package identity import ( "crypto/aes" "crypto/cipher" "crypto/ed25519" "crypto/hmac" "crypto/rand" "crypto/sha256" "encoding/hex" "encoding/json" "errors" "fmt" "io" "log" "os" "sync" "time" "github.com/Sudo-Ivan/reticulum-go/pkg/common" "github.com/Sudo-Ivan/reticulum-go/pkg/cryptography" "golang.org/x/crypto/curve25519" "golang.org/x/crypto/hkdf" ) const ( CURVE = "Curve25519" KEYSIZE = 512 // Combined length of encryption key (256) and signing key (256) RATCHETSIZE = 256 RATCHET_EXPIRY = 2592000 // 30 days in seconds TRUNCATED_HASHLENGTH = 128 NAME_HASH_LENGTH = 80 // Token constants for Fernet-like spec TOKEN_OVERHEAD = 16 // AES block size AES128_BLOCKSIZE = 16 HASHLENGTH = 256 SIGLENGTH = KEYSIZE RATCHET_ROTATION_INTERVAL = 1800 // Default 30 minutes in seconds MAX_RETAINED_RATCHETS = 512 // Maximum number of retained ratchet keys ) type Identity struct { privateKey []byte publicKey []byte signingSeed []byte // 32-byte Ed25519 seed (compatible with Python RNS) verificationKey ed25519.PublicKey hash []byte hexHash string appData []byte ratchets map[string][]byte ratchetExpiry map[string]int64 mutex *sync.RWMutex } var ( knownDestinations = make(map[string][]interface{}) knownRatchets = make(map[string][]byte) ratchetPersistLock sync.Mutex ) func New() (*Identity, error) { i := &Identity{ ratchets: make(map[string][]byte), ratchetExpiry: make(map[string]int64), mutex: &sync.RWMutex{}, } // Generate keypairs using cryptography package privKey, pubKey, err := cryptography.GenerateKeyPair() if err != nil { return nil, fmt.Errorf("failed to generate X25519 keypair: %v", err) } i.privateKey = privKey i.publicKey = pubKey // Generate 32-byte Ed25519 seed (compatible with Python RNS) var ed25519Seed [32]byte if _, err := io.ReadFull(rand.Reader, ed25519Seed[:]); err != nil { return nil, fmt.Errorf("failed to generate Ed25519 seed: %v", err) } // Derive Ed25519 keypair from seed privKeyEd := ed25519.NewKeyFromSeed(ed25519Seed[:]) pubKeyEd := privKeyEd.Public().(ed25519.PublicKey) i.signingSeed = ed25519Seed[:] i.verificationKey = pubKeyEd return i, nil } func (i *Identity) GetPublicKey() []byte { // Combine encryption and signing public keys in correct order fullKey := make([]byte, 64) copy(fullKey[:32], i.publicKey) // First 32 bytes: X25519 encryption key copy(fullKey[32:], i.verificationKey) // Last 32 bytes: Ed25519 verification key return fullKey } func (i *Identity) GetPrivateKey() []byte { return append(i.privateKey, i.signingSeed...) } func (i *Identity) Sign(data []byte) []byte { // Derive Ed25519 private key from seed (compatible with Python RNS) privKey := ed25519.NewKeyFromSeed(i.signingSeed) return cryptography.Sign(privKey, data) } func (i *Identity) Verify(data []byte, signature []byte) bool { return cryptography.Verify(i.verificationKey, data, signature) } func (i *Identity) Encrypt(plaintext []byte, ratchet []byte) ([]byte, error) { // Generate ephemeral keypair ephemeralPrivKey, ephemeralPubKey, err := cryptography.GenerateKeyPair() if err != nil { return nil, err } // Use ratchet key if provided, otherwise use identity public key targetKey := i.publicKey if ratchet != nil { targetKey = ratchet } // Generate shared secret sharedSecret, err := cryptography.DeriveSharedSecret(ephemeralPrivKey, targetKey) if err != nil { return nil, err } // Derive encryption key key, err := cryptography.DeriveKey(sharedSecret, i.GetSalt(), i.GetContext(), 32) if err != nil { return nil, err } // Encrypt data ciphertext, err := cryptography.EncryptAES256CBC(key[:32], plaintext) if err != nil { return nil, err } // Calculate HMAC mac := cryptography.ComputeHMAC(key, append(ephemeralPubKey, ciphertext...)) // Combine components token := make([]byte, 0, len(ephemeralPubKey)+len(ciphertext)+len(mac)) token = append(token, ephemeralPubKey...) token = append(token, ciphertext...) token = append(token, mac...) return token, nil } func (i *Identity) Hash() []byte { hash := cryptography.Hash(i.GetPublicKey()) return hash[:TRUNCATED_HASHLENGTH/8] } func TruncatedHash(data []byte) []byte { h := sha256.New() h.Write(data) fullHash := h.Sum(nil) return fullHash[:TRUNCATED_HASHLENGTH/8] } func GetRandomHash() []byte { randomData := make([]byte, TRUNCATED_HASHLENGTH/8) _, err := rand.Read(randomData) // #nosec G104 if err != nil { log.Printf("[DEBUG-1] Failed to read random data for hash: %v", err) return nil // Or handle the error appropriately } return TruncatedHash(randomData) } func Remember(packet []byte, destHash []byte, publicKey []byte, appData []byte) { hashStr := hex.EncodeToString(destHash) // Store destination data as [packet, destHash, identity, appData] id := FromPublicKey(publicKey) knownDestinations[hashStr] = []interface{}{ packet, destHash, id, appData, } } func ValidateAnnounce(packet []byte, destHash []byte, publicKey []byte, signature []byte, appData []byte) bool { if len(publicKey) != KEYSIZE/8 { return false } // Split public key into encryption and verification keys announced := &Identity{ publicKey: publicKey[:KEYSIZE/16], verificationKey: publicKey[KEYSIZE/16:], } // Verify signature signedData := append(destHash, publicKey...) signedData = append(signedData, appData...) if !announced.Verify(signedData, signature) { return false } // Store in known destinations Remember(packet, destHash, publicKey, appData) return true } func FromPublicKey(publicKey []byte) *Identity { if len(publicKey) != KEYSIZE/8 { return nil } return &Identity{ publicKey: publicKey[:KEYSIZE/16], verificationKey: publicKey[KEYSIZE/16:], ratchets: make(map[string][]byte), ratchetExpiry: make(map[string]int64), mutex: &sync.RWMutex{}, } } func (i *Identity) Hex() string { return fmt.Sprintf("%x", i.Hash()) } func (i *Identity) String() string { return i.Hex() } func Recall(hash []byte) (*Identity, error) { // TODO: Implement persistence // For now just create new identity return New() } func (i *Identity) GenerateHMACKey() []byte { hmacKey := make([]byte, KEYSIZE/8) if _, err := io.ReadFull(rand.Reader, hmacKey); err != nil { return nil } return hmacKey } func (i *Identity) ComputeHMAC(key, message []byte) []byte { h := hmac.New(sha256.New, key) h.Write(message) return h.Sum(nil) } func (i *Identity) ValidateHMAC(key, message, messageHMAC []byte) bool { expectedHMAC := i.ComputeHMAC(key, message) return hmac.Equal(messageHMAC, expectedHMAC) } func (i *Identity) GetCurrentRatchetKey() []byte { i.mutex.RLock() defer i.mutex.RUnlock() if len(i.ratchets) == 0 { // If no ratchets exist, generate one. // This should ideally be handled by an explicit setup process. log.Println("[DEBUG-5] No ratchets found, generating a new one on-the-fly.") // Temporarily unlock to call RotateRatchet, which locks internally. i.mutex.RUnlock() newRatchet, err := i.RotateRatchet() i.mutex.RLock() if err != nil { log.Printf("[DEBUG-1] Failed to generate initial ratchet key: %v", err) return nil } return newRatchet } // Return the most recently generated ratchet key var latestKey []byte var latestTime int64 = 0 for id, expiry := range i.ratchetExpiry { if expiry > latestTime { latestTime = expiry latestKey = i.ratchets[id] } } if latestKey == nil { log.Printf("[DEBUG-2] Could not determine the latest ratchet key from %d