forked from jrconlin/WebPushDataTestPage
-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathwebpush.js
350 lines (323 loc) · 12.4 KB
/
webpush.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
/*
* Browser-based Web Push client for the application server piece.
*
* Uses the WebCrypto API.
* Uses the fetch API. Polyfill: https://github.com/github/fetch
*/
'use strict';
// Semi-handy variable defining the encryption data to be
// Elliptical Curve (Diffie-Hellman) (ECDH) using the p256 curve.
const P256DH = {
name: 'ECDH',
namedCurve: 'P-256'
};
// WebCrypto (defined by http://www.w3.org/TR/WebCryptoAPI/) is detailed
// at https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto
//
// this has the various encryption library helper functions for things like
// EC crypto. It's very nice because it makes calls simple, unfortunately,
// it also prevents some key auditing.
//
// It's worth noting that there's two parts to this. The first uses
// ECDH to get "key agreement". This allows to parties to get a secure key
// even over untrusted links.
//
// The second part is the actual message encryption using the agreed key
// created by the ECDH dance.
//
try {
if (webCrypto === undefined) {
webCrypto = window.crypto.subtle;
}
} catch (e) {
var webCrypto = window.crypto.subtle;
}
function ensureView(data) {
/* Coerces data into a Uint8Array */
if (typeof data === 'string') {
return new TextEncoder('utf-8').encode(data);
}
if (data instanceof ArrayBuffer) {
return new Uint8Array(data);
}
if (ArrayBuffer.isView(data)) {
return new Uint8Array(data.buffer);
}
throw new Error('webpush() needs a string or BufferSource');
}
Promise.allMap = function(o) {
// Resolve a list of promises
var result = {};
return Promise.all(
Object.keys(o).map(
k => Promise.resolve(o[k]).then(r => result[k] = r)
)
).then(_ => result);
};
async function HKDF({ salt, ikm, info, length }) {
return await crypto.subtle.deriveBits(
{ name: "HKDF", hash: "SHA-256", salt, info },
await crypto.subtle.importKey("raw", ikm, { name: "HKDF" }, false, [
"deriveBits",
]),
length * 8
);
}
async function wp_encrypt(senderKey, sub, data, salt) {
/* Encrypt the data using the temporary, locally generated key,
* the remotely shared key, and a salt value
*
* @param senderKey Locally generated key
* @param sub Subscription information object {endpoint, receiverKey, authKey}
* @param data The data to encrypt
* @param salt A random "salt" value for the encrypted data
*/
console.debug("calling wp_encrypt(", senderKey, sub, salt, data, ")");
if (!(data instanceof Uint8Array)) {
throw new Error("Expecting Uint8Array for `data` parameter");
}
if (!(salt instanceof Uint8Array) || salt.length != 16) {
throw new Error("Expecting Uint8Array[16] for `salt` parameter");
}
const publicKey = new Uint8Array(await crypto.subtle.exportKey("raw", senderKey.publicKey));
const body = await encrypt_with_params(data, {
userAgentPublicKey: new Uint8Array(sub.receiverKey),
appServer: {
privateKey: senderKey.privateKey,
publicKey,
},
salt,
authSecret: sub.authKey,
});
const headers = {
// https://datatracker.ietf.org/doc/html/rfc8291#section-4
// The Content-Encoding header field therefore has exactly one value, which is "aes128gcm".
'Content-Encoding': "aes128gcm",
// https://datatracker.ietf.org/doc/html/rfc8030#section-5.2
// An application server MUST include the TTL (Time-To-Live) header
// field in its request for push message delivery. The TTL header field
// contains a value in seconds that suggests how long a push message is
// retained by the push service.
TTL: 15,
};
return {
body,
headers,
}
}
// https://datatracker.ietf.org/doc/html/rfc8188#section-2.2
// https://datatracker.ietf.org/doc/html/rfc8188#section-2.3
async function deriveKeyAndNonce(header) {
const { salt } = header;
const ikm = await getInputKeyingMaterial(header);
output('ikm', base64url.encode(ikm));
// cek_info = "Content-Encoding: aes128gcm" || 0x00
const cekInfo = new TextEncoder().encode("Content-Encoding: aes128gcm\0");
// nonce_info = "Content-Encoding: nonce" || 0x00
const nonceInfo = new TextEncoder().encode("Content-Encoding: nonce\0");
// (The XOR SEQ is skipped as we only create single record here, thus becoming noop)
return {
// the length (L) parameter to HKDF is 16
key: await HKDF({ salt, ikm, info: cekInfo, length: 16 }),
// The length (L) parameter is 12 octets
nonce: await HKDF({ salt, ikm, info: nonceInfo, length: 12 }),
};
}
// https://datatracker.ietf.org/doc/html/rfc8291#section-3.3
// https://datatracker.ietf.org/doc/html/rfc8291#section-3.4
async function getInputKeyingMaterial(header) {
// IKM: the shared secret derived using ECDH
// ecdh_secret = ECDH(as_private, ua_public)
const ikm = await crypto.subtle.deriveBits(
{
name: "ECDH",
public: await crypto.subtle.importKey(
"raw",
header.userAgentPublicKey,
P256DH,
true,
[]
),
},
header.appServer.privateKey,
256
);
// key_info = "WebPush: info" || 0x00 || ua_public || as_public
const keyInfo = new Uint8Array([
...new TextEncoder().encode("WebPush: info\0"),
...header.userAgentPublicKey,
...header.appServer.publicKey,
])
return await HKDF({ salt: header.authSecret, ikm, info: keyInfo, length: 32 });
}
// https://datatracker.ietf.org/doc/html/rfc8188#section-2
async function encryptRecord(key, nonce, data) {
// add a delimiter octet (0x01 or 0x02)
// The last record uses a padding delimiter octet set to the value 2
//
// (This implementation only creates a single record, thus always 2,
// per https://datatracker.ietf.org/doc/html/rfc8291/#section-4:
// An application server MUST encrypt a push message with a single
// record.)
