jolokia 0.7.0

Simple, strong encryption.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337

//! Hybrid Public Key Encryption (HPKE) implementation.
//!
//! Ciphersuite: HPKE-Base-X25519-HKDF-SHA256-ChaCha20Poly1305.
//!
//! - **X25519**: Key Encapsulation Mechanism (KEM). Performs ephemeral-
//!   static Diffie-Hellman to establish a shared secret between sender
//!   and recipient.
//! - **HKDF-SHA256**: Key Derivation Function (KDF). Expands the shared
//!   secret into cryptographic keys.
//! - **ChaCha20-Poly1305**: Authenticated Encryption with Associated
//!   Data (AEAD). Encrypts the actual message data in authenticated
//!   chunks.
//!
//! # Message Format
//!
//! All ciphertexts begin with a **5-byte header**:
//! 1. **Algorithm ID**: 4 ASCII bytes, `b"HPKE"`.
//! 2. **Version**: 1 byte, currently `0x01`.
//!
//! After the header:
//!
//! ```text
//! [ header (5) ]
//! [ encapsulated public key length (2-byte BE) ]
//! [ encapsulated public key (variable) ]
//! [ chacha encrypted payload ]
//! ```
//!
//! - The **encapsulated public key** is produced during encryption and
//!   required for decryption. Its length is encoded as a 2-byte
//!   big-endian integer.
//!
//! - The actual **payload** is encrypted by the [`ChaCha20-Poly1305`]
//!   stream implementation. See its documentation for details on
//!   chunking, nonce structure, and framing.
//!
//! - The derived symmetric key is unique per encryption via a fresh
//!   ephemeral keypair, providing forward secrecy. Only the
//!   encapsulated key and ciphertext are sent.
//!
//! - Decryption requires the recipient's X25519 private key and the
//!   encapsulated key to derive the shared symmetric key.
//!
//! - Any header or encapsulated key mismatch results in immediate
//!   failure.

use std::io::{Read, Write};

use hpke::aead::ChaCha20Poly1305 as ChaCha20Poly1305_;
use hpke::kdf::HkdfSha256;
use hpke::kem::{Kem, X25519HkdfSha256};
use hpke::{Deserializable, OpModeR, OpModeS, Serializable};
use rand::{SeedableRng, rngs::StdRng};

use crate::cipher::ChaCha20Poly1305;
use crate::traits::{self, Cipher, Error, GeneratedKey};

// Contains algorithm name (4-bytes) and version (1-byte).
const HEADER: &[u8; 5] = b"HPKE\x01";

// Used to bind the derived keys to a specific application context or
// protocol version. It's the same idea as `HEADER` but used by HPKE
// internally.
const INFO: &[u8] = b"jolokia-hpke-stream-v1";
const EXPORT_LABEL: &[u8] = b"stream";

pub struct Hpke;

impl Cipher for Hpke {
    /// Generate an X25519 32-byte (256-bit) keypair.
    fn generate_key(&self) -> GeneratedKey {
        let mut csprng = StdRng::from_os_rng();
        let (sk, pk) = <X25519HkdfSha256 as Kem>::gen_keypair(&mut csprng);
        GeneratedKey::Asymmetric {
            private: sk.to_bytes().to_vec(),
            public: pk.to_bytes().to_vec(),
        }
    }

    fn encrypt_stream(
        &self,
        public_key: &[u8],
        reader: &mut dyn Read,
        writer: &mut dyn Write,
    ) -> traits::Result<()> {
        // Recipient's public key.
        let public_key = <X25519HkdfSha256 as Kem>::PublicKey::from_bytes(public_key)
            .map_err(|_| Error::Encrypt)?;

        // Generate an ephemeral keypair.
        //
        // Note: The private key is internal (`encryption_context`) and
        // will be used to derive a symmetric key on our (the encryptor)
        // side. The public key will be sent along and be used by the
        // recipient (the decryptor) to derive the same symmetric key
        // on his side.
        //
        // Why ephemeral? Forward secrecy. If the recipient's private
        // key ever gets compromised, passed and future messages will
        // still be safe because the derived symmetric key will be
        // _unique_ to that session/message. If not for the ephemeral
        // keypair, we would always use the _same_ symmetric key,
        // breaking forward secrecy.
        let mut csprng = StdRng::from_os_rng();
        let (encapsulated_public_key, encryption_context) =
            hpke::setup_sender::<ChaCha20Poly1305_, HkdfSha256, X25519HkdfSha256, _>(
                &OpModeS::Base,
                &public_key,
                INFO,
                &mut csprng,
            )
            .map_err(|_| Error::Encrypt)?;

