WIP

CMCDragonkai · CMCDragonkai · commit 1f64a81b6928 · 2022-09-16T15:06:42.000+10:00
diff --git a/test-bootstrapping.ts b/test-bootstrapping.ts
@@ -1,13 +1,15 @@
 import * as jest from 'jest';
 import * as jose from 'jose';
-import { webcrypto } from 'crypto';
+import { hkdf, webcrypto } from 'crypto';
 import * as bip39 from '@scure/bip39';
 import { wordlist } from '@scure/bip39/wordlists/english';
 import * as utils from '@noble/hashes/utils';
 import * as nobleEd from '@noble/ed25519';
 import * as base64 from 'multiformats/bases/base64';
 import * as noblePbkdf2 from '@noble/hashes/pbkdf2';
+import * as nobleHkdf from '@noble/hashes/hkdf';
 import { sha512 as nobleSha512 } from '@noble/hashes/sha512';
+import { sha256 as nobleSha256 } from '@noble/hashes/sha256';
 
 // @ts-ignore - this overrides the random source used by @noble and @scure libraries
 utils.randomBytes = (size: number = 32) => getRandomBytesSync(size);
@@ -257,37 +259,6 @@ async function main () {
   // Binary representation from text
   const jwe = new jose.FlattenedEncrypt(Buffer.from(privateKeyJSONstring, 'utf-8'));
 
-  // console.log(jwe);
-
-  // Used to determine the CEK?
-  // What does even mean?
-  // PBES2 means "password based encryption scheme 2"
-
-  // PBES2 is pas word based encryption
-  // it means using PBKDF2
-  // HS256 means SHA-256  as the HMAC (used as the pseudo random function)
-  // A256KW means AES 256 bit Key Wrap (used to actually encrypt)
-  // The result of encrypting a CEK wiusing the result of the pass word based encryption
-  // And coresponding key wrapping algoritm
-  // p2s is the salt input - 8 or more octets, generate random salt for every encryption operation?
-  // p2c is the count iteration - minimum of 1000 is preferred here
-
-  // We could do this directly without going through jose though
-
-  // A256GCM is better is used to actually encrypt the data
-  // Why not use HS512?
-  // AES256KW is used to encrypt the CEK
-
-  // Is the salt meant to be random?
-  // If so, does the user need to remember this salt?
-  // Because PBKDF2 will require this salt...
-  // Plus if we are decrypting it, we need to pass in the salt
-
-  // p2s is the salt input - 8 or more octets, generate random salt for every encryption operation?
-  // It doesn't matter what it is
-
-  const randomSalt = getRandomBytesSync(8);
-
   // JOSE HEADER
   jwe.setProtectedHeader({
     alg: 'PBES2-HS512+A256KW',
@@ -305,29 +276,29 @@ async function main () {
   // );
 
   // PBES2 Salt Input must be 8 or more octets
+  // const key = await noblePbkdf2.pbkdf2Async(
+  //   // Using HMAC 512
+  //   nobleSha512,
+  //   Buffer.from('some password'),
+  //   // This is how the salt is "defined"
+  //   // note how we join the alg, then a null character
+  //   // then finally the actual salt being specified
+  //   // It appears to be "saved" in the actual thing
+  //   // Buffer.from(''),
+  //   Buffer.concat([
+  //     Buffer.from('PBES2-HS512+A256KW', 'utf-8'),
+  //     Buffer.from([0]),
+  //     // randomSalt
+  //   ]),
+  //   {
+  //     c: 1000,
+  //     // It is 32 bytes, because we want a A256KW
+  //     dkLen: 64
+  //   }
+  // );
 
-  const key = await noblePbkdf2.pbkdf2Async(
-    // Using HMAC 512
-    nobleSha512,
-    Buffer.from('some password'),
-    // This is how the salt is "defined"
-    // note how we join the alg, then a null character
-    // then finally the actual salt being specified
-    // It appears to be "saved" in the actual thing
-    // Buffer.from(''),
-    Buffer.concat([
-      Buffer.from('PBES2-HS512+A256KW', 'utf-8'),
-      Buffer.from([0]),
-      // randomSalt
-    ]),
-    {
-      c: 1000,
-      // It is 32 bytes, because we want a A256KW
-      dkLen: 64
-    }
-  );
-
-  console.log('key length', key.length);
+  // console.log('key length', key.length);
+  const key = Buffer.from('some password');
 
   const encryptedJWK = await jwe.encrypt(key);
 
