mobile/android/base/background/fxa/FxAccountUtils.java@fc2d59ddac77 (annotated)
mobile/android/base/background/fxa/FxAccountUtils.java
Wed, 31 Dec 2014 07:22:50 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 07:22:50 +0100
- branch
- TOR_BUG_3246
- changeset 4
- fc2d59ddac77
- permissions
- -rw-r--r--
Correct previous dual key logic pending first delivery installment.
| michael@0 | 1 | /* This Source Code Form is subject to the terms of the Mozilla Public |
| michael@0 | 2 | * License, v. 2.0. If a copy of the MPL was not distributed with this |
| michael@0 | 3 | * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ |
| michael@0 | 4 | |
| michael@0 | 5 | package org.mozilla.gecko.background.fxa; |
| michael@0 | 6 | |
| michael@0 | 7 | import java.io.UnsupportedEncodingException; |
| michael@0 | 8 | import java.math.BigInteger; |
| michael@0 | 9 | import java.net.URI; |
| michael@0 | 10 | import java.net.URISyntaxException; |
| michael@0 | 11 | import java.security.GeneralSecurityException; |
| michael@0 | 12 | import java.security.InvalidKeyException; |
| michael@0 | 13 | import java.security.NoSuchAlgorithmException; |
| michael@0 | 14 | |
| michael@0 | 15 | import org.mozilla.gecko.background.common.log.Logger; |
| michael@0 | 16 | import org.mozilla.gecko.background.nativecode.NativeCrypto; |
| michael@0 | 17 | import org.mozilla.gecko.sync.Utils; |
| michael@0 | 18 | import org.mozilla.gecko.sync.crypto.HKDF; |
| michael@0 | 19 | import org.mozilla.gecko.sync.crypto.KeyBundle; |
| michael@0 | 20 | import org.mozilla.gecko.sync.crypto.PBKDF2; |
| michael@0 | 21 | |
| michael@0 | 22 | public class FxAccountUtils { |
| michael@0 | 23 | private static final String LOG_TAG = FxAccountUtils.class.getSimpleName(); |
| michael@0 | 24 | |
| michael@0 | 25 | public static final int SALT_LENGTH_BYTES = 32; |
| michael@0 | 26 | public static final int SALT_LENGTH_HEX = 2 * SALT_LENGTH_BYTES; |
| michael@0 | 27 | |
| michael@0 | 28 | public static final int HASH_LENGTH_BYTES = 16; |
| michael@0 | 29 | public static final int HASH_LENGTH_HEX = 2 * HASH_LENGTH_BYTES; |
| michael@0 | 30 | |
| michael@0 | 31 | public static final int CRYPTO_KEY_LENGTH_BYTES = 32; |
| michael@0 | 32 | public static final int CRYPTO_KEY_LENGTH_HEX = 2 * CRYPTO_KEY_LENGTH_BYTES; |
| michael@0 | 33 | |
| michael@0 | 34 | public static final String KW_VERSION_STRING = "identity.mozilla.com/picl/v1/"; |
| michael@0 | 35 | |
| michael@0 | 36 | public static final int NUMBER_OF_QUICK_STRETCH_ROUNDS = 1000; |
| michael@0 | 37 | |
| michael@0 | 38 | public static String bytes(String string) throws UnsupportedEncodingException { |
| michael@0 | 39 | return Utils.byte2Hex(string.getBytes("UTF-8")); |
| michael@0 | 40 | } |
| michael@0 | 41 | |
| michael@0 | 42 | public static byte[] KW(String name) throws UnsupportedEncodingException { |
| michael@0 | 43 | return Utils.concatAll( |
| michael@0 | 44 | KW_VERSION_STRING.getBytes("UTF-8"), |
| michael@0 | 45 | name.getBytes("UTF-8")); |
| michael@0 | 46 | } |
| michael@0 | 47 | |
| michael@0 | 48 | public static byte[] KWE(String name, byte[] emailUTF8) throws UnsupportedEncodingException { |
| michael@0 | 49 | return Utils.concatAll( |
| michael@0 | 50 | KW_VERSION_STRING.getBytes("UTF-8"), |
| michael@0 | 51 | name.getBytes("UTF-8"), |
| michael@0 | 52 | ":".getBytes("UTF-8"), |
| michael@0 | 53 | emailUTF8); |
| michael@0 | 54 | } |
| michael@0 | 55 | |
| michael@0 | 56 | /** |
| michael@0 | 57 | * Calculate the SRP verifier <tt>x</tt> value. |
| michael@0 | 58 | */ |
| michael@0 | 59 | public static BigInteger srpVerifierLowercaseX(byte[] emailUTF8, byte[] srpPWBytes, byte[] srpSaltBytes) |
| michael@0 | 60 | throws NoSuchAlgorithmException, UnsupportedEncodingException { |
| michael@0 | 61 | byte[] inner = Utils.sha256(Utils.concatAll(emailUTF8, ":".getBytes("UTF-8"), srpPWBytes)); |