        // Derive a 32-byte symmetric key. Will encrypt the _message_.
        //
        // Note: Contrary to "traditional" hybrid encryption, the
        // symmetric key is not encrypted and sent along, instead, it
        // is _derived_. During encryption, it is derived by combining
        // the recipient's public key, and the ephemeral private key
        // (dropped after use). During decryption, it is derived by
        // combining the recipient's private key, and the public key
        // (`encapsulated_public_key`) that we send along.
        //
        // TODO: Zeroize the symmetric key.
        let mut symmetric_key = [0u8; 32];
        encryption_context
            .export(EXPORT_LABEL, &mut symmetric_key)
            .map_err(|_| Error::Encrypt)?;

        writer
            .write_all(HEADER)
            .map_err(|e| Error::Write(e.to_string()))?;

        // 2-bytes (16-bits) big-endian encapsulated public key length.
        // length prefix for encapsulated_key
        let encapsulated_public_key = encapsulated_public_key.to_bytes();
        let encapsulated_public_key_len = u16::try_from(encapsulated_public_key.len())
            .map_err(|_| Error::Encrypt)?
            .to_be_bytes();
        writer
            .write_all(&encapsulated_public_key_len)
            .map_err(|e| Error::Write(e.to_string()))?;
        writer
            .write_all(&encapsulated_public_key)
            .map_err(|e| Error::Write(e.to_string()))?;

        // We've written the header and the encapsulated public key,
        // the only thing left to do is to append the encrypted payload.
        ChaCha20Poly1305.encrypt_stream(&symmetric_key, reader, writer)?;

        Ok(())
    }

    fn decrypt_stream(
        &self,
        private_key: &[u8],
        reader: &mut dyn Read,
        writer: &mut dyn Write,
    ) -> traits::Result<()> {
        if usize::BITS < u16::BITS {
            return Err(Error::Platform(
                "< 16-bit platforms are not supported.".to_string(),
            ));
        }

        // Recipient's private key.
        let private_key = <X25519HkdfSha256 as Kem>::PrivateKey::from_bytes(private_key)
            .map_err(|_| Error::Decrypt)?;

        let mut header = [0u8; HEADER.len()];
        reader
            .read_exact(&mut header)
            .map_err(|e| Error::Read(e.to_string()))?;
        if &header != HEADER {
            return Err(Error::Algorithm);
        }

        // 2-bytes (16-bits) big-endian encapsulated public key length.
        let mut encapsulated_public_key_len = [0u8; 2];
        reader
            .read_exact(&mut encapsulated_public_key_len)
            .map_err(|e| Error::Read(e.to_string()))?;
        let encapsulated_public_key_len = u16::from_be_bytes(encapsulated_public_key_len) as usize;
        if encapsulated_public_key_len != 32 {
            return Err(Error::Decrypt);
        }

        let mut encapsulated_public_key = vec![0u8; encapsulated_public_key_len];
        reader
            .read_exact(&mut encapsulated_public_key)
            .map_err(|e| Error::Read(e.to_string()))?;
        let encapsulated_public_key =
            <X25519HkdfSha256 as Kem>::EncappedKey::from_bytes(&encapsulated_public_key)
                .map_err(|_| Error::Decrypt)?;

        // Combine the encapsulated public key and the recipient's
        // secret key to derive the shared symmetric key.
        let decryption_context = hpke::setup_receiver::<
            ChaCha20Poly1305_,
            HkdfSha256,
            X25519HkdfSha256,
        >(
            &OpModeR::Base, &private_key, &encapsulated_public_key, INFO
        )
        .map_err(|_| Error::Decrypt)?;

        // Derive the 32-byte shared symmetric key.
        let mut symmetric_key = [0u8; 32];
        decryption_context
            .export(EXPORT_LABEL, &mut symmetric_key)
            .map_err(|_| Error::Decrypt)?;

        // We've got the symmetric key, decrypt the payload.
        ChaCha20Poly1305.decrypt_stream(&symmetric_key, reader, writer)?;

        Ok(())
    }
}

#[cfg(test)]
pub mod tests {
    use std::io::Cursor;

    use super::*;

    use crate::traits::Base64Decode;

    // Note: We can't really test encryption alone, because the result
    // is not deteministic (the nonce prevents identical plaintexts from
    // encrypting to the same ciphertext).

