1092 lines
31 KiB
Go
1092 lines
31 KiB
Go
package identity
|
|
|
|
import (
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"crypto/ed25519"
|
|
"crypto/hmac"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"os"
|
|
"sync"
|
|
"time"
|
|
|
|
"git.quad4.io/Networks/Reticulum-Go/pkg/common"
|
|
"git.quad4.io/Networks/Reticulum-Go/pkg/cryptography"
|
|
"git.quad4.io/Networks/Reticulum-Go/pkg/debug"
|
|
"github.com/vmihailenco/msgpack/v5"
|
|
"golang.org/x/crypto/curve25519"
|
|
"golang.org/x/crypto/hkdf"
|
|
)
|
|
|
|
const (
|
|
CURVE = "Curve25519"
|
|
KEYSIZE = 512 // Combined length of encryption key (256) and signing key (256)
|
|
RATCHETSIZE = 256
|
|
RATCHET_EXPIRY = 2592000 // 30 days in seconds
|
|
TRUNCATED_HASHLENGTH = 128
|
|
NAME_HASH_LENGTH = 80
|
|
|
|
// Token constants for Fernet-like spec
|
|
TOKEN_OVERHEAD = 16 // AES block size
|
|
AES128_BLOCKSIZE = 16
|
|
HASHLENGTH = 256
|
|
SIGLENGTH = KEYSIZE
|
|
|
|
RATCHET_ROTATION_INTERVAL = 1800 // Default 30 minutes in seconds
|
|
MAX_RETAINED_RATCHETS = 512 // Maximum number of retained ratchet keys
|
|
)
|
|
|
|
type Identity struct {
|
|
privateKey []byte
|
|
publicKey []byte
|
|
signingSeed []byte // 32-byte Ed25519 seed
|
|
verificationKey ed25519.PublicKey
|
|
hash []byte
|
|
hexHash string
|
|
appData []byte
|
|
|
|
ratchets map[string][]byte
|
|
ratchetExpiry map[string]int64
|
|
mutex *sync.RWMutex
|
|
}
|
|
|
|
var (
|
|
knownDestinations = make(map[string][]interface{})
|
|
knownDestinationsLock sync.RWMutex
|
|
knownRatchets = make(map[string][]byte)
|
|
ratchetPersistLock sync.Mutex
|
|
)
|
|
|
|
func New() (*Identity, error) {
|
|
i := &Identity{
|
|
ratchets: make(map[string][]byte),
|
|
ratchetExpiry: make(map[string]int64),
|
|
mutex: &sync.RWMutex{},
|
|
}
|
|
|
|
// Generate keypairs using cryptography package
|
|
privKey, pubKey, err := cryptography.GenerateKeyPair()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to generate X25519 keypair: %v", err)
|
|
}
|
|
i.privateKey = privKey
|
|
i.publicKey = pubKey
|
|
|
|
// Generate 32-byte Ed25519 seed
|
|
var ed25519Seed [32]byte
|
|
if _, err := io.ReadFull(rand.Reader, ed25519Seed[:]); err != nil {
|
|
return nil, fmt.Errorf("failed to generate Ed25519 seed: %v", err)
|
|
}
|
|
|
|
// Derive Ed25519 keypair from seed
|
|
privKeyEd := ed25519.NewKeyFromSeed(ed25519Seed[:])
|
|
pubKeyEd := privKeyEd.Public().(ed25519.PublicKey)
|
|
|
|
i.signingSeed = ed25519Seed[:]
|
|
i.verificationKey = pubKeyEd
|
|
|
|
return i, nil
|
|
}
|
|
|
|
func (i *Identity) GetPublicKey() []byte {
|
|
// Combine encryption and signing public keys in correct order
|
|
fullKey := make([]byte, 64)
|
|
copy(fullKey[:32], i.publicKey) // First 32 bytes: X25519 encryption key
|
|
copy(fullKey[32:], i.verificationKey) // Last 32 bytes: Ed25519 verification key
|
|
return fullKey
|
|
}
|
|
|
|
func (i *Identity) GetPrivateKey() []byte {
|
|
return append(i.privateKey, i.signingSeed...)
|
|
}
|
|
|
|
func (i *Identity) Sign(data []byte) []byte {
|
|
// Derive Ed25519 private key from seed
|
|
privKey := ed25519.NewKeyFromSeed(i.signingSeed)
|
|
return cryptography.Sign(privKey, data)
|
|
}
|
|
|
|
func (i *Identity) Verify(data []byte, signature []byte) bool {
|
|
return cryptography.Verify(i.verificationKey, data, signature)
|
|
}
|
|
|
|
func (i *Identity) Encrypt(plaintext []byte, ratchet []byte) ([]byte, error) {
|
|
// Generate ephemeral keypair
|
|
ephemeralPrivKey, ephemeralPubKey, err := cryptography.GenerateKeyPair()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Use ratchet key if provided, otherwise use identity public key
|
|
targetKey := i.publicKey
|
|
if ratchet != nil {
|
|
targetKey = ratchet
|
|
}
|
|
|
|
// Generate shared secret
|
|
sharedSecret, err := cryptography.DeriveSharedSecret(ephemeralPrivKey, targetKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Derive key material (64 bytes: first 32 for HMAC, last 32 for encryption)
|
|
salt := i.GetSalt()
|
|
debug.Log(debug.DEBUG_ALL, "Encrypt: using salt", "salt", fmt.Sprintf("%x", salt), "identity_hash", fmt.Sprintf("%x", i.Hash()))
|
|
key, err := cryptography.DeriveKey(sharedSecret, salt, i.GetContext(), 64)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
hmacKey := key[:32]
|
|
encryptionKey := key[32:64]
|
|
|
|
// Encrypt data
|
|
ciphertext, err := cryptography.EncryptAES256CBC(encryptionKey, plaintext)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Calculate HMAC over ciphertext only (iv + encrypted_data)
|
|
mac := cryptography.ComputeHMAC(hmacKey, ciphertext)
|
|
|
|
// Combine components
|
|
token := make([]byte, 0, len(ephemeralPubKey)+len(ciphertext)+len(mac))
|
|
token = append(token, ephemeralPubKey...)
