push-api/resources/ece.js - external/w3c/web-platform-tests.git - Git at Google

 async function HKDF({ salt, ikm, info, length }) {
   return await crypto.subtle.deriveBits(
     { name: "HKDF", hash: "SHA-256", salt, info },
     await crypto.subtle.importKey("raw", ikm, { name: "HKDF" }, false, [
       "deriveBits",
     ]),
     length * 8
   );
 }

 // https://datatracker.ietf.org/doc/html/rfc8188#section-2.2
 // https://datatracker.ietf.org/doc/html/rfc8188#section-2.3
 async function deriveKeyAndNonce(header) {
   const { salt } = header;
   const ikm = await getInputKeyingMaterial(header);

   // cek_info = "Content-Encoding: aes128gcm" || 0x00
   const cekInfo = new TextEncoder().encode("Content-Encoding: aes128gcm\0");
   // nonce_info = "Content-Encoding: nonce" || 0x00
   const nonceInfo = new TextEncoder().encode("Content-Encoding: nonce\0");

   // (The XOR SEQ is skipped as we only create single record here, thus becoming noop)
   return {
     // the length (L) parameter to HKDF is 16
     key: await HKDF({ salt, ikm, info: cekInfo, length: 16 }),
     // The length (L) parameter is 12 octets
     nonce: await HKDF({ salt, ikm, info: nonceInfo, length: 12 }),
   };
 }

 // https://datatracker.ietf.org/doc/html/rfc8291#section-3.3
 // https://datatracker.ietf.org/doc/html/rfc8291#section-3.4
 async function getInputKeyingMaterial(header) {
   // IKM:  the shared secret derived using ECDH
   // ecdh_secret = ECDH(as_private, ua_public)
   const ikm = await crypto.subtle.deriveBits(
     {
       name: "ECDH",
       public: await crypto.subtle.importKey(
         "raw",
         header.userAgentPublicKey,
         { name: "ECDH", namedCurve: "P-256" },
         true,
         []
       ),
     },
     header.appServer.privateKey,
     256
   );
   // key_info = "WebPush: info" || 0x00 || ua_public || as_public
   const keyInfo = new Uint8Array([
     ...new TextEncoder().encode("WebPush: info\0"),
     ...header.userAgentPublicKey,
     ...header.appServer.publicKey,
   ])
   return await HKDF({ salt: header.authSecret, ikm, info: keyInfo, length: 32 });
 }

 // https://datatracker.ietf.org/doc/html/rfc8188#section-2
 async function encryptRecord(key, nonce, data) {
   // add a delimiter octet (0x01 or 0x02)
   // The last record uses a padding delimiter octet set to the value 2
   //
   // (This implementation only creates a single record, thus always 2,
   // per https://datatracker.ietf.org/doc/html/rfc8291/#section-4:
   // An application server MUST encrypt a push message with a single
   // record.)
   const padded = new Uint8Array([...data, 2]);

   // encrypt with AEAD_AES_128_GCM
   return await crypto.subtle.encrypt(
     { name: "AES-GCM", iv: nonce, tagLength: 128 },
     await crypto.subtle.importKey("raw", key, { name: "AES-GCM" }, false, [
       "encrypt",
     ]),
     padded
   );
 }

 // https://datatracker.ietf.org/doc/html/rfc8188#section-2.1
 function writeHeader(header) {
   var dataView = new DataView(new ArrayBuffer(5));
   dataView.setUint32(0, header.recordSize);
   dataView.setUint8(4, header.keyid.length);
   return new Uint8Array([
     ...header.salt,
     ...new Uint8Array(dataView.buffer),
     ...header.keyid,
   ]);
 }

 function validateParams(params) {
   const header = { ...params };
   if (!header.salt) {
     throw new Error("Must include a salt parameter");
   }
   if (header.salt.length !== 16) {
     // https://datatracker.ietf.org/doc/html/rfc8188#section-2.1
     // The "salt" parameter comprises the first 16 octets of the
     // "aes128gcm" content-coding header.
     throw new Error("The salt parameter must be 16 bytes");
   }
   if (header.appServer.publicKey.byteLength !== 65) {
     // https://datatracker.ietf.org/doc/html/rfc8291#section-4
     // A push message MUST include the application server ECDH public key in
     // the "keyid" parameter of the encrypted content coding header.  The
     // uncompressed point form defined in [X9.62] (that is, a 65-octet
     // sequence that starts with a 0x04 octet) forms the entirety of the
     // "keyid".
     throw new Error("The appServer.publicKey parameter must be 65 bytes");
   }
   if (!header.authSecret) {
     throw new Error("No authentication secret for webpush");
   }
   return header;
 }

 export async function encrypt(data, params) {
   const header = validateParams(params);

   // https://datatracker.ietf.org/doc/html/rfc8291#section-2
   // The ECDH public key is encoded into the "keyid" parameter of the encrypted content coding header
   header.keyid = header.appServer.publicKey;
   header.recordSize = data.byteLength + 18 + 1;

   // https://datatracker.ietf.org/doc/html/rfc8188#section-2
   // The final encoding consists of a header (see Section 2.1) and zero or more
   // fixed-size encrypted records; the final record can be smaller than the record size.
   const saltedHeader = writeHeader(header);
   const { key, nonce } = await deriveKeyAndNonce(header);
   const encrypt = await encryptRecord(key, nonce, data);
   return new Uint8Array([...saltedHeader, ...new Uint8Array(encrypt)]);
 }
	async function HKDF({ salt, ikm, info, length }) {
	return await crypto.subtle.deriveBits(
	{ name: "HKDF", hash: "SHA-256", salt, info },
	await crypto.subtle.importKey("raw", ikm, { name: "HKDF" }, false, [
	"deriveBits",
	]),
	length * 8
	);
	}

