diff options
Diffstat (limited to 'packages/taler-wallet-core/src/crypto')
18 files changed, 4407 insertions, 0 deletions
diff --git a/packages/taler-wallet-core/src/crypto/primitives/kdf.d.ts.map b/packages/taler-wallet-core/src/crypto/primitives/kdf.d.ts.map new file mode 100644 index 000000000..0495859a5 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/primitives/kdf.d.ts.map @@ -0,0 +1 @@ +{"version":3,"file":"kdf.d.ts","sourceRoot":"","sources":["kdf.ts"],"names":[],"mappings":"AAmBA,wBAAgB,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAEnD;AAED,wBAAgB,IAAI,CAClB,MAAM,EAAE,CAAC,CAAC,EAAE,UAAU,KAAK,UAAU,EACrC,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,UAAU,EACf,OAAO,EAAE,UAAU,GAClB,UAAU,CAuBZ;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,GAAG,UAAU,CAE3E;AAED,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,OAAO,EAAE,UAAU,GAAG,UAAU,CAE3E;AAED,wBAAgB,GAAG,CACjB,YAAY,EAAE,MAAM,EACpB,GAAG,EAAE,UAAU,EACf,IAAI,EAAE,UAAU,EAChB,IAAI,EAAE,UAAU,GACf,UAAU,CAyBZ"}
\ No newline at end of file diff --git a/packages/taler-wallet-core/src/crypto/primitives/kdf.ts b/packages/taler-wallet-core/src/crypto/primitives/kdf.ts new file mode 100644 index 000000000..edc681bc1 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/primitives/kdf.ts @@ -0,0 +1,92 @@ +/* + This file is part of GNU Taler + (C) 2019 GNUnet e.V. + + GNU Taler is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. + + GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with + GNU Taler; see the file COPYING. If not, see <http://www.gnu.org/licenses/> + */ + +import * as nacl from "./nacl-fast"; +import { sha256 } from "./sha256"; + +export function sha512(data: Uint8Array): Uint8Array { + return nacl.hash(data); +} + +export function hmac( + digest: (d: Uint8Array) => Uint8Array, + blockSize: number, + key: Uint8Array, + message: Uint8Array, +): Uint8Array { + if (key.byteLength > blockSize) { + key = digest(key); + } + if (key.byteLength < blockSize) { + const k = key; + key = new Uint8Array(blockSize); + key.set(k, 0); + } + const okp = new Uint8Array(blockSize); + const ikp = new Uint8Array(blockSize); + for (let i = 0; i < blockSize; i++) { + ikp[i] = key[i] ^ 0x36; + okp[i] = key[i] ^ 0x5c; + } + const b1 = new Uint8Array(blockSize + message.byteLength); + b1.set(ikp, 0); + b1.set(message, blockSize); + const h0 = digest(b1); + const b2 = new Uint8Array(blockSize + h0.length); + b2.set(okp, 0); + b2.set(h0, blockSize); + return digest(b2); +} + +export function hmacSha512(key: Uint8Array, message: Uint8Array): Uint8Array { + return hmac(sha512, 128, key, message); +} + +export function hmacSha256(key: Uint8Array, message: Uint8Array): Uint8Array { + return hmac(sha256, 64, key, message); +} + +export function kdf( + outputLength: number, + ikm: Uint8Array, + salt: Uint8Array, + info: Uint8Array, +): Uint8Array { + // extract + const prk = hmacSha512(salt, ikm); + + // expand + const N = Math.ceil(outputLength / 32); + const output = new Uint8Array(N * 32); + for (let i = 0; i < N; i++) { + let buf; + if (i == 0) { + buf = new Uint8Array(info.byteLength + 1); + buf.set(info, 0); + } else { + buf = new Uint8Array(info.byteLength + 1 + 32); + for (let j = 0; j < 32; j++) { + buf[j] = output[(i - 1) * 32 + j]; + } + buf.set(info, 32); + } + buf[buf.length - 1] = i + 1; + const chunk = hmacSha256(prk, buf); + output.set(chunk, i * 32); + } + + return output.slice(0, outputLength); +} diff --git a/packages/taler-wallet-core/src/crypto/primitives/nacl-fast.d.ts.map b/packages/taler-wallet-core/src/crypto/primitives/nacl-fast.d.ts.map new file mode 100644 index 000000000..6dab0be11 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/primitives/nacl-fast.d.ts.map @@ -0,0 +1 @@ +{"version":3,"file":"nacl-fast.d.ts","sourceRoot":"","sources":["nacl-fast.ts"],"names":[],"mappings":"AA8zCA;;GAEG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,EAAE,CAAqB;IAC/B,OAAO,CAAC,EAAE,CAAqB;IAE/B,OAAO,CAAC,IAAI,CAAuB;IACnC,OAAO,CAAC,CAAC,CAAK;IACd,OAAO,CAAC,KAAK,CAAK;;IAsBlB,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,SAAS;IAuBnC,MAAM,IAAI,UAAU;CAgBrB;AAqTD,wBAAgB,WAAW,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,CAIjD;AAED,wBAAgB,UAAU,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,UAAU,CAOnE;AAED,wBAAgB,eAAe,CAAC,CAAC,EAAE,UAAU,GAAG,UAAU,CAMzD;AAED,eAAO,MAAM,uBAAuB,KAAgC,CAAC;AACrE,eAAO,MAAM,6BAA6B,KAA0B,CAAC;AAErE,wBAAgB,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,CAOvE;AAED,wBAAgB,SAAS,CACvB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,UAAU,GACpB,UAAU,GAAG,IAAI,CAUnB;AAED,wBAAgB,aAAa,CAC3B,GAAG,EAAE,UAAU,EACf,SAAS,EAAE,UAAU,GACpB,UAAU,CAKZ;AAED,wBAAgB,oBAAoB,CAClC,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,UAAU,EACf,SAAS,EAAE,UAAU,GACpB,OAAO,CAWT;AAED,wBAAgB,YAAY,IAAI;IAC9B,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE,UAAU,CAAC;CACvB,CAKA;AAED,wBAAgB,oCAAoC,CAClD,SAAS,EAAE,UAAU,GACpB,UAAU,CAmBZ;AAED,wBAAgB,0BAA0B,CACxC,SAAS,EAAE,UAAU,GACpB;IACD,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE,UAAU,CAAC;CACvB,CAOA;AAED,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,UAAU,GACf;IACD,SAAS,EAAE,UAAU,CAAC;IACtB,SAAS,EAAE,UAAU,CAAC;CACvB,CAQA;AAED,eAAO,MAAM,oBAAoB,KAA6B,CAAC;AAC/D,eAAO,MAAM,oBAAoB,KAA6B,CAAC;AAC/D,eAAO,MAAM,eAAe,KAAwB,CAAC;AACrD,eAAO,MAAM,oBAAoB,KAAoB,CAAC;AAEtD,wBAAgB,IAAI,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAKhD;AAED,eAAO,MAAM,eAAe,KAAoB,CAAC;AAEjD,wBAAgB,MAAM,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,GAAG,OAAO,CAM5D;AAED,wBAAgB,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,MAAM,KAAK,IAAI,GAAG,IAAI,CAEpE;AAED,wBAAgB,6BAA6B,CAC3C,UAAU,EAAE,UAAU,GACrB,UAAU,CAqBZ"}
\ No newline at end of file diff --git a/packages/taler-wallet-core/src/crypto/primitives/nacl-fast.ts b/packages/taler-wallet-core/src/crypto/primitives/nacl-fast.ts new file mode 100644 index 000000000..c2d40691a --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/primitives/nacl-fast.ts @@ -0,0 +1,1941 @@ +// Ported in 2014 by Dmitry Chestnykh and Devi Mandiri. +// TypeScript port in 2019 by Florian Dold. +// Public domain. +// +// Implementation derived from TweetNaCl version 20140427. +// See for details: http://tweetnacl.cr.yp.to/ + +const gf = function (init: number[] = []): Float64Array { + const r = new Float64Array(16); + if (init) for (let i = 0; i < init.length; i++) r[i] = init[i]; + return r; +}; + +// Pluggable, initialized in high-level API below. +let randombytes = function (x: Uint8Array, n: number): void { + throw new Error("no PRNG"); +}; + +const _9 = new Uint8Array(32); +_9[0] = 9; + +// prettier-ignore +const gf0 = gf(); +const gf1 = gf([1]); +const _121665 = gf([0xdb41, 1]); +const D = gf([ + 0x78a3, + 0x1359, + 0x4dca, + 0x75eb, + 0xd8ab, + 0x4141, + 0x0a4d, + 0x0070, + 0xe898, + 0x7779, + 0x4079, + 0x8cc7, + 0xfe73, + 0x2b6f, + 0x6cee, + 0x5203, +]); +const D2 = gf([ + 0xf159, + 0x26b2, + 0x9b94, + 0xebd6, + 0xb156, + 0x8283, + 0x149a, + 0x00e0, + 0xd130, + 0xeef3, + 0x80f2, + 0x198e, + 0xfce7, + 0x56df, + 0xd9dc, + 0x2406, +]); +const X = gf([ + 0xd51a, + 0x8f25, + 0x2d60, + 0xc956, + 0xa7b2, + 0x9525, + 0xc760, + 0x692c, + 0xdc5c, + 0xfdd6, + 0xe231, + 0xc0a4, + 0x53fe, + 0xcd6e, + 0x36d3, + 0x2169, +]); +const Y = gf([ + 0x6658, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, + 0x6666, +]); +const I = gf([ + 0xa0b0, + 0x4a0e, + 0x1b27, + 0xc4ee, + 0xe478, + 0xad2f, + 0x1806, + 0x2f43, + 0xd7a7, + 0x3dfb, + 0x0099, + 0x2b4d, + 0xdf0b, + 0x4fc1, + 0x2480, + 0x2b83, +]); + +function ts64(x: Uint8Array, i: number, h: number, l: number): void { + x[i] = (h >> 24) & 0xff; + x[i + 1] = (h >> 16) & 0xff; + x[i + 2] = (h >> 8) & 0xff; + x[i + 3] = h & 0xff; + x[i + 4] = (l >> 24) & 0xff; + x[i + 5] = (l >> 16) & 0xff; + x[i + 6] = (l >> 8) & 0xff; + x[i + 7] = l & 0xff; +} + +function vn( + x: Uint8Array, + xi: number, + y: Uint8Array, + yi: number, + n: number, +): number { + let i, + d = 0; + for (i = 0; i < n; i++) d |= x[xi + i] ^ y[yi + i]; + return (1 & ((d - 1) >>> 8)) - 1; +} + +function crypto_verify_32( + x: Uint8Array, + xi: number, + y: Uint8Array, + yi: number, +): number { + return vn(x, xi, y, yi, 32); +} + +function set25519(r: Float64Array, a: Float64Array): void { + let i; + for (i = 0; i < 16; i++) r[i] = a[i] | 0; +} + +function car25519(o: Float64Array): void { + let i, + v, + c = 1; + for (i = 0; i < 16; i++) { + v = o[i] + c + 65535; + c = Math.floor(v / 65536); + o[i] = v - c * 65536; + } + o[0] += c - 1 + 37 * (c - 1); +} + +function sel25519(p: Float64Array, q: Float64Array, b: number): void { + let t; + const c = ~(b - 1); + for (let i = 0; i < 16; i++) { + t = c & (p[i] ^ q[i]); + p[i] ^= t; + q[i] ^= t; + } +} + +function pack25519(o: Uint8Array, n: Float64Array): void { + let i, j, b; + const m = gf(), + t = gf(); + for (i = 0; i < 16; i++) t[i] = n[i]; + car25519(t); + car25519(t); + car25519(t); + for (j = 0; j < 2; j++) { + m[0] = t[0] - 0xffed; + for (i = 1; i < 15; i++) { + m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1); + m[i - 1] &= 0xffff; + } + m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1); + b = (m[15] >> 16) & 1; + m[14] &= 0xffff; + sel25519(t, m, 1 - b); + } + for (i = 0; i < 16; i++) { + o[2 * i] = t[i] & 0xff; + o[2 * i + 1] = t[i] >> 8; + } +} + +function neq25519(a: Float64Array, b: Float64Array): number { + const c = new Uint8Array(32), + d = new Uint8Array(32); + pack25519(c, a); + pack25519(d, b); + return crypto_verify_32(c, 0, d, 0); +} + +function par25519(a: Float64Array): number { + const d = new Uint8Array(32); + pack25519(d, a); + return d[0] & 1; +} + +function unpack25519(o: Float64Array, n: Uint8Array): void { + let i; + for (i = 0; i < 16; i++) o[i] = n[2 * i] + (n[2 * i + 1] << 8); + o[15] &= 0x7fff; +} + +function A(o: Float64Array, a: Float64Array, b: Float64Array): void { + for (let i = 0; i < 16; i++) o[i] = a[i] + b[i]; +} + +function Z(o: Float64Array, a: Float64Array, b: Float64Array): void { + for (let i = 0; i < 16; i++) o[i] = a[i] - b[i]; +} + +function M(o: Float64Array, a: Float64Array, b: Float64Array): void { + let v, + c, + t0 = 0, + t1 = 0, + t2 = 0, + t3 = 0, + t4 = 0, + t5 = 0, + t6 = 0, + t7 = 0, + t8 = 0, + t9 = 0, + t10 = 0, + t11 = 0, + t12 = 0, + t13 = 0, + t14 = 0, + t15 = 0, + t16 = 0, + t17 = 0, + t18 = 0, + t19 = 0, + t20 = 0, + t21 = 0, + t22 = 0, + t23 = 0, + t24 = 0, + t25 = 0, + t26 = 0, + t27 = 0, + t28 = 0, + t29 = 0, + t30 = 0; + const b0 = b[0], + b1 = b[1], + b2 = b[2], + b3 = b[3], + b4 = b[4], + b5 = b[5], + b6 = b[6], + b7 = b[7], + b8 = b[8], + b9 = b[9], + b10 = b[10], + b11 = b[11], + b12 = b[12], + b13 = b[13], + b14 = b[14], + b15 = b[15]; + + v = a[0]; + t0 += v * b0; + t1 += v * b1; + t2 += v * b2; + t3 += v * b3; + t4 += v * b4; + t5 += v * b5; + t6 += v * b6; + t7 += v * b7; + t8 += v * b8; + t9 += v * b9; + t10 += v * b10; + t11 += v * b11; + t12 += v * b12; + t13 += v * b13; + t14 += v * b14; + t15 += v * b15; + v = a[1]; + t1 += v * b0; + t2 += v * b1; + t3 += v * b2; + t4 += v * b3; + t5 += v * b4; + t6 += v * b5; + t7 += v * b6; + t8 += v * b7; + t9 += v * b8; + t10 += v * b9; + t11 += v * b10; + t12 += v * b11; + t13 += v * b12; + t14 += v * b13; + t15 += v * b14; + t16 += v * b15; + v = a[2]; + t2 += v * b0; + t3 += v * b1; + t4 += v * b2; + t5 += v * b3; + t6 += v * b4; + t7 += v * b5; + t8 += v * b6; + t9 += v * b7; + t10 += v * b8; + t11 += v * b9; + t12 += v * b10; + t13 += v * b11; + t14 += v * b12; + t15 += v * b13; + t16 += v * b14; + t17 += v * b15; + v = a[3]; + t3 += v * b0; + t4 += v * b1; + t5 += v * b2; + t6 += v * b3; + t7 += v * b4; + t8 += v * b5; + t9 += v * b6; + t10 += v * b7; + t11 += v * b8; + t12 += v * b9; + t13 += v * b10; + t14 += v * b11; + t15 += v * b12; + t16 += v * b13; + t17 += v * b14; + t18 += v * b15; + v = a[4]; + t4 += v * b0; + t5 += v * b1; + t6 += v * b2; + t7 += v * b3; + t8 += v * b4; + t9 += v * b5; + t10 += v * b6; + t11 += v * b7; + t12 += v * b8; + t13 += v * b9; + t14 += v * b10; + t15 += v * b11; + t16 += v * b12; + t17 += v * b13; + t18 += v * b14; + t19 += v * b15; + v = a[5]; + t5 += v * b0; + t6 += v * b1; + t7 += v * b2; + t8 += v * b3; + t9 += v * b4; + t10 += v * b5; + t11 += v * b6; + t12 += v * b7; + t13 += v * b8; + t14 += v * b9; + t15 += v * b10; + t16 += v * b11; + t17 += v * b12; + t18 += v * b13; + t19 += v * b14; + t20 += v * b15; + v = a[6]; + t6 += v * b0; + t7 += v * b1; + t8 += v * b2; + t9 += v * b3; + t10 += v * b4; + t11 += v * b5; + t12 += v * b6; + t13 += v * b7; + t14 += v * b8; + t15 += v * b9; + t16 += v * b10; + t17 += v * b11; + t18 += v * b12; + t19 += v * b13; + t20 += v * b14; + t21 += v * b15; + v = a[7]; + t7 += v * b0; + t8 += v * b1; + t9 += v * b2; + t10 += v * b3; + t11 += v * b4; + t12 += v * b5; + t13 += v * b6; + t14 += v * b7; + t15 += v * b8; + t16 += v * b9; + t17 += v * b10; + t18 += v * b11; + t19 += v * b12; + t20 += v * b13; + t21 += v * b14; + t22 += v * b15; + v = a[8]; + t8 += v * b0; + t9 += v * b1; + t10 += v * b2; + t11 += v * b3; + t12 += v * b4; + t13 += v * b5; + t14 += v * b6; + t15 += v * b7; + t16 += v * b8; + t17 += v * b9; + t18 += v * b10; + t19 += v * b11; + t20 += v * b12; + t21 += v * b13; + t22 += v * b14; + t23 += v * b15; + v = a[9]; + t9 += v * b0; + t10 += v * b1; + t11 += v * b2; + t12 += v * b3; + t13 += v * b4; + t14 += v * b5; + t15 += v * b6; + t16 += v * b7; + t17 += v * b8; + t18 += v * b9; + t19 += v * b10; + t20 += v * b11; + t21 += v * b12; + t22 += v * b13; + t23 += v * b14; + t24 += v * b15; + v = a[10]; + t10 += v * b0; + t11 += v * b1; + t12 += v * b2; + t13 += v * b3; + t14 += v * b4; + t15 += v * b5; + t16 += v * b6; + t17 += v * b7; + t18 += v * b8; + t19 += v * b9; + t20 += v * b10; + t21 += v * b11; + t22 += v * b12; + t23 += v * b13; + t24 += v * b14; + t25 += v * b15; + v = a[11]; + t11 += v * b0; + t12 += v * b1; + t13 += v * b2; + t14 += v * b3; + t15 += v * b4; + t16 += v * b5; + t17 += v * b6; + t18 += v * b7; + t19 += v * b8; + t20 += v * b9; + t21 += v * b10; + t22 += v * b11; + t23 += v * b12; + t24 += v * b13; + t25 += v * b14; + t26 += v * b15; + v = a[12]; + t12 += v * b0; + t13 += v * b1; + t14 += v * b2; + t15 += v * b3; + t16 += v * b4; + t17 += v * b5; + t18 += v * b6; + t19 += v * b7; + t20 += v * b8; + t21 += v * b9; + t22 += v * b10; + t23 += v * b11; + t24 += v * b12; + t25 += v * b13; + t26 += v * b14; + t27 += v * b15; + v = a[13]; + t13 += v * b0; + t14 += v * b1; + t15 += v * b2; + t16 += v * b3; + t17 += v * b4; + t18 += v * b5; + t19 += v * b6; + t20 += v * b7; + t21 += v * b8; + t22 += v * b9; + t23 += v * b10; + t24 += v * b11; + t25 += v * b12; + t26 += v * b13; + t27 += v * b14; + t28 += v * b15; + v = a[14]; + t14 += v * b0; + t15 += v * b1; + t16 += v * b2; + t17 += v * b3; + t18 += v * b4; + t19 += v * b5; + t20 += v * b6; + t21 += v * b7; + t22 += v * b8; + t23 += v * b9; + t24 += v * b10; + t25 += v * b11; + t26 += v * b12; + t27 += v * b13; + t28 += v * b14; + t29 += v * b15; + v = a[15]; + t15 += v * b0; + t16 += v * b1; + t17 += v * b2; + t18 += v * b3; + t19 += v * b4; + t20 += v * b5; + t21 += v * b6; + t22 += v * b7; + t23 += v * b8; + t24 += v * b9; + t25 += v * b10; + t26 += v * b11; + t27 += v * b12; + t28 += v * b13; + t29 += v * b14; + t30 += v * b15; + + t0 += 38 * t16; + t1 += 38 * t17; + t2 += 38 * t18; + t3 += 38 * t19; + t4 += 38 * t20; + t5 += 38 * t21; + t6 += 38 * t22; + t7 += 38 * t23; + t8 += 38 * t24; + t9 += 38 * t25; + t10 += 38 * t26; + t11 += 38 * t27; + t12 += 38 * t28; + t13 += 38 * t29; + t14 += 38 * t30; + // t15 left as is + + // first car + c = 1; + v = t0 + c + 65535; + c = Math.floor(v / 65536); + t0 = v - c * 65536; + v = t1 + c + 65535; + c = Math.floor(v / 65536); + t1 = v - c * 65536; + v = t2 + c + 65535; + c = Math.floor(v / 65536); + t2 = v - c * 65536; + v = t3 + c + 65535; + c = Math.floor(v / 65536); + t3 = v - c * 65536; + v = t4 + c + 65535; + c = Math.floor(v / 65536); + t4 = v - c * 65536; + v = t5 + c + 65535; + c = Math.floor(v / 65536); + t5 = v - c * 65536; + v = t6 + c + 65535; + c = Math.floor(v / 65536); + t6 = v - c * 65536; + v = t7 + c + 65535; + c = Math.floor(v / 65536); + t7 = v - c * 65536; + v = t8 + c + 65535; + c = Math.floor(v / 65536); + t8 = v - c * 65536; + v = t9 + c + 65535; + c = Math.floor(v / 65536); + t9 = v - c * 65536; + v = t10 + c + 65535; + c = Math.floor(v / 65536); + t10 = v - c * 65536; + v = t11 + c + 65535; + c = Math.floor(v / 65536); + t11 = v - c * 65536; + v = t12 + c + 65535; + c = Math.floor(v / 65536); + t12 = v - c * 65536; + v = t13 + c + 65535; + c = Math.floor(v / 65536); + t13 = v - c * 65536; + v = t14 + c + 65535; + c = Math.floor(v / 65536); + t14 = v - c * 65536; + v = t15 + c + 65535; + c = Math.floor(v / 65536); + t15 = v - c * 65536; + t0 += c - 1 + 37 * (c - 1); + + // second car + c = 1; + v = t0 + c + 65535; + c = Math.floor(v / 65536); + t0 = v - c * 65536; + v = t1 + c + 65535; + c = Math.floor(v / 65536); + t1 = v - c * 65536; + v = t2 + c + 65535; + c = Math.floor(v / 65536); + t2 = v - c * 65536; + v = t3 + c + 65535; + c = Math.floor(v / 65536); + t3 = v - c * 65536; + v = t4 + c + 65535; + c = Math.floor(v / 65536); + t4 = v - c * 65536; + v = t5 + c + 65535; + c = Math.floor(v / 65536); + t5 = v - c * 65536; + v = t6 + c + 65535; + c = Math.floor(v / 65536); + t6 = v - c * 65536; + v = t7 + c + 65535; + c = Math.floor(v / 65536); + t7 = v - c * 65536; + v = t8 + c + 65535; + c = Math.floor(v / 65536); + t8 = v - c * 65536; + v = t9 + c + 65535; + c = Math.floor(v / 65536); + t9 = v - c * 65536; + v = t10 + c + 65535; + c = Math.floor(v / 65536); + t10 = v - c * 65536; + v = t11 + c + 65535; + c = Math.floor(v / 65536); + t11 = v - c * 65536; + v = t12 + c + 65535; + c = Math.floor(v / 65536); + t12 = v - c * 65536; + v = t13 + c + 65535; + c = Math.floor(v / 65536); + t13 = v - c * 65536; + v = t14 + c + 65535; + c = Math.floor(v / 65536); + t14 = v - c * 65536; + v = t15 + c + 65535; + c = Math.floor(v / 65536); + t15 = v - c * 65536; + t0 += c - 1 + 37 * (c - 1); + + o[0] = t0; + o[1] = t1; + o[2] = t2; + o[3] = t3; + o[4] = t4; + o[5] = t5; + o[6] = t6; + o[7] = t7; + o[8] = t8; + o[9] = t9; + o[10] = t10; + o[11] = t11; + o[12] = t12; + o[13] = t13; + o[14] = t14; + o[15] = t15; +} + +function S(o: Float64Array, a: Float64Array): void { + M(o, a, a); +} + +function inv25519(o: Float64Array, i: Float64Array): void { + const c = gf(); + let a; + for (a = 0; a < 16; a++) c[a] = i[a]; + for (a = 253; a >= 0; a--) { + S(c, c); + if (a !== 2 && a !== 4) M(c, c, i); + } + for (a = 0; a < 16; a++) o[a] = c[a]; +} + +function pow2523(o: Float64Array, i: Float64Array): void { + const c = gf(); + let a; + for (a = 0; a < 16; a++) c[a] = i[a]; + for (a = 250; a >= 0; a--) { + S(c, c); + if (a !== 1) M(c, c, i); + } + for (a = 0; a < 16; a++) o[a] = c[a]; +} + +function crypto_scalarmult( + q: Uint8Array, + n: Uint8Array, + p: Uint8Array, +): number { + const z = new Uint8Array(32); + const x = new Float64Array(80); + let r; + let i; + const a = gf(), + b = gf(), + c = gf(), + d = gf(), + e = gf(), + f = gf(); + for (i = 0; i < 31; i++) z[i] = n[i]; + z[31] = (n[31] & 127) | 64; + z[0] &= 248; + unpack25519(x, p); + for (i = 0; i < 16; i++) { + b[i] = x[i]; + d[i] = a[i] = c[i] = 0; + } + a[0] = d[0] = 1; + for (i = 254; i >= 0; --i) { + r = (z[i >>> 3] >>> (i & 7)) & 1; + sel25519(a, b, r); + sel25519(c, d, r); + A(e, a, c); + Z(a, a, c); + A(c, b, d); + Z(b, b, d); + S(d, e); + S(f, a); + M(a, c, a); + M(c, b, e); + A(e, a, c); + Z(a, a, c); + S(b, a); + Z(c, d, f); + M(a, c, _121665); + A(a, a, d); + M(c, c, a); + M(a, d, f); + M(d, b, x); + S(b, e); + sel25519(a, b, r); + sel25519(c, d, r); + } + for (i = 0; i < 16; i++) { + x[i + 16] = a[i]; + x[i + 32] = c[i]; + x[i + 48] = b[i]; + x[i + 64] = d[i]; + } + const x32 = x.subarray(32); + const x16 = x.subarray(16); + inv25519(x32, x32); + M(x16, x16, x32); + pack25519(q, x16); + return 0; +} + +function crypto_scalarmult_base(q: Uint8Array, n: Uint8Array): number { + return crypto_scalarmult(q, n, _9); +} + +// prettier-ignore +const K = [ + 0x428a2f98, 0xd728ae22, 0x71374491, 0x23ef65cd, + 0xb5c0fbcf, 0xec4d3b2f, 0xe9b5dba5, 0x8189dbbc, + 0x3956c25b, 0xf348b538, 0x59f111f1, 0xb605d019, + 0x923f82a4, 0xaf194f9b, 0xab1c5ed5, 0xda6d8118, + 0xd807aa98, 0xa3030242, 0x12835b01, 0x45706fbe, + 0x243185be, 0x4ee4b28c, 0x550c7dc3, 0xd5ffb4e2, + 0x72be5d74, 0xf27b896f, 0x80deb1fe, 0x3b1696b1, + 0x9bdc06a7, 0x25c71235, 0xc19bf174, 0xcf692694, + 0xe49b69c1, 0x9ef14ad2, 0xefbe4786, 0x384f25e3, + 0x0fc19dc6, 0x8b8cd5b5, 0x240ca1cc, 0x77ac9c65, + 0x2de92c6f, 0x592b0275, 0x4a7484aa, 0x6ea6e483, + 0x5cb0a9dc, 0xbd41fbd4, 0x76f988da, 0x831153b5, + 0x983e5152, 0xee66dfab, 0xa831c66d, 0x2db43210, + 0xb00327c8, 0x98fb213f, 0xbf597fc7, 0xbeef0ee4, + 0xc6e00bf3, 0x3da88fc2, 0xd5a79147, 0x930aa725, + 0x06ca6351, 0xe003826f, 0x14292967, 0x0a0e6e70, + 0x27b70a85, 0x46d22ffc, 0x2e1b2138, 0x5c26c926, + 0x4d2c6dfc, 0x5ac42aed, 0x53380d13, 0x9d95b3df, + 0x650a7354, 0x8baf63de, 0x766a0abb, 0x3c77b2a8, + 0x81c2c92e, 0x47edaee6, 0x92722c85, 0x1482353b, + 0xa2bfe8a1, 0x4cf10364, 0xa81a664b, 0xbc423001, + 0xc24b8b70, 0xd0f89791, 0xc76c51a3, 0x0654be30, + 0xd192e819, 0xd6ef5218, 0xd6990624, 0x5565a910, + 0xf40e3585, 0x5771202a, 0x106aa070, 0x32bbd1b8, + 0x19a4c116, 0xb8d2d0c8, 0x1e376c08, 0x5141ab53, + 0x2748774c, 0xdf8eeb99, 0x34b0bcb5, 0xe19b48a8, + 0x391c0cb3, 0xc5c95a63, 0x4ed8aa4a, 0xe3418acb, + 0x5b9cca4f, 0x7763e373, 0x682e6ff3, 0xd6b2b8a3, + 0x748f82ee, 0x5defb2fc, 0x78a5636f, 0x43172f60, + 0x84c87814, 0xa1f0ab72, 0x8cc70208, 0x1a6439ec, + 0x90befffa, 0x23631e28, 0xa4506ceb, 0xde82bde9, + 0xbef9a3f7, 0xb2c67915, 0xc67178f2, 0xe372532b, + 0xca273ece, 0xea26619c, 0xd186b8c7, 0x21c0c207, + 0xeada7dd6, 0xcde0eb1e, 0xf57d4f7f, 0xee6ed178, + 0x06f067aa, 0x72176fba, 0x0a637dc5, 0xa2c898a6, + 0x113f9804, 0xbef90dae, 0x1b710b35, 0x131c471b, + 0x28db77f5, 0x23047d84, 0x32caab7b, 0x40c72493, + 0x3c9ebe0a, 0x15c9bebc, 0x431d67c4, 0x9c100d4c, + 0x4cc5d4be, 0xcb3e42b6, 0x597f299c, 0xfc657e2a, + 0x5fcb6fab, 0x3ad6faec, 0x6c44198c, 0x4a475817 +]; + +function crypto_hashblocks_hl( + hh: Int32Array, + hl: Int32Array, + m: Uint8Array, + n: number, +): number { + const wh = new Int32Array(16), + wl = new Int32Array(16); + let bh0, + bh1, + bh2, + bh3, + bh4, + bh5, + bh6, + bh7, + bl0, + bl1, + bl2, + bl3, + bl4, + bl5, + bl6, + bl7, + th, + tl, + i, + j, + h, + l, + a, + b, + c, + d; + + let ah0 = hh[0], + ah1 = hh[1], + ah2 = hh[2], + ah3 = hh[3], + ah4 = hh[4], + ah5 = hh[5], + ah6 = hh[6], + ah7 = hh[7], + al0 = hl[0], + al1 = hl[1], + al2 = hl[2], + al3 = hl[3], + al4 = hl[4], + al5 = hl[5], + al6 = hl[6], + al7 = hl[7]; + + let pos = 0; + while (n >= 128) { + for (i = 0; i < 16; i++) { + j = 8 * i + pos; + wh[i] = (m[j + 0] << 24) | (m[j + 1] << 16) | (m[j + 2] << 8) | m[j + 3]; + wl[i] = (m[j + 4] << 24) | (m[j + 5] << 16) | (m[j + 6] << 8) | m[j + 7]; + } + for (i = 0; i < 80; i++) { + bh0 = ah0; + bh1 = ah1; + bh2 = ah2; + bh3 = ah3; + bh4 = ah4; + bh5 = ah5; + bh6 = ah6; + bh7 = ah7; + + bl0 = al0; + bl1 = al1; + bl2 = al2; + bl3 = al3; + bl4 = al4; + bl5 = al5; + bl6 = al6; + bl7 = al7; + + // add + h = ah7; + l = al7; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + // Sigma1 + h = + ((ah4 >>> 14) | (al4 << (32 - 14))) ^ + ((ah4 >>> 18) | (al4 << (32 - 18))) ^ + ((al4 >>> (41 - 32)) | (ah4 << (32 - (41 - 32)))); + l = + ((al4 >>> 14) | (ah4 << (32 - 14))) ^ + ((al4 >>> 18) | (ah4 << (32 - 18))) ^ + ((ah4 >>> (41 - 32)) | (al4 << (32 - (41 - 32)))); + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + // Ch + h = (ah4 & ah5) ^ (~ah4 & ah6); + l = (al4 & al5) ^ (~al4 & al6); + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + // K + h = K[i * 2]; + l = K[i * 2 + 1]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + // w + h = wh[i % 16]; + l = wl[i % 16]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + th = (c & 0xffff) | (d << 16); + tl = (a & 0xffff) | (b << 16); + + // add + h = th; + l = tl; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + // Sigma0 + h = + ((ah0 >>> 28) | (al0 << (32 - 28))) ^ + ((al0 >>> (34 - 32)) | (ah0 << (32 - (34 - 32)))) ^ + ((al0 >>> (39 - 32)) | (ah0 << (32 - (39 - 32)))); + l = + ((al0 >>> 28) | (ah0 << (32 - 28))) ^ + ((ah0 >>> (34 - 32)) | (al0 << (32 - (34 - 32)))) ^ + ((ah0 >>> (39 - 32)) | (al0 << (32 - (39 - 32)))); + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + // Maj + h = (ah0 & ah1) ^ (ah0 & ah2) ^ (ah1 & ah2); + l = (al0 & al1) ^ (al0 & al2) ^ (al1 & al2); + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + bh7 = (c & 0xffff) | (d << 16); + bl7 = (a & 0xffff) | (b << 16); + + // add + h = bh3; + l = bl3; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = th; + l = tl; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + bh3 = (c & 0xffff) | (d << 16); + bl3 = (a & 0xffff) | (b << 16); + + ah1 = bh0; + ah2 = bh1; + ah3 = bh2; + ah4 = bh3; + ah5 = bh4; + ah6 = bh5; + ah7 = bh6; + ah0 = bh7; + + al1 = bl0; + al2 = bl1; + al3 = bl2; + al4 = bl3; + al5 = bl4; + al6 = bl5; + al7 = bl6; + al0 = bl7; + + if (i % 16 === 15) { + for (j = 0; j < 16; j++) { + // add + h = wh[j]; + l = wl[j]; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = wh[(j + 9) % 16]; + l = wl[(j + 9) % 16]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + // sigma0 + th = wh[(j + 1) % 16]; + tl = wl[(j + 1) % 16]; + h = + ((th >>> 1) | (tl << (32 - 1))) ^ + ((th >>> 8) | (tl << (32 - 8))) ^ + (th >>> 7); + l = + ((tl >>> 1) | (th << (32 - 1))) ^ + ((tl >>> 8) | (th << (32 - 8))) ^ + ((tl >>> 7) | (th << (32 - 7))); + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + // sigma1 + th = wh[(j + 14) % 16]; + tl = wl[(j + 14) % 16]; + h = + ((th >>> 19) | (tl << (32 - 19))) ^ + ((tl >>> (61 - 32)) | (th << (32 - (61 - 32)))) ^ + (th >>> 6); + l = + ((tl >>> 19) | (th << (32 - 19))) ^ + ((th >>> (61 - 32)) | (tl << (32 - (61 - 32)))) ^ + ((tl >>> 6) | (th << (32 - 6))); + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + wh[j] = (c & 0xffff) | (d << 16); + wl[j] = (a & 0xffff) | (b << 16); + } + } + } + + // add + h = ah0; + l = al0; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = hh[0]; + l = hl[0]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + hh[0] = ah0 = (c & 0xffff) | (d << 16); + hl[0] = al0 = (a & 0xffff) | (b << 16); + + h = ah1; + l = al1; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = hh[1]; + l = hl[1]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + hh[1] = ah1 = (c & 0xffff) | (d << 16); + hl[1] = al1 = (a & 0xffff) | (b << 16); + + h = ah2; + l = al2; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = hh[2]; + l = hl[2]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + hh[2] = ah2 = (c & 0xffff) | (d << 16); + hl[2] = al2 = (a & 0xffff) | (b << 16); + + h = ah3; + l = al3; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = hh[3]; + l = hl[3]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + hh[3] = ah3 = (c & 0xffff) | (d << 16); + hl[3] = al3 = (a & 0xffff) | (b << 16); + + h = ah4; + l = al4; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = hh[4]; + l = hl[4]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + hh[4] = ah4 = (c & 0xffff) | (d << 16); + hl[4] = al4 = (a & 0xffff) | (b << 16); + + h = ah5; + l = al5; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = hh[5]; + l = hl[5]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + hh[5] = ah5 = (c & 0xffff) | (d << 16); + hl[5] = al5 = (a & 0xffff) | (b << 16); + + h = ah6; + l = al6; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = hh[6]; + l = hl[6]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + hh[6] = ah6 = (c & 0xffff) | (d << 16); + hl[6] = al6 = (a & 0xffff) | (b << 16); + + h = ah7; + l = al7; + + a = l & 0xffff; + b = l >>> 16; + c = h & 0xffff; + d = h >>> 16; + + h = hh[7]; + l = hl[7]; + + a += l & 0xffff; + b += l >>> 16; + c += h & 0xffff; + d += h >>> 16; + + b += a >>> 16; + c += b >>> 16; + d += c >>> 16; + + hh[7] = ah7 = (c & 0xffff) | (d << 16); + hl[7] = al7 = (a & 0xffff) | (b << 16); + + pos += 128; + n -= 128; + } + + return n; +} + +function crypto_hash(out: Uint8Array, m: Uint8Array, n: number): number { + const hh = new Int32Array(8); + const hl = new Int32Array(8); + const x = new Uint8Array(256); + const b = n; + + hh[0] = 0x6a09e667; + hh[1] = 0xbb67ae85; + hh[2] = 0x3c6ef372; + hh[3] = 0xa54ff53a; + hh[4] = 0x510e527f; + hh[5] = 0x9b05688c; + hh[6] = 0x1f83d9ab; + hh[7] = 0x5be0cd19; + + hl[0] = 0xf3bcc908; + hl[1] = 0x84caa73b; + hl[2] = 0xfe94f82b; + hl[3] = 0x5f1d36f1; + hl[4] = 0xade682d1; + hl[5] = 0x2b3e6c1f; + hl[6] = 0xfb41bd6b; + hl[7] = 0x137e2179; + + crypto_hashblocks_hl(hh, hl, m, n); + n %= 128; + + for (let i = 0; i < n; i++) x[i] = m[b - n + i]; + x[n] = 128; + + n = 256 - 128 * (n < 112 ? 