Certificate Patches

New Optional Connection ID Encryption
New Crypto Helper Functions
Profiles Added
Code Cleanup
Demo scripts working again

.gitignore

@@ -29,9 +29,9 @@ node_modules
 ############
 tests/*
 
-# Example UWBridge #
+# Testing #
 ############
-uwBridge/apps/akerna/
+tempCodeRunnerFile.js
 
 # Logs and databases #
 ######################

package.json

@@ -18,7 +18,7 @@
 		"@babel/preset-env": "^7.20.2",
 		"@microsoft/eslint-formatter-sarif": "^3.0.0",
 		"@rollup/plugin-terser": "^0.4.0",
-		"Acid": "^3.0.25",
+		"Acid": "*",
 		"auto-changelog": "^2.4.0",
 		"brotli": "^1.3.3",
 		"compression": "^1.7.4",

scripts/certificates.js

@@ -1,7 +1,8 @@
 import { createProfile } from '#certificate';
 import { currentPath } from '#directory';
+import { decode } from 'msgpackr';
 const dirname = currentPath(import.meta);
-const domainCert = await createProfile({
+const domainProfile = await createProfile({
 	template: {
 		ephemeral: {
 			version: 1,
@@ -25,8 +26,8 @@ const domainCert = await createProfile({
 	savePath: `${dirname}/../services`,
 	certificateName: 'universal.web'
 });
-console.log('DOMAIN CERTIFICATE CREATED');
-const identityCert = await createProfile({
+console.log('DOMAIN Profile created (Master & IDENTITY CERTIFICATEs)', decode(domainProfile.ephemeral.certificate));
+const profile = await createProfile({
 	template: {
 		ephemeral: {
 			version: 1,
@@ -38,4 +39,4 @@ const identityCert = await createProfile({
 	savePath: `${dirname}/../profiles`,
 	certificateName: 'default'
 });
-console.log('IDENTITY CERTIFICATE CREATED');
+console.log('Profile created (Master & IDENTITY CERTIFICATEs)', decode(profile.ephemeral.certificate));

udsp/client/index.js

@@ -22,7 +22,12 @@ import dgram from 'dgram';
 // Default utility imports
 import { success, configure, info } from '#logs';
 import {
-	createSessionKey, clientSession, keypair, toBase64, emptyNonce, sessionKeys, randomConnectionId, ed25519ToCurve25519PublicKey
+	keypair,
+	toBase64,
+	emptyNonce,
+	randomConnectionId,
+	clientSessionKeys,
+	signPublicKeyToEncryptPublicKey
 } from '#crypto';
 import { pluckBuffer } from '#pluckBuffer';
 import { getCertificate } from '#certificate';
@@ -60,20 +65,20 @@ export class Client {
 			profile,
 		});
 		thisClient.keypair = keypair();
-		thisClient.destinationPublicKey = service.publicKey;
-		thisClient.destinationBoxPublicKey = ed25519ToCurve25519PublicKey(service.publicKey);
+		thisClient.destinationPublicKey = signPublicKeyToEncryptPublicKey(service.publicKey);
 		const {
 			publicKey,
 			privateKey,
 		} = thisClient.keypair;
-		const clientSessionKeys = sessionKeys(publicKey, privateKey, thisClient.destinationPublicKey);
+		const sessionKeys = clientSessionKeys(publicKey, privateKey, thisClient.destinationPublicKey);
 		const {
 			transmitKey,
 			receiveKey
-		} = clientSessionKeys;
+		} = sessionKeys;
 		thisClient.transmitKey = transmitKey;
 		thisClient.receiveKey = receiveKey;
-		configure(`Shared Keys Created`);
+		success(`receiveKey: ${toBase64(receiveKey)}`);
+		success(`transmitKey: ${toBase64(transmitKey)}`);
 		this.connect = connect.bind(this);
 		this.send = send.bind(this);
 		this.request = request.bind(this);
@@ -102,7 +107,7 @@ export class Client {
 			privateKey
 		} = thisClient.keypair;
 		thisClient.destination.publicKey = targetPublicKey;
-		const newSessionKeys = sessionKeys(publicKey, privateKey, targetPublicKey);
+		const newSessionKeys = clientSessionKeys(publicKey, privateKey, targetPublicKey);
 		thisClient.ephemeralKeypair = thisClient.reKey;
 		thisClient.transmitKey = newSessionKeys.transmitKey;
 		thisClient.receiveKey = newSessionKeys.receiveKey;