| michael@0 | 62 | byte[] outer = Utils.sha256(Utils.concatAll(srpSaltBytes, inner)); |
| michael@0 | 63 | return new BigInteger(1, outer); |
| michael@0 | 64 | } |
| michael@0 | 65 | |
| michael@0 | 66 | /** |
| michael@0 | 67 | * Calculate the SRP verifier <tt>v</tt> value. |
| michael@0 | 68 | */ |
| michael@0 | 69 | public static BigInteger srpVerifierLowercaseV(byte[] emailUTF8, byte[] srpPWBytes, byte[] srpSaltBytes, BigInteger g, BigInteger N) |
| michael@0 | 70 | throws NoSuchAlgorithmException, UnsupportedEncodingException { |
| michael@0 | 71 | BigInteger x = srpVerifierLowercaseX(emailUTF8, srpPWBytes, srpSaltBytes); |
| michael@0 | 72 | BigInteger v = g.modPow(x, N); |
| michael@0 | 73 | return v; |
| michael@0 | 74 | } |
| michael@0 | 75 | |
| michael@0 | 76 | /** |
| michael@0 | 77 | * Format x modulo N in hexadecimal, using as many characters as N takes (in hexadecimal). |
| michael@0 | 78 | * @param x to format. |
| michael@0 | 79 | * @param N modulus. |
| michael@0 | 80 | * @return x modulo N in hexadecimal. |
| michael@0 | 81 | */ |
| michael@0 | 82 | public static String hexModN(BigInteger x, BigInteger N) { |
| michael@0 | 83 | int byteLength = (N.bitLength() + 7) / 8; |
| michael@0 | 84 | int hexLength = 2 * byteLength; |
| michael@0 | 85 | return Utils.byte2Hex(Utils.hex2Byte((x.mod(N)).toString(16), byteLength), hexLength); |
| michael@0 | 86 | } |
| michael@0 | 87 | |
| michael@0 | 88 | /** |
| michael@0 | 89 | * The first engineering milestone of PICL (Profile-in-the-Cloud) was |
| michael@0 | 90 | * comprised of Sync 1.1 fronted by a Firefox Account. The sync key was |
| michael@0 | 91 | * generated from the Firefox Account password-derived kB value using this |
| michael@0 | 92 | * method. |
| michael@0 | 93 | */ |
| michael@0 | 94 | public static KeyBundle generateSyncKeyBundle(final byte[] kB) throws InvalidKeyException, NoSuchAlgorithmException, UnsupportedEncodingException { |
| michael@0 | 95 | byte[] encryptionKey = new byte[32]; |
| michael@0 | 96 | byte[] hmacKey = new byte[32]; |
| michael@0 | 97 | byte[] derived = HKDF.derive(kB, new byte[0], FxAccountUtils.KW("oldsync"), 2*32); |
| michael@0 | 98 | System.arraycopy(derived, 0*32, encryptionKey, 0, 1*32); |
| michael@0 | 99 | System.arraycopy(derived, 1*32, hmacKey, 0, 1*32); |
| michael@0 | 100 | return new KeyBundle(encryptionKey, hmacKey); |
| michael@0 | 101 | } |
| michael@0 | 102 | |
| michael@0 | 103 | /** |
| michael@0 | 104 | * Firefox Accounts are password authenticated, but clients should not store |
| michael@0 | 105 | * the plain-text password for any amount of time. Equivalent, but slightly |
| michael@0 | 106 | * more secure, is the quickly client-side stretched password. |
| michael@0 | 107 | * <p> |
| michael@0 | 108 | * We separate this since multiple login-time operations want it, and the |
| michael@0 | 109 | * PBKDF2 operation is computationally expensive. |
| michael@0 | 110 | */ |
| michael@0 | 111 | public static byte[] generateQuickStretchedPW(byte[] emailUTF8, byte[] passwordUTF8) throws GeneralSecurityException, UnsupportedEncodingException { |
| michael@0 | 112 | byte[] S = FxAccountUtils.KWE("quickStretch", emailUTF8); |
| michael@0 | 113 | try { |
| michael@0 | 114 | return NativeCrypto.pbkdf2SHA256(passwordUTF8, S, NUMBER_OF_QUICK_STRETCH_ROUNDS, 32); |
| michael@0 | 115 | } catch (final LinkageError e) { |
| michael@0 | 116 | // This will throw UnsatisifiedLinkError (missing mozglue) the first time it is called, and |
| michael@0 | 117 | // ClassNotDefFoundError, for the uninitialized NativeCrypto class, each subsequent time this |
| michael@0 | 118 | // is called; LinkageError is their common ancestor. |
| michael@0 | 119 | Logger.warn(LOG_TAG, "Got throwable stretching password using native pbkdf2SHA256 " + |
| michael@0 | 120 | "implementation; ignoring and using Java implementation.", e); |
