147 lines
4.5 KiB
TypeScript
147 lines
4.5 KiB
TypeScript
// Copyright (C) 2019 Kyle Den Hartog
|
|
// MIT License. See LICENSE file for details.
|
|
|
|
/**
|
|
* Package xchacha20poly1305 implements XChaCha20-Poly1305 AEAD.
|
|
*/
|
|
|
|
import type { AEAD } from "@stablelib/aead";
|
|
import { hchacha } from "@stablelib/xchacha20";
|
|
import { ChaCha20Poly1305 } from "@stablelib/chacha20poly1305";
|
|
import { wipe } from "@stablelib/wipe";
|
|
|
|
export const KEY_LENGTH = 32;
|
|
export const NONCE_LENGTH = 24;
|
|
export const TAG_LENGTH = 16;
|
|
|
|
/**
|
|
* XChaCha20-Poly1305 Authenticated Encryption with Associated Data.
|
|
*
|
|
* Defined in draft-irtf-cfrg-xchacha-01.
|
|
* See https://tools.ietf.org/html/draft-irtf-cfrg-xchacha-01
|
|
*/
|
|
export class XChaCha20Poly1305 implements AEAD {
|
|
readonly nonceLength = NONCE_LENGTH;
|
|
readonly tagLength = TAG_LENGTH;
|
|
|
|
private _key: Uint8Array;
|
|
|
|
/**
|
|
* Creates a new instance with the given 32-byte key.
|
|
*/
|
|
constructor(key: Uint8Array) {
|
|
if (key.length !== KEY_LENGTH) {
|
|
throw new Error("ChaCha20Poly1305 needs 32-byte key");
|
|
}
|
|
// Copy key.
|
|
this._key = new Uint8Array(key);
|
|
}
|
|
|
|
/**
|
|
* Encrypts and authenticates plaintext, authenticates associated data,
|
|
* and returns sealed ciphertext, which includes authentication tag.
|
|
*
|
|
* draft-irtf-cfrg-xchacha-01 defines a 24 byte nonce (192 bits) which
|
|
* uses the first 16 bytes of the nonce and the secret key with
|
|
* HChaCha to generate an initial subkey. The last 8 bytes of the nonce
|
|
* are then prefixed with 4 zero bytes and then provided with the subkey
|
|
* to the ChaCha20Poly1305 implementation.
|
|
*
|
|
* If dst is given (it must be the size of plaintext + the size of tag
|
|
* length) the result will be put into it. Dst and plaintext must not
|
|
* overlap.
|
|
*/
|
|
seal(
|
|
nonce: Uint8Array,
|
|
plaintext: Uint8Array,
|
|
associatedData?: Uint8Array,
|
|
dst?: Uint8Array
|
|
): Uint8Array {
|
|
if (nonce.length !== 24) {
|
|
throw new Error("XChaCha20Poly1305: incorrect nonce length");
|
|
}
|
|
// Use HSalsa one-way function to transform first 16 bytes of
|
|
// 24-byte extended nonce and key into a new key for Salsa
|
|
// stream -- "subkey".
|
|
const subKey = hchacha(this._key, nonce.subarray(0, 16), new Uint8Array(32));
|
|
|
|
|
|
// Use last 8 bytes of 24-byte extended nonce as an actual nonce prefixed by 4 zero bytes,
|
|
// and a subkey derived in the previous step as key to encrypt.
|
|
const modifiedNonce = new Uint8Array(12);
|
|
modifiedNonce.set(nonce.subarray(16), 4);
|
|
|
|
const chaChaPoly = new ChaCha20Poly1305(subKey);
|
|
const result = chaChaPoly.seal(modifiedNonce, plaintext, associatedData, dst);
|
|
wipe(subKey);
|
|
wipe(modifiedNonce);
|
|
chaChaPoly.clean();
|
|
return result;
|
|
}
|
|
|
|
/**
|
|
* Authenticates sealed ciphertext (which includes authentication tag) and
|
|
* associated data, decrypts ciphertext and returns decrypted plaintext.
|
|
*
|
|
* draft-irtf-cfrg-xchacha-01 defines a 24 byte nonce (192 bits) which
|
|
* then uses the first 16 bytes of the nonce and the secret key with
|
|
* Hchacha to generate an initial subkey. The last 8 bytes of the nonce
|
|
* are then prefixed with 4 zero bytes and then provided with the subkey
|
|
* to the chacha20poly1305 implementation.
|
|
*
|
|
* If authentication fails, it returns null.
|
|
*
|
|
* If dst is given (it must be the size of plaintext + the size of tag
|
|
* length) the result will be put into it. Dst and plaintext must not
|
|
* overlap.
|
|
*/
|
|
open(
|
|
nonce: Uint8Array,
|
|
sealed: Uint8Array,
|
|
associatedData?: Uint8Array,
|
|
dst?: Uint8Array
|
|
): Uint8Array | null {
|
|
if (nonce.length !== 24) {
|
|
throw new Error("XChaCha20Poly1305: incorrect nonce length");
|
|
}
|
|
|
|
// Sealed ciphertext should at least contain tag.
|
|
if (sealed.length < this.tagLength) {
|
|
// TODO(dchest): should we throw here instead?
|
|
return null;
|
|
}
|
|
|
|
/**
|
|
* Generate subKey by using HChaCha20 function as defined
|
|
* in section 2 step 1 of draft-irtf-cfrg-xchacha-01
|
|
*/
|
|
const subKey = hchacha(
|
|
this._key,
|
|
nonce.subarray(0, 16),
|
|
new Uint8Array(32)
|
|
);
|
|
|
|
/**
|
|
* Generate Nonce as defined - remaining 8 bytes of the nonce prefixed with
|
|
* 4 zero bytes
|
|
*/
|
|
const modifiedNonce = new Uint8Array(12);
|
|
modifiedNonce.set(nonce.subarray(16), 4);
|
|
|
|
/**
|
|
* Authenticate and decrypt by calling into chacha20poly1305.
|
|
*/
|
|
const chaChaPoly = new ChaCha20Poly1305(subKey);
|
|
const result = chaChaPoly.open(modifiedNonce, sealed, associatedData, dst);
|
|
wipe(subKey);
|
|
wipe(modifiedNonce);
|
|
chaChaPoly.clean();
|
|
return result;
|
|
}
|
|
|
|
clean(): this {
|
|
wipe(this._key);
|
|
return this;
|
|
}
|
|
}
|