udsp/client/onPacket.js

@@ -5,7 +5,6 @@ import { decode } from 'msgpackr';
 import { decrypt, createSessionKey } from '#crypto';
 import { decodePacket, decodePacketHeaders } from '#udsp/decodePacket';
 imported('Server onMessage');
-import { reKey } from '#udsp/reKey';
 import { processMessage } from './processMessage.js';
 export async function onMessage(packetEncoded) {
 	const {

udsp/client/send.js

@@ -27,7 +27,7 @@ export async function send(config) {
 		connectionIdKeypair,
 		service,
 		service: { encryptConnectionId },
-		destinationBoxPublicKey
+		destinationPublicKey
 	} = client;
 	const packet = await encodePacket({
 		client,
@@ -45,7 +45,7 @@ export async function send(config) {
 		destination: service,
 		connectionIdKeypair,
 		encryptConnectionId,
-		destinationBoxPublicKey
+		destinationPublicKey
 	});
 	msgSent(`Packet Size ${packet.length}`, message, port, ip);
 	return promise((accept, reject) => {

udsp/decodePacket.js

@@ -4,7 +4,7 @@ import {
 import { decode, } from 'msgpackr';
 import { assign, } from 'Acid';
 import {
-	encrypt, nonceBox, toBase64, decrypt, boxUnseal, sessionKeys
+	encrypt, nonceBox, toBase64, decrypt, boxUnseal
 } from '#crypto';
 import { createClient } from './server/clients/index.js';
 export function decodePacketHeaders(config) {
@@ -18,6 +18,7 @@ export function decodePacketHeaders(config) {
 		state,
 		connectionIdKeypair,
 		keypair,
+		encryptKeypair
 	} = config;
 	const client = config.client;
 	info(`Packet Encoded Size ${packetEncoded.length}`);
@@ -27,14 +28,17 @@ export function decodePacketHeaders(config) {
 		return failed(`No headers -> Invalid Packet`);
 	}
 	const headers = decode(headersEncoded);
+	console.log(headers);
 	if (!headers) {
 		return failed(`No headers -> Invalid Packet`);
 	}
+	const boxPublicKey = encryptKeypair?.publicKey || keypair.publicKey;
+	const boxPrivateKey = encryptKeypair?.privateKey || keypair.privateKey;
 	info(`clientId: ${toBase64(headers.id)}`);
 	if (headers.key) {
 		success(`Public Key is given -> Processing as create client`);
-		console.log(keypair);
-		const publicKey = boxUnseal(headers.key, keypair.publicKey, keypair.privateKey);
+		console.log(toBase64(encryptKeypair.publicKey));
+		const publicKey = boxUnseal(headers.key, boxPublicKey, boxPrivateKey);
 		if (!publicKey) {
 			return failed(publicKey, 'Client Key Decrypt Failed');
 		}
@@ -45,7 +49,7 @@ export function decodePacketHeaders(config) {
 	info(`headers.id: ${toBase64(headers.id)}`);
 	if (headers.id.length > 24) {
 		success('Server Connection ID Decrypted');
-		const headerId = boxUnseal(headers.key, connectionIdKeypair.publicKey, connectionIdKeypair.privateKey);
+		const headerId = boxUnseal(headers.id, boxPublicKey, boxPrivateKey);
 		if (!headers.id) {
 			return failed(headers.id, 'Packet ID Decrypt Failed');
 		}

