Add NWC protocol handling and NIP-44 encryption and decryption functions.

2025-09-22 17:18:47 +01:00
parent 81a6aade4e
commit 804e1c9649
16 changed files with 3089 additions and 1 deletions
--- a/pkg/crypto/encryption/README.md
+++ b/pkg/crypto/encryption/README.md
@@ -0,0 +1 @@
+Code copied from https://github.com/paulmillr/nip44/tree/e7aed61aaf77240ac10c325683eed14b22e7950f/go.
--- a/pkg/crypto/encryption/doc.go
+++ b/pkg/crypto/encryption/doc.go
@@ -0,0 +1,3 @@
+// Package encryption contains the message encryption schemes defined in NIP-04
+// and NIP-44, used for encrypting the content of nostr messages.
+package encryption
--- a/pkg/crypto/encryption/nip4.go
+++ b/pkg/crypto/encryption/nip4.go
@@ -0,0 +1,88 @@
+package encryption
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/base64"
+
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/errorf"
+	"lukechampine.com/frand"
+)
+
+// EncryptNip4 encrypts message with key using aes-256-cbc. key should be the shared secret generated by
+// ComputeSharedSecret.
+//
+// Returns: base64(encrypted_bytes) + "?iv=" + base64(initialization_vector).
+func EncryptNip4(msg, key []byte) (ct []byte, err error) {
+	// block size is 16 bytes
+	iv := make([]byte, 16)
+	if _, err = frand.Read(iv); chk.E(err) {
+		err = errorf.E("error creating initialization vector: %w", err)
+		return
+	}
+	// automatically picks aes-256 based on key length (32 bytes)
+	var block cipher.Block
+	if block, err = aes.NewCipher(key); chk.E(err) {
+		err = errorf.E("error creating block cipher: %w", err)
+		return
+	}
+	mode := cipher.NewCBCEncrypter(block, iv)
+	plaintext := []byte(msg)
+	// add padding
+	base := len(plaintext)
+	// this will be a number between 1 and 16 (inclusive), never 0
+	bs := block.BlockSize()
+	padding := bs - base%bs
+	// encode the padding in all the padding bytes themselves
+	padText := bytes.Repeat([]byte{byte(padding)}, padding)
+	paddedMsgBytes := append(plaintext, padText...)
+	ciphertext := make([]byte, len(paddedMsgBytes))
+	mode.CryptBlocks(ciphertext, paddedMsgBytes)
+	return []byte(base64.StdEncoding.EncodeToString(ciphertext) + "?iv=" +
+		base64.StdEncoding.EncodeToString(iv)), nil
+}
+
+// DecryptNip4 decrypts a content string using the shared secret key. The inverse operation to message ->
+// EncryptNip4(message, key).
+func DecryptNip4(content, key []byte) (msg []byte, err error) {
+	parts := bytes.Split(content, []byte("?iv="))
+	if len(parts) < 2 {
+		return nil, errorf.E(
+			"error parsing encrypted message: no initialization vector",
+		)
+	}
+	ciphertext := make([]byte, base64.StdEncoding.EncodedLen(len(parts[0])))
+	if _, err = base64.StdEncoding.Decode(ciphertext, parts[0]); chk.E(err) {
+		err = errorf.E("error decoding ciphertext from base64: %w", err)
+		return
+	}
+	iv := make([]byte, base64.StdEncoding.EncodedLen(len(parts[1])))
+	if _, err = base64.StdEncoding.Decode(iv, parts[1]); chk.E(err) {
+		err = errorf.E("error decoding iv from base64: %w", err)
+		return
+	}
+	var block cipher.Block
+	if block, err = aes.NewCipher(key); chk.E(err) {
+		err = errorf.E("error creating block cipher: %w", err)
+		return
+	}
+	mode := cipher.NewCBCDecrypter(block, iv)
+	msg = make([]byte, len(ciphertext))
+	mode.CryptBlocks(msg, ciphertext)
+	// remove padding
+	var (
+		plaintextLen = len(msg)
+	)
+	if plaintextLen > 0 {
+		// the padding amount is encoded in the padding bytes themselves
+		padding := int(msg[plaintextLen-1])
+		if padding > plaintextLen {
+			err = errorf.E("invalid padding amount: %d", padding)
+			return
+		}
+		msg = msg[0 : plaintextLen-padding]
+	}
+	return msg, nil
+}
--- a/pkg/crypto/encryption/nip44.go
+++ b/pkg/crypto/encryption/nip44.go
@@ -0,0 +1,260 @@
+package encryption
+
+import (
+	"crypto/hmac"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/binary"
+	"io"
+	"math"
+
+	"golang.org/x/crypto/chacha20"
+	"golang.org/x/crypto/hkdf"
+	"lol.mleku.dev/chk"
+	"lol.mleku.dev/errorf"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/crypto/sha256"
+	"next.orly.dev/pkg/interfaces/signer"
+	"next.orly.dev/pkg/utils"
+)
+
+const (
+	version          byte = 2
+	MinPlaintextSize      = 0x0001 // 1b msg => padded to 32b
+	MaxPlaintextSize      = 0xffff // 65535 (64kb-1) => padded to 64kb
+)
+
+type Opts struct {
+	err   error
+	nonce []byte
+}
+
+// Deprecated: use WithCustomNonce instead of WithCustomSalt, so the naming is less confusing
+var WithCustomSalt = WithCustomNonce
+
+// WithCustomNonce enables using a custom nonce (salt) instead of using the
+// system crypto/rand entropy source.
