public void SrpIntegerToByteArrayConversion()
{
var si = SrpInteger.FromHex("02");
var arr = new byte[] { 0x02 };
Assert.IsTrue(Enumerable.SequenceEqual(arr, si.ToByteArray()));
si = SrpInteger.FromHex("01F2C3A4B506");
arr = new byte[] { 0x01, 0xF2, 0xC3, 0xA4, 0xB5, 0x06 };
Assert.IsTrue(Enumerable.SequenceEqual(arr, si.ToByteArray()));
si = SrpInteger.FromHex("ed3250071433e544b62b5dd0341564825a697357b5379f07aabca795a4e0a109");
arr = new byte[] { 0xed, 0x32, 0x50, 0x07, 0x14, 0x33, 0xe5, 0x44, 0xb6, 0x2b, 0x5d, 0xd0, 0x34, 0x15, 0x64, 0x82, 0x5a, 0x69, 0x73, 0x57, 0xb5, 0x37, 0x9f, 0x07, 0xaa, 0xbc, 0xa7, 0x95, 0xa4, 0xe0, 0xa1, 0x09 };
Assert.IsTrue(Enumerable.SequenceEqual(arr, si.ToByteArray()));
si = new SrpInteger("B0", 10);
arr = new byte[] { 0, 0, 0, 0, 0xb0 };
Assert.IsTrue(Enumerable.SequenceEqual(arr, si.ToByteArray()));
}
public void SrpIntegerFromBytes()
{
var si = SrpInteger.FromByteArray(new byte[] { 0x12 });
Assert.AreEqual("12", si.ToHex());
si = SrpInteger.FromByteArray(new byte[] { 0xff });
Assert.AreEqual("ff", si.ToHex());
si = SrpInteger.FromByteArray(new byte[] { 0x12, 0x34 });
Assert.AreEqual("1234", si.ToHex());
si = SrpInteger.FromByteArray(new byte[] { 0xfa, 0xc3 });
Assert.AreEqual("fac3", si.ToHex());
si = SrpInteger.FromByteArray(null);
Assert.AreEqual(SrpInteger.Zero, si);
si = SrpInteger.FromByteArray(new byte[0]);
Assert.AreEqual(SrpInteger.Zero, si);
}
public void SrpClientDerivesThePrivateKeyAndVerifier()
{
// validate intermediate steps
var userName = "******";
var password = "******";
H H = new SrpHash <SHA256>().ComputeHash;
var step1 = H($"{userName}:{password}");
Assert.AreEqual(SrpInteger.FromHex("ed3250071433e544b62b5dd0341564825a697357b5379f07aabca795a4e0a109"), step1);
// step1.1
var salt = "34ada39bbabfa6e663f1aad3d7814121";
var s = SrpInteger.FromHex(salt);
var step11 = H(s);
Assert.AreEqual(SrpInteger.FromHex("a5acfc1292e1b8e171b7c9a0f7b5bcd9bbcd4a3485c18d9d4fcf4480e8573442"), step11);
// step1.2
var step12 = H(step1);
Assert.AreEqual(SrpInteger.FromHex("446d597ddf0e65ca0395926665e70f10a2b0f8194f633243e71359028895be6f"), step12);
// step2
var step2 = H(s, step1);
Assert.AreEqual(SrpInteger.FromHex("e2db59181003e48e326292b3b307a1173a5f1fd12c6ffde55f7289503065fd6c"), step2);
// private key derivation is deterministic for the same s, I, p
var privateKey = new SrpClient().DerivePrivateKey(salt, userName, password);
Assert.AreEqual("e2db59181003e48e326292b3b307a1173a5f1fd12c6ffde55f7289503065fd6c", privateKey);
// verifier
var verifier = new SrpClient().DeriveVerifier(privateKey);
Assert.AreEqual("622dad56d6c282a949f9d2702941a9866b7dd277af92a6e538b2d7cca42583275a2f4b64bd61369a24b23170223faf212e2f3bdddc529204c61055687c4162aa2cd0fd41ced0186406b8a6dda4802fa941c54f5115ca69953a8e265210349a4cb89dda3febc96c86df08a87823235ff6c87a170cc1618f38ec493e758e2cac4c04db3dcdac8656458296dbcc3599fc1f66cde1e62e477dd1696c65dbeb413d8ed832adc7304e68566b46a7849126eea62c95d5561306f76fe1f8a77a3bd85db85e6b0262064d665890ff46170f96ce403a9b485abe387e91ca85e3522d6276e2fff41754d57a71dee6da62aea614725da100631efd7442cf68a294001d8134e9", verifier);
}
public void SrpIntegetModPowCompatibleWithJsbn()
