Skip to content

Use AES/GCM for the JWE encrypted message as suggested by the Nimbus team #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
harri35 wants to merge 7 commits into
base: develop
Choose a base branch
from
Draft

Use AES/GCM for the JWE encrypted message as suggested by the Nimbus team #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
7aeea3a
1: Use DirectEncryptor with DIR and A256GCM for JWE
harri35 Sep 22, 2022
f58ef79
1: Separate key import and usage test. Do the usage both ways using JWE.
harri35 Sep 22, 2022
a6abd03
1: Do cleanup
harri35 Sep 22, 2022
7c273b9
1: Use newer Nimbus library
harri35 Sep 23, 2022
0d4d20b
1: Use a newer Nimbus version
harri35 Sep 26, 2022
5f914dd
1: Clean up mislabeled bit and byte values
harri35 Sep 28, 2022
452b0bc
1: Use the correct key type verification
harri35 Sep 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/DomainConstants.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
package mobi.lab.keyimportdemo.domain

object DomainConstants {
const val TEK_KEY_SIZE_BITS = 256
const val CEK_KEY_SIZE_BITS = 256
const val DEVICE_TEE_WRAPPING_KEY_ALIAS = "device_wrapping_key_alias"
const val DEVICE_TEE_IMPORT_KEY_ALIAS = "device_wrapped_key_alias"
}
8 changes: 8 additions & 0 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/entities/DomainException.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,5 +31,13 @@ class DomainException(
fun noSuchImportedKeyFound(keyAlias: String): DomainException {
return DomainException(ErrorCode.NO_SUCH_IMPORTED_KEY_FOUND, keyAlias)
}

fun noSuchServerKeyFound(keyAlias: String): DomainException {
return DomainException(ErrorCode.NO_SUCH_SERVER_KEY_FOUND, keyAlias)
}

fun decryptedMessageDoesNotMatchTheOriginalMessage(message: String): DomainException {
return DomainException(ErrorCode.DECRYPTED_MESSAGE_DOES_NOT_MATCH_THE_ORIGINAL_MESSAGE, message)
}
}
}
2 changes: 2 additions & 0 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/entities/ErrorCode.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@ enum class ErrorCode(val code: String) {
LOCAL_UNAUTHORIZED("local-unauthorized"),
LOCAL_NO_NETWORK("local-no-network"),
NO_SUCH_IMPORTED_KEY_FOUND("no-such-imported-key-found"),
NO_SUCH_SERVER_KEY_FOUND("no-such-server-key-found"),
DECRYPTED_MESSAGE_DOES_NOT_MATCH_THE_ORIGINAL_MESSAGE("decrypted-message-does-not-match-the-original-message"),
LOCAL_INVALID_CREDENTIALS("local-invalid-credentials");

companion object {
Expand Down
5 changes: 1 addition & 4 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/entities/KeyImportTestResult.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,7 @@
package mobi.lab.keyimportdemo.domain.entities

sealed class KeyImportTestResult {
data class SuccessHardwareTeeStrongBox(val message: String) : KeyImportTestResult()
data class SuccessHardwareTeeNoStrongbox(val message: String) : KeyImportTestResult()
data class SuccessSoftwareTeeOnly(val message: String) : KeyImportTestResult()
data class SuccessTeeUnknown(val message: String) : KeyImportTestResult()
data class Success(val keyTestResult: KeyUsageTestResult) : KeyImportTestResult()
object FailedKeyImportNotSupportedOnThisApiLevel : KeyImportTestResult()
object FailedKeyImportNotAvailableOnThisDevice : KeyImportTestResult()
object FailedTestDecryptionResultDifferentThanInput : KeyImportTestResult()
Expand Down
7 changes: 0 additions & 7 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/entities/KeyLocalUsageTestResult.kt
View file
Open in desktop

This file was deleted.

14 changes: 14 additions & 0 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/entities/KeyUsageTestResult.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
package mobi.lab.keyimportdemo.domain.entities

import mobi.lab.keyimportdemo.domain.gateway.CryptoClientGateway

sealed class KeyUsageTestResult {
data class UsageSuccess(
val keyLevel: CryptoClientGateway.KeyTeeSecurityLevel,
val serverToClientMessage: String,
val clientToServerMessage: String
) : KeyUsageTestResult()

object UsageFailedNoSuchKey : KeyUsageTestResult()
data class UsageFailedGeneric(val throwable: Throwable) : KeyUsageTestResult()
}
43 changes: 9 additions & 34 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/gateway/CryptoClientGateway.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,62 +1,37 @@
package mobi.lab.keyimportdemo.domain.gateway

import java.security.NoSuchAlgorithmException
import java.security.NoSuchProviderException
import java.security.PublicKey
import java.security.spec.InvalidKeySpecException

@Suppress("EmptyClassBlock")
interface CryptoClientGateway {
@Throws(Exception::class)
fun generateRsaKeyPairInDeviceTee(alias: String, isStrongBoxBacked: Boolean): PublicKey

@Throws(NoSuchAlgorithmException::class, NoSuchProviderException::class, InvalidKeySpecException::class)
fun getSecretKeySecurityLevel(keyStoreKeyAlias: String): KeySecurityLevel

@Throws(NoSuchAlgorithmException::class, NoSuchProviderException::class, InvalidKeySpecException::class)
fun getPrivateKeySecurityLevel(keyStoreKeyAlias: String): CryptoClientGateway.KeySecurityLevel