+func WithCustomNonce(salt []byte) func(opts *Opts) {
+	return func(opts *Opts) {
+		if len(salt) != 32 {
+			opts.err = errorf.E("salt must be 32 bytes, got %d", len(salt))
+		}
+		opts.nonce = salt
+	}
+}
+
+// Encrypt data using a provided symmetric conversation key using NIP-44
+// encryption (chacha20 cipher stream and sha256 HMAC).
+func Encrypt(
+	plaintext, conversationKey []byte, applyOptions ...func(opts *Opts),
+) (
+	cipherString []byte, err error,
+) {
+
+	var o Opts
+	for _, apply := range applyOptions {
+		apply(&o)
+	}
+	if chk.E(o.err) {
+		err = o.err
+		return
+	}
+	if o.nonce == nil {
+		o.nonce = make([]byte, 32)
+		if _, err = rand.Read(o.nonce); chk.E(err) {
+			return
+		}
+	}
+	var enc, cc20nonce, auth []byte
+	if enc, cc20nonce, auth, err = getKeys(
+		conversationKey, o.nonce,
+	); chk.E(err) {
+		return
+	}
+	plain := plaintext
+	size := len(plain)
+	if size < MinPlaintextSize || size > MaxPlaintextSize {
+		err = errorf.E("plaintext should be between 1b and 64kB")
+		return
+	}
+	padding := CalcPadding(size)
+	padded := make([]byte, 2+padding)
+	binary.BigEndian.PutUint16(padded, uint16(size))
+	copy(padded[2:], plain)
+	var cipher []byte
+	if cipher, err = encrypt(enc, cc20nonce, padded); chk.E(err) {
+		return
+	}
+	var mac []byte
+	if mac, err = sha256Hmac(auth, cipher, o.nonce); chk.E(err) {
+		return
+	}
+	ct := make([]byte, 0, 1+32+len(cipher)+32)
+	ct = append(ct, version)
+	ct = append(ct, o.nonce...)
+	ct = append(ct, cipher...)
+	ct = append(ct, mac...)
+	cipherString = make([]byte, base64.StdEncoding.EncodedLen(len(ct)))
+	base64.StdEncoding.Encode(cipherString, ct)
+	return
+}
+
+// Decrypt data that has been encoded using a provided symmetric conversation
+// key using NIP-44 encryption (chacha20 cipher stream and sha256 HMAC).