| michael@0 | 121 | return PBKDF2.pbkdf2SHA256(passwordUTF8, S, NUMBER_OF_QUICK_STRETCH_ROUNDS, 32); |
| michael@0 | 122 | } |
| michael@0 | 123 | } |
| michael@0 | 124 | |
| michael@0 | 125 | /** |
| michael@0 | 126 | * The password-derived credential used to authenticate to the Firefox Account |
| michael@0 | 127 | * auth server. |
| michael@0 | 128 | */ |
| michael@0 | 129 | public static byte[] generateAuthPW(byte[] quickStretchedPW) throws GeneralSecurityException, UnsupportedEncodingException { |
| michael@0 | 130 | return HKDF.derive(quickStretchedPW, new byte[0], FxAccountUtils.KW("authPW"), 32); |
| michael@0 | 131 | } |
| michael@0 | 132 | |
| michael@0 | 133 | /** |
| michael@0 | 134 | * The password-derived credential used to unwrap keys managed by the Firefox |
| michael@0 | 135 | * Account auth server. |
| michael@0 | 136 | */ |
| michael@0 | 137 | public static byte[] generateUnwrapBKey(byte[] quickStretchedPW) throws GeneralSecurityException, UnsupportedEncodingException { |
| michael@0 | 138 | return HKDF.derive(quickStretchedPW, new byte[0], FxAccountUtils.KW("unwrapBkey"), 32); |
| michael@0 | 139 | } |
| michael@0 | 140 | |
| michael@0 | 141 | public static byte[] unwrapkB(byte[] unwrapkB, byte[] wrapkB) { |
| michael@0 | 142 | if (unwrapkB == null) { |
| michael@0 | 143 | throw new IllegalArgumentException("unwrapkB must not be null"); |
| michael@0 | 144 | } |
| michael@0 | 145 | if (wrapkB == null) { |
| michael@0 | 146 | throw new IllegalArgumentException("wrapkB must not be null"); |
| michael@0 | 147 | } |
| michael@0 | 148 | if (unwrapkB.length != CRYPTO_KEY_LENGTH_BYTES || wrapkB.length != CRYPTO_KEY_LENGTH_BYTES) { |
| michael@0 | 149 | throw new IllegalArgumentException("unwrapkB and wrapkB must be " + CRYPTO_KEY_LENGTH_BYTES + " bytes long"); |
| michael@0 | 150 | } |
| michael@0 | 151 | byte[] kB = new byte[CRYPTO_KEY_LENGTH_BYTES]; |
| michael@0 | 152 | for (int i = 0; i < wrapkB.length; i++) { |
| michael@0 | 153 | kB[i] = (byte) (wrapkB[i] ^ unwrapkB[i]); |
| michael@0 | 154 | } |
| michael@0 | 155 | return kB; |
| michael@0 | 156 | } |
| michael@0 | 157 | |
| michael@0 | 158 | /** |
| michael@0 | 159 | * The token server accepts an X-Client-State header, which is the |
| michael@0 | 160 | * lowercase-hex-encoded first 16 bytes of the SHA-256 hash of the |
| michael@0 | 161 | * bytes of kB. |
| michael@0 | 162 | * @param kB a byte array, expected to be 32 bytes long. |
| michael@0 | 163 | * @return a 32-character string. |
| michael@0 | 164 | * @throws NoSuchAlgorithmException |
| michael@0 | 165 | */ |
| michael@0 | 166 | public static String computeClientState(byte[] kB) throws NoSuchAlgorithmException { |
| michael@0 | 167 | if (kB == null || |
| michael@0 | 168 | kB.length != 32) { |
| michael@0 | 169 | throw new IllegalArgumentException("Unexpected kB."); |
| michael@0 | 170 | } |
| michael@0 | 171 | byte[] sha256 = Utils.sha256(kB); |
| michael@0 | 172 | byte[] truncated = new byte[16]; |
| michael@0 | 173 | System.arraycopy(sha256, 0, truncated, 0, 16); |
| michael@0 | 174 | return Utils.byte2Hex(truncated); // This is automatically lowercase. |
| michael@0 | 175 | } |
| michael@0 | 176 | |
| michael@0 | 177 | /** |
| michael@0 | 178 | * Given an endpoint, calculate the corresponding BrowserID audience. |
| michael@0 | 179 | * <p> |
| michael@0 | 180 | * This is the domain, in web parlance. |
| michael@0 | 181 | * |
| michael@0 | 182 | * @param serverURI endpoint. |
| michael@0 | 183 | * @return BrowserID audience. |
| michael@0 | 184 | * @throws URISyntaxException |
| michael@0 | 185 | */ |
| michael@0 | 186 | public static String getAudienceForURL(String serverURI) throws URISyntaxException { |
| michael@0 | 187 | URI uri = new URI(serverURI); |
| michael@0 | 188 | return new URI(uri.getScheme(), uri.getHost(), null, null).toString(); |
| michael@0 | 189 | } |
| michael@0 | 190 | } |