|
|
token = append(token, ciphertext...)
|
|
token = append(token, mac...)
|
|
|
|
return token, nil
|
|
}
|
|
|
|
func (i *Identity) Hash() []byte {
|
|
hash := cryptography.Hash(i.GetPublicKey())
|
|
return hash[:TRUNCATED_HASHLENGTH/8]
|
|
}
|
|
|
|
func TruncatedHash(data []byte) []byte {
|
|
h := sha256.New()
|
|
h.Write(data)
|
|
fullHash := h.Sum(nil)
|
|
return fullHash[:TRUNCATED_HASHLENGTH/8]
|
|
}
|
|
|
|
func GetRandomHash() []byte {
|
|
randomData := make([]byte, TRUNCATED_HASHLENGTH/8)
|
|
_, err := rand.Read(randomData) // #nosec G104
|
|
if err != nil {
|
|
debug.Log(debug.DEBUG_CRITICAL, "Failed to read random data for hash", "error", err)
|
|
return nil // Or handle the error appropriately
|
|
}
|
|
return TruncatedHash(randomData)
|
|
}
|
|
|
|
func Remember(packet []byte, destHash []byte, publicKey []byte, appData []byte) {
|
|
hashStr := hex.EncodeToString(destHash)
|
|
|
|
// Store destination data as [packet, destHash, identity, appData]
|
|
id := FromPublicKey(publicKey)
|
|
knownDestinationsLock.Lock()
|
|
knownDestinations[hashStr] = []interface{}{
|
|
packet,
|
|
destHash,
|
|
id,
|
|
appData,
|
|
}
|
|
knownDestinationsLock.Unlock()
|
|
}
|
|
|
|
func ValidateAnnounce(packet []byte, destHash []byte, publicKey []byte, signature []byte, appData []byte) bool {
|
|
if len(publicKey) != KEYSIZE/8 {
|
|
return false
|
|
}
|
|
|
|
// Split public key into encryption and verification keys
|
|
announced := &Identity{
|
|
publicKey: publicKey[:KEYSIZE/16],
|
|
verificationKey: publicKey[KEYSIZE/16:],
|
|
}
|
|
|
|
// Verify signature
|
|
signedData := append(destHash, publicKey...)
|
|
signedData = append(signedData, appData...)
|
|
|
|
if !announced.Verify(signedData, signature) {
|
|
return false
|
|
}
|
|
|
|
// Store in known destinations
|
|
Remember(packet, destHash, publicKey, appData)
|
|
return true
|
|
}
|
|
|
|
func FromPublicKey(publicKey []byte) *Identity {
|
|
if len(publicKey) != KEYSIZE/8 {
|
|
return nil
|
|
}
|
|
|
|
id := &Identity{
|
|
publicKey: publicKey[:KEYSIZE/16],
|
|
verificationKey: publicKey[KEYSIZE/16:],
|
|
ratchets: make(map[string][]byte),
|
|
ratchetExpiry: make(map[string]int64),
|
|
mutex: &sync.RWMutex{},
|
|
}
|
|
|
|
hash := cryptography.Hash(id.GetPublicKey())
|
|
id.hash = hash[:TRUNCATED_HASHLENGTH/8]
|
|
|
|
return id
|
|
}
|
|
|
|
func (i *Identity) Hex() string {
|
|
return fmt.Sprintf("%x", i.Hash())
|
|
}
|
|
|
|
func (i *Identity) String() string {
|
|
return i.Hex()
|
|
}
|
|
|
|
func Recall(hash []byte) (*Identity, error) {
|
|
hashStr := hex.EncodeToString(hash)
|
|
|
|
knownDestinationsLock.RLock()
|
|
data, exists := knownDestinations[hashStr]
|
|
knownDestinationsLock.RUnlock()
|
|
|
|
if exists {
|
|
// data is [packet, destHash, identity, appData]
|
|
if len(data) >= 3 {
|
|
if id, ok := data[2].(*Identity); ok {
|
|
return id, nil
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil, fmt.Errorf("identity not found for hash %x", hash)
|
|
}
|
|
|
|
func (i *Identity) GenerateHMACKey() []byte {
|
|
hmacKey := make([]byte, KEYSIZE/8)
|
|
if _, err := io.ReadFull(rand.Reader, hmacKey); err != nil {
|
|
return nil
|
|
}
|
|
return hmacKey
|
|
}
|
|
|
|
func (i *Identity) ComputeHMAC(key, message []byte) []byte {
|
|
h := hmac.New(sha256.New, key)
|
|
h.Write(message)
|
|
return h.Sum(nil)
|
|
}
|
|
|
|
func (i *Identity) ValidateHMAC(key, message, messageHMAC []byte) bool {
|
|
expectedHMAC := i.ComputeHMAC(key, message)
|
|
return hmac.Equal(messageHMAC, expectedHMAC)
|
|
}
|
|
|
|
func (i *Identity) GetCurrentRatchetKey() []byte {
|
|
i.mutex.RLock()
|
|
defer i.mutex.RUnlock()
|
|
|
|
if len(i.ratchets) == 0 {
|
|
// If no ratchets exist, generate one.
