1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
|
// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/reporting/encryption/primitives.h"
#include <array>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <string>
#include <string_view>
#include "base/check_op.h"
#include "crypto/aead.h"
#include "third_party/boringssl/src/include/openssl/curve25519.h"
#include "third_party/boringssl/src/include/openssl/digest.h"
#include "third_party/boringssl/src/include/openssl/hkdf.h"
namespace reporting {
static_assert(X25519_PRIVATE_KEY_LEN == kKeySize, "X25519 mismatch");
static_assert(X25519_PUBLIC_VALUE_LEN == kKeySize, "X25519 mismatch");
static_assert(X25519_SHARED_KEY_LEN == kKeySize, "X25519 mismatch");
static_assert(ED25519_PRIVATE_KEY_LEN == kSignKeySize, "ED25519 mismatch");
static_assert(ED25519_PUBLIC_KEY_LEN == kKeySize, "ED25519 mismatch");
static_assert(ED25519_SIGNATURE_LEN == kSignatureSize, "ED25519 mismatch");
// TODO(https://issues.chromium.org/issues/431824286): use crypto/keyexchange.
bool ComputeSharedSecret(base::span<const uint8_t, kKeySize> peer_public_value,
base::span<uint8_t, kKeySize> shared_secret,
base::span<uint8_t, kKeySize> generated_public_value) {
// Generate new pair of private key and public value.
std::array<uint8_t, kKeySize> out_private_key;
X25519_keypair(generated_public_value.data(), out_private_key.data());
// Compute shared secret.
return X25519(shared_secret.data(), out_private_key.data(),
peer_public_value.data()) == 1;
}
bool ProduceSymmetricKey(base::span<const uint8_t, kKeySize> shared_secret,
base::span<uint8_t, kKeySize> symmetric_key) {
// Produce symmetric key from shared secret using HKDF.
// Since the original keys were only used once, no salt and context is needed.
// Since the keys above are only used once, no salt and context is provided.
return HKDF(symmetric_key.data(), symmetric_key.size(),
/*digest=*/EVP_sha256(), shared_secret.data(),
shared_secret.size(), /*salt=*/nullptr, /*salt_len=*/0,
/*info=*/nullptr, /*info_len=*/0) == 1;
}
bool PerformSymmetricEncryption(base::span<const uint8_t, kKeySize> key,
std::string_view input_data,
std::string* output_data) {
// Encrypt the data with symmetric key using AEAD interface.
crypto::Aead aead(crypto::Aead::CHACHA20_POLY1305);
CHECK_EQ(aead.KeyLength(), kKeySize);
// Use the symmetric key for data encryption.
aead.Init(key);
// Set nonce to 0s, since a symmetric key is only used once.
// Note: if we ever start reusing the same symmetric key, we will need
// to generate new nonce for every record and transfer it to the peer.
CHECK_EQ(aead.NonceLength(), kNonceSize);
std::string nonce(kNonceSize, 0);
// Encrypt the whole record.
if (1 != aead.Seal(input_data, nonce, std::string(), output_data)) {
return false;
}
// Success. Attach nonce at the head, for compatibility with Tink.
output_data->insert(0, nonce);
return true;
}
bool VerifySignature(base::span<const uint8_t, kKeySize> verification_key,
std::string_view message,
base::span<const uint8_t, kSignatureSize> signature) {
// Verify message
base::span<const uint8_t> message_span = base::as_byte_span(message);
return ED25519_verify(message_span.data(), message_span.size(),
signature.data(), verification_key.data()) == 1;
}
} // namespace reporting
|
