Package com.subgraph.orchid.crypto

Source Code of com.subgraph.orchid.crypto.TorTapKeyAgreement

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
package com.subgraph.orchid.crypto;

import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.util.Arrays;

import javax.crypto.KeyAgreement;
import javax.crypto.interfaces.DHPublicKey;
import javax.crypto.spec.DHParameterSpec;
import javax.crypto.spec.DHPublicKeySpec;

import com.subgraph.orchid.TorException;
/**
* The <code>TorKeyAgreement</code> class implements the diffie-hellman key agreement
* protocol using the parameters specified in the main Tor specification (tor-spec.txt).
*
* An instance of this class can only be used to perform a single key agreement operation.
*
* After instantiating the class, a user calls {@link #getPublicValue()} or {@link #getPublicKeyBytes()}
* to retrieve the public value to transmit to the peer in the key agreement operation.  After receiving
* a public value from the peer, this value should be converted into a <code>BigInteger</code> and
* {@link #isValidPublicValue(BigInteger)} should be called to verify that the peer has sent a safe
* and legal public value.  If {@link #isValidPublicValue(BigInteger)} returns true, the peer public
* value is valid and {@link #getSharedSecret(BigInteger)} can be called to complete the key agreement
* protocol and return the shared secret value.
*
*/
public class TorTapKeyAgreement implements TorKeyAgreement {
  public final static int DH_LEN = 128;
  public final static int DH_SEC_LEN = 40;
  /*
   * tor-spec 0.3
   *
   * For Diffie-Hellman, we use a generator (g) of 2.  For the modulus (p), we
     * use the 1024-bit safe prime from rfc2409 section 6.2 whose hex
     * representation is:
   */
  private static final BigInteger P1024 = new BigInteger(
    "00FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08"
    + "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B"
    + "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9"
    + "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6"
    + "49286651ECE65381FFFFFFFFFFFFFFFF", 16);
  private static final BigInteger G = new BigInteger("2");
 
  /*
   * tor-spec 0.3
   *
   * As an optimization, implementations SHOULD choose DH private keys (x) of
     * 320 bits.
   */
  private static final int PRIVATE_KEY_SIZE = 320;
  private static final DHParameterSpec DH_PARAMETER_SPEC = new DHParameterSpec(P1024, G, PRIVATE_KEY_SIZE);
 
  private final KeyAgreement dh;
  private final KeyPair keyPair;
  private final TorPublicKey onionKey;
 
  /**
   * Create a new <code>TorKeyAgreement</code> instance which can be used to perform a single
   * key agreement operation.  A new set of ephemeral Diffie-Hellman parameters are generated
   * when this class is instantiated.
   */
  public TorTapKeyAgreement(TorPublicKey onionKey) {
    this.keyPair = generateKeyPair();
    this.dh = createDH();
    this.onionKey = onionKey;
   
  }
 
  public TorTapKeyAgreement() {
    this(null);
  }
 
  /**
   * Return the generated public value for this key agreement operation as a <code>BigInteger</code>.
   *
   * @return The diffie-hellman public value as a <code>BigInteger</code>.
   */
  public BigInteger getPublicValue() {
    DHPublicKey pubKey = (DHPublicKey) keyPair.getPublic();
    return pubKey.getY();
  }
 
  /**
   * Return the generated public value for this key agreement operation as an array with the value
   * encoded in big-endian byte order.
   *
   * @return A byte array containing the encoded public value for this key agreement operation.
   */
  public byte[] getPublicKeyBytes() {
    final byte[] output = new byte[128];
    final byte[] yBytes = getPublicValue().toByteArray();
    if(yBytes[0] == 0 && yBytes.length == (DH_LEN + 1)) {
      System.arraycopy(yBytes, 1, output, 0, DH_LEN);
    } else if (yBytes.length <= DH_LEN) {
      final int offset = DH_LEN - yBytes.length;
      System.arraycopy(yBytes, 0, output, offset, yBytes.length);
    } else {
      throw new IllegalStateException("Public value is longer than DH_LEN but not because of sign bit");
    }
    return output;
  }
 
