/* This code is part of Freenet. It is distributed under the GNU General
* Public License, version 2 (or at your option any later version). See
* http://www.gnu.org/ for further details of the GPL. */
package freenet.keys;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.params.DSAPrivateKeyParameters;
import org.bouncycastle.crypto.signers.DSASigner;
import org.bouncycastle.crypto.signers.HMacDSAKCalculator;
import java.io.IOException;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.security.MessageDigest;
import java.util.Arrays;
import freenet.crypt.DSAGroup;
import freenet.crypt.DSAPrivateKey;
import freenet.crypt.DSAPublicKey;
import freenet.crypt.Global;
import freenet.crypt.PCFBMode;
import freenet.crypt.RandomSource;
import freenet.crypt.SHA256;
import freenet.crypt.UnsupportedCipherException;
import freenet.crypt.Util;
import freenet.crypt.ciphers.Rijndael;
import freenet.keys.Key.Compressed;
import freenet.support.Logger;
import freenet.support.api.Bucket;
import freenet.support.compress.InvalidCompressionCodecException;
import freenet.support.math.MersenneTwister;
/** A ClientSSK that has a private key and therefore can be inserted. */
public class InsertableClientSSK extends ClientSSK {
private static final long serialVersionUID = 1L;
public final DSAPrivateKey privKey;
private static boolean logMINOR;
static {
Logger.registerClass(InsertableClientSSK.class);
}
public InsertableClientSSK(String docName, byte[] pubKeyHash, DSAPublicKey pubKey, DSAPrivateKey privKey, byte[] cryptoKey, byte cryptoAlgorithm) throws MalformedURLException {
super(docName, pubKeyHash, getExtraBytes(cryptoAlgorithm), pubKey, cryptoKey);
if(pubKey == null) throw new NullPointerException();
this.privKey = privKey;
}
protected InsertableClientSSK() {
// For serialization.
privKey = null;
}
public static InsertableClientSSK create(FreenetURI uri) throws MalformedURLException {
if(uri.getKeyType().equalsIgnoreCase("KSK"))
return ClientKSK.create(uri);
if(uri.getRoutingKey() == null)
throw new MalformedURLException("Insertable SSK URIs must have a private key!: "+uri);
if(uri.getCryptoKey() == null)
throw new MalformedURLException("Insertable SSK URIs must have a private key!: "+uri);
byte keyType;
byte[] extra = uri.getExtra();
if(uri.getKeyType().equals("SSK")) {
if(extra == null)
throw new MalformedURLException("Inserting pre-1010 keys not supported");
// Formatted exactly as ,extra on fetching
if(extra.length < 5)
throw new MalformedURLException("SSK private key ,extra too short");
if(extra[1] != 1) {
throw new MalformedURLException("SSK not a private key");
}
keyType = extra[2];
if(keyType != Key.ALGO_AES_PCFB_256_SHA256)
throw new MalformedURLException("Unrecognized crypto type in SSK private key");
}
else {
throw new MalformedURLException("Not a valid SSK insert URI type: "+uri.getKeyType());
}
// Allow docName="" for SSKs. E.g. GenerateSSK returns these; we want to be consistent.
// However, we recommend that you not use this, especially not for a freesite, as
// SSK@blah,blah,blah//filename is confusing for clients, browsers etc.
if(uri.getDocName() == null)
throw new MalformedURLException("SSK URIs must have a document name (to avoid ambiguity)");
DSAGroup g = Global.DSAgroupBigA;
DSAPrivateKey privKey;
try {
privKey = new DSAPrivateKey(new BigInteger(1, uri.getRoutingKey()), g);
} catch(IllegalArgumentException e) {
// DSAPrivateKey is invalid
Logger.error(InsertableClientSSK.class, "Caught "+e, e);
throw new MalformedURLException("SSK private key (routing key) is invalid: " + e);
}
DSAPublicKey pubKey = new DSAPublicKey(g, privKey);
byte[] pkHash = pubKey.asBytesHash();
return new InsertableClientSSK(uri.getDocName(), pkHash, pubKey, privKey, uri.getCryptoKey(), keyType);
}
public ClientSSKBlock encode(Bucket sourceData, boolean asMetadata, boolean dontCompress, short alreadyCompressedCodec, long sourceLength, RandomSource r, String compressordescriptor, boolean pre1254) throws SSKEncodeException, IOException, InvalidCompressionCodecException {
byte[] compressedData;
short compressionAlgo;
try {
Compressed comp = Key.compress(sourceData, dontCompress, alreadyCompressedCodec, sourceLength, ClientSSKBlock.MAX_DECOMPRESSED_DATA_LENGTH, SSKBlock.DATA_LENGTH, true, compressordescriptor, pre1254);
compressedData = comp.compressedData;
compressionAlgo = comp.compressionAlgorithm;
} catch (KeyEncodeException e) {
throw new SSKEncodeException(e.getMessage(), e);
}
// Pad it
MessageDigest md256 = SHA256.getMessageDigest();
try {
byte[] data;
// First pad it
if (compressedData.length != SSKBlock.DATA_LENGTH) {
// Hash the data
if (compressedData.length != 0)
md256.update(compressedData);
byte[] digest = md256.digest();
MersenneTwister mt = new MersenneTwister(digest);
data = Arrays.copyOf(compressedData, SSKBlock.DATA_LENGTH);
if (compressedData.length > data.length) {
throw new RuntimeException("compressedData.length = " + compressedData.length + " but data.length="
+ data.length);
}
Util.randomBytes(mt, data, compressedData.length, SSKBlock.DATA_LENGTH - compressedData.length);
} else {
data = compressedData;
}
// Implicit hash of data
byte[] origDataHash = md256.digest(data);
Rijndael aes;
try {
aes = new Rijndael(256, 256);
} catch (UnsupportedCipherException e) {
throw new Error("256/256 Rijndael not supported!");
}
// Encrypt data. Data encryption key = H(plaintext data).
