From 19621fecdff347e617dfa2693ddfb446617cba02 Mon Sep 17 00:00:00 2001
From: Benjamin Neff
Date: Sun, 7 Feb 2016 21:33:18 +0100
Subject: [PATCH] use different key for envelope and header

---
 lib/diaspora_federation/salmon/encrypted_slap.rb | 14 ++++++++++----
 .../salmon/encrypted_slap_spec.rb | 13 ++++++++++---
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/lib/diaspora_federation/salmon/encrypted_slap.rb b/lib/diaspora_federation/salmon/encrypted_slap.rb
index 32d2bcf..3a22aae 100644
--- a/lib/diaspora_federation/salmon/encrypted_slap.rb
+++ b/lib/diaspora_federation/salmon/encrypted_slap.rb
@@ -172,11 +172,11 @@ module DiasporaFederation
 # @param [OpenSSL::PKey::RSA] pubkey recipient public_key
 # @return [String] encrypted base64 encoded header
 def encrypted_header(author_id, envelope_key, pubkey)
- encoded_key = Hash[envelope_key.map {|k, v| [k, Base64.strict_encode64(v)] }]
- data = header_xml(author_id, encoded_key)
- ciphertext = AES.encrypt(data, envelope_key[:key], envelope_key[:iv])
+ data = header_xml(author_id, strict_base64_encode(envelope_key))
+ header_key = AES.generate_key_and_iv
+ ciphertext = AES.encrypt(data, header_key[:key], header_key[:iv])

- json_key = JSON.generate(encoded_key)
+ json_key = JSON.generate(strict_base64_encode(header_key))
 encrypted_key = Base64.strict_encode64(pubkey.public_encrypt(json_key))

 json_header = JSON.generate(aes_key: encrypted_key, ciphertext: ciphertext)
@@ -197,6 +197,12 @@ module DiasporaFederation
 }
 }.to_xml.strip
 end
+
+ # @param [Hash] hash { key: "...", iv: "..." }
+ # @return [Hash] encoded hash: { key: "...", iv: "..." }
+ def strict_base64_encode(hash)
+ Hash[hash.map {|k, v| [k, Base64.strict_encode64(v)] }]
+ end
 end
 end
 end
diff --git a/spec/lib/diaspora_federation/salmon/encrypted_slap_spec.rb b/spec/lib/diaspora_federation/salmon/encrypted_slap_spec.rb
index 40ec4f0..fd4c163 100644
--- a/spec/lib/diaspora_federation/salmon/encrypted_slap_spec.rb
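Review bot: The reason for the new `header_key = AES.generate_key_and_iv` line in `encrypted_header` is not recorded anywhere in the method, so a later reader may "simplify" it back to encrypting the header under `envelope_key` — the exact weakness this commit removes, since the header's plaintext contains that key. A why-comment on that line would pin it: `# fresh per-call key: the header carries envelope_key, so it must not also be encrypted under it`, and the `@param envelope_key` description (above the hunk) should say the key is only embedded in the header XML, not used to encrypt it. This assumes `AES.generate_key_and_iv` draws from a CSPRNG, which this hunk does not show; worth a one-line confirmation in its own docs. The method's YARD block and its tail after `json_header` lie outside the hunk.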
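Review bot: `Hash[hash.map {|k, v| [k, Base64.strict_encode64(v)] }]` in the new `strict_base64_encode` builds a throwaway array of pairs before converting; `hash.each_with_object({}) { |(k, v), out| out[k] = Base64.strict_encode64(v) }` states the intent directly with the Ruby versions this file already targets. The YARD `@param` text `hash { key: "...", iv: "..." }` reads as if the braces were part of the parameter name; describing the values as raw key and iv byte strings that are returned strict-base64 encoded (no line breaks, so they are safe to embed in JSON and XML) would be clearer. Whether the helper lands below a `private` marker is not visible here — it follows `header_xml`, whose visibility is outside the hunk — and it should be private if that one is.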
+++ b/spec/lib/diaspora_federation/salmon/encrypted_slap_spec.rb
@@ -67,16 +67,23 @@ module DiasporaFederation
 doc1 = Nokogiri::XML::Document.parse(slap.generate_xml(recipient_key.public_key))
 enc_header1 = doc1.at_xpath("d:diaspora/d:encrypted_header", ns).content
 cipher_header1 = JSON.parse(Base64.decode64(enc_header1))
- key_json1 = recipient_key.private_decrypt(Base64.decode64(cipher_header1["aes_key"]))
+ header_key1 = JSON.parse(recipient_key.private_decrypt(Base64.decode64(cipher_header1["aes_key"])))
+ decrypted_header1 = Salmon::AES.decrypt(cipher_header1["ciphertext"], Base64.decode64(header_key1["key"]), Base64.decode64(header_key1["iv"]))
 recipient2_key = OpenSSL::PKey::RSA.generate(1024)
 doc2 = Nokogiri::XML::Document.parse(slap.generate_xml(recipient2_key.public_key))
 enc_header2 = doc2.at_xpath("d:diaspora/d:encrypted_header", ns).content
 cipher_header2 = JSON.parse(Base64.decode64(enc_header2))
- key_json2 = recipient2_key.private_decrypt(Base64.decode64(cipher_header2["aes_key"]))
+ header_key2 = JSON.parse(recipient2_key.private_decrypt(Base64.decode64(cipher_header2["aes_key"])))
+ decrypted_header2 = Salmon::AES.decrypt(cipher_header2["ciphertext"], Base64.decode64(header_key2["key"]), Base64.decode64(header_key2["iv"]))
 expect(enc_header1).not_to eq(enc_header2)
- expect(key_json1).to eq(key_json2)
+ expect(header_key1).not_to eq(header_key2)
+ expect(decrypted_header1).to eq(decrypted_header2)
 expect(doc1.xpath("d:diaspora/me:env", ns).to_xml).to eq(doc2.xpath("d:diaspora/me:env", ns).to_xml)
 end
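Review bot: The new assertions prove the two header keys differ from each other and that both headers decrypt to the same plaintext, but nothing checks the property in the commit subject — that the header key differs from the envelope key the header carries. Parsing the envelope key out of `decrypted_header1` (the element name is not visible in this hunk) and asserting it is not equal to `Base64.decode64(header_key1["key"])` would make a regression to the old single-key scheme fail the spec. The enclosing `it` block starts outside the hunk.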