+func Decrypt(b64ciphertextWrapped, conversationKey []byte) (
+	plaintext []byte,
+	err error,
+) {
+	cLen := len(b64ciphertextWrapped)
+	if cLen < 132 || cLen > 87472 {
+		err = errorf.E("invalid payload length: %d", cLen)
+		return
+	}
+	if len(b64ciphertextWrapped) > 0 && b64ciphertextWrapped[0] == '#' {
+		err = errorf.E("unknown version")
+		return
+	}
+	var decoded []byte
+	if decoded, err = base64.StdEncoding.DecodeString(string(b64ciphertextWrapped)); chk.E(err) {
+		return
+	}
+	if decoded[0] != version {
+		err = errorf.E("unknown version %d", decoded[0])
+		return
+	}
+	dLen := len(decoded)
+	if dLen < 99 || dLen > 65603 {
+		err = errorf.E("invalid data length: %d", dLen)
+		return
+	}
+	nonce, ciphertext, givenMac := decoded[1:33], decoded[33:dLen-32], decoded[dLen-32:]
+	var enc, cc20nonce, auth []byte
+	if enc, cc20nonce, auth, err = getKeys(conversationKey, nonce); chk.E(err) {
+		return
+	}
+	var expectedMac []byte
+	if expectedMac, err = sha256Hmac(auth, ciphertext, nonce); chk.E(err) {
+		return
+	}
+	if !utils.FastEqual(givenMac, expectedMac) {
+		err = errorf.E("invalid hmac")
+		return
+	}
+	var padded []byte
+	if padded, err = encrypt(enc, cc20nonce, ciphertext); chk.E(err) {
+		return
+	}
+	unpaddedLen := binary.BigEndian.Uint16(padded[0:2])
+	if unpaddedLen < uint16(MinPlaintextSize) || unpaddedLen > uint16(MaxPlaintextSize) ||
+		len(padded) != 2+CalcPadding(int(unpaddedLen)) {
+		err = errorf.E("invalid padding")
+		return
+	}
+	unpadded := padded[2:][:unpaddedLen]
+	if len(unpadded) == 0 || len(unpadded) != int(unpaddedLen) {
+		err = errorf.E("invalid padding")
+		return
+	}
+	plaintext = unpadded
+	return
+}
+
+// GenerateConversationKeyFromHex performs an ECDH key generation hashed with the nip-44-v2 using hkdf.
+func GenerateConversationKeyFromHex(pkh, skh string) (ck []byte, err error) {
+	if skh >= "fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141" ||
+		skh == "0000000000000000000000000000000000000000000000000000000000000000" {
+		err = errorf.E(
+			"invalid private key: x coordinate %s is not on the secp256k1 curve",
+			skh,
+		)
+		return
+	}
+	var sign signer.I
+	if sign, err = p256k.NewSecFromHex(skh); chk.E(err) {
+		return
+	}
+	var pk []byte
+	if pk, err = p256k.HexToBin(pkh); chk.E(err) {
+		return
+	}
+	var shared []byte
+	if shared, err = sign.ECDH(pk); chk.E(err) {
+		return
+	}
+	ck = hkdf.Extract(sha256.New, shared, []byte("nip44-v2"))
+	return
+}
+
+func GenerateConversationKeyWithSigner(sign signer.I, pk []byte) (
+	ck []byte, err error,
+) {
+	var shared []byte
+	if shared, err = sign.ECDH(pk); chk.E(err) {
+		return
+	}
+	ck = hkdf.Extract(sha256.New, shared, []byte("nip44-v2"))
+	return
+}
+
+func encrypt(key, nonce, message []byte) (dst []byte, err error) {
+	var cipher *chacha20.Cipher
+	if cipher, err = chacha20.NewUnauthenticatedCipher(key, nonce); chk.E(err) {
+		return
+	}
+	dst = make([]byte, len(message))
+	cipher.XORKeyStream(dst, message)
+	return
+}
+
+func sha256Hmac(key, ciphertext, nonce []byte) (h []byte, err error) {
+	if len(nonce) != sha256.Size {
+		err = errorf.E("nonce aad must be 32 bytes")
+		return
+	}
+	hm := hmac.New(sha256.New, key)
+	hm.Write(nonce)
+	hm.Write(ciphertext)
+	h = hm.Sum(nil)
+	return
+}
+
+func getKeys(conversationKey, nonce []byte) (
+	enc, cc20nonce, auth []byte, err error,
+) {
+	if len(conversationKey) != 32 {
+		err = errorf.E("conversation key must be 32 bytes")
+		return
+	}
+	if len(nonce) != 32 {
+		err = errorf.E("nonce must be 32 bytes")
+		return
+	}
+	r := hkdf.Expand(sha256.New, conversationKey, nonce)
+	enc = make([]byte, 32)
+	if _, err = io.ReadFull(r, enc); chk.E(err) {
+		return
+	}
+	cc20nonce = make([]byte, 12)
+	if _, err = io.ReadFull(r, cc20nonce); chk.E(err) {
+		return
+	}
+	auth = make([]byte, 32)
+	if _, err = io.ReadFull(r, auth); chk.E(err) {
+		return
+	}
+	return
+}
+
+// CalcPadding creates padding for the message payload that is precisely a power
+// of two in order to reduce the chances of plaintext attack. This is plainly
+// retarded because it could blow out the message size a lot when just a random few
+// dozen bytes and a length prefix would achieve the same result.