udsp/encodePacket.js

@@ -17,7 +17,6 @@ import {
 	toBase64,
 	signDetached,
 	boxSeal,
-	boxUnseal,
 } from '#crypto';
 export async function encodePacket(data) {
 	const {
@@ -36,12 +35,12 @@ export async function encodePacket(data) {
 		connectionIdKeypair,
 		encryptConnectionId,
 		isClient,
-		destinationBoxPublicKey
+		destinationPublicKey
 	} = data;
 	const nonce = randomize(nonceBuffer);
 	if (id) {
 		if (encryptConnectionId) {
-			headers.id = boxSeal(id, destination.publicKey);
+			headers.id = boxSeal(id, destinationPublicKey);
 		} else {
 			headers.id = id;
 		}
@@ -52,11 +51,12 @@ export async function encodePacket(data) {
 	message.t = Date.now();
 	if (isClient) {
 		if (state === 0) {
-			console.log('DESTINATION PUBLIC KEY', destination.publicKey);
-			headers.key = boxSeal(keypair.publicKey, destination.publicKey);
+			console.log('DESTINATION PUBLIC KEY', toBase64(destinationPublicKey));
+			headers.key = boxSeal(keypair.publicKey, destinationPublicKey);
 			const timeBuffer = Buffer.from(message.t.toString());
 			// This can be seperated out as an authentication request to the service or it can be done here
-			const authenticationBuffer = Buffer.concat([timeBuffer, destination.publicKey, keypair.publicKey]);
+			// It's for the client to confirm to the server that it is indeed who it says it is
+			const authenticationBuffer = Buffer.concat([timeBuffer, destinationPublicKey]);
 			const profileKeypairSignature = signDetached(authenticationBuffer, profile.privateKey);
 			message.sig = profileKeypairSignature;
 			message.idc = profile.publicKey;

udsp/server/actions/connect.js

@@ -1,5 +1,4 @@
 import { info } from '#logs';
-import { keypair, boxSeal } from '#crypto';
 export async function opn(reply) {
 	const {
 		resourceDirectory,
@@ -43,8 +42,6 @@ export async function opn(reply) {
 	}
 	// connection status - backwards compatibility
 	response.state = 1;
-	// Server connection id
-	// client.reKey = keypair();
-	// response.body.reKey = boxSeal(client.reKey.publicKey, client.publicKey);
+	// REKEY THE CLIENT BEFORE SENDING BACK
 	reply.send('struct');
 }

udsp/server/clients/index.js

@@ -9,7 +9,7 @@ import {
 	success, failed, imported, msgSent, info, msgReceived
 } from '#logs';
 import { UniqID, construct, assign } from 'Acid';
-import { sessionKeys, keypair, toBase64 } from '#crypto';
+import { keypair, toBase64 } from '#crypto';
 export class Client {
 	descriptor = 'client';
 	client = true;
@@ -86,21 +86,21 @@ export class Client {
 		info(`socket EVENT -> send - ID:${this.id}`);
 	}
 	async authenticate(packet) {
-		const nonce = packet.headers.nonce;
-		success(`idc: ${toBase64(packet.message.idc)}`);
-		success(`sig: ${toBase64(packet.message.sig)}`);
-		const idc = packet.message.idc;
-		const sig = packet.message.sig;
-		if (!idc) {
-			return failed('No Identity Provided', this.id);
-		}
-		if (!sig) {
-			return failed('No Sig Provided', this.id);
-		}
-		const sigVerify = signVerifyHash(sig, Buffer.concat([nonce, this.publicKey]), idc.key);
-		console.log('Concat Sig', Buffer.concat([nonce, this.publicKey]));
-		console.log('SIGNature Hash', sig);
-		info(`socket EVENT -> identity - ID:${this.id}`);
+		// const nonce = packet.headers.nonce;
+		// success(`idc: ${toBase64(packet.message.idc)}`);
+		// success(`sig: ${toBase64(packet.message.sig)}`);
+		// const idc = packet.message.idc;
+		// const sig = packet.message.sig;
+		// if (!idc) {
+		// 	return failed('No Identity Provided', this.id);
+		// }
+		// if (!sig) {
+		// 	return failed('No Sig Provided', this.id);
+		// }
+		// const sigVerify = signVerifyHash(sig, Buffer.concat([nonce, this.publicKey]), idc.key);
+		// console.log('Concat Sig', Buffer.concat([nonce, this.publicKey]));
+		// console.log('SIGNature Hash', sig);
+		// info(`socket EVENT -> identity - ID:${this.id}`);
 	}
 	async destroy(destroyCode) {
 		const server = this.server();

