessage> Post(byte[] body)
        public Tuple <string, byte[]> Post(byte[] body)
        {
            Debug.WriteLine($"Length of input is {body.Length} bytes");

            var parts = TLVParser.Parse(body);

            var state = parts.GetTypeAsInt(Constants.State);

            Debug.WriteLine($"Pair Setup: Status [{state}]");

            if (state == 1)
            {
                Console.WriteLine("Pair Setup Step 1/6");
                Console.WriteLine("SRP Start Response");

                Random randomNumber = new Random();
                int    code         = randomNumber.Next(100, 999);

                CODE = $"123-45-{code}";

                Console.WriteLine($"********************");
                Console.WriteLine($"* PIN CODE: {CODE} *");
                Console.WriteLine($"********************");

                Random rnd = new Random();
                salt = new Byte[16];
                rnd.NextBytes(salt);

                // **** BOUNCY CASTLE CODE - NOT USED ****
                //https://www.programcreek.com/java-api-examples/index.php?api=org.bouncycastle.crypto.agreement.srp.SRP6Server

                var I = "Pair-Setup";// Program.ID;
                var P = CODE;

                var hashAlgorithm  = SHA512.Create();
                var groupParameter = SRP.SRP.Group_3072;

                sessionServer = new SRPServer(groupParameter, hashAlgorithm);

                server_k = sessionServer.Compute_k();

                server_x = sessionServer.Compute_x(salt, I, P);

                server_v = sessionServer.Compute_v(server_x.ToBigInteger());

                Console.WriteLine($"Verifier [Length={server_v.ToBytes().Length}]");
                Console.WriteLine(server_v.ToString("X"));

                server_b = new Byte[32];
                rnd.NextBytes(server_b);

                server_B = sessionServer.Compute_B(server_v, server_k.ToBigInteger(), server_b.ToBigInteger());

                Console.WriteLine($"B [Length={server_B.ToBytes().Length}]");
                Console.WriteLine(server_B.ToString("X"));

                var publicKey = server_B.ToBytes();

                TLV responseTLV = new TLV();

                responseTLV.AddType(Constants.State, 2);
                responseTLV.AddType(Constants.PublicKey, publicKey);
                responseTLV.AddType(Constants.Salt, salt);

                byte[] output = TLVParser.Serialise(responseTLV);

                return(new Tuple <string, byte[]>("application/pairing+tlv8", output));

                //ByteArrayContent content = new ByteArrayContent(output);
                //content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/pairing+tlv8");

                //return new HttpResponseMessage(System.Net.HttpStatusCode.OK)
                //{
                //    Content = content
                //};
            }
            else if (state == 3)
            {
                Console.WriteLine("Pair Setup Step 3/6");
                Console.WriteLine("SRP Verify Request");

                var iOSPublicKey = parts.GetType(Constants.PublicKey); // A
                var iOSProof     = parts.GetType(Constants.Proof);     // M1

                Console.WriteLine("A");
                Console.WriteLine(ByteArrayToString(iOSPublicKey));

                Console.WriteLine("M1 (Client)");
                Console.WriteLine(ByteArrayToString(iOSProof));

                // Compute the scrambler.
                //
                var u = sessionServer.Compute_u(iOSPublicKey, server_B.ToBytes());

                Console.WriteLine("U (Scramber)");
                Console.WriteLine(ByteArrayToString(u));

                // Compute the premaster secret
                //
                var server_S = sessionServer.Compute_S(iOSPublicKey.ToBigInteger(), server_v, u.ToBigInteger(), server_b.ToBigInteger());
                Console.WriteLine("S");
                Console.WriteLine(server_S.ToString("X"));

                // Compute the session key
                //
                server_K = sessionServer.Compute_K(server_S.ToBytes());

                Console.WriteLine("K (Session Key)");
                Console.WriteLine(ByteArrayToString(server_K));

                // Compute the client's proof
                //
                var client_M1 = sessionServer.Compute_M1("Pair-Setup", salt, iOSPublicKey, server_B.ToBytes(), server_K);

                Console.WriteLine("M1 (Server)");
                Console.WriteLine(ByteArrayToString(client_M1));

                // Check the proof matches what was sent to us
                //
                bool isValid = iOSProof.CheckEquals(client_M1);

                TLV responseTLV = new TLV();
                responseTLV.AddType(Constants.State, 4);

                if (isValid)
                {
                    Console.WriteLine("Verification was successful. Generating Server Proof (M2)");

                    var server_M2 = sessionServer.Compute_M2(iOSPublicKey, client_M1, server_K);

                    File.WriteAllBytes("SRPProof", server_M2);

                    responseTLV.AddType(Constants.Proof, server_M2);
                }
                else
                {
                    Console.WriteLine("Verification failed as iOS provided code was incorrect");
                    responseTLV.AddType(Constants.Error, ErrorCodes.Authentication);
                }

                byte[] output = TLVParser.Serialise(responseTLV);

                return(new Tuple <string, byte[]>("application/pairing+tlv8", output));

                //ByteArrayContent content = new ByteArrayContent(output);
                //content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/pairing+tlv8");

                //return new HttpResponseMessage(System.Net.HttpStatusCode.OK)
                //{
                //    Content = content
                //};
            }
            else if (state == 5)
            {
                Debug.WriteLine("Pair Setup Step 5/6");
                Debug.WriteLine("Exchange Response");

                var iOSEncryptedData = parts.GetType(Constants.EncryptedData); // A

                int messageDataLength = iOSEncryptedData.Length - 16;

                byte[] messageData = new byte[messageDataLength];
                Buffer.BlockCopy(iOSEncryptedData, 0, messageData, 0, messageDataLength);

                byte[] authTag = new byte[16];
                Buffer.BlockCopy(iOSEncryptedData, messageDataLength, authTag, 0, 16);

                HKDF g          = new HKDF(() => { return(new HMACSHA512()); }, server_K, Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Salt"), Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Info"));
                var  outputKey  = g.GetBytes(32);
                var  hkdfEncKey = outputKey;


                //var testKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0");

                var testKey = StringToByteArray("bd f0 4a a9 5c e4 de 89 95 b1 4b b6 a1 8f ec af 26 47 8f 50 c0 54 f5 63 db c0 a2 1e 26 15 72 aa");

                var testNonce = StringToByteArray("00 00 00 00 01 02 03 04 05 06 07 08");

                var testCipherText = StringToByteArray("64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" +
                                                       "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" +
                                                       "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" +
                                                       "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" +
                                                       "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" +
                                                       "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" +
                                                       "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" +
                                                       "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" +
                                                       "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" +
                                                       "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" +
                                                       "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" +
                                                       "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" +
                                                       "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" +
                                                       "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" +
                                                       "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" +
                                                       "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" +
                                                       "a6 ad 5c b4 02 2b 02 70 9b");



                //var tag1 = Aead.Mac(testKey, testNonce, testCipherText, Aead.Algorithm.Chacha20_Poly1305);
                //Console.WriteLine("Tag: " + ByteArrayToString(tag1));
                //Console.WriteLine("");

                //byte[] pt, ct, key, nonce, tag, aad;
                //key = Cnv.FromHex("1c9240a5eb55d38af333888604f6b5f0473917c1402b80099dca5cbc207075c0");
                //ct = Cnv.FromHex("64a0861575861af460f062c79be643bd5e805cfd345cf389f108670ac76c8cb24c6cfc18755d43eea09ee94e382d26b0bdb7b73c321b0100d4f03b7f355894cf332f830e710b97ce98c8a84abd0b948114ad176e008d33bd60f982b1ff37c8559797a06ef4f0ef61c186324e2b3506383606907b6a7c02b0f9f6157b53c867e4b9166c767b804d46a59b5216cde7a4e99040c5a40433225ee282a1b0a06c523eaf4534d7f83fa1155b0047718cbc546a0d072b04b3564eea1b422273f548271a0bb2316053fa76991955ebd63159434ecebb4e466dae5a1073a6727627097a1049e617d91d361094fa68f0ff77987130305beaba2eda04df997b714d6c6f2c29a6ad5cb4022b02709b");
                //nonce = Cnv.FromHex("000000000102030405060708");
                //aad = Cnv.FromHex("f33388860000000000004e91");
                //tag = Cnv.FromHex("eead9d67890cbb22392336fea1851f39");
                //pt = Aead.Decrypt(ct, key, nonce, aad, tag, Aead.Algorithm.Chacha20_Poly1305);
                //Console.WriteLine("P:" + Cnv.ToHex(pt));

                //// This is UTF-8-encoded text, so display it
                //string Str = Encoding.UTF8.GetString(pt);
                //Console.WriteLine(Str);
                //Console.WriteLine(General.ErrorCode());
                //Console.WriteLine("");



                /*
                 * var testKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0");
                 * var nonce = StringToByteArray("00 00 00 00 01 02 03 04 05 06 07 08");
                 *
                 * var testChacha = new ChaCha20Poly1305();
                 * var testParameters = new ParametersWithIV(new KeyParameter(testKey), nonce);
                 * testChacha.Init(false, testParameters);
                 *
                 * KeyParameter testMacKey = InitRecordMAC(testChacha);
                 *
                 * Console.WriteLine("MAC From Test Vectors");
                 * Console.WriteLine(ByteArrayToString(testMacKey.GetKey()));
                 *
                 * var testCipherText = StringToByteArray("64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" +
                 * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" +
                 * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" +
                 * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" +
                 * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" +
                 * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" +
                 * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" +
                 * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" +
                 * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" +
                 * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" +
                 * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" +
                 * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" +
                 * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" +
                 * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" +
                 * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" +
                 * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" +
                 * "a6 ad 5c b4 02 2b 02 70 9b");
                 *
                 *
                 * var testPoly = new ChaCha20Poly1305.Poly1305();
                 *
                 * testPoly.Init(new KeyParameter(testKey));
                 *
                 * var aad = StringToByteArray("f3 33 88 86 00 00 00 00 00 00 4e 91");
                 *
                 * var polyInput = new byte[0];
                 *
                 * var aadPadding = new byte[0];
                 * var cipherTextPadding = new byte[0];
                 *
                 * if (aad.Length % 16 != 0)
                 * {
                 *  int bytesRequiredForRounding = 16 - (aad.Length % 16);
                 *  aadPadding = new byte[bytesRequiredForRounding];
                 * }
                 *
                 * if (testCipherText.Length % 16 != 0)
                 * {
                 *  int bytesRequiredForRounding = 16 - (testCipherText.Length % 16);
                 *  cipherTextPadding = new byte[bytesRequiredForRounding];
                 * }
                 *
                 * //polyInput = aad.Concat(aadPadding).Concat(testCipherText).Concat(cipherTextPadding).Concat(BitConverter.GetBytes(aad.LongLength)).Concat(BitConverter.GetBytes(testCipherText.LongLength)).ToArray();
                 * polyInput = aad.Concat(aadPadding).Concat(testCipherText).Concat(cipherTextPadding).Concat(BitConverter.GetBytes(aad.LongLength)).Concat(BitConverter.GetBytes(testCipherText.LongLength)).ToArray();
                 *
                 * var expectedPolyInput = StringToByteArray("f3 33 88 86 00 00 00 00 00 00 4e 91 00 00 00 00" +
                 * "64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" +
                 * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" +
                 * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" +
                 * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" +
                 * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" +
                 * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" +
                 * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" +
                 * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" +
                 * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" +
                 * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" +
                 * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" +
                 * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" +
                 * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" +
                 * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" +
                 * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" +
                 * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" +
                 * "a6 ad 5c b4 02 2b 02 70 9b 00 00 00 00 00 00 00" +
                 * "0c 00 00 00 00 00 00 00 09 01 00 00 00 00 00 00");
                 *
                 * var polyMatchesExpectedValue = polyInput.SequenceEqual(expectedPolyInput);
                 *
                 * Debug.WriteLine("Test Poly AEAD Input");
                 * Debug.WriteLine(ByteArrayToString(polyInput));
                 *
                 * testPoly.BlockUpdate(polyInput, 0, polyInput.Length);
                 *
                 * byte[] testCalculatedTag = new byte[testPoly.GetMacSize()];
                 * testPoly.DoFinal(testCalculatedTag, 0);
                 *
                 * Debug.WriteLine("Test Tag");
                 * Debug.WriteLine(ByteArrayToString(testCalculatedTag));
                 *
                 * Debug.Write("H");
                 */

                // *****************************************
                // NaCl test code
                //

                /*
                 * var testKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0");
                 * var testNonce = StringToByteArray("01 02 03 04 05 06 07 08");
                 *
                 * var testChacha = new ChaChaEngine(20);
                 * var testParameters = new ParametersWithIV(new KeyParameter(testKey), testNonce);
                 * testChacha.Init(false, testParameters);
                 *
                 * KeyParameter testMacKey = InitRecordMAC(testChacha);
                 *
                 * var testCipherText = StringToByteArray("64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" +
                 * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" +
                 * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" +
                 * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" +
                 * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" +
                 * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" +
                 * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" +
                 * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" +
                 * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" +
                 * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" +
                 * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" +
                 * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" +
                 * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" +
                 * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" +
                 * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" +
                 * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" +
                 * "a6 ad 5c b4 02 2b 02 70 9b");
                 *
                 * var testReceivedTag = StringToByteArray("ee ad 9d 67 89 0c bb 22 39 23 36 fe a1 85 1f 38");
                 * var testChaChaKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0");
                 * bool verified = OneTimeAuth.Poly1305.Verify(testReceivedTag, testCipherText, testChaChaKey);
                 * var testLongNonce = StringToByteArray("00 00 00 00 01 02 03 04 05 06 07 08");
                 * var decryptedTest = XSalsa20Poly1305.TryDecrypt(testCipherText, testKey, testLongNonce);
                 *
                 * Console.WriteLine(verified);
                 */

                // COSE

                //**************************************
                // TEST CODE FOR BouncyCastle POLY1305

                /*
                 * var testKey = StringToByteArray("1c 92 40 a5 eb 55 d3 8a f3 33 88 86 04 f6 b5 f0 47 39 17 c1 40 2b 80 09 9d ca 5c bc 20 70 75 c0");
                 * var nonce = StringToByteArray("01 02 03 04 05 06 07 08");
                 *
                 * var testChacha = new ChaChaEngine(20);
                 * var testParameters = new ParametersWithIV(new KeyParameter(testKey), nonce);
                 * testChacha.Init(false, testParameters);
                 *
                 * KeyParameter testMacKey = InitRecordMAC(testChacha);
                 *
                 * Console.WriteLine("MAC From Test Vectors");
                 * Console.WriteLine(ByteArrayToString(testMacKey.GetKey()));
                 *
                 * var testCipherText = StringToByteArray("64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" +
                 * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" +
                 * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" +
                 * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" +
                 * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" +
                 * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" +
                 * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" +
                 * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" +
                 * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" +
                 * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" +
                 * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" +
                 * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" +
                 * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" +
                 * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" +
                 * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" +
                 * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" +
                 * "a6 ad 5c b4 02 2b 02 70 9b");
                 *
                 *
                 * var testPoly = new Org.BouncyCastle.Crypto.Macs.Poly1305();
                 *
                 * testPoly.Init(testMacKey);
                 *
                 * var aad = StringToByteArray("f3 33 88 86 00 00 00 00 00 00 4e 91");
                 *
                 * var polyInput = new byte[0];
                 *
                 * var aadPadding = new byte[0];
                 * var cipherTextPadding = new byte[0];
                 *
                 * if (aad.Length % 16 != 0)
                 * {
                 *  int bytesRequiredForRounding = 16 - (aad.Length % 16);
                 *  aadPadding = new byte[bytesRequiredForRounding];
                 * }
                 *
                 * if (testCipherText.Length % 16 != 0)
                 * {
                 *  int bytesRequiredForRounding = 16 - (testCipherText.Length % 16);
                 *  cipherTextPadding = new byte[bytesRequiredForRounding];
                 * }
                 *
                 * polyInput = aad.Concat(aadPadding).Concat(testCipherText).Concat(cipherTextPadding).Concat(BitConverter.GetBytes(aad.LongLength)).Concat(BitConverter.GetBytes(testCipherText.LongLength)).ToArray();
                 *
                 * var expectedPolyInput = StringToByteArray("f3 33 88 86 00 00 00 00 00 00 4e 91 00 00 00 00" +
                 * "64 a0 86 15 75 86 1a f4 60 f0 62 c7 9b e6 43 bd" +
                 * "5e 80 5c fd 34 5c f3 89 f1 08 67 0a c7 6c 8c b2" +
                 * "4c 6c fc 18 75 5d 43 ee a0 9e e9 4e 38 2d 26 b0" +
                 * "bd b7 b7 3c 32 1b 01 00 d4 f0 3b 7f 35 58 94 cf" +
                 * "33 2f 83 0e 71 0b 97 ce 98 c8 a8 4a bd 0b 94 81" +
                 * "14 ad 17 6e 00 8d 33 bd 60 f9 82 b1 ff 37 c8 55" +
                 * "97 97 a0 6e f4 f0 ef 61 c1 86 32 4e 2b 35 06 38" +
                 * "36 06 90 7b 6a 7c 02 b0 f9 f6 15 7b 53 c8 67 e4" +
                 * "b9 16 6c 76 7b 80 4d 46 a5 9b 52 16 cd e7 a4 e9" +
                 * "90 40 c5 a4 04 33 22 5e e2 82 a1 b0 a0 6c 52 3e" +
                 * "af 45 34 d7 f8 3f a1 15 5b 00 47 71 8c bc 54 6a" +
                 * "0d 07 2b 04 b3 56 4e ea 1b 42 22 73 f5 48 27 1a" +
                 * "0b b2 31 60 53 fa 76 99 19 55 eb d6 31 59 43 4e" +
                 * "ce bb 4e 46 6d ae 5a 10 73 a6 72 76 27 09 7a 10" +
                 * "49 e6 17 d9 1d 36 10 94 fa 68 f0 ff 77 98 71 30" +
                 * "30 5b ea ba 2e da 04 df 99 7b 71 4d 6c 6f 2c 29" +
                 * "a6 ad 5c b4 02 2b 02 70 9b 00 00 00 00 00 00 00" +
                 * "0c 00 00 00 00 00 00 00 09 01 00 00 00 00 00 00");
                 *
                 * var polyMatchesExpectedValue = polyInput.SequenceEqual(expectedPolyInput);
                 *
                 * Debug.WriteLine("Test Poly AEAD Input");
                 * Debug.WriteLine(ByteArrayToString(polyInput));
                 *
                 * //byte[] testCalculatedTag = new byte[testPoly.GetMacSize()];
                 *
                 * testPoly.BlockUpdate(polyInput, 0, polyInput.Length);
                 *
                 *
                 * byte[] testCalculatedTag = new byte[100];
                 *
                 * for (int i = 0; i < 84; i++)
                 * {
                 *  testPoly.DoFinal(testCalculatedTag, i);
                 *
                 *  Debug.WriteLine("Test Tag");
                 *  Debug.WriteLine(ByteArrayToString(testCalculatedTag));
                 * }
                 *
                 *
                 *
                 *
                 * Debug.Write("H");
                 *
                 * testPoly = new Org.BouncyCastle.Crypto.Macs.Poly1305();
                 *
                 * testPoly.Init(testMacKey);
                 *
                 * // The AAD
                 * //
                 * testPoly.BlockUpdate(aad, 0, aad.Length);
                 *
                 * // The AAD padding
                 * //
                 * if (aad.Length % 16 != 0)
                 * {
                 *  int bytesRequiredForRounding = 16 - (aad.Length % 16);
                 *  testPoly.BlockUpdate(new byte[bytesRequiredForRounding], 0, bytesRequiredForRounding);
                 * }
                 *
                 * // The ciphertext.
                 * //
                 * testPoly.BlockUpdate(testCipherText, 0, testCipherText.Length);
                 *
                 * // The ciphertext padding length.
                 * //
                 * if (testCipherText.Length % 16 != 0)
                 * {
                 *  int bytesRequiredForRounding = 16 - (testCipherText.Length % 16);
                 *  testPoly.BlockUpdate(new byte[bytesRequiredForRounding], 0, bytesRequiredForRounding);
                 * }
                 *
                 * // The length of the AAD
                 * //
                 * testPoly.BlockUpdate(BitConverter.GetBytes(aad.LongLength), 0, 8);
                 *
                 * // The length of the ciphertext
                 * //
                 * testPoly.BlockUpdate(BitConverter.GetBytes(testCipherText.LongLength), 0, 8);
                 *
                 * // Compute the final key
                 * //
                 * byte[] alternativeTestCalculatedTag = new byte[testPoly.GetMacSize()];
                 * testPoly.DoFinal(alternativeTestCalculatedTag, 0);
                 *
                 * Debug.WriteLine("Alternative Test Tag");
                 * Debug.WriteLine(ByteArrayToString(alternativeTestCalculatedTag));
                 *
                 * // Decrypt
                 * //
                 * var testOutput = new byte[testCipherText.Length];
                 * testChacha.ProcessBytes(testCipherText, 0, testCipherText.Length, testOutput, 0);
                 *
                 * Debug.WriteLine("Decrypted Test CipherText");
                 * Debug.WriteLine(ByteArrayToString(testOutput));
                 *
                 */
                // END OF BouncyCastle Poly1305 Test Code
                //********************************************



                //var chacha = new ChaChaEngine(20);
                //var parameters = new ParametersWithIV(new KeyParameter(outputKey), Encoding.UTF8.GetBytes("PS-Msg05"));
                //chacha.Init(false, parameters);

                //KeyParameter macKey = InitRecordMAC(chacha);

                //var iOSPoly = new Org.BouncyCastle.Crypto.Macs.Poly1305();

                #region OLD POLY

                /*
                 * iOSPoly.Init(macKey);
                 *
                 * // The AAD padding length.
                 * //
                 * //iOSPoly.BlockUpdate(new byte[4], 0, 4);
                 *
                 * // The ciphertext.
                 * //
                 * iOSPoly.BlockUpdate(messageData, 0, messageData.Length);
                 *
                 * // The ciphertext padding length.
                 * //
                 * if (messageData.Length % 16 != 0)
                 * {
                 *  int bytesRequiredForRounding = 16 - (messageData.Length % 16);
                 *  iOSPoly.BlockUpdate(new byte[bytesRequiredForRounding], 0, bytesRequiredForRounding);
                 * }
                 *
                 * // The length of the AAD
                 * //
                 * iOSPoly.BlockUpdate(new byte[8], 0, 8);
                 *
                 * // The length of the ciphertext
                 * //
                 * iOSPoly.BlockUpdate(BitConverter.GetBytes(messageData.LongLength), 0, 8);
                 *
                 * // Compute the final key
                 * //
                 * byte[] calculatedMAC = new byte[iOSPoly.GetMacSize()];
                 * iOSPoly.DoFinal(calculatedMAC, 0);
                 *
                 * // Verify this calculatedMac matches the iOS authTag.
                 * // This is failing, which implies the way I'm generating the MAC is incorrect.
                 * //
                 * //bool isAuthTagValid = CryptoBytes.ConstantTimeEquals(authTag, calculatedMAC);
                 * //if (!isAuthTagValid)
                 * //{
                 * //    return new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest);
                 * //}
                 */
                #endregion

                //byte[] output = new byte[messageData.Length];
                //chacha.ProcessBytes(messageData, 0, messageData.Length, output, 0);



                byte[] output, ct, key, nonce, tag, aad;
                key    = outputKey;
                ct     = messageData;
                nonce  = Cnv.FromHex("00000000").Concat(Encoding.UTF8.GetBytes("PS-Msg05")).ToArray();
                aad    = new byte[0];
                tag    = authTag;
                output = Aead.Decrypt(ct, key, nonce, aad, tag, Aead.Algorithm.Chacha20_Poly1305);
                Console.WriteLine("P:" + Cnv.ToHex(output));

                // This is UTF-8-encoded text, so display it
                string Str = Encoding.UTF8.GetString(output);
                Console.WriteLine(Str);
                Console.WriteLine(General.ErrorCode());
                Console.WriteLine("");



                Debug.WriteLine("Decrypted TLV");
                Debug.WriteLine(ByteArrayToString(output));

                var subData = TLVParser.Parse(output);

                byte[] username = subData.GetType(Constants.Identifier);
                byte[] ltpk     = subData.GetType(Constants.PublicKey);
                byte[] proof    = subData.GetType(Constants.Signature);



                Console.WriteLine("iOSDeviceInfo");
                Console.WriteLine($"Username [{username.Length}]: {Encoding.UTF8.GetString(username)}");
                Console.WriteLine($"LTPK [{ltpk.Length}]: {ByteArrayToString(ltpk)}");
                Console.WriteLine($"Proof [{proof.Length}]: {ByteArrayToString(proof)}");

                // Verify the proof matches the INFO
                //
                HKDF   hkdf = new HKDF(() => { return(new HMACSHA512()); }, server_K, Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Salt"), Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Info"));
                byte[] okm  = hkdf.GetBytes(32);

                byte[] completeData = okm.Concat(username).Concat(ltpk).ToArray();

                if (!Ed25519.Verify(proof, completeData, ltpk))
                {
                    Console.WriteLine("Verification failed as iOS provided code was incorrect");
                    var errorTLV = new TLV();
                    errorTLV.AddType(Constants.Error, ErrorCodes.Authentication);

                    byte[] errorOutput = TLVParser.Serialise(errorTLV);

                    return(new Tuple <string, byte[]>("application/pairing+tlv8", errorOutput));

                    //var errorContent = new ByteArrayContent(output);
                    //errorContent.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/pairing+tlv8");

                    //return new HttpResponseMessage(System.Net.HttpStatusCode.OK)
                    //{
                    //    Content = errorContent
                    //};
                }

                Console.WriteLine("Step 5/6 is complete.");

                Console.WriteLine("Pair Setup Step 6/6");
                Console.WriteLine("Response Generation");

                g         = new HKDF(() => { return(new HMACSHA512()); }, server_K, Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Salt"), Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Info"));
                outputKey = g.GetBytes(32);

                // Create the AccessoryLTPK
                //
                byte[] accessoryLTSK;
                byte[] accessoryLTPK;

                var seed = new byte[32];
                RandomNumberGenerator.Create().GetBytes(seed);

                Ed25519.KeyPairFromSeed(out accessoryLTPK, out accessoryLTSK, seed);

                File.WriteAllBytes("PrivateKey", accessoryLTSK);

                var serverUsername = Encoding.UTF8.GetBytes(Program.ID);

                byte[] material = outputKey.Concat(serverUsername).Concat(accessoryLTPK).ToArray();

                byte[] signature = Ed25519.Sign(material, accessoryLTSK);

                Console.WriteLine("AccessoryDeviceInfo");
                Console.WriteLine($"Username [{serverUsername.Length}]: {ByteArrayToString(serverUsername)}");
                Console.WriteLine($"LTPK [{accessoryLTPK.Length}]: {ByteArrayToString(accessoryLTPK)}");
                Console.WriteLine($"Proof [{signature.Length}]: {ByteArrayToString(signature)}");

                TLV encoder = new TLV();
                encoder.AddType(Constants.Identifier, serverUsername);
                encoder.AddType(Constants.PublicKey, accessoryLTPK);
                encoder.AddType(Constants.Signature, signature);

                // Verify our own signature
                //
                Ed25519.Verify(signature, material, accessoryLTPK);

                byte[] plaintext = TLVParser.Serialise(encoder);

                //chacha = new ChaChaEngine(20);
                //parameters = new ParametersWithIV(new KeyParameter(hkdfEncKey), Encoding.UTF8.GetBytes("PS-Msg06"));
                //chacha.Init(true, parameters);

                //macKey = InitRecordMAC(chacha);

                //byte[] ciphertext = new byte[plaintext.Length];
                //chacha.ProcessBytes(plaintext, 0, plaintext.Length, ciphertext, 0);

                //var poly = new Poly1305();
                //iOSPoly.Init(macKey);

                //iOSPoly.BlockUpdate

                //iOSPoly.BlockUpdate(ciphertext, 0, ciphertext.Length);

                //iOSPoly.BlockUpdate(BitConverter.GetBytes((long)ciphertext.Length), 0, 8);

                //var accessoryCalculatedMAC = new byte[iOSPoly.GetMacSize()];
                //iOSPoly.DoFinal(accessoryCalculatedMAC, 0);
                //var accessoryCalculatedMAC = Sodium.OneTimeAuth.Sign(Encoding.UTF8.GetString(ciphertext), macKey.GetKey());
                //var verifyMac = Sodium.OneTimeAuth.Verify(ciphertext, accessoryCalculatedMAC, macKey.GetKey());

                //byte[] pt, ct, key, nonce, tag, aad;
                //key = Cnv.FromHex("071b113b 0ca743fe cccf3d05 1f737382");
                //nonce = Cnv.FromHex("f0761e8d cd3d0001 76d457ed");
                //aad = Cnv.FromHex("e20106d7 cd0df076 1e8dcd3d 88e54c2a 76d457ed");
                //pt = Cnv.FromHex("08000f10 11121314 15161718 191a1b1c 1d1e1f20 21222324 25262728 292a2b2c 2d2e2f30 31323334 0004");
                //tag = new byte[0];    // Do this to avoid "before it has been assigned a value" error
                //ct = Aead.Encrypt(out tag, pt, key, nonce, aad, Aead.Algorithm.Aes_128_Gcm);
                //Console.WriteLine("C: " + Cnv.ToHex(ct));
                //Console.WriteLine("T: " + Cnv.ToHex(tag));


                //byte[] ret = ciphertext.Concat(accessoryCalculatedMAC).ToArray();



                //TLV responseTLV = new TLV();
                //responseTLV.AddType(Constants.State, 6);
                //responseTLV.AddType(Constants.EncryptedData, ret);

                //output = TLVParser.Serialise(responseTLV);

                //ByteArrayContent content = new ByteArrayContent(output);
                //content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/pairing+tlv8");

                //Console.WriteLine("Step 6/6 is complete.");

                //return new HttpResponseMessage(System.Net.HttpStatusCode.OK)
                //{
                //    Content = content
                //};

                nonce = Cnv.FromHex("00000000").Concat(Encoding.UTF8.GetBytes("PS-Msg06")).ToArray();
                aad   = new byte[0];

                byte[] outputTag = new byte[0];

                var encryptedOutput = Aead.Encrypt(out outputTag, plaintext, hkdfEncKey, nonce, aad, Aead.Algorithm.Chacha20_Poly1305);

                Console.WriteLine($"EncryptionStatus: {General.ErrorCode()}");

                // Test the decryption
                //
                Aead.Decrypt(encryptedOutput, hkdfEncKey, nonce, aad, outputTag, Aead.Algorithm.Chacha20_Poly1305);

                Console.WriteLine($"DecryptionStatus: {General.ErrorCode()}");

                byte[] ret = encryptedOutput.Concat(outputTag).ToArray();

                TLV responseTLV = new TLV();
                responseTLV.AddType(Constants.State, 6);
                responseTLV.AddType(Constants.EncryptedData, ret);

                output = TLVParser.Serialise(responseTLV);

                return(new Tuple <string, byte[]>("application/pairing+tlv8", output));

                //ByteArrayContent content = new ByteArrayContent(output);
                //content.Headers.ContentType = new System.Net.Http.Headers.MediaTypeHeaderValue("application/pairing+tlv8");

                //Console.WriteLine("Step 6/6 is complete.");

                //return new HttpResponseMessage(System.Net.HttpStatusCode.OK)
                //{
                //    Content = content
                //};
            }

            return(null);

            //return new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest);
        }
Exemple #12
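        /// <summary>
        /// Handles one Pair Verify request. State 1 generates an ephemeral Curve25519 key pair, signs the
        /// accessory info with the long-term Ed25519 key and returns the encrypted state-2 response;
        /// state 3 marks the session as verified and returns the state-4 response.
        /// </summary>
        /// <param name="body">TLV-encoded request body; presumably supplied by the remote controller, so treated as untrusted.</param>
        /// <param name="session">Session object that receives the derived key material and the verification flags.</param>
        /// <returns>
        /// The response content type and serialised TLV payload, or <c>null</c> when the request is rejected
        /// (unknown state, missing or wrongly sized public key, or state 3 without a preceding state 1).
        /// </returns>
        public Tuple<string, byte[]> Post(byte[] body, ControllerSession session)
        {
            // Curve25519 public keys are exactly 32 bytes long.
            const int Curve25519KeyLength = 32;

            var parts = TLVParser.Parse(body);

            var state = parts.GetTypeAsInt(Constants.State);

            if (state == 1)
            {
                Console.WriteLine("* Pair Verify Step 1/4");
                Console.WriteLine("* Verify Start Request");

                var clientPublicKey = parts.GetType(Constants.PublicKey);

                // The key comes straight from the request: refuse a missing or wrongly sized value
                // before it reaches the key agreement and the signed material.
                if (clientPublicKey == null || clientPublicKey.Length != Curve25519KeyLength)
                {
                    Console.WriteLine("* Pair Verify rejected: missing or malformed controller public key");
                    return null;
                }

                // Fresh ephemeral key pair for this verification attempt.
                byte[] privateKey = new byte[Curve25519KeyLength];
                SecureRandom random = new SecureRandom();
                random.NextBytes(privateKey);

                var publicKey = Curve25519.GetPublicKey(privateKey);

                var sharedSecret = Curve25519.GetSharedSecret(privateKey, clientPublicKey);

                var serverUsername = Encoding.UTF8.GetBytes(Program.ID);

                // Signed material: accessory ephemeral key || accessory identifier || controller ephemeral key.
                byte[] material = publicKey.Concat(serverUsername).Concat(clientPublicKey).ToArray();

                // NOTE(review): the long-term signing key is read from a relative path, so it resolves
                // against the process working directory, and nothing here shows it being protected at
                // rest. Confirm the file's location and permissions, or move it to an OS-protected store.
                var accessoryLTSK = File.ReadAllBytes("PrivateKey");

                byte[] proof = Ed25519.Sign(material, accessoryLTSK);

                HKDF g = new HKDF(() => new HMACSHA512(), sharedSecret, Encoding.UTF8.GetBytes("Pair-Verify-Encrypt-Salt"), Encoding.UTF8.GetBytes("Pair-Verify-Encrypt-Info"));
                var outputKey = g.GetBytes(32);

                TLV encoder = new TLV();
                encoder.AddType(Constants.Identifier, serverUsername);
                encoder.AddType(Constants.Signature, proof);

                byte[] plaintext = TLVParser.Serialise(encoder);

                // 12-byte nonce: four zero bytes followed by the 8-byte message label.
                var nonce = Cnv.FromHex("00000000").Concat(Encoding.UTF8.GetBytes("PV-Msg02")).ToArray();
                var aad = new byte[0];

                byte[] outputTag = new byte[0];

                var encryptedOutput = Aead.Encrypt(out outputTag, plaintext, outputKey, nonce, aad, Aead.Algorithm.Chacha20_Poly1305);

                // The encrypted sub-TLV is sent as ciphertext followed by the authentication tag.
                byte[] ret = encryptedOutput.Concat(outputTag).ToArray();

                TLV responseTLV = new TLV();
                responseTLV.AddType(Constants.State, 2);
                responseTLV.AddType(Constants.PublicKey, publicKey);
                responseTLV.AddType(Constants.EncryptedData, ret);

                // Store the details on the session.
                //
                session.ClientPublicKey = clientPublicKey;
                session.PrivateKey      = privateKey;
                session.PublicKey       = publicKey;
                session.SharedSecret    = sharedSecret;
                session.HkdfPairEncKey  = outputKey;

                // The control-channel keys are derived here, i.e. before the controller has proven
                // anything; they must not be used until the state-3 request has been accepted.
                var encSalt   = Encoding.UTF8.GetBytes("Control-Salt");
                var infoRead  = Encoding.UTF8.GetBytes("Control-Read-Encryption-Key");
                var infoWrite = Encoding.UTF8.GetBytes("Control-Write-Encryption-Key");

                g = new HKDF(() => new HMACSHA512(), sharedSecret, encSalt, infoRead);
                session.AccessoryToControllerKey = g.GetBytes(32);

                g = new HKDF(() => new HMACSHA512(), sharedSecret, encSalt, infoWrite);
                session.ControllerToAccessoryKey = g.GetBytes(32);

                var output = TLVParser.Serialise(responseTLV);

                return new Tuple<string, byte[]>("application/pairing+tlv8", output);
            }
            else if (state == 3)
            {
                Console.WriteLine("* Pair Verify Step 3/4");
                Console.WriteLine("* Verify Finish Request");

                // A state-3 request is only meaningful after state 1 has populated this session;
                // without that there are no session keys and nothing to verify against.
                if (session.SharedSecret == null || session.HkdfPairEncKey == null)
                {
                    Console.WriteLine("* Pair Verify rejected: state 3 received before state 1");
                    return null;
                }

                // NOTE(review): nothing in this branch decrypts the EncryptedData of the request or
                // checks the controller's Ed25519 signature against a long-term public key recorded
                // during Pair Setup, so the session is marked verified without the controller being
                // authenticated. That check needs the stored controller key, which is not visible from
                // this method; until it is added, IsVerified only shows that a state-1 exchange took
                // place on this session and must not be treated as proof of a paired controller.
                session.IsVerified          = true;
                session.SkipFirstEncryption = true;

                TLV responseTLV = new TLV();
                responseTLV.AddType(Constants.State, 4);

                var output = TLVParser.Serialise(responseTLV);

                return new Tuple<string, byte[]>("application/pairing+tlv8", output);
            }

            // Unknown state: callers receive null, as for the other rejected requests above.
            return null;
        }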