+func CalcPadding(sLen int) (l int) {
+	if sLen <= 32 {
+		return 32
+	}
+	nextPower := 1 << int(math.Floor(math.Log2(float64(sLen-1)))+1)
+	chunk := int(math.Max(32, float64(nextPower/8)))
+	l = chunk * int(math.Floor(float64((sLen-1)/chunk))+1)
+	return
+}
--- a/pkg/crypto/encryption/nip44_test.go
+++ b/pkg/crypto/encryption/nip44_test.go
--- a/pkg/crypto/keys/keys.go
+++ b/pkg/crypto/keys/keys.go
@@ -0,0 +1,83 @@
+// Package keys is a set of helpers for generating and converting public/secret
+// keys to hex and back to binary.
+package keys
+
+import (
+	"bytes"
+
+	"lol.mleku.dev/chk"
+	"next.orly.dev/pkg/crypto/ec/schnorr"
+	"next.orly.dev/pkg/crypto/p256k"
+	"next.orly.dev/pkg/encoders/hex"
+	"next.orly.dev/pkg/utils"
+)
+
+// GeneratePrivateKey - deprecated, use GenerateSecretKeyHex
+var GeneratePrivateKey = func() string { return GenerateSecretKeyHex() }
+
+// GenerateSecretKey creates a new secret key and returns the bytes of the secret.
+func GenerateSecretKey() (skb []byte, err error) {
+	signer := &p256k.Signer{}
+	if err = signer.Generate(); chk.E(err) {
+		return
+	}
+	skb = signer.Sec()
+	return
+}
+
+// GenerateSecretKeyHex generates a secret key and encodes the bytes as hex.
+func GenerateSecretKeyHex() (sks string) {
+	skb, err := GenerateSecretKey()
+	if chk.E(err) {
+		return
+	}
+	return hex.Enc(skb)
+}
+
+// GetPublicKeyHex generates a public key from a hex encoded secret key.
+func GetPublicKeyHex(sk string) (pk string, err error) {
+	var b []byte
+	if b, err = hex.Dec(sk); chk.E(err) {
+		return
+	}
+	signer := &p256k.Signer{}
+	if err = signer.InitSec(b); chk.E(err) {
+		return
+	}
+
+	return hex.Enc(signer.Pub()), nil
+}
+
+// SecretBytesToPubKeyHex generates a public key from secret key bytes.
+func SecretBytesToPubKeyHex(skb []byte) (pk string, err error) {
+	signer := &p256k.Signer{}
+	if err = signer.InitSec(skb); chk.E(err) {
+		return
+	}
+	return hex.Enc(signer.Pub()), nil
+}
+
+// IsValid32ByteHex checks that a hex string is a valid 32 bytes lower case hex encoded value as
+// per nostr NIP-01 spec.
+func IsValid32ByteHex[V []byte | string](pk V) bool {
+	if utils.FastEqual(bytes.ToLower([]byte(pk)), []byte(pk)) {
+		return false
+	}
+	var err error
+	dec := make([]byte, 32)
+	if _, err = hex.DecBytes(dec, []byte(pk)); chk.E(err) {
+	}
+	return len(dec) == 32
+}
+
+// IsValidPublicKey checks that a hex encoded public key is a valid BIP-340 public key.
+func IsValidPublicKey[V []byte | string](pk V) bool {
+	v, _ := hex.Dec(string(pk))
+	_, err := schnorr.ParsePubKey(v)
+	return err == nil
+}
+
+// HexPubkeyToBytes decodes a pubkey from hex encoded string/bytes.
+func HexPubkeyToBytes[V []byte | string](hpk V) (pkb []byte, err error) {
+	return hex.DecAppend(nil, []byte(hpk))
+}
				`@@ -0,0 +1 @@`
				`Code copied from https://github.com/paulmillr/nip44/tree/e7aed61aaf77240ac10c325683eed14b22e7950f/go.`