OmemoRatchet.java

  1. /**
  2.  *
  3.  * Copyright 2017 Paul Schaub, 2021 Florian Schmaus
  4.  *
  5.  * Licensed under the Apache License, Version 2.0 (the "License");
  6.  * you may not use this file except in compliance with the License.
  7.  * You may obtain a copy of the License at
  8.  *
  9.  *     http://www.apache.org/licenses/LICENSE-2.0
  10.  *
  11.  * Unless required by applicable law or agreed to in writing, software
  12.  * distributed under the License is distributed on an "AS IS" BASIS,
  13.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  14.  * See the License for the specific language governing permissions and
  15.  * limitations under the License.
  16.  */
  17. package org.jivesoftware.smackx.omemo;

  19. import java.io.IOException;
  20. import java.security.InvalidAlgorithmParameterException;
  21. import java.security.InvalidKeyException;
  22. import java.security.NoSuchAlgorithmException;
  23. import java.util.ArrayList;
  24. import java.util.List;
  25. import java.util.logging.Level;
  26. import java.util.logging.Logger;

  28. import javax.crypto.BadPaddingException;
  29. import javax.crypto.IllegalBlockSizeException;
  30. import javax.crypto.NoSuchPaddingException;

  32. import org.jivesoftware.smackx.omemo.element.OmemoElement;
  33. import org.jivesoftware.smackx.omemo.element.OmemoKeyElement;
  34. import org.jivesoftware.smackx.omemo.exceptions.CorruptedOmemoKeyException;
  35. import org.jivesoftware.smackx.omemo.exceptions.CryptoFailedException;
  36. import org.jivesoftware.smackx.omemo.exceptions.MultipleCryptoFailedException;
  37. import org.jivesoftware.smackx.omemo.exceptions.NoRawSessionException;
  38. import org.jivesoftware.smackx.omemo.exceptions.UntrustedOmemoIdentityException;
  39. import org.jivesoftware.smackx.omemo.internal.CipherAndAuthTag;
  40. import org.jivesoftware.smackx.omemo.internal.CiphertextTuple;
  41. import org.jivesoftware.smackx.omemo.internal.OmemoDevice;

  43. public abstract class OmemoRatchet<T_IdKeyPair, T_IdKey, T_PreKey, T_SigPreKey, T_Sess, T_Addr, T_ECPub, T_Bundle, T_Ciph> {
  44.     private static final Logger LOGGER = Logger.getLogger(OmemoRatchet.class.getName());

  46.     protected final OmemoManager omemoManager;
  47.     protected final OmemoStore<T_IdKeyPair, T_IdKey, T_PreKey, T_SigPreKey, T_Sess, T_Addr, T_ECPub, T_Bundle, T_Ciph> store;

  49.     /**
  50.      * Constructor.
  51.      *
  52.      * @param omemoManager omemoManager
  53.      * @param store omemoStore
  54.      */
  55.     public OmemoRatchet(OmemoManager omemoManager,
  56.                         OmemoStore<T_IdKeyPair, T_IdKey, T_PreKey, T_SigPreKey, T_Sess, T_Addr, T_ECPub, T_Bundle, T_Ciph> store) {
  57.         this.omemoManager = omemoManager;
  58.         this.store = store;
  59.     }

  61.     /**
  62.      * Decrypt a double-ratchet-encrypted message key.
  63.      *
  64.      * @param sender sender of the message.
  65.      * @param encryptedKey key encrypted with the ratchet of the sender.
  66.      * @return decrypted message key.
  67.      *
  68.      * @throws CorruptedOmemoKeyException if the OMEMO key is corrupted.
  69.      * @throws NoRawSessionException when no double ratchet session was found.
  70.      * @throws CryptoFailedException if the OMEMO cryptography failed.
  71.      * @throws UntrustedOmemoIdentityException if the OMEMO identity is not trusted.
  72.      * @throws IOException if an I/O error occurred.
  73.      */
  74.     public abstract byte[] doubleRatchetDecrypt(OmemoDevice sender, byte[] encryptedKey)
  75.             throws CorruptedOmemoKeyException, NoRawSessionException, CryptoFailedException,
  76.             UntrustedOmemoIdentityException, IOException;

  78.     /**
  79.      * Encrypt a messageKey with the double ratchet session of the recipient.
  80.      *
  81.      * @param recipient recipient of the message.
  82.      * @param messageKey key we want to encrypt.
  83.      * @return encrypted message key.
  84.      */
  85.     public abstract CiphertextTuple doubleRatchetEncrypt(OmemoDevice recipient, byte[] messageKey);

  87.     /**
  88.      * Try to decrypt the transported message key using the double ratchet session.
  89.      *
  90.      * @param element omemoElement
  91.      * @return tuple of cipher generated from the unpacked message key and the auth-tag
  92.      *
  93.      * @throws CryptoFailedException if decryption using the double ratchet fails
  94.      * @throws NoRawSessionException if we have no session, but the element was NOT a PreKeyMessage
  95.      * @throws IOException if an I/O error occurred.
  96.      */
  97.     CipherAndAuthTag retrieveMessageKeyAndAuthTag(OmemoDevice sender, OmemoElement element) throws CryptoFailedException,
  98.             NoRawSessionException, IOException {
  99.         int keyId = omemoManager.getDeviceId();
  100.         byte[] unpackedKey = null;
  101.         List<CryptoFailedException> decryptExceptions = new ArrayList<>();
  102.         List<OmemoKeyElement> keys = element.getHeader().getKeys();