    #[test]
    fn hpke_encrypt_decrypt_roundtrip() {
        let private_key = "caEdcM9zySxJCc+HBD7QzzpJwBVWm2BcGyBMoGETi+g"
            .base64_decode()
            .unwrap();
        let public_key = "lNLRjAfH2i8QfgEBmkwb9DyigB6mFae94FYCx46qij0"
            .base64_decode()
            .unwrap();
        let plaintext = b"hello, world!";

        let encrypted = Hpke.encrypt(&public_key, plaintext).unwrap();

        let decrypted = Hpke.decrypt(&private_key, &encrypted).unwrap();
        let decrypted = String::from_utf8_lossy(&decrypted);

        assert_eq!(decrypted, "hello, world!");
    }

    #[test]
    fn hpke_encrypt_decrypt_streaming_roundtrip_shorter_than_a_chunk() {
        let private_key = "caEdcM9zySxJCc+HBD7QzzpJwBVWm2BcGyBMoGETi+g"
            .base64_decode()
            .unwrap();
        let public_key = "lNLRjAfH2i8QfgEBmkwb9DyigB6mFae94FYCx46qij0"
            .base64_decode()
            .unwrap();
        let plaintext = b"hello, world!";

        // Chunks are `4096 + 16 = 4112` bytes (message + auth).
        assert!(plaintext.len() < 4096, "{} >= 4096", plaintext.len());

        let mut encrypted = Vec::new();
        Hpke.encrypt_stream(&public_key, &mut Cursor::new(plaintext), &mut encrypted)
            .unwrap();
        dbg!(&encrypted);

        assert!(encrypted.len() > 8);

        let mut decrypted = Vec::new();
        Hpke.decrypt_stream(&private_key, &mut Cursor::new(encrypted), &mut decrypted)
            .unwrap();
        let decrypted = String::from_utf8_lossy(&decrypted);
        dbg!(&decrypted);

        assert_eq!(decrypted, "hello, world!");
    }

    #[test]
    fn hpke_encrypt_decrypt_streaming_roundtrip_same_length_as_a_chunk() {
        let private_key = "caEdcM9zySxJCc+HBD7QzzpJwBVWm2BcGyBMoGETi+g"
            .base64_decode()
            .unwrap();
        let public_key = "lNLRjAfH2i8QfgEBmkwb9DyigB6mFae94FYCx46qij0"
            .base64_decode()
            .unwrap();
        let mut plaintext = b"hello, world!".repeat(315);
        plaintext.extend(b"1");

        // Chunks are `4096 + 16 = 4112` bytes (message + auth).
        assert_eq!(plaintext.len(), 4096);

        let mut encrypted = Vec::new();
        Hpke.encrypt_stream(&public_key, &mut Cursor::new(plaintext), &mut encrypted)
            .unwrap();
        dbg!(&encrypted);

        assert!(encrypted.len() > 8);

        let mut decrypted = Vec::new();
        Hpke.decrypt_stream(&private_key, &mut Cursor::new(encrypted), &mut decrypted)
            .unwrap();
        let decrypted = String::from_utf8_lossy(&decrypted);
        dbg!(&decrypted);

        assert_eq!(decrypted, "hello, world!".repeat(315) + "1");
    }

    #[test]
    fn hpke_encrypt_decrypt_streaming_roundtrip_longer_than_a_chunk() {
        let private_key = "caEdcM9zySxJCc+HBD7QzzpJwBVWm2BcGyBMoGETi+g"
            .base64_decode()
            .unwrap();
        let public_key = "lNLRjAfH2i8QfgEBmkwb9DyigB6mFae94FYCx46qij0"
            .base64_decode()
            .unwrap();
        let plaintext = b"hello, world!".repeat(320);

        // Chunks are `4096 + 16 = 4112` bytes (message + auth).
        assert!(plaintext.len() > 4096, "{} <= 4096", plaintext.len());

        let mut encrypted = Vec::new();
        Hpke.encrypt_stream(&public_key, &mut Cursor::new(plaintext), &mut encrypted)
            .unwrap();
        dbg!(&encrypted);

        assert!(encrypted.len() > 8);

        let mut decrypted = Vec::new();
        Hpke.decrypt_stream(&private_key, &mut Cursor::new(encrypted), &mut decrypted)
            .unwrap();
        let decrypted = String::from_utf8_lossy(&decrypted);
        dbg!(&decrypted);

        assert_eq!(decrypted, "hello, world!".repeat(320));
    }
}