1 : 0); + x[n - 9] = 0; + ts64(x, n - 8, (b / 0x20000000) | 0, b << 3); + crypto_hashblocks_hl(hh, hl, x, n); + + for (let i = 0; i < 8; i++) ts64(out, 8 * i, hh[i], hl[i]); + + return 0; +} + +/** + * Incremental version of crypto_hash. + */ +export class HashState { + private hh = new Int32Array(8); + private hl = new Int32Array(8); + + private next = new Uint8Array(128); + private p = 0; + private total = 0; + + constructor() { + this.hh[0] = 0x6a09e667; + this.hh[1] = 0xbb67ae85; + this.hh[2] = 0x3c6ef372; + this.hh[3] = 0xa54ff53a; + this.hh[4] = 0x510e527f; + this.hh[5] = 0x9b05688c; + this.hh[6] = 0x1f83d9ab; + this.hh[7] = 0x5be0cd19; + + this.hl[0] = 0xf3bcc908; + this.hl[1] = 0x84caa73b; + this.hl[2] = 0xfe94f82b; + this.hl[3] = 0x5f1d36f1; + this.hl[4] = 0xade682d1; + this.hl[5] = 0x2b3e6c1f; + this.hl[6] = 0xfb41bd6b; + this.hl[7] = 0x137e2179; + } + + update(data: Uint8Array): HashState { + this.total += data.length; + let i = 0; + while (i < data.length) { + const r = 128 - this.p; + if (r > data.length - i) { + for (let j = 0; i + j < data.length; j++) { + this.next[this.p + j] = data[i + j]; + } + this.p += data.length - i; + break; + } else { + for (let j = 0; this.p + j < 128; j++) { + this.next[this.p + j] = data[i + j]; + } + crypto_hashblocks_hl(this.hh, this.hl, this.next, 128); + i += 128 - this.p; + this.p = 0; + } + } + return this; + } + + finish(): Uint8Array { + const out = new Uint8Array(64); + let n = this.p; + const x = new Uint8Array(256); + const b = this.total; + for (let i = 0; i < n; i++) x[i] = this.next[i]; + x[n] = 128; + + n = 256 - 128 * (n < 112 ? 1 : 0); + x[n - 9] = 0; + ts64(x, n - 8, (b / 0x20000000) | 0, b << 3); + crypto_hashblocks_hl(this.hh, this.hl, x, n); + + for (let i = 0; i < 8; i++) ts64(out, 8 * i, this.hh[i], this.hl[i]); + return out; + } +} + +function add(p: Float64Array[], q: Float64Array[]): void { + const a = gf(), + b = gf(), + c = gf(), + d = gf(), + e = gf(), + f = gf(), + g = gf(), + h = gf(), + t = gf(); + + Z(a, p[1], p[0]); + Z(t, q[1], q[0]); + M(a, a, t); + A(b, p[0], p[1]); + A(t, q[0], q[1]); + M(b, b, t); + M(c, p[3], q[3]); + M(c, c, D2); + M(d, p[2], q[2]); + A(d, d, d); + Z(e, b, a); + Z(f, d, c); + A(g, d, c); + A(h, b, a); + + M(p[0], e, f); + M(p[1], h, g); + M(p[2], g, f); + M(p[3], e, h); +} + +function cswap(p: Float64Array[], q: Float64Array[], b: number): void { + let i; + for (i = 0; i < 4; i++) { + sel25519(p[i], q[i], b); + } +} + +function pack(r: Uint8Array, p: Float64Array[]): void { + const tx = gf(), + ty = gf(), + zi = gf(); + inv25519(zi, p[2]); + M(tx, p[0], zi); + M(ty, p[1], zi); + pack25519(r, ty); + r[31] ^= par25519(tx) << 7; +} + +function scalarmult(p: Float64Array[], q: Float64Array[], s: Uint8Array): void { + let b, i; + set25519(p[0], gf0); + set25519(p[1], gf1); + set25519(p[2], gf1); + set25519(p[3], gf0); + for (i = 255; i >= 0; --i) { + b = (s[(i / 8) | 0] >> (i & 7)) & 1; + cswap(p, q, b); + add(q, p); + add(p, p); + cswap(p, q, b); + } +} + +function scalarbase(p: Float64Array[], s: Uint8Array): void { + const q = [gf(), gf(), gf(), gf()]; + set25519(q[0], X); + set25519(q[1], Y); + set25519(q[2], gf1); + M(q[3], X, Y); + scalarmult(p, q, s); +} + +function crypto_sign_keypair( + pk: Uint8Array, + sk: Uint8Array, + seeded: boolean, +): number { + const d = new Uint8Array(64); + const p = [gf(), gf(), gf(), gf()]; + + if (!seeded) randombytes(sk, 32); + crypto_hash(d, sk, 32); + d[0] &= 248; + d[31] &= 127; + d[31] |= 64; + + scalarbase(p, d); + pack(pk, p); + + for (let i = 0; i < 32; i++) sk[i + 32] = pk[i]; + return 0; +} + +const L = new Float64Array([ + 0xed, + 0xd3, + 0xf5, + 0x5c, + 0x1a, + 0x63, + 0x12, + 0x58, + 0xd6, + 0x9c, + 0xf7, + 0xa2, + 0xde, + 0xf9, + 0xde, + 0x14, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0, + 0x10, +]); + +function modL(r: Uint8Array, x: Float64Array): void { + let carry, i, j, k; + for (i = 63; i >= 32; --i) { + carry = 0; + for (j = i - 32, k = i - 12; j < k; ++j) { + x[j] += carry - 16 * x[i] * L[j - (i - 32)]; + carry = (x[j] + 128) >> 8; + x[j] -= carry * 256; + } + x[j] += carry; + x[i] = 0; + } + carry = 0; + for (j = 0; j < 32; j++) { + x[j] += carry - (x[31] >> 4) * L[j]; + carry = x[j] >> 8; + x[j] &= 255; + } + for (j = 0; j < 32; j++) x[j] -= carry * L[j]; + for (i = 0; i < 32; i++) { + x[i + 1] += x[i] >> 8; + r[i] = x[i] & 255; + } +} + +function reduce(r: Uint8Array): void { + const x = new Float64Array(64); + for (let i = 0; i < 64; i++) x[i] = r[i]; + for (let i = 0; i < 64; i++) r[i] = 0; + modL(r, x); +} + +// Note: difference from C - smlen returned, not passed as argument. +function crypto_sign( + sm: Uint8Array, + m: Uint8Array, + n: number, + sk: Uint8Array, +): number { + const d = new Uint8Array(64), + h = new Uint8Array(64), + r = new Uint8Array(64); + let i, j; + const x = new Float64Array(64); + const p = [gf(), gf(), gf(), gf()]; + + crypto_hash(d, sk, 32); + d[0] &= 248; + d[31] &= 127; + d[31] |= 64; + + const smlen = n + 64; + for (i = 0; i < n; i++) sm[64 + i] = m[i]; + for (i = 0; i < 32; i++) sm[32 + i] = d[32 + i]; + + crypto_hash(r, sm.subarray(32), n + 32); + reduce(r); + scalarbase(p, r); + pack(sm, p); + + for (i = 32; i < 64; i++) sm[i] = sk[i]; + crypto_hash(h, sm, n + 64); + reduce(h); + + for (i = 0; i < 64; i++) x[i] = 0; + for (i = 0; i < 32; i++) x[i] = r[i]; + for (i = 0; i < 32; i++) { + for (j = 0; j < 32; j++) { + x[i + j] += h[i] * d[j]; + } + } + + modL(sm.subarray(32), x); + return smlen; +} + +function unpackneg(r: Float64Array[], p: Uint8Array): number { + const t = gf(); + const chk = gf(); + const num = gf(); + const den = gf(); + const den2 = gf(); + const den4 = gf(); + const den6 = gf(); + + set25519(r[2], gf1); + unpack25519(r[1], p); + S(num, r[1]); + M(den, num, D); + Z(num, num, r[2]); + A(den, r[2], den); + + S(den2, den); + S(den4, den2); + M(den6, den4, den2); + M(t, den6, num); + M(t, t, den); + + pow2523(t, t); + M(t, t, num); + M(t, t, den); + M(t, t, den); + M(r[0], t, den); + + S(chk, r[0]); + M(chk, chk, den); + if (neq25519(chk, num)) M(r[0], r[0], I); + + S(chk, r[0]); + M(chk, chk, den); + if (neq25519(chk, num)) return -1; + + if (par25519(r[0]) === p[31] >> 7) Z(r[0], gf0, r[0]); + + M(r[3], r[0], r[1]); + return 0; +} + +function crypto_sign_open( + m: Uint8Array, + sm: Uint8Array, + n: number, + pk: Uint8Array, +): number { + let i, mlen; + const t = new Uint8Array(32), + h = new Uint8Array(64); + const p = [gf(), gf(), gf(), gf()], + q = [gf(), gf(), gf(), gf()]; + + mlen = -1; + if (n < 64) return -1; + + if (unpackneg(q, pk)) return -1; + + for (i = 0; i < n; i++) m[i] = sm[i]; + for (i = 0; i < 32; i++) m[i + 32] = pk[i]; + crypto_hash(h, m, n); + reduce(h); + scalarmult(p, q, h); + + scalarbase(q, sm.subarray(32)); + add(p, q); + pack(t, p); + + n -= 64; + if (crypto_verify_32(sm, 0, t, 0)) { + for (i = 0; i < n; i++) m[i] = 0; + return -1; + } + + for (i = 0; i < n; i++) m[i] = sm[i + 64]; + mlen = n; + return mlen; +} + +const crypto_scalarmult_BYTES = 32, + crypto_scalarmult_SCALARBYTES = 32, + crypto_sign_BYTES = 64, + crypto_sign_PUBLICKEYBYTES = 32, + crypto_sign_SECRETKEYBYTES = 64, + crypto_sign_SEEDBYTES = 32, + crypto_hash_BYTES = 64; + +/* High-level API */ + +function checkArrayTypes(...args: Uint8Array[]): void { + for (let i = 0; i < args.length; i++) { + if (!(args[i] instanceof Uint8Array)) + throw new TypeError("unexpected type, use Uint8Array"); + } +} + +function cleanup(arr: Uint8Array): void { + for (let i = 0; i < arr.length; i++) arr[i] = 0; +} + +export function randomBytes(n: number): Uint8Array { + const b = new Uint8Array(n); + randombytes(b, n); + return b; +} + +export function scalarMult(n: Uint8Array, p: Uint8Array): Uint8Array { + checkArrayTypes(n, p); + if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error("bad n size"); + if (p.length !== crypto_scalarmult_BYTES) throw new Error("bad p size"); + const q = new Uint8Array(crypto_scalarmult_BYTES); + crypto_scalarmult(q, n, p); + return q; +} + +export function scalarMult_base(n: Uint8Array): Uint8Array { + checkArrayTypes(n); + if (n.length !== crypto_scalarmult_SCALARBYTES) throw new Error("bad n size"); + const q = new Uint8Array(crypto_scalarmult_BYTES); + crypto_scalarmult_base(q, n); + return q; +} + +export const scalarMult_scalarLength = crypto_scalarmult_SCALARBYTES; +export const scalarMult_groupElementLength = crypto_scalarmult_BYTES; + +export function sign(msg: Uint8Array, secretKey: Uint8Array): Uint8Array { + checkArrayTypes(msg, secretKey); + if (secretKey.length !== crypto_sign_SECRETKEYBYTES) + throw new Error("bad secret key size"); + const signedMsg = new Uint8Array(crypto_sign_BYTES + msg.length); + crypto_sign(signedMsg, msg, msg.length, secretKey); + return signedMsg; +} + +export function sign_open( + signedMsg: Uint8Array, + publicKey: Uint8Array, +): Uint8Array | null { + checkArrayTypes(signedMsg, publicKey); + if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) + throw new Error("bad public key size"); + const tmp = new Uint8Array(signedMsg.length); + const mlen = crypto_sign_open(tmp, signedMsg, signedMsg.length, publicKey); + if (mlen < 0) return null; + const m = new Uint8Array(mlen); + for (let i = 0; i < m.length; i++) m[i] = tmp[i]; + return m; +} + +export function sign_detached( + msg: Uint8Array, + secretKey: Uint8Array, +): Uint8Array { + const signedMsg = sign(msg, secretKey); + const sig = new Uint8Array(crypto_sign_BYTES); + for (let i = 0; i < sig.length; i++) sig[i] = signedMsg[i]; + return sig; +} + +export function sign_detached_verify( + msg: Uint8Array, + sig: Uint8Array, + publicKey: Uint8Array, +): boolean { + checkArrayTypes(msg, sig, publicKey); + if (sig.length !== crypto_sign_BYTES) throw new Error("bad signature size"); + if (publicKey.length !== crypto_sign_PUBLICKEYBYTES) + throw new Error("bad public key size"); + const sm = new Uint8Array(crypto_sign_BYTES + msg.length); + const m = new Uint8Array(crypto_sign_BYTES + msg.length); + let i; + for (i = 0; i < crypto_sign_BYTES; i++) sm[i] = sig[i]; + for (i = 0; i < msg.length; i++) sm[i + crypto_sign_BYTES] = msg[i]; + return crypto_sign_open(m, sm, sm.length, publicKey) >= 0; +} + +export function sign_keyPair(): { + publicKey: Uint8Array; + secretKey: Uint8Array; +} { + const pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES); + const sk = new Uint8Array(crypto_sign_SECRETKEYBYTES); + crypto_sign_keypair(pk, sk, false); + return { publicKey: pk, secretKey: sk }; +} + +export function x25519_edwards_keyPair_fromSecretKey( + secretKey: Uint8Array, +): Uint8Array { + const p = [gf(), gf(), gf(), gf()]; + const pk = new Uint8Array(32); + + const d = new Uint8Array(64); + if (secretKey.length != 32) { + throw new Error("bad secret key size"); + } + d.set(secretKey, 0); + //crypto_hash(d, secretKey, 32); + + d[0] &= 248; + d[31] &= 127; + d[31] |= 64; + + scalarbase(p, d); + pack(pk, p); + + return pk; +} + +export function sign_keyPair_fromSecretKey( + secretKey: Uint8Array, +): { + publicKey: Uint8Array; + secretKey: Uint8Array; +} { + checkArrayTypes(secretKey); + if (secretKey.length !== crypto_sign_SECRETKEYBYTES) + throw new Error("bad secret key size"); + const pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES); + for (let i = 0; i < pk.length; i++) pk[i] = secretKey[32 + i]; + return { publicKey: pk, secretKey: new Uint8Array(secretKey) }; +} + +export function sign_keyPair_fromSeed( + seed: Uint8Array, +): { + publicKey: Uint8Array; + secretKey: Uint8Array; +} { + checkArrayTypes(seed); + if (seed.length !== crypto_sign_SEEDBYTES) throw new Error("bad seed size"); + const pk = new Uint8Array(crypto_sign_PUBLICKEYBYTES); + const sk = new Uint8Array(crypto_sign_SECRETKEYBYTES); + for (let i = 0; i < 32; i++) sk[i] = seed[i]; + crypto_sign_keypair(pk, sk, true); + return { publicKey: pk, secretKey: sk }; +} + +export const sign_publicKeyLength = crypto_sign_PUBLICKEYBYTES; +export const sign_secretKeyLength = crypto_sign_SECRETKEYBYTES; +export const sign_seedLength = crypto_sign_SEEDBYTES; +export const sign_signatureLength = crypto_sign_BYTES; + +export function hash(msg: Uint8Array): Uint8Array { + checkArrayTypes(msg); + const h = new Uint8Array(crypto_hash_BYTES); + crypto_hash(h, msg, msg.length); + return h; +} + +export const hash_hashLength = crypto_hash_BYTES; + +export function verify(x: Uint8Array, y: Uint8Array): boolean { + checkArrayTypes(x, y); + // Zero length arguments are considered not equal. + if (x.length === 0 || y.length === 0) return false; + if (x.length !== y.length) return false; + return vn(x, 0, y, 0, x.length) === 0 ? true : false; +} + +export function setPRNG(fn: (x: Uint8Array, n: number) => void): void { + randombytes = fn; +} + +export function sign_ed25519_pk_to_curve25519( + ed25519_pk: Uint8Array, +): Uint8Array { + const ge_a = [gf(), gf(), gf(), gf()]; + const x = gf(); + const one_minus_y = gf(); + const x25519_pk = new Uint8Array(32); + + if (unpackneg(ge_a, ed25519_pk)) { + throw Error("invalid public key"); + } + + set25519(one_minus_y, gf1); + Z(one_minus_y, one_minus_y, ge_a[1]); + + set25519(x, gf1); + A(x, x, ge_a[1]); + + inv25519(one_minus_y, one_minus_y); + M(x, x, one_minus_y); + pack25519(x25519_pk, x); + + return x25519_pk; +} + +(function () { + // Initialize PRNG if environment provides CSPRNG. + // If not, methods calling randombytes will throw. + // @ts-ignore-error + const cr = typeof self !== "undefined" ? self.crypto || self.msCrypto : null; + if (cr && cr.getRandomValues) { + // Browsers. + const QUOTA = 65536; + setPRNG(function (x: Uint8Array, n: number) { + let i; + const v = new Uint8Array(n); + for (i = 0; i < n; i += QUOTA) { + cr.getRandomValues(v.subarray(i, i + Math.min(n - i, QUOTA))); + } + for (i = 0; i < n; i++) x[i] = v[i]; + cleanup(v); + }); + } else if (typeof require !== "undefined") { + // Node.js. + // eslint-disable-next-line @typescript-eslint/no-var-requires + const cr = require("crypto"); + if (cr && cr.randomBytes) { + setPRNG(function (x: Uint8Array, n: number) { + const v = cr.randomBytes(n); + for (let i = 0; i < n; i++) x[i] = v[i]; + cleanup(v); + }); + } + } +})(); diff --git a/packages/taler-wallet-core/src/crypto/primitives/sha256.d.ts.map b/packages/taler-wallet-core/src/crypto/primitives/sha256.d.ts.map new file mode 100644 index 000000000..91ebcd392 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/primitives/sha256.d.ts.map @@ -0,0 +1 @@ +{"version":3,"file":"sha256.d.ts","sourceRoot":"","sources":["sha256.ts"],"names":[],"mappings":"AAaA,eAAO,MAAM,YAAY,KAAK,CAAC;AAC/B,eAAO,MAAM,SAAS,KAAK,CAAC;AAwK5B,qBAAa,UAAU;IACrB,YAAY,EAAE,MAAM,CAAgB;IACpC,SAAS,EAAE,MAAM,CAAa;IAG9B,OAAO,CAAC,KAAK,CAAiC;IAC9C,OAAO,CAAC,IAAI,CAAkC;IAC9C,OAAO,CAAC,MAAM,CAAmC;IACjD,OAAO,CAAC,YAAY,CAAK;IACzB,OAAO,CAAC,WAAW,CAAK;IAExB,QAAQ,UAAS;;IAQjB,KAAK,IAAI,IAAI;IAgBb,KAAK,IAAI,IAAI;IAiBb,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,GAAE,MAAoB,GAAG,IAAI;IA8BhE,MAAM,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI;IAqC7B,MAAM,IAAI,UAAU;IAOpB,UAAU,CAAC,GAAG,EAAE,WAAW,GAAG,IAAI;IAOlC,aAAa,CAAC,IAAI,EAAE,WAAW,EAAE,WAAW,EAAE,MAAM,GAAG,IAAI;CAQ5D;AAGD,qBAAa,IAAI;IACf,OAAO,CAAC,KAAK,CAAgC;IAC7C,OAAO,CAAC,KAAK,CAAgC;IAE7C,SAAS,EAAE,MAAM,CAAwB;IACzC,YAAY,EAAE,MAAM,CAA2B;IAI/C,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,MAAM,CAAc;gBAEhB,GAAG,EAAE,UAAU;IAiC3B,KAAK,IAAI,IAAI;IAOb,KAAK,IAAI,IAAI;IASb,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,IAAI;IAM9B,MAAM,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI;IAW7B,MAAM,IAAI,UAAU;CAKrB;AAGD,wBAAgB,MAAM,CAAC,IAAI,EAAE,UAAU,GAAG,UAAU,CAKnD;AAGD,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,GAAG,UAAU,CAKxE"}
