1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
|
// Package chain provides chain keys used in double ratchet sessions.
package chain
import (
"crypto/hmac"
"crypto/sha256"
"go.mau.fi/libsignal/kdf"
"go.mau.fi/libsignal/keys/message"
)
var messageKeySeed = []byte{0x01}
var chainKeySeed = []byte{0x02}
// NewKey returns a new chain key with the given kdf, key, and index
func NewKey(kdf kdf.HKDF, key []byte, index uint32) *Key {
chainKey := Key{
kdf: kdf,
key: key,
index: index,
}
return &chainKey
}
// NewKeyFromStruct will return a chain key built from the given structure.
func NewKeyFromStruct(structure *KeyStructure, kdf kdf.HKDF) *Key {
return NewKey(
kdf,
structure.Key,
structure.Index,
)
}
// NewStructFromKey will return a chain key structure for serialization.
func NewStructFromKey(key *Key) *KeyStructure {
return &KeyStructure{
Key: key.key,
Index: key.index,
}
}
// KeyStructure is a serializeable structure for chain keys.
type KeyStructure struct {
Key []byte
Index uint32
}
// Key is used for generating message keys. This key "ratchets" every time a
// message key is generated. Every time the chain key ratchets forward, its index
// increases by one.
type Key struct {
kdf kdf.HKDF
key []byte
index uint32 // Index's maximum size: 4,294,967,295
}
// Current returns the current ChainKey struct.
func (c *Key) Current() *Key {
return c
}
// Key returns the ChainKey's key material.
func (c *Key) Key() []byte {
return c.key
}
// SetKey will set the ChainKey's key material.
func (c *Key) SetKey(key []byte) {
c.key = key
}
// Index returns how many times the ChainKey has been "ratcheted" forward.
func (c *Key) Index() uint32 {
return c.index
}
// SetIndex sets how many times the ChainKey has been "ratcheted" forward.
func (c *Key) SetIndex(index uint32) {
c.index = index
}
// NextKey uses the key derivation function to generate a new ChainKey.
func (c *Key) NextKey() *Key {
nextKey := c.BaseMaterial(chainKeySeed)
return NewKey(c.kdf, nextKey, c.index+1)
}
// MessageKeys returns message keys, which includes the cipherkey, mac, iv, and index.
func (c *Key) MessageKeys() *message.Keys {
inputKeyMaterial := c.BaseMaterial(messageKeySeed)
keyMaterialBytes, _ := c.kdf(inputKeyMaterial, nil, []byte(message.KdfSalt), message.DerivedSecretsSize)
keyMaterial := newKeyMaterial(keyMaterialBytes)
// Use the key material returned from the key derivation function for our cipherkey, mac, and iv.
messageKeys := message.NewKeys(
keyMaterial.CipherKey, // Use the first 32 bytes of the key material for the CipherKey
keyMaterial.MacKey, // Use bytes 32-64 of the key material for the MacKey
keyMaterial.IV, // Use the last 16 bytes for the IV.
c.Index(), // Attach the chain key's index to the message keys.
)
return messageKeys
}
// BaseMaterial uses hmac to derive the base material used in the key derivation function for a new key.
func (c *Key) BaseMaterial(seed []byte) []byte {
mac := hmac.New(sha256.New, c.key[:])
mac.Write(seed)
return mac.Sum(nil)
}
// NewKeyMaterial takes an 80-byte slice derived from a key derivation function and splits
// it into the cipherkey, mac, and iv.
func newKeyMaterial(keyMaterialBytes []byte) *kdf.KeyMaterial {
cipherKey := keyMaterialBytes[:32] // Use the first 32 bytes of the key material for the CipherKey
macKey := keyMaterialBytes[32:64] // Use bytes 32-64 of the key material for the MacKey
iv := keyMaterialBytes[64:80] // Use the last 16 bytes for the IV.
keyMaterial := kdf.KeyMaterial{
CipherKey: cipherKey,
MacKey: macKey,
IV: iv,
}
return &keyMaterial
}
|