|
|
// This should ideally be handled by an explicit setup process.
|
|
debug.Log(debug.DEBUG_TRACE, "No ratchets found, generating a new one on-the-fly")
|
|
// Temporarily unlock to call RotateRatchet, which locks internally.
|
|
i.mutex.RUnlock()
|
|
newRatchet, err := i.RotateRatchet()
|
|
i.mutex.RLock()
|
|
if err != nil {
|
|
debug.Log(debug.DEBUG_CRITICAL, "Failed to generate initial ratchet key", "error", err)
|
|
return nil
|
|
}
|
|
return newRatchet
|
|
}
|
|
|
|
// Return the most recently generated ratchet key
|
|
var latestKey []byte
|
|
var latestTime int64
|
|
for id, expiry := range i.ratchetExpiry {
|
|
if expiry > latestTime {
|
|
latestTime = expiry
|
|
latestKey = i.ratchets[id]
|
|
}
|
|
}
|
|
|
|
if latestKey == nil {
|
|
debug.Log(debug.DEBUG_ERROR, "Could not determine the latest ratchet key", "ratchet_count", len(i.ratchets))
|
|
}
|
|
|
|
return latestKey
|
|
}
|
|
|
|
func (i *Identity) Decrypt(ciphertextToken []byte, ratchets [][]byte, enforceRatchets bool, ratchetIDReceiver *common.RatchetIDReceiver) ([]byte, error) {
|
|
if i.privateKey == nil {
|
|
debug.Log(debug.DEBUG_CRITICAL, "Decryption failed: identity has no private key")
|
|
return nil, errors.New("decryption failed because identity does not hold a private key")
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Starting decryption for identity", "hash", i.GetHexHash())
|
|
if len(ratchets) > 0 {
|
|
debug.Log(debug.DEBUG_ALL, "Attempting decryption with ratchets", "count", len(ratchets))
|
|
}
|
|
|
|
if len(ciphertextToken) <= KEYSIZE/8/2 {
|
|
return nil, errors.New("decryption failed because the token size was invalid")
|
|
}
|
|
|
|
// Extract components: ephemeralPubKey(32) + ciphertext + mac(32)
|
|
if len(ciphertextToken) < 32+32+32 { // minimum sizes
|
|
return nil, errors.New("token too short")
|
|
}
|
|
|
|
peerPubBytes := ciphertextToken[:32]
|
|
ciphertext := ciphertextToken[32 : len(ciphertextToken)-32]
|
|
mac := ciphertextToken[len(ciphertextToken)-32:]
|
|
|
|
// Try decryption with ratchets first if provided
|
|
if len(ratchets) > 0 {
|
|
for _, ratchet := range ratchets {
|
|
if decrypted, ratchetID, err := i.tryRatchetDecryption(peerPubBytes, ciphertext, mac, ratchet); err == nil {
|
|
if ratchetIDReceiver != nil {
|
|
ratchetIDReceiver.LatestRatchetID = ratchetID
|
|
}
|
|
return decrypted, nil
|
|
}
|
|
}
|
|
|
|
if enforceRatchets {
|
|
if ratchetIDReceiver != nil {
|
|
ratchetIDReceiver.LatestRatchetID = nil
|
|
}
|
|
return nil, errors.New("decryption with ratchet enforcement failed")
|
|
}
|
|
}
|
|
|
|
// Try normal decryption if ratchet decryption failed or wasn't requested
|
|
sharedKey, err := curve25519.X25519(i.privateKey, peerPubBytes)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to generate shared key: %v", err)
|
|
}
|
|
|
|
// Derive key material (64 bytes: first 32 for HMAC, last 32 for encryption)
|
|
salt := i.GetSalt()
|
|
debug.Log(debug.DEBUG_ALL, "Decrypt: using salt", "salt", fmt.Sprintf("%x", salt), "identity_hash", fmt.Sprintf("%x", i.Hash()))
|
|
hkdfReader := hkdf.New(sha256.New, sharedKey, salt, i.GetContext())
|
|
derivedKey := make([]byte, 64)
|
|
if _, err := io.ReadFull(hkdfReader, derivedKey); err != nil {
|
|
return nil, fmt.Errorf("failed to derive key: %v", err)
|
|
}
|
|
|
|
hmacKey := derivedKey[:32]
|
|
encryptionKey := derivedKey[32:64]
|
|
|
|
// Validate HMAC over ciphertext only (iv + encrypted_data)
|
|
if !cryptography.ValidateHMAC(hmacKey, ciphertext, mac) {
|
|
return nil, errors.New("invalid HMAC")
|
|
}
|
|
|
|
// Create AES cipher
|
|
block, err := aes.NewCipher(encryptionKey)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create cipher: %v", err)
|
|
}
|
|
|
|
// Extract IV and decrypt
|
|
if len(ciphertext) < aes.BlockSize {
|
|
return nil, errors.New("ciphertext too short")
|
|
}
|
|
|
|
iv := ciphertext[:aes.BlockSize]
|
|
actualCiphertext := ciphertext[aes.BlockSize:]
|
|
|
|
if len(actualCiphertext)%aes.BlockSize != 0 {
|
|
return nil, errors.New("ciphertext is not a multiple of block size")
|
|
}
|
|
|
|
mode := cipher.NewCBCDecrypter(block, iv)
|
|
plaintext := make([]byte, len(actualCiphertext))
|
|
mode.CryptBlocks(plaintext, actualCiphertext)
|
|
|
|
// Remove PKCS7 padding
|
|
padding := int(plaintext[len(plaintext)-1])
|
|
if padding > aes.BlockSize || padding == 0 {