{
// jsbn results:
// 5 ^ 3 % 1000 = <SRPInteger 7d> = 125
// -5 ^ 3 % 1000 = <SRPInteger f83> = 0x1000-0x7d
// 5 ^ 33 % 1000 = <SRPInteger 2bd> = 701
//-5 ^ 33 % 1000 = <SRPInteger d43> = 0x1000-0x2bd,
// 5 ^ 90 % 1000 = <SRPInteger dc1>
//-5 ^ 90 % 1000 = <SRPInteger dc1>
var p5 = SrpInteger.FromHex("5");
var n5 = SrpInteger.FromHex("-5");
var x3 = SrpInteger.FromHex("3");
var x33 = SrpInteger.FromHex("33");
var x90 = SrpInteger.FromHex("90");
var m = SrpInteger.FromHex("1000");
var result = p5.ModPow(x3, m);
Assert.AreEqual("007d", result.ToHex());
result = p5.ModPow(x33, m);
Assert.AreEqual("02bd", result.ToHex());
result = p5.ModPow(x90, m);
Assert.AreEqual("0dc1", result.ToHex());
result = n5.ModPow(x3, m);
Assert.AreEqual("0f83", result.ToHex());
result = n5.ModPow(x33, m);
Assert.AreEqual("0d43", result.ToHex());
result = n5.ModPow(x90, m);
Assert.AreEqual("0dc1", result.ToHex());
}
internal Tlv HandlePairSetupM5Raw(ConnectionSession session, out KeyPair keyPair)
{
var hdkf = new HkdfSha512();
var accessory = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(session.ServerSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Info"), 32);
keyPair = KeyGenerator.GenerateNewPair();
var serverUsername = Encoding.UTF8.GetBytes(HapControllerServer.HapControllerId);
var material = accessory.Concat(serverUsername).Concat(keyPair.PublicKey).ToArray();
var signature = Chaos.NaCl.Ed25519.Sign(material, keyPair.PrivateKey);
var encoder = new Tlv();
encoder.AddType(Constants.Identifier, serverUsername);
encoder.AddType(Constants.PublicKey, keyPair.PublicKey);
encoder.AddType(Constants.Signature, signature);
return(encoder);
}
public void SrpIntegerSubtract()
{
var result = SrpInteger.FromHex("5340") - SrpInteger.FromHex("5181");
Assert.AreEqual("01bf", result.ToHex());
}
public void SrpIntegerAdd()
{
var result = SrpInteger.FromHex("353") + SrpInteger.FromHex("181");
Assert.AreEqual("4d4", result.ToHex());
}
public void SrpIntegerModulo()
{
var result = SrpInteger.FromHex("10") % SrpInteger.FromHex("9");
Assert.AreEqual("7", result.ToHex());
}
internal PairSetupReturn HandlePairSetupM5(Tlv parts, ConnectionSession session)
{
_logger.LogDebug("Pair Setup Step 5/5");
_logger.LogDebug("Exchange Response");
try
{
var iOsEncryptedData = parts.GetType(Constants.EncryptedData).AsSpan(); // A
var zeros = new byte[] { 0, 0, 0, 0 };
var nonce = new Nonce(zeros, Encoding.UTF8.GetBytes("PS-Msg05"));
var hdkf = new HkdfSha512();
var hkdfEncKey = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(session.ServerSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Info"), 32);
var decrypt = AeadAlgorithm.ChaCha20Poly1305.Decrypt(
Key.Import(AeadAlgorithm.ChaCha20Poly1305, hkdfEncKey, KeyBlobFormat.RawSymmetricKey), nonce,
new byte[0], iOsEncryptedData, out var output);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 6);
if (!decrypt)
{
responseTlv.AddType(Constants.Error, ErrorCodes.Authentication);
return(new PairSetupReturn
{
State = 5,
TlvData = responseTlv,
Ok = false
});
}
var subData = TlvParser.Parse(output);
byte[] username = subData.GetType(Constants.Identifier);
byte[] ltpk = subData.GetType(Constants.PublicKey);
