private byte[] ComputeHkdf(byte[] ikm)
{
var generator = new HkdfBytesGenerator(new Sha256Digest());
var parameters = new HkdfParameters(ikm, null, HkdfInfo);
generator.Init(parameters);
byte[] output = new byte[_hkdfSize];
generator.GenerateBytes(output, 0, _hkdfSize);
return(output);
}
// currently useless, just keep api same, again
public static Span <byte> HKDF(int keylen, Span <byte> master, Span <byte> salt, Span <byte> info)
{
byte[] ret = new byte[keylen];
IDigest degist = new Sha1Digest();
HkdfParameters parameters = new HkdfParameters(master.ToArray(), salt.ToArray(), info.ToArray());
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(degist);
hkdf.Init(parameters);
hkdf.GenerateBytes(ret, 0, keylen);
return(ret.AsSpan());
}
public static byte[] HKDF(int keylen, byte[] master, byte[] salt, byte[] info)
{
byte[] ret = new byte[keylen];
IDigest degist = new Sha1Digest();
HkdfParameters parameters = new HkdfParameters(master, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(degist);
hkdf.Init(parameters);
hkdf.GenerateBytes(ret, 0, keylen);
return(ret);
}
private byte[] DeriveKey(string serviceAccountId)
{
var generator = new HkdfBytesGenerator(new Sha256Digest());
generator.Init(HkdfParameters.SkipExtractParameters(mKey, Encoding.UTF8.GetBytes(serviceAccountId)));
var derivedKey = new byte[derivedKeySize];
generator.GenerateBytes(derivedKey, 0, derivedKeySize);
return(derivedKey);
}
public static IEnumerable <byte> GenerateAesKey(string sharedKey, IEnumerable <byte> salt)
{
var hkdfBytesGenerator = new HkdfBytesGenerator(new Sha256Digest());
var hkdfParameters = new HkdfParameters(GetByteFromBase64(sharedKey).ToArray(),
salt.ToArray(),
null);
hkdfBytesGenerator.Init(hkdfParameters);
var aesKey = new byte[32];
hkdfBytesGenerator.GenerateBytes(aesKey, 0, 32);
return(aesKey);
}
public static byte[] X3DhKdf(byte[] input, byte[] info)
{
byte[] ikm = ThirtyTwoFFs.Concat(input).ToArray();
HkdfParameters parameters = new HkdfParameters(ikm, ThirtyTwoZeros, info);
HkdfBytesGenerator generator = new HkdfBytesGenerator(new Sha256Digest());
generator.Init(parameters);
byte[] output = new byte[256 / 8];
generator.GenerateBytes(output, 0, output.Length);
return(output);
}
private static byte[] GeneratePrivateKeyBytes(int numBytes, byte[] masterKeyBytes, long keyIntervalNumber, int counter)
{
var keyIntervalBytes = BitConverter.GetBytes(keyIntervalNumber);
var counterBytes = BitConverter.GetBytes(counter);
var ikm = masterKeyBytes;
var salt = keyIntervalBytes.Concat(counterBytes).ToArray();
var hkdf = new HkdfBytesGenerator(new Sha256Digest());
var hParams = new HkdfParameters(ikm, salt, null);
hkdf.Init(hParams);
byte[] keyBytes = new byte[numBytes];
hkdf.GenerateBytes(keyBytes, 0, numBytes);
return(keyBytes);
}
// Returns null on HMAC mismatch
public static byte[] DecryptWithMessageKey(byte[] messageKey, byte[] cipherTextWithHmac, byte[] associatedData = null)
{
HkdfParameters parameters = new HkdfParameters(messageKey, ThirtyTwoZeros, MessageProtocolInfo);
HkdfBytesGenerator generator = new HkdfBytesGenerator(new Sha256Digest());
generator.Init(parameters);
byte[] encryptionKey = new byte[32];
byte[] authenticationKey = new byte[32];
byte[] iv = new byte[16];
generator.GenerateBytes(encryptionKey, 0, encryptionKey.Length);
generator.GenerateBytes(authenticationKey, 0, authenticationKey.Length);
generator.GenerateBytes(iv, 0, iv.Length);
return(DecryptWithHmac(new AES256Key(encryptionKey), iv, new AES256Key(authenticationKey), cipherTextWithHmac,
associatedData));
}
// Returns a tuple of (new root key, new chain key)