|
|
return nil, errors.New("invalid padding")
|
|
}
|
|
|
|
for i := len(plaintext) - padding; i < len(plaintext); i++ {
|
|
if plaintext[i] != byte(padding) {
|
|
return nil, errors.New("invalid padding")
|
|
}
|
|
}
|
|
|
|
if ratchetIDReceiver != nil {
|
|
ratchetIDReceiver.LatestRatchetID = nil
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Decryption completed successfully")
|
|
return plaintext[:len(plaintext)-padding], nil
|
|
}
|
|
|
|
// Helper function to attempt decryption using a ratchet
|
|
func (i *Identity) tryRatchetDecryption(peerPubBytes, ciphertext, mac, ratchet []byte) (plaintext, ratchetID []byte, err error) {
|
|
// Convert ratchet to private key
|
|
ratchetPriv := ratchet
|
|
|
|
// Get ratchet ID
|
|
ratchetPubBytes, err := curve25519.X25519(ratchetPriv, cryptography.GetBasepoint())
|
|
if err != nil {
|
|
debug.Log(debug.DEBUG_ALL, "Failed to generate ratchet public key", "error", err)
|
|
return nil, nil, err
|
|
}
|
|
ratchetID = i.GetRatchetID(ratchetPubBytes)
|
|
|
|
sharedSecret, err := cryptography.DeriveSharedSecret(ratchet, peerPubBytes)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
key, err := cryptography.DeriveKey(sharedSecret, i.GetSalt(), i.GetContext(), 64)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
hmacKey := key[:32]
|
|
encryptionKey := key[32:64]
|
|
|
|
// Validate HMAC over ciphertext only (iv + encrypted_data)
|
|
if !cryptography.ValidateHMAC(hmacKey, ciphertext, mac) {
|
|
return nil, nil, errors.New("invalid HMAC")
|
|
}
|
|
|
|
plaintext, err = cryptography.DecryptAES256CBC(encryptionKey, ciphertext)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
return plaintext, ratchetID, nil
|
|
}
|
|
|
|
func (i *Identity) EncryptWithHMAC(plaintext []byte, key []byte) ([]byte, error) {
|
|
var hmacKey, encryptionKey []byte
|
|
if len(key) == 64 {
|
|
hmacKey = key[:32]
|
|
encryptionKey = key[32:64]
|
|
} else if len(key) == 32 {
|
|
hmacKey = key[:16]
|
|
encryptionKey = key[16:32]
|
|
} else {
|
|
return nil, errors.New("invalid key length for EncryptWithHMAC")
|
|
}
|
|
|
|
ciphertext, err := cryptography.EncryptAES256CBC(encryptionKey, plaintext)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
mac := cryptography.ComputeHMAC(hmacKey, ciphertext)
|
|
return append(ciphertext, mac...), nil
|
|
}
|
|
|
|
func (i *Identity) DecryptWithHMAC(data []byte, key []byte) ([]byte, error) {
|
|
if len(data) < cryptography.SHA256Size {
|
|
return nil, errors.New("data too short")
|
|
}
|
|
|
|
var hmacKey, encryptionKey []byte
|
|
if len(key) == 64 {
|
|
hmacKey = key[:32]
|
|
encryptionKey = key[32:64]
|
|
} else if len(key) == 32 {
|
|
hmacKey = key[:16]
|
|
encryptionKey = key[16:32]
|
|
} else {
|
|
return nil, errors.New("invalid key length for DecryptWithHMAC")
|
|
}
|
|
|
|
macStart := len(data) - cryptography.SHA256Size
|
|
ciphertext := data[:macStart]
|
|
messageMAC := data[macStart:]
|
|
|
|
if !cryptography.ValidateHMAC(hmacKey, ciphertext, messageMAC) {
|
|
return nil, errors.New("invalid HMAC")
|
|
}
|
|
|
|
return cryptography.DecryptAES256CBC(encryptionKey, ciphertext)
|
|
}
|
|
|
|
func (i *Identity) ToFile(path string) error {
|
|
debug.Log(debug.DEBUG_ALL, "Saving identity to file", "hash", i.GetHexHash(), "path", path)
|
|
|
|
if i.privateKey == nil || i.signingSeed == nil {
|
|
return errors.New("cannot save identity without private keys")
|
|
}
|
|
|
|
// Store private keys as raw bytes
|
|
// Format: [X25519 PrivKey (32 bytes)][Ed25519 PrivKey (32 bytes)]
|
|
// Total: 64 bytes
|
|
privateKeyBytes := make([]byte, 64)
|
|
copy(privateKeyBytes[:32], i.privateKey)
|
|
copy(privateKeyBytes[32:], i.signingSeed)
|
|
|
|
// Write raw bytes to file
|
|
file, err := os.Create(path) // #nosec G304
|
|
if err != nil {
|
|
debug.Log(debug.DEBUG_CRITICAL, "Failed to create identity file", "error", err)
|
|
return err
|
|
}
|
|
defer file.Close()
|
|
|
|
if _, err := file.Write(privateKeyBytes); err != nil {
|
|
debug.Log(debug.DEBUG_CRITICAL, "Failed to write identity data", "error", err)
|
|
return err
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Identity saved successfully", "bytes", len(privateKeyBytes))
|
|
return nil
|
|
}
|
|
|
|
func FromFile(path string) (*Identity, error) {
|
|
debug.Log(debug.DEBUG_ALL, "Loading identity from file", "path", path)