byte[] proof = subData.GetType(Constants.Signature);
var okm = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(session.ServerSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Info"), 32);
var completeData = okm.Concat(username).Concat(ltpk).ToArray();
if (!SignatureAlgorithm.Ed25519.Verify(
PublicKey.Import(SignatureAlgorithm.Ed25519, ltpk, KeyBlobFormat.RawPublicKey), completeData,
proof))
{
var errorTlv = new Tlv();
errorTlv.AddType(Constants.Error, ErrorCodes.Authentication);
return(new PairSetupReturn
{
State = 5,
TlvData = errorTlv,
Ok = false
});
}
var m5Response = HandlePairSetupM5Raw(session, out var keyPair);
var plaintext = TlvParser.Serialize(m5Response);
_logger.LogDebug($"Decrypted payload {Automatica.Core.Driver.Utility.Utils.ByteArrayToString(plaintext.AsSpan())}");
var nonce6 = new Nonce(zeros, Encoding.UTF8.GetBytes("PS-Msg06"));
var encryptedOutput = AeadAlgorithm.ChaCha20Poly1305.Encrypt(
Key.Import(AeadAlgorithm.ChaCha20Poly1305, hkdfEncKey, KeyBlobFormat.RawSymmetricKey), nonce6,
new byte[0], plaintext);
responseTlv.AddType(Constants.EncryptedData, encryptedOutput);
return(new PairSetupReturn
{
State = 5,
TlvData = responseTlv,
Ok = true,
Ltsk = ByteArrayToString(keyPair.PrivateKey),
Ltpk = ByteArrayToString(ltpk)
});
}
catch (Exception e)
{
_logger.LogError(e, $"{e}, Could not exchange request");
throw;
}
}
public void SrpIntegerMultiply()
{
var result = SrpInteger.FromHex("CAFE") * SrpInteger.FromHex("babe");
Assert.AreEqual("94133484", result.ToHex(8));
}
public PairSetupReturn Post(Tlv parts)
{
var customParams = SrpParameters.Create3072 <SHA512>();
var state = parts.GetTypeAsInt(Constants.State);
if (state == 1) //srp sign up
{
var rnd = new Random();
_salt = new byte[16];
rnd.NextBytes(_salt);
_saltInt = SrpInteger.FromByteArray(_salt);
var srp = new SrpClient(customParams);
_privateKey = srp.DerivePrivateKey(_saltInt.ToHex(), Username, _code);
_verifier = srp.DeriveVerifier(_privateKey);
_server = new SrpServer(customParams);
_serverEphemeral = _server.GenerateEphemeral(_verifier);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 2);
responseTlv.AddType(Constants.PublicKey, StringToByteArray(_serverEphemeral.Public));
responseTlv.AddType(Constants.Salt, _salt);
return(new PairSetupReturn
{
State = 1,
TlvData = responseTlv,
Ok = true
});
}
if (state == 3) //srp authenticate
{
_logger.LogDebug("Pair Setup Step 3/6");
_logger.LogDebug("SRP Verify Request");
var pubKey = parts.GetType(Constants.PublicKey);
var proof = parts.GetType(Constants.Proof);
var iOsPublicKey = SrpInteger.FromByteArray(pubKey);
var iOsProof = SrpInteger.FromByteArray(proof);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 4);
var ok = true;
try
{
_serverSession = _server.DeriveSession(_serverEphemeral.Secret, iOsPublicKey.ToHex(), _saltInt.ToHex(), Username, _verifier,
iOsProof.ToHex());
_logger.LogInformation("Verification was successful. Generating Server Proof (M2)");
responseTlv.AddType(Constants.Proof, StringToByteArray(_serverSession.Proof));
}
catch (Exception)
{
ok = false;
_logger.LogError("Verification failed as iOS provided code was incorrect");