\ No newline at end of file diff --git a/packages/taler-wallet-core/src/crypto/primitives/sha256.ts b/packages/taler-wallet-core/src/crypto/primitives/sha256.ts new file mode 100644 index 000000000..97723dbfc --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/primitives/sha256.ts @@ -0,0 +1,426 @@ +// SHA-256 for JavaScript. +// +// Written in 2014-2016 by Dmitry Chestnykh. +// Public domain, no warranty. +// +// Functions (accept and return Uint8Arrays): +// +// sha256(message) -> hash +// sha256.hmac(key, message) -> mac +// +// Classes: +// +// new sha256.Hash() +export const digestLength = 32; +export const blockSize = 64; + +// SHA-256 constants +const K = new Uint32Array([ + 0x428a2f98, + 0x71374491, + 0xb5c0fbcf, + 0xe9b5dba5, + 0x3956c25b, + 0x59f111f1, + 0x923f82a4, + 0xab1c5ed5, + 0xd807aa98, + 0x12835b01, + 0x243185be, + 0x550c7dc3, + 0x72be5d74, + 0x80deb1fe, + 0x9bdc06a7, + 0xc19bf174, + 0xe49b69c1, + 0xefbe4786, + 0x0fc19dc6, + 0x240ca1cc, + 0x2de92c6f, + 0x4a7484aa, + 0x5cb0a9dc, + 0x76f988da, + 0x983e5152, + 0xa831c66d, + 0xb00327c8, + 0xbf597fc7, + 0xc6e00bf3, + 0xd5a79147, + 0x06ca6351, + 0x14292967, + 0x27b70a85, + 0x2e1b2138, + 0x4d2c6dfc, + 0x53380d13, + 0x650a7354, + 0x766a0abb, + 0x81c2c92e, + 0x92722c85, + 0xa2bfe8a1, + 0xa81a664b, + 0xc24b8b70, + 0xc76c51a3, + 0xd192e819, + 0xd6990624, + 0xf40e3585, + 0x106aa070, + 0x19a4c116, + 0x1e376c08, + 0x2748774c, + 0x34b0bcb5, + 0x391c0cb3, + 0x4ed8aa4a, + 0x5b9cca4f, + 0x682e6ff3, + 0x748f82ee, + 0x78a5636f, + 0x84c87814, + 0x8cc70208, + 0x90befffa, + 0xa4506ceb, + 0xbef9a3f7, + 0xc67178f2, +]); + +function hashBlocks( + w: Int32Array, + v: Int32Array, + p: Uint8Array, + pos: number, + len: number, +): number { + let a: number, + b: number, + c: number, + d: number, + e: number, + f: number, + g: number, + h: number, + u: number, + i: number, + j: number, + t1: number, + t2: number; + while (len >= 64) { + a = v[0]; + b = v[1]; + c = v[2]; + d = v[3]; + e = v[4]; + f = v[5]; + g = v[6]; + h = v[7]; + + for (i = 0; i < 16; i++) { + j = pos + i * 4; + w[i] = + ((p[j] & 0xff) << 24) | + ((p[j + 1] & 0xff) << 16) | + ((p[j + 2] & 0xff) << 8) | + (p[j + 3] & 0xff); + } + + for (i = 16; i < 64; i++) { + u = w[i - 2]; + t1 = + ((u >>> 17) | (u << (32 - 17))) ^ + ((u >>> 19) | (u << (32 - 19))) ^ + (u >>> 10); + + u = w[i - 15]; + t2 = + ((u >>> 7) | (u << (32 - 7))) ^ + ((u >>> 18) | (u << (32 - 18))) ^ + (u >>> 3); + + w[i] = ((t1 + w[i - 7]) | 0) + ((t2 + w[i - 16]) | 0); + } + + for (i = 0; i < 64; i++) { + t1 = + ((((((e >>> 6) | (e << (32 - 6))) ^ + ((e >>> 11) | (e << (32 - 11))) ^ + ((e >>> 25) | (e << (32 - 25)))) + + ((e & f) ^ (~e & g))) | + 0) + + ((h + ((K[i] + w[i]) | 0)) | 0)) | + 0; + + t2 = + ((((a >>> 2) | (a << (32 - 2))) ^ + ((a >>> 13) | (a << (32 - 13))) ^ + ((a >>> 22) | (a << (32 - 22)))) + + ((a & b) ^ (a & c) ^ (b & c))) | + 0; + + h = g; + g = f; + f = e; + e = (d + t1) | 0; + d = c; + c = b; + b = a; + a = (t1 + t2) | 0; + } + + v[0] += a; + v[1] += b; + v[2] += c; + v[3] += d; + v[4] += e; + v[5] += f; + v[6] += g; + v[7] += h; + + pos += 64; + len -= 64; + } + return pos; +} + +// Hash implements SHA256 hash algorithm. +export class HashSha256 { + digestLength: number = digestLength; + blockSize: number = blockSize; + + // Note: Int32Array is used instead of Uint32Array for performance reasons. + private state: Int32Array = new Int32Array(8); // hash state + private temp: Int32Array = new Int32Array(64); // temporary state + private buffer: Uint8Array = new Uint8Array(128); // buffer for data to hash + private bufferLength = 0; // number of bytes in buffer + private bytesHashed = 0; // number of total bytes hashed + + finished = false; // indicates whether the hash was finalized + + constructor() { + this.reset(); + } + + // Resets hash state making it possible + // to re-use this instance to hash other data. + reset(): this { + this.state[0] = 0x6a09e667; + this.state[1] = 0xbb67ae85; + this.state[2] = 0x3c6ef372; + this.state[3] = 0xa54ff53a; + this.state[4] = 0x510e527f; + this.state[5] = 0x9b05688c; + this.state[6] = 0x1f83d9ab; + this.state[7] = 0x5be0cd19; + this.bufferLength = 0; + this.bytesHashed = 0; + this.finished = false; + return this; + } + + // Cleans internal buffers and re-initializes hash state. + clean(): void { + for (let i = 0; i < this.buffer.length; i++) { + this.buffer[i] = 0; + } + for (let i = 0; i < this.temp.length; i++) { + this.temp[i] = 0; + } + this.reset(); + } + + // Updates hash state with the given data. + // + // Optionally, length of the data can be specified to hash + // fewer bytes than data.length. + // + // Throws error when trying to update already finalized hash: + // instance must be reset to use it again. + update(data: Uint8Array, dataLength: number = data.length): this { + if (this.finished) { + throw new Error("SHA256: can't update because hash was finished."); + } + let dataPos = 0; + this.bytesHashed += dataLength; + if (this.bufferLength > 0) { + while (this.bufferLength < 64 && dataLength > 0) { + this.buffer[this.bufferLength++] = data[dataPos++]; + dataLength--; + } + if (this.bufferLength === 64) { + hashBlocks(this.temp, this.state, this.buffer, 0, 64); + this.bufferLength = 0; + } + } + if (dataLength >= 64) { + dataPos = hashBlocks(this.temp, this.state, data, dataPos, dataLength); + dataLength %= 64; + } + while (dataLength > 0) { + this.buffer[this.bufferLength++] = data[dataPos++]; + dataLength--; + } + return this; + } + + // Finalizes hash state and puts hash into out. + // + // If hash was already finalized, puts the same value. + finish(out: Uint8Array): this { + if (!this.finished) { + const bytesHashed = this.bytesHashed; + const left = this.bufferLength; + const bitLenHi = (bytesHashed / 0x20000000) | 0; + const bitLenLo = bytesHashed << 3; + const padLength = bytesHashed % 64 < 56 ? 64 : 128; + + this.buffer[left] = 0x80; + for (let i = left + 1; i < padLength - 8; i++) { + this.buffer[i] = 0; + } + this.buffer[padLength - 8] = (bitLenHi >>> 24) & 0xff; + this.buffer[padLength - 7] = (bitLenHi >>> 16) & 0xff; + this.buffer[padLength - 6] = (bitLenHi >>> 8) & 0xff; + this.buffer[padLength - 5] = (bitLenHi >>> 0) & 0xff; + this.buffer[padLength - 4] = (bitLenLo >>> 24) & 0xff; + this.buffer[padLength - 3] = (bitLenLo >>> 16) & 0xff; + this.buffer[padLength - 2] = (bitLenLo >>> 8) & 0xff; + this.buffer[padLength - 1] = (bitLenLo >>> 0) & 0xff; + + hashBlocks(this.temp, this.state, this.buffer, 0, padLength); + + this.finished = true; + } + + for (let i = 0; i < 8; i++) { + out[i * 4 + 0] = (this.state[i] >>> 24) & 0xff; + out[i * 4 + 1] = (this.state[i] >>> 16) & 0xff; + out[i * 4 + 2] = (this.state[i] >>> 8) & 0xff; + out[i * 4 + 3] = (this.state[i] >>> 0) & 0xff; + } + + return this; + } + + // Returns the final hash digest. + digest(): Uint8Array { + const out = new Uint8Array(this.digestLength); + this.finish(out); + return out; + } + + // Internal function for use in HMAC for optimization. + _saveState(out: Uint32Array): void { + for (let i = 0; i < this.state.length; i++) { + out[i] = this.state[i]; + } + } + + // Internal function for use in HMAC for optimization. + _restoreState(from: Uint32Array, bytesHashed: number): void { + for (let i = 0; i < this.state.length; i++) { + this.state[i] = from[i]; + } + this.bytesHashed = bytesHashed; + this.finished = false; + this.bufferLength = 0; + } +} + +// HMAC implements HMAC-SHA256 message authentication algorithm. +export class HMAC { + private inner: HashSha256 = new HashSha256(); + private outer: HashSha256 = new HashSha256(); + + blockSize: number = this.inner.blockSize; + digestLength: number = this.inner.digestLength; + + // Copies of hash states after keying. + // Need for quick reset without hashing they key again. + private istate: Uint32Array; + private ostate: Uint32Array; + + constructor(key: Uint8Array) { + const pad = new Uint8Array(this.blockSize); + if (key.length > this.blockSize) { + new HashSha256().update(key).finish(pad).clean(); + } else { + for (let i = 0; i < key.length; i++) { + pad[i] = key[i]; + } + } + for (let i = 0; i < pad.length; i++) { + pad[i] ^= 0x36; + } + this.inner.update(pad); + + for (let i = 0; i < pad.length; i++) { + pad[i] ^= 0x36 ^ 0x5c; + } + this.outer.update(pad); + + this.istate = new Uint32Array(8); + this.ostate = new Uint32Array(8); + + this.inner._saveState(this.istate); + this.outer._saveState(this.ostate); + + for (let i = 0; i < pad.length; i++) { + pad[i] = 0; + } + } + + // Returns HMAC state to the state initialized with key + // to make it possible to run HMAC over the other data with the same + // key without creating a new instance. + reset(): this { + this.inner._restoreState(this.istate, this.inner.blockSize); + this.outer._restoreState(this.ostate, this.outer.blockSize); + return this; + } + + // Cleans HMAC state. + clean(): void { + for (let i = 0; i < this.istate.length; i++) { + this.ostate[i] = this.istate[i] = 0; + } + this.inner.clean(); + this.outer.clean(); + } + + // Updates state with provided data. + update(data: Uint8Array): this { + this.inner.update(data); + return this; + } + + // Finalizes HMAC and puts the result in out. + finish(out: Uint8Array): this { + if (this.outer.finished) { + this.outer.finish(out); + } else { + this.inner.finish(out); + this.outer.update(out, this.digestLength).finish(out); + } + return this; + } + + // Returns message authentication code. + digest(): Uint8Array { + const out = new Uint8Array(this.digestLength); + this.finish(out); + return out; + } +} + +// Returns SHA256 hash of data. +export function sha256(data: Uint8Array): Uint8Array { + const h = new HashSha256().update(data); + const digest = h.digest(); + h.clean(); + return digest; +} + +// Returns HMAC-SHA256 of data under the key. +export function hmacSha256(key: Uint8Array, data: Uint8Array): Uint8Array { + const h = new HMAC(key).update(data); + const digest = h.digest(); + h.clean(); + return digest; +} diff --git a/packages/taler-wallet-core/src/crypto/talerCrypto-test.ts b/packages/taler-wallet-core/src/crypto/talerCrypto-test.ts new file mode 100644 index 000000000..b273b0188 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/talerCrypto-test.ts @@ -0,0 +1,197 @@ +/* + This file is part of GNU Taler + (C) 2019 GNUnet e.V. + + GNU Taler is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. + + GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with + GNU Taler; see the file COPYING. If not, see <http://www.gnu.org/licenses/> + */ + +/** + * Imports + */ +import test from "ava"; +import { + encodeCrock, + decodeCrock, + ecdheGetPublic, + eddsaGetPublic, + keyExchangeEddsaEcdhe, + keyExchangeEcdheEddsa, + rsaBlind, + rsaUnblind, + stringToBytes, + bytesToString, + rsaVerify, +} from "./talerCrypto"; +import { sha512, kdf } from "./primitives/kdf"; +import * as nacl from "./primitives/nacl-fast"; + +test("encoding", (t) => { + const s = "Hello, World"; + const encStr = encodeCrock(stringToBytes(s)); + const outBuf = decodeCrock(encStr); + const sOut = bytesToString(outBuf); + t.deepEqual(s, sOut); +}); + +test("taler-exchange-tvg hash code", (t) => { + const input = "91JPRV3F5GG4EKJN41A62V35E8"; + const output = + "CW96WR74JS8T53EC8GKSGD49QKH4ZNFTZXDAWMMV5GJ1E4BM6B8GPN5NVHDJ8ZVXNCW7Q4WBYCV61HCA3PZC2YJD850DT29RHHN7ESR"; + + const myOutput = encodeCrock(sha512(decodeCrock(input))); + + t.deepEqual(myOutput, output); +}); + +test("taler-exchange-tvg ecdhe key", (t) => { + const priv1 = "X4T4N0M8PVQXQEBW2BA7049KFSM7J437NSDFC6GDNM3N5J9367A0"; + const pub1 = "M997P494MS6A95G1P0QYWW2VNPSHSX5Q6JBY5B9YMNYWP0B50X3G"; + const priv2 = "14A0MMQ64DCV8HE0CS3WBC9DHFJAHXRGV7NEARFJPC5R5E1697E0"; + const skm = + "NXRY2YCY7H9B6KM928ZD55WG964G59YR0CPX041DYXKBZZ85SAWNPQ8B30QRM5FMHYCXJAN0EAADJYWEF1X3PAC2AJN28626TR5A6AR"; + + const myPub1 = nacl.scalarMult_base(decodeCrock(priv1)); + t.deepEqual(encodeCrock(myPub1), pub1); + + const mySkm = nacl.hash( + nacl.scalarMult(decodeCrock(priv2), decodeCrock(pub1)), + ); + t.deepEqual(encodeCrock(mySkm), skm); +}); + +test("taler-exchange-tvg eddsa key", (t) => { + const priv = "9TM70AKDTS57AWY9JK2J4TMBTMW6K62WHHGZWYDG0VM5ABPZKD40"; + const pub = "8GSJZ649T2PXMKZC01Y4ANNBE7MF14QVK9SQEC4E46ZHKCVG8AS0"; + + const pair = nacl.sign_keyPair_fromSeed(decodeCrock(priv)); + t.deepEqual(encodeCrock(pair.publicKey), pub); +}); + +test("taler-exchange-tvg kdf", (t) => { + const salt = "94KPT83PCNS7J83KC5P78Y8"; + const ikm = "94KPT83MD1JJ0WV5CDS6AX10D5Q70XBM41NPAY90DNGQ8SBJD5GPR"; + const ctx = + "94KPT83141HPYVKMCNW78833D1TPWTSC41GPRWVF41NPWVVQDRG62WS04XMPWSKF4WG6JVH0EHM6A82J8S1G"; + const outLen = 64; + const out = + "GTMR4QT05Z9WF5HKVG0WK9RPXGHSMHJNW377G9GJXCA8B0FEKPF4D27RJMSJZYWSQNTBJ5EYVV7ZW18B48Z0JVJJ80RHB706Y96Q358"; + + const myOut = kdf( + outLen, + decodeCrock(ikm), + decodeCrock(salt), + decodeCrock(ctx), + ); + + t.deepEqual(encodeCrock(myOut), out); +}); + +test("taler-exchange-tvg eddsa_ecdh", (t) => { + const priv_ecdhe = "4AFZWMSGTVCHZPQ0R81NWXDCK4N58G7SDBBE5KXE080Y50370JJG"; + const pub_ecdhe = "FXFN5GPAFTKVPWJDPVXQ87167S8T82T5ZV8CDYC0NH2AE14X0M30"; + const priv_eddsa = "1KG54M8T3X8BSFSZXCR3SQBSR7Y9P53NX61M864S7TEVMJ2XVPF0"; + const pub_eddsa = "7BXWKG6N224C57RTDV8XEAHR108HG78NMA995BE8QAT5GC1S7E80"; + const key_material = + "PKZ42Z56SVK2796HG1QYBRJ6ZQM2T9QGA3JA4AAZ8G7CWK9FPX175Q9JE5P0ZAX3HWWPHAQV4DPCK10R9X3SAXHRV0WF06BHEC2ZTKR"; + + const myEcdhePub = ecdheGetPublic(decodeCrock(priv_ecdhe)); + t.deepEqual(encodeCrock(myEcdhePub), pub_ecdhe); + + const myEddsaPub = eddsaGetPublic(decodeCrock(priv_eddsa)); + t.deepEqual(encodeCrock(myEddsaPub), pub_eddsa); + + const myKm1 = keyExchangeEddsaEcdhe( + decodeCrock(priv_eddsa), + decodeCrock(pub_ecdhe), + ); + t.deepEqual(encodeCrock(myKm1), key_material); + + const myKm2 = keyExchangeEcdheEddsa( + decodeCrock(priv_ecdhe), + decodeCrock(pub_eddsa), + ); + t.deepEqual(encodeCrock(myKm2), key_material); +}); + +test("taler-exchange-tvg blind signing", (t) => { + const messageHash = + "TT1R28D79EJEJ9PC35AQS35CCG85DSXSZ508MV2HS2FN4ME6AHESZX5WP485R8A75KG53FN6F1YNW95008663TKAPWB81420VG17BY8"; + const rsaPublicKey = + "040000Y62RSDDKZXTE7GDVA302ZZR0DY224RSDT6WDWR1XGT8E3YG80XV6TMT3ZCNP8XC84W0N6MSZ0EF8S3YB1JJ2AXY9JQZW3MCA0CG38ER4YE2RY4Q2666DEZSNKT29V6CKZVCDHXSAKY8W6RPEKEQ5YSBYQK23MRK3CQTNNJXQFDKEMRHEC5Y6RDHAC5RJCV8JJ8BF18VPKZ2Q7BB14YN1HJ22H8EZGW0RDGG9YPEWA9183BHEQ651PP81J514TJ9K8DH23AJ50SZFNS429HQ390VRP5E4MQ7RK7ZJXXTSZAQSRTC0QF28P23PD37C17QFQB0BBC54MB8MDH7RW104STG6VN0J22P39JP4EXPVGK5D9AX5W869MDQ6SRD42ZYK5H20227Q8CCWSQ6C3132WP0F0H04002"; + const bks = "7QD31RPJH0W306RJWBRG646Z2FTA1F89BKSXPDAG7YM0N5Z0B610"; + const bm = + "GA8PC6YH9VF5MW6P2DKTV0W0ZTQ24DZ9EAN5QH3SQXRH7SCZHFMM21ZY05F0BS7MFW8TSEP4SEB280BYP5ACHNQWGE10PCXDDMK7ECXJDPHJ224JBCV4KYNWG6NBR3SC9HK8FXVFX55GFBJFNQHNZGEB8DB0KN9MSVYFDXN45KPMSNY03FVX0JZ0R3YG9XQ8XVGB5SYZCF0QSHWH61MT0Q10CZD2V114BT64D3GD86EJ5S9WBMYG51SDN5CSKEJ734YAJ4HCEWW0RDN8GXA9ZMA18SKVW8T3TTBCPJRF2Y77JGQ08GF35SYGA2HWFV1HGVS8RCTER6GB9SZHRG4T7919H9C1KFAP50G2KSV6X42D6KNJANNSGKQH649TJ00YJQXPHPNFBSS198RY2C243D4B4W"; + const bs = + "5VW0MS5PRBA3W8TPATSTDA2YRFQM1Z7F2DWKQ8ATMZYYY768Q3STZ3HGNVYQ6JB5NKP80G5HGE58616FPA70SX9PTW7EN8EJ23E26FASBWZBP8E2RWQQ5E0F72B2PWRP5ZCA2J3AB3F6P86XK4PZYT64RF94MDGHY0GSDSSBH5YSFB3VM0KVXA52H2Y2G9S85AVCSD3BTMHQRF5BJJ8JE00T4GK70PSTVCGMRKRNA7DGW7GD2F35W55AXF7R2YJC8PAGNSJYWKC3PC75A5N8H69K299AK5PM3CDDHNS4BMRNGF7K49CR4ZBFRXDAWMB3X6T05Q4NKSG0F1KP5JA0XBMF2YJK7KEPRD1EWCHJE44T9YXBTK4W9CV77X7Z9P407ZC6YB3M2ARANZXHJKSM3XC33M"; + const sig = + "PFT6WQJGCM9DE6264DJS6RMG4XDMCDBJKZGSXAF3BEXWZ979Q13NETKK05S1YV91CX3Y034FSS86SSHZTTE8097RRESQP52EKFGTWJXKHZJEQJ49YHMBNQDHW4CFBJECNJSV2PMHWVGXV7HB84R6P0S3ES559HWQX01Q9MYDEGRNHKW87QR2BNSG951D5NQGAKEJ2SSJBE18S6WYAC24FAP8TT8ANECH5371J0DJY0YR0VWAFWVJDV8XQSFXWMJ80N3A80SPSHPYJY3WZZXW63WQ46WHYY56ZSNE5G1RZ5CR0XYV2ECKPM8R0FS58EV16WTRAM1ABBFVNAT3CAEFAZCWP3XHPVBQY5NZVTD5QS2Q8SKJQ2XB30E11CWDN9KTV5CBK4DN72EVG73F3W3BATAKHG"; + + const myBm = rsaBlind( + decodeCrock(messageHash), + decodeCrock(bks), + decodeCrock(rsaPublicKey), + ); + t.deepEqual(encodeCrock(myBm), bm); + + const mySig = rsaUnblind( + decodeCrock(bs), + decodeCrock(rsaPublicKey), + decodeCrock(bks), + ); + t.deepEqual(encodeCrock(mySig), sig); + + const v = rsaVerify( + decodeCrock(messageHash), + decodeCrock(sig), + decodeCrock(rsaPublicKey), + ); + t.true(v); +}); + +test("incremental hashing #1", (t) => { + const n = 1024; + const d = nacl.randomBytes(n); + + const h1 = nacl.hash(d); + const h2 = new nacl.HashState().update(d).finish(); + + const s = new nacl.HashState(); + for (let i = 0; i < n; i++) { + const b = new Uint8Array(1); + b[0] = d[i]; + s.update(b); + } + + const h3 = s.finish(); + + t.deepEqual(encodeCrock(h1), encodeCrock(h2)); + t.deepEqual(encodeCrock(h1), encodeCrock(h3)); +}); + +test("incremental hashing #2", (t) => { + const n = 10; + const d = nacl.randomBytes(n); + + const h1 = nacl.hash(d); + const h2 = new nacl.HashState().update(d).finish(); + const s = new nacl.HashState(); + for (let i = 0; i < n; i++) { + const b = new Uint8Array(1); + b[0] = d[i]; + s.update(b); + } + + const h3 = s.finish(); + + t.deepEqual(encodeCrock(h1), encodeCrock(h3)); + t.deepEqual(encodeCrock(h1), encodeCrock(h2)); +}); diff --git a/packages/taler-wallet-core/src/crypto/talerCrypto.d.ts.map b/packages/taler-wallet-core/src/crypto/talerCrypto.d.ts.map new file mode 100644 index 000000000..cbc5ba16c --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/talerCrypto.d.ts.map @@ -0,0 +1 @@ +{"version":3,"file":"talerCrypto.d.ts","sourceRoot":"","sources":["talerCrypto.ts"],"names":[],"mappings":"AAgBA;;GAEG;AAEH,OAAO,KAAK,IAAI,MAAM,wBAAwB,CAAC;AAgB/C,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,CAEpD;AA6CD,wBAAgB,WAAW,CAAC,IAAI,EAAE,WAAW,GAAG,MAAM,CAuBrD;AAED,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CA0BvD;AAED,wBAAgB,cAAc,CAAC,SAAS,EAAE,UAAU,GAAG,UAAU,CAGhE;AAED,wBAAgB,cAAc,CAAC,SAAS,EAAE,UAAU,GAAG,UAAU,CAEhE;AAED,wBAAgB,qBAAqB,CACnC,SAAS,EAAE,UAAU,EACrB,QAAQ,EAAE,UAAU,GACnB,UAAU,CAQZ;AAED,wBAAgB,qBAAqB,CACnC,SAAS,EAAE,UAAU,EACrB,QAAQ,EAAE,UAAU,GACnB,UAAU,CAIZ;AAwCD,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,UAAU,CAEnD;AAED,wBAAgB,aAAa,CAAC,CAAC,EAAE,UAAU,GAAG,MAAM,CAEnD;AAuED,wBAAgB,QAAQ,CACtB,EAAE,EAAE,UAAU,EACd,GAAG,EAAE,UAAU,EACf,SAAS,EAAE,UAAU,GACpB,UAAU,CAOZ;AAED,wBAAgB,UAAU,CACxB,GAAG,EAAE,UAAU,EACf,SAAS,EAAE,UAAU,EACrB,GAAG,EAAE,UAAU,GACd,UAAU,CAOZ;AAED,wBAAgB,SAAS,CACvB,EAAE,EAAE,UAAU,EACd,MAAM,EAAE,UAAU,EAClB,SAAS,EAAE,UAAU,GACpB,OAAO,CAMT;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,UAAU,CAAC;IACrB,SAAS,EAAE,UAAU,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,UAAU,CAAC;IACrB,SAAS,EAAE,UAAU,CAAC;CACvB;AAED,wBAAgB,kBAAkB,IAAI,YAAY,CAIjD;AAED,wBAAgB,kBAAkB,IAAI,YAAY,CAIjD;AAED,wBAAgB,uBAAuB,IAAI,UAAU,CAEpD;AAED,wBAAgB,IAAI,CAAC,CAAC,EAAE,UAAU,GAAG,UAAU,CAE9C;AAED,wBAAgB,SAAS,CAAC,GAAG,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,GAAG,UAAU,CAG5E;AAED,wBAAgB,WAAW,CACzB,GAAG,EAAE,UAAU,EACf,GAAG,EAAE,UAAU,EACf,QAAQ,EAAE,UAAU,GACnB,OAAO,CAET;AAED,wBAAgB,iBAAiB,IAAI,IAAI,CAAC,SAAS,CAElD;AAED,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,UAAU,CAAC;IACpB,QAAQ,EAAE,UAAU,CAAC;IACrB,GAAG,EAAE,UAAU,CAAC;CACjB;AAED,wBAAgB,oBAAoB,CAClC,UAAU,EAAE,UAAU,EACtB,UAAU,EAAE,MAAM,GACjB,SAAS,CAcX"}
\ No newline at end of file diff --git a/packages/taler-wallet-core/src/crypto/talerCrypto.ts b/packages/taler-wallet-core/src/crypto/talerCrypto.ts new file mode 100644 index 000000000..3ce5491c1 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/talerCrypto.ts @@ -0,0 +1,391 @@ +/* + This file is part of GNU Taler + (C) 2019 GNUnet e.V. + + GNU Taler is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. + + GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with + GNU Taler; see the file COPYING. If not, see <http://www.gnu.org/licenses/> + */ + +/** + * Native implementation of GNU Taler crypto. + */ + +import * as nacl from "./primitives/nacl-fast"; +import bigint from "big-integer"; +import { kdf } from "./primitives/kdf"; + +// @ts-ignore +const decoder = new TextDecoder(); +if (typeof decoder !== "object") { + throw Error("FATAL: TextDecoder not available"); +} + +// @ts-ignore +const encoder = new TextEncoder(); +if (typeof encoder !== "object") { + throw Error("FATAL: TextEncoder not available"); +} + +export function getRandomBytes(n: number): Uint8Array { + return nacl.randomBytes(n); +} + +const encTable = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"; + +class EncodingError extends Error { + constructor() { + super("Encoding error"); + Object.setPrototypeOf(this, EncodingError.prototype); + } +} + +function getValue(chr: string): number { + let a = chr; + switch (chr) { + case "O": + case "o": + a = "0;"; + break; + case "i": + case "I": + case "l": + case "L": + a = "1"; + break; + case "u": + case "U": + a = "V"; + } + + if (a >= "0" && a <= "9") { + return a.charCodeAt(0) - "0".charCodeAt(0); + } + + if (a >= "a" && a <= "z") a = a.toUpperCase(); + let dec = 0; + if (a >= "A" && a <= "Z") { + if ("I" < a) dec++; + if ("L" < a) dec++; + if ("O" < a) dec++; + if ("U" < a) dec++; + return a.charCodeAt(0) - "A".charCodeAt(0) + 10 - dec; + } + throw new EncodingError(); +} + +export function encodeCrock(data: ArrayBuffer): string { + const dataBytes = new Uint8Array(data); + let sb = ""; + const size = data.byteLength; + let bitBuf = 0; + let numBits = 0; + let pos = 0; + while (pos < size || numBits > 0) { + if (pos < size && numBits < 5) { + const d = dataBytes[pos++]; + bitBuf = (bitBuf << 8) | d; + numBits += 8; + } + if (numBits < 5) { + // zero-padding + bitBuf = bitBuf << (5 - numBits); + numBits = 5; + } + const v = (bitBuf >>> (numBits - 5)) & 31; + sb += encTable[v]; + numBits -= 5; + } + return sb; +} + +export function decodeCrock(encoded: string): Uint8Array { + const size = encoded.length; + let bitpos = 0; + let bitbuf = 0; + let readPosition = 0; + const outLen = Math.floor((size * 5) / 8); + const out = new Uint8Array(outLen); + let outPos = 0; + + while (readPosition < size || bitpos > 0) { + if (readPosition < size) { + const v = getValue(encoded[readPosition++]); + bitbuf = (bitbuf << 5) | v; + bitpos += 5; + } + while (bitpos >= 8) { + const d = (bitbuf >>> (bitpos - 8)) & 0xff; + out[outPos++] = d; + bitpos -= 8; + } + if (readPosition == size && bitpos > 0) { + bitbuf = (bitbuf << (8 - bitpos)) & 0xff; + bitpos = bitbuf == 0 ? 0 : 8; + } + } + return out; +} + +export function eddsaGetPublic(eddsaPriv: Uint8Array): Uint8Array { + const pair = nacl.sign_keyPair_fromSeed(eddsaPriv); + return pair.publicKey; +} + +export function ecdheGetPublic(ecdhePriv: Uint8Array): Uint8Array { + return nacl.scalarMult_base(ecdhePriv); +} + +export function keyExchangeEddsaEcdhe( + eddsaPriv: Uint8Array, + ecdhePub: Uint8Array, +): Uint8Array { + const ph = nacl.hash(eddsaPriv); + const a = new Uint8Array(32); + for (let i = 0; i < 32; i++) { + a[i] = ph[i]; + } + const x = nacl.scalarMult(a, ecdhePub); + return nacl.hash(x); +} + +export function keyExchangeEcdheEddsa( + ecdhePriv: Uint8Array, + eddsaPub: Uint8Array, +): Uint8Array { + const curve25519Pub = nacl.sign_ed25519_pk_to_curve25519(eddsaPub); + const x = nacl.scalarMult(ecdhePriv, curve25519Pub); + return nacl.hash(x); +} + +interface RsaPub { + N: bigint.BigInteger; + e: bigint.BigInteger; +} + +interface RsaBlindingKey { + r: bigint.BigInteger; +} + +/** + * KDF modulo a big integer. + */ +function kdfMod( + n: bigint.BigInteger, + ikm: Uint8Array, + salt: Uint8Array, + info: Uint8Array, +): bigint.BigInteger { + const nbits = n.bitLength().toJSNumber(); + const buflen = Math.floor((nbits - 1) / 8 + 1); + const mask = (1 << (8 - (buflen * 8 - nbits))) - 1; + let counter = 0; + while (true) { + const ctx = new Uint8Array(info.byteLength + 2); + ctx.set(info, 0); + ctx[ctx.length - 2] = (counter >>> 8) & 0xff; + ctx[ctx.length - 1] = counter & 0xff; + const buf = kdf(buflen, ikm, salt, ctx); + const arr = Array.from(buf); + arr[0] = arr[0] & mask; + const r = bigint.fromArray(arr, 256, false); + if (r.lt(n)) { + return r; + } + counter++; + } +} + +export function stringToBytes(s: string): Uint8Array { + return encoder.encode(s); +} + +export function bytesToString(b: Uint8Array): string { + return decoder.decode(b); +} + +function loadBigInt(arr: Uint8Array): bigint.BigInteger { + return bigint.fromArray(Array.from(arr), 256, false); +} + +function rsaBlindingKeyDerive( + rsaPub: RsaPub, + bks: Uint8Array, +): bigint.BigInteger { + const salt = stringToBytes("Blinding KDF extrator HMAC key"); + const info = stringToBytes("Blinding KDF"); + return kdfMod(rsaPub.N, bks, salt, info); +} + +/* + * Test for malicious RSA key. + * + * Assuming n is an RSA modulous and r is generated using a call to + * GNUNET_CRYPTO_kdf_mod_mpi, if gcd(r,n) != 1 then n must be a + * malicious RSA key designed to deanomize the user. + * + * @param r KDF result + * @param n RSA modulus of the public key + */ +function rsaGcdValidate(r: bigint.BigInteger, n: bigint.BigInteger): void { + const t = bigint.gcd(r, n); + if (!t.equals(bigint.one)) { + throw Error("malicious RSA public key"); + } +} + +function rsaFullDomainHash(hm: Uint8Array, rsaPub: RsaPub): bigint.BigInteger { + const info = stringToBytes("RSA-FDA FTpsW!"); + const salt = rsaPubEncode(rsaPub); + const r = kdfMod(rsaPub.N, hm, salt, info); + rsaGcdValidate(r, rsaPub.N); + return r; +} + +function rsaPubDecode(rsaPub: Uint8Array): RsaPub { + const modulusLength = (rsaPub[0] << 8) | rsaPub[1]; + const exponentLength = (rsaPub[2] << 8) | rsaPub[3]; + if (4 + exponentLength + modulusLength != rsaPub.length) { + throw Error("invalid RSA public key (format wrong)"); + } + const modulus = rsaPub.slice(4, 4 + modulusLength); + const exponent = rsaPub.slice( + 4 + modulusLength, + 4 + modulusLength + exponentLength, + ); + const res = { + N: loadBigInt(modulus), + e: loadBigInt(exponent), + }; + return res; +} + +function rsaPubEncode(rsaPub: RsaPub): Uint8Array { + const mb = rsaPub.N.toArray(256).value; + const eb = rsaPub.e.toArray(256).value; + const out = new Uint8Array(4 + mb.length + eb.length); + out[0] = (mb.length >>> 8) & 0xff; + out[1] = mb.length & 0xff; + out[2] = (eb.length >>> 8) & 0xff; + out[3] = eb.length & 0xff; + out.set(mb, 4); + out.set(eb, 4 + mb.length); + return out; +} + +export function rsaBlind( + hm: Uint8Array, + bks: Uint8Array, + rsaPubEnc: Uint8Array, +): Uint8Array { + const rsaPub = rsaPubDecode(rsaPubEnc); + const data = rsaFullDomainHash(hm, rsaPub); + const r = rsaBlindingKeyDerive(rsaPub, bks); + const r_e = r.modPow(rsaPub.e, rsaPub.N); + const bm = r_e.multiply(data).mod(rsaPub.N); + return new Uint8Array(bm.toArray(256).value); +} + +export function rsaUnblind( + sig: Uint8Array, + rsaPubEnc: Uint8Array, + bks: Uint8Array, +): Uint8Array { + const rsaPub = rsaPubDecode(rsaPubEnc); + const blinded_s = loadBigInt(sig); + const r = rsaBlindingKeyDerive(rsaPub, bks); + const r_inv = r.modInv(rsaPub.N); + const s = blinded_s.multiply(r_inv).mod(rsaPub.N); + return new Uint8Array(s.toArray(256).value); +} + +export function rsaVerify( + hm: Uint8Array, + rsaSig: Uint8Array, + rsaPubEnc: Uint8Array, +): boolean { + const rsaPub = rsaPubDecode(rsaPubEnc); + const d = rsaFullDomainHash(hm, rsaPub); + const sig = loadBigInt(rsaSig); + const sig_e = sig.modPow(rsaPub.e, rsaPub.N); + return sig_e.equals(d); +} + +export interface EddsaKeyPair { + eddsaPub: Uint8Array; + eddsaPriv: Uint8Array; +} + +export interface EcdheKeyPair { + ecdhePub: Uint8Array; + ecdhePriv: Uint8Array; +} + +export function createEddsaKeyPair(): EddsaKeyPair { + const eddsaPriv = nacl.randomBytes(32); + const eddsaPub = eddsaGetPublic(eddsaPriv); + return { eddsaPriv, eddsaPub }; +} + +export function createEcdheKeyPair(): EcdheKeyPair { + const ecdhePriv = nacl.randomBytes(32); + const ecdhePub = ecdheGetPublic(ecdhePriv); + return { ecdhePriv, ecdhePub }; +} + +export function createBlindingKeySecret(): Uint8Array { + return nacl.randomBytes(32); +} + +export function hash(d: Uint8Array): Uint8Array { + return nacl.hash(d); +} + +export function eddsaSign(msg: Uint8Array, eddsaPriv: Uint8Array): Uint8Array { + const pair = nacl.sign_keyPair_fromSeed(eddsaPriv); + return nacl.sign_detached(msg, pair.secretKey); +} + +export function eddsaVerify( + msg: Uint8Array, + sig: Uint8Array, + eddsaPub: Uint8Array, +): boolean { + return nacl.sign_detached_verify(msg, sig, eddsaPub); +} + +export function createHashContext(): nacl.HashState { + return new nacl.HashState(); +} + +export interface FreshCoin { + coinPub: Uint8Array; + coinPriv: Uint8Array; + bks: Uint8Array; +} + +export function setupRefreshPlanchet( + secretSeed: Uint8Array, + coinNumber: number, +): FreshCoin { + const info = stringToBytes("taler-coin-derivation"); + const saltArrBuf = new ArrayBuffer(4); + const salt = new Uint8Array(saltArrBuf); + const saltDataView = new DataView(saltArrBuf); + saltDataView.setUint32(0, coinNumber); + const out = kdf(64, secretSeed, salt, info); + const coinPriv = out.slice(0, 32); + const bks = out.slice(32, 64); + return { + bks, + coinPriv, + coinPub: eddsaGetPublic(coinPriv), + }; +} diff --git a/packages/taler-wallet-core/src/crypto/workers/cryptoApi.d.ts.map b/packages/taler-wallet-core/src/crypto/workers/cryptoApi.d.ts.map new file mode 100644 index 000000000..d8ab05823 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/workers/cryptoApi.d.ts.map @@ -0,0 +1 @@ +{"version":3,"file":"cryptoApi.d.ts","sourceRoot":"","sources":["cryptoApi.ts"],"names":[],"mappings":"AAgBA;;;GAGG;AAEH;;GAEG;AACH,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,OAAO,EACL,UAAU,EACV,kBAAkB,EAClB,oBAAoB,EACpB,WAAW,EACX,OAAO,EACP,yBAAyB,EAC1B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAE9E,OAAO,EACL,eAAe,EACf,sBAAsB,EACtB,uBAAuB,EACvB,WAAW,EACZ,MAAM,yBAAyB,CAAC;AAEjC,OAAO,KAAK,KAAK,MAAM,kBAAkB,CAAC;AAK1C;;GAEG;AACH,UAAU,WAAW;IACnB;;OAEG;IACH,CAAC,EAAE,YAAY,GAAG,IAAI,CAAC;IAEvB;;OAEG;IACH,eAAe,EAAE,QAAQ,GAAG,IAAI,CAAC;IAEjC;;OAEG;IACH,sBAAsB,EAAE,KAAK,CAAC,WAAW,GAAG,IAAI,CAAC;CAClD;AAED,UAAU,QAAQ;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,GAAG,EAAE,CAAC;IACZ,OAAO,EAAE,GAAG,CAAC;IACb,MAAM,EAAE,GAAG,CAAC;IAEZ;;OAEG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;CACnB;AAQD,MAAM,WAAW,mBAAmB;IAClC;;OAEG;IACH,WAAW,IAAI,YAAY,CAAC;IAE5B;;;OAGG;IACH,cAAc,IAAI,MAAM,CAAC;CAC1B;AAED;;;GAGG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,SAAS,CAAK;IACtB,OAAO,CAAC,OAAO,CAAgB;IAC/B,OAAO,CAAC,UAAU,CAAe;IAEjC,OAAO,CAAC,aAAa,CAAsB;IAE3C;;OAEG;IACH,OAAO,CAAC,OAAO,CAAK;IAEpB;;OAEG;IACH,OAAO,CAAC,OAAO,CAAS;IAExB;;OAEG;IACH,gBAAgB,IAAI,IAAI;IAkBxB,IAAI,IAAI,IAAI;IAKZ;;OAEG;IACH,IAAI,CAAC,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE,QAAQ,GAAG,IAAI;IA8B3C,kBAAkB,CAAC,EAAE,EAAE,WAAW,GAAG,IAAI;IAezC,iBAAiB,CAAC,EAAE,EAAE,WAAW,EAAE,CAAC,EAAE,GAAG,GAAG,IAAI;IA0BhD,OAAO,CAAC,QAAQ;IAehB,mBAAmB,CAAC,EAAE,EAAE,WAAW,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI;gBAsBxC,aAAa,EAAE,mBAAmB;IAkB9C,OAAO,CAAC,KAAK;IAuCb,cAAc,CACZ,GAAG,EAAE,uBAAuB,GAC3B,OAAO,CAAC,sBAAsB,CAAC;IAIlC,iBAAiB,CAAC,KAAK,EAAE,kBAAkB,GAAG,OAAO,CAAC,WAAW,CAAC;IAIlE,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAIxC,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAIlD,YAAY,CAAC,KAAK,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAI5E,cAAc,CACZ,IAAI,EAAE,MAAM,EACZ,EAAE,EAAE,OAAO,EACX,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC;IAInB,uBAAuB,CACrB,GAAG,EAAE,MAAM,EACX,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,OAAO,CAAC;IAUnB,qBAAqB,CACnB,WAAW,EAAE,WAAW,GACvB,OAAO,CAAC,qBAAqB,CAAC;IAQjC,kBAAkB,IAAI,OAAO,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE,CAAC;IAI5D,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAIhE,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIhE,kBAAkB,CAChB,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC;IAUnB,mBAAmB,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC;IAI7D,oBAAoB,CAClB,eAAe,EAAE,MAAM,EACvB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,UAAU,EACpB,aAAa,EAAE,yBAAyB,EACxC,OAAO,EAAE,UAAU,GAClB,OAAO,CAAC,oBAAoB,CAAC;IAYhC,YAAY,CACV,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC;IAYlB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;CAGzD"}
\ No newline at end of file diff --git a/packages/taler-wallet-core/src/crypto/workers/cryptoApi.ts b/packages/taler-wallet-core/src/crypto/workers/cryptoApi.ts new file mode 100644 index 000000000..a272d5724 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/workers/cryptoApi.ts @@ -0,0 +1,446 @@ +/* + This file is part of TALER + (C) 2016 GNUnet e.V. + + TALER is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. + + TALER is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with + TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> + */ + +/** + * API to access the Taler crypto worker thread. + * @author Florian Dold + */ + +/** + * Imports. + */ +import { AmountJson } from "../../util/amounts"; + +import { + CoinRecord, + DenominationRecord, + RefreshSessionRecord, + TipPlanchet, + WireFee, + DenominationSelectionInfo, +} from "../../types/dbTypes"; + +import { CryptoWorker } from "./cryptoWorker"; + +import { RecoupRequest, CoinDepositPermission } from "../../types/talerTypes"; + +import { + BenchmarkResult, + PlanchetCreationResult, + PlanchetCreationRequest, + DepositInfo, +} from "../../types/walletTypes"; + +import * as timer from "../../util/timer"; +import { Logger } from "../../util/logging"; + +const logger = new Logger("cryptoApi.ts"); + +/** + * State of a crypto worker. + */ +interface WorkerState { + /** + * The actual worker thread. + */ + w: CryptoWorker | null; + + /** + * Work we're currently executing or null if not busy. + */ + currentWorkItem: WorkItem | null; + + /** + * Timer to terminate the worker if it's not busy enough. + */ + terminationTimerHandle: timer.TimerHandle | null; +} + +interface WorkItem { + operation: string; + args: any[]; + resolve: any; + reject: any; + + /** + * Serial id to identify a matching response. + */ + rpcId: number; + + /** + * Time when the work was submitted to a (non-busy) worker thread. + */ + startTime: number; +} + +/** + * Number of different priorities. Each priority p + * must be 0 <= p < NUM_PRIO. + */ +const NUM_PRIO = 5; + +export interface CryptoWorkerFactory { + /** + * Start a new worker. + */ + startWorker(): CryptoWorker; + + /** + * Query the number of workers that should be + * run at the same time. + */ + getConcurrency(): number; +} + +/** + * Crypto API that interfaces manages a background crypto thread + * for the execution of expensive operations. + */ +export class CryptoApi { + private nextRpcId = 1; + private workers: WorkerState[]; + private workQueues: WorkItem[][]; + + private workerFactory: CryptoWorkerFactory; + + /** + * Number of busy workers. + */ + private numBusy = 0; + + /** + * Did we stop accepting new requests? + */ + private stopped = false; + + /** + * Terminate all worker threads. + */ + terminateWorkers(): void { + for (const worker of this.workers) { + if (worker.w) { + logger.trace("terminating worker"); + worker.w.terminate(); + if (worker.terminationTimerHandle) { + worker.terminationTimerHandle.clear(); + worker.terminationTimerHandle = null; + } + if (worker.currentWorkItem) { + worker.currentWorkItem.reject(Error("explicitly terminated")); + worker.currentWorkItem = null; + } + worker.w = null; + } + } + } + + stop(): void { + this.terminateWorkers(); + this.stopped = true; + } + + /** + * Start a worker (if not started) and set as busy. + */ + wake(ws: WorkerState, work: WorkItem): void { + if (this.stopped) { + logger.trace("cryptoApi is stopped"); + return; + } + if (ws.currentWorkItem !== null) { + throw Error("assertion failed"); + } + ws.currentWorkItem = work; + this.numBusy++; + let worker: CryptoWorker; + if (!ws.w) { + worker = this.workerFactory.startWorker(); + worker.onmessage = (m: any) => this.handleWorkerMessage(ws, m); + worker.onerror = (e: any) => this.handleWorkerError(ws, e); + ws.w = worker; + } else { + worker = ws.w; + } + + const msg: any = { + args: work.args, + id: work.rpcId, + operation: work.operation, + }; + this.resetWorkerTimeout(ws); + work.startTime = timer.performanceNow(); + setTimeout(() => worker.postMessage(msg), 0); + } + + resetWorkerTimeout(ws: WorkerState): void { + if (ws.terminationTimerHandle !== null) { + ws.terminationTimerHandle.clear(); + ws.terminationTimerHandle = null; + } + const destroy = (): void => { + // terminate worker if it's idle + if (ws.w && ws.currentWorkItem === null) { + ws.w.terminate(); + ws.w = null; + } + }; + ws.terminationTimerHandle = timer.after(15 * 1000, destroy); + } + + handleWorkerError(ws: WorkerState, e: any): void { + if (ws.currentWorkItem) { + console.error( + `error in worker during ${ws.currentWorkItem.operation}`, + e, + ); + } else { + console.error("error in worker", e); + } + console.error(e.message); + try { + if (ws.w) { + ws.w.terminate(); + ws.w = null; + } + } catch (e) { + console.error(e); + } + if (ws.currentWorkItem !== null) { + ws.currentWorkItem.reject(e); + ws.currentWorkItem = null; + this.numBusy--; + } + this.findWork(ws); + } + + private findWork(ws: WorkerState): void { + // try to find more work for this worker + for (let i = 0; i < NUM_PRIO; i++) { + const q = this.workQueues[NUM_PRIO - i - 1]; + if (q.length !== 0) { + const work: WorkItem | undefined = q.shift(); + if (!work) { + continue; + } + this.wake(ws, work); + return; + } + } + } + + handleWorkerMessage(ws: WorkerState, msg: any): void { + const id = msg.data.id; + if (typeof id !== "number") { + console.error("rpc id must be number"); + return; + } + const currentWorkItem = ws.currentWorkItem; + ws.currentWorkItem = null; + this.numBusy--; + this.findWork(ws); + if (!currentWorkItem) { + console.error("unsolicited response from worker"); + return; + } + if (id !== currentWorkItem.rpcId) { + console.error(`RPC with id ${id} has no registry entry`); + return; + } + + currentWorkItem.resolve(msg.data.result); + } + + constructor(workerFactory: CryptoWorkerFactory) { + this.workerFactory = workerFactory; + this.workers = new Array<WorkerState>(workerFactory.getConcurrency()); + + for (let i = 0; i < this.workers.length; i++) { + this.workers[i] = { + currentWorkItem: null, + terminationTimerHandle: null, + w: null, + }; + } + + this.workQueues = []; + for (let i = 0; i < NUM_PRIO; i++) { + this.workQueues.push([]); + } + } + + private doRpc<T>( + operation: string, + priority: number, + ...args: any[] + ): Promise<T> { + const p: Promise<T> = new Promise<T>((resolve, reject) => { + const rpcId = this.nextRpcId++; + const workItem: WorkItem = { + operation, + args, + resolve, + reject, + rpcId, + startTime: 0, + }; + + if (this.numBusy === this.workers.length) { + const q = this.workQueues[priority]; + if (!q) { + throw Error("assertion failed"); + } + this.workQueues[priority].push(workItem); + return; + } + + for (const ws of this.workers) { + if (ws.currentWorkItem !== null) { + continue; + } + this.wake(ws, workItem); + return; + } + + throw Error("assertion failed"); + }); + + return p; + } + + createPlanchet( + req: PlanchetCreationRequest, + ): Promise<PlanchetCreationResult> { + return this.doRpc<PlanchetCreationResult>("createPlanchet", 1, req); + } + + createTipPlanchet(denom: DenominationRecord): Promise<TipPlanchet> { + return this.doRpc<TipPlanchet>("createTipPlanchet", 1, denom); + } + + hashString(str: string): Promise<string> { + return this.doRpc<string>("hashString", 1, str); + } + + hashEncoded(encodedBytes: string): Promise<string> { + return this.doRpc<string>("hashEncoded", 1, encodedBytes); + } + + isValidDenom(denom: DenominationRecord, masterPub: string): Promise<boolean> { + return this.doRpc<boolean>("isValidDenom", 2, denom, masterPub); + } + + isValidWireFee( + type: string, + wf: WireFee, + masterPub: string, + ): Promise<boolean> { + return this.doRpc<boolean>("isValidWireFee", 2, type, wf, masterPub); + } + + isValidPaymentSignature( + sig: string, + contractHash: string, + merchantPub: string, + ): Promise<boolean> { + return this.doRpc<boolean>( + "isValidPaymentSignature", + 1, + sig, + contractHash, + merchantPub, + ); + } + + signDepositPermission( + depositInfo: DepositInfo, + ): Promise<CoinDepositPermission> { + return this.doRpc<CoinDepositPermission>( + "signDepositPermission", + 3, + depositInfo, + ); + } + + createEddsaKeypair(): Promise<{ priv: string; pub: string }> { + return this.doRpc<{ priv: string; pub: string }>("createEddsaKeypair", 1); + } + + rsaUnblind(sig: string, bk: string, pk: string): Promise<string> { + return this.doRpc<string>("rsaUnblind", 4, sig, bk, pk); + } + + rsaVerify(hm: string, sig: string, pk: string): Promise<boolean> { + return this.doRpc<boolean>("rsaVerify", 4, hm, sig, pk); + } + + isValidWireAccount( + paytoUri: string, + sig: string, + masterPub: string, + ): Promise<boolean> { + return this.doRpc<boolean>( + "isValidWireAccount", + 4, + paytoUri, + sig, + masterPub, + ); + } + + createRecoupRequest(coin: CoinRecord): Promise<RecoupRequest> { + return this.doRpc<RecoupRequest>("createRecoupRequest", 1, coin); + } + + createRefreshSession( + exchangeBaseUrl: string, + kappa: number, + meltCoin: CoinRecord, + newCoinDenoms: DenominationSelectionInfo, + meltFee: AmountJson, + ): Promise<RefreshSessionRecord> { + return this.doRpc<RefreshSessionRecord>( + "createRefreshSession", + 4, + exchangeBaseUrl, + kappa, + meltCoin, + newCoinDenoms, + meltFee, + ); + } + + signCoinLink( + oldCoinPriv: string, + newDenomHash: string, + oldCoinPub: string, + transferPub: string, + coinEv: string, + ): Promise<string> { + return this.doRpc<string>( + "signCoinLink", + 4, + oldCoinPriv, + newDenomHash, + oldCoinPub, + transferPub, + coinEv, + ); + } + + benchmark(repetitions: number): Promise<BenchmarkResult> { + return this.doRpc<BenchmarkResult>("benchmark", 