|
|
|
|
// Read the private key bytes from file
|
|
// bearer:disable go_gosec_filesystem_filereadtaint
|
|
data, err := os.ReadFile(path) // #nosec G304
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to read identity file: %w", err)
|
|
}
|
|
|
|
if len(data) != 64 {
|
|
return nil, fmt.Errorf("invalid identity file: expected 64 bytes, got %d", len(data))
|
|
}
|
|
|
|
// Parse the private keys
|
|
// Format: [X25519 PrivKey (32 bytes)][Ed25519 PrivKey (32 bytes)]
|
|
privateKey := data[:32]
|
|
signingSeed := data[32:64]
|
|
|
|
// Create identity with initialized maps and mutex
|
|
ident := &Identity{
|
|
ratchets: make(map[string][]byte),
|
|
ratchetExpiry: make(map[string]int64),
|
|
mutex: &sync.RWMutex{},
|
|
}
|
|
|
|
if err := ident.loadPrivateKey(privateKey, signingSeed); err != nil {
|
|
return nil, fmt.Errorf("failed to load private key: %w", err)
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_INFO, "Identity loaded from file", "hash", ident.GetHexHash())
|
|
return ident, nil
|
|
}
|
|
|
|
func LoadOrCreateTransportIdentity() (*Identity, error) {
|
|
storagePath := os.Getenv("RETICULUM_STORAGE_PATH")
|
|
if storagePath == "" {
|
|
homeDir, err := os.UserHomeDir()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get home directory: %w", err)
|
|
}
|
|
storagePath = fmt.Sprintf("%s/.reticulum/storage", homeDir)
|
|
}
|
|
|
|
if err := os.MkdirAll(storagePath, 0700); err != nil {
|
|
return nil, fmt.Errorf("failed to create storage directory: %w", err)
|
|
}
|
|
|
|
transportIdentityPath := fmt.Sprintf("%s/transport_identity", storagePath)
|
|
|
|
if ident, err := FromFile(transportIdentityPath); err == nil {
|
|
debug.Log(debug.DEBUG_INFO, "Loaded transport identity from storage")
|
|
return ident, nil
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_INFO, "No valid transport identity in storage, creating new one")
|
|
ident, err := New()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to create transport identity: %w", err)
|
|
}
|
|
|
|
if err := ident.ToFile(transportIdentityPath); err != nil {
|
|
return nil, fmt.Errorf("failed to save transport identity: %w", err)
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_INFO, "Created and saved transport identity")
|
|
return ident, nil
|
|
}
|
|
|
|
func (i *Identity) loadPrivateKey(privateKey, signingSeed []byte) error {
|
|
if len(privateKey) != 32 || len(signingSeed) != 32 {
|
|
return errors.New("invalid private key length")
|
|
}
|
|
|
|
// Load X25519 private key
|
|
i.privateKey = make([]byte, 32)
|
|
copy(i.privateKey, privateKey)
|
|
|
|
// Load Ed25519 signing seed
|
|
i.signingSeed = make([]byte, 32)
|
|
copy(i.signingSeed, signingSeed)
|
|
|
|
// Derive public keys from private keys
|
|
var err error
|
|
i.publicKey, err = curve25519.X25519(i.privateKey, curve25519.Basepoint)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to derive X25519 public key: %w", err)
|
|
}
|
|
|
|
signingKey := ed25519.NewKeyFromSeed(i.signingSeed)
|
|
i.verificationKey = signingKey.Public().(ed25519.PublicKey)
|
|
|
|
publicKeyBytes := make([]byte, 0, len(i.publicKey)+len(i.verificationKey))
|
|
publicKeyBytes = append(publicKeyBytes, i.publicKey...)
|
|
publicKeyBytes = append(publicKeyBytes, i.verificationKey...)
|
|
i.hash = TruncatedHash(publicKeyBytes)[:TRUNCATED_HASHLENGTH/8]
|
|
i.hexHash = hex.EncodeToString(i.hash)
|
|
|
|
debug.Log(debug.DEBUG_VERBOSE, "Private key loaded successfully", "hash", i.GetHexHash())
|
|
return nil
|
|
}
|
|
|
|
func (i *Identity) saveRatchets(path string) error {
|
|
i.mutex.RLock()
|
|
defer i.mutex.RUnlock()
|
|
|
|
if len(i.ratchets) == 0 {
|
|
return nil // Nothing to save
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_PACKETS, "Saving ratchets", "count", len(i.ratchets), "path", path)
|
|
|
|
// Convert ratchets to list format for msgpack
|
|
ratchetList := make([][]byte, 0, len(i.ratchets))
|
|
for _, ratchet := range i.ratchets {
|
|
ratchetList = append(ratchetList, ratchet)
|
|
}
|
|
|
|
// Pack ratchets using msgpack
|
|
packedRatchets, err := msgpack.Marshal(ratchetList)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to pack ratchets: %w", err)
|
|
}
|
|
|
|
// Sign the packed ratchets
|
|
signature := i.Sign(packedRatchets)
|
|
|
|
// Create structure: {"signature": ..., "ratchets": ...}
|
|