@@ -342,59 +313,75 @@ async function main () {
 
   console.log(decryptedJWK.plaintext.toString());
 
+  // The salt and count are saved in the encryptedJWK
+  // but it's not encrypted, it's protected via integrity
+  // these are then used to help decrypt because the program
+  // knows that it is a PBES2
+  console.log(jose.decodeProtectedHeader(encryptedJWK));
+
+
+  // Ok great we have the ed25519 root key
+  // this is now going to be in `root_priv.json` and `root_pub.json`
+  // The `root_priv.json` is encrypted with a root password
+  // And we can proceed...
+
+  // We now need to use a DEK key for the database
+  // This can be randomly generated
+  // Or derived using HKDF from the root key
+  // Note that ed25519 keys are not meant for derivation
+  // It has to be converted to a x25519 key first
+  // Before HKDF to be used
+  // However why not just randomly generate the DEK?
+  // Well the reason is this if it randomly generates the DEK...
+  // When DEK is lost, you lose the ability to decrypt the database
+  // If you derive the DEK from the root key, you can always regenerate the DEK
+  // However there's a another problem...
+  // If the DEK is separate, then you can always change the root key without chaning the dek
+
+
+  // Let's generate a random DEK first
+  // It will be 256 bits, as we will be using AES256GCM
+  // Which is a 32 byte key
+  const dataEncryptionKey = getRandomBytesSync(32);
+
+  const x25519sharedsecret = await nobleEd.getSharedSecret(
+    rootKeyPair.privateKey,
+    rootKeyPair.publicKey
+  );
 
+  // This is 32 bytes
+  console.log(x25519sharedsecret);
 
-  // // This has to use a key to encrypt
-  // // which key can we use for this?
-  // // Do we need to create a CEK to do this?
-  // const result = await jwe.encrypt(Buffer.from('some password'));
-
-  // I think we actually need to create a key here...
-  // not just anything... how do we use a particular key to do this?
-  // It's a password
-  // console.log(result);
-
-
-
-  // A "cty" (content type) Header Parameter value of "jwk+json" MUST be used to indicate that the content of the JWE is a JWK
-
-
-
-
-  // To do this
-  // we can use webcrypto
-  // OR we can use jose
-
-
-  // Ok we got the root key pair
-  // Encode as JWK so it can be saved on disk
-  // Encrypt the private key with a root password using a symmetric cipher
-  // To do this, the root password must be hashed with a key derivation function
-  // Which is then used to encrypt the private key JWK file
-  // We can also use 2 files
-  // Or 1 file being JWKS - a set of JWKs
-  // The reason to use 2 files, is that the public key doesn't need encryption
+  // Now we use hkdf-extract
 
+  // The salt also has to be auto generated...
+  // but i really don't think we need to do this
+  // It's not some password
+  // It's the actual derived key from ed25519
+  // so what's the point of the salt here?
 
+  const PRK = nobleHkdf.extract(
+    nobleSha512,
+    x25519sharedsecret,
+    Buffer.from('some password')
+  );
 
-  // Now with the ed25519 master key
-  // We should be able to "derive/generate" subkeys DEKs
-  // These DEKs - the database one in particular should be used
-  // to encrypt the database
-  // The DEKs can be randomly generated, they do not need to be "connected"
-  // to the Master Key
-  // But the DEK when outside the DB, needs to be stored on disk
-  // In particular the DEK used for the DB must be encrypted with the root key
-  // To do this the root key can be directly used for encryption
-  // Converted to X25519 to encrypt
-  // Or use an HKDF over the ed25519 key to do so...
+  // This is 64 bytes
+  console.log(PRK);
 
+  // But maybe we should be using JWK here again
+  // And use Key Wrapping but this time with ed25519
+  // Well here is the problem
+  // The DEK is randomly generated
+  // Now we are trying to encrypt it
+  // encrypting it rquires a key symmetric key too?
+  // So encrypted JWK is...?
+  // Cause the salt is needed And where we saving the salt
+  // Or not do it aall?
+  // Let's import it into JWK first
 
+  // I think we don't need the salt, simply because no precomputation attack is possible here
 
-  // The ed25519 key is not intended for encryption
-  // We can "derive" a x25519 key to do the encryption
-  // This avoids using 2 keys
-  // Some places argue to create a second key to do this
 
 
   // console.log(nobleEd.utils.randomPrivateKey());