@Throws(Exception::class)
fun getSecretKeySecurityLevel(keyStoreKeyAlias: String): KeyTeeSecurityLevel
fun getPrivateKeySecurityLevel(keyStoreKeyAlias: String): KeyTeeSecurityLevel
fun encodeRsaPublicKeyAsJwk(alias: String, publicKey: PublicKey): String

@Throws(Exception::class)
fun importWrappedKeyFromServer(asn1DerEncodedWrappedKey: ByteArray, wrappingKeyAliasInKeysStore: String, wrappedKeyAlias: String)
fun decryptJWEWithImportedKey(keyStoreKeyAlias: String, messageWrappedTekEncryptedJWE: String): String
fun encryptMessageWithTekToJWE(message: String, keyStoreKeyAlias: String, keySizeBits: Int): String

@Throws(Exception::class)
fun decryptJWEWithImportedWrappedKey(keyStoreKeyAlias: String, messageWrappedTekEncryptedJWE: String): String

@Throws(Exception::class)
fun encryptTextWithImportedKey(keyStoreKeyAlias: String, secretMessage: String): ByteArray

@Throws(Exception::class)
fun decryptTextWithImportedKey(keyStoreKeyAlias: String, messageTekEncryptedAtClient: ByteArray): String

@Throws(Exception::class)
fun encryptTextWithWrappingKey(keyStoreKeyAlias: String, secretMessage: String): ByteArray

@Throws(Exception::class)
fun decryptTextWithWrappingKey(keyStoreKeyAlias: String, messageTekEncryptedAtClient: ByteArray): String

sealed class KeySecurityLevel {
object TeeStrongbox : KeySecurityLevel() {
sealed class KeyTeeSecurityLevel {
object TeeStrongbox : KeyTeeSecurityLevel() {
override fun toString(): String {
return "KeySecurityLevel.TeeStrongbox"
}
}

object TeeHardwareNoStrongbox : KeySecurityLevel() {
object TeeHardwareNoStrongbox : KeyTeeSecurityLevel() {
override fun toString(): String {
return "KeySecurityLevel.TeeHardwareNoStrongbox"
}
}

object TeeSoftware : KeySecurityLevel() {
object TeeSoftware : KeyTeeSecurityLevel() {
override fun toString(): String {
return "KeySecurityLevel.TeeSoftware"
}
}

object Unknown : KeySecurityLevel() {
object Unknown : KeyTeeSecurityLevel() {
override fun toString(): String {
return "KeySecurityLevel.Unknown"
}
Expand Down
8 changes: 4 additions & 4 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/gateway/CryptoServerGateway.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,14 +9,14 @@ interface CryptoServerGateway {

@Throws(Exception::class)
fun decodeRsaPublicKeyFromJWKString(jwkString: String): PublicKey
fun generateAesTek(keySize: Int): SecretKeySpec
fun generateTekImportMetadata(keySizeBytes: Int, keyMasterAlgorithm: Int): DERSequence
fun generateAesCek(cekKeySizeBytes: Int): SecretKeySpec
fun generateAesTek(keySizeBits: Int): SecretKeySpec
fun generateTekImportMetadata(keySizeBits: Int, keyMasterAlgorithm: Int): DERSequence
fun generateAesCek(cekKeySizeBits: Int): SecretKeySpec
fun encryptCekWithRsaPublicKey(cekAesKey: SecretKeySpec, rsaKeyPairPublicKey: PublicKey): ByteArray
fun encryptTekWithCek(tekAesWrappedKey: SecretKeySpec, wrappedKeyDescription: DERSequence, cekAesKey: SecretKeySpec): EncryptedTekWrapper
fun encodeTekAndCetToAsn1Der(tekEncryptedWrapper: EncryptedTekWrapper, cekEncrypted: ByteArray, tekImportMetadata: DERSequence): ByteArray
fun encryptMessageWithTekToJWE(message: String, tekAesKeyAtServer: SecretKeySpec): String
fun encryptMessageWithTek(message: String, tekAesKeyAtServer: SecretKeySpec): ByteArray
fun decryptJWEWithImportedKey(messageWrappedTekEncryptedJWE: String, tekAesKeyAtServer: SecretKeySpec): String

@Suppress("ArrayInDataClass")
data class EncryptedTekWrapper(val encryptedTek: ByteArray, val tag: ByteArray, val initializationVector: ByteArray)
Expand Down
7 changes: 7 additions & 0 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/storage/ServerSecretKeyStorage.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
package mobi.lab.keyimportdemo.domain.storage

interface ServerSecretKeyStorage {
fun save(keyBytes: ByteArray)
fun load(): ByteArray?
fun clear()
}
14 changes: 0 additions & 14 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/usecases/auth/DeleteSessionUseCase.kt
View file
Open in desktop

This file was deleted.

22 changes: 0 additions & 22 deletions ...omain/src/main/java/mobi/lab/keyimportdemo/domain/usecases/auth/HasValidSessionUseCase.kt
View file
Open in desktop

This file was deleted.

24 changes: 0 additions & 24 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/usecases/auth/LoginUseCase.kt
View file
Open in desktop

This file was deleted.

15 changes: 0 additions & 15 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/usecases/auth/LogoutUseCase.kt
View file
Open in desktop

This file was deleted.

15 changes: 0 additions & 15 deletions app-domain/src/main/java/mobi/lab/keyimportdemo/domain/usecases/auth/SaveSessionUseCase.kt
View file
Open in desktop

This file was deleted.

53 changes: 0 additions & 53 deletions ...c/main/java/mobi/lab/keyimportdemo/domain/usecases/crypto/ImportedKeyLocalUsageUseCase.kt
View file
Open in desktop

This file was deleted.

Loading