persistedData := map[string][]byte{
|
|
"signature": signature,
|
|
"ratchets": packedRatchets,
|
|
}
|
|
|
|
// Pack the entire structure
|
|
finalData, err := msgpack.Marshal(persistedData)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to pack ratchet data: %w", err)
|
|
}
|
|
|
|
// Write to temporary file first, then rename (atomic operation)
|
|
tempPath := path + ".tmp"
|
|
file, err := os.Create(tempPath) // #nosec G304
|
|
if err != nil {
|
|
return fmt.Errorf("failed to create temp ratchet file: %w", err)
|
|
}
|
|
|
|
if _, err := file.Write(finalData); err != nil {
|
|
// #nosec G104 - Error already being handled, cleanup errors are non-critical
|
|
file.Close()
|
|
// #nosec G104 - Error already being handled, cleanup errors are non-critical
|
|
os.Remove(tempPath)
|
|
return fmt.Errorf("failed to write ratchet data: %w", err)
|
|
}
|
|
// #nosec G104 - File is being closed after successful write, error is non-critical
|
|
file.Close()
|
|
|
|
// Atomic rename
|
|
if err := os.Rename(tempPath, path); err != nil {
|
|
// #nosec G104 - Error already being handled, cleanup errors are non-critical
|
|
os.Remove(tempPath)
|
|
return fmt.Errorf("failed to rename ratchet file: %w", err)
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_PACKETS, "Ratchets saved successfully")
|
|
return nil
|
|
}
|
|
|
|
func RecallIdentity(path string) (*Identity, error) {
|
|
debug.Log(debug.DEBUG_ALL, "Attempting to recall identity", "path", path)
|
|
|
|
// bearer:disable go_gosec_filesystem_filereadtaint
|
|
file, err := os.Open(path) // #nosec G304
|
|
if err != nil {
|
|
debug.Log(debug.DEBUG_CRITICAL, "Failed to open identity file", "error", err)
|
|
return nil, err
|
|
}
|
|
defer file.Close()
|
|
|
|
// Read raw bytes
|
|
// Format: [X25519 PrivKey (32 bytes)][Ed25519 PrivKey (32 bytes)]
|
|
privateKeyBytes := make([]byte, 64)
|
|
n, err := io.ReadFull(file, privateKeyBytes)
|
|
if err != nil {
|
|
debug.Log(debug.DEBUG_CRITICAL, "Failed to read identity data", "error", err)
|
|
return nil, err
|
|
}
|
|
if n != 64 {
|
|
return nil, fmt.Errorf("invalid identity file: expected 64 bytes, got %d", n)
|
|
}
|
|
|
|
// Extract keys
|
|
x25519PrivKey := privateKeyBytes[:32]
|
|
ed25519Seed := privateKeyBytes[32:]
|
|
|
|
// Derive public keys
|
|
x25519PubKey, err := curve25519.X25519(x25519PrivKey, curve25519.Basepoint)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to derive X25519 public key: %v", err)
|
|
}
|
|
|
|
ed25519PrivKey := ed25519.NewKeyFromSeed(ed25519Seed)
|
|
ed25519PubKey := ed25519PrivKey.Public().(ed25519.PublicKey)
|
|
|
|
id := &Identity{
|
|
privateKey: x25519PrivKey,
|
|
publicKey: x25519PubKey,
|
|
signingSeed: ed25519Seed,
|
|
verificationKey: ed25519PubKey,
|
|
ratchets: make(map[string][]byte),
|
|
ratchetExpiry: make(map[string]int64),
|
|
mutex: &sync.RWMutex{},
|
|
}
|
|
|
|
// Generate hash
|
|
combinedPub := make([]byte, KEYSIZE/8)
|
|
copy(combinedPub[:KEYSIZE/16], id.publicKey)
|
|
copy(combinedPub[KEYSIZE/16:], id.verificationKey)
|
|
hash := sha256.Sum256(combinedPub)
|
|
id.hash = hash[:TRUNCATED_HASHLENGTH/8]
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Successfully recalled identity", "hash", id.GetHexHash())
|
|
return id, nil
|
|
}
|
|
|
|
func (i *Identity) loadRatchets(path string) error {
|
|
i.mutex.Lock()
|
|
defer i.mutex.Unlock()
|
|
|
|
// bearer:disable go_gosec_filesystem_filereadtaint
|
|
file, err := os.Open(path) // #nosec G304
|
|
if err != nil {
|
|
if os.IsNotExist(err) {
|
|
debug.Log(debug.DEBUG_PACKETS, "No ratchet file found, skipping", "path", path)
|
|
return nil
|
|
}
|
|
return fmt.Errorf("failed to open ratchet file: %w", err)
|
|
}
|
|
defer file.Close()
|
|
|
|
// Read all data
|
|
fileData, err := io.ReadAll(file)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to read ratchet file: %w", err)
|
|
}
|
|
|
|
// Unpack outer structure: {"signature": ..., "ratchets": ...}
|
|
var persistedData map[string][]byte
|
|
if err := msgpack.Unmarshal(fileData, &persistedData); err != nil {
|
|
return fmt.Errorf("failed to unpack ratchet data: %w", err)
|
|
}
|
|
|
|
signature, hasSignature := persistedData["signature"]
|
|
packedRatchets, hasRatchets := persistedData["ratchets"]
|
|
|
|
if !hasSignature || !hasRatchets {
|
|
return fmt.Errorf("invalid ratchet file format: missing signature or ratchets")