ratchets.", len(i.ratchets)) } return latestKey } func (i *Identity) Decrypt(ciphertextToken []byte, ratchets [][]byte, enforceRatchets bool, ratchetIDReceiver *common.RatchetIDReceiver) ([]byte, error) { if i.privateKey == nil { log.Printf("[DEBUG-1] Decryption failed: identity has no private key") return nil, errors.New("decryption failed because identity does not hold a private key") } log.Printf("[DEBUG-7] Starting decryption for identity %s", i.GetHexHash()) if len(ratchets) > 0 { log.Printf("[DEBUG-7] Attempting decryption with %d ratchets", len(ratchets)) } if len(ciphertextToken) <= KEYSIZE/8/2 { return nil, errors.New("decryption failed because the token size was invalid") } // Extract components: ephemeralPubKey(32) + ciphertext + mac(32) if len(ciphertextToken) < 32+32+32 { // minimum sizes return nil, errors.New("token too short") } peerPubBytes := ciphertextToken[:32] ciphertext := ciphertextToken[32 : len(ciphertextToken)-32] mac := ciphertextToken[len(ciphertextToken)-32:] // Try decryption with ratchets first if provided if len(ratchets) > 0 { for _, ratchet := range ratchets { if decrypted, ratchetID, err := i.tryRatchetDecryption(peerPubBytes, ciphertext, ratchet); err == nil { if ratchetIDReceiver != nil { ratchetIDReceiver.LatestRatchetID = ratchetID } return decrypted, nil } } if enforceRatchets { if ratchetIDReceiver != nil { ratchetIDReceiver.LatestRatchetID = nil } return nil, errors.New("decryption with ratchet enforcement failed") } } // Try normal decryption if ratchet decryption failed or wasn't requested sharedKey, err := curve25519.X25519(i.privateKey, peerPubBytes) if err != nil { return nil, fmt.Errorf("failed to generate shared key: %v", err) } // Derive key using HKDF hkdfReader := hkdf.New(sha256.New, sharedKey, i.GetSalt(), i.GetContext()) derivedKey := make([]byte, 32) if _, err := io.ReadFull(hkdfReader, derivedKey); err != nil { return nil, fmt.Errorf("failed to derive key: %v", err) } // Validate HMAC if !cryptography.ValidateHMAC(derivedKey, append(peerPubBytes, ciphertext...), mac) { return nil, errors.New("invalid HMAC") } // Create AES cipher block, err := aes.NewCipher(derivedKey) if err != nil { return nil, fmt.Errorf("failed to create cipher: %v", err) } // Extract IV and decrypt if len(ciphertext) < aes.BlockSize { return nil, errors.New("ciphertext too short") } iv := ciphertext[:aes.BlockSize] actualCiphertext := ciphertext[aes.BlockSize:] if len(actualCiphertext)%aes.BlockSize != 0 { return nil, errors.New("ciphertext is not a multiple of block size") } mode := cipher.NewCBCDecrypter(block, iv) plaintext := make([]byte, len(actualCiphertext)) mode.CryptBlocks(plaintext, actualCiphertext) // Remove PKCS7 padding padding := int(plaintext[len(plaintext)-1]) if padding > aes.BlockSize || padding == 0 { return nil, errors.New("invalid padding") } for i := len(plaintext) - padding; i < len(plaintext); i++ { if plaintext[i] != byte(padding) { return nil, errors.New("invalid padding") } } if ratchetIDReceiver != nil { ratchetIDReceiver.LatestRatchetID = nil } log.Printf("[DEBUG-7] Decryption completed successfully") return plaintext[:len(plaintext)-padding], nil } // Helper function to attempt decryption using a ratchet func (i *Identity) tryRatchetDecryption(peerPubBytes, ciphertext, ratchet []byte) ([]byte, []byte, error) { // Convert ratchet to private key ratchetPriv := ratchet // Get ratchet ID ratchetPubBytes, err := curve25519.X25519(ratchetPriv, cryptography.GetBasepoint()) if err != nil { log.Printf("[DEBUG-7] Failed to generate ratchet public key: %v", err) return nil, nil, err } ratchetID := i.GetRatchetID(ratchetPubBytes) sharedSecret, err := cryptography.DeriveSharedSecret(ratchet, peerPubBytes) if err != nil { return nil, nil, err } key, err := cryptography.DeriveKey(sharedSecret, i.GetSalt(), i.GetContext(), 32) if err != nil { return nil, nil, err } plaintext, err := cryptography.DecryptAES256CBC(key, ciphertext) if err != nil { return nil, nil, err } return plaintext, ratchetID, nil } func (i *Identity) EncryptWithHMAC(plaintext []byte, key []byte) ([]byte, error) { ciphertext, err := cryptography.EncryptAES256CBC(key, plaintext) if err != nil { return nil, err } mac := cryptography.ComputeHMAC(key, ciphertext) return append(ciphertext, mac...), nil } func (i *Identity) DecryptWithHMAC(data []byte, key []byte) ([]byte, error) { if len(data) < cryptography.SHA256Size { return nil, errors.New("data too short") } macStart := len(data) - cryptography.SHA256Size ciphertext := data[:macStart] messageMAC := data[macStart:] if !cryptography.ValidateHMAC(key, ciphertext, messageMAC) { return nil, errors.New("invalid HMAC") } return cryptography.DecryptAES256CBC(key, ciphertext) } func (i *Identity) ToFile(path string) error { log.Printf("[DEBUG-7] Saving identity %s to file: %s", i.GetHexHash(), path) // Persist ratchets to a separate file ratchetPath := path + ".ratchets" if err := i.saveRatchets(ratchetPath); err != nil { log.Printf("[DEBUG-1] Failed to save ratchets: %v", err) // Continue saving the main identity file even if ratchets fail } data := map[string]interface{}{ "private_key": i.privateKey, "public_key": i.publicKey, "signing_seed": i.signingSeed, "verification_key": i.verificationKey, "app_data": i.appData, } file, err := os.Create(path) // #nosec G304 if err != nil { log.Printf("[DEBUG-1] Failed to create identity file: %v", err) return err } defer file.Close() if err := json.NewEncoder(file).Encode(data); err != nil { log.Printf("[DEBUG-1] Failed to encode identity data: %v", err) return err } log.Printf("[DEBUG-7] Identity saved successfully") return nil } func (i *Identity) saveRatchets(path string) error { i.mutex.RLock() defer i.mutex.RUnlock() if len(i.ratchets) == 0 { return nil // Nothing to save } log.Printf("[DEBUG-6] Saving %d ratchets to %s", len(i.ratchets), path) data := map[string]interface{}{ "ratchets": i.ratchets, "ratchet_expiry": i.ratchetExpiry, } file, err := os.Create(path) // #nosec G304 if err != nil { return fmt.Errorf("failed to create ratchet file: %w", err) } defer file.Close() return json.NewEncoder(file).Encode(data) } func RecallIdentity(path string) (*Identity, error) { log.Printf("[DEBUG-7] Attempting to recall identity from: %s", path) file, err := os.Open(path) // #nosec G304 if err != nil { log.Printf("[DEBUG-1] Failed to open identity file: %v", err) return nil, err } defer file.Close() var data map[string]interface{} if err := json.NewDecoder(file).Decode(&data); err != nil { log.Printf("[DEBUG-1] Failed to decode identity data: %v", err) return nil, err } var signingSeed []byte var verificationKey ed25519.PublicKey if seedData, exists := data["signing_seed"]; exists { signingSeed = seedData.([]byte) verificationKey = data["verification_key"].(ed25519.PublicKey) } else if keyData, exists := data["signing_key"]; exists { oldKey := keyData.(ed25519.PrivateKey) signingSeed = oldKey[:32] verificationKey = data["verification_key"].(ed25519.PublicKey) } else { return nil, fmt.Errorf("no signing key data found in identity file") } id := &Identity{ privateKey: data["private_key"].([]byte), publicKey: data["public_key"].([]byte), signingSeed: signingSeed, verificationKey: verificationKey, appData: data["app_data"].