	// https://datatracker.ietf.org/doc/html/rfc8188#section-2.2
	// https://datatracker.ietf.org/doc/html/rfc8188#section-2.3
	async function deriveKeyAndNonce(header) {
	const { salt } = header;
	const ikm = await getInputKeyingMaterial(header);

	// cek_info = "Content-Encoding: aes128gcm" \|\| 0x00
	const cekInfo = new TextEncoder().encode("Content-Encoding: aes128gcm\0");
	// nonce_info = "Content-Encoding: nonce" \|\| 0x00
	const nonceInfo = new TextEncoder().encode("Content-Encoding: nonce\0");

	// (The XOR SEQ is skipped as we only create single record here, thus becoming noop)
	return {
	// the length (L) parameter to HKDF is 16
	key: await HKDF({ salt, ikm, info: cekInfo, length: 16 }),
	// The length (L) parameter is 12 octets
	nonce: await HKDF({ salt, ikm, info: nonceInfo, length: 12 }),
	};
	}

	// https://datatracker.ietf.org/doc/html/rfc8291#section-3.3
	// https://datatracker.ietf.org/doc/html/rfc8291#section-3.4
	async function getInputKeyingMaterial(header) {
	// IKM: the shared secret derived using ECDH
	// ecdh_secret = ECDH(as_private, ua_public)
	const ikm = await crypto.subtle.deriveBits(
	{
	name: "ECDH",
	public: await crypto.subtle.importKey(
	"raw",
	header.userAgentPublicKey,
	{ name: "ECDH", namedCurve: "P-256" },
	true,
	[]
	),
	},
	header.appServer.privateKey,
	256
	);
	// key_info = "WebPush: info" \|\| 0x00 \|\| ua_public \|\| as_public
	const keyInfo = new Uint8Array([
	...new TextEncoder().encode("WebPush: info\0"),
	...header.userAgentPublicKey,
	...header.appServer.publicKey,
	])
	return await HKDF({ salt: header.authSecret, ikm, info: keyInfo, length: 32 });
	}

	// https://datatracker.ietf.org/doc/html/rfc8188#section-2
	async function encryptRecord(key, nonce, data) {
	// add a delimiter octet (0x01 or 0x02)
	// The last record uses a padding delimiter octet set to the value 2
	//
	// (This implementation only creates a single record, thus always 2,
	// per https://datatracker.ietf.org/doc/html/rfc8291/#section-4:
	// An application server MUST encrypt a push message with a single
	// record.)
	const padded = new Uint8Array([...data, 2]);

	// encrypt with AEAD_AES_128_GCM
	return await crypto.subtle.encrypt(
	{ name: "AES-GCM", iv: nonce, tagLength: 128 },
	await crypto.subtle.importKey("raw", key, { name: "AES-GCM" }, false, [
	"encrypt",
	]),
	padded
	);
	}

	// https://datatracker.ietf.org/doc/html/rfc8188#section-2.1
	function writeHeader(header) {
	var dataView = new DataView(new ArrayBuffer(5));
	dataView.setUint32(0, header.recordSize);
	dataView.setUint8(4, header.keyid.length);
	return new Uint8Array([
	...header.salt,
	...new Uint8Array(dataView.buffer),
	...header.keyid,
	]);
	}

	function validateParams(params) {
	const header = { ...params };
	if (!header.salt) {
	throw new Error("Must include a salt parameter");
	}
	if (header.salt.length !== 16) {
	// https://datatracker.ietf.org/doc/html/rfc8188#section-2.1
	// The "salt" parameter comprises the first 16 octets of the
	// "aes128gcm" content-coding header.
	throw new Error("The salt parameter must be 16 bytes");
	}
	if (header.appServer.publicKey.byteLength !== 65) {
	// https://datatracker.ietf.org/doc/html/rfc8291#section-4
	// A push message MUST include the application server ECDH public key in
	// the "keyid" parameter of the encrypted content coding header. The
	// uncompressed point form defined in [X9.62] (that is, a 65-octet
	// sequence that starts with a 0x04 octet) forms the entirety of the
	// "keyid".
	throw new Error("The appServer.publicKey parameter must be 65 bytes");
	}
	if (!header.authSecret) {
	throw new Error("No authentication secret for webpush");
	}
	return header;
	}

	export async function encrypt(data, params) {
	const header = validateParams(params);

	// https://datatracker.ietf.org/doc/html/rfc8291#section-2
	// The ECDH public key is encoded into the "keyid" parameter of the encrypted content coding header
	header.keyid = header.appServer.publicKey;
	header.recordSize = data.byteLength + 18 + 1;

	// https://datatracker.ietf.org/doc/html/rfc8188#section-2
	// The final encoding consists of a header (see Section 2.1) and zero or more
	// fixed-size encrypted records; the final record can be smaller than the record size.
	const saltedHeader = writeHeader(header);
	const { key, nonce } = await deriveKeyAndNonce(header);
	const encrypt = await encryptRecord(key, nonce, data);
	return new Uint8Array([...saltedHeader, ...new Uint8Array(encrypt)]);
	}