 
 
  /**
   * Return <code>true</code> if the specified value is a legal public
   * value rather than a dangerous degenerate or confined subgroup value. 
   *
   * tor-spec 5.2
   * Before computing g^xy, both client and server MUST verify that
   * the received g^x or g^y value is not degenerate; that is, it must
   * be strictly greater than 1 and strictly less than p-1 where p is
   * the DH modulus.  Implementations MUST NOT complete a handshake
   * with degenerate keys.
   */
  public static boolean isValidPublicValue(BigInteger publicValue) {
    if(publicValue.signum() < 1 || publicValue.equals(BigInteger.ONE))
      return false;
    if(publicValue.compareTo(P1024.subtract(BigInteger.ONE)) >= 0)
      return false;
    return true;
  }

  /**
   * Complete the key agreement protocol with the peer public value
   * <code>otherPublic</code> and return the calculated shared secret.
   *
   * @param otherPublic The peer public value.
   * @return The shared secret value produced by the protocol.
   */
  public byte[] getSharedSecret(BigInteger otherPublic) {
    try {
      KeyFactory factory = KeyFactory.getInstance("DH");
      DHPublicKeySpec pub = new DHPublicKeySpec(otherPublic, P1024, G);
      PublicKey key = factory.generatePublic(pub);
      dh.doPhase(key, true);
      return dh.generateSecret();
    } catch (GeneralSecurityException e) {
      throw new TorException(e);
    }
  }
  private final KeyAgreement createDH() {
    try {
      KeyAgreement dh = KeyAgreement.getInstance("DH");
      dh.init(keyPair.getPrivate());
      return dh;
    } catch (GeneralSecurityException e) {
      throw new TorException(e);
    }
  }
 
  private final KeyPair generateKeyPair() {
    try {
      KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DH");
      keyGen.initialize(DH_PARAMETER_SPEC);
      return keyGen.generateKeyPair()
    } catch (GeneralSecurityException e) {
      throw new TorException(e);
    }
  }

  public byte[] createOnionSkin() {
    final byte[] yBytes = getPublicKeyBytes();
    final HybridEncryption hybrid = new HybridEncryption();
    return hybrid.encrypt(yBytes, onionKey);
  }

  public boolean deriveKeysFromHandshakeResponse(byte[] handshakeResponse,
      byte[] keyMaterialOut, byte[] verifyHashOut) {
    ByteBuffer bb = ByteBuffer.wrap(handshakeResponse);
    byte[] dhPublic = new byte[DH_LEN];
    byte[] keyHash = new byte[TorMessageDigest.TOR_DIGEST_SIZE];
    bb.get(dhPublic);
    bb.get(keyHash);
    BigInteger peerPublic = new BigInteger(1, dhPublic);
    return deriveKeysFromDHPublicAndHash(peerPublic, keyHash, keyMaterialOut, verifyHashOut);
  }
 
  public boolean deriveKeysFromDHPublicAndHash(BigInteger peerPublic, byte[] keyHash, byte[] keyMaterialOut, byte[] verifyHashOut) {
    if(!isValidPublicValue(peerPublic)) {
      throw new TorException("Illegal DH public value");
    }
    final byte[] sharedSecret = getSharedSecret(peerPublic);
    final TorKeyDerivation kdf = new TorKeyDerivation(sharedSecret);
    kdf.deriveKeys(keyMaterialOut, verifyHashOut);
    return Arrays.equals(verifyHashOut, keyHash);
  }
}
TOP

Related Classes of com.subgraph.orchid.crypto.TorTapKeyAgreement

  • com.subgraph.orchid.circuits.hs.RendezvousCircuitBuilder
  • com.subgraph.orchid.circuits.TapCircuitExtender
  • java.security.KeyFactory
  • java.nio.ByteBuffer
  • java.security.PublicKey
  • java.math.BigInteger
  • javax.crypto.spec.DHPublicKeySpec
  • javax.crypto.interfaces.DHPublicKey
  • javax.crypto.KeyAgreement
  • java.security.KeyPairGenerator
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.