([]byte), ratchets: make(map[string][]byte), ratchetExpiry: make(map[string]int64), mutex: &sync.RWMutex{}, } // Load ratchets if they exist ratchetPath := path + ".ratchets" if err := id.loadRatchets(ratchetPath); err != nil { log.Printf("[DEBUG-2] Could not load ratchets for identity %s: %v", id.GetHexHash(), err) // This is not a fatal error, the identity can still function } log.Printf("[DEBUG-7] Successfully recalled identity with hash: %s", id.GetHexHash()) return id, nil } func (i *Identity) loadRatchets(path string) error { i.mutex.Lock() defer i.mutex.Unlock() file, err := os.Open(path) // #nosec G304 if err != nil { if os.IsNotExist(err) { log.Printf("[DEBUG-6] No ratchet file found at %s, skipping.", path) return nil } return fmt.Errorf("failed to open ratchet file: %w", err) } defer file.Close() var data map[string]interface{} if err := json.NewDecoder(file).Decode(&data); err != nil { return fmt.Errorf("failed to decode ratchet data: %w", err) } if ratchets, ok := data["ratchets"].(map[string]interface{}); ok { for id, key := range ratchets { if keyStr, ok := key.(string); ok { i.ratchets[id] = []byte(keyStr) } } } if expiry, ok := data["ratchet_expiry"].(map[string]interface{}); ok { for id, timeVal := range expiry { if timeFloat, ok := timeVal.(float64); ok { i.ratchetExpiry[id] = int64(timeFloat) } } } log.Printf("[DEBUG-6] Loaded %d ratchets from %s", len(i.ratchets), path) return nil } func HashFromString(hash string) ([]byte, error) { if len(hash) != 32 { return nil, fmt.Errorf("invalid hash length: expected 32, got %d", len(hash)) } return hex.DecodeString(hash) } func (i *Identity) GetSalt() []byte { return i.hash } func (i *Identity) GetContext() []byte { return nil } func (i *Identity) GetRatchetID(ratchetPubBytes []byte) []byte { hash := cryptography.Hash(ratchetPubBytes) return hash[:NAME_HASH_LENGTH/8] } func GetKnownDestination(hash string) ([]interface{}, bool) { if data, exists := knownDestinations[hash]; exists { return data, true } return nil, false } func (i *Identity) GetHexHash() string { if i.hexHash == "" { i.hexHash = hex.EncodeToString(i.Hash()) } return i.hexHash } func (i *Identity) GetRatchetKey(id string) ([]byte, bool) { ratchetPersistLock.Lock() defer ratchetPersistLock.Unlock() key, exists := knownRatchets[id] return key, exists } func (i *Identity) SetRatchetKey(id string, key []byte) { ratchetPersistLock.Lock() defer ratchetPersistLock.Unlock() knownRatchets[id] = key } // NewIdentity creates a new Identity instance with fresh keys func NewIdentity() (*Identity, error) { // Generate 32-byte Ed25519 seed (compatible with Python RNS) var ed25519Seed [32]byte if _, err := io.ReadFull(rand.Reader, ed25519Seed[:]); err != nil { return nil, fmt.Errorf("failed to generate Ed25519 seed: %v", err) } // Derive Ed25519 keypair from seed privKey := ed25519.NewKeyFromSeed(ed25519Seed[:]) pubKey := privKey.Public().(ed25519.PublicKey) // Generate X25519 encryption keypair var encPrivKey [32]byte if _, err := io.ReadFull(rand.Reader, encPrivKey[:]); err != nil { return nil, fmt.Errorf("failed to generate X25519 private key: %v", err) } encPubKey, err := curve25519.X25519(encPrivKey[:], curve25519.Basepoint) if err != nil { return nil, fmt.Errorf("failed to generate X25519 public key: %v", err) } i := &Identity{ privateKey: encPrivKey[:], publicKey: encPubKey, signingSeed: ed25519Seed[:], verificationKey: pubKey, ratchets: make(map[string][]byte), ratchetExpiry: make(map[string]int64), mutex: &sync.RWMutex{}, } // Generate hash combinedPub := make([]byte, KEYSIZE/8) copy(combinedPub[:KEYSIZE/16], i.publicKey) copy(combinedPub[KEYSIZE/16:], i.verificationKey) hash := sha256.Sum256(combinedPub) i.hash = hash[:] return i, nil } func (i *Identity) RotateRatchet() ([]byte, error) { i.mutex.Lock() defer i.mutex.Unlock() log.Printf("[DEBUG-7] Rotating ratchet for identity %s", i.GetHexHash()) // Generate new ratchet key newRatchet := make([]byte, RATCHETSIZE/8) if _, err := io.ReadFull(rand.Reader, newRatchet); err != nil { log.Printf("[DEBUG-1] Failed to generate new ratchet: %v", err) return nil, err } // Get public key for ratchet ID ratchetPub, err := curve25519.X25519(newRatchet, curve25519.Basepoint) if err != nil { log.Printf("[DEBUG-1] Failed to generate ratchet public key: %v", err) return nil, err } ratchetID := i.GetRatchetID(ratchetPub) expiry := time.Now().Unix() + RATCHET_EXPIRY // Store new ratchet i.ratchets[string(ratchetID)] = newRatchet i.ratchetExpiry[string(ratchetID)] = expiry log.Printf("[DEBUG-7] New ratchet generated with ID: %x, expiry: %d", ratchetID, expiry) // Cleanup old ratchets if we exceed max retained if len(i.ratchets) > MAX_RETAINED_RATCHETS { var oldestID string oldestTime := time.Now().Unix() for id, exp := range i.ratchetExpiry { if exp < oldestTime { oldestTime = exp oldestID = id } } delete(i.ratchets, oldestID) delete(i.ratchetExpiry, oldestID) log.Printf("[DEBUG-7] Cleaned up oldest ratchet with ID: %x", []byte(oldestID)) } log.Printf("[DEBUG-7] Current number of active ratchets: %d", len(i.ratchets)) return newRatchet, nil } func (i *Identity) GetRatchets() [][]byte { i.mutex.RLock() defer i.mutex.RUnlock() log.Printf("[DEBUG-7] Getting ratchets for identity %s", i.GetHexHash()) ratchets := make([][]byte, 0, len(i.ratchets)) now := time.Now().Unix() expired := 0 // Return only non-expired ratchets for id, expiry := range i.ratchetExpiry { if expiry > now { ratchets = append(ratchets, i.ratchets[id]) } else { // Clean up expired ratchets delete(i.ratchets, id) delete(i.ratchetExpiry, id) expired++ } } log.Printf("[DEBUG-7] Retrieved %d active ratchets, cleaned up %d expired", len(ratchets), expired) return ratchets } func (i *Identity) CleanupExpiredRatchets() { i.mutex.Lock() defer i.mutex.Unlock() log.Printf("[DEBUG-7] Starting ratchet cleanup for identity %s", i.GetHexHash()) now := time.Now().Unix() cleaned := 0 for id, expiry := range i.ratchetExpiry { if expiry <= now { delete(i.ratchets, id) delete(i.ratchetExpiry, id) cleaned++ } } log.Printf("[DEBUG-7] Cleaned up %d expired ratchets, %d remaining", cleaned, len(i.ratchets)) } // ValidateAnnounce validates an announce packet's signature func (i *Identity) ValidateAnnounce(data []byte, destHash []byte, appData []byte) bool { if i == nil || len(data) < ed25519.SignatureSize { return false } signatureStart := len(data) - ed25519.SignatureSize signature := data[signatureStart:] signedData := append(destHash, i.GetPublicKey()...) signedData = append(signedData, appData...) return ed25519.Verify(i.verificationKey, signedData, signature) } // GetNameHash returns a 10-byte hash derived from the identity's public key func (i *Identity) GetNameHash() []byte { if i == nil || i.publicKey == nil { return nil } // Generate hash from combined public key h := sha256.New() h.Write(i.GetPublicKey()) fullHash := h.Sum(nil) // Return first 10 bytes (NAME_HASH_LENGTH/8) return fullHash[:NAME_HASH_LENGTH/8] } // GetEncryptionKey returns the X25519 public key used for encryption func (i *Identity) GetEncryptionKey() []byte { return i.publicKey } // GetSigningKey returns the Ed25519 public key used for signing func (i *Identity) GetSigningKey() []byte { return i.verificationKey }