use different key for envelope and header

2016-02-07 21:33:18 +01:00 · 2016-02-07 21:33:18 +01:00 · 19621fecdf
commit 19621fecdf
parent 1c2e2f560d
2 changed files with 20 additions and 7 deletions
--- a/lib/diaspora_federation/salmon/encrypted_slap.rb
+++ b/lib/diaspora_federation/salmon/encrypted_slap.rb
@ -172,11 +172,11 @@ module DiasporaFederation
      # @param [OpenSSL::PKey::RSA] pubkey recipient public_key
      # @return [String] encrypted base64 encoded header
      def encrypted_header(author_id, envelope_key, pubkey)
-        encoded_key = Hash[envelope_key.map {|k, v| [k, Base64.strict_encode64(v)] }]
-        data = header_xml(author_id, encoded_key)
-        ciphertext = AES.encrypt(data, envelope_key[:key], envelope_key[:iv])
+        data = header_xml(author_id, strict_base64_encode(envelope_key))
+        header_key = AES.generate_key_and_iv
+        ciphertext = AES.encrypt(data, header_key[:key], header_key[:iv])

-        json_key = JSON.generate(encoded_key)
+        json_key = JSON.generate(strict_base64_encode(header_key))
        encrypted_key = Base64.strict_encode64(pubkey.public_encrypt(json_key))

        json_header = JSON.generate(aes_key: encrypted_key, ciphertext: ciphertext)
@ -197,6 +197,12 @@ module DiasporaFederation
          }
        }.to_xml.strip
      end
+
+      # @param [Hash] hash { key: "...", iv: "..." }
+      # @return [Hash] encoded hash: { key: "...", iv: "..." }
+      def strict_base64_encode(hash)
+        Hash[hash.map {|k, v| [k, Base64.strict_encode64(v)] }]
+      end
    end
  end
 end
--- a/spec/lib/diaspora_federation/salmon/encrypted_slap_spec.rb
+++ b/spec/lib/diaspora_federation/salmon/encrypted_slap_spec.rb
@ -67,16 +67,23 @@ module DiasporaFederation
          doc1 = Nokogiri::XML::Document.parse(slap.generate_xml(recipient_key.public_key))
          enc_header1 = doc1.at_xpath("d:diaspora/d:encrypted_header", ns).content
          cipher_header1 = JSON.parse(Base64.decode64(enc_header1))
-          key_json1 = recipient_key.private_decrypt(Base64.decode64(cipher_header1["aes_key"]))
+          header_key1 = JSON.parse(recipient_key.private_decrypt(Base64.decode64(cipher_header1["aes_key"])))
+          decrypted_header1 = Salmon::AES.decrypt(cipher_header1["ciphertext"],
+                                                  Base64.decode64(header_key1["key"]),
+                                                  Base64.decode64(header_key1["iv"]))

          recipient2_key = OpenSSL::PKey::RSA.generate(1024)
          doc2 = Nokogiri::XML::Document.parse(slap.generate_xml(recipient2_key.public_key))
          enc_header2 = doc2.at_xpath("d:diaspora/d:encrypted_header", ns).content
          cipher_header2 = JSON.parse(Base64.decode64(enc_header2))
-          key_json2 = recipient2_key.private_decrypt(Base64.decode64(cipher_header2["aes_key"]))
+          header_key2 = JSON.parse(recipient2_key.private_decrypt(Base64.decode64(cipher_header2["aes_key"])))
+          decrypted_header2 = Salmon::AES.decrypt(cipher_header2["ciphertext"],
+                                                  Base64.decode64(header_key2["key"]),
+                                                  Base64.decode64(header_key2["iv"]))

          expect(enc_header1).not_to eq(enc_header2)
-          expect(key_json1).to eq(key_json2)
+          expect(header_key1).not_to eq(header_key2)
+          expect(decrypted_header1).to eq(decrypted_header2)
          expect(doc1.xpath("d:diaspora/me:env", ns).to_xml).to eq(doc2.xpath("d:diaspora/me:env", ns).to_xml)
        end