udsp/server/clients/initialize.js

@@ -1,7 +1,7 @@
 import { created } from './created.js';
 import {
 	decrypt, emptyNonce, keypair,
-	sessionKeys, toBase64, boxUnseal,
+	serverSessionKeys, toBase64,
 	randomConnectionId,
 	randomBuffer
 } from '#crypto';
@@ -20,9 +20,9 @@ export async function initialize(config) {
 		key: publicKey
 	} = config;
 	const {
-		keypair: {
-			private: serverPrivateKey,
-			key: serverPublicKey
+		encryptKeypair: {
+			privateKey: serverPrivateKey,
+			publicKey: serverPublicKey
 		},
 		clients,
 		configuration: { id: serverId }
@@ -31,14 +31,16 @@ export async function initialize(config) {
 		address,
 		port
 	} = connection;
-	const sessionKey = sessionKeys(serverPublicKey, serverPrivateKey, publicKey);
+	const sessionKey = serverSessionKeys(serverPublicKey, serverPrivateKey, publicKey);
 	if (!sessionKey) {
 		return failed('Session Key Failed');
 	}
 	const {
 		receiveKey,
 		transmitKey,
 	} = sessionKey;
+	client.transmitKey = transmitKey;
+	client.receiveKey = receiveKey;
 	success(`key: ${toBase64(publicKey)}`);
 	success(`receiveKey: ${toBase64(receiveKey)}`);
 	success(`transmitKey: ${toBase64(transmitKey)}`);
@@ -79,8 +81,6 @@ export async function initialize(config) {
 	client.publicKey = publicKey;
 	client.address = address;
 	client.port = port;
-	client.transmitKey = transmitKey;
-	client.receiveKey = receiveKey;
 	if (!server.realtime && server.gracePeriod) {
 		client.gracePeriod = setTimeout(() => {
 			const lastActive = (Date.now() - client.lastActive) / 1000;

udsp/server/clients/reKey.js

@@ -1,16 +1,14 @@
 import {
 	success, failed, imported, msgSent, info, msgReceived
 } from '#logs';
-import { sessionKeys } from '#crypto';
-export async function reKey(client, certificate, server) {
+import { serverSessionKeys } from '#crypto';
+export async function reKey(client, serverKeypair, server) {
 	const {
 		publicKey,
-		privateKey
+		transmitKey,
+		receiveKey
 	} = client.reKey;
-	const newSessionKeys = sessionKeys(publicKey, privateKey, certificate.key);
-	client.ephemeralKeypair = client.reKey;
-	client.transmitKey = newSessionKeys.transmitKey;
-	client.receiveKey = newSessionKeys.receiveKey;
+	const newSessionKeys = serverSessionKeys(serverKeypair.publicKey, serverKeypair.privateKey, publicKey, transmitKey, receiveKey);
 	client.lastReKey = Date.now();
 	await server.clientEvent('reKey', client);
 	success(`client reKeyed -> ID: ${client.id}`);

udsp/server/index.js

@@ -24,7 +24,7 @@ import { onPacket } from './onPacket.js';
 import { sendPacket } from '#udsp/sendPacket';
 import { actions } from './actions/index.js';
 import { getCertificate } from '#certificate';
-import { randomConnectionId } from '#crypto';
+import { randomConnectionId, signKeypairToEncryptKeypair } from '#crypto';
 const { seal } = Object;
 /*
   * socket ID: SID
@@ -96,6 +96,9 @@ export class Server {
 				privateKey: thisServer.certificate.privateKey,
 			};
 		}
+		if (thisServer.keypair) {
+			thisServer.encryptKeypair = signKeypairToEncryptKeypair(thisServer.keypair);
+		}
 		if (thisServer.connectionIdCertificate) {
 			thisServer.connectionIdCertificate = await getCertificate(thisServer.connectionIdCertificate);
 		} else if (thisServer.publicCertificate.encryptConnectionId) {
@@ -138,6 +141,9 @@ export class Server {
 		thisServer.send = async function(packetConfig) {
 			packetConfig.server = thisServer;
 			packetConfig.isServer = true;
+			if (!packetConfig.encryptKeypair) {
+				packetConfig.encryptKeypair = thisServer.encryptKeypair;
+			}
 			return sendPacket(packetConfig, server);
 		};
 		console.log('-------SERVER INITIALIZED-------');