  104.         boolean preKey = false;

  106.         // Find key with our ID.
  107.         for (OmemoKeyElement k : keys) {
  108.             if (k.getId() == keyId) {
  109.                 try {
  110.                     unpackedKey = doubleRatchetDecrypt(sender, k.getData());
  111.                     preKey = k.isPreKey();
  112.                     break;
  113.                 } catch (CryptoFailedException e) {
  114.                     // There might be multiple keys with our id, but we can only decrypt one.
  115.                     // So we can't throw the exception, when decrypting the first duplicate which is not for us.
  116.                     decryptExceptions.add(e);
  117.                 } catch (CorruptedOmemoKeyException e) {
  118.                     decryptExceptions.add(new CryptoFailedException(e));
  119.                 } catch (UntrustedOmemoIdentityException e) {
  120.                     LOGGER.log(Level.WARNING, "Received message from " + sender + " contained unknown identityKey. Ignore message.", e);
  121.                 }
  122.             }
  123.         }

  125.         if (unpackedKey == null) {
  126.             if (!decryptExceptions.isEmpty()) {
  127.                 throw MultipleCryptoFailedException.from(decryptExceptions);
  128.             }

  130.             throw new CryptoFailedException("Transported key could not be decrypted, since no suitable message key " +
  131.                     "was provided. Provides keys: " + keys);
  132.         }

  134.         // Split in AES auth-tag and key
  135.         byte[] messageKey = new byte[16];
  136.         byte[] authTag = null;

  138.         if (unpackedKey.length == 32) {
  139.             authTag = new byte[16];
  140.             // copy key part into messageKey
  141.             System.arraycopy(unpackedKey, 0, messageKey, 0, 16);
  142.             // copy tag part into authTag
  143.             System.arraycopy(unpackedKey, 16, authTag, 0, 16);
  144.         } else if (element.isKeyTransportElement() && unpackedKey.length == 16) {
  145.             messageKey = unpackedKey;
  146.         } else {
  147.             throw new CryptoFailedException("MessageKey has wrong length: "
  148.                     + unpackedKey.length + ". Probably legacy auth tag format.");
  149.         }

  151.         return new CipherAndAuthTag(messageKey, element.getHeader().getIv(), authTag, preKey);
  152.     }

  154.     /**
  155.      * Use the symmetric key in cipherAndAuthTag to decrypt the payload of the omemoMessage.
  156.      * The decrypted payload will be the body of the returned Message.
  157.      *
  158.      * @param element omemoElement containing a payload.
  159.      * @param cipherAndAuthTag cipher and authentication tag.
  160.      * @return decrypted plain text.
  161.      *
  162.      * @throws CryptoFailedException if decryption using AES key fails.
  163.      */
  164.     static String decryptMessageElement(OmemoElement element, CipherAndAuthTag cipherAndAuthTag)
  165.             throws CryptoFailedException {
  166.         if (!element.isMessageElement()) {
  167.             throw new IllegalArgumentException("decryptMessageElement cannot decrypt OmemoElement which is no MessageElement!");
  168.         }

  170.         if (cipherAndAuthTag.getAuthTag() == null || cipherAndAuthTag.getAuthTag().length != 16) {
  171.             throw new CryptoFailedException("AuthenticationTag is null or has wrong length: "
  172.                     + (cipherAndAuthTag.getAuthTag() == null ? "null" : cipherAndAuthTag.getAuthTag().length));
  173.         }

  175.         byte[] encryptedBody = payloadAndAuthTag(element, cipherAndAuthTag.getAuthTag());

  177.         try {
  178.             return cipherAndAuthTag.decrypt(encryptedBody);
  179.         } catch (IllegalBlockSizeException | BadPaddingException | InvalidKeyException | NoSuchAlgorithmException
  180.                         | NoSuchPaddingException | InvalidAlgorithmParameterException e) {
  181.             throw new CryptoFailedException("decryptMessageElement could not decipher message body", e);
  182.         }
  183.     }

  185.     /**
  186.      * Return the concatenation of the payload of the OmemoElement and the given auth tag.
  187.      *
  188.      * @param element omemoElement (message element)
  189.      * @param authTag authTag
  190.      * @return payload + authTag
  191.      */
  192.     static byte[] payloadAndAuthTag(OmemoElement element, byte[] authTag) {
  193.         if (!element.isMessageElement()) {
  194.             throw new IllegalArgumentException("OmemoElement has no payload.");
  195.         }

  197.         byte[] payload = new byte[element.getPayload().length + authTag.length];
  198.         System.arraycopy(element.getPayload(), 0, payload, 0, element.getPayload().length);
  199.         System.arraycopy(authTag, 0, payload, element.getPayload().length, authTag.length);
  200.         return payload;
  201.     }

  203. }
Created with JaCoCo 0.8.6.202009150832