aes.initialize(origDataHash);
PCFBMode pcfb = PCFBMode.create(aes, origDataHash);
pcfb.blockEncipher(data, 0, data.length);
byte[] encryptedDataHash = md256.digest(data);
// Create headers
byte[] headers = new byte[SSKBlock.TOTAL_HEADERS_LENGTH];
// First two bytes = hash ID
int x = 0;
headers[x++] = (byte) (KeyBlock.HASH_SHA256 >> 8);
headers[x++] = (byte) (KeyBlock.HASH_SHA256);
// Then crypto ID
headers[x++] = (byte) (Key.ALGO_AES_PCFB_256_SHA256 >> 8);
headers[x++] = Key.ALGO_AES_PCFB_256_SHA256;
// Then E(H(docname))
// Copy to headers
System.arraycopy(ehDocname, 0, headers, x, ehDocname.length);
x += ehDocname.length;
// Now the encrypted headers
byte[] encryptedHeaders = Arrays.copyOf(origDataHash, SSKBlock.ENCRYPTED_HEADERS_LENGTH);
int y = origDataHash.length;
short len = (short) compressedData.length;
if (asMetadata)
len |= 32768;
encryptedHeaders[y++] = (byte) (len >> 8);
encryptedHeaders[y++] = (byte) len;
encryptedHeaders[y++] = (byte) (compressionAlgo >> 8);
encryptedHeaders[y++] = (byte) compressionAlgo;
if (encryptedHeaders.length != y)
throw new IllegalStateException("Have more bytes to generate encoding SSK");
aes.initialize(cryptoKey);
pcfb.reset(ehDocname);
pcfb.blockEncipher(encryptedHeaders, 0, encryptedHeaders.length);
System.arraycopy(encryptedHeaders, 0, headers, x, encryptedHeaders.length);
x += encryptedHeaders.length;
// Generate implicit overall hash.
md256.update(headers, 0, x);
md256.update(encryptedDataHash);
byte[] overallHash = md256.digest();
// Now sign it
DSASigner dsa = new DSASigner(new HMacDSAKCalculator(new SHA256Digest()));
dsa.init(true, new DSAPrivateKeyParameters(privKey.getX(), Global.getDSAgroupBigAParameters()));
BigInteger[] sig = dsa.generateSignature(Global.truncateHash(overallHash));
// Pack R and S into 32 bytes each, and copy to headers.
// Then create and return the ClientSSKBlock.
byte[] rBuf = truncate(sig[0].toByteArray(), SSKBlock.SIG_R_LENGTH);
byte[] sBuf = truncate(sig[1].toByteArray(), SSKBlock.SIG_S_LENGTH);
System.arraycopy(rBuf, 0, headers, x, rBuf.length);
x += rBuf.length;
System.arraycopy(sBuf, 0, headers, x, sBuf.length);
x += sBuf.length;
if (x != SSKBlock.TOTAL_HEADERS_LENGTH)
throw new IllegalStateException("Too long");
try {
return new ClientSSKBlock(data, headers, this, !logMINOR);
} catch (SSKVerifyException e) {
throw (AssertionError)new AssertionError("Impossible encoding error").initCause(e);
}
} finally {
SHA256.returnMessageDigest(md256);
}
}
private byte[] truncate(byte[] bs, int len) {
if(bs.length == len)
return bs;
else if (bs.length < len) {
byte[] buf = new byte[len];
System.arraycopy(bs, 0, buf, len - bs.length, bs.length);
return buf;
} else { // if (bs.length > len) {
for(int i=0;i<(bs.length-len);i++) {
if(bs[i] != 0)
throw new IllegalStateException("Cannot truncate");
}
return Arrays.copyOfRange(bs, bs.length-len, bs.length);
}
}
public static InsertableClientSSK createRandom(RandomSource r, String docName) {
byte[] ckey = new byte[CRYPTO_KEY_LENGTH];
r.nextBytes(ckey);
DSAGroup g = Global.DSAgroupBigA;
DSAPrivateKey privKey = new DSAPrivateKey(g, r);
DSAPublicKey pubKey = new DSAPublicKey(g, privKey);
try {
byte[] pkHash = SHA256.digest(pubKey.asBytes());
return new InsertableClientSSK(docName, pkHash, pubKey, privKey, ckey,
Key.ALGO_AES_PCFB_256_SHA256);
} catch (MalformedURLException e) {
throw new Error(e);
}
}
public FreenetURI getInsertURI() {
return new FreenetURI("SSK", docName, privKey.getX().toByteArray(), cryptoKey, getInsertExtraBytes());
}
private byte[] getInsertExtraBytes() {
byte[] extra = getExtraBytes();
extra[1] = 1; // insert
return extra;
}
public DSAGroup getCryptoGroup() {
return Global.DSAgroupBigA;
}
}