public static (byte[], byte[]) RatchetRootKey(byte[] rootKey, byte[] dhOutput)
{
HkdfParameters parameters = new HkdfParameters(dhOutput, rootKey, RkRatchetProtocolInfo);
HkdfBytesGenerator generator = new HkdfBytesGenerator(new Sha256Digest());
generator.Init(parameters);
byte[] newRootKey = new byte[rootKey.Length];
generator.GenerateBytes(newRootKey, 0, newRootKey.Length);
HkdfParameters parameters2 = new HkdfParameters(dhOutput, rootKey, CkRatchetProtocolInfo);
generator.Init(parameters2);
byte[] newChainKey = new byte[rootKey.Length];
generator.GenerateBytes(newChainKey, 0, newChainKey.Length);
return(newRootKey, newChainKey);
}
public virtual void Init(IDerivationParameters parameters)
{
if (!(parameters is HkdfParameters))
{
throw new ArgumentException("HKDF parameters required for HkdfBytesGenerator", "parameters");
}
HkdfParameters hkdfParameters = (HkdfParameters)parameters;
if (hkdfParameters.SkipExtract)
{
// use IKM directly as PRK
hMacHash.Init(new KeyParameter(hkdfParameters.GetIkm()));
}
else
{
hMacHash.Init(Extract(hkdfParameters.GetSalt(), hkdfParameters.GetIkm()));
}
info = hkdfParameters.GetInfo();
generatedBytes = 0;
currentT = new byte[hashLen];
}
public override void PerformTest()
{
{
// === A.1. Test Case 1 - Basic test case with SHA-256 ===
IDigest hash = new Sha256Digest();
byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
byte[] salt = Hex.Decode("000102030405060708090a0b0c");
byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9");
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(1, okm, Hex.Decode(
"3cb25f25faacd57a90434f64d0362f2a" +
"2d2d0a90cf1a5a4c5db02d56ecc4c5bf" +
"34007208d5b887185865"));
}
// === A.2. Test Case 2 - Test with SHA-256 and longer inputs/outputs
// ===
{
IDigest hash = new Sha256Digest();
byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f"
+ "101112131415161718191a1b1c1d1e1f"
+ "202122232425262728292a2b2c2d2e2f"
+ "303132333435363738393a3b3c3d3e3f"
+ "404142434445464748494a4b4c4d4e4f");
byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f"
+ "707172737475767778797a7b7c7d7e7f"
+ "808182838485868788898a8b8c8d8e8f"
+ "909192939495969798999a9b9c9d9e9f"
+ "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf");
byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
+ "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
+ "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
+ "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
+ "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
int l = 82;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(2, okm, Hex.Decode(
"b11e398dc80327a1c8e7f78c596a4934" +
"4f012eda2d4efad8a050cc4c19afa97c" +
"59045a99cac7827271cb41c65e590e09" +
"da3275600c2f09b8367793a9aca3db71" +
"cc30c58179ec3e87c14c01d5c1f3434f" +
"1d87"));
}
{
// === A.3. Test Case 3 - Test with SHA-256 and zero-length
// salt/info ===
// setting salt to an empty byte array means that the salt is set to
// HashLen zero valued bytes
// setting info to null generates an empty byte array as info
// structure
IDigest hash = new Sha256Digest();
byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
byte[] salt = new byte[0];
byte[] info = null;
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(3, okm, Hex.Decode(
"8da4e775a563c18f715f802a063c5a31" +
"b8a11f5c5ee1879ec3454e5f3c738d2d" +
"9d201395faa4b61a96c8"));
}
{
// === A.4. Test Case 4 - Basic test case with SHA-1 ===
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b");
byte[] salt = Hex.Decode("000102030405060708090a0b0c");
byte[] info = Hex.Decode("f0f1f2f3f4f5f6f7f8f9");
