Stian/Shade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
96a8c210b2a5613620277a1f09d3a064dc4cb455
Shade/packages/shade-crypto-web/src/provider.ts
Sterister 96a8c210b2 feat(hardening): M-Hard 1-5 — crypto, auth, rate limit, fingerprints, rotation 
M-Hard 1: Cryptographic Hardening
- constantTimeEqual, zeroize, randomUint32 on CryptoProvider
- Fix Math.random() → crypto.randomUint32() for registrationId
- Zero message keys and chain keys after use in ratchet.ts
- Constant-time trust comparison in MemoryStorage + SQLiteStorage
- Timing variance test catches early-exit regressions

M-Hard 2: Self-Authenticated Prekey Server
- Ed25519 signature verification on all write routes
- signPayload/verifyPayload with canonical JSON, ±5 min replay window
- Address validation (NFKC, alphanumeric + :_-.)
- Global ShadeError → HTTP status mapping
- ShadeFetchTransport signs requests when signingPrivateKey provided
- Anonymous bundle fetches still allowed (read-only)

M-Hard 3: Rate Limiting + DoS Protection
- Token bucket rate limiter with pluggable store
- Per-route limits: register 5/h/IP, fetch 60/min/IP, replenish 10/min/id
- 64KB body size limit on POST
- Retry-After header on 429 responses

M-Hard 4: Auto-replenish + Fingerprints + Session Reset
- Safety numbers (12 groups × 5 digits, Signal-style)
- ensurePreKeyStock, resetSession, acceptIdentityChange
- verifyRemoteIdentity for out-of-band comparison

M-Hard 5: Identity Rotation with Grace Period
- rotateIdentity archives old identity, generates fresh signed prekey
- RetiredIdentity storage with addRetired/getRetired/pruneRetired
- 7-day default grace period for decrypting old sessions
- pruneExpiredIdentities for cleanup

M-Hard 8: Error Hierarchy
- New error types: Network, Storage, Validation, Timeout, RateLimit,
  Configuration, Unauthorized, Replay, IdentityRotation
- All errors have stable SHADE_* codes
- errorToHttpStatus for consistent HTTP mapping
- toJSON() for network serialization

188 tests passing, zero failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 17:45:34 +02:00

139 lines
4.5 KiB
TypeScript
Raw Blame History

import type { CryptoProvider } from '@shade/core';
import { x25519 } from '@noble/curves/ed25519.js';
import { ed25519 } from '@noble/curves/ed25519.js';
/**
* SubtleCrypto + noble/curves implementation of CryptoProvider.
*
* Uses @noble/curves for X25519 and Ed25519 (reliable across all runtimes)
* and Web Crypto API for AES-256-GCM, HKDF, and HMAC (hardware-accelerated).
*/
export class SubtleCryptoProvider implements CryptoProvider {
private readonly subtle: SubtleCrypto;
constructor(subtle?: SubtleCrypto) {
this.subtle = subtle ?? globalThis.crypto.subtle;
}
// ─── X25519 (via @noble/curves) ────────────────────────────
async generateX25519KeyPair(): Promise<{ publicKey: Uint8Array; privateKey: Uint8Array }> {
const privateKey = this.randomBytes(32);
const publicKey = x25519.getPublicKey(privateKey);
return { publicKey, privateKey };
}
async x25519(privateKey: Uint8Array, publicKey: Uint8Array): Promise<Uint8Array> {
return x25519.getSharedSecret(privateKey, publicKey);
}
// ─── Ed25519 (via @noble/curves) ───────────────────────────
async generateEd25519KeyPair(): Promise<{ publicKey: Uint8Array; privateKey: Uint8Array }> {
const privateKey = this.randomBytes(32);
const publicKey = ed25519.getPublicKey(privateKey);
return { publicKey, privateKey };
}
async sign(privateKey: Uint8Array, message: Uint8Array): Promise<Uint8Array> {
return ed25519.sign(message, privateKey);
}
async verify(publicKey: Uint8Array, message: Uint8Array, signature: Uint8Array): Promise<boolean> {
try {
return ed25519.verify(signature, message, publicKey);
} catch {
return false;
}
}
// ─── AES-256-GCM (via SubtleCrypto) ───────────────────────
async aesGcmEncrypt(
key: Uint8Array,
plaintext: Uint8Array,
aad?: Uint8Array,
): Promise<{ ciphertext: Uint8Array; nonce: Uint8Array }> {
const nonce = this.randomBytes(12);
const aesKey = await this.subtle.importKey('raw', key, 'AES-GCM', false, ['encrypt']);
const encrypted = await this.subtle.encrypt(
{ name: 'AES-GCM', iv: nonce, additionalData: aad },
aesKey,
plaintext,
);
return { ciphertext: new Uint8Array(encrypted), nonce };
}
async aesGcmDecrypt(
key: Uint8Array,
ciphertext: Uint8Array,
nonce: Uint8Array,
aad?: Uint8Array,
): Promise<Uint8Array> {
const aesKey = await this.subtle.importKey('raw', key, 'AES-GCM', false, ['decrypt']);
const decrypted = await this.subtle.decrypt(
{ name: 'AES-GCM', iv: nonce, additionalData: aad },
aesKey,
ciphertext,
);
return new Uint8Array(decrypted);
}
// ─── Key Derivation (via SubtleCrypto) ─────────────────────
async hkdf(
ikm: Uint8Array,
salt: Uint8Array,
info: Uint8Array,
length: number,
): Promise<Uint8Array> {
const baseKey = await this.subtle.importKey('raw', ikm, 'HKDF', false, ['deriveBits']);
const bits = await this.subtle.deriveBits(
{ name: 'HKDF', hash: 'SHA-256', salt, info },
baseKey,
length * 8,
);
return new Uint8Array(bits);
}
async hmacSha256(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {
const hmacKey = await this.subtle.importKey(
'raw',
key,
{ name: 'HMAC', hash: 'SHA-256' },
false,
['sign'],
);
const sig = await this.subtle.sign('HMAC', hmacKey, data);
return new Uint8Array(sig);
}
// ─── Random ────────────────────────────────────────────────
randomBytes(length: number): Uint8Array {
const buf = new Uint8Array(length);
globalThis.crypto.getRandomValues(buf);
return buf;
}
// ─── Hardening ─────────────────────────────────────────────
constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {
if (a.length !== b.length) return false;
let diff = 0;
for (let i = 0; i < a.length; i++) {
diff |= a[i]! ^ b[i]!;
}
return diff === 0;
}
zeroize(buf: Uint8Array): void {
buf.fill(0);
}
randomUint32(): number {
const buf = this.randomBytes(4);
return new DataView(buf.buffer, buf.byteOffset, 4).getUint32(0, false);
}
}
Reference in New Issue View Git Blame Copy Permalink