1, repetitions); + } +} diff --git a/packages/taler-wallet-core/src/crypto/workers/cryptoImplementation.d.ts.map b/packages/taler-wallet-core/src/crypto/workers/cryptoImplementation.d.ts.map new file mode 100644 index 000000000..192c54d05 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/workers/cryptoImplementation.d.ts.map @@ -0,0 +1 @@ +{"version":3,"file":"cryptoImplementation.d.ts","sourceRoot":"","sources":["cryptoImplementation.ts"],"names":[],"mappings":"AAgBA;;;;;;GAMG;AAEH;;GAEG;AAEH,OAAO,EACL,UAAU,EACV,kBAAkB,EAElB,oBAAoB,EACpB,WAAW,EACX,OAAO,EAEP,yBAAyB,EAC1B,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EAAE,qBAAqB,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAC9E,OAAO,EACL,eAAe,EACf,sBAAsB,EACtB,uBAAuB,EACvB,WAAW,EACZ,MAAM,yBAAyB,CAAC;AACjC,OAAO,EAAE,UAAU,EAAW,MAAM,oBAAoB,CAAC;AAgGzD,qBAAa,oBAAoB;IAC/B,MAAM,CAAC,aAAa,UAAS;IAE7B;;;OAGG;IACH,cAAc,CAAC,GAAG,EAAE,uBAAuB,GAAG,sBAAsB;IAoCpE;;OAEG;IACH,iBAAiB,CAAC,KAAK,EAAE,kBAAkB,GAAG,WAAW;IAmBzD;;OAEG;IACH,mBAAmB,CAAC,IAAI,EAAE,UAAU,GAAG,aAAa;IAoBpD;;OAEG;IACH,uBAAuB,CACrB,GAAG,EAAE,MAAM,EACX,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,GAClB,OAAO;IASV;;OAEG;IACH,cAAc,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAarE;;OAEG;IACH,YAAY,CAAC,KAAK,EAAE,kBAAkB,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO;IAmBnE,kBAAkB,CAChB,QAAQ,EAAE,MAAM,EAChB,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,GAChB,OAAO;IAWV;;OAEG;IACH,kBAAkB,IAAI;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAA;KAAE;IAQnD;;OAEG;IACH,UAAU,CAAC,UAAU,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,MAAM;IAS9D;;OAEG;IACH,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,GAAG,OAAO;IAIvD;;;OAGG;IACH,qBAAqB,CAAC,WAAW,EAAE,WAAW,GAAG,qBAAqB;IAyBtE;;OAEG;IACH,oBAAoB,CAClB,eAAe,EAAE,MAAM,EACvB,KAAK,EAAE,MAAM,EACb,QAAQ,EAAE,UAAU,EACpB,aAAa,EAAE,yBAAyB,EACxC,OAAO,EAAE,UAAU,GAClB,oBAAoB;IA2HvB;;OAEG;IACH,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;IAK/B;;OAEG;IACH,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM;IAIzC,YAAY,CACV,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,GACb,MAAM;IAaT,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,eAAe;CAsDhD"}
\ No newline at end of file diff --git a/packages/taler-wallet-core/src/crypto/workers/cryptoImplementation.ts b/packages/taler-wallet-core/src/crypto/workers/cryptoImplementation.ts new file mode 100644 index 000000000..4195ebded --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/workers/cryptoImplementation.ts @@ -0,0 +1,579 @@ +/* + This file is part of GNU Taler + (C) 2019-2020 Taler Systems SA + + TALER is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. + + TALER is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with + TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> + */ + +/** + * Synchronous implementation of crypto-related functions for the wallet. + * + * The functionality is parameterized over an Emscripten environment. + * + * @author Florian Dold <dold@taler.net> + */ + +/** + * Imports. + */ + +import { + CoinRecord, + DenominationRecord, + RefreshPlanchetRecord, + RefreshSessionRecord, + TipPlanchet, + WireFee, + CoinSourceType, + DenominationSelectionInfo, +} from "../../types/dbTypes"; + +import { CoinDepositPermission, RecoupRequest } from "../../types/talerTypes"; +import { + BenchmarkResult, + PlanchetCreationResult, + PlanchetCreationRequest, + DepositInfo, +} from "../../types/walletTypes"; +import { AmountJson, Amounts } from "../../util/amounts"; +import * as timer from "../../util/timer"; +import { + encodeCrock, + decodeCrock, + createEddsaKeyPair, + createBlindingKeySecret, + hash, + rsaBlind, + eddsaVerify, + eddsaSign, + rsaUnblind, + stringToBytes, + createHashContext, + createEcdheKeyPair, + keyExchangeEcdheEddsa, + setupRefreshPlanchet, + rsaVerify, +} from "../talerCrypto"; +import { randomBytes } from "../primitives/nacl-fast"; +import { kdf } from "../primitives/kdf"; +import { + Timestamp, + getTimestampNow, + timestampTruncateToSecond, +} from "../../util/time"; + +enum SignaturePurpose { + WALLET_RESERVE_WITHDRAW = 1200, + WALLET_COIN_DEPOSIT = 1201, + MASTER_DENOMINATION_KEY_VALIDITY = 1025, + MASTER_WIRE_FEES = 1028, + MASTER_WIRE_DETAILS = 1030, + WALLET_COIN_MELT = 1202, + TEST = 4242, + MERCHANT_PAYMENT_OK = 1104, + WALLET_COIN_RECOUP = 1203, + WALLET_COIN_LINK = 1204, + EXCHANGE_CONFIRM_RECOUP = 1039, + EXCHANGE_CONFIRM_RECOUP_REFRESH = 1041, +} + +function amountToBuffer(amount: AmountJson): Uint8Array { + const buffer = new ArrayBuffer(8 + 4 + 12); + const dvbuf = new DataView(buffer); + const u8buf = new Uint8Array(buffer); + const curr = stringToBytes(amount.currency); + dvbuf.setBigUint64(0, BigInt(amount.value)); + dvbuf.setUint32(8, amount.fraction); + u8buf.set(curr, 8 + 4); + + return u8buf; +} + +function timestampRoundedToBuffer(ts: Timestamp): Uint8Array { + const b = new ArrayBuffer(8); + const v = new DataView(b); + const tsRounded = timestampTruncateToSecond(ts); + const s = BigInt(tsRounded.t_ms) * BigInt(1000); + v.setBigUint64(0, s); + return new Uint8Array(b); +} + +class SignaturePurposeBuilder { + private chunks: Uint8Array[] = []; + + constructor(private purposeNum: number) {} + + put(bytes: Uint8Array): SignaturePurposeBuilder { + this.chunks.push(Uint8Array.from(bytes)); + return this; + } + + build(): Uint8Array { + let payloadLen = 0; + for (const c of this.chunks) { + payloadLen += c.byteLength; + } + const buf = new ArrayBuffer(4 + 4 + payloadLen); + const u8buf = new Uint8Array(buf); + let p = 8; + for (const c of this.chunks) { + u8buf.set(c, p); + p += c.byteLength; + } + const dvbuf = new DataView(buf); + dvbuf.setUint32(0, payloadLen + 4 + 4); + dvbuf.setUint32(4, this.purposeNum); + return u8buf; + } +} + +function buildSigPS(purposeNum: number): SignaturePurposeBuilder { + return new SignaturePurposeBuilder(purposeNum); +} + +export class CryptoImplementation { + static enableTracing = false; + + /** + * Create a pre-coin of the given denomination to be withdrawn from then given + * reserve. + */ + createPlanchet(req: PlanchetCreationRequest): PlanchetCreationResult { + const reservePub = decodeCrock(req.reservePub); + const reservePriv = decodeCrock(req.reservePriv); + const denomPub = decodeCrock(req.denomPub); + const coinKeyPair = createEddsaKeyPair(); + const blindingFactor = createBlindingKeySecret(); + const coinPubHash = hash(coinKeyPair.eddsaPub); + const ev = rsaBlind(coinPubHash, blindingFactor, denomPub); + const amountWithFee = Amounts.add(req.value, req.feeWithdraw).amount; + const denomPubHash = hash(denomPub); + const evHash = hash(ev); + + const withdrawRequest = buildSigPS(SignaturePurpose.WALLET_RESERVE_WITHDRAW) + .put(reservePub) + .put(amountToBuffer(amountWithFee)) + .put(denomPubHash) + .put(evHash) + .build(); + + const sig = eddsaSign(withdrawRequest, reservePriv); + + const planchet: PlanchetCreationResult = { + blindingKey: encodeCrock(blindingFactor), + coinEv: encodeCrock(ev), + coinPriv: encodeCrock(coinKeyPair.eddsaPriv), + coinPub: encodeCrock(coinKeyPair.eddsaPub), + coinValue: req.value, + denomPub: encodeCrock(denomPub), + denomPubHash: encodeCrock(denomPubHash), + reservePub: encodeCrock(reservePub), + withdrawSig: encodeCrock(sig), + coinEvHash: encodeCrock(evHash), + }; + return planchet; + } + + /** + * Create a planchet used for tipping, including the private keys. + */ + createTipPlanchet(denom: DenominationRecord): TipPlanchet { + const denomPub = decodeCrock(denom.denomPub); + const coinKeyPair = createEddsaKeyPair(); + const blindingFactor = createBlindingKeySecret(); + const coinPubHash = hash(coinKeyPair.eddsaPub); + const ev = rsaBlind(coinPubHash, blindingFactor, denomPub); + + const tipPlanchet: TipPlanchet = { + blindingKey: encodeCrock(blindingFactor), + coinEv: encodeCrock(ev), + coinPriv: encodeCrock(coinKeyPair.eddsaPriv), + coinPub: encodeCrock(coinKeyPair.eddsaPub), + coinValue: denom.value, + denomPub: encodeCrock(denomPub), + denomPubHash: encodeCrock(hash(denomPub)), + }; + return tipPlanchet; + } + + /** + * Create and sign a message to recoup a coin. + */ + createRecoupRequest(coin: CoinRecord): RecoupRequest { + const p = buildSigPS(SignaturePurpose.WALLET_COIN_RECOUP) + .put(decodeCrock(coin.coinPub)) + .put(decodeCrock(coin.denomPubHash)) + .put(decodeCrock(coin.blindingKey)) + .build(); + + const coinPriv = decodeCrock(coin.coinPriv); + const coinSig = eddsaSign(p, coinPriv); + const paybackRequest: RecoupRequest = { + coin_blind_key_secret: coin.blindingKey, + coin_pub: coin.coinPub, + coin_sig: encodeCrock(coinSig), + denom_pub_hash: coin.denomPubHash, + denom_sig: coin.denomSig, + refreshed: coin.coinSource.type === CoinSourceType.Refresh, + }; + return paybackRequest; + } + + /** + * Check if a payment signature is valid. + */ + isValidPaymentSignature( + sig: string, + contractHash: string, + merchantPub: string, + ): boolean { + const p = buildSigPS(SignaturePurpose.MERCHANT_PAYMENT_OK) + .put(decodeCrock(contractHash)) + .build(); + const sigBytes = decodeCrock(sig); + const pubBytes = decodeCrock(merchantPub); + return eddsaVerify(p, sigBytes, pubBytes); + } + + /** + * Check if a wire fee is correctly signed. + */ + isValidWireFee(type: string, wf: WireFee, masterPub: string): boolean { + const p = buildSigPS(SignaturePurpose.MASTER_WIRE_FEES) + .put(hash(stringToBytes(type + "\0"))) + .put(timestampRoundedToBuffer(wf.startStamp)) + .put(timestampRoundedToBuffer(wf.endStamp)) + .put(amountToBuffer(wf.wireFee)) + .put(amountToBuffer(wf.closingFee)) + .build(); + const sig = decodeCrock(wf.sig); + const pub = decodeCrock(masterPub); + return eddsaVerify(p, sig, pub); + } + + /** + * Check if the signature of a denomination is valid. + */ + isValidDenom(denom: DenominationRecord, masterPub: string): boolean { + const p = buildSigPS(SignaturePurpose.MASTER_DENOMINATION_KEY_VALIDITY) + .put(decodeCrock(masterPub)) + .put(timestampRoundedToBuffer(denom.stampStart)) + .put(timestampRoundedToBuffer(denom.stampExpireWithdraw)) + .put(timestampRoundedToBuffer(denom.stampExpireDeposit)) + .put(timestampRoundedToBuffer(denom.stampExpireLegal)) + .put(amountToBuffer(denom.value)) + .put(amountToBuffer(denom.feeWithdraw)) + .put(amountToBuffer(denom.feeDeposit)) + .put(amountToBuffer(denom.feeRefresh)) + .put(amountToBuffer(denom.feeRefund)) + .put(decodeCrock(denom.denomPubHash)) + .build(); + const sig = decodeCrock(denom.masterSig); + const pub = decodeCrock(masterPub); + return eddsaVerify(p, sig, pub); + } + + isValidWireAccount( + paytoUri: string, + sig: string, + masterPub: string, + ): boolean { + const h = kdf( + 64, + stringToBytes("exchange-wire-signature"), + stringToBytes(paytoUri + "\0"), + new Uint8Array(0), + ); + const p = buildSigPS(SignaturePurpose.MASTER_WIRE_DETAILS).put(h).build(); + return eddsaVerify(p, decodeCrock(sig), decodeCrock(masterPub)); + } + + /** + * Create a new EdDSA key pair. + */ + createEddsaKeypair(): { priv: string; pub: string } { + const pair = createEddsaKeyPair(); + return { + priv: encodeCrock(pair.eddsaPriv), + pub: encodeCrock(pair.eddsaPub), + }; + } + + /** + * Unblind a blindly signed value. + */ + rsaUnblind(blindedSig: string, bk: string, pk: string): string { + const denomSig = rsaUnblind( + decodeCrock(blindedSig), + decodeCrock(pk), + decodeCrock(bk), + ); + return encodeCrock(denomSig); + } + + /** + * Unblind a blindly signed value. + */ + rsaVerify(hm: string, sig: string, pk: string): boolean { + return rsaVerify(hash(decodeCrock(hm)), decodeCrock(sig), decodeCrock(pk)); + } + + /** + * Generate updated coins (to store in the database) + * and deposit permissions for each given coin. + */ + signDepositPermission(depositInfo: DepositInfo): CoinDepositPermission { + const d = buildSigPS(SignaturePurpose.WALLET_COIN_DEPOSIT) + .put(decodeCrock(depositInfo.contractTermsHash)) + .put(decodeCrock(depositInfo.wireInfoHash)) + .put(decodeCrock(depositInfo.denomPubHash)) + .put(timestampRoundedToBuffer(depositInfo.timestamp)) + .put(timestampRoundedToBuffer(depositInfo.refundDeadline)) + .put(amountToBuffer(depositInfo.spendAmount)) + .put(amountToBuffer(depositInfo.feeDeposit)) + .put(decodeCrock(depositInfo.merchantPub)) + .put(decodeCrock(depositInfo.coinPub)) + .build(); + const coinSig = eddsaSign(d, decodeCrock(depositInfo.coinPriv)); + + const s: CoinDepositPermission = { + coin_pub: depositInfo.coinPub, + coin_sig: encodeCrock(coinSig), + contribution: Amounts.stringify(depositInfo.spendAmount), + h_denom: depositInfo.denomPubHash, + exchange_url: depositInfo.exchangeBaseUrl, + ub_sig: depositInfo.denomSig, + }; + return s; + } + + /** + * Create a new refresh session. + */ + createRefreshSession( + exchangeBaseUrl: string, + kappa: number, + meltCoin: CoinRecord, + newCoinDenoms: DenominationSelectionInfo, + meltFee: AmountJson, + ): RefreshSessionRecord { + const currency = newCoinDenoms.selectedDenoms[0].denom.value.currency; + let valueWithFee = Amounts.getZero(currency); + + for (const ncd of newCoinDenoms.selectedDenoms) { + const t = Amounts.add(ncd.denom.value, ncd.denom.feeWithdraw).amount; + valueWithFee = Amounts.add( + valueWithFee, + Amounts.mult(t, ncd.count).amount, + ).amount; + } + + // melt fee + valueWithFee = Amounts.add(valueWithFee, meltFee).amount; + + const sessionHc = createHashContext(); + + const transferPubs: string[] = []; + const transferPrivs: string[] = []; + + const planchetsForGammas: RefreshPlanchetRecord[][] = []; + + for (let i = 0; i < kappa; i++) { + const transferKeyPair = createEcdheKeyPair(); + sessionHc.update(transferKeyPair.ecdhePub); + transferPrivs.push(encodeCrock(transferKeyPair.ecdhePriv)); + transferPubs.push(encodeCrock(transferKeyPair.ecdhePub)); + } + + for (const denomSel of newCoinDenoms.selectedDenoms) { + for (let i = 0; i < denomSel.count; i++) { + const r = decodeCrock(denomSel.denom.denomPub); + sessionHc.update(r); + } + } + + sessionHc.update(decodeCrock(meltCoin.coinPub)); + sessionHc.update(amountToBuffer(valueWithFee)); + + for (let i = 0; i < kappa; i++) { + const planchets: RefreshPlanchetRecord[] = []; + for (let j = 0; j < newCoinDenoms.selectedDenoms.length; j++) { + const denomSel = newCoinDenoms.selectedDenoms[j]; + for (let k = 0; k < denomSel.count; k++) { + const coinNumber = planchets.length; + const transferPriv = decodeCrock(transferPrivs[i]); + const oldCoinPub = decodeCrock(meltCoin.coinPub); + const transferSecret = keyExchangeEcdheEddsa( + transferPriv, + oldCoinPub, + ); + const fresh = setupRefreshPlanchet(transferSecret, coinNumber); + const coinPriv = fresh.coinPriv; + const coinPub = fresh.coinPub; + const blindingFactor = fresh.bks; + const pubHash = hash(coinPub); + const denomPub = decodeCrock(denomSel.denom.denomPub); + const ev = rsaBlind(pubHash, blindingFactor, denomPub); + const planchet: RefreshPlanchetRecord = { + blindingKey: encodeCrock(blindingFactor), + coinEv: encodeCrock(ev), + privateKey: encodeCrock(coinPriv), + publicKey: encodeCrock(coinPub), + }; + planchets.push(planchet); + sessionHc.update(ev); + } + } + planchetsForGammas.push(planchets); + } + + const sessionHash = sessionHc.finish(); + + const confirmData = buildSigPS(SignaturePurpose.WALLET_COIN_MELT) + .put(sessionHash) + .put(decodeCrock(meltCoin.denomPubHash)) + .put(amountToBuffer(valueWithFee)) + .put(amountToBuffer(meltFee)) + .put(decodeCrock(meltCoin.coinPub)) + .build(); + + const confirmSig = eddsaSign(confirmData, decodeCrock(meltCoin.coinPriv)); + + let valueOutput = Amounts.getZero(currency); + for (const denomSel of newCoinDenoms.selectedDenoms) { + const denom = denomSel.denom; + for (let i = 0; i < denomSel.count; i++) { + valueOutput = Amounts.add(valueOutput, denom.value).amount; + } + } + + const newDenoms: string[] = []; + const newDenomHashes: string[] = []; + + for (const denomSel of newCoinDenoms.selectedDenoms) { + const denom = denomSel.denom; + for (let i = 0; i < denomSel.count; i++) { + newDenoms.push(denom.denomPub); + newDenomHashes.push(denom.denomPubHash); + } + } + + const refreshSession: RefreshSessionRecord = { + confirmSig: encodeCrock(confirmSig), + exchangeBaseUrl, + hash: encodeCrock(sessionHash), + meltCoinPub: meltCoin.coinPub, + newDenomHashes, + newDenoms, + norevealIndex: undefined, + planchetsForGammas: planchetsForGammas, + transferPrivs, + transferPubs, + amountRefreshOutput: valueOutput, + amountRefreshInput: valueWithFee, + timestampCreated: getTimestampNow(), + finishedTimestamp: undefined, + lastError: undefined, + }; + + return refreshSession; + } + + /** + * Hash a string including the zero terminator. + */ + hashString(str: string): string { + const b = stringToBytes(str + "\0"); + return encodeCrock(hash(b)); + } + + /** + * Hash a crockford encoded value. + */ + hashEncoded(encodedBytes: string): string { + return encodeCrock(hash(decodeCrock(encodedBytes))); + } + + signCoinLink( + oldCoinPriv: string, + newDenomHash: string, + oldCoinPub: string, + transferPub: string, + coinEv: string, + ): string { + const coinEvHash = hash(decodeCrock(coinEv)); + const coinLink = buildSigPS(SignaturePurpose.WALLET_COIN_LINK) + .put(decodeCrock(newDenomHash)) + .put(decodeCrock(oldCoinPub)) + .put(decodeCrock(transferPub)) + .put(coinEvHash) + .build(); + const coinPriv = decodeCrock(oldCoinPriv); + const sig = eddsaSign(coinLink, coinPriv); + return encodeCrock(sig); + } + + benchmark(repetitions: number): BenchmarkResult { + let time_hash = 0; + for (let i = 0; i < repetitions; i++) { + const start = timer.performanceNow(); + this.hashString("hello world"); + time_hash += timer.performanceNow() - start; + } + + let time_hash_big = 0; + for (let i = 0; i < repetitions; i++) { + const ba = randomBytes(4096); + const start = timer.performanceNow(); + hash(ba); + time_hash_big += timer.performanceNow() - start; + } + + let time_eddsa_create = 0; + for (let i = 0; i < repetitions; i++) { + const start = timer.performanceNow(); + createEddsaKeyPair(); + time_eddsa_create += timer.performanceNow() - start; + } + + let time_eddsa_sign = 0; + const p = randomBytes(4096); + + const pair = createEddsaKeyPair(); + + for (let i = 0; i < repetitions; i++) { + const start = timer.performanceNow(); + eddsaSign(p, pair.eddsaPriv); + time_eddsa_sign += timer.performanceNow() - start; + } + + const sig = eddsaSign(p, pair.eddsaPriv); + + let time_eddsa_verify = 0; + for (let i = 0; i < repetitions; i++) { + const start = timer.performanceNow(); + eddsaVerify(p, sig, pair.eddsaPub); + time_eddsa_verify += timer.performanceNow() - start; + } + + return { + repetitions, + time: { + hash_small: time_hash, + hash_big: time_hash_big, + eddsa_create: time_eddsa_create, + eddsa_sign: time_eddsa_sign, + eddsa_verify: time_eddsa_verify, + }, + }; + } +} diff --git a/packages/taler-wallet-core/src/crypto/workers/cryptoWorker.d.ts.map b/packages/taler-wallet-core/src/crypto/workers/cryptoWorker.d.ts.map new file mode 100644 index 000000000..cfdedef09 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/workers/cryptoWorker.d.ts.map @@ -0,0 +1 @@ +{"version":3,"file":"cryptoWorker.d.ts","sourceRoot":"","sources":["cryptoWorker.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,WAAW,CAAC,OAAO,EAAE,GAAG,GAAG,IAAI,CAAC;IAEhC,SAAS,IAAI,IAAI,CAAC;IAElB,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC,GAAG,SAAS,CAAC;IAC1C,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,KAAK,IAAI,CAAC,GAAG,SAAS,CAAC;CACzC"}
\ No newline at end of file diff --git a/packages/taler-wallet-core/src/crypto/workers/cryptoWorker.ts b/packages/taler-wallet-core/src/crypto/workers/cryptoWorker.ts new file mode 100644 index 000000000..9f3ee6f50 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/workers/cryptoWorker.ts @@ -0,0 +1,8 @@ +export interface CryptoWorker { + postMessage(message: any): void; + + terminate(): void; + + onmessage: ((m: any) => void) | undefined; + onerror: ((m: any) => void) | undefined; +} diff --git a/packages/taler-wallet-core/src/crypto/workers/nodeThreadWorker.d.ts.map b/packages/taler-wallet-core/src/crypto/workers/nodeThreadWorker.d.ts.map new file mode 100644 index 000000000..d89774cd5 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/workers/nodeThreadWorker.d.ts.map @@ -0,0 +1 @@ +{"version":3,"file":"nodeThreadWorker.d.ts","sourceRoot":"","sources":["nodeThreadWorker.ts"],"names":[],"mappings":"AAgBA;;GAEG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAiC9C;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,IAAI,CA6ClD;AAED,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,KAAK,GAAG,IAAI,CAEhD;AAED,qBAAa,6BAA8B,YAAW,mBAAmB;IACvE,WAAW,IAAI,YAAY;IAO3B,cAAc,IAAI,MAAM;CAGzB"}
\ No newline at end of file diff --git a/packages/taler-wallet-core/src/crypto/workers/nodeThreadWorker.ts b/packages/taler-wallet-core/src/crypto/workers/nodeThreadWorker.ts new file mode 100644 index 000000000..6c9dfc569 --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/workers/nodeThreadWorker.ts @@ -0,0 +1,183 @@ +/* + This file is part of TALER + (C) 2016 GNUnet e.V. + + TALER is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. + + TALER is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with + TALER; see the file COPYING. If not, see <http://www.gnu.org/licenses/> + */ + +/** + * Imports + */ +import { CryptoWorkerFactory } from "./cryptoApi"; +import { CryptoWorker } from "./cryptoWorker"; +import os from "os"; +import { CryptoImplementation } from "./cryptoImplementation"; + +const f = __filename; + +const workerCode = ` + // Try loading the glue library for Android + try { + require("akono"); + } catch (e) { + // Probably we're not on Android ... + } + const worker_threads = require('worker_threads'); + const parentPort = worker_threads.parentPort; + let tw; + try { + tw = require("${f}"); + } catch (e) { + console.log("could not load from ${f}"); + } + if (!tw) { + try { + tw = require("taler-wallet-android"); + } catch (e) { + console.log("could not load taler-wallet-android either"); + throw e; + } + } + parentPort.on("message", tw.handleWorkerMessage); + parentPort.on("error", tw.handleWorkerError); +`; + +/** + * This function is executed in the worker thread to handle + * a message. + */ +export function handleWorkerMessage(msg: any): void { + const args = msg.args; + if (!Array.isArray(args)) { + console.error("args must be array"); + return; + } + const id = msg.id; + if (typeof id !== "number") { + console.error("RPC id must be number"); + return; + } + const operation = msg.operation; + if (typeof operation !== "string") { + console.error("RPC operation must be string"); + return; + } + + const handleRequest = async (): Promise<void> => { + const impl = new CryptoImplementation(); + + if (!(operation in impl)) { + console.error(`crypto operation '${operation}' not found`); + return; + } + + try { + const result = (impl as any)[operation](...args); + // eslint-disable-next-line @typescript-eslint/no-var-requires + const worker_threads = require("worker_threads"); + const p = worker_threads.parentPort; + worker_threads.parentPort?.postMessage; + if (p) { + p.postMessage({ data: { result, id } }); + } else { + console.error("parent port not available (not running in thread?"); + } + } catch (e) { + console.error("error during operation", e); + return; + } + }; + + handleRequest().catch((e) => { + console.error("error in node worker", e); + }); +} + +export function handleWorkerError(e: Error): void { + console.log("got error from worker", e); +} + +export class NodeThreadCryptoWorkerFactory implements CryptoWorkerFactory { + startWorker(): CryptoWorker { + if (typeof require === "undefined") { + throw Error("cannot make worker, require(...) not defined"); + } + return new NodeThreadCryptoWorker(); + } + + getConcurrency(): number { + return Math.max(1, os.cpus().length - 1); + } +} + +/** + * Worker implementation that uses node subprocesses. + */ +class NodeThreadCryptoWorker implements CryptoWorker { + /** + * Function to be called when we receive a message from the worker thread. + */ + onmessage: undefined | ((m: any) => void); + + /** + * Function to be called when we receive an error from the worker thread. + */ + onerror: undefined | ((m: any) => void); + + private nodeWorker: import("worker_threads").Worker; + + constructor() { + // eslint-disable-next-line @typescript-eslint/no-var-requires + const worker_threads = require("worker_threads"); + this.nodeWorker = new worker_threads.Worker(workerCode, { eval: true }); + this.nodeWorker.on("error", (err: Error) => { + console.error("error in node worker:", err); + if (this.onerror) { + this.onerror(err); + } + }); + this.nodeWorker.on("message", (v: any) => { + if (this.onmessage) { + this.onmessage(v); + } + }); + this.nodeWorker.unref(); + } + + /** + * Add an event listener for either an "error" or "message" event. + */ + addEventListener(event: "message" | "error", fn: (x: any) => void): void { + switch (event) { + case "message": + this.onmessage = fn; + break; + case "error": + this.onerror = fn; + break; + } + } + + /** + * Send a message to the worker thread. + */ + postMessage(msg: any): void { + this.nodeWorker.postMessage(msg); + } + + /** + * Forcibly terminate the worker thread. + */ + terminate(): void { + this.nodeWorker.terminate(); + } +} diff --git a/packages/taler-wallet-core/src/crypto/workers/synchronousWorker.ts b/packages/taler-wallet-core/src/crypto/workers/synchronousWorker.ts new file mode 100644 index 000000000..5327670bd --- /dev/null +++ b/packages/taler-wallet-core/src/crypto/workers/synchronousWorker.ts @@ -0,0 +1,136 @@ +/* + This file is part of GNU Taler + (C) 2019 GNUnet e.V. + + GNU Taler is free software; you can redistribute it and/or modify it under the + terms of the GNU General Public License as published by the Free Software + Foundation; either version 3, or (at your option) any later version. + + GNU Taler is distributed in the hope that it will be useful, but WITHOUT ANY + WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along with + GNU Taler; see the file COPYING. If not, see <http://www.gnu.org/licenses/> + */ + +import { CryptoImplementation } from "./cryptoImplementation"; + +import { CryptoWorkerFactory } from "./cryptoApi"; +import { CryptoWorker } from "./cryptoWorker"; + +/** + * The synchronous crypto worker produced by this factory doesn't run in the + * background, but actually blocks the caller until the operation is done. + */ +export class SynchronousCryptoWorkerFactory implements CryptoWorkerFactory { + startWorker(): CryptoWorker { + if (typeof require === "undefined") { + throw Error("cannot make worker, require(...) not defined"); + } + return new SynchronousCryptoWorker(); + } + + getConcurrency(): number { + return 1; + } +} + +/** + * Worker implementation that uses node subprocesses. + */ +export class SynchronousCryptoWorker { + /** + * Function to be called when we receive a message from the worker thread. + */ + onmessage: undefined | ((m: any) => void); + + /** + * Function to be called when we receive an error from the worker thread. + */ + onerror: undefined | ((m: any) => void); + + constructor() { + this.onerror = undefined; + this.onmessage = undefined; + } + + /** + * Add an event listener for either an "error" or "message" event. + */ + addEventListener(event: "message" | "error", fn: (x: any) => void): void { + switch (event) { + case "message": + this.onmessage = fn; + break; + case "error": + this.onerror = fn; + break; + } + } + + private dispatchMessage(msg: any): void { + if (this.onmessage) { + this.onmessage({ data: msg }); + } + } + + private async handleRequest( + operation: string, + id: number, + args: string[], + ): Promise<void> { + const impl = new CryptoImplementation(); + + if (!(operation in impl)) { + console.error(`crypto operation '${operation}' not found`); + return; + } + + let result: any; + try { + result = (impl as any)[operation](...args); + } catch (e) { + console.log("error during operation", e); + return; + } + + try { + setTimeout(() => this.dispatchMessage({ result, id }), 0); + } catch (e) { + console.log("got error during dispatch", e); + } + } + + /** + * Send a message to the worker thread. + */ + postMessage(msg: any): void { + const args = msg.args; + if (!Array.isArray(args)) { + console.error("args must be array"); + return; + } + const id = msg.id; + if (typeof id !== "number") { + console.error("RPC id must be number"); + return; + } + const operation = msg.operation; + if (typeof operation !== "string") { + console.error("RPC operation must be string"); + return; + } + + this.handleRequest(operation, id, args).catch((e) => { + console.error("Error while handling crypto request:", e); + }); + } + + /** + * Forcibly terminate the worker thread. + */ + terminate(): void { + // This is a no-op. + } +} |