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(4, okm, Hex.Decode(
"085a01ea1b10f36933068b56efa5ad81" +
"a4f14b822f5b091568a9cdd4f155fda2" +
"c22e422478d305f3f896"));
}
// === A.5. Test Case 5 - Test with SHA-1 and longer inputs/outputs ===
{
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("000102030405060708090a0b0c0d0e0f"
+ "101112131415161718191a1b1c1d1e1f"
+ "202122232425262728292a2b2c2d2e2f"
+ "303132333435363738393a3b3c3d3e3f"
+ "404142434445464748494a4b4c4d4e4f");
byte[] salt = Hex.Decode("606162636465666768696a6b6c6d6e6f"
+ "707172737475767778797a7b7c7d7e7f"
+ "808182838485868788898a8b8c8d8e8f"
+ "909192939495969798999a9b9c9d9e9f"
+ "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf");
byte[] info = Hex.Decode("b0b1b2b3b4b5b6b7b8b9babbbcbdbebf"
+ "c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"
+ "d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"
+ "e0e1e2e3e4e5e6e7e8e9eaebecedeeef"
+ "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff");
int l = 82;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(5, okm, Hex.Decode(
"0bd770a74d1160f7c9f12cd5912a06eb" +
"ff6adcae899d92191fe4305673ba2ffe" +
"8fa3f1a4e5ad79f3f334b3b202b2173c" +
"486ea37ce3d397ed034c7f9dfeb15c5e" +
"927336d0441f4c4300e2cff0d0900b52" +
"d3b4"));
}
{
// === A.6. Test Case 6 - Test with SHA-1 and zero-length salt/info
// ===
// setting salt to null should generate a new salt of HashLen zero
// valued bytes
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b");
byte[] salt = null;
byte[] info = new byte[0];
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(6, okm, Hex.Decode(
"0ac1af7002b3d761d1e55298da9d0506" +
"b9ae52057220a306e07b6b87e8df21d0" +
"ea00033de03984d34918"));
}
{
// === A.7. Test Case 7 - Test with SHA-1, salt not provided,
// zero-length info ===
// (salt defaults to HashLen zero octets)
// this test is identical to test 6 in all ways bar the IKM value
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c");
byte[] salt = null;
byte[] info = new byte[0];
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = new HkdfParameters(ikm, salt, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(7, okm, Hex.Decode(
"2c91117204d745f3500d636a62f64f0a" +
"b3bae548aa53d423b0d1f27ebba6f5e5" +
"673a081d70cce7acfc48"));
}
{
// === A.101. Additional Test Case - Test with SHA-1, skipping extract
// zero-length info ===
// (salt defaults to HashLen zero octets)
// this test is identical to test 7 in all ways bar the IKM value
// which is set to the PRK value
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd");
byte[] info = new byte[0];
int l = 42;
byte[] okm = new byte[l];
HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
CompareOkm(101, okm, Hex.Decode(
"2c91117204d745f3500d636a62f64f0a" +
"b3bae548aa53d423b0d1f27ebba6f5e5" +
"673a081d70cce7acfc48"));
}
{
// === A.102. Additional Test Case - Test with SHA-1, maximum output ===
// (salt defaults to HashLen zero octets)
// this test is identical to test 7 in all ways bar the IKM value
IDigest hash = new Sha1Digest();
byte[] ikm = Hex.Decode("2adccada18779e7c2077ad2eb19d3f3e731385dd");
byte[] info = new byte[0];
int l = 255 * hash.GetDigestSize();
byte[] okm = new byte[l];
HkdfParameters parameters = HkdfParameters.SkipExtractParameters(ikm, info);
HkdfBytesGenerator hkdf = new HkdfBytesGenerator(hash);
hkdf.Init(parameters);
hkdf.GenerateBytes(okm, 0, l);
int zeros = 0;
for (int i = 0; i < hash.GetDigestSize(); i++)
{
if (okm[i] == 0)
{
zeros++;
}
}
if (zeros == hash.GetDigestSize())
{
Fail("HKDF failed generator test " + 102);
}
}
}