const padded = new Uint8Array([...data, 2]);
// encrypt with AEAD_AES_128_GCM
return await crypto.subtle.encrypt(
{ name: "AES-GCM", iv: nonce, tagLength: 128 },
await crypto.subtle.importKey("raw", key, { name: "AES-GCM" }, false, [
"encrypt",
]),
padded
);
}
// https://datatracker.ietf.org/doc/html/rfc8188#section-2.1
function writeHeader(header) {
var dataView = new DataView(new ArrayBuffer(5));
// https://codeberg.org/UnifiedPush/android-connector/issues/3
// dataView.setUint32(0, header.recordSize);
dataView.setUint32(0, 0x1000);
dataView.setUint8(4, header.keyid.length);
return new Uint8Array([
...header.salt,
...new Uint8Array(dataView.buffer),
...header.keyid,
]);
}
function validateParams(params) {
const header = { ...params };
if (!header.salt) {
throw new Error("Must include a salt parameter");
}
if (header.salt.length !== 16) {
// https://datatracker.ietf.org/doc/html/rfc8188#section-2.1
// The "salt" parameter comprises the first 16 octets of the
// "aes128gcm" content-coding header.
throw new Error("The salt parameter must be 16 bytes");
}
if (header.appServer.publicKey.byteLength !== 65) {
// https://datatracker.ietf.org/doc/html/rfc8291#section-4
// A push message MUST include the application server ECDH public key in
// the "keyid" parameter of the encrypted content coding header. The
// uncompressed point form defined in [X9.62] (that is, a 65-octet
// sequence that starts with a 0x04 octet) forms the entirety of the
// "keyid".
throw new Error("The appServer.publicKey parameter must be 65 bytes");
}
if (!header.authSecret) {
throw new Error("No authentication secret for webpush");
}
if (!header.userAgentPublicKey) {
throw new Error("No user agent pubkey");
}
if (header.userAgentPublicKey.byteLength !== 65) {
throw new Error("Wrong user agent pubkey length");
}
return header;
}
async function encrypt_with_params(data, params) {
const header = validateParams(params);
// https://datatracker.ietf.org/doc/html/rfc8291#section-2
// The ECDH public key is encoded into the "keyid" parameter of the encrypted content coding header
header.keyid = header.appServer.publicKey;
header.recordSize = data.byteLength + 18 + 1;
// https://datatracker.ietf.org/doc/html/rfc8188#section-2
// The final encoding consists of a header (see Section 2.1) and zero or more
// fixed-size encrypted records; the final record can be smaller than the record size.
const saltedHeader = writeHeader(header);
const { key, nonce } = await deriveKeyAndNonce(header);
output('gcmB', base64url.encode(new Uint8Array(key)));
output('nonce', base64url.encode(new Uint8Array(nonce)));
const encrypt = await encryptRecord(key, nonce, data);
return new Uint8Array([...saltedHeader, ...new Uint8Array(encrypt)]);
}
/*
* Request push for a message. This returns a promise that resolves when the
* push has been delivered to the push service.
*
* @param subscription A PushSubscription that contains endpoint and p256dh
* parameters.
* @param data The message to send.
* @param salt 16 random bytes
*/
function webpush(subscription, data, salt) {
console.debug('data:', data);
data = ensureView(data);
if (salt == null) {
console.info("Making new salt");
salt = newSalt();
output('salt', salt);
}
return webCrypto.generateKey(
P256DH,
true, // false for production
['deriveBits'])
.then(senderKey => {
// Display the local key parts.
// WebCrypto only allows you to export private keys as jwk.
webCrypto.exportKey('jwk', senderKey.publicKey)
.then(key=>{
//output('senderKeyPub', base64url.encode(key))
output('senderKey', mzcc.JWKToRaw(key));
output('senderKeyPub', JSON.stringify(key));
})
.catch(x => console.error(x));
// Dump the local private key
webCrypto.exportKey('jwk', senderKey.privateKey)
.then(key=> {
console.debug("Private Key:", key)
output('senderKeyPri', JSON.stringify(key))
})
.catch(x => {console.error(x);
output('senderKeyPri', "Could not display key: " + x);
});
console.debug("Sender Key", senderKey);
// encode all the data as chunks
return Promise.allMap({
endpoint: subscription.endpoint,
payload: wp_encrypt(senderKey,
subscription,
data,
salt),
pubkey: webCrypto.exportKey('jwk', senderKey.publicKey)
});
})
}
function send(options) {
console.debug('payload', options.payload);
let endpoint = options.endpoint;
let send_options = {
method: "POST",
headers: options.payload.headers,
body: options.payload.body,
cache: "no-cache",
referrer: "no-referrer",
};
// Note, fetch doesn't always seem to want to send the Headers.
// Chances are VERY Good that if this returns an error, the headers
// were not set. You can check the Network debug panel to see if
// the request included the headers.
console.debug("Fetching:", options.endpoint, send_options);
let req = new Request(options.endpoint, send_options);
console.debug("request:", req);
return fetch(req)
.then(response => {
if (! response.ok) {
if (response.status == 400) {
show_err("Server returned 400. Probably " +
"missing headers.<br>If refreshing doesn't work " +
"the 'curl' call below should still work fine.");
show_ok(false);
throw new Error("Server Returned 400");
}
throw new Error('Unable to deliver message: ',
JSON.stringify(response));
} else {
console.info("Message sent", response.status)
}
return true;
})
.catch(err =>{
console.error("Send Failed: ", err);
show_ok(false);
return false;
});
}