|
|
}
|
|
|
|
// Verify signature
|
|
if !i.Verify(packedRatchets, signature) {
|
|
return fmt.Errorf("invalid ratchet file signature")
|
|
}
|
|
|
|
// Unpack ratchet list
|
|
var ratchetList [][]byte
|
|
if err := msgpack.Unmarshal(packedRatchets, &ratchetList); err != nil {
|
|
return fmt.Errorf("failed to unpack ratchet list: %w", err)
|
|
}
|
|
|
|
// Store ratchets with generated IDs
|
|
now := time.Now().Unix()
|
|
for _, ratchet := range ratchetList {
|
|
// Generate ratchet public key to create ID
|
|
ratchetPub, err := curve25519.X25519(ratchet, curve25519.Basepoint)
|
|
if err != nil {
|
|
debug.Log(debug.DEBUG_ERROR, "Failed to generate ratchet public key", "error", err)
|
|
continue
|
|
}
|
|
ratchetID := i.GetRatchetID(ratchetPub)
|
|
i.ratchets[string(ratchetID)] = ratchet
|
|
i.ratchetExpiry[string(ratchetID)] = now + RATCHET_EXPIRY
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_PACKETS, "Loaded ratchets", "count", len(i.ratchets), "path", path)
|
|
return nil
|
|
}
|
|
|
|
func HashFromString(hash string) ([]byte, error) {
|
|
if len(hash) != 32 {
|
|
return nil, fmt.Errorf("invalid hash length: expected 32, got %d", len(hash))
|
|
}
|
|
|
|
return hex.DecodeString(hash)
|
|
}
|
|
|
|
func (i *Identity) GetSalt() []byte {
|
|
return i.hash
|
|
}
|
|
|
|
func (i *Identity) GetContext() []byte {
|
|
return nil
|
|
}
|
|
|
|
func (i *Identity) GetRatchetID(ratchetPubBytes []byte) []byte {
|
|
hash := cryptography.Hash(ratchetPubBytes)
|
|
return hash[:NAME_HASH_LENGTH/8]
|
|
}
|
|
|
|
func GetKnownDestination(hash string) ([]interface{}, bool) {
|
|
knownDestinationsLock.RLock()
|
|
data, exists := knownDestinations[hash]
|
|
knownDestinationsLock.RUnlock()
|
|
if exists {
|
|
return data, true
|
|
}
|
|
return nil, false
|
|
}
|
|
|
|
func (i *Identity) GetHexHash() string {
|
|
if i.hexHash == "" {
|
|
i.hexHash = hex.EncodeToString(i.Hash())
|
|
}
|
|
return i.hexHash
|
|
}
|
|
|
|
func (i *Identity) GetRatchetKey(id string) ([]byte, bool) {
|
|
ratchetPersistLock.Lock()
|
|
defer ratchetPersistLock.Unlock()
|
|
|
|
key, exists := knownRatchets[id]
|
|
return key, exists
|
|
}
|
|
|
|
func (i *Identity) SetRatchetKey(id string, key []byte) {
|
|
ratchetPersistLock.Lock()
|
|
defer ratchetPersistLock.Unlock()
|
|
|
|
knownRatchets[id] = key
|
|
}
|
|
|
|
// NewIdentity creates a new Identity instance with fresh keys
|
|
func NewIdentity() (*Identity, error) {
|
|
// Generate 32-byte Ed25519 seed
|
|
var ed25519Seed [32]byte
|
|
if _, err := io.ReadFull(rand.Reader, ed25519Seed[:]); err != nil {
|
|
return nil, fmt.Errorf("failed to generate Ed25519 seed: %v", err)
|
|
}
|
|
|
|
// Derive Ed25519 keypair from seed
|
|
privKey := ed25519.NewKeyFromSeed(ed25519Seed[:])
|
|
pubKey := privKey.Public().(ed25519.PublicKey)
|
|
|
|
// Generate X25519 encryption keypair
|
|
var encPrivKey [32]byte
|
|
if _, err := io.ReadFull(rand.Reader, encPrivKey[:]); err != nil {
|
|
return nil, fmt.Errorf("failed to generate X25519 private key: %v", err)
|
|
}
|
|
|
|
encPubKey, err := curve25519.X25519(encPrivKey[:], curve25519.Basepoint)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to generate X25519 public key: %v", err)
|
|
}
|
|
|
|
i := &Identity{
|
|
privateKey: encPrivKey[:],
|
|
publicKey: encPubKey,
|
|
signingSeed: ed25519Seed[:],
|
|
verificationKey: pubKey,
|
|
ratchets: make(map[string][]byte),
|
|
ratchetExpiry: make(map[string]int64),
|
|
mutex: &sync.RWMutex{},
|
|
}
|
|
|
|
// Generate hash
|
|
combinedPub := make([]byte, KEYSIZE/8)
|
|
copy(combinedPub[:KEYSIZE/16], i.publicKey)
|
|
copy(combinedPub[KEYSIZE/16:], i.verificationKey)
|
|
hash := sha256.Sum256(combinedPub)
|
|
i.hash = hash[:TRUNCATED_HASHLENGTH/8]
|
|
|
|
return i, nil
|
|
}
|
|
|
|
// FromBytes creates an Identity from a 64-byte private key representation
|
|
func FromBytes(data []byte) (*Identity, error) {
|
|
if len(data) != 64 {
|
|
return nil, fmt.Errorf("invalid identity data: expected 64 bytes, got %d", len(data))
|
|
}
|
|
|
|
privateKey := data[:32]
|
|
signingSeed := data[32:64]
|
|
|
|
ident := &Identity{
|
|
ratchets: make(map[string][]byte),
|
|
ratchetExpiry: make(map[string]int64),
|
|
mutex: &sync.RWMutex{},
|
|
}
|
|
|
|
if err := ident.loadPrivateKey(privateKey, signingSeed); err != nil {
|
|