responseTlv.AddType(Constants.Error, ErrorCodes.Authentication);
}
return(new PairSetupReturn
{
State = 3,
Ok = ok,
TlvData = responseTlv
});
}
if (state == 5)
{
_logger.LogDebug("Pair Setup Step 5/6");
_logger.LogDebug("Exchange Response");
try
{
var iOsEncryptedData = parts.GetType(Constants.EncryptedData).AsSpan(); // A
var zeros = new byte[] { 0, 0, 0, 0 };
var nonce = new Nonce(zeros, Encoding.UTF8.GetBytes("PS-Msg05"));
var hdkf = new HkdfSha512();
var hkdfEncKey = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(_serverSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Encrypt-Info"), 32);
var decrypt = AeadAlgorithm.ChaCha20Poly1305.Decrypt(
Key.Import(AeadAlgorithm.ChaCha20Poly1305, hkdfEncKey, KeyBlobFormat.RawSymmetricKey), nonce,
new byte[0], iOsEncryptedData, out var output);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 6);
if (!decrypt)
{
responseTlv.AddType(Constants.Error, ErrorCodes.Authentication);
return(new PairSetupReturn
{
State = 5,
TlvData = responseTlv,
Ok = false
});
}
var subData = TlvParser.Parse(output);
byte[] username = subData.GetType(Constants.Identifier);
byte[] ltpk = subData.GetType(Constants.PublicKey);
byte[] proof = subData.GetType(Constants.Signature);
var okm = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(_serverSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Controller-Sign-Info"), 32);
var completeData = okm.Concat(username).Concat(ltpk).ToArray();
if (!SignatureAlgorithm.Ed25519.Verify(
PublicKey.Import(SignatureAlgorithm.Ed25519, ltpk, KeyBlobFormat.RawPublicKey), completeData,
proof))
{
var errorTlv = new Tlv();
errorTlv.AddType(Constants.Error, ErrorCodes.Authentication);
return(new PairSetupReturn
{
State = 5,
TlvData = errorTlv,
Ok = false
});
}
var accessory = hdkf.DeriveBytes(
SharedSecret.Import(SrpInteger.FromHex(_serverSession.Key).ToByteArray()),
Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Salt"),
Encoding.UTF8.GetBytes("Pair-Setup-Accessory-Sign-Info"), 32);
var seed = new byte[32];
RandomNumberGenerator.Create().GetBytes(seed);
Chaos.NaCl.Ed25519.KeyPairFromSeed(out var accessoryLtpk, out var accessoryLtsk, seed);
var serverUsername = Encoding.UTF8.GetBytes(HapControllerServer.HapControllerId);
var material = accessory.Concat(serverUsername).Concat(accessoryLtpk).ToArray();
var signature = Chaos.NaCl.Ed25519.Sign(material, accessoryLtsk);
var encoder = new Tlv();
encoder.AddType(Constants.Identifier, serverUsername);
encoder.AddType(Constants.PublicKey, accessoryLtpk);
encoder.AddType(Constants.Signature, signature);
var plaintext = TlvParser.Serialise(encoder);
var nonce6 = new Nonce(zeros, Encoding.UTF8.GetBytes("PS-Msg06"));
var encryptedOutput = AeadAlgorithm.ChaCha20Poly1305.Encrypt(
Key.Import(AeadAlgorithm.ChaCha20Poly1305, hkdfEncKey, KeyBlobFormat.RawSymmetricKey), nonce6,
new byte[0], plaintext);
responseTlv.AddType(Constants.EncryptedData, encryptedOutput);
return(new PairSetupReturn
{
State = 5,
TlvData = responseTlv,
Ok = true,
Ltsk = ByteArrayToString(accessoryLtsk),
Ltpk = ByteArrayToString(ltpk)
});
}
catch (Exception e)
{
_logger.LogError(e, "Could not exchange request");
throw;
}
}
return(null);
}
public byte[] GenerateSalt(int length)
{
return(SrpInteger.FromHex("deff10eeac3d2c5cf370a2dae3310a4f").ToByteArray());
}
public void M5SetupTest()
{
var clientPubKey = FixedSaltGenerator.ExpectedClientPubKey;
var clientProof = FixedSaltGenerator.ExpectedClientProof;
var inputData =
"059ac2e1aa3fef6c4bc067cd9d26a05b53fa6ad29f953af80c90968757a18fcb270118987a5c26e50f2f8e274750584929d5d5a176a62af5ef0d4002ed6333ee75b0f75d0ee4dbef345f6ae15345cfdcb97e3300d18bf8f827701f6dfcc6cc213dff5ae1cffa03235853df30d8eb6ceec068dc64e9ef8049ce3d9396bbd32c7b2e329005023cf06ed8a60e3e51491b7f7193a807f1f244369a5ee9fd060105";
var expectedTlvHexReponse =
"0601060587b0e4a7aa382866e824db4159cc0ecd24900136be360fd6ae64481bf799b1ecc918ecb887285a8dcd5b6f90aa410253451fd1bc638cae716cbab166f763108633555a6bfa311662986ea2d1eb83b76d195724b9bbddf7902dfd3a16e1bbd5bb8e5a5a6e3a56e8eec21c3f06ed2cce21ea17426407d0a1b35c9d692f5a5ee15ecb7ac662ade25ab7";
var tlv = TlvParser.Parse(Automatica.Core.Driver.Utility.Utils.StringToByteArray(inputData));
var fixedSrpGenerator = new FixedSaltGenerator();
var session = new ConnectionSession
{
Salt = fixedSrpGenerator.GenerateSalt(16),
Verifier = FixedSaltGenerator.ExpectedVerifier,
ServerEphemeral = fixedSrpGenerator.GenerateServerEphemeral(FixedSaltGenerator.ExpectedVerifier)
};
session.ServerSession = fixedSrpGenerator.DeriveServerSession(session.ServerEphemeral.Secret, clientPubKey, SrpInteger.FromByteArray(session.Salt).ToHex(), "Pair-Setup", session.Verifier, clientProof);
var setupController = new PairSetupController(NullLogger.Instance, "031-45-154")
{
SrpGenerator = fixedSrpGenerator, KeyGenerator = new FixedEd25519KeyGenerator()
};
var ret = setupController.Post(tlv, session);
var expectedTlvResponse =
TlvParser.Parse(Automatica.Core.Driver.Utility.Utils.StringToByteArray(expectedTlvHexReponse));
var decryptedPayload = TlvParser.Parse(Automatica.Core.Driver.Utility.Utils.StringToByteArray(
"011146433a32323a33443a45333a43453a4632032083e6d70e7064effd0c6df6d19451b1ded53f7e2d0dd86e33d4aa1993f5e9cded0a402ac3063b1d193c4d365c546019c51cac8299a23a99c9f8eb2348c46af24b185a53f1f75a92d57193bdeb4dfbc47ccadccc4f9f4e3dc8191eef364d15cd921207"));
var raw = setupController.HandlePairSetupM5Raw(session, out _);
Assert.Equal(decryptedPayload.GetType(Constants.Identifier), raw.GetType(Constants.Identifier));
Assert.Equal(decryptedPayload.GetType(Constants.PublicKey), raw.GetType(Constants.PublicKey));
Assert.Equal(decryptedPayload.GetType(Constants.Signature), raw.GetType(Constants.Signature));
var expectedEncryptedData =
Automatica.Core.Driver.Utility.Utils.ByteArrayToString(expectedTlvResponse.GetType(Constants.EncryptedData).AsSpan());
var retEncryptedData =
Automatica.Core.Driver.Utility.Utils.ByteArrayToString(ret.TlvData.GetType(Constants.EncryptedData).AsSpan());
Assert.Equal(expectedEncryptedData, retEncryptedData);
Assert.Equal(expectedTlvResponse.GetType(Constants.State), ret.TlvData.GetType(Constants.State));
Assert.Equal(expectedTlvResponse.GetType(Constants.EncryptedData), ret.TlvData.GetType(Constants.EncryptedData));
var expectedHttpResponse =
"485454502F312E3120323030204F4B0D0A436F6E74656E742D4C656E6774683A203134300D0A436F6E74656E742D547970653A206170706C69636174696F6E2F70616972696E672B746C76380D0A446174653A2053756E2C203139204A616E20323032302031353A33313A313320474D540D0A436F6E6E656374696F6E3A206B6565702D616C6976650D0A0D0A0601060587B0E4A7AA382866E824DB4159CC0ECD24900136BE360FD6AE64481BF799B1ECC918ECB887285A8DCD5B6F90AA410253451FD1BC638CAE716CBAB166F763108633555A6BFA311662986EA2D1EB83B76D195724B9BBDDF7902DFD3A16E1BBD5BB8E5A5A6E3A56E8EEC21C3F06ED2CCE21EA17426407D0A1B35C9D692F5A5EE15ECB7AC662ADE25AB7";
var expectedHttpResponseArray =
Automatica.Core.Driver.Utility.Utils.StringToByteArray(expectedHttpResponse);
var requestTime = new DateTime(2020, 01, 19, 15, 31, 13, DateTimeKind.Utc);
var httpResponse =
HttpServerConnection.GetHttpResponse("HTTP/1.1", PairSetupReturn.ContentType, TlvParser.Serialize(ret.TlvData), requestTime);
Assert.Equal(expectedHttpResponseArray, httpResponse);
}
public static string ToB64(string hex) => Convert.ToBase64String(SrpInteger.FromHex(hex).ToByteArray());
public PairSetupReturn Post(Tlv parts, ConnectionSession session)
{
var state = parts.GetTypeAsInt(Constants.State);
if (session.Salt == null)
{
session.Salt = SrpGenerator.GenerateSalt(16);
}
_logger.LogDebug($"State is {state}");
if (state == 1) //srp sign up
{
var saltInt = SrpInteger.FromByteArray(session.Salt);
var privateKey = SrpGenerator.DerivePrivateKey(saltInt.ToHex(), Username, _code);
session.Verifier = SrpGenerator.DeriveVerifier(privateKey);
session.ServerEphemeral = SrpGenerator.GenerateServerEphemeral(session.Verifier);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 2);
responseTlv.AddType(Constants.PublicKey, StringToByteArray(session.ServerEphemeral.Public));
responseTlv.AddType(Constants.Salt, session.Salt);
_logger.LogDebug($"return salt {saltInt.ToHex()}, pub {session.ServerEphemeral.Public} and state 2");
return(new PairSetupReturn
{
State = 1,
TlvData = responseTlv,
Ok = true
});
}
if (state == 3) //srp authenticate
{
_logger.LogDebug("Pair Setup Step 3/5");
_logger.LogDebug("SRP Verify Request");
var pubKey = parts.GetType(Constants.PublicKey);
var proof = parts.GetType(Constants.Proof);
var iOsPublicKey = SrpInteger.FromByteArray(pubKey);
var iOsProof = SrpInteger.FromByteArray(proof);
var responseTlv = new Tlv();
responseTlv.AddType(Constants.State, 4);
var ok = true;
try
{
session.ServerSession = SrpGenerator.DeriveServerSession(session.ServerEphemeral.Secret, iOsPublicKey.ToHex(), SrpInteger.FromByteArray(session.Salt).ToHex(), Username, session.Verifier,
iOsProof.ToHex());
_logger.LogInformation("Verification was successful. Generating Server Proof (M2)");
responseTlv.AddType(Constants.Proof, StringToByteArray(session.ServerSession.Proof));
_logger.LogDebug($"return proof {session.ServerSession.Proof}, secret {session.ServerEphemeral.Secret} and state 4");
}
catch (Exception e)
{
ok = false;
_logger.LogError(e, "Verification failed as iOS provided code was incorrect");
responseTlv.AddType(Constants.Error, ErrorCodes.Authentication);
}
return(new PairSetupReturn
{
State = 3,
Ok = ok,
TlvData = responseTlv
});
}
if (state == 5)
{
return(HandlePairSetupM5(parts, session));
}
return(null);
}
public void HardcodedVersionOfRfc5054TestVector()
{
// https://www.ietf.org/rfc/rfc5054.txt
var N = SrpInteger.FromHex(@"EEAF0AB9 ADB38DD6 9C33F80A FA8FC5E8 60726187 75FF3C0B 9EA2314C
9C256576 D674DF74 96EA81D3 383B4813 D692C6E0 E0D5D8E2 50B98BE4
8E495C1D 6089DAD1 5DC7D7B4 6154D6B6 CE8EF4AD 69B15D49 82559B29
7BCF1885 C529F566 660E57EC 68EDBC3C 05726CC0 2FD4CBF4 976EAA9A
FD5138FE 8376435B 9FC61D2F C0EB06E3" );
var g = SrpInteger.FromHex("02");
var p = SrpParameters.Create <SHA1>(N, g);
var H = p.Hash;
var k = p.Multiplier;
var kx = SrpInteger.FromHex(@"7556AA04 5AEF2CDD 07ABAF0F 665C3E81 8913186F");
Assert.AreEqual(kx, k);
// prepare known parameters
var I = "alice";
var P = "password123";
var s = SrpInteger.FromHex(@"BEB25379 D1A8581E B5A72767 3A2441EE").ToHex();
var client = new SrpClient(p);
var server = new SrpServer(p);
// validate the private key
var x = SrpInteger.FromHex(client.DerivePrivateKey(s, I, P));
var xx = SrpInteger.FromHex(@"94B7555A ABE9127C C58CCF49 93DB6CF8 4D16C124");
Assert.AreEqual(xx, x);
// validate the verifier
var v = SrpInteger.FromHex(client.DeriveVerifier(x));
var vx = SrpInteger.FromHex(@"
7E273DE8 696FFC4F 4E337D05 B4B375BE B0DDE156 9E8FA00A 9886D812
9BADA1F1 822223CA 1A605B53 0E379BA4 729FDC59 F105B478 7E5186F5
C671085A 1447B52A 48CF1970 B4FB6F84 00BBF4CE BFBB1681 52E08AB5
EA53D15C 1AFF87B2 B9DA6E04 E058AD51 CC72BFC9 033B564E 26480D78
E955A5E2 9E7AB245 DB2BE315 E2099AFB" );
Assert.AreEqual(vx, v);
// client ephemeral
var a = SrpInteger.FromHex("60975527 035CF2AD 1989806F 0407210B C81EDC04 E2762A56 AFD529DD DA2D4393");
var A = client.ComputeA(a);
var Ax = SrpInteger.FromHex(@"
61D5E490 F6F1B795 47B0704C 436F523D D0E560F0 C64115BB 72557EC4
4352E890 3211C046 92272D8B 2D1A5358 A2CF1B6E 0BFCF99F 921530EC
8E393561 79EAE45E 42BA92AE ACED8251 71E1E8B9 AF6D9C03 E1327F44
BE087EF0 6530E69F 66615261 EEF54073 CA11CF58 58F0EDFD FE15EFEA
B349EF5D 76988A36 72FAC47B 0769447B" );
Assert.AreEqual(Ax, A);
var clientEphemeral = new SrpEphemeral {
Public = A, Secret = a
};
// server ephemeral
var b = SrpInteger.FromHex("E487CB59 D31AC550 471E81F0 0F6928E0 1DDA08E9 74A004F4 9E61F5D1 05284D20");
var B = server.ComputeB(v, b);
var Bx = SrpInteger.FromHex(@"
BD0C6151 2C692C0C B6D041FA 01BB152D 4916A1E7 7AF46AE1 05393011
BAF38964 DC46A067 0DD125B9 5A981652 236F99D9 B681CBF8 7837EC99
6C6DA044 53728610 D0C6DDB5 8B318885 D7D82C7F 8DEB75CE 7BD4FBAA
37089E6F 9C6059F3 88838E7A 00030B33 1EB76840 910440B1 B27AAEAE
EB4012B7 D7665238 A8E3FB00 4B117B58" );
Assert.AreEqual(Bx, B);
var serverEphemeral = new SrpEphemeral {
Public = B, Secret = a
};
// u
var u = client.ComputeU(A, B);
var ux = SrpInteger.FromHex("CE38B959 3487DA98 554ED47D 70A7AE5F 462EF019");
Assert.AreEqual(ux, u);
// premaster secret — client version
var S = client.ComputeS(a, B, u, x);
var Sx = SrpInteger.FromHex(@"
B0DC82BA BCF30674 AE450C02 87745E79 90A3381F 63B387AA F271A10D
233861E3 59B48220 F7C4693C 9AE12B0A 6F67809F 0876E2D0 13800D6C
41BB59B6 D5979B5C 00A172B4 A2A5903A 0BDCAF8A 709585EB 2AFAFA8F
3499B200 210DCC1F 10EB3394 3CD67FC8 8A2F39A4 BE5BEC4E C0A3212D
C346D7E4 74B29EDE 8A469FFE CA686E5A" );
Assert.AreEqual(Sx, S);
// premaster secret — server version
S = server.ComputeS(A, b, u, v);
Assert.AreEqual(Sx, S);
// client session
var clientSession = client.DeriveSession(a, B, s, I, x);
Assert.AreEqual("017eefa1cefc5c2e626e21598987f31e0f1b11bb", clientSession.Key);
Assert.AreEqual("3f3bc67169ea71302599cf1b0f5d408b7b65d347", clientSession.Proof);
// server session
var serverSession = server.DeriveSession(b, A, s, I, v, clientSession.Proof);
Assert.AreEqual("017eefa1cefc5c2e626e21598987f31e0f1b11bb", serverSession.Key);
Assert.AreEqual("9cab3c575a11de37d3ac1421a9f009236a48eb55", serverSession.Proof);
// verify server session
client.VerifySession(A, clientSession, serverSession.Proof);
}
private void VerifyTestVector(TestVectorSet.TestVector testVector)
{
// prepare parameters
var parameters = testVector.CreateParameters();
if (parameters == null)
{
// not supported hash function
Assert.Warn($"Unsupported hash function, skipping: {testVector.H}");
return;
}
var N = parameters.Prime;
var g = parameters.Generator;
var H = parameters.Hash;
// validate the multiplier parameter
var k = parameters.Multiplier;
var kx = SrpInteger.FromHex(testVector.k);
Assert.AreEqual(kx, k);
// prepare user name, password and salt
var I = testVector.I;
var P = testVector.P;
var s = SrpInteger.FromHex(testVector.s).ToHex();
var client = new SrpClient(parameters);
var server = new SrpServer(parameters);
// validate the private key
var x = SrpInteger.FromHex(client.DerivePrivateKey(s, I, P));
var xx = SrpInteger.FromHex(testVector.x);
Assert.AreEqual(xx, x);
// validate the verifier
var v = SrpInteger.FromHex(client.DeriveVerifier(x));
var vx = SrpInteger.FromHex(testVector.v);
Assert.AreEqual(vx, v);
// client ephemeral
var a = SrpInteger.FromHex(testVector.a);
var A = client.ComputeA(a);
var Ax = SrpInteger.FromHex(testVector.A);
Assert.AreEqual(Ax, A);
var clientEphemeral = new SrpEphemeral {
Public = A, Secret = a
};
// server ephemeral
var b = SrpInteger.FromHex(testVector.b);
var B = server.ComputeB(v, b);
var Bx = SrpInteger.FromHex(testVector.B);
Assert.AreEqual(Bx, B);
var serverEphemeral = new SrpEphemeral {
Public = B, Secret = a
};
// validate u
var u = client.ComputeU(A, B);
var ux = SrpInteger.FromHex(testVector.u);
Assert.AreEqual(ux, u);
// premaster secret — client version
var S = client.ComputeS(a, B, u, x);
var Sx = SrpInteger.FromHex(testVector.S);
Assert.AreEqual(Sx, S);
// premaster secret — server version
S = server.ComputeS(A, b, u, v);
Assert.AreEqual(Sx, S);
// client session
var clientSession = client.DeriveSession(a, B, s, I, x);
if (testVector.M1 != null)
{
Assert.AreEqual(testVector.M1, clientSession.Proof);
}
// server session
var serverSession = server.DeriveSession(b, A, s, I, v, clientSession.Proof);
Assert.AreEqual(clientSession.Key, serverSession.Key);
if (testVector.M2 != null)
{
Assert.AreEqual(testVector.M2, serverSession.Proof);
}
// verify server session
client.VerifySession(A, clientSession, serverSession.Proof);
if (testVector.K != null)
{
Assert.AreEqual(testVector.K, serverSession.Key);
}
}
public void SrpIntegerDivide()
{
var result = SrpInteger.FromHex("faced") / SrpInteger.FromHex("BABE");
Assert.AreEqual("00015", result.ToHex());
}