return nil, fmt.Errorf("failed to load private key: %w", err)
|
|
}
|
|
|
|
return ident, nil
|
|
}
|
|
|
|
func (i *Identity) RotateRatchet() ([]byte, error) {
|
|
i.mutex.Lock()
|
|
defer i.mutex.Unlock()
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Rotating ratchet for identity", "hash", i.GetHexHash())
|
|
|
|
// Generate new ratchet key
|
|
newRatchet := make([]byte, RATCHETSIZE/8)
|
|
if _, err := io.ReadFull(rand.Reader, newRatchet); err != nil {
|
|
debug.Log(debug.DEBUG_CRITICAL, "Failed to generate new ratchet", "error", err)
|
|
return nil, err
|
|
}
|
|
|
|
// Get public key for ratchet ID
|
|
ratchetPub, err := curve25519.X25519(newRatchet, curve25519.Basepoint)
|
|
if err != nil {
|
|
debug.Log(debug.DEBUG_CRITICAL, "Failed to generate ratchet public key", "error", err)
|
|
return nil, err
|
|
}
|
|
|
|
ratchetID := i.GetRatchetID(ratchetPub)
|
|
expiry := time.Now().Unix() + RATCHET_EXPIRY
|
|
|
|
// Store new ratchet
|
|
i.ratchets[string(ratchetID)] = newRatchet
|
|
i.ratchetExpiry[string(ratchetID)] = expiry
|
|
|
|
debug.Log(debug.DEBUG_ALL, "New ratchet generated", "id", fmt.Sprintf("%x", ratchetID), "expiry", expiry)
|
|
|
|
// Cleanup old ratchets if we exceed max retained
|
|
if len(i.ratchets) > MAX_RETAINED_RATCHETS {
|
|
var oldestID string
|
|
oldestTime := time.Now().Unix()
|
|
|
|
for id, exp := range i.ratchetExpiry {
|
|
if exp < oldestTime {
|
|
oldestTime = exp
|
|
oldestID = id
|
|
}
|
|
}
|
|
|
|
delete(i.ratchets, oldestID)
|
|
delete(i.ratchetExpiry, oldestID)
|
|
debug.Log(debug.DEBUG_ALL, "Cleaned up oldest ratchet", "id", fmt.Sprintf("%x", []byte(oldestID)))
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Current number of active ratchets", "count", len(i.ratchets))
|
|
return newRatchet, nil
|
|
}
|
|
|
|
func (i *Identity) GetRatchets() [][]byte {
|
|
i.mutex.RLock()
|
|
defer i.mutex.RUnlock()
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Getting ratchets for identity", "hash", i.GetHexHash())
|
|
|
|
ratchets := make([][]byte, 0, len(i.ratchets))
|
|
now := time.Now().Unix()
|
|
expired := 0
|
|
|
|
// Return only non-expired ratchets
|
|
for id, expiry := range i.ratchetExpiry {
|
|
if expiry > now {
|
|
ratchets = append(ratchets, i.ratchets[id])
|
|
} else {
|
|
// Clean up expired ratchets
|
|
delete(i.ratchets, id)
|
|
delete(i.ratchetExpiry, id)
|
|
expired++
|
|
}
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Retrieved active ratchets", "active", len(ratchets), "expired", expired)
|
|
return ratchets
|
|
}
|
|
|
|
func (i *Identity) CleanupExpiredRatchets() {
|
|
i.mutex.Lock()
|
|
defer i.mutex.Unlock()
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Starting ratchet cleanup for identity", "hash", i.GetHexHash())
|
|
|
|
now := time.Now().Unix()
|
|
cleaned := 0
|
|
for id, expiry := range i.ratchetExpiry {
|
|
if expiry <= now {
|
|
delete(i.ratchets, id)
|
|
delete(i.ratchetExpiry, id)
|
|
cleaned++
|
|
}
|
|
}
|
|
|
|
debug.Log(debug.DEBUG_ALL, "Cleaned up expired ratchets", "cleaned", cleaned, "remaining", len(i.ratchets))
|
|
}
|
|
|
|
// ValidateAnnounce validates an announce packet's signature
|
|
func (i *Identity) ValidateAnnounce(data []byte, destHash []byte, appData []byte) bool {
|
|
if i == nil || len(data) < ed25519.SignatureSize {
|
|
return false
|
|
}
|
|
|
|
signatureStart := len(data) - ed25519.SignatureSize
|
|
signature := data[signatureStart:]
|
|
signedData := append(destHash, i.GetPublicKey()...)
|
|
signedData = append(signedData, appData...)
|
|
|
|
return ed25519.Verify(i.verificationKey, signedData, signature)
|
|
}
|
|
|
|
// GetNameHash returns a 10-byte hash derived from the identity's public key
|
|
func (i *Identity) GetNameHash() []byte {
|
|
if i == nil || i.publicKey == nil {
|
|
return nil
|
|
}
|
|
|
|
// Generate hash from combined public key
|
|
h := sha256.New()
|
|
h.Write(i.GetPublicKey())
|
|
fullHash := h.Sum(nil)
|
|
|
|
// Return first 10 bytes (NAME_HASH_LENGTH/8)
|
|
return fullHash[:NAME_HASH_LENGTH/8]
|
|
}
|
|
|
|
// GetEncryptionKey returns the X25519 public key used for encryption
|
|
func (i *Identity) GetEncryptionKey() []byte {
|
|
return i.publicKey
|
|
}
|
|
|
|
// GetSigningKey returns the Ed25519 public key used for signing
|
|
func (i *Identity) GetSigningKey() []byte {
|
|
